IT评测·应用市场-qidao123.com

标题: 容器渗透横向 [打印本页]

---

作者: 尚未崩坏    时间: 2025-1-17 21:07
标题: 容器渗透横向
本质上要得到

1.得到容器IP段
2.得到主机IP段
3.得到本机IP
4.通过CNI或Docker0等扫描本机端口

Flannel

容器信息

1. root@ubuntu-linux-22-04-desktop:/home/parallels/Desktop# k get po -A -o wide
2. NAMESPACE      NAME                                                 READY   STATUS                   RESTARTS         AGE    IP            NODE                         NOMINATED NODE   READINESS GATES
3. default        escaper                                              1/1     Running                  0                24h    10.244.0.53   ubuntu-linux-22-04-desktop   <none>           <none>
4. default        rootdir-escape-7d96587449-cjhz7                      1/1     Running                  4 (3d2h ago)     33d    10.244.1.94   node2                        <none>           <none>
5. default        rootdir-escape-7d96587449-ftmhp                      0/1     ContainerStatusUnknown   4 (33d ago)      83d    10.244.1.56   node2                        <none>           <none>
6. default        tomcat01-7f555c84f7-hgzjh                            0/1     ImagePullBackOff         0                25h    10.244.0.49   ubuntu-linux-22-04-desktop   <none>           <none>
7. default        tomcat01-7fd8849567-gthhh                            0/1     ImagePullBackOff         1 (3d2h ago)     33d    10.244.1.93   node2                        <none>           <none>
8. kube-flannel   kube-flannel-ds-7jmkz                                1/1     Running                  10 (3d2h ago)    57d    10.211.55.7   node2                        <none>           <none>
9. kube-flannel   kube-flannel-ds-fg7wh                                1/1     Running                  89 (3d ago)      439d   10.211.55.6   ubuntu-linux-22-04-desktop   <none>           <none>
10. kube-system    coredns-6d8c4cb4d-7ll4q                              1/1     Running                  14966 (3d ago)   439d   10.244.0.48   ubuntu-linux-22-04-desktop   <none>           <none>
11. kube-system    coredns-6d8c4cb4d-v2v6s                              1/1     Running                  14970 (3d ago)   439d   10.244.0.46   ubuntu-linux-22-04-desktop   <none>           <none>
12. kube-system    etcd-ubuntu-linux-22-04-desktop                      1/1     Running                  11 (3d ago)      118d   10.211.55.6   ubuntu-linux-22-04-desktop   <none>           <none>
13. kube-system    kube-apiserver-ubuntu-linux-22-04-desktop            1/1     Running                  433 (3d ago)     400d   10.211.55.6   ubuntu-linux-22-04-desktop   <none>           <none>
14. kube-system    kube-controller-manager-ubuntu-linux-22-04-desktop   1/1     Running                  855 (3d ago)     439d   10.211.55.6   ubuntu-linux-22-04-desktop   <none>           <none>
15. kube-system    kube-proxy-wbhzx                                     1/1     Running                  84 (3d ago)      439d   10.211.55.6   ubuntu-linux-22-04-desktop   <none>           <none>
16. kube-system    kube-proxy-wbnkq                                     1/1     Running                  9 (3d2h ago)     57d    10.211.55.7   node2                        <none>           <none>
17. kube-system    kube-scheduler-ubuntu-linux-22-04-desktop            1/1     Running                  900 (3d ago)     439d   10.211.55.6   ubuntu-linux-22-04-desktop   <none>           <none>
18. sectest        detector-5qvmq                                       1/1     Running                  4 (3d ago)       21d    10.244.0.47   ubuntu-linux-22-04-desktop   <none>           <none>
19. sectest        detector-kd6hm                                       1/1     Running                  3 (3d2h ago)     21d    10.244.1.92   node2

