Kubernetes Namespaces bypass

Scenario Information

By default Kubernetes uses a flat networking model, which means any pod or service within the cluster can talk to any other. Namespaces within the cluster carry no network security restrictions by default: a pod in any namespace can reach pods and services in every other namespace. We heard that Kubernetes-Goat loves cache. Let's see if we can gain access to other namespaces.

  • To get started with the scenario, let's run our awesome hacker-container in the default namespace
kubectl run -it hacker-container --image=madhuakula/hacker-container -- sh

(Screenshot: Scenario 11 welcome)

Scenario Solution

  • Get the cluster IP range information
ip route
ifconfig
printenv

(Screenshot: Scenario 11 recon)

  • Based on our analysis and understanding of the system, we can run an internal scan of the entire cluster range using zmap
zmap -p 6379 10.0.0.0/8 -o results.csv

(Screenshots: Scenario 11 zmap; Scenario 11 output IPs)

There is also another way to reach services and pods in Kubernetes: by cluster DNS name, in the form servicename.namespace.

  • Let's access the Redis instance using the redis-cli client
redis-cli -h 10.12.0.2
KEYS * 
GET SECRETSTUFF

(Screenshot: Scenario 11 redis access)

There are many other services and resources exposed within the cluster, such as ElasticSearch, Mongo, etc. So if your recon skills are good, you have a gold mine here.
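The flat network described above is the thing to fix. The following is an added example, not part of Kubernetes Goat, of the NetworkPolicy objects that would stop the cross-namespace access shown in this scenario: a default-deny ingress policy for the namespace holding the cache, plus an allow rule so only the intended clients in that same namespace can reach Redis on port 6379. The namespace name "cache" and the pod labels "app: redis" and "app: cache-client" are assumptions; port 6379 comes from the scenario. Note that NetworkPolicy is only enforced when the cluster's CNI plugin supports it (for example Calico or Cilium); on a CNI without policy support the objects are accepted but have no effect.

```yaml
# Added example (not Kubernetes Goat's own manifests). Namespace "cache" and the
# pod labels below are assumptions made for illustration.

# Policy 1: deny all inbound traffic to every pod in the "cache" namespace.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: cache
spec:
  podSelector: {}          # empty selector = every pod in this namespace
  policyTypes:
  - Ingress                # no ingress rules listed, so all inbound traffic is dropped
---
# Policy 2: re-allow Redis (TCP 6379) only from pods labelled app=cache-client
# in the same namespace. A "from" entry with only a podSelector (and no
# namespaceSelector) matches pods in the policy's own namespace, so the
# hacker-container in the default namespace no longer matches.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-redis-from-cache-clients
  namespace: cache
spec:
  podSelector:
    matchLabels:
      app: redis           # assumed label on the Redis pod
  policyTypes:
  - Ingress
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: cache-client   # assumed label on the legitimate clients
    ports:
    - protocol: TCP
      port: 6379
```

Apply with `kubectl apply -f` and re-run the redis-cli step from the hacker-container in the default namespace: with a policy-enforcing CNI the connection now times out instead of returning the keys. Because policies are additive, Policy 1 alone closes the namespace and Policy 2 reopens exactly one path; zmap will still see the pod IP range, but the port no longer answers from outside the namespace.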

Miscellaneous

TBD