Martin Spiering TP: Kubernetes Security
TP: Kubernetes Security
Context
The SOC team has noticed abnormal activity on a Kubernetes cluster. As a
member of the blue team, you have been asked to investigate. You have been
given admin access to the cluster and to the machines hosting it.
The alerts came from a webapp running in the cluster: a shell was opened inside
its container, and the SOC fears that the cluster may have been compromised
further. They have already identified and fixed the vulnerability in the
webapp. They want you to determine whether, and how, the attacker could have
pivoted inside the cluster or, worse, onto the hosts.
You are asked to deliver a report with your findings and the possible
remediations.
Before starting
Once you have connected to the machine with SSH, you can start investigating
with kubectl. You have full admin access to the Kubernetes cluster and can see
every resource.
Be careful: with that access you can also destroy resources. If that happens,
ask your teacher to reset the VM.
The only two commands you should need are:
- kubectl get
- kubectl describe
You can use other kubectl subcommands, but they are not required to complete
this task; they may or may not save you time.
For a full list of all the kubectl commands available, you can refer to the
documentation: https://kubernetes.io/docs/reference/kubectl/
A bash script named start.sh is also provided in the home directory. Running
it opens a shell in the compromised webapp container, so that you can retrace
the attacker's steps from the start.
The questions in this TP are there to guide you, but the report should NOT
contain only the answers to them. A comprehensive report is expected, tracing
the attacker's steps and proposing remediations.
It is preferred that you propose a remediation for each step you complete
rather than pushing to the end at all costs and ending up with few or no
remediations in your report.
A list of useful resources is compiled at the end of this document.
Inside the webapp container
Launch the start.sh script to open a shell in the webapp container.
Q1) Find a way to contact the Kubernetes API from inside the container.
Q2) Use the API to list the privileges held by the identity the container runs as.
Q3) Read the content of the Kubernetes resources the container has access to.
Q4) With that content, find a possible way to gain access to another application
inside the Kubernetes cluster.
Q5) Confirm your theory by listing all the services inside the cluster.
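The in-pod enumeration behind Q1, Q2, Q3 and Q5 needs nothing but curl and the service-account credentials that Kubernetes projects into every pod. The script below is an added worked example, not part of the original TP and not a description of the lab cluster: the file paths and KUBERNETES_SERVICE_* variables are the standard ones the kubelet sets in every container, the URLs are the public Kubernetes REST endpoints, and the live queries only run when a token is actually present, so the file is safe to read or source anywhere.

```shell
#!/bin/sh
# Added example (not from the TP): talk to the Kubernetes API from inside a pod
# with curl and the pod's own service-account credentials.
# The paths and variables below are the standard ones every pod receives.

SA_DIR="${SA_DIR:-/var/run/secrets/kubernetes.io/serviceaccount}"

# API server address, from the variables the kubelet injects into every
# container; the cluster DNS name is the fallback when they are missing.
k8s_api_url() {
    printf 'https://%s:%s' \
        "${KUBERNETES_SERVICE_HOST:-kubernetes.default.svc}" \
        "${KUBERNETES_SERVICE_PORT:-443}"
}

# Authenticated GET. The projected ca.crt lets curl verify the server (no -k
# needed); the bearer token identifies the pod's service account.
k8s_get() {
    curl -sS --cacert "$SA_DIR/ca.crt" \
        -H "Authorization: Bearer $(cat "$SA_DIR/token")" \
        "$(k8s_api_url)$1"
}

# Request body for a SelfSubjectRulesReview: "what may my identity do in
# namespace $1?". This is the object that `kubectl auth can-i --list` posts.
rules_review_body() {
    printf '{"kind":"SelfSubjectRulesReview","apiVersion":"authorization.k8s.io/v1","spec":{"namespace":"%s"}}' "$1"
}

# POST the review; the answer lists resourceRules and nonResourceRules (Q2).
k8s_list_my_rules() {
    curl -sS --cacert "$SA_DIR/ca.crt" \
        -H "Authorization: Bearer $(cat "$SA_DIR/token")" \
        -H 'Content-Type: application/json' \
        -X POST --data "$(rules_review_body "$1")" \
        "$(k8s_api_url)/apis/authorization.k8s.io/v1/selfsubjectrulesreviews"
}

# The live calls only run when a token is present, i.e. inside a pod whose
# service account is mounted.
if [ -r "$SA_DIR/token" ]; then
    NS=$(cat "$SA_DIR/namespace")
    echo "== API at $(k8s_api_url), namespace $NS"
    k8s_get "/api/v1/namespaces/$NS/pods"      # Q1: even a 403 proves the API is reachable
    k8s_list_my_rules "$NS"                    # Q2: what this service account may do
    k8s_get "/api/v1/namespaces/$NS/secrets"   # Q3: only readable if the rules allow it
    k8s_get "/api/v1/services"                 # Q5: every Service, cluster-wide
fi
```

A 403 on the pods or secrets listing is itself a finding: the API answered, so the token is valid, and the JSON Status object tells you exactly which verb on which resource was denied. Values under `data` in a Secret are base64-encoded and are decoded with `base64 -d`.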
Pivoting inside the cluster
Q6) Connect to this new service using what you’ve previously found.
Q7) Gain root privileges in the container.
Q8) Repeat Q1 to Q3 for this new container.
Escaping the container and gaining access to the host
Q9) Find a possible way to gain (at least partial at first, and then full) access to
the host from the container.
Q10) Put your theory into practice by reading the admin kubeconfig stored on
the host at /etc/rancher/k3s/k3s.yaml.
Q11) Bonus: Using that admin kubeconfig, find a way to escape the pod and
open a shell directly on the host.
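For Q9 to Q11 the underlying question is which pod settings let a root process inside a container reach the node. The script below is an added example, not part of the original TP, and it makes no claim about which of these settings the lab cluster actually uses: run from the SSH host, where kubectl and the admin kubeconfig are available, it lists every pod's escape-relevant fields with a kubectl jsonpath template and keeps only pods that have at least one of privileged containers, hostPID, hostNetwork or a hostPath volume. The triage_pods function works on the tab-separated lines alone, so it can be checked against constructed input; the kubectl call is only made when kubectl is installed.

```shell
#!/bin/sh
# Added example (not from the TP): admin-side triage of pod settings that let
# a root process in a container reach the node. Run where kubectl and the
# admin kubeconfig are available.

# jsonpath template: one tab-separated line per pod. An empty field means the
# setting is unset, i.e. the safe default.
#   1 namespace/name   2 privileged (one value per container)   3 hostPID
#   4 hostNetwork      5 hostPath paths (one per volume)         6 serviceAccountName
POD_JSONPATH='{range .items[*]}{.metadata.namespace}/{.metadata.name}{"\t"}{.spec.containers[*].securityContext.privileged}{"\t"}{.spec.hostPID}{"\t"}{.spec.hostNetwork}{"\t"}{.spec.volumes[*].hostPath.path}{"\t"}{.spec.serviceAccountName}{"\n"}{end}'

dump_pods() {
    kubectl get pods -A -o jsonpath="$POD_JSONPATH"
}

# Filter: keep pods with at least one escape indicator and print the reasons.
# Reads the TSV from stdin, so it runs without a cluster for testing.
triage_pods() {
    awk -F'\t' '
    {
        reasons = ""
        if ($2 ~ /true/)  reasons = reasons "privileged "
        if ($3 == "true") reasons = reasons "hostPID "
        if ($4 == "true") reasons = reasons "hostNetwork "
        if ($5 != "")     reasons = reasons "hostPath=" $5 " "
        if (reasons != "") print $1 "\t" reasons
    }'
}

if command -v kubectl >/dev/null 2>&1; then
    dump_pods | triage_pods
fi
```

Each flagged field maps directly to a remediation for the report: drop privileged, hostPID and hostNetwork unless the workload demonstrably needs them, replace a hostPath volume with a narrower volume type, and enforce the `restricted` Pod Security Standard on application namespaces (the `pod-security.kubernetes.io/enforce` namespace label) so that such pods are rejected at admission rather than found after the fact. The serviceAccountName column is there because a pod that can reach the node is only half the story; the rules that account holds (Q2) decide whether the host shell also comes with cluster-wide privileges.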
References
Kubectl documentation - https://kubernetes.io/docs/reference/kubectl/
Kubernetes documentation - https://kubernetes.io/docs/home/
Kubernetes pentesting - https://cloud.hacktricks.xyz/pentesting-cloud/kubernetes-security
Attacking Kubernetes from inside a pod - https://cloud.hacktricks.xyz/pentesting-cloud/kubernetes-security/attacking-kubernetes-from-inside-a-pod
Kubernetes Enumeration - https://cloud.hacktricks.xyz/pentesting-cloud/kubernetes-security/kubernetes-enumeration
Abusing Roles/ClusterRoles in Kubernetes - https://cloud.hacktricks.xyz/pentesting-cloud/kubernetes-security/abusing-roles-clusterroles-in-kubernetes
GTFOBins - https://gtfobins.github.io/