复制代码

网卡信息

node1

1. root@ubuntu-linux-22-04-desktop:/home/parallels/code/CloudPentestSuite# ip a
2. 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
3.     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
4.     inet 127.0.0.1/8 scope host lo
5.        valid_lft forever preferred_lft forever
6.     inet6 ::1/128 scope host
7.        valid_lft forever preferred_lft forever
8. 2: enp0s5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
9.     link/ether 00:1c:42:23:16:2f brd ff:ff:ff:ff:ff:ff
10.     inet 10.211.55.6/24 metric 100 brd 10.211.55.255 scope global dynamic enp0s5
11.        valid_lft 1002sec preferred_lft 1002sec
12.     inet6 fdb2:2c26:f4e4:0:21c:42ff:fe23:162f/64 scope global dynamic mngtmpaddr noprefixroute
13.        valid_lft 2591674sec preferred_lft 604474sec
14.     inet6 fe80::21c:42ff:fe23:162f/64 scope link
15.        valid_lft forever preferred_lft forever
16. 3: docker_gwbridge: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
17.     link/ether 02:42:a9:12:87:bc brd ff:ff:ff:ff:ff:ff
18.     inet 172.19.0.1/16 brd 172.19.255.255 scope global docker_gwbridge
19.        valid_lft forever preferred_lft forever
20. 4: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
21.     link/ether 02:42:95:9f:9c:b1 brd ff:ff:ff:ff:ff:ff
22.     inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
23.        valid_lft forever preferred_lft forever
24.     inet6 fe80::42:95ff:fe9f:9cb1/64 scope link
25.        valid_lft forever preferred_lft forever
26. 5: flannel.1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc noqueue state UNKNOWN group default
27.     link/ether 2e:52:7e:36:bb:f6 brd ff:ff:ff:ff:ff:ff
28.     inet 10.244.0.0/32 scope global flannel.1
29.        valid_lft forever preferred_lft forever
30.     inet6 fe80::2c52:7eff:fe36:bbf6/64 scope link
31.        valid_lft forever preferred_lft forever
32. 6: cni0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc noqueue state UP group default qlen 1000
33.     link/ether 5e:2b:ff:49:bf:21 brd ff:ff:ff:ff:ff:ff
34.     inet 10.244.0.1/24 brd 10.244.0.255 scope global cni0
35.        valid_lft forever preferred_lft forever
36.     inet6 fe80::5c2b:ffff:fe49:bf21/64 scope link
37.        valid_lft forever preferred_lft forever
38. 7: veth8c1b6acf@if2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc noqueue master cni0 state UP group default
39.     link/ether 62:67:e7:13:1f:2e brd ff:ff:ff:ff:ff:ff link-netnsid 0
40.     inet6 fe80::6067:e7ff:fe13:1f2e/64 scope link
41.        valid_lft forever preferred_lft forever
42. 8: vethbaadb61c@if2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc noqueue master cni0 state UP group default
43.     link/ether ca:ee:34:ac:90:d1 brd ff:ff:ff:ff:ff:ff link-netnsid 1
44.     inet6 fe80::c8ee:34ff:feac:90d1/64 scope link
45.        valid_lft forever preferred_lft forever
46. 8: veth49d153e6@if2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc noqueue master cni0 state UP group default
47.     link/ether f2:d0:0f:78:59:37 brd ff:ff:ff:ff:ff:ff link-netnsid 2
48.     inet6 fe80::f0d0:fff:fe78:5937/64 scope link
49.        valid_lft forever preferred_lft forever
50. 10: veth49b58a71@if2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc noqueue master cni0 state UP group default
51.     link/ether 4a:7d:06:37:d8:7d brd ff:ff:ff:ff:ff:ff link-netnsid 3
52.     inet6 fe80::487d:6ff:fe37:d87d/64 scope link
53.        valid_lft forever preferred_lft forever
54. 11: vethd96bd702@if2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc noqueue master cni0 state UP group default
55.     link/ether 6a:a7:34:e5:00:86 brd ff:ff:ff:ff:ff:ff link-netnsid 4
56.     inet6 fe80::68a7:34ff:fee5:86/64 scope link
57.        valid_lft forever preferred_lft forever
58. 12: veth7f1682e@if30: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP group default
59.     link/ether e6:a8:05:01:40:16 brd ff:ff:ff:ff:ff:ff link-netnsid 5
60.     inet6 fe80::e4a8:5ff:fe01:4016/64 scope link
61.        valid_lft forever preferred_lft forever

