search

Unobtainium

hashtag
Gaining Access

Nmap scan:

$ nmap -p- --min-rate 5000 10.129.136.226
Starting Nmap 7.93 ( https://nmap.org ) at 2023-01-28 08:04 EST
Nmap scan report for 10.129.136.226
Host is up (0.0073s latency).
Not shown: 65529 closed tcp ports (conn-refused)
PORT      STATE SERVICE
22/tcp    open  ssh
80/tcp    open  http
8443/tcp  open  https-alt
10250/tcp open  unknown
10251/tcp open  unknown
31337/tcp open  Elite

There are some interesting ports that are open on this machine. We can do a detailed scan for better clarity (output has been truncated).

$ sudo nmap -p 22,80,8443,10250,10251,31337 -sC -sV -O -T4 10.129.136.226
Starting Nmap 7.93 ( https://nmap.org ) at 2023-01-28 08:05 EST
Nmap scan report for 10.129.136.226
Host is up (0.0071s latency).

PORT      STATE SERVICE       VERSION
22/tcp    open  ssh           OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 48add5b83a9fbcbef7e8201ef6bfdeae (RSA)
|   256 b7896c0b20ed49b2c1867c2992741c1f (ECDSA)
|_  256 18cd9d08a621a8b8b6f79f8d405154fb (ED25519)
80/tcp    open  http          Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Unobtainium
8443/tcp  open  ssl/https-alt
| http-auth: 
| HTTP/1.1 401 Unauthorized\x0D
|_  Server returned status 401 but no WWW-Authenticate header.
| ssl-cert: Subject: commonName=k3s/organizationName=k3s
| Subject Alternative Name: DNS:kubernetes, DNS:kubernetes.default, DNS:kubernetes.default.svc, DNS:kubernetes.default.svc.cluster.local, DNS:localhost, DNS:unobtainium, IP Address:10.129.136.226, IP Address:10.43.0.1, IP Address:127.0.0.1
10250/tcp open  ssl/http      Golang net/http server (Go-IPFS json-rpc or InfluxDB API)
|_http-title: Site doesn't have a title (text/plain; charset=utf-8).
| ssl-cert: Subject: commonName=unobtainium
| Subject Alternative Name: DNS:unobtainium, DNS:localhost, IP Address:127.0.0.1, IP Address:10.129.136.226
| Not valid before: 2022-08-29T09:26:11
|_Not valid after:  2024-01-28T13:02:51
10251/tcp open  unknown
31337/tcp open  http          Node.js Express framework
| http-methods: 
|_  Potentially risky methods: PUT DELETE
|_http-title: Site doesn't have a title (application/json; charset=utf-8)

hashtag
Port 80 & 8443

Visting the web page shows us this:

When any of the links are clicked, we can download a zip file for an application. Not too sure what we can do with this at the moment.

We can see from the nmap scan above that there is some kind of Kubernetes application being run on port 8443. When trying to view it, all we get is a 401 Unauthorized error from the API.

hashtag
Deb File Analysis

I downloaded the deb version of the application and unzipped it to find a few items:

With the ar x command, we can decompile the deb file. We would get a few more files:

We can first use gunzip and tar to extract the control.tar.gz files. Within it, we can find a few other files.

Interesting. We can take a look at the content within these folders.

Seems that there is a user named felamos and this is some metadata of the program. The other files are bash scripts. The postinst file contained some hints about Electron 5+.

The other bash scripts was just a file to remove the binary.

Using xz -d and tar xvf on the data.tar.xz file revealed lots of files pertaining to the application.

Amongst all the files mentioned, it appears that the source code was within the ./opt/unobtainium/resources/app.asar directory of the folder. We can decompile this file using npx asar.

Then, we can begin our source code analysis

hashtag
Source Code Analysis

It appears that this is the code for the application running on port 31337 of the machine. We can analyse /src/js/app.js to find this hint. We can also find a set of credentials.

There was also another todo.js file that had a similar set of code within it.

We can test the connection to this server by sending a POST request as follows:

We would be able to see that there's an obvious LFI present in the filename parameter. However, attempting to access anything beyond the local folder results in a hang. Perhaps there was another hidden file preventing access to other directories.

Anyways, I took a look at the index.js file by varying the filename parameter in the JSON data. This revealed some hidden code for me to read.

hashtag
Finding RCE

Let's break this file down slowly. It starts off with the imports, and straightaway we can notice the child_process being used with exec, meaning there's some RCE to do here.

Then, there's further mention of the user and his credentials, as well as an admin. There was an auth function as well, and it uses ===. Seems like guessing the admin password is not the way to go here.

We can find the code used for the /todo endpoint:

We were able to use this earlier, meaning that we passed the !user check. Now, we can take a look at the code for an /upload function.

The function used here is root.upload, which was taken from the google-cloudstorage-commands imported earlier. When researching for exploits regarding this package, there are some RCE exploits that pop up.

LogoCommand Injection in google-cloudstorage-commands | CVE-2020-28436 | SnykLearn more about npm with Snyk Open Source Vulnerability Databasechevron-right

In short, we need to execute this on the server: root.upload("./","& touch JHU", true);. This is trivial by altering the filename.

However, there's a small problem as we aren't allowed to upload with the credentials of felamos.

This means we need to take a look at how the application authenticates its users / stores data about the user.canUpload check.

hashtag
Prototype Pollution

Looking at the rest of the file, we can see that there's a PUT method allowed on the machine.

The main thing to take note of is the usage of merge, which is used unsafely because it does not verify the contents of message. This means that the application is vulnerable to prototype pollution, which would allow us to change certain attributes of our object. In this case, the object is the user felamos.

So to craft our exploit, we need to find out what information the JSON object must have. Based on app.js found earlier, we know that we need a "message":{"text':message}}" JSON. Afterwards, we can include the __proto__ portion.

The final request I sent looked like this:

Afterwards, I was able to upload files to the server:

Then, we can simply get a reverse shell by changing the filename parameter.

hashtag
Privilege Escalation

Very obviously, we were in some kind of container. Remember the kubernetes API that we found a lot earlier? Perhaps that was the container escape vector.

hashtag
Kubernetes Enumeration

I found this page rather useful.

LogoPage not found - HackTricks Cloudcloud.hacktricks.xyzchevron-right

It appears that we can get a token from the /run/secrets/kubernetes.io/serviceaccount folder to interact with the API. Within that file, we can find a ca.crt and token file.

Using this in conjunction with kubectl reveals that we can indeed talk to the API.

Now, although we did not get any information, it confirms that this set of credentials are required to communicate with the API (which would have returned 401 Unauthorized anyways). We can just auth can-i --list to view our permissions

It appears that we can enumerate the namespaces hosted on the server.

The dev one was the most interesting. We can attempt to enumerate what was running within that namespace. This can be done by appending -n dev get pods to our command.

It seems that there are 3 pods running. We can enumerate the IP addresses of what's running by appending -n dev get pods -o custom-columns=NAME:metadata.name,IP:status.podIP.

When checking the IP address of the pod I had a shell on, it was running on 10.42.0.41. Perhaps the other pods were accessible from that machine? I wanted to enumerate these machines more.

hashtag
Container Escape

I downloaded an nmap binary to the machine we had access to and scanned the first 10000 ports of these 3 containers. The scan for 10.42.0.38 revealed that port 3000 was open on this machine.

Port 3000 is the default port where Express applications run on. Earlier, in our source code review, the application was found to be running on Express. I repeated the Prototype Pollution and RCE exploit I used earlier, and was able to receive a shell to the devnode.

hashtag
Namespace Enumeration

Now, within this new container, there was another token and ca.crt to be downloaded. Perhaps I would have new permissions with these.

When checking the auth can-i for all the namespaces, the kube-system one revealed something new.

We had access to some secrets. Here's the output from get secrets.

From this, we can retrieve the administrator token to become the admin on the Kubernetes API. We can use describe secret -n kube-system c-admin-token-b47f7 to retrieve the token. Using this token, we can do all commands.

hashtag
Pod Escape

As the administrator, one attack path we can do is to create a new pod that has root access to the file system and connect to it. This article is very useful in telling us how.

LogoKubernetes Container Escape With HostPath MountsMediumchevron-right

Essentially, we need to create a YAML file that has specifications on how our new pod would be like, and it's there that we can include the mount path. First, we need to find the images available on the machine. This c an be done with some basic commands.

At the very bottom, we can find and use localhost:5000/dev-alpine. Then we can create our YAML file and then a new pod with custom settings.

Here's my YAML file:

Then we can connect to it directly using this command:

Then we can capture the root flag. Afterwards, we can easily upgrade a shell into this machine. We can create an authorized_keys file and echo our public key in it.

Rooted! Really good machine for learning source code analysis and Kubernetes enumerations.

PreviousTalkativeNextVessel