Using a Leaked Kubernetes Config
Published at Dec 17, 2022 - 07:07 AM
Introduction
Kuber-what-now?
I have a nice introductory post that covers some of the basics of Kubernetes and can help you spin up a test cluster.
Okay so, leaked config
Sometimes in the real world you might gain access to a developer workstation, via a method like RBCD (resource-based constrained delegation), and recover a Kubernetes configuration file. But what can this file do? How can we use it to escalate privileges? Let's take a look 🔎.
Common Situations
So in what cases would Kubernetes access be useful to us when all we want is Domain Administrator? Well, here are some situations where you will definitely want to gain access to the cluster:
- Kubernetes cluster is storing application secrets
- Kubernetes cluster is configured to talk to an internal repository whose containers hold developer API keys and secrets
- Rancher is deployed to manage the Kubernetes cluster, and has credentials to access vSphere or other virtualisation software (haha it's almost like I've seen this in real life 👀)
- Kubernetes cluster is hosting sensitive applications
Smash and Grab
Okay okay, so we need to set up our tools to talk to the cluster. What do we do? We need two things:
- Kubernetes config file
- kubectl
Kubectl is a command line tool used to communicate with the Kubernetes API server. It can be used to grab information about, and make modifications to, the cluster.
Authorization checks
Kubectl actually has a built-in utility that allows us to retrieve a list of all our privileges:
```
kubectl auth can-i --list
```
Of course, this is limited to our current namespace, but we can also check our global cluster permissions like so:
```
kubectl auth can-i --list -A
```
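As an added example (not the post's own code), a small POSIX shell triage of the `kubectl auth can-i --list` output: it flags the permissions that make a leaked config dangerous (cluster-wide wildcards, secret reads, pod creation) so the blast radius can be judged quickly when a workstation is compromised. The sample output below is constructed, and the column layout assumed is the one kubectl prints (Resources, Non-Resource URLs, Resource Names, Verbs).

```shell
#!/bin/sh
# Constructed sample of `kubectl auth can-i --list` output for a restricted identity.
SAMPLE_CAN_I='Resources                                       Non-Resource URLs   Resource Names   Verbs
selfsubjectaccessreviews.authorization.k8s.io   []                  []               [create]
selfsubjectrulesreviews.authorization.k8s.io    []                  []               [create]
secrets                                         []                  []               [get list]
pods                                            []                  []               [create]
configmaps                                      []                  []               [get]
                                                [/healthz]          []               [get]'

# Constructed sample for a cluster-admin style identity (wildcard resource and verbs).
SAMPLE_CAN_I_ADMIN='Resources   Non-Resource URLs   Resource Names   Verbs
*.*         []                  []               [*]'

# Reads `kubectl auth can-i --list` output on stdin and prints one finding per
# risky rule. Non-resource URL rows (empty Resources column) are ignored.
triage_can_i_list() {
  awk '
    NR == 1 { next }                       # header row
    $1 ~ /^\[/ { next }                    # row with no resource (non-resource URL)
    {
      res = $1
      line = $0
      sub(/.*\[/, "", line)                # greedy: keep text after the LAST "["
      sub(/\].*$/, "", line)               # drop the closing "]" -> bare verb list
      verbs = line
      if (res == "*.*" || verbs == "*") {
        print "CRITICAL " res " [" verbs "]"; next
      }
      if (res == "secrets" && verbs ~ /(^| )(get|list|watch)( |$)/) {
        print "HIGH secrets read [" verbs "]"; next
      }
      if ((res == "pods" || res == "pods/exec") && verbs ~ /(^| )create( |$)/) {
        print "HIGH " res " create [" verbs "]"; next
      }
    }
  '
}

# Stand-alone run over the constructed samples; with a real config you would
# pipe `kubectl auth can-i --list` (and `-A`) into triage_can_i_list instead.
printf '%s\n' "$SAMPLE_CAN_I" | triage_can_i_list
printf '%s\n' "$SAMPLE_CAN_I_ADMIN" | triage_can_i_list
```

A clean report for a leaked config is not a pass: the check only covers the namespace it was run in, so repeat it with `-A` before concluding the blast radius is small.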
Grab Secrets
So let's look at a real-world example of how we would quickly grab a secret from our current namespace:
```
$ kubectl get secrets
NAME             TYPE     DATA   AGE
db-credentials   Opaque   2      12d
$ kubectl get secret db-credentials -o jsonpath='{.data}' -n ${NAMESPACE}
```
That's all well and good, but what if we want to look at all the secrets? Well, we could always ask for the resource across all namespaces:
```
kubectl get secrets --all-namespaces
```
If you're still interested in going a bit deeper down the Kubernetes rabbit hole, there is a follow-up blog post. That post demonstrates how you can use pod spawning permissions to pivot around the cluster, which can be helpful if the recovered config has restricted permissions.