复制代码

node2

1. root@node2:/home/parallels# ip a
2. 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
3.     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
4.     inet 127.0.0.1/8 scope host lo
5.        valid_lft forever preferred_lft forever
6.     inet6 ::1/128 scope host
7.        valid_lft forever preferred_lft forever
8. 2: enp0s5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
9.     link/ether 00:1c:42:ea:e4:e4 brd ff:ff:ff:ff:ff:ff
10.     inet 10.211.55.7/24 brd 10.211.55.255 scope global enp0s5
11.        valid_lft forever preferred_lft forever
12.     inet6 fdb2:2c26:f4e4:0:21c:42ff:feea:e4e4/64 scope global dynamic mngtmpaddr noprefixroute
13.        valid_lft 2591800sec preferred_lft 604600sec
14.     inet6 fe80::21c:42ff:feea:e4e4/64 scope link
15.        valid_lft forever preferred_lft forever
16. 3: br-2133897d2ca9: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
17.     link/ether 02:42:fe:62:1e:ce brd ff:ff:ff:ff:ff:ff
18. 4: br-53b41bbd8455: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
19.     link/ether 02:42:0d:36:42:b5 brd ff:ff:ff:ff:ff:ff
20.     inet6 fe80::42:dff:fe36:42b5/64 scope link
21.        valid_lft forever preferred_lft forever
22. 5: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
23.     link/ether 02:42:0a:01:3e:44 brd ff:ff:ff:ff:ff:ff
24. 15: veth3a2c643@if14: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-53b41bbd8455 state UP group default
25.     link/ether 4e:ae:51:95:b0:96 brd ff:ff:ff:ff:ff:ff link-netnsid 1
26.     inet6 fe80::4cae:51ff:fe95:b096/64 scope link
27.        valid_lft forever preferred_lft forever
28. 17: vethcf86640@if16: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-53b41bbd8455 state UP group default
29.     link/ether b6:a5:9e:65:ee:ec brd ff:ff:ff:ff:ff:ff link-netnsid 0
30.     inet6 fe80::b4a5:9eff:fe65:eeec/64 scope link
31.        valid_lft forever preferred_lft forever
32. 19: veth52d72dd@if18: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-53b41bbd8455 state UP group default
33.     link/ether 82:b1:11:13:d4:0c brd ff:ff:ff:ff:ff:ff link-netnsid 2
34.     inet6 fe80::80b1:11ff:fe13:d40c/64 scope link
35.        valid_lft forever preferred_lft forever
36. 34: flannel.1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc noqueue state UNKNOWN group default
37.     link/ether be:22:e7:6f:f7:ef brd ff:ff:ff:ff:ff:ff
38.     inet 10.244.1.0/32 scope global flannel.1
39.        valid_lft forever preferred_lft forever
40.     inet6 fe80::bc22:e7ff:fe6f:f7ef/64 scope link
41.        valid_lft forever preferred_lft forever
42. 35: cni0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc noqueue state UP group default qlen 1000
43.     link/ether 92:63:7e:1c:2f:9d brd ff:ff:ff:ff:ff:ff
44.     inet 10.244.1.1/24 brd 10.244.1.255 scope global cni0
45.        valid_lft forever preferred_lft forever
46.     inet6 fe80::9063:7eff:fe1c:2f9d/64 scope link
47.        valid_lft forever preferred_lft forever
48. 36: vethd3d21947@if2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc noqueue master cni0 state UP group default
49.     link/ether 92:43:ba:8b:b6:78 brd ff:ff:ff:ff:ff:ff link-netnsid 4
50.     inet6 fe80::9043:baff:fe8b:b678/64 scope link
51.        valid_lft forever preferred_lft forever
52. 37: veth31c95721@if2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc noqueue master cni0 state UP group default
53.     link/ether b6:ee:ea:c9:59:3a brd ff:ff:ff:ff:ff:ff link-netnsid 5
54.     inet6 fe80::b4ee:eaff:fec9:593a/64 scope link
55.        valid_lft forever preferred_lft forever
56. 38: veth1b480f08@if2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc noqueue master cni0 state UP group default
57.     link/ether 7a:02:0b:ac:22:59 brd ff:ff:ff:ff:ff:ff link-netnsid 6
58.     inet6 fe80::6410:d3ff:fea2:2626/64 scope link
59.        valid_lft forever preferred_lft forever
60. 25913: veth4ca56da@if25912: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-53b41bbd8455 state UP group default
61.     link/ether 0a:24:ac:9b:8b:07 brd ff:ff:ff:ff:ff:ff link-netnsid 3
62.     inet6 fe80::824:acff:fe9b:8b07/64 scope link
63.        valid_lft forever preferred_lft forever
64. root@node2:/home/parallels#
65. root@node2:/home/parallels#
