Exploiting (Pentesting) An AWS EKS Cluster

By default, Kubernetes clusters are not secure in the slightest.

Everything from:

1. Not being forced to set SecurityContexts.
2. The default Service Account is used to create Pods if you don’t manually set a new one.
3. NetworkPolicies aren’t enforced.

And A LOT more.

One of the biggest issues is the use of tokens. In fact, it’s a bad practice to enable Tokens for Pod creation (if you do and use the Default Service Account, that Token can be used by a bad actor).

In this blog post, you’ll learn how to use Metasploit to enumerate Kubernetes resources (Pods, Namespaces, and More).

Prerequisites

To follow along with this blog post, you should either have a Kali Linux server/VM or another place where Metasploit is running.

Obtaining A Token

The first step is the actual authentication and authorization. Luckily when it comes to Kubernetes, you don’t need a username and password or two key/value pairs. You only need a Token.

Obtaining the token will be a bit different across Kubernetes clusters. For example, how you retrieve the default Token in EKS will be different than how you obtain the default Token from a Kubernetes cluster that was bootstrapped with Kubeadm.

When you first do some research on how to obtain a Token, it’s possible that you may see the following command used.

aws sts get-caller-identity

The sts command, however, won’t output the proper Token.

You’ll need to use the command below to get the full Token output

aws eks get-token --cluster-name k8squickstart

After running the above, you should see an output similar to the one below.

    "kind": "ExecCredential",
    "apiVersion": "client.authentication.k8s.io/v1beta1",
    "spec": {},
    "status": {
        "expirationTimestamp": "2024-08-09T19:02:53Z",
        "token": "k8s-aws-v1.aHR0cHM6Ly9zdHMudXMtZ**************"
    }
}

Copy the token as you’ll see it for the next section.

Running Metasploit

Now that you have a Token, let’s see if it allows you to see Kubernetes resource/objects.

1. Open Metasploit

1. Run the following command to see the Kubernetes framework. The Kubernetes Framework is built into Metasploit.

search kubernetes

1. Set up the enumeration

use cloud/kubernetes/enum_kubernetes

1. Configure your target (the DNS or IP Address of the Control Plane where the k8s API Server lives).

set RHOST https://****FA88****.gr7.us-east-1.eks.amazonaws.com

1. Set the Token that you retrieved from the previous section.

set TOKEN k8s-aws-v1.aHR0cHM6Ly9zdHMudXMtZWFzdC********

1. Try to run all Payloads. You can also target specific resources. For example, just running pods will run the Pods Payload.

run

You should see an output similar to the screenshots below.

You can now see what access the Token has, and that Token is deployed automatically when Kubernetes is deployed.

How About On-Prem Clusters?

If you have access to a Kubeadm cluster, the same rules apply.

Every Kubeadm cluster gets bootstrapped with a token. You’ll see a command that looks something like the below:

kubeadm join 192.168.1.100:6443 --token 5g28xi.6bx***** --discovery-token-ca-cert-hash sha256:734f52a38a*****

You can use the --token value, set the RHOST, and attack the cluster.