

This was an interesting box that starts with a webchat app that gives us a little useful information. From there we find an extremely barebones webapp, but further enumeration provides some interesting details that we can use to gain a foothold. Once we’re on the host we easily escalate privileges directly to root due to the poor security posture of the Kubernetes deployment.


Enumeration and Foothold

$ sudo rustscan -b 8192 -u 16384 -a 10.10.208.119 -- -sS -sV -sC -oN 10.10.208.119.$(basename $PWD).nmap.txt
# Nmap 7.92 scan initiated Sun May 15 14:58:22 2022 as: nmap -vvv -p 22,3000,10257,10255,10259,10250,16443,25000,31337,32000 -sS -sV -sC -oN 10.10.208.119.frankandherby.nmap.txt 10.10.208.119
Nmap scan report for 10.10.208.119
Host is up, received echo-reply ttl 61 (0.15s latency).
Scanned at 2022-05-15 14:58:23 PDT for 130s

PORT      STATE SERVICE     REASON         VERSION
22/tcp    open  ssh         syn-ack ttl 61 OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 64:79:10:0d:72:67:23:80:4a:1a:35:8e:0b:ec:a1:89 (RSA)
|   256 3b:0e:e7:e9:a5:1a:e4:c5:c7:88:0d:fe:ee:ac:95:65 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNX+QRguEL4oz+kogQzTSjnw/avVHwIvCK4QwTJmettBooLnWqE3JafmjtuKXJiGKe+8f0v6wYbLnwM2fy4EcSo=
|   256 d8:a7:16:75:a7:1b:26:5c:a9:2e:3f:ac:c0:ed:da:5c (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM5D29NgPRAP6UHvWfviHmkXUvTGAk9r2c+JcknWvle7
3000/tcp  open  ppp?        syn-ack ttl 61
| fingerprint-strings: 
|   GetRequest: 
|     HTTP/1.1 200 OK
|     X-XSS-Protection: 1
|     X-Content-Type-Options: nosniff
|     X-Frame-Options: sameorigin
|     Content-Security-Policy: default-src 'self' ; connect-src *; font-src 'self' data:; frame-src *; img-src * data:; media-src * data:; script-src 'self' 'unsafe-eval' ; style-src 'self' 'unsafe-inline' 
|     X-Instance-ID: QdGqw4ZWyN5mN982t
|     Content-Type: text/html; charset=utf-8
|     Vary: Accept-Encoding
|     Date: Sun, 15 May 2022 21:58:34 GMT
|     Connection: close
|     <!DOCTYPE html>
|     <html>
|     <head>
|     <link rel="stylesheet" type="text/css" class="__meteor-css__" href="/a3e89fa2bdd3f98d52e474085bb1d61f99c0684d.css?meteor_css_resource=true">
|     <meta charset="utf-8" />
|     <meta http-equiv="content-type" content="text/html; charset=utf-8" />
|     <meta http-equiv="expires" content="-1" />
|     <meta http-equiv="X-UA-Compatible" content="IE=edge" />
|     <meta name="fragment" content="!" />
|     <meta name="distribution" content
|   HTTPOptions: 
|     HTTP/1.1 200 OK
|     X-XSS-Protection: 1
|     X-Content-Type-Options: nosniff
|     X-Frame-Options: sameorigin
|     Content-Security-Policy: default-src 'self' ; connect-src *; font-src 'self' data:; frame-src *; img-src * data:; media-src * data:; script-src 'self' 'unsafe-eval' ; style-src 'self' 'unsafe-inline' 
|     X-Instance-ID: QdGqw4ZWyN5mN982t
|     Content-Type: text/html; charset=utf-8
|     Vary: Accept-Encoding
|     Date: Sun, 15 May 2022 21:58:35 GMT
|     Connection: close
|     <!DOCTYPE html>
|     <html>
|     <head>
|     <link rel="stylesheet" type="text/css" class="__meteor-css__" href="/a3e89fa2bdd3f98d52e474085bb1d61f99c0684d.css?meteor_css_resource=true">
|     <meta charset="utf-8" />
|     <meta http-equiv="content-type" content="text/html; charset=utf-8" />
|     <meta http-equiv="expires" content="-1" />
|     <meta http-equiv="X-UA-Compatible" content="IE=edge" />
|     <meta name="fragment" content="!" />
|_    <meta name="distribution" content
10250/tcp open  ssl/http    syn-ack ttl 61 Golang net/http server (Go-IPFS json-rpc or InfluxDB API)
| tls-alpn: 
|   h2
|_  http/1.1
| ssl-cert: Subject: commonName=dev-01@1633275132
| Subject Alternative Name: DNS:dev-01
| Issuer: commonName=dev-01-ca@1633275132
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2021-10-03T14:32:12
| Not valid after:  2022-10-03T14:32:12
| MD5:   dd8a 17b6 22ea 587b 2621 a781 be04 1abb
| SHA-1: 0056 04ff 40cd 599b dba5 5284 3212 5b60 eba1 c1a2
|_ssl-date: TLS randomness does not represent time