66. root@node2:/home/parallels#
67. root@node2:/home/parallels#
68. root@node2:/home/parallels# ip a
69. 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
70.     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
71.     inet 127.0.0.1/8 scope host lo
72.        valid_lft forever preferred_lft forever
73.     inet6 ::1/128 scope host
74.        valid_lft forever preferred_lft forever
75. 2: enp0s5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
76.     link/ether 00:1c:42:ea:e4:e4 brd ff:ff:ff:ff:ff:ff
77.     inet 10.211.55.7/24 brd 10.211.55.255 scope global enp0s5
78.        valid_lft forever preferred_lft forever
79.     inet6 fdb2:2c26:f4e4:0:21c:42ff:feea:e4e4/64 scope global dynamic mngtmpaddr noprefixroute
80.        valid_lft 2591796sec preferred_lft 604596sec
81.     inet6 fe80::21c:42ff:feea:e4e4/64 scope link
82.        valid_lft forever preferred_lft forever
83. 3: br-2133897d2ca9: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
84.     link/ether 02:42:fe:62:1e:ce brd ff:ff:ff:ff:ff:ff
85. 4: br-53b41bbd8455: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
86.     link/ether 02:42:0d:36:42:b5 brd ff:ff:ff:ff:ff:ff
87.     inet6 fe80::42:dff:fe36:42b5/64 scope link
88.        valid_lft forever preferred_lft forever
89. 5: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
90.     link/ether 02:42:0a:01:3e:44 brd ff:ff:ff:ff:ff:ff
91. 15: veth3a2c643@if14: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-53b41bbd8455 state UP group default
92.     link/ether 4e:ae:51:95:b0:96 brd ff:ff:ff:ff:ff:ff link-netnsid 1
93.     inet6 fe80::4cae:51ff:fe95:b096/64 scope link
94.        valid_lft forever preferred_lft forever
95. 17: vethcf86640@if16: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-53b41bbd8455 state UP group default
96.     link/ether b6:a5:9e:65:ee:ec brd ff:ff:ff:ff:ff:ff link-netnsid 0
97.     inet6 fe80::b4a5:9eff:fe65:eeec/64 scope link
98.        valid_lft forever preferred_lft forever
99. 19: veth52d72dd@if18: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-53b41bbd8455 state UP group default
100.     link/ether 82:b1:11:13:d4:0c brd ff:ff:ff:ff:ff:ff link-netnsid 2
101.     inet6 fe80::80b1:11ff:fe13:d40c/64 scope link
102.        valid_lft forever preferred_lft forever
103. 34: flannel.1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc noqueue state UNKNOWN group default
104.     link/ether be:22:e7:6f:f7:ef brd ff:ff:ff:ff:ff:ff
105.     inet 10.244.1.0/32 scope global flannel.1
106.        valid_lft forever preferred_lft forever
107.     inet6 fe80::bc22:e7ff:fe6f:f7ef/64 scope link
108.        valid_lft forever preferred_lft forever
109. 35: cni0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc noqueue state UP group default qlen 1000
110.     link/ether 92:63:7e:1c:2f:9d brd ff:ff:ff:ff:ff:ff
111.     inet 10.244.1.1/24 brd 10.244.1.255 scope global cni0
112.        valid_lft forever preferred_lft forever
113.     inet6 fe80::9063:7eff:fe1c:2f9d/64 scope link
114.        valid_lft forever preferred_lft forever
115. 36: vethd3d21947@if2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc noqueue master cni0 state UP group default
116.     link/ether 92:43:ba:8b:b6:78 brd ff:ff:ff:ff:ff:ff link-netnsid 4
117.     inet6 fe80::9043:baff:fe8b:b678/64 scope link
118.        valid_lft forever preferred_lft forever
119. 37: veth31c95721@if2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc noqueue master cni0 state UP group default
120.     link/ether b6:ee:ea:c9:59:3a brd ff:ff:ff:ff:ff:ff link-netnsid 5
121.     inet6 fe80::b4ee:eaff:fec9:593a/64 scope link
122.        valid_lft forever preferred_lft forever
123. 38: veth1b480f08@if2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc noqueue master cni0 state UP group default
124.     link/ether 7a:02:0b:ac:22:59 brd ff:ff:ff:ff:ff:ff link-netnsid 6
125.     inet6 fe80::6410:d3ff:fea2:2626/64 scope link
126.        valid_lft forever preferred_lft forever
127. 25963: veth6a3543e@if25962: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-53b41bbd8455 state UP group default
128.     link/ether a2:ca:b6:cd:19:7a brd ff:ff:ff:ff:ff:ff link-netnsid 3
129.     inet6 fe80::a0ca:b6ff:fecd:197a/64 scope link
130.        valid_lft forever preferred_lft forever

