HackingKubernetes

This repository contains information that can be used to hack Kubernetes.

Offensive

Articles

Securing Kubernetes Clusters by Eliminating Risky Permissions
Kubernetes Pentest Methodology Part 1
Kubernetes Pentest Methodology Part 2
Kubernetes Pentest Methodology Part 3
Eight Ways to Create a Pod
Leaked Code from Docker Registries
Kubernetes Pod Escape Using Log Mounts

kubelet

https://faun.pub/attacking-kubernetes-clusters-using-the-kubelet-api-abafc36126ca
https://rhinosecuritylabs.com/cloud-security/kubelet-tls-bootstrap-privilege-escalation/

Containers and Pods

Bad Pods: Kubernetes Pod Privilege Escalation
Risk8s Business: Risk Analysis of Kubernetes Clusters
CVE-2020-15157 "ContainerDrip" Write-up
Deep Dive into Real-World Kubernetes Threats
Unpatched Docker bug allows read-write access to host OS
Docker Container Breakout: Abusing SYS_MODULE capability!
Container Breakouts – Part 1: Access to root directory of the Host
Privileged Container Escapes with Kernel Modules
Digging into cgroups Escape
Understanding Docker container escapes

PDF

Abusing Privileged and Unprivileged Linux Containers
Defending Containers

Videos

Compromising Kubernetes Cluster by Exploiting RBAC Permissions
How We Used Kubernetes to Host a Capture the Flag (CTF) - Ariel Zelivansky & Liron Levin, Twistlock (presentation)
Crafty Requests: Deep Dive Into Kubernetes CVE-2018-1002105 - Ian Coldwater, Heroku (presentation)
A Hacker's Guide to Kubernetes and the Cloud - Rory McCune, NCC Group PLC (Intermediate Skill Level)
Advanced Persistence Threats: The Future of Kubernetes Attacks
Hack my mis-configured Kubernetes - Or Kamara
LISA19 - Deep Dive into Kubernetes Internals for Builders and Operators
DIY Pen-Testing for Your Kubernetes Cluster - Liz Rice, Aqua Security
Hacking and Hardening Kubernetes Clusters by Example
Tutorial: Attacking and Defending Kube...
Securing (and pentesting) the great spaghetti monster (k8s)
Jay Beale - Kubernetes Practical Attack and Defense
Jay Beale - Quick Intro Attacking a Kubernetes Cluster
Jay Beale - Attacking and Defending Kubernetes - DEF CON 27 Packet Hacking Village
Jay Beale - Kubernetes Attack and Defense: Inception-Style
Jay Beale - RSA20219: Hacking and Hardening Kubernetes
Attacking Kubernetes Clusters Through Your Network Plumbing
Magno Logan - TrendMicro: Kubernetes Security - Attacking and Defending K8s Clusters
Magno Logan - CloudSecNextSummit2021: Kubernetes Security - Attacking and Defending K8s Clusters
Magno Logan - Hackfest HF: Kubernetes Security: Attacking and Defending K8s Clusters

Vulnerabilities

2020

Protecting Against an Unfixed Kubernetes Man-in-the-Middle Vulnerability (CVE-2020-8554)
Kubernetes Vulnerability Puts Clusters at Risk of Takeover (CVE-2020-8558)

2019

Top 5 Kubernetes Vulnerabilities of 2019 - the Year in Review

Kubectl vulnerability (CVE-2019-1002101)

Disclosing a directory traversal vulnerability in Kubernetes copy – CVE-2019-1002101

Kubernetes API server vulnerability (CVE-2019-11247)

Kubernetes API server vulnerability (CVE-2019-11247)

Kubernetes billion laughs attack vulnerability (CVE-2019-11253)

CVE-2019-11253: Kubernetes API Server JSON/YAML parsing vulnerable to resource exhaustion attack

2018

Demystifying Kubernetes CVE-2018-1002105 (and a dead simple exploit)
CVE-2018-18264 Privilege escalation through Kubernetes dashboard: https://sysdig.com/blog/privilege-escalation-kubernetes-dashboard/

Tools

kubesploit
kubiscan
kubeletctl
kube-hunter

Defensive

Smarter Kubernetes Access Control: A Simpler Approach to Auth - Rob Scott, ReactiveOps

Others

Install Docker on Ubuntu

Reference from here.

# remove old versions
apt-get remove docker docker-engine docker.io containerd runc
# install
apt-get update
apt-get install \
    apt-transport-https \
    ca-certificates \
    curl \
    gnupg \
    lsb-release
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | gpg --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg
echo \
  "deb [arch=amd64 signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/ubuntu \
  $(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null

apt-get update
apt-get install docker-ce docker-ce-cli containerd.io

Install minikube

The documentation can be found here. In AWS you need to run:

curl -LO https://storage.googleapis.com/minikube/releases/latest/minikube-linux-amd64
install minikube-linux-amd64 /usr/local/bin/minikube
swapoff -a
apt install conntrack
minikube start --driver=none

Install kubectl

# https://kubernetes.io/docs/tasks/tools/install-kubectl-linux/
curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl"
install -o root -g root -m 0755 kubectl /usr/local/bin/kubectl

Create containers

Privileged container

kubectl apply -f - <<EOF
apiVersion: v1
kind: Pod
metadata:
  name: priv-pod
spec:
  containers:
  - name: sec-ctx-8
    image: gcr.io/google-samples/node-hello:1.0
    securityContext:
      allowPrivilegeEscalation: true
      privileged: true
      readOnlyRootFilesystem: true
      runAsNonRoot: true
      runAsUser: 1000
      capabilities:
        add: ["NET_ADMIN", "SYS_TIME"]
EOF

Container with passwords in environment variables

kubectl apply -f - <<EOF
apiVersion: v1
kind: Pod
metadata:
  name: envvars-db
  namespace: default
spec:
  containers:
  - name: envvars-multiple-secrets
    image: nginx
    env:
    - name: DB_USERNAME
      valueFrom:
        secretKeyRef:
          key: db-username-key
          name: db-username
    - name: DB_PASSWORD
      valueFrom:
        secretKeyRef:
          key: db-password-key
          name: db-password
EOF

kubectl apply -f - <<EOF

apiVersion: v1
kind: Namespace
metadata:
  creationTimestamp: null
  name: mars
---

apiVersion: v1
kind: ServiceAccount
metadata:
  namespace: mars
  name: user1
  
---

kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  # ClusterRole is cluster-scoped, so it takes no namespace
  name: list-secrets
rules:
- apiGroups: ["*"]
  resources: ["secrets"]
  verbs: ["get", "list"]
  
---

# rbac.authorization.k8s.io/v1beta1 was removed in Kubernetes 1.22; use v1
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: list-secrets-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: list-secrets
subjects:
  - kind: ServiceAccount
    name: user1
    namespace: mars
    
---

apiVersion: v1
kind: Pod
metadata:
  name: alpine-secret
  namespace: mars
spec:
  containers:
  - name: alpine-secret
    image: alpine
    command: ["/bin/sh"]
    args: ["-c", "sleep 100000"]
  serviceAccountName: user1
  automountServiceAccountToken: true
  hostNetwork: true
---

apiVersion: v1
kind: Secret
metadata:
  name: db-username
data:
  db-username-key: YWRtaW4=

---

apiVersion: v1
kind: Secret
metadata:
  name: db-password
data:
  db-password-key: MTIzNDU=

EOF
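
The objects created above combine several settings a cluster audit should flag: a privileged container with added capabilities, hostNetwork, and an automounted token for a service account that can read secrets cluster-wide. The check below is an added example, not code from this repository; the function names and the sample objects (constructed to mirror the manifests on this page, in the shape of `kubectl get <kind> -o json` items) are assumptions.

```python
# Added example (not from the repository). Sample data is constructed to
# mirror the lab manifests; objects use the `kubectl get -o json` item shape.
def audit_pod(pod):
    """Return the risky settings found in one Pod object."""
    spec, found = pod["spec"], []
    if spec.get("hostNetwork"):
        found.append("hostNetwork")
    if spec.get("automountServiceAccountToken", True):  # unset is treated as mounted
        found.append("token-automount:" + spec.get("serviceAccountName", "default"))
    for c in spec.get("containers", []):
        sc = c.get("securityContext") or {}
        if sc.get("privileged"):
            found.append(c["name"] + ":privileged")
        if sc.get("allowPrivilegeEscalation", True):  # allowed unless set to false
            found.append(c["name"] + ":allowPrivilegeEscalation")
        for cap in (sc.get("capabilities") or {}).get("add") or []:
            found.append(c["name"] + ":cap-add:" + cap)
    return found

def grants_secret_read(role):
    """True if a rule allows get/list on core-group secrets (wildcards count)."""
    return any({"", "*"} & set(r.get("apiGroups", []))
               and {"secrets", "*"} & set(r.get("resources", []))
               and {"get", "list", "*"} & set(r.get("verbs", []))
               for r in role.get("rules") or [])

def secret_readers(roles, bindings):
    """Subjects bound cluster-wide to a ClusterRole that can read secrets."""
    risky = {r["metadata"]["name"] for r in roles if grants_secret_read(r)}
    return [(s["kind"], s.get("namespace", ""), s["name"])
            for b in bindings
            if b["roleRef"]["kind"] == "ClusterRole" and b["roleRef"]["name"] in risky
            for s in b.get("subjects") or []]

PODS = [  # constructed: priv-pod and alpine-secret from the lab
    {"metadata": {"name": "priv-pod"}, "spec": {"containers": [{
        "name": "sec-ctx-8", "securityContext": {
            "privileged": True, "allowPrivilegeEscalation": True,
            "capabilities": {"add": ["NET_ADMIN", "SYS_TIME"]}}}]}},
    {"metadata": {"name": "alpine-secret"}, "spec": {
        "serviceAccountName": "user1", "automountServiceAccountToken": True,
        "hostNetwork": True, "containers": [{"name": "alpine-secret"}]}},
]
ROLES = [{"metadata": {"name": "list-secrets"}, "rules": [
    {"apiGroups": ["*"], "resources": ["secrets"], "verbs": ["get", "list"]}]}]
BINDINGS = [{"roleRef": {"kind": "ClusterRole", "name": "list-secrets"},
             "subjects": [{"kind": "ServiceAccount", "name": "user1", "namespace": "mars"}]}]

if __name__ == "__main__":
    print({p["metadata"]["name"]: audit_pod(p) for p in PODS}, secret_readers(ROLES, BINDINGS))
```

The rule check ignores resourceNames restrictions and namespaced RoleBindings, so treat its output as a starting list for review.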

Get ServiceAccount token by name

kubectl get secrets $(kubectl get sa <SERVICE_ACCOUNT_NAME> -o json | jq -r '.secrets[].name') -o json | jq -r '.data.token' | base64 -d

Function:

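alias k=kubectl
# Prints the decoded token of the Secret attached to a ServiceAccount.
# On Kubernetes 1.24+ token Secrets are no longer auto-created, so .secrets
# may be empty; there, request a token with: kubectl create token <SERVICE_ACCOUNT_NAME>
function getSecretByName {
k get secrets $(k get sa "$1" -o json | jq -r '.secrets[].name') -o json | jq -r '.data.token' | base64 -d
}

getSecretByName <SERVICE_ACCOUNT_NAME>

*Replace <SERVICE_ACCOUNT_NAME> with the name of the service account.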

Delete multiple containers

# delete pods whose names match a grep pattern
kubectl delete po $(kubectl get pods -o go-template -n <NAMESPACE> --template '{{range .items}}{{.metadata.name}}{{"\n"}}{{end}}' | grep <SEARCH_STRING>) -n <NAMESPACE>

# delete specific pods
kubectl delete pods -n <NAMESPACE> $(echo -e 'alpine1\nalpine2\nalpine3')

Get docker container IPs

docker inspect --format='{{.Name}}' $(docker ps -aq -f label=kubelabel)
docker inspect --format='{{ .NetworkSettings.IPAddress }}' $(docker ps -aq -f label=kubelabel)