diff --git a/.github/workflows/build_master.yml b/.github/workflows/build_master.yml index 8c7cd5368..e19ffef17 100644 --- a/.github/workflows/build_master.yml +++ b/.github/workflows/build_master.yml @@ -33,7 +33,7 @@ jobs: # Build the mdBook - name: Build mdBook - run: MDBOOK_BOOK__LANGUAGE=en mdbook build || (echo "Error logs" && cat hacktricks-preprocessor-error.log && echo "" && echo "" && echo "Debug logs" && (cat hacktricks-preprocessor.log | tail -n 20) && exit 1); ls -la; ls -la book + run: MDBOOK_BOOK__LANGUAGE=en mdbook build || (echo "Error logs" && cat hacktricks-preprocessor-error.log && echo "" && echo "" && echo "Debug logs" && (cat hacktricks-preprocessor.log | tail -n 20) && exit 1) - name: Update searchindex.js in repo run: | diff --git a/src/pentesting-cloud/kubernetes-security/abusing-roles-clusterroles-in-kubernetes/README.md b/src/pentesting-cloud/kubernetes-security/abusing-roles-clusterroles-in-kubernetes/README.md index f19f9ff19..57cbc2ff0 100644 --- a/src/pentesting-cloud/kubernetes-security/abusing-roles-clusterroles-in-kubernetes/README.md +++ b/src/pentesting-cloud/kubernetes-security/abusing-roles-clusterroles-in-kubernetes/README.md 
@@ -430,6 +430,68 @@ While an attacker in possession of a token with read permissions requires the ex The token is generated from a limited 27-character set (`bcdfghjklmnpqrstvwxz2456789`), rather than the full alphanumeric range. This limitation reduces the total possible combinations to 14,348,907 (27^5). Consequently, an attacker could feasibly execute a brute-force attack to deduce the token in a matter of hours, potentially leading to privilege escalation by accessing sensitive service accounts. +### EncrpytionConfiguration in clear text + +It's possible to find clear text keys to encrypt data at rest in this type of object like: + +```yaml +# From https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/ + +# +# CAUTION: this is an example configuration. +# Do not use this for your own cluster! +# + +apiVersion: apiserver.config.k8s.io/v1 +kind: EncryptionConfiguration +resources: + - resources: + - secrets + - configmaps + - pandas.awesome.bears.example # a custom resource API + providers: + # This configuration does not provide data confidentiality. The first + # configured provider is specifying the "identity" mechanism, which + # stores resources as plain text. 
+ # + - identity: {} # plain text, in other words NO encryption + - aesgcm: + keys: + - name: key1 + secret: c2VjcmV0IGlzIHNlY3VyZQ== + - name: key2 + secret: dGhpcyBpcyBwYXNzd29yZA== + - aescbc: + keys: + - name: key1 + secret: c2VjcmV0IGlzIHNlY3VyZQ== + - name: key2 + secret: dGhpcyBpcyBwYXNzd29yZA== + - secretbox: + keys: + - name: key1 + secret: YWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXoxMjM0NTY= + - resources: + - events + providers: + - identity: {} # do not encrypt Events even though *.* is specified below + - resources: + - '*.apps' # wildcard match requires Kubernetes 1.27 or later + providers: + - aescbc: + keys: + - name: key2 + secret: c2VjcmV0IGlzIHNlY3VyZSwgb3IgaXMgaXQ/Cg== + - resources: + - '*.*' # wildcard match requires Kubernetes 1.27 or later + providers: + - aescbc: + keys: + - name: key3 + secret: c2VjcmV0IGlzIHNlY3VyZSwgSSB0aGluaw== +``` + + ### Certificate Signing Requests If you have the verbs **`create`** in the resource `certificatesigningrequests` ( or at least in `certificatesigningrequests/nodeClient`). You can **create** a new CeSR of a **new node.** diff --git a/src/pentesting-cloud/kubernetes-security/kubernetes-network-attacks.md b/src/pentesting-cloud/kubernetes-security/kubernetes-network-attacks.md index baf5ca34a..14a0fea49 100644 --- a/src/pentesting-cloud/kubernetes-security/kubernetes-network-attacks.md +++ b/src/pentesting-cloud/kubernetes-security/kubernetes-network-attacks.md 
@@ -287,6 +287,10 @@ Check more information about this attack in: abusing-roles-clusterroles-in-kubernetes/README.md {{/ref}} +## Abusing exposed kubernetes management services + +Services like Apache NiFi, Kubeflow, Argo Workflows, Weave Scope, and the Kubernetes dashboard are often exposed either to the internet or within the kubernetes network. An attacker that manage to **find any platform used to manage kubernetes and access it** can abuse it to get access to the kubernetes API and perform actions like creating new pods, modifying existing ones, or even deleting them. + ## Enumerating kubernetes network policies Get configured **networkpolicies**:
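Review bot: on the `build_master.yml` hunk, the `+ run:` line still pipes through a needless `cat`: `(cat hacktricks-preprocessor.log | tail -n 20)` can simply be `tail -n 20 hacktricks-preprocessor.log`. Dropping the trailing `ls -la; ls -la book` is fine as cleanup, but note it removes the only post-build listing confirming that the `book` directory was produced; if that output was being used to diagnose failed builds, move a single `ls book` into the `||` failure branch (before `exit 1`) instead of deleting it outright.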
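Review bot: on the `abusing-roles-clusterroles-in-kubernetes/README.md` hunk, the new heading misspells the resource kind: `+### EncrpytionConfiguration in clear text` should be `### EncryptionConfiguration in clear text`, matching the `kind: EncryptionConfiguration` in the block that follows. The lead sentence ("It's possible to find clear text keys to encrypt data at rest in this type of object like:") should also say where the object lives: it is a file read by the API server via `--encryption-provider-config`, not a resource served by the API, so the point is that the base64 `secret:` values are the raw key bytes stored on the control-plane node and anyone who can read that file can decrypt every encrypted Secret in etcd. A closing sentence on mitigation (prefer the `kms` provider so key material never sits in this file, and restrict the file's permissions on the node) would make the section useful to defenders as well. The copied example's `# CAUTION` comment and source URL are good to keep. Minor: two blank lines precede `### Certificate Signing Requests`; one is enough.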
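Review bot: on the `kubernetes-network-attacks.md` hunk, the added paragraph has a grammar slip and inconsistent capitalization: "An attacker that manage to" should be "An attacker that manages to", and "kubernetes" should be capitalized consistently in the heading and body ("Abusing exposed Kubernetes management services", "within the Kubernetes network"), as it already is in "the Kubernetes dashboard". The paragraph would also benefit from one sentence explaining why access to these UIs equals API access (they typically run with a service account bound to broad RBAC permissions), which ties the new section to the RBAC material referenced in the `{{#ref}}` block just above it and gives defenders the obvious control: scope those service accounts and require authentication on the dashboards.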