复制代码

通过Docker运行容器

1. root@18c7d48fca76:/# ip a
2. 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
3.     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
4.     inet 127.0.0.1/8 scope host lo
5.        valid_lft forever preferred_lft forever
6. 30: eth0@if31: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
7.     link/ether 02:42:ac:11:00:02 brd ff:ff:ff:ff:ff:ff link-netnsid 0
8.     inet 172.17.0.2/16 brd 172.17.255.255 scope global eth0
9.        valid_lft forever preferred_lft forever

复制代码

自身IP 失败

1. root@18c7d48fca76:/# curl https://172.17.0.2:10250/pods --insecure
2. curl: (7) Failed to connect to 172.17.0.2 port 10250 after 0 ms: Connection refused

复制代码

docker0 乐成

1. root@18c7d48fca76:/# curl https://172.17.0.1:10250/pods --insecure
2. {"kind":"PodList","apiVersion":"v1","metadata":{},"items":[{"metadata":{"name":"coredns-6d8c4cb4d-7ll4q","generateName":"coredns-6d8c4cb4d-","namespace":"kube-system","uid":"a12aa7c3-ba0a-425e-ac58-96d372e6d473","resourceVersion":"13905304","creationTimestamp":"2023-11-02T09:41:34Z","labels":{"k8s-app":"kube-dns","pod-template-hash":"6d8c4cb4d"},"annotations":{"kubernetes.io/config.seen":"2025-01-12T12:24:55.886401680+08:00","kubernetes.io/config.source":"api"},"ownerReferences":[{"apiVersion":"apps/v1","kind":"ReplicaSet","name":"coredns-6d8c4cb4d","uid":"32c3b707-2c34-4bd0-bbc9-cc724c9ab8e3","controller":true,"blockOwnerDeletion":true}],"managedFields":[{"manager":"kube-controller-manager","operation":"Update","apiVersion":"v1","time":"2023-11-02T09:41:34Z","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:generateName":{},"f:labels":{".":{},"f:k8s-app":{},"f:pod-template-hash":{}},"f:ownerReferences":{".":{},"k:{"uid":"32c3b707-2c34-4bd0-bbc9-cc724c9ab8e3"}":{}}},"f:spec":{"f:containers":{"k:{"name":"coredns"}":{".":{},"f:args":{},"f:image":{},"f:imagePullPolicy":{},"f:livenessProbe":{".":{},"f:failureThreshold":{},"f:httpGet":{".":{},"f:path":{},"f:port":{},"f:scheme":{}},"f:initialDelaySeconds":{},"f:periodSeconds":{},"f:successThreshold":{},"f:timeoutSeconds":{}},"f:name":{},"f:ports":{".":{},"k:{"containerPort":53,"protocol":"TCP"}":{".":{},"f:containerPort":{},"f:name":{},"f:protocol":{}},"k:{"contai

