[Kubernetes] Attack Path (Part 2) — Post Initial Access

bigb0ss
Published in The Startup
5 min read, Feb 9, 2021


Intro

In Part 1, [Kubernetes] Attack Path (Part 1) — Discovery & Initial Access, we discussed how to discover Kubernetes services and endpoints and some of the attack vectors used to gain initial access. In this Part 2, I will go over the attack surfaces that open up after gaining initial access to either the Kubernetes cluster itself or a container deployed within it.

1) Container Access

Let’s say that you were able to breach the target Kubernetes environment by exploiting a vulnerable web application running on the cluster. Luckily, there was a known exploit giving RCE inside a container. The attack was successful, and you now have access to one of the containers. Let’s talk about what kinds of attacks can be carried out with that container access.

1–1) Service Account Token

By default, containers in a Kubernetes cluster have a service account token mounted in their file system. If an attacker finds that token, they can use it to move laterally or, depending on the privileges granted to that service account, escalate privileges to further compromise the cluster environment.

$ cat /run/secrets/kubernetes.io/serviceaccount/token
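As an added example that is not part of the original post, the script below shows the defender-side view of this finding. It decodes the claims of a service account token to report which service account, namespace and pod it was issued for (useful when triaging a leaked token), and it flags pod specs that will receive a mounted token because automountServiceAccountToken was left at its default. The token and the pod specs are constructed samples; the claim layout follows the kubernetes.io claims that Kubernetes places in projected tokens, and the signature is a dummy because only the payload is read.

```python
import base64
import json

# Constructed sample claims, modelled on the claim layout of a projected
# Kubernetes service account token. Values are made up for this example.
SAMPLE_CLAIMS = {
    "iss": "https://kubernetes.default.svc.cluster.local",
    "sub": "system:serviceaccount:web:frontend-sa",
    "aud": ["https://kubernetes.default.svc.cluster.local"],
    "kubernetes.io": {
        "namespace": "web",
        "pod": {"name": "frontend-7d9c"},
        "serviceaccount": {"name": "frontend-sa"},
    },
}


def _b64url(data: bytes) -> str:
    """Base64url-encode without padding, as JWTs do."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def build_sample_token() -> str:
    """Assemble a JWT-shaped string from the sample claims (dummy signature)."""
    header = _b64url(json.dumps({"alg": "RS256", "kid": "constructed"}).encode())
    payload = _b64url(json.dumps(SAMPLE_CLAIMS).encode())
    return f"{header}.{payload}.{_b64url(b'not-a-real-signature')}"


def decode_claims(token: str) -> dict:
    """Decode the JWT payload only; the signature is NOT verified here.

    This is an inventory/triage helper: the API server, not this script,
    is the party that validates the token.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore padding
    return json.loads(base64.urlsafe_b64decode(payload))


def describe_token(token: str) -> dict:
    """Summarise who a service account token belongs to."""
    claims = decode_claims(token)
    k8s = claims.get("kubernetes.io", {})
    return {
        "namespace": k8s.get("namespace"),
        "serviceaccount": k8s.get("serviceaccount", {}).get("name"),
        "pod": k8s.get("pod", {}).get("name"),
        "subject": claims.get("sub"),
    }


def pods_mounting_tokens(pods: list) -> list:
    """Return names of pods whose spec leaves token automounting enabled.

    A pod spec that does not set automountServiceAccountToken inherits the
    ServiceAccount's setting, which in turn defaults to true; this check
    treats an unset field as "mounted" (the cluster default).
    """
    flagged = []
    for pod in pods:
        spec = pod.get("spec", {})
        if spec.get("automountServiceAccountToken", True):
            flagged.append(pod["metadata"]["name"])
    return flagged


# Constructed pod specs: one relies on the default, one opts out.
SAMPLE_PODS = [
    {"metadata": {"name": "frontend"}, "spec": {}},
    {"metadata": {"name": "batch-job"},
     "spec": {"automountServiceAccountToken": False}},
]


if __name__ == "__main__":
    print(describe_token(build_sample_token()))
    print("pods with a mounted token:", pods_mounting_tokens(SAMPLE_PODS))
```

The mitigation the check points at is to set automountServiceAccountToken: false on pods (or on the ServiceAccount) that never talk to the API server, and to keep the RBAC bindings of the remaining service accounts to the minimum the workload needs, so a token read from a compromised container grants as little as possible.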


OSWE | OSCE | OSCP | CREST | Principal Offensive Security Engineer — All about Penetration Test, Red Team, Cloud Security, Web Application Security