Kubelet Attack
yanivyakobovich edited this page Jan 17, 2022
Light kubeletctl tool
Info: The kubelet exposes its API on the default port 10250/TCP, and this is one of the things we check when attacking a Kubernetes cluster. Privileged access to the kubelet's port, whether because authentication is disabled or because we hold the required permissions, lets us list the pods, access them, and possibly break out to the host (if one of the containers is privileged).
Research about kubelet - https://www.cyberark.com/resources/threat-research-blog/using-kubelet-client-to-attack-the-kubernetes-cluster
Requirements:
- /etc/kubernetes/kubelet.conf

```yaml
apiVersion: kubelet.config.k8s.io/v1beta1
authentication:
  anonymous:
    enabled: true        # allow anonymous calls to kubelet
# ...
authorization:
  mode: AlwaysAllow      # make sure this line exists; it authorizes any request
  #mode: Webhook         # make sure this line stays commented out
```

This configuration lets any caller, authenticated or not, use the kubelet API.
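To check a kubelet config for the two settings above without relying on the module, here is an added audit script (not part of this wiki or the Merlin project). It parses the simple indented `key: value` subset that kubelet configs use, so it needs no YAML library; the two configs embedded in it are constructed samples, and a key that is absent is reported as not set rather than resolved to the kubelet's default.

```python
"""Audit a KubeletConfiguration for anonymous auth and AlwaysAllow authorization."""

# Constructed sample: the weak configuration described on this page.
WEAK_CONFIG = """\
apiVersion: kubelet.config.k8s.io/v1beta1
kind: KubeletConfiguration
authentication:
  anonymous:
    enabled: true
authorization:
  mode: AlwaysAllow
  #mode: Webhook
"""

# Constructed sample: the same file with anonymous access off and webhook authz on.
HARDENED_CONFIG = """\
apiVersion: kubelet.config.k8s.io/v1beta1
kind: KubeletConfiguration
authentication:
  anonymous:
    enabled: false
  webhook:
    enabled: true
authorization:
  mode: Webhook
"""


def parse_simple_yaml(text):
    """Minimal parser for indented 'key: value' maps (not full YAML).
    Comments are stripped first, so a commented-out 'mode: Webhook' is ignored."""
    root, stack = {}, []
    stack.append((-1, root))  # (indent, mapping) pairs; root has indent -1
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while indent <= stack[-1][0]:  # climb back out of deeper mappings
            stack.pop()
        parent = stack[-1][1]
        if value.strip() == "":  # a key with no scalar opens a nested mapping
            parent[key] = {}
            stack.append((indent, parent[key]))
        else:
            parent[key] = value.strip()
    return root


def audit_kubelet_config(text):
    """Return the findings a defender cares about; empty list means both are safe."""
    cfg = parse_simple_yaml(text)
    findings = []
    if str(cfg.get("authentication", {}).get("anonymous", {}).get("enabled", "")).lower() == "true":
        findings.append("authentication.anonymous.enabled is true: unauthenticated calls reach the kubelet API")
    if cfg.get("authorization", {}).get("mode", "") == "AlwaysAllow":
        findings.append("authorization.mode is AlwaysAllow: every request, anonymous included, is authorized")
    return findings
```

Run `audit_kubelet_config(open("/etc/kubernetes/kubelet.conf").read())` on a node to list which of the two weak settings are present.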
Exploit:
- Establish a connection with the kubelet endpoint
- Use the available options:
  - Scan for containers with RCE
  - Scan for pods and containers
  - Scan for tokens from all available containers
  - Run a command with multiple options