复制代码

flannel.1 乐成 

1. root@18c7d48fca76:/# curl https://10.244.0.0:10250/pods --insecure
2. {"kind":"PodList","apiVersion":"v1","metadata":{},"items":[{"metadata":{"name":"coredns-6d8c4cb4d-v2v6s","generateName":"coredns-6d8c4cb4d-","namespace":"kube-system","uid":"7fbaad56-7595-460a-9687-a295ed79b24c","resourceVersion":"13905287","creationTimestamp":"2023-11-02T09:41:34Z","labels":{"k8s-app":"kube-dns","pod-template-hash":"6d8c4cb4d"},"annotations":{"kubernetes.io/config.seen":"2025-01-12T12:24:55.886404222+08:00","kubernetes.io/config.source":"api"},"ownerReferences":[{"apiVersion":"apps/v1","kind":"ReplicaSet","name":"coredns-6d8c4cb4d","uid":"32c3b707-2c34-4bd0-bbc9-cc724c9ab8e3","controller":true,"blockOwnerDeletion":true}],"managedFields":[{"manager":"kube-controller-manager","operation":"Update","apiVersion":"v1","time":"2023-11-02T09:41:34Z","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:generateName":{},"f:labels":{".":{},"f:k8s-app":{},"f:pod-template-hash":{}},"f:ownerReferences":{".":{},"k:{"uid":\

复制代码

cni0 乐成

1. root@18c7d48fca76:/# curl https://10.244.0.0:10250/pods --insecure
2. {"kind":"PodList","apiVersion":"v1","metadata":{},"items":[{"metadata":{"name":"coredns-6d8c4cb4d-v2v6s","generateName":"coredns-6d8c4cb4d-","namespace":"kube-system","uid":"7fbaad56-7595-460a-9687-a295ed79b24c","resourceVersion":"13905287","creationTimestamp":"2023-11-02T09:41:34Z","labels":{"k8s-app":"kube-dns","pod-template-hash":"6d8c4cb4d"},"annotations":{"kubernetes.io/config.seen":"2025-01-12T12:24:55.886404222+08:00","kubernetes.io/config.source":"api"},"ownerReferences":[{"apiVersion":"apps/v1","kind":"ReplicaSet","name":"coredns-6d8c4cb4d","uid":"32c3b707-2c34-4bd0-bbc9-cc724c9ab8e3","controller":true,"blockOwnerDeletion":true}],"managedFields":[{"manager":"kube-controller-manager","operation":"Update","apiVersion":"v1","time":"2023-11-02T09:41:34Z","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:generateName":{},"f:labels":{".":{},"f:k8s-app":{},"f:pod-template-hash":{}},"f:ownerReferences":{".":{},"k:{"uid":\

复制代码

自身节点主机IP 乐成

1. root@18c7d48fca76:/# curl https://10.211.55.6:10250/pods --insecure
2. {"kind":"PodList","apiVersion":"v1","metadata":{},"items":[{"metadata":{"name":"kube-flannel-ds-fg7wh","generateName":"kube-flannel-ds-","namespace":"kube-flannel","uid":"cffe6a8a-c03b-4cab-aaf5-52af441f2b15","resourceVersion":"13864130","creationTimestamp":"2023-11-02T09:45:27Z","labels":{"app":"flannel","controller-revision-hash":"6b69bb98dd","pod-template-generation":"1","tier":"node"},"annotations":{"kubernetes.io/config.seen":"2025-01-12T12:24:55.886404972+08:00","kubernetes.io/config.source":"api"},"ownerReferences":[{"apiVersion":"apps/v1","kind":"DaemonSet","name":"kube-flannel-ds","uid":"8beb07f0-980c-48a5-bdfa-ae1b5ca4bbca","controller":true,"blockOwnerDeletion":true}],"managedFields":[{"manager":"kube-controller-manager","operation":"Update","apiVersion":"v1","time":"2023-11-02T09:45:27Z","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:generateName":{},"f:labels":{".":{},"f:app":{},"f:controller-revision-hash":{},"f:pod-template-generation":{},"f:tier":{}},"f:ownerReferences":{".":{},"k:{"uid":"8beb07f0-980c-48a5-bdfa-ae1b5ca4bbca"}":{}}},"f:spec":{"f:affinity":{".":{},"f:nodeAffinity":{".":{},"f:requiredDuringSchedulingIgnoredDuringExecution":{}}},"f:containers":{"k:{"name":"kube-flannel"}":{".":{},"f:args":{},

