k8s_debug

k8s cves

• https://kubernetes.io/docs/reference/issues-security/official-cve-feed/

go download

• https://dl.google.com/go/go1.9.1.linux-amd64.tar.gz
• https://dl.google.com/go/go1.11.1.linux-amd64.tar.gz
• https://dl.google.com/go/go1.18.1.linux-amd64.tar.gz

k8s download

• https://github.com/kubernetes/kubernetes/archive/refs/tags/v1.9.3.tar.gz
• https://github.com/kubernetes/kubernetes/archive/refs/tags/v1.11.1.tar.gz
• https://github.com/kubernetes/kubernetes/archive/refs/tags/v1.13.5.tar.gz
• https://github.com/kubernetes/kubernetes/archive/refs/tags/v1.13.8.tar.gz
• https://github.com/kubernetes/kubernetes/archive/refs/tags/v1.13.10.tar.gz
• https://github.com/kubernetes/kubernetes/archive/refs/tags/v1.17.1.tar.gz

tools

• kubectl-whoami: https://github.com/rajatjindal/kubectl-whoami/releases/download/v0.0.44/kubectl-whoami_v0.0.44_linux_amd64.tar.gz

docker hub

root password: K8s@env
ssh: ssh -p12222 root@127.0.0.1
exploit: cd exploit;./run

• base: docker pull noirfate/k8svul-base:1.2
• CVE-2017-1002101 hostPath symbol link path escape: docker pull noirfate/vul-k8s-cve-2017-1002101:1.0
• CVE-2018-1002100 kubectl cp path escape: docker pull noirfate/vul-k8s-cve-2018-1002100:1.0
• CVE-2018-1002105 kube-apiserver do not properly close kubelet proxy connection: docker pull noirfate/vul-k8s-cve-2018-1002105:1.0
• CVE-2019-1002101 kubectl cp path escape: docker pull noirfate/vul-k8s-cve-2019-1002101:1.0
• CVE-2019-11246 kubectl cp path escape: docker pull noirfate/vul-k8s-cve-2019-11246:1.0
• CVE-2019-11249 kubectl cp path escape: docker pull noirfate/vul-k8s-cve-2019-11249:1.0
• CVE-2019-11250 kube-apiserver token revealed in log: docker pull noirfate/vul-k8s-cve-2019-11250:1.0
• CVE-2019-11251 kubectl cp path escape: docker pull noirfate/vul-k8s-cve-2019-11251:1.0
• CVE-2019-11253 kube-apiserver yaml parser dos: docker pull noirfate/vul-k8s-cve-2019-11253:1.0
• CVE-2020-8555 kube-controller-manager ssrf: docker pull noirfate/vul-k8s-cve-2020-8555:1.0
• CVE-2020-8558 kube-proxy route_localnet: docker pull noirfate/vul-k8s-cve-2020-8558:1.0
• CVE-2020-8559 kube-apiserver follow kubelet redirect request: docker pull noirfate/vul-k8s-cve-2020-8559:1.0
• CVE-2021-25735 Kubernetes validating admission webhook bypass: docker pull noirfate/vul-k8s-cve-2021-25735:1.0
• CVE-2021-25741 kubelet subpath TOCTOU: docker pull noirfate/vul-k8s-cve-2021-25741:1.0
• CVE-2021-25742 ingress-nginx snippet command execution: docker pull noirfate/vul-k8s-cve-2021-25742:1.0
• CVE-2021-25748 ingress-nginx path sanitization bypass
• CVE-2022-3162 Unauthorized read of Custom Resources kind create cluster --name cve-2022-3162 --image=kindest/node:v1.23.13
• CVE-2022-3172 Aggregated API server can cause clients to be redirected (SSRF) kind create cluster -n cve-2022-3172 --image kindest/node:v1.21.10
• CVE-2023-2431 Bypass of seccomp profile enforcement kind create cluster --name cve-2023-2431 --image=kindest/node:v1.23.13 --config=kind-config.yaml
• CVE-2023-2728 Bypassing enforce mountable secrets policy imposed by the ServiceAccount admission plugin kind create cluster -n cve-2023-2728 --image kindest/node:v1.27.1
• CVE-2024-3177 Bypassing enforce mountable secrets policy imposed by the ServiceAccount admission plugin kind create cluster -n cve-2023-2728 --image kindest/node:v1.27.1

run

docker run --name master --privileged -v /lib/modules:/lib/modules -v /etc/localtime:/etc/localtime -e LC_CTYPE=en_US.UTF-8 -idt xxx