🕳️
The Cyber Security Library
  • The Library
  • Offensive Security
    • Solar, Exploiting log4j
      • Reconnaissance
      • Discovery
      • Proof of Concept
      • Exploitation
    • Basic Authentication Bypass
      • Username Enumeration
      • Brute Force
      • Logic Flaw
      • Cookie Tampering
    • Insekube
      • Recon with Nmap
      • Checking out the web address
      • Creating a Reverse shell
      • Inside the Kubernetes pod
      • CVE-2021-43798
    • Snort
      • What is Snort? (For the uninitiated)
      • Task exercise
      • Traffic Generator
      • Brief overview of IDS and IPS
      • Checking Snort
      • Snort Sniffer mode
      • Packet Logger mode
    • Runtime Detection Evasion
      • Learning Objectives of AMSI
      • Runtime detections
      • AMSI Overview
      • AMSI Instrumentation
      • Powershell Downgrade
      • Powershell Reflection
      • Patching AMSI
    • Red team recon using OSINT
      • Taxonomy of Reconnaissance
      • Built-in tools
      • Advanced Searching
      • Specialized Search Engines
  • Malware
    • Introduction to Malware Analysis
      • What are the different types of malware analysis
      • Doing different types of analysis
      • Anti analysis techniques
    • Ransomeware: Maze
    • Exploring Steganography
    • Simple Trojan with Python
      • The Python Trojan
      • Breaking down the python code
  • Vulnerability Management
    • Nessus
      • Introduction
      • Nessus Essentials
      • Scans
      • Authenticated Scans
      • Results
      • Running custom scans
  • Cloud
    • AWS
      • AWS CDK: Deploy and using amazon SQS Que from Repo
        • Node modules and Bootstrapping troubleshooting
        • Sending and Receiving information from the stack
        • Destroying the stack and cleaning up
      • Using Different AWS Services with Splunk
        • AWS Config
          • How Does Config work?
          • How to enable Config
          • Settings
          • Aggregation
          • Creating Config Resource
          • Creating Aggregator
          • Adding Rules
        • CloudTrail
          • What is CloudTrail?
          • Features of CloudTrail
          • Benefits of CloudTrail
          • CloudTrail Event History
          • Securing CloudTrail
        • EventBridge
          • Configuring EventBridge and Event Patterns
          • EventBridge Targets
        • CloudWatch
          • The CloudWatch Dashboard
            • Virtual Machine
          • CloudWatch Alarms and Metric Filters
            • Searching logs using metric filters
            • CloudWatch Alarms
          • CloudWatch CIS Alarms
            • SNS
        • Configuring VPC Flow Logs
          • An introduction to VPC flow logs
        • Automating Incident Response with EventBridge
          • Creating Lambda functions
        • CloudTrail SIEM Integration (Splunk)
          • AWS architecture for integrating with Splunk
      • AWS DevOps EBS Volumes
        • CloudWatch
        • EBS Volume
        • Lambda
      • EKS Creating a deployment with AWS in the command Line
        • Setting up AWS Cloud9
        • Creating a Cluster
        • Creating Deployment
      • How to CloudShell SSH in to ec2 Instances
    • Azure
      • Worker CTF (Azure DevOps)
        • Enumeration
        • Using SVN
        • Exploring the Domain
        • Cracking Azure DevOps console
      • Software development environments and Azure DevOps pipeline abuse
        • Accessing Azure Devops
        • Exploring Project Pages
  • Splunk
    • Splunk SIEM Integration
      • AWS architecture for integrating with Splunk
    • Splunk Threat Hunting Ep.6 Credential Access
  • DevOps
    • Using AWS, Docker, Jenkins and SonarQube to improve code quality
      • Updating the Cloud Instance and Getting Docker
      • Installing SonarQube
      • Creating Jenkins Server
      • Manaing SonarQube and Jenkins
    • Creating a Codebuild project and getting the output with CloudWatch Logs
      • IAM
      • CodeBuild
  • CTF's
    • THM Wonderland
      • Nmap and Gobuster
      • Entering Wonderland
      • Privilege Escalation
    • Healthcare OpenEMR system -THM Plotted EMR
      • Recon with Nmap
      • Exploring the ports found
      • Gobuster
      • Searchsploit Open emr
    • Steam Cloud CTF Exploiting Kubernetes
      • SteamCloud Privilege Escalation
    • THM Flatline CTF
      • Recon with Nmap
      • Searchsploit for freeswitch
      • Using the exploit
      • Escalating my privileges
      • Gaining access inside the Windows RDP
    • Biteme CTF
      • Recon
      • Looking into the PHP code and decoding hexadecimal
      • Python script and Bash script
      • Bruteforcing MFA Code
      • Trying to gain access via SSH
      • Inside SSH
      • Fail2ban Privilege Escalation
    • Devoops CTF
      • Enumeration
      • Exploiting Web Page
      • Creating Python exploit
    • GoBox CTF
      • Enumeration
      • Using Burpsuite and creating Reverse shell
    • Explore: Android Box
      • Enumeration
      • Initial foothold
      • Privilege escalation
Powered by GitBook
On this page
  1. CTF's

Steam Cloud CTF Exploiting Kubernetes

PreviousSearchsploit Open emrNextSteamCloud Privilege Escalation

Last updated 1 year ago

The port scan reveals that it has a bunch of Kubernetes specific ports open. We cannot enumerate the Kubernetes API because it requires authentication. Now, as Kubelet allows anonymous access, we can extract a list of all the pods from the K8s cluster by enumerating the Kubelet service. Furthermore, we can get into one of the pods and obtain the keys necessary to authenticate into the Kubernetes API. We can now create and spawn a malicious pod and then use Kubectl to run commands within the pod to read the root flag

Running Nmap scan to see what ports and services are open -

Ports ive seen are; 22 tcp, 2379 tcp, 2380 tcp, 8443 tcp, 10249 tcp, 10250 tcp, 10256 tcp

Tried to connect to the 8443 server to listen but it failed probably because I am not authenticated.

So now I am going to try Kubelet service

That failed as well but I think it was only for me, so I looked online to see how other people tackled the issue.

I found that someone used the kubeletctl_linux_amd64 binary from GitHub, we can query the service more neatly. The output below shows me listing the pods.

I can use the Kubeletctl binary to check whether any of these Pods allow us to execute commands. As you can see below, the image shows that commands can be run on the kube-proxy-bhb59 and NGINX pods.

The result indicates that commands can be executed on the Nginx pod. Let's see whether I can run id within Nginx.

Now that I have code execution on the NGINX pod, I should be able to use it to perform a privilege escalation. I am going to create our own highly privileged service account. First, we need to grab the token.

Next, I need to grab the CA certificate.

With these two things, I should now be able to perform higher privileged operations. I will save the certificate to a file and we export the token to an environmental variable. I reran the certificate command but piped the output to a file using ‘| tee -a ca.cert’. I ran the following to export the token to the token environmental variable. Replace ‘–snip–‘ with the token.

Kubectl

With the token and certificate in my possession, I can use Kubectl to talk to the host. As you can see from the command below we can query the pod. Let’s check to see what actions we can perform. The output below shows that we can get, create and list pods. I can see where this is going.