复制代码

其他节点 乐成（由于未开Kubelet未授权，以是用ping替换）

1. root@18c7d48fca76:/# ping 10.211.55.7
2. PING 10.211.55.7 (10.211.55.7): 56 data bytes
3. 64 bytes from 10.211.55.7: icmp_seq=0 ttl=63 time=2.653 ms
4. 64 bytes from 10.211.55.7: icmp_seq=1 ttl=63 time=0.610 ms
5. ^C--- 10.211.55.7 ping statistics ---

复制代码

通过k8s容器运行的容器

1. root@escaper:/home# ip a
2. 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
3.     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
4.     inet 127.0.0.1/8 scope host lo
5.        valid_lft forever preferred_lft forever
6. 2: eth0@if27: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc noqueue state UP group default
7.     link/ether 46:a7:ed:f5:62:a7 brd ff:ff:ff:ff:ff:ff link-netnsid 0
8.     inet 10.244.0.53/24 brd 10.244.0.255 scope global eth0
9.        valid_lft forever preferred_lft forever

复制代码

自身IP 失败

1. root@escaper:/home#  curl https://10.244.0.53:10250/pods --insecure
2. curl: (7) Failed to connect to 10.244.0.53 port 10250 after 0 ms: Connection refused

复制代码

 docker0 乐成

1. root@18c7d48fca76:/# curl https://172.17.0.1:10250/pods --insecure
2. {"kind":"PodList","apiVersion":"v1","metadata":{},"items":[{"metadata":{"name":"coredns-6d8c4cb4d-7ll4q","generateName":"coredns-6d8c4cb4d-","namespace":"kube-system","uid":"a12aa7c3-ba0a-425e-ac58-96d372e6d473","resourceVersion":"13905304","creationTimestamp":"2023-11-02T09:41:34Z","labels":{"k8s-app":"kube-dns","pod-template-hash":"6d8c4cb4d"},"annotations":{"kubernetes.io/config.seen":"2025-01-12T12:24:55.886401680+08:00","kubernetes.io/config.source":"api"},"ownerReferences":[{"apiVersion":"apps/v1","kind":"ReplicaSet","name":"coredns-6d8c4cb4d","uid":"32c3b707-2c34-4bd0-bbc9-cc724c9ab8e3","controller":true,"blockOwnerDeletion":true}],"managedFields":[{"manager":"kube-controller-manager","operation":"Update","apiVersion":"v1","time":"2023-11-02T09:41:34Z","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:generateName":{},"f:labels":{".":{},"f:k8s-app":{},"f:pod-template-hash":{}},"f:ownerReferences":{".":{},"k:{"uid":"32c3b707-2c34-4bd0-bbc9-cc724c9ab8e3"}":{}}},"f:spec":{"f:containers":{"k:{"name":"coredns"}":{".":{},"f:args":{},"f:image":{},"f:imagePullPolicy":{},"f:livenessProbe":{".":{},"f:failureThreshold":{},"f:httpGet":{".":{},"f:path":{},"f:port":{},"f:scheme":{}},"f:initialDelaySeconds":{},"f:periodSeconds":{},"f:successThreshold":{},"f:timeoutSeconds":{}},"f:name":{},"f:ports":{".":{},"k:{"containerPort":53,"protocol":"TCP"}":{".":{},"f:containerPort":{},"f:name":{},"f:protocol":{}},"k:{"contai

复制代码

 flannel.1 乐成 

1. root@18c7d48fca76:/# curl https://10.244.0.0:10250/pods --insecure
2. {"kind":"PodList","apiVersion":"v1","metadata":{},"items":[{"metadata":{"name":"coredns-6d8c4cb4d-v2v6s","generateName":"coredns-6d8c4cb4d-","namespace":"kube-system","uid":"7fbaad56-7595-460a-9687-a295ed79b24c","resourceVersion":"13905287","creationTimestamp":"2023-11-02T09:41:34Z","labels":{"k8s-app":"kube-dns","pod-template-hash":"6d8c4cb4d"},"annotations":{"kubernetes.io/config.seen":"2025-01-12T12:24:55.886404222+08:00","kubernetes.io/config.source":"api"},"ownerReferences":[{"apiVersion":"apps/v1","kind":"ReplicaSet","name":"coredns-6d8c4cb4d","uid":"32c3b707-2c34-4bd0-bbc9-cc724c9ab8e3","controller":true,"blockOwnerDeletion":true}],"managedFields":[{"manager":"kube-controller-manager","operation":"Update","apiVersion":"v1","time":"2023-11-02T09:41:34Z","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:generateName":{},"f:labels":{".":{},"f:k8s-app":{},"f:pod-template-hash":{}},"f:ownerReferences":{".":{},"k:{"uid":\

