Exploiting (Pentesting) An AWS EKS Cluster

Michael Levan - Aug 20 - - Dev Community

By default, Kubernetes clusters are not secure in the slightest.

Everything from:

  1. Not being forced to set SecurityContexts.
  2. The default Service Account is used to create Pods if you don't manually set a new one.
  3. NetworkPolicies aren't enforced.

And A LOT more.

One of the biggest issues is the use of tokens. In fact, it's a bad practice to enable Tokens for Pod creation (if you do and use the Default Service Account, that Token can be used by a bad actor).

In this blog post, you'll learn how to use Metasploit to enumerate Kubernetes resources (Pods, Namespaces, and More).

Prerequisites

To follow along with this blog post, you should either have a Kali Linux server/VM or another place where Metasploit is running.

Obtaining A Token

The first step is the actual authentication and authorization. Luckily when it comes to Kubernetes, you don’t need a username and password or two key/value pairs. You only need a Token.

Obtaining the token will be a bit different across Kubernetes clusters. For example, how you retrieve the default Token in EKS will be different than how you obtain the default Token from a Kubernetes cluster that was bootstrapped with Kubeadm.

When you first do some research on how to obtain a Token, it’s possible that you may see the following command used.



aws sts get-caller-identity


Enter fullscreen mode Exit fullscreen mode

The sts command, however, won’t output the proper Token.

You’ll need to use the command below to get the full Token output



aws eks get-token --cluster-name k8squickstart


Enter fullscreen mode Exit fullscreen mode

After running the above, you should see an output similar to the one below.




    "kind": "ExecCredential",
    "apiVersion": "client.authentication.k8s.io/v1beta1",
    "spec": {},
    "status": {
        "expirationTimestamp": "2024-08-09T19:02:53Z",
        "token": "k8s-aws-v1.aHR0cHM6Ly9zdHMudXMtZ**************"
    }
}


Enter fullscreen mode Exit fullscreen mode

Copy the token as you’ll see it for the next section.

Running Metasploit

Now that you have a Token, let’s see if it allows you to see Kubernetes resource/objects.

  1. Open Metasploit

Image description

  1. Run the following command to see the Kubernetes framework. The Kubernetes Framework is built into Metasploit.


search kubernetes


Enter fullscreen mode Exit fullscreen mode
  1. Set up the enumeration


use cloud/kubernetes/enum_kubernetes


Enter fullscreen mode Exit fullscreen mode
  1. Configure your target (the DNS or IP Address of the Control Plane where the k8s API Server lives).


set RHOST https://****FA88****.gr7.us-east-1.eks.amazonaws.com


Enter fullscreen mode Exit fullscreen mode
  1. Set the Token that you retrieved from the previous section.


set TOKEN k8s-aws-v1.aHR0cHM6Ly9zdHMudXMtZWFzdC********


Enter fullscreen mode Exit fullscreen mode
  1. Try to run all Payloads. You can also target specific resources. For example, just running pods will run the Pods Payload.


run


Enter fullscreen mode Exit fullscreen mode

You should see an output similar to the screenshots below.

Image description
Image description

You can now see what access the Token has, and that Token is deployed automatically when Kubernetes is deployed.

How About On-Prem Clusters?

If you have access to a Kubeadm cluster, the same rules apply.

Every Kubeadm cluster gets bootstrapped with a token. You’ll see a command that looks something like the below:



kubeadm join 192.168.1.100:6443 --token 5g28xi.6bx***** --discovery-token-ca-cert-hash sha256:734f52a38a*****


Enter fullscreen mode Exit fullscreen mode

You can use the --token value, set the RHOST, and attack the cluster.

Image description

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .