Tryhackme
Advent of Cyber 2024 — Day 22: Kubernetes
Determine how Mayor Malware exploited Kubernetes Role-Based Access Control (RBAC) misconfigurations to execute malicious actions.
Learning Objectives
- Understand Kubernetes RBAC policies and their role in securing resources.
- Analyze logs to track the activity of a specific user within a Kubernetes cluster.
- Identify and mitigate overly permissive RBAC roles.
Steps Performed
1. Examining the Mayor’s Permissions:
   - Command Used: `kubectl get rolebindings -n wareville`
   - Found a rolebinding `mayor-user-binding` linked to the role `mayor-user`.
2. Analyzing the Assigned Role:
   - Command Used: `kubectl describe role mayor-user -n wareville`
   - Found `pods/exec` permissions granted, which are uncommon for non-admin roles, potentially allowing shell access into running pods.
3. Reviewing Mayor Malware’s Activity:
   - Command Used: `cat audit.log | grep --color=always '"user":{"username":"mayor-malware"' | grep --color=always '"resource"' | grep --color=always '"verb"'`
   - Observed multiple actions:
     - Attempted and failed to access secrets (`403 Forbidden`).
     - Listed available roles and described the `job-runner` role with secret access.
     - Found and described the `job-runner-binding` rolebinding, linked to the `job-runner-sa` service account.
     - Listed and described pods, targeting `morality-checker` running with `job-runner-sa`.
4. Confirmed Exploitation via Exec: Mayor Malware executed a shell into the `morality-checker` pod using the `pods/exec` permission, gaining unauthorized access to the service account’s elevated permissions.
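The grep pipeline in step 3 works, but it leaves the reader to eyeball raw JSON. As an added example (not part of the original writeup or the TryHackMe room), the script below parses Kubernetes audit events (`audit.k8s.io/v1`, one JSON object per line) and reports one user's verbs, resources and response codes, flagging denied requests and `pods/exec` use. The log lines are constructed to mirror the activity described above; the `_event` helper, function names and the `101` code for the exec upgrade are assumptions of this example.

```python
import json
import sys


def _event(verb, username, resource, code, name=None, subresource=None):
    """Build one constructed audit event line in the audit.k8s.io/v1 shape."""
    ref = {"resource": resource, "namespace": "wareville"}
    if name:
        ref["name"] = name
    if subresource:
        ref["subresource"] = subresource
    return json.dumps({"kind": "Event", "apiVersion": "audit.k8s.io/v1", "verb": verb,
                       "user": {"username": username}, "objectRef": ref,
                       "responseStatus": {"code": code}})


# Constructed sample audit log, modelled on the writeup; not the room's real audit.log.
SAMPLE_AUDIT_LOG = "\n".join([
    _event("list", "mayor-malware", "secrets", 403),
    _event("list", "mayor-malware", "roles", 200),
    _event("get", "mayor-malware", "roles", 200, name="job-runner"),
    _event("get", "mayor-malware", "rolebindings", 200, name="job-runner-binding"),
    _event("list", "mayor-malware", "pods", 200),
    # exec is the "exec" subresource of pods; the API server upgrades the stream, hence 101
    _event("create", "mayor-malware", "pods", 101, name="morality-checker", subresource="exec"),
    # another principal's activity, which the user filter must drop
    _event("get", "system:serviceaccount:wareville:job-runner-sa", "secrets", 200, name="pull-creds"),
    "this line is not JSON and must be skipped",
])


def parse_audit_events(text):
    """Yield parsed audit events, skipping blank, malformed or non-Event lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        if event.get("kind") == "Event" and "objectRef" in event:
            yield event


def describe(event):
    """Flatten an event into verb / resource[/subresource] / name / namespace / code."""
    ref = event.get("objectRef", {})
    resource = ref.get("resource", "")
    if ref.get("subresource"):
        resource = f"{resource}/{ref['subresource']}"
    return {
        "verb": event.get("verb"),
        "resource": resource,
        "name": ref.get("name", ""),
        "namespace": ref.get("namespace", ""),
        "code": event.get("responseStatus", {}).get("code"),
    }


def user_activity(text, username):
    """All actions taken by one principal, in log order."""
    return [describe(e) for e in parse_audit_events(text)
            if e.get("user", {}).get("username") == username]


def suspicious_findings(activity):
    """Denied requests (enumeration probing) and successful exec into pods."""
    findings = []
    denied = [a for a in activity if a["code"] == 403]
    if denied:
        findings.append(f"{len(denied)} forbidden request(s): "
                        + ", ".join(f"{a['verb']} {a['resource']}" for a in denied))
    for a in activity:
        if a["resource"] == "pods/exec" and a["code"] is not None and a["code"] < 400:
            findings.append(f"exec into pod {a['namespace']}/{a['name']}")
    return findings


if __name__ == "__main__":
    # Usage: python audit_user.py [audit.log] [username]; defaults to the constructed sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_AUDIT_LOG
    user = sys.argv[2] if len(sys.argv) > 2 else "mayor-malware"
    for a in user_activity(text, user):
        print(f"{a['code']:>4} {a['verb']:<7} {a['resource']:<14} {a['namespace']}/{a['name']}")
    for f in suspicious_findings(user_activity(text, user)):
        print("!!", f)
```

Filtering on `objectRef.subresource` is what distinguishes a harmless `get pods` from `create pods/exec`; the grep on `"resource"` alone does not make that distinction visible.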
Analysis of Findings
Key Issue Identified:
Overly permissive RBAC configuration allowed Mayor Malware to:
- Discover a role (`job-runner`) with elevated privileges.
- Exploit the `pods/exec` permission to access sensitive resources through a service account (`job-runner-sa`) attached to a pod (`morality-checker`).
Attack Path Summary:
- Enumerated roles and bindings to identify elevated privileges.
- Targeted a pod linked to a privileged service account.
- Gained shell access via exec permissions and leveraged the service account to escalate privileges.
Key Takeaways
- RBAC Misconfigurations: Non-admin roles should not include `pods/exec` permissions unless absolutely necessary.
- Least Privilege Principle: Assign minimal permissions to roles and service accounts, ensuring they align with their intended purpose.
- Audit Logging: Regularly review Kubernetes audit logs to detect suspicious activities.
- Best Practices for Role Management: Restrict sensitive role bindings to trusted entities. Periodically audit and refine RBAC policies to mitigate risks.
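The takeaways above call for periodic RBAC audits. As an added example (not the room's own tooling), the script below lints Role manifests in the shape `kubectl get role -o json` returns, flagging rules that grant sensitive core-group resources such as `pods/exec` or `secrets`, and shows the overly permissive `mayor-user` role beside a least-privilege version. The manifests, the `SENSITIVE_RESOURCES` table and the `batch`/`jobs` rule in `job-runner` are constructed assumptions; the matching semantics (`*`, exact names, `*/<subresource>`) follow Kubernetes RBAC rule matching.

```python
def _role(name, rules):
    """Constructed Role manifest in the rbac.authorization.k8s.io/v1 shape."""
    return {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "Role",
            "metadata": {"name": name, "namespace": "wareville"}, "rules": rules}


# Hypothetical reconstruction of the weak role: pod read access plus exec.
MAYOR_USER_ROLE = _role("mayor-user", [
    {"apiGroups": [""], "resources": ["pods", "pods/log"], "verbs": ["get", "list"]},
    {"apiGroups": [""], "resources": ["pods/exec"], "verbs": ["create"]},  # the weak setting
])
# Least-privilege version: the same read access, no exec.
MAYOR_USER_HARDENED = _role("mayor-user", [
    {"apiGroups": [""], "resources": ["pods", "pods/log"], "verbs": ["get", "list"]},
])
# Hypothetical job-runner role with the secret access the writeup mentions.
JOB_RUNNER_ROLE = _role("job-runner", [
    {"apiGroups": ["batch"], "resources": ["jobs"], "verbs": ["create", "get", "list"]},
    {"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list"]},
])
# A wildcard role, to show that '*' silently grants every sensitive resource.
WILDCARD_ROLE = _role("too-broad", [
    {"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]},
])

# Core-group resources whose grant to a non-admin role deserves review, with the
# verbs that make them dangerous and why (assumed list for this example).
SENSITIVE_RESOURCES = {
    "pods/exec": ({"create"}, "shell into running pods and use their service account token"),
    "pods/attach": ({"create"}, "attach to running pod processes"),
    "pods/portforward": ({"create"}, "tunnel traffic into pods"),
    "secrets": ({"get", "list", "watch"}, "read Secret contents"),
    "serviceaccounts/token": ({"create"}, "mint tokens for service accounts in the namespace"),
}


def resource_matches(rule_resources, resource):
    """Mirror RBAC matching: '*' matches everything, exact names match, and
    '*/<subresource>' matches that subresource on any resource. Note that a
    plain 'pods' grant does NOT cover 'pods/exec'."""
    _base, _, sub = resource.partition("/")
    for r in rule_resources:
        if r == "*" or r == resource:
            return True
        if sub and r == f"*/{sub}":
            return True
    return False


def audit_role(role):
    """Return one finding per (rule, sensitive resource) grant of a risky verb."""
    findings = []
    for idx, rule in enumerate(role.get("rules", [])):
        groups = rule.get("apiGroups", [])
        if "*" not in groups and "" not in groups:
            continue  # every resource in SENSITIVE_RESOURCES lives in the core group
        verbs = set(rule.get("verbs", []))
        for resource, (risky_verbs, why) in SENSITIVE_RESOURCES.items():
            if not resource_matches(rule.get("resources", []), resource):
                continue
            granted = risky_verbs if "*" in verbs else verbs & risky_verbs
            if granted:
                findings.append(f"{role['metadata']['name']} rule {idx}: "
                                f"{','.join(sorted(granted))} on {resource} ({why})")
    return findings


if __name__ == "__main__":
    for role in (MAYOR_USER_ROLE, MAYOR_USER_HARDENED, JOB_RUNNER_ROLE, WILDCARD_ROLE):
        print(f"== {role['metadata']['name']}")
        for finding in audit_role(role) or ["no sensitive grants"]:
            print("  ", finding)
```

Run against real manifests by loading `kubectl get roles -A -o json` and passing each item in `.items` to `audit_role`; ClusterRoles have the same `rules` shape and can be checked the same way.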
Tasks
- What is the name of the webshell that was used by Mayor Malware?
shelly.php
- What file did Mayor Malware read from the pod?
db.php
- What tool did Mayor Malware search for that could be used to create a remote connection from the pod?
nc
- What IP connected to the docker registry that was unexpected?
10.10.130.253
- At what time is the first connection made from this IP to the docker registry?
29/Oct/2024:10:06:33 +0000
- At what time is the updated malicious image pushed to the registry?
29/Oct/2024:12:34:28 +0000
- What is the value stored in the “pull-creds” secret?
{"auths":{"http://docker-registry.nicetown.loc:5000":{"username":"mr.nice","password":"Mr.N4ughty","auth":"bXIubmljZTpNci5ONHVnaHR5"}}}