This repository contains information that can be used to hack Kubernetes.
Securing Kubernetes Clusters by Eliminating Risky Permissions
Kubernetes Pentest Methodology Part 1
Kubernetes Pentest Methodology Part 2
Kubernetes Pentest Methodology Part 3
Eight Ways to Create a Pod
Leaked Code from Docker Registries
Kubernetes Pod Escape Using Log Mounts
https://faun.pub/attacking-kubernetes-clusters-using-the-kubelet-api-abafc36126ca
https://rhinosecuritylabs.com/cloud-security/kubelet-tls-bootstrap-privilege-escalation/
Bad Pods: Kubernetes Pod Privilege Escalation
Risk8s Business: Risk Analysis of Kubernetes Clusters
CVE-2020-15157 "ContainerDrip" Write-up
Deep Dive into Real-World Kubernetes Threats
Unpatched Docker bug allows read-write access to host OS
Docker Container Breakout: Abusing SYS_MODULE capability!
Container Breakouts – Part 1: Access to root directory of the Host
Privileged Container Escapes with Kernel Modules
Digging into cgroups Escape
Understanding Docker container escapes
Abusing Privileged and Unprivileged Linux Containers
Defending Containers
Compromising Kubernetes Cluster by Exploiting RBAC Permissions
How We Used Kubernetes to Host a Capture the Flag (CTF) - Ariel Zelivansky & Liron Levin, Twistlock (presentation)
Crafty Requests: Deep Dive Into Kubernetes CVE-2018-1002105 - Ian Coldwater, Heroku (presentation)
A Hacker's Guide to Kubernetes and the Cloud - Rory McCune, NCC Group PLC (Intermediate Skill Level)
Advanced Persistence Threats: The Future of Kubernetes Attacks
Hack my mis-configured Kubernetes - Or Kamara
LISA19 - Deep Dive into Kubernetes Internals for Builders and Operators
DIY Pen-Testing for Your Kubernetes Cluster - Liz Rice, Aqua Security
Hacking and Hardening Kubernetes Clusters by Example
Tutorial: Attacking and Defending Kube...
Securing (and pentesting) the great spaghetti monster (k8s)
Jay Beale - Kubernetes Practical Attack and Defense
Jay Beale - Quick Intro Attacking a Kubernetes Cluster
Jay Beale - Attacking and Defending Kubernetes - DEF CON 27 Packet Hacking Village
Jay Beale - Kubernetes Attack and Defense: Inception-Style
Jay Beale - RSA2019: Hacking and Hardening Kubernetes
Attacking Kubernetes Clusters Through Your Network Plumbing
Magno Logan - TrendMicro: Kubernetes Security - Attacking and Defending K8s Clusters
Magno Logan - CloudSecNextSummit2021: Kubernetes Security - Attacking and Defending K8s Clusters
Magno Logan - Hackfest HF: Kubernetes Security: Attacking and Defending K8s Clusters
Protecting Against an Unfixed Kubernetes Man-in-the-Middle Vulnerability (CVE-2020-8554)
Kubernetes Vulnerability Puts Clusters at Risk of Takeover (CVE-2020-8558)
Top 5 Kubernetes Vulnerabilities of 2019 - the Year in Review
Disclosing a directory traversal vulnerability in Kubernetes copy – CVE-2019-1002101
Kubernetes API server vulnerability (CVE-2019-11247)
CVE-2019-11253: Kubernetes API Server JSON/YAML parsing vulnerable to resource exhaustion attack
Demystifying Kubernetes CVE-2018-1002105 (and a dead simple exploit)
[CVE-2018-18264 Privilege escalation through Kubernetes dashboard](https://sysdig.com/blog/privilege-escalation-kubernetes-dashboard/)
kubesploit
kubiscan
kubeletctl
kube-hunter
Smarter Kubernetes Access Control: A Simpler Approach to Auth - Rob Scott, ReactiveOps
Reference from here.
```bash
# remove old versions
apt-get remove docker docker-engine docker.io containerd runc
# install
apt-get update
apt-get install \
    apt-transport-https \
    ca-certificates \
    curl \
    gnupg \
    lsb-release
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | gpg --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg
echo \
  "deb [arch=amd64 signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/ubuntu \
  $(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
apt-get update
apt-get install docker-ce docker-ce-cli containerd.io
```
The documentation can be found here. In AWS you need to run:
```bash
curl -LO https://storage.googleapis.com/minikube/releases/latest/minikube-linux-amd64
install minikube-linux-amd64 /usr/local/bin/minikube
swapoff -a
apt install conntrack
minikube start --driver=none
```
```bash
# https://kubernetes.io/docs/tasks/tools/install-kubectl-linux/
curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl"
install -o root -g root -m 0755 kubectl /usr/local/bin/kubectl
```
```bash
kubectl apply -f - <<EOF
apiVersion: v1
kind: Pod
metadata:
  name: priv-pod
spec:
  containers:
  - name: sec-ctx-8
    image: gcr.io/google-samples/node-hello:1.0
    securityContext:
      allowPrivilegeEscalation: true
      privileged: true
      readOnlyRootFilesystem: true
      runAsNonRoot: true
      runAsUser: 1000
      capabilities:
        add: ["NET_ADMIN", "SYS_TIME"]
EOF
```
```bash
# Pod that reads the db-username / db-password secrets (created below) into env vars
kubectl apply -f - <<EOF
apiVersion: v1
kind: Pod
metadata:
  name: envvars-db
  namespace: default
spec:
  containers:
  - name: envvars-multiple-secrets
    image: nginx
    env:
    - name: DB_PASSWORD
      valueFrom:
        secretKeyRef:
          key: db-password-key
          name: db-password
    - name: DB_USERNAME
      valueFrom:
        secretKeyRef:
          key: db-username-key
          name: db-username
EOF
```
```bash
# Namespace, service account, cluster-wide secret-reading role and binding,
# a pod running as that service account, and the two secrets used above
kubectl apply -f - <<EOF
apiVersion: v1
kind: Namespace
metadata:
  creationTimestamp: null
  name: mars
---
apiVersion: v1
kind: ServiceAccount
metadata:
  namespace: mars
  name: user1
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: list-secrets
rules:
- apiGroups: ["*"]
  resources: ["secrets"]
  verbs: ["get", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: list-secrets-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: list-secrets
subjects:
- kind: ServiceAccount
  name: user1
  namespace: mars
---
apiVersion: v1
kind: Pod
metadata:
  name: alpine-secret
  namespace: mars
spec:
  containers:
  - name: alpine-secret
    image: alpine
    command: ["/bin/sh"]
    args: ["-c", "sleep 100000"]
  serviceAccountName: user1
  automountServiceAccountToken: true
  hostNetwork: true
---
apiVersion: v1
kind: Secret
metadata:
  name: db-username
data:
  db-username-key: YWRtaW4=
---
apiVersion: v1
kind: Secret
metadata:
  name: db-password
data:
  db-password-key: MTIzNDU=
EOF
```
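The manifests above create a service account that can read every secret in the cluster and pods that are privileged or share the host network, which is exactly what "Securing Kubernetes Clusters by Eliminating Risky Permissions" warns about. As an added example (not code from this repository), the following Python script audits hand-parsed copies of those objects for those settings; `MANIFESTS` is a constructed rendering of the page's YAML, trimmed to the fields the checks need, so it runs offline without a cluster or PyYAML.

```python
# Added example, not part of this repository. MANIFESTS is a constructed,
# hand-parsed copy of the page's YAML objects (only the fields audited here).
MANIFESTS = [
    {"kind": "ClusterRole", "metadata": {"name": "list-secrets"},
     "rules": [{"apiGroups": ["*"], "resources": ["secrets"], "verbs": ["get", "list"]}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "list-secrets-binding"},
     "roleRef": {"kind": "ClusterRole", "name": "list-secrets"},
     "subjects": [{"kind": "ServiceAccount", "name": "user1", "namespace": "mars"}]},
    {"kind": "Pod", "metadata": {"name": "priv-pod"},
     "spec": {"containers": [{"name": "sec-ctx-8", "securityContext":
              {"privileged": True, "allowPrivilegeEscalation": True}}]}},
    {"kind": "Pod", "metadata": {"name": "alpine-secret", "namespace": "mars"},
     "spec": {"hostNetwork": True, "serviceAccountName": "user1",
              "containers": [{"name": "alpine-secret"}]}},
]

def secret_readers(manifests):
    """(namespace, serviceaccount, role) for every SA a ClusterRoleBinding lets get/list secrets."""
    risky = set()
    for m in manifests:
        if m["kind"] != "ClusterRole":
            continue
        for rule in m.get("rules", []):
            # a wildcard resource or verb is as dangerous as naming secrets explicitly
            if (set(rule.get("resources", [])) & {"secrets", "*"}
                    and set(rule.get("verbs", [])) & {"get", "list", "*"}):
                risky.add(m["metadata"]["name"])
    found = []
    for m in manifests:
        if m["kind"] == "ClusterRoleBinding" and m["roleRef"]["name"] in risky:
            for s in m.get("subjects", []):
                if s["kind"] == "ServiceAccount":
                    found.append((s["namespace"], s["name"], m["roleRef"]["name"]))
    return found

def risky_pods(manifests):
    """(namespace/pod, reason) for pods on the host network or with a privileged container."""
    findings = []
    for m in manifests:
        if m["kind"] != "Pod":
            continue
        ident = m["metadata"].get("namespace", "default") + "/" + m["metadata"]["name"]
        if m["spec"].get("hostNetwork"):
            findings.append((ident, "hostNetwork"))
        for c in m["spec"].get("containers", []):
            sc = c.get("securityContext", {})
            for flag in ("privileged", "allowPrivilegeEscalation"):
                if sc.get(flag):
                    findings.append((ident, c["name"] + ":" + flag))
    return findings
```

Against the page's objects it reports `mars/user1` as a cluster-wide secret reader via `list-secrets`, `priv-pod` for both privilege flags and `alpine-secret` for `hostNetwork`.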
```bash
# Dump the token of a service account's auto-generated token secret
# (clusters before 1.24 create these automatically; newer ones use 'kubectl create token')
kubectl get secrets $(kubectl get sa <SERVICE_ACCOUNT_NAME> -o json | jq -r '.secrets[].name') -o json | jq -r '.data.token' | base64 -d
```
Function:
```bash
alias k=kubectl
function getSecretByName {
    k get secrets $(k get sa $1 -o json | jq -r '.secrets[].name') -o json | jq -r '.data.token' | base64 -d
}
getSecretByName <serviceAccountName>
```
*Replace <SERVICE_ACCOUNT_NAME> with the service account's name.
```bash
# delete by match with grep
kubectl delete po $(kubectl get pods -o go-template -n <NAMESPACE> --template '{{range .items}}{{.metadata.name}}{{"\n"}}{{end}}' | grep <SEARCH_STRING>) -n <NAMESPACE>
# delete specific pods
kubectl delete pods -n <NAMESPACE> $(echo -e 'alpine1\nalpine2\nalpine3')
```
```bash
# names and IP addresses of the containers carrying the kubelabel label
docker inspect --format='{{.Name}}' $(docker ps -aq -f label=kubelabel)
docker inspect --format='{{ .NetworkSettings.IPAddress }}' $(docker ps -aq -f label=kubelabel)
```