search
githubEdit

Escape to the node

hashtag
Example:

hashtag
If we have admin access to the cluster, we can create any resources we want.

hashtag
We can create a "bad" pod that mounts the node's file system.

hashtag
EVERYTHING-ALLOWED-EXEC-POD: https://github.com/BishopFox/badPods/blob/main/manifests/everything-allowed/pod/everything-allowed-exec-pod.yaml

hashtag
STEPS:

1) Pull a container image (minikube's local docker registry)

2)

kubectl apply -f BAD_POD.yml --token={TOKEN} (Create the "bad" pod for privesc)

3)

kubectl get pods --token={TOKEN}

4)

kubectl exec -it BAD_POD --token={TOKEN} -- /bin/bash

hashtag
Breakout of the Kubernetes environment

hashtag
After we created an ran our malicious pod, we can escape the Kubernetes environment by mounting the file system to the /tmp directory (example)

1)

2)

3) GGWP!

PreviousKubernetesNextKubectl-Kubeletctl

Last updated