Steam Cloud CTF Exploiting Kubernetes
The port scan reveals a number of Kubernetes-specific ports open. We cannot enumerate the Kubernetes API because it requires authentication. However, because the Kubelet allows anonymous access, we can extract a list of all the pods in the K8s cluster by enumerating the Kubelet service. From there, we can get into one of the pods and obtain the keys necessary to authenticate to the Kubernetes API. We can then create and spawn a malicious pod and use kubectl to run commands within it to read the root flag.
Running an Nmap scan to see which ports and services are open:
The ports I've seen are: 22/tcp, 2379/tcp, 2380/tcp, 8443/tcp, 10249/tcp, 10250/tcp and 10256/tcp.
I tried to connect to the service on port 8443, but it failed, probably because I am not authenticated.
So now I am going to try the Kubelet service.
That failed as well, but I think it was only for me, so I looked online to see how other people tackled the issue.
I found that someone used the kubeletctl_linux_amd64 binary from GitHub, with which we can query the service more neatly. The output below shows me listing the pods.
I can use the kubeletctl binary to check whether any of these pods allow us to execute commands. As you can see below, the image shows that commands can be run on the kube-proxy-bhb59 and NGINX pods.
The result indicates that commands can be executed on the NGINX pod. Let's see whether I can run id within NGINX.
Now that I have code execution on the NGINX pod, I should be able to use it to perform a privilege escalation. I am going to create my own highly privileged service account. First, I need to grab the token.
Next, I need to grab the CA certificate.
With these two things, I should now be able to perform higher-privileged operations. I will save the certificate to a file and export the token to an environment variable. I reran the certificate command but piped the output to a file using "| tee -a ca.cert". I ran the following to export the token to the token environment variable. Replace "--snip--" with the token.
With the token and certificate in my possession, I can use kubectl to talk to the host. As you can see from the command below, we can query the pods. Let's check which actions we can perform. The output below shows that we can get, create and list pods. I can see where this is going.
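The chain above rests on two misconfigurations: a Kubelet that answers anonymous requests with AlwaysAllow authorization, and a service-account token whose RBAC permits creating pods. The following is an added audit example (not code from the write-up) that encodes both as checks an operator can run offline against exported configuration; the dict contents are constructed samples, while the KubeletConfiguration keys and RBAC rule fields are the real API field names.

```python
# Constructed kubelet.config.k8s.io/v1beta1 fragments: the weak shape this box
# exhibits beside the hardened shape that stops unauthenticated pod listing
# and command execution on the Kubelet port.
WEAK_KUBELET = {
    "kind": "KubeletConfiguration",
    "authentication": {"anonymous": {"enabled": True}},
    "authorization": {"mode": "AlwaysAllow"},
}
HARDENED_KUBELET = {
    "kind": "KubeletConfiguration",
    "authentication": {"anonymous": {"enabled": False},
                       "webhook": {"enabled": True}},
    "authorization": {"mode": "Webhook"},
}

# Constructed RBAC rules: what the write-up's token could do (get, create and
# list pods) versus a read-only role that would have blocked the pod-spawning step.
OVERPRIVILEGED_RULES = [
    {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list", "create"]},
]
READ_ONLY_RULES = [
    {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]},
]

# Verbs and resources that let a token spawn or enter workloads; "*" covers all.
WRITE_VERBS = {"create", "update", "patch", "*"}
WORKLOAD_RESOURCES = {"pods", "pods/exec", "*"}


def audit_kubelet(cfg):
    """Return findings for a KubeletConfiguration dict; empty means hardened."""
    findings = []
    if cfg.get("authentication", {}).get("anonymous", {}).get("enabled") is True:
        findings.append("anonymous kubelet authentication is enabled")
    if cfg.get("authorization", {}).get("mode") == "AlwaysAllow":
        findings.append("kubelet authorization mode is AlwaysAllow")
    return findings


def audit_rbac(rules):
    """Return the rules that grant a write or exec verb on a workload resource."""
    return [r for r in rules
            if set(r.get("verbs", [])) & WRITE_VERBS
            and set(r.get("resources", [])) & WORKLOAD_RESOURCES]


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_KUBELET), ("hardened", HARDENED_KUBELET)):
        print(name, "kubelet:", audit_kubelet(cfg) or "no findings")
    print("overprivileged rules:", audit_rbac(OVERPRIVILEGED_RULES))
```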