HackingKubernetes

This repository contains information that can be used to hack Kubernetes.

Offensive

Articles

Securing Kubernetes Clusters by Eliminating Risky Permissions
Kubernetes Pentest Methodology Part 1
Kubernetes Pentest Methodology Part 2
Kubernetes Pentest Methodology Part 3
Eight Ways to Create a Pod
Leaked Code from Docker Registries
Kubernetes Pod Escape Using Log Mounts

kubelet

https://faun.pub/attacking-kubernetes-clusters-using-the-kubelet-api-abafc36126ca
https://rhinosecuritylabs.com/cloud-security/kubelet-tls-bootstrap-privilege-escalation/

Containers and Pods

Bad Pods: Kubernetes Pod Privilege Escalation
Risk8s Business: Risk Analysis of Kubernetes Clusters
CVE-2020-15157 "ContainerDrip" Write-up
Deep Dive into Real-World Kubernetes Threats
Unpatched Docker bug allows read-write access to host OS
Docker Container Breakout: Abusing SYS_MODULE capability!
Container Breakouts – Part 1: Access to root directory of the Host
Privileged Container Escapes with Kernel Modules

PDF

Abusing Privileged and Unprivileged Linux Containers
Defending Containers

Videos

Compromising Kubernetes Cluster by Exploiting RBAC Permissions

How We Used Kubernetes to Host a Capture the Flag (CTF) - Ariel Zelivansky & Liron Levin, Twistlock (presentation)

Crafty Requests: Deep Dive Into Kubernetes CVE-2018-1002105 - Ian Coldwater, Heroku (presentation)

A Hacker's Guide to Kubernetes and the Cloud - Rory McCune, NCC Group PLC (Intermediate Skill Level)

Advanced Persistence Threats: The Future of Kubernetes Attacks

Vulnerabilities

2020

Protecting Against an Unfixed Kubernetes Man-in-the-Middle Vulnerability (CVE-2020-8554)
Kubernetes Vulnerability Puts Clusters at Risk of Takeover (CVE-2020-8558)

2019

Top 5 Kubernetes Vulnerabilities of 2019 - the Year in Review

Kubectl vulnerability (CVE-2019-1002101)

Disclosing a directory traversal vulnerability in Kubernetes copy – CVE-2019-1002101

Kubernetes API server vulnerability (CVE-2019-11247)

Kubernetes billion laughs attack vulnerability (CVE-2019-11253)

CVE-2019-11253: Kubernetes API Server JSON/YAML parsing vulnerable to resource exhaustion attack

2018

Demystifying Kubernetes CVE-2018-1002105 (and a dead simple exploit)
[CVE-2018-18264 Privilege escalation through Kubernetes dashboard](https://sysdig.com/blog/privilege-escalation-kubernetes-dashboard/)

Tools

kubesploit
kubiscan
kubeletctl
kube-hunter

Defensive

Smarter Kubernetes Access Control: A Simpler Approach to Auth - Rob Scott, ReactiveOps

Others

Install minikube

The documentation can be found here. On an AWS Linux instance (the none driver runs minikube directly on the host and needs root), run:

curl -LO https://storage.googleapis.com/minikube/releases/latest/minikube-linux-amd64
install minikube-linux-amd64 /usr/local/bin/minikube
swapoff -a
minikube start --driver=none

Install kubectl

# https://kubernetes.io/docs/tasks/tools/install-kubectl-linux/
curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl"
install -o root -g root -m 0755 kubectl /usr/local/bin/kubectl

Create containers

Privileged container

kubectl apply -f - <<EOF
apiVersion: v1
kind: Pod
metadata:
  name: priv-pod
spec:
  containers:
  - name: sec-ctx-8
    image: gcr.io/google-samples/node-hello:1.0
    securityContext:
      allowPrivilegeEscalation: true
      privileged: true
      readOnlyRootFilesystem: true
      runAsNonRoot: true
      runAsUser: 1000
      capabilities:
        add: ["NET_ADMIN", "SYS_TIME"]
EOF

Container with passwords in environment variables

kubectl apply -f - <<EOF
apiVersion: v1
kind: Pod
metadata:
  name: envvars-db
  namespace: default
spec:
  containers:
  - name: envvars-multiple-secrets
    image: nginx
    env:
    - name: DB_USERNAME
      valueFrom:
        secretKeyRef:
          key: db-username-key
          name: db-username
    - name: DB_PASSWORD
      valueFrom:
        secretKeyRef:
          key: db-password-key
          name: db-password
EOF
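The two manifests above are useful as lab targets because each carries settings a defender should be able to spot automatically. The following audit script is an added example (not part of this repository) that reads a Pod in the JSON form kubectl get pod NAME -o json returns and flags the risky fields: privileged mode, allowPrivilegeEscalation, added capabilities, host namespaces, an auto-mounted service account token, and secrets injected as environment variables. The three embedded inputs are constructed samples: the priv-pod and envvars-db pods from this page, and a hardened variant of the same workload for contrast. It is a pod-level view only and does not see an opt-out set on the ServiceAccount object itself.

```python
import json

# Constructed sample: JSON form of the priv-pod manifest from this page, as
# `kubectl get pod priv-pod -o json` would return it (status fields omitted).
PRIV_POD_JSON = """
{
  "apiVersion": "v1", "kind": "Pod",
  "metadata": {"name": "priv-pod", "namespace": "default"},
  "spec": {
    "containers": [{
      "name": "sec-ctx-8",
      "image": "gcr.io/google-samples/node-hello:1.0",
      "securityContext": {
        "allowPrivilegeEscalation": true, "privileged": true,
        "readOnlyRootFilesystem": true, "runAsNonRoot": true, "runAsUser": 1000,
        "capabilities": {"add": ["NET_ADMIN", "SYS_TIME"]}
      }
    }]
  }
}
"""

# Constructed sample: the envvars-db pod, each secret wired to its matching key.
ENV_POD_JSON = """
{
  "apiVersion": "v1", "kind": "Pod",
  "metadata": {"name": "envvars-db", "namespace": "default"},
  "spec": {
    "containers": [{
      "name": "envvars-multiple-secrets", "image": "nginx",
      "env": [
        {"name": "DB_USERNAME", "valueFrom": {"secretKeyRef": {"name": "db-username", "key": "db-username-key"}}},
        {"name": "DB_PASSWORD", "valueFrom": {"secretKeyRef": {"name": "db-password", "key": "db-password-key"}}}
      ]
    }]
  }
}
"""

# Constructed sample: a hardened variant of the same workload (no token mount,
# no privilege escalation, all capabilities dropped) that should produce no findings.
HARDENED_POD_JSON = """
{
  "apiVersion": "v1", "kind": "Pod",
  "metadata": {"name": "hardened-pod", "namespace": "default"},
  "spec": {
    "automountServiceAccountToken": false,
    "containers": [{
      "name": "app", "image": "nginx",
      "securityContext": {
        "allowPrivilegeEscalation": false, "privileged": false,
        "readOnlyRootFilesystem": true, "runAsNonRoot": true, "runAsUser": 1000,
        "capabilities": {"drop": ["ALL"]}
      }
    }]
  }
}
"""

# Capabilities whose addition is commonly abused for container breakout or host tampering.
RISKY_CAPS = {"SYS_ADMIN", "SYS_MODULE", "SYS_PTRACE", "SYS_RAWIO", "NET_ADMIN",
              "DAC_READ_SEARCH", "SYS_TIME"}


def audit_pod(pod):
    """Return a list of human-readable findings for one Pod object (empty list = clean)."""
    findings = []
    spec = pod.get("spec", {})
    name = pod.get("metadata", {}).get("name", "<unnamed>")

    for flag in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(flag):
            findings.append(f"{name}: {flag}=true shares a host namespace with the node")

    # The token is mounted unless the pod opts out (the ServiceAccount can also opt out,
    # but that is not visible from the Pod object alone).
    if spec.get("automountServiceAccountToken", True):
        findings.append(f"{name}: service account token is auto-mounted into the container")

    for c in spec.get("initContainers", []) + spec.get("containers", []):
        cname = c.get("name", "<unnamed>")
        sc = c.get("securityContext", {})
        if sc.get("privileged"):
            findings.append(f"{name}/{cname}: privileged=true grants all capabilities and host devices")
        if sc.get("allowPrivilegeEscalation"):
            findings.append(f"{name}/{cname}: allowPrivilegeEscalation=true (setuid binaries can gain privileges)")
        for cap in sorted(set(sc.get("capabilities", {}).get("add", [])) & RISKY_CAPS):
            findings.append(f"{name}/{cname}: adds capability {cap}")
        for env in c.get("env", []):
            ref = env.get("valueFrom", {}).get("secretKeyRef")
            if ref:
                findings.append(f"{name}/{cname}: env {env['name']} exposes secret "
                                f"{ref['name']}/{ref['key']} to the process environment")
    return findings


def audit_json(text):
    """Audit `kubectl get pod ... -o json` output: a single Pod or a List of pods."""
    obj = json.loads(text)
    pods = obj["items"] if obj.get("kind") == "List" else [obj]
    findings = []
    for pod in pods:
        findings.extend(audit_pod(pod))
    return findings


if __name__ == "__main__":
    for sample in (PRIV_POD_JSON, ENV_POD_JSON, HARDENED_POD_JSON):
        for line in audit_json(sample) or ["clean"]:
            print(line)
```

Pipe real output in with kubectl get pods -A -o json and feed the text to audit_json; the hardened sample shows the settings that make each finding disappear.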

Service account with cluster-wide secret access

kubectl apply -f - <<EOF
apiVersion: v1
kind: Namespace
metadata:
  name: mars
---
apiVersion: v1
kind: ServiceAccount
metadata:
  namespace: mars
  name: user1
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: list-secrets
rules:
- apiGroups: ["*"]
  resources: ["secrets"]
  verbs: ["get", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: list-secrets-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: list-secrets
subjects:
  - kind: ServiceAccount
    name: user1
    namespace: mars
---
apiVersion: v1
kind: Pod
metadata:
  name: alpine-secret
  namespace: mars
spec:
  containers:
  - name: alpine-secret
    image: alpine
    command: ["/bin/sh"]
    args: ["-c", "sleep 100000"]
  serviceAccountName: user1
  automountServiceAccountToken: true
  hostNetwork: true
---
apiVersion: v1
kind: Secret
metadata:
  name: db-username
data:
  db-username-key: YWRtaW4=
---
apiVersion: v1
kind: Secret
metadata:
  name: db-password
data:
  db-password-key: MTIzNDU=
EOF
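The point of the manifest above is that a ClusterRole bound through a ClusterRoleBinding lets the service account user1 in namespace mars read Secrets in every namespace, including the db-username and db-password secrets in default. The script below is an added example (not part of this repository) that makes that reach visible: it takes RBAC objects in the List shape returned by kubectl get clusterroles,clusterrolebindings,roles,rolebindings -A -o json and maps each subject that can get secrets to the namespaces where it can do so. The embedded input is a constructed sample containing the ClusterRole and ClusterRoleBinding from this page plus a made-up RoleBinding for a service account user2 in a namespace venus, to show that binding the same ClusterRole through a RoleBinding confines it to one namespace. Aggregated ClusterRoles and resourceNames restrictions are not modelled.

```python
import json

# Constructed sample: the RBAC objects from the manifest above, plus a RoleBinding
# for "user2" in namespace "venus" that is made up here for contrast.
RBAC_JSON = """
{"kind": "List", "apiVersion": "v1", "items": [
  {"kind": "ClusterRole", "apiVersion": "rbac.authorization.k8s.io/v1",
   "metadata": {"name": "list-secrets"},
   "rules": [{"apiGroups": ["*"], "resources": ["secrets"], "verbs": ["get", "list"]}]},
  {"kind": "ClusterRoleBinding", "apiVersion": "rbac.authorization.k8s.io/v1",
   "metadata": {"name": "list-secrets-binding"},
   "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": "list-secrets"},
   "subjects": [{"kind": "ServiceAccount", "name": "user1", "namespace": "mars"}]},
  {"kind": "RoleBinding", "apiVersion": "rbac.authorization.k8s.io/v1",
   "metadata": {"name": "list-secrets-venus", "namespace": "venus"},
   "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": "list-secrets"},
   "subjects": [{"kind": "ServiceAccount", "name": "user2", "namespace": "venus"}]}
]}
"""

CLUSTER_WIDE = "*"  # scope marker meaning "every namespace"


def rule_allows(rule, api_group, resource, verb):
    """True if one RBAC rule grants `verb` on `resource` in `api_group` ("*" is a wildcard)."""
    def hit(values, wanted):
        return "*" in values or wanted in values
    return (hit(rule.get("apiGroups", []), api_group)
            and hit(rule.get("resources", []), resource)
            and hit(rule.get("verbs", []), verb))


def subject_id(subject):
    """Stable label for a binding subject; service accounts are qualified by namespace."""
    if subject["kind"] == "ServiceAccount":
        return f"ServiceAccount:{subject.get('namespace', 'default')}/{subject['name']}"
    return f"{subject['kind']}:{subject['name']}"


def secret_readers(rbac):
    """Map each bound subject to the set of namespaces in which it can `get` core Secrets."""
    roles = {}
    for o in rbac["items"]:
        if o["kind"] == "ClusterRole":
            roles[("ClusterRole", "", o["metadata"]["name"])] = o.get("rules", [])
        elif o["kind"] == "Role":
            roles[("Role", o["metadata"]["namespace"], o["metadata"]["name"])] = o.get("rules", [])

    readers = {}
    for o in rbac["items"]:
        if o["kind"] not in ("ClusterRoleBinding", "RoleBinding"):
            continue
        ref = o["roleRef"]
        binding_ns = o["metadata"].get("namespace", "")
        # A RoleBinding may reference a ClusterRole, but the grant then applies
        # only inside the binding's own namespace.
        role_ns = "" if ref["kind"] == "ClusterRole" else binding_ns
        rules = roles.get((ref["kind"], role_ns, ref["name"]), [])
        if not any(rule_allows(r, "", "secrets", "get") for r in rules):
            continue
        scope = CLUSTER_WIDE if o["kind"] == "ClusterRoleBinding" else binding_ns
        for s in o.get("subjects", []):
            readers.setdefault(subject_id(s), set()).add(scope)
    return readers


def secret_readers_from_json(text):
    """Convenience wrapper for raw `kubectl get ... -o json` text."""
    return secret_readers(json.loads(text))


if __name__ == "__main__":
    for subject, scopes in secret_readers_from_json(RBAC_JSON).items():
        where = "ALL namespaces" if CLUSTER_WIDE in scopes else ", ".join(sorted(scopes))
        print(f"{subject} can read secrets in {where}")
```

Run against a live cluster by saving the kubectl output to a file and passing its contents to secret_readers_from_json; any subject reported with ALL namespaces is a candidate for being rebound with a namespaced RoleBinding.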

Get ServiceAccount token by name

kubectl get secrets $(kubectl get sa <SERVICE_ACCOUNT_NAME> -o json | jq -r '.secrets[].name') -o json | jq -r '.data.token' | base64 -d

Function:

alias k=kubectl
function getSecretByName {
  k get secrets $(k get sa "$1" -o json | jq -r '.secrets[].name') -o json | jq -r '.data.token' | base64 -d
}

getSecretByName <SERVICE_ACCOUNT_NAME>

*Replace <SERVICE_ACCOUNT_NAME> with the name of the service account. This relies on the token Secret that Kubernetes created automatically for every service account before v1.24; on v1.24 and later the .secrets list is empty, and a short-lived token is issued instead with kubectl create token <SERVICE_ACCOUNT_NAME>.
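A token retrieved this way is a JWT, and its claims tell you which service account it belongs to and whether it ever expires: legacy secret-based tokens carry no exp claim and stay valid until the Secret is deleted, which is why they are worth hunting down on a cluster. The script below is an added example (not part of this repository) that decodes the claims without verifying the signature, purely for inspection, and reports the subject, issuer and expiry. The two embedded tokens are constructed: one carries the claim set of a legacy secret-based token for user1 in mars, the other the claim set of a bound token as produced by kubectl create token; the signatures are dummy bytes and the issuer URL and timestamps are made up.

```python
import base64
import json
import time


def b64url_decode(segment):
    """Decode a base64url segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_token(claims):
    """Assemble a JWT-shaped string for the constructed samples; the signature is a placeholder."""
    header = b64url_encode(json.dumps({"alg": "RS256", "kid": "constructed"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.{b64url_encode(b'not-a-real-signature')}"


# Constructed sample: claim set of a legacy secret-based token (note: no exp).
LEGACY_TOKEN = make_token({
    "iss": "kubernetes/serviceaccount",
    "kubernetes.io/serviceaccount/namespace": "mars",
    "kubernetes.io/serviceaccount/secret.name": "user1-token-xxxxx",
    "kubernetes.io/serviceaccount/service-account.name": "user1",
    "kubernetes.io/serviceaccount/service-account.uid": "00000000-0000-0000-0000-000000000000",
    "sub": "system:serviceaccount:mars:user1",
})

# Constructed sample: claim set of a bound token (kubectl create token / projected volume),
# with audience, issuer URL and a one-hour lifetime; values are made up.
BOUND_TOKEN = make_token({
    "iss": "https://kubernetes.default.svc.cluster.local",
    "aud": ["https://kubernetes.default.svc.cluster.local"],
    "sub": "system:serviceaccount:mars:user1",
    "kubernetes.io": {"namespace": "mars", "serviceaccount": {"name": "user1", "uid": "00000000-0000-0000-0000-000000000000"}},
    "iat": 1700000000, "nbf": 1700000000, "exp": 1700003600,
})


def inspect_token(token):
    """Return subject, issuer, expiry and a legacy flag for a service account JWT (no verification)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected header.payload.signature")
    claims = json.loads(b64url_decode(parts[1]))
    exp = claims.get("exp")
    return {
        "subject": claims.get("sub"),
        "issuer": claims.get("iss"),
        "expires": exp,
        # Secret-based tokens have no expiry; bound tokens always do.
        "legacy": exp is None,
        "expired": exp is not None and exp < time.time(),
    }


if __name__ == "__main__":
    for label, tok in (("legacy", LEGACY_TOKEN), ("bound", BOUND_TOKEN)):
        print(label, inspect_token(tok))
```

Feed the output of the getSecretByName function above into inspect_token to confirm what was retrieved; anything reported as legacy is a non-expiring credential and a reason to move the workload to projected (bound) tokens.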

Delete multiple containers

# delete by match with grep
kubectl delete po -n <NAMESPACE> $(kubectl get pods -n <NAMESPACE> -o go-template --template '{{range .items}}{{.metadata.name}}{{"\n"}}{{end}}' | grep <SEARCH_STRING>)

# delete specific pods
kubectl delete pods -n <NAMESPACE> $(echo -e 'alpine1\nalpine2\nalpine3')

Get docker container IPs

docker inspect --format='{{.Name}}' $(docker ps -aq -f label=kubelabel)
docker inspect --format='{{ .NetworkSettings.IPAddress }}' $(docker ps -aq -f label=kubelabel)