This repository has been archived by the owner on Mar 28, 2023. It is now read-only.

As a Malicious Internal User… #37

Closed
11 tasks
lojikil opened this issue Apr 18, 2019 · 1 comment
Labels: scenario (describes a scenario or scenarios for a test)

lojikil commented Apr 18, 2019

Overview

A Malicious Internal User is a user, such as an administrator or developer, who uses their privileged position maliciously against the system, or stolen credentials used for the same. The scenario is more focused on what logging/auditing/roles/NAC can do to prevent such credential abuse.

Setup

  • create a malicious user
  • map what kops & kubespray look like from the host perspective
  • discover components and what they leak from this perspective as well
  • map what components a reasonably-permissioned attacker may have access to
  • non-repudiation throughout the system (are there logging gaps?)

I wish to exfil secrets

  • what secrets do I have access to by default
  • can I move laterally to gain access to other secrets

I wish to add resources

  • can I modify a resource to establish a beachhead without alerting other admins/users
  • can I deploy resources without alerting other admins

I wish to punch holes in system security

  • port forwarding without anyone noticing
  • breaking down restrictions/filters without alert
@lojikil lojikil added the scenario describes a scenario or scenarios for a test label Apr 18, 2019
@lojikil lojikil self-assigned this Apr 18, 2019
@lojikil lojikil changed the title As a Malicious Internal Attacker… As a Malicious Internal User… Apr 18, 2019
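The setup list above asks what logging and auditing can do against credential abuse, and the three "I wish to…" goals map directly onto audit events the API server already emits. The following is an added example, not code from this issue or the project: a small triage over kube-apiserver audit events (audit.k8s.io/v1 Event lines as written by the log backend) that flags secret reads, cross-namespace secret access, a workload created in a system namespace, port-forwarding, and NetworkPolicy removal, and keeps impersonation attributable. The users, namespaces, object names, the "two namespaces" threshold and the choice of kube-system as the beachhead namespace are constructed assumptions.

```python
"""Triage kube-apiserver audit events for the malicious-internal-user scenario.

Added example for this issue, not the project's code. Field names follow the
audit.k8s.io/v1 Event format the API server writes to its log backend; the
users, namespaces, object names and rule thresholds are constructed.
"""
import json
from collections import defaultdict

READ_VERBS = {"get", "list", "watch"}
WORKLOADS = {"pods", "deployments", "daemonsets", "statefulsets", "jobs", "cronjobs"}
SYSTEM_NAMESPACES = {"kube-system"}  # assumption: where a quiet beachhead would be parked


def _event(verb, user, resource, namespace=None, name=None, code=200, **extra):
    """Build one constructed ResponseComplete-stage audit Event."""
    ref = {"resource": resource, **extra.pop("objectRef", {})}
    if namespace:
        ref["namespace"] = namespace
    if name:
        ref["name"] = name
    return {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "level": "Metadata",
            "stage": "ResponseComplete", "verb": verb, "user": {"username": user},
            "objectRef": ref, "responseStatus": {"code": code}, **extra}


# Constructed sample log: newline-delimited JSON, one event per line.
SAMPLE_AUDIT_LOG = "\n".join(json.dumps(e) for e in [
    _event("get", "dev-alice", "secrets", "default", "mysql-pass"),
    _event("list", "dev-alice", "secrets"),                                   # no namespace: cluster-wide
    _event("get", "dev-alice", "secrets", "kube-system", "bootstrap-token", code=403),
    _event("create", "dev-alice", "pods", "default", "wordpress-dccb8668f-mzg45",
           objectRef={"subresource": "portforward"}),
    _event("create", "dev-alice", "deployments", "kube-system", "metrics-helper",
           objectRef={"apiGroup": "apps"}),
    _event("delete", "dev-alice", "networkpolicies", "default", "deny-egress",
           objectRef={"apiGroup": "networking.k8s.io"}),
    _event("get", "ci-bot", "configmaps", "default", "wordpress-config"),     # benign noise
    _event("get", "dev-alice", "secrets", "payments", "stripe-key"),
    _event("get", "admin-bob", "secrets", "default", "mysql-pass",
           impersonatedUser={"username": "system:serviceaccount:default:wordpress"}),
])


def parse_audit_log(text):
    """Parse NDJSON audit events; blank or malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def triage(events):
    """Return findings (rule, user, detail) covering the scenario's three goals."""
    findings = []
    secret_ns = defaultdict(set)  # user -> namespaces whose secrets were read successfully
    for ev in events:
        if ev.get("kind") != "Event" or ev.get("stage") != "ResponseComplete":
            continue
        user = ev.get("user", {}).get("username", "<unknown>")
        ref = ev.get("objectRef") or {}
        verb, res, ns = ev.get("verb"), ref.get("resource"), ref.get("namespace")
        code = (ev.get("responseStatus") or {}).get("code")
        target = f"{ns or '<cluster>'}/{res}/{ref.get('name', '*')}"

        def hit(rule, detail=target):
            findings.append({"rule": rule, "user": user, "detail": detail})

        # Non-repudiation: an admin acting as another identity must stay attributable.
        if "impersonatedUser" in ev:
            hit("impersonation", f"as {ev['impersonatedUser'].get('username')} on {target}")
        # Exfil: every secret read, denied or not (403s show intent and RBAC probing).
        if res == "secrets" and verb in READ_VERBS:
            hit("secret-read", f"{verb} {target} -> {code}")
            if verb == "list" and ns is None:
                hit("cluster-wide-secret-list")
            if ns and code and 200 <= code < 300:
                secret_ns[user].add(ns)
        # Holes: port-forward sessions and removal of network restrictions.
        if ref.get("subresource") == "portforward":
            hit("port-forward")
        if res == "networkpolicies" and verb in {"delete", "update", "patch"}:
            hit("network-restriction-removed")
        # Beachhead: workloads written into system namespaces.
        if res in WORKLOADS and verb in {"create", "update", "patch"} and ns in SYSTEM_NAMESPACES:
            hit("workload-in-system-namespace")
    # Lateral movement: one identity pulling secrets from several namespaces.
    for user, nss in secret_ns.items():
        if len(nss) >= 2:
            findings.append({"rule": "lateral-secret-access", "user": user,
                             "detail": ", ".join(sorted(nss))})
    return findings


def summarize(findings):
    """Count findings per rule."""
    counts = defaultdict(int)
    for f in findings:
        counts[f["rule"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for f in triage(parse_audit_log(SAMPLE_AUDIT_LOG)):
        print(f"{f['rule']:30} {f['user']:10} {f['detail']}")
```

The rules only fire on ResponseComplete events, so the audit policy must log secrets at least at the Metadata level for every stage that matters; a policy that drops `secrets` reads to `level: None` (a common "reduce noise" tweak) is exactly the logging gap the setup list asks about, and this triage would then see nothing.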

btonic commented Apr 19, 2019

DNS enumeration within the cluster via coredns:

root@wordpress-dccb8668f-mzg45:/var/www/html# nslookup -type=ns default.svc.cluster.local
;; Truncated, retrying in TCP mode.
Server:		10.233.0.3
Address:	10.233.0.3#53

cluster.local
	origin = ns.dns.cluster.local
	mail addr = hostmaster.cluster.local
	serial = 1555691051
	refresh = 7200
	retry = 1800
	expire = 86400
	minimum = 30
wordpress.default.svc.cluster.local	service = 0 100 80 wordpress.default.svc.cluster.local.
_http._tcp.wordpress.default.svc.cluster.local	service = 0 100 80 wordpress.default.svc.cluster.local.
kubernetes-dashboard.kube-system.svc.cluster.local	service = 0 100 443 kubernetes-dashboard.kube-system.svc.cluster.local.
kubernetes.default.svc.cluster.local	service = 0 100 443 kubernetes.default.svc.cluster.local.
_https._tcp.kubernetes.default.svc.cluster.local	service = 0 100 443 kubernetes.default.svc.cluster.local.
coredns.kube-system.svc.cluster.local	service = 0 100 53 coredns.kube-system.svc.cluster.local.
_dns._udp.coredns.kube-system.svc.cluster.local	service = 0 100 53 coredns.kube-system.svc.cluster.local.
coredns.kube-system.svc.cluster.local	service = 0 100 53 coredns.kube-system.svc.cluster.local.
_dns-tcp._tcp.coredns.kube-system.svc.cluster.local	service = 0 100 53 coredns.kube-system.svc.cluster.local.
coredns.kube-system.svc.cluster.local	service = 0 100 9153 coredns.kube-system.svc.cluster.local.
_metrics._tcp.coredns.kube-system.svc.cluster.local	service = 0 100 9153 coredns.kube-system.svc.cluster.local.
liveness-http.default.svc.cluster.local	service = 0 100 81 liveness-http.default.svc.cluster.local.
cluster.local
	origin = ns.dns.cluster.local
	mail addr = hostmaster.cluster.local
	serial = 1555691051
	refresh = 7200
	retry = 1800
	expire = 86400
	minimum = 30
Name:	10-233-92-48.wordpress-mysql.default.svc.cluster.local
Address: 10.233.92.48
Name:	kubernetes.default.svc.cluster.local
Address: 10.233.0.1
Name:	liveness-http.default.svc.cluster.local
Address: 10.233.28.202
Name:	kubernetes-dashboard.kube-system.svc.cluster.local
Address: 10.233.50.205
Name:	coredns.kube-system.svc.cluster.local
Address: 10.233.0.3
Name:	wordpress-mysql.default.svc.cluster.local
Address: 10.233.92.48
Name:	wordpress.default.svc.cluster.local
Address: 10.233.40.236
Name:	coredns.kube-system.svc.cluster.local
Address: 10.233.0.3
Name:	coredns.kube-system.svc.cluster.local
Address: 10.233.0.3

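The enumeration above is the "discover components and what they leak from this perspective" step: any pod can ask CoreDNS for the service records of every namespace, including kube-system. The following is an added example, not code from this comment or the project: it parses that nslookup output (reproduced below, trimmed of the repeated SOA block and duplicate coredns answers) into a per-service inventory of ports, ClusterIPs and headless endpoints, and flattens it into a target list. It assumes the standard Kubernetes DNS naming scheme (`<svc>.<ns>.svc.<zone>`, `_<port>._<proto>` SRV names, and `<dashed-pod-ip>.<svc>.<ns>.svc.<zone>` records for headless services).

```python
"""Turn in-cluster DNS enumeration output into a service/endpoint inventory.

Added example for this issue, not the project's code. NSLOOKUP_OUTPUT is the
CoreDNS answer posted in the comment above (trimmed); parsing assumes the
standard Kubernetes DNS naming scheme.
"""
import re

NSLOOKUP_OUTPUT = """\
;; Truncated, retrying in TCP mode.
Server:     10.233.0.3
Address:    10.233.0.3#53

cluster.local
    origin = ns.dns.cluster.local
    mail addr = hostmaster.cluster.local
    serial = 1555691051
wordpress.default.svc.cluster.local    service = 0 100 80 wordpress.default.svc.cluster.local.
_http._tcp.wordpress.default.svc.cluster.local    service = 0 100 80 wordpress.default.svc.cluster.local.
kubernetes-dashboard.kube-system.svc.cluster.local    service = 0 100 443 kubernetes-dashboard.kube-system.svc.cluster.local.
kubernetes.default.svc.cluster.local    service = 0 100 443 kubernetes.default.svc.cluster.local.
_https._tcp.kubernetes.default.svc.cluster.local    service = 0 100 443 kubernetes.default.svc.cluster.local.
coredns.kube-system.svc.cluster.local    service = 0 100 53 coredns.kube-system.svc.cluster.local.
_dns._udp.coredns.kube-system.svc.cluster.local    service = 0 100 53 coredns.kube-system.svc.cluster.local.
_dns-tcp._tcp.coredns.kube-system.svc.cluster.local    service = 0 100 53 coredns.kube-system.svc.cluster.local.
_metrics._tcp.coredns.kube-system.svc.cluster.local    service = 0 100 9153 coredns.kube-system.svc.cluster.local.
liveness-http.default.svc.cluster.local    service = 0 100 81 liveness-http.default.svc.cluster.local.
Name:   10-233-92-48.wordpress-mysql.default.svc.cluster.local
Address: 10.233.92.48
Name:   kubernetes.default.svc.cluster.local
Address: 10.233.0.1
Name:   liveness-http.default.svc.cluster.local
Address: 10.233.28.202
Name:   kubernetes-dashboard.kube-system.svc.cluster.local
Address: 10.233.50.205
Name:   coredns.kube-system.svc.cluster.local
Address: 10.233.0.3
Name:   wordpress-mysql.default.svc.cluster.local
Address: 10.233.92.48
Name:   wordpress.default.svc.cluster.local
Address: 10.233.40.236
"""

SRV_RE = re.compile(r"^(\S+)\s+service = \d+ \d+ (\d+) \S+$")  # name, port (priority/weight/target dropped)
NAME_RE = re.compile(r"^Name:\s+(\S+)$")
ADDR_RE = re.compile(r"^Address:\s+([\d.]+)$")               # the "10.233.0.3#53" header line never matches
POD_LABEL_RE = re.compile(r"^\d{1,3}(?:-\d{1,3}){3}$")        # headless endpoint label, e.g. 10-233-92-48


def split_name(fqdn):
    """'_http._tcp.wordpress.default.svc.cluster.local' -> ('default/wordpress', ['_http', '_tcp']).
    Returns None for names that are not <...>.<svc>.<ns>.svc.<zone>."""
    parts = fqdn.rstrip(".").split(".")
    if parts.count("svc") != 1 or parts.index("svc") < 2:
        return None
    i = parts.index("svc")
    return f"{parts[i - 1]}/{parts[i - 2]}", parts[:i - 2]


def parse_nslookup(text):
    """Build {'ns/svc': {'ports': {port: {named ports}}, 'addresses': set, 'endpoints': {label: ip}}}."""
    inv, pending = {}, None

    def entry(key):
        return inv.setdefault(key, {"ports": {}, "addresses": set(), "endpoints": {}})

    for line in text.splitlines():
        line = line.strip()
        if m := SRV_RE.match(line):
            if k := split_name(m.group(1)):
                key, lead = k
                names = entry(key)["ports"].setdefault(int(m.group(2)), set())
                if len(lead) == 2 and lead[0].startswith("_") and lead[1].startswith("_"):
                    names.add(f"{lead[0][1:]}/{lead[1][1:]}")  # e.g. dns-tcp/tcp
        elif m := NAME_RE.match(line):
            pending = m.group(1)                              # A record answer follows on the next line
        elif (m := ADDR_RE.match(line)) and pending:
            if k := split_name(pending):
                key, lead = k
                if not lead:
                    entry(key)["addresses"].add(m.group(1))    # the service's own ClusterIP (or pod IP if headless)
                elif len(lead) == 1 and POD_LABEL_RE.match(lead[0]):
                    entry(key)["endpoints"][lead[0]] = m.group(1)
            pending = None
    return inv


def headless_services(inv):
    """Services whose name resolves straight to pod IPs: no ClusterIP in front of them."""
    return sorted(k for k, e in inv.items()
                  if e["endpoints"] and e["addresses"] <= set(e["endpoints"].values()))


def target_list(inv):
    """Flatten to (service, ip, port) tuples; port is None where DNS exposed no SRV record."""
    out = []
    for key, e in sorted(inv.items()):
        for ip in sorted(e["addresses"] | set(e["endpoints"].values())):
            for port in sorted(e["ports"]) or [None]:
                out.append((key, ip, port))
    return out


if __name__ == "__main__":
    inventory = parse_nslookup(NSLOOKUP_OUTPUT)
    for svc, ip, port in target_list(inventory):
        print(f"{svc:35} {ip:15} {port}")
    print("headless:", headless_services(inventory))
```

Two things the flattened view makes obvious that the raw answer does not: the dashboard (443) and the CoreDNS metrics port (9153) in kube-system are advertised to a pod in `default` with no NetworkPolicy in the way, and `wordpress-mysql` is headless, so its DNS name hands out the database pod's IP directly.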
@lojikil lojikil closed this as completed Aug 6, 2019