0x22bb
/
hacktricks
mirror of https://github.com/carlospolop/hacktricks.git
1
2
Fork 0
Code Releases Activity
hacktricks/cloud-security/pentesting-kubernetes/namespace-escalation.md

4.0 KiB
Raw Blame History

Support HackTricks and get benefits!

Do you work in a cybersecurity company? Do you want to see your company advertised in HackTricks? or do you want to have access the latest version of the PEASS or download HackTricks in PDF? Check the SUBSCRIPTION PLANS!

Discover The PEASS Family, our collection of exclusive NFTs

Get the official PEASS & HackTricks swag

Join the 💬 Discord group or the telegram group or follow me on Twitter 🐦@carlospolopm.

Share your hacking tricks submitting PRs to the hacktricks github repo.

In Kubernetes it's pretty common that somehow you manage to get inside a namespace (by stealing some user credentials or by compromising a pod). However, usually you will be interested in escalating to a different namespace as more interesting things can be found there.

Here are some techniques you can try to escape to a different namespace:

Abuse K8s privileges

Obviously if the account you have stolen have sensitive privileges over the namespace you can to escalate to, you can abuse actions like creating pods with service accounts in the NS, executing a shell in an already existent pod inside of the ns, or read the secret SA tokens.

For more info about which privileges you can abuse read:

{% content-ref url="abusing-roles-clusterroles-in-kubernetes/" %} abusing-roles-clusterroles-in-kubernetes {% endcontent-ref %}

Escape to the node

If you can escape to the node either because you have compromised a pod and you can escape or because you ca create a privileged pod and escape you could do several things to steal other SAs tokens:

  • Check for SAs tokens mounted in other docker containers running in the node
  • Check for new kubeconfig files in the node with extra permissions given to the node
  • If enabled (or enable it yourself) try to create mirrored pods of other namespaces as you might get access to those namespaces default token accounts (I haven't tested this yet)

All these techniques are explained in:

{% content-ref url="../../pentesting/pentesting-kubernetes/attacking-kubernetes-from-inside-a-pod.md" %} attacking-kubernetes-from-inside-a-pod.md {% endcontent-ref %}

Support HackTricks and get benefits!

Do you work in a cybersecurity company? Do you want to see your company advertised in HackTricks? or do you want to have access the latest version of the PEASS or download HackTricks in PDF? Check the SUBSCRIPTION PLANS!

Discover The PEASS Family, our collection of exclusive NFTs

Get the official PEASS & HackTricks swag

Join the 💬 Discord group or the telegram group or follow me on Twitter 🐦@carlospolopm.

Share your hacking tricks submitting PRs to the hacktricks github repo.