peirates v1.14 releases: Kubernetes Penetration Testing tool

by do son · Published August 30, 2021 · Updated November 5, 2023

What is Peirates?

Peirates is a penetration testing tool for Kubernetes, focused on privilege escalation and lateral movement. It has an interactive interface, wherein the penetration tester chooses actions from the techniques that Peirates encodes. Some of the techniques in Peirates will give you administrative access to the cluster in one-shot. Others are intended to get you tokens for an increasing number of service accounts that you can use to move laterally, steal secrets, and chain together to achieve the goals of your penetration test.

Note: Peirates is focused entirely on attacking a Kubernetes cluster. This may not be legal in your country or in the way that you use it. Please discuss its use with your lawyer and that of any organizations that own or participate in the management of the cluster.

How Do I Use Peirates?

When you gain or are given remote code execution capability in a container running in a Kubernetes cluster, you use Peirates to expand that access. Peirates is a staticly-compiled binary that you can download or compile yourself using a golang compiler. Place this binary into the container that is your starting point, mark it executable and run it. You’ll be presented with a menu of options – use these to gain access. Peirates is especially focused on gathering service account’s tokens. If there are actions that you know how to accomplish with kubectl commands that aren’t in Peirates, you have two options: (1) copy the service account token from Peirates into a kubectl command or (2) create code in Peirates to accomplish your goal, and submit a pull request so you can get credit and everyone else gets the benefit.

What Can Peirates Do?

Peirates has a number of Kubernetes penetration testing features. It’s an interactive tool, intended to allow you to escalate privilege, move laterally, and take over clusters.

The list of features is growing, as this active Open Source project continues to evolve. The current list:

Gain a reverse shell on a node, using a hostPath-mounting pod 
Pull service account tokens from bucket storage (GCS-only) 
Pull service account tokens from secrets 
Run a token-dumping command on all pods, abusing Kubelets 
Gain IAM credentials from an AWS or GCP Metadata server 
Transfer itself into another pod, allowing lateral movement

Changelog v1.14

Added a feature to display the values of stored service account tokens
Added a verbose (-v) flag to display additional DEBUG messages.
Updated upstream libraries to handle vulnerabilities found in dependencies: CVE-2023-39325, CVE-2023-44487, CVE-2023-3978