复制代码

cni0 乐成 

1. root@18c7d48fca76:/# curl https://10.244.0.0:10250/pods --insecure
2. {"kind":"PodList","apiVersion":"v1","metadata":{},"items":[{"metadata":{"name":"coredns-6d8c4cb4d-v2v6s","generateName":"coredns-6d8c4cb4d-","namespace":"kube-system","uid":"7fbaad56-7595-460a-9687-a295ed79b24c","resourceVersion":"13905287","creationTimestamp":"2023-11-02T09:41:34Z","labels":{"k8s-app":"kube-dns","pod-template-hash":"6d8c4cb4d"},"annotations":{"kubernetes.io/config.seen":"2025-01-12T12:24:55.886404222+08:00","kubernetes.io/config.source":"api"},"ownerReferences":[{"apiVersion":"apps/v1","kind":"ReplicaSet","name":"coredns-6d8c4cb4d","uid":"32c3b707-2c34-4bd0-bbc9-cc724c9ab8e3","controller":true,"blockOwnerDeletion":true}],"managedFields":[{"manager":"kube-controller-manager","operation":"Update","apiVersion":"v1","time":"2023-11-02T09:41:34Z","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:generateName":{},"f:labels":{".":{},"f:k8s-app":{},"f:pod-template-hash":{}},"f:ownerReferences":{".":{},"k:{"uid":\

复制代码

自身节点IP 

1. root@18c7d48fca76:/# curl https://10.211.55.6:10250/pods --insecure
2. {"kind":"PodList","apiVersion":"v1","metadata":{},"items":[{"metadata":{"name":"kube-flannel-ds-fg7wh","generateName":"kube-flannel-ds-","namespace":"kube-flannel","uid":"cffe6a8a-c03b-4cab-aaf5-52af441f2b15","resourceVersion":"13864130","creationTimestamp":"2023-11-02T09:45:27Z","labels":{"app":"flannel","controller-revision-hash":"6b69bb98dd","pod-template-generation":"1","tier":"node"},"annotations":{"kubernetes.io/config.seen":"2025-01-12T12:24:55.886404972+08:00","kubernetes.io/config.source":"api"},"ownerReferences":[{"apiVersion":"apps/v1","kind":"DaemonSet","name":"kube-flannel-ds","uid":"8beb07f0-980c-48a5-bdfa-ae1b5ca4bbca","controller":true,"blockOwnerDeletion":true}],"managedFields":[{"manager":"kube-controller-manager","operation":"Update","apiVersion":"v1","time":"2023-11-02T09:45:27Z","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:generateName":{},"f:labels":{".":{},"f:app":{},"f:controller-revision-hash":{},"f:pod-template-generation":{},"f:tier":{}},"f:ownerReferences":{".":{},"k:{"uid":"8beb07f0-980c-48a5-bdfa-ae1b5ca4bbca"}":{}}},"f:spec":{"f:affinity":{".":{},"f:nodeAffinity":{".":{},"f:requiredDuringSchedulingIgnoredDuringExecution":{}}},"f:containers":{"k:{"name":"kube-flannel"}":{".":{},"f:args":{},

复制代码

参考

Lateral movement risks in the cloud and how to prevent them – Part 2: from compromised container to cloud takeover | Wiz Blog
An Insight into RSAC 2023: Lateral Movement in Kubernetes - NSFOCUS, Inc., a global network and cyber security leader, protects enterprises and carriers from advanced cyber attacks.
Lateral Movement - Threat Matrix for Kubernetes
Taking a look at the Kube-Proxy API

免责声明：如果侵犯了您的权益，请联系站长，我们会及时删除侵权内容，谢谢合作！更多信息从访问主页：qidao123.com:ToB企服之家，中国第一个企服评测及商务社交产业平台。

---

欢迎光临 IT评测·应用市场-qidao123.com (https://dis.qidao123.com/)

Powered by Discuz! X3.4