In a situation where you have managed to break into a Kubernetes Pod you could start enumerating the kubernetes environment from within.
Service Account Tokens
Before continuing, if you don't know what is a service in Kubernetes I would suggest you to .
ServiceAccount is an object managed by Kubernetes and used to provide an identity for processes that run in a pod.
Every service account has a secret related to it and this secret contains a bearer token. This is a JSON Web Token (JWT), a method for representing claims securely between two parties.
Usually in the directory /run/secrets/kubernetes.io/serviceaccount or /var/run/secrets/kubernetes.io/serviceaccount you can find the files:
ca.crt: It's the ca certificate to check kubernetes communications
namespace: It indicates the current namespace
token: It contains the service token of the current pod.
The service account token is being signed by the key residing in the file sa.key and validated by sa.pub.
Default location on Kubernetes:
/etc/kubernetes/pki
Default location on Minikube:
/var/lib/localkube/certs
Taken from the Kubernetes :
“When you create a pod, if you do not specify a service account, it is automatically assigned the default service account in the same namespace.”
Hot Pods
Hot pods are pods containing a privileged service account token. A privileged service account token is a token that has permission to do privileged tasks such as listing secrets, creating pods, etc.
RBAC
Enumeration CheatSheet
Differences between list and get verbs
With get permissions you can access the API:
GET /apis/apps/v1/namespaces/{namespace}/deployments/{name}
If you have the list permission, you are allowed to execute these API requests:
#In a namespace
GET /apis/apps/v1/namespaces/{namespace}/deployments
#In all namespaces
GET /apis/apps/v1/deployments
If you have the watch permission, you are allowed to execute these API requests:
GET /apis/apps/v1/deployments?watch=true
GET /apis/apps/v1/watch/namespaces/{namespace}/deployments?watch=true
GET /apis/apps/v1/watch/namespaces/{namespace}/deployments/{name} [DEPRECATED]
GET /apis/apps/v1/watch/namespaces/{namespace}/deployments [DEPRECATED]
GET /apis/apps/v1/watch/deployments [DEPRECATED]
They open a streaming connection that returns you the full manifest of a Deployment whenever it changes (or when a new one is created).
The following kubectl commands indicates just how to list the objects. If you want to access the data you need to use describe instead of get
As you are inside the Kubernetes environment, if you cannot escalate privileges abusing the current pods privileges and you cannot escape from the container, you should search potential vulnerable services.
Services
For this purpose, you can try to get all the services of the kubernetes environment:
kubectl get svc --all-namespaces
Scanning
sudo apt-get update
sudo apt-get install nmap
nmap-kube ()
{
nmap --open -T4 -A -v -Pn -p 443,2379,8080,9090,9100,9093,4001,6782-6784,6443,8443,9099,10250,10255,10256 "${@}"
}
nmap-kube-discover () {
local LOCAL_RANGE=$(ip a | awk '/eth0$/{print $2}' | sed 's,[0-9][0-9]*/.*,*,');
local SERVER_RANGES=" ";
SERVER_RANGES+="10.0.0.1 ";
SERVER_RANGES+="10.0.1.* ";
SERVER_RANGES+="10.*.0-1.* ";
nmap-kube ${SERVER_RANGES} "${LOCAL_RANGE}"
}
nmap-kube-discover
References
If you don't know what is RBAC, .
To enumerate the environment you can upload the binary and use it. Also, using the servicetoken obtained before you can manually access some endpoints of the API Server.
In order to find the the IP of the API service check the environment for a variable called KUBERNETES_SERVICE_HOST.
More info at:
The following Bash script (taken from a ) will install and scan the IP ranges of the kubernetes cluster: