k0otkit: universal post-penetration technique in penetrations against Kubernetes clusters

by do son ·

Kubernetes penetrations

k0otkit – Manipulate K8s in a K8s way

k0otkit is a universal post-penetration technique which could be used in penetrations against Kubernetes clusters.

With k0otkit, you can manipulate all the nodes in the target Kubernetes cluster in a rapid, covert, and continuous way (reverse shell).

k0otkit is the combination of Kubernetes and rootkit.

Kubernetes penetrations

Prerequisite:

k0otkit is a post-penetration tool, so you have to first conquer a cluster, somehow manage to escape from the container, and get the root privilege of the master node (to be exact, you should get the admin privilege of the target Kubernetes).

Scenario:

  1. After Web penetration, you get a shell of the target.
  2. If necessary, you manage to escalate the privilege and make it.
  3. You find the target environment is a container (Pod) in a Kubernetes cluster.
  4. You manage to escape from the container and make it (with CVE-2016-5195, CVE-2019-5736, docker.sock or other techniques).
  5. You get a root shell of the master node and are able to instruct the cluster with kubectl on the master node as admin.
  6. Now you want to control all the nodes in the cluster as quickly as possible. Here comes k0otkit!

Features

  • utilize K8s resources and features (hack K8s in a K8s way)
  • dynamic container injection
  • communication encryption (thanks to Meterpreter)
  • fileless

Install & Use

Tags: k0otkitKubernetespenetrations