|_http-title: Site doesn't have a title (text/plain; charset=utf-8).
10255/tcp open  http        syn-ack ttl 61 Golang net/http server (Go-IPFS json-rpc or InfluxDB API)
|_http-title: Site doesn't have a title (text/plain; charset=utf-8).
10257/tcp open  ssl/unknown syn-ack ttl 61
| tls-alpn: 
|   h2
|_  http/1.1
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=localhost@1652650209
| Subject Alternative Name: DNS:localhost, DNS:localhost, IP Address:127.0.0.1
| Issuer: commonName=localhost-ca@1652650208
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2022-05-15T20:30:07
| Not valid after:  2023-05-15T20:30:07
| MD5:   160f ea27 c628 bf14 c6b8 6ff3 a387 b26e
| SHA-1: 7b4c ed12 c4d3 d2fd b3f3 c8b0 1f13 3f18 dd73 5137
| fingerprint-strings: 
|   GenericLines, Help, Kerberos, RTSPRequest, SSLSessionReq, TLSSessionReq, TerminalServerCookie: 
|     HTTP/1.1 400 Bad Request
|     Content-Type: text/plain; charset=utf-8
|     Connection: close
|     Request
|   GetRequest: 
|     HTTP/1.0 403 Forbidden
|     Cache-Control: no-cache, private
|     Content-Type: application/json
|     X-Content-Type-Options: nosniff
|     Date: Sun, 15 May 2022 21:58:42 GMT
|     Content-Length: 185
|     {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"forbidden: User "system:anonymous" cannot get path "/"","reason":"Forbidden","details":{},"code":403}
|   HTTPOptions: 
|     HTTP/1.0 403 Forbidden
|     Cache-Control: no-cache, private
|     Content-Type: application/json
|     X-Content-Type-Options: nosniff
|     Date: Sun, 15 May 2022 21:58:43 GMT
|     Content-Length: 189
|_    {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"forbidden: User "system:anonymous" cannot options path "/"","reason":"Forbidden","details":{},"code":403}
10259/tcp open  ssl/unknown syn-ack ttl 61
| tls-alpn: 
|   h2
|_  http/1.1
|_ssl-date: TLS randomness does not represent time
| fingerprint-strings: 
|   GenericLines, Help, Kerberos, RTSPRequest, SSLSessionReq, TLSSessionReq, TerminalServerCookie: 
|     HTTP/1.1 400 Bad Request
|     Content-Type: text/plain; charset=utf-8
|     Connection: close
|     Request
|   GetRequest: 
|     HTTP/1.0 403 Forbidden
|     Cache-Control: no-cache, private
|     Content-Type: application/json
|     X-Content-Type-Options: nosniff
|     Date: Sun, 15 May 2022 21:58:42 GMT
|     Content-Length: 185
|     {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"forbidden: User "system:anonymous" cannot get path "/"","reason":"Forbidden","details":{},"code":403}
|   HTTPOptions: 
|     HTTP/1.0 403 Forbidden
|     Cache-Control: no-cache, private
|     Content-Type: application/json
|     X-Content-Type-Options: nosniff
|     Date: Sun, 15 May 2022 21:58:43 GMT
|     Content-Length: 189
|_    {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"forbidden: User "system:anonymous" cannot options path "/"","reason":"Forbidden","details":{},"code":403}
| ssl-cert: Subject: commonName=localhost@1652650212
| Subject Alternative Name: DNS:localhost, DNS:localhost, IP Address:127.0.0.1
| Issuer: commonName=localhost-ca@1652650211
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2022-05-15T20:30:07
| Not valid after:  2023-05-15T20:30:07
| MD5:   ab43 09d8 4414 b48c 1d54 8354 7e13 94aa
| SHA-1: 8ea6 e7d2 99c3 9ce5 de9d 43e7 3c7b 7a92 bad7 79e1
16443/tcp open  ssl/unknown syn-ack ttl 61
|_ssl-date: TLS randomness does not represent time
| tls-alpn: 
|   h2
|_  http/1.1
| ssl-cert: Subject: commonName=127.0.0.1/organizationName=Canonical/stateOrProvinceName=Canonical/countryName=GB/localityName=Canonical/organizationalUnitName=Canonical
| Subject Alternative Name: DNS:kubernetes, DNS:kubernetes.default, DNS:kubernetes.default.svc, DNS:kubernetes.default.svc.cluster, DNS:kubernetes.default.svc.cluster.local, IP Address:127.0.0.1, IP Address:10.152.183.1, IP Address:10.10.208.119, IP Address:172.17.0.1
| Issuer: commonName=10.152.183.1
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2022-05-15T21:25:09
| Not valid after:  2023-05-15T21:25:09
| MD5:   4f15 397e 01b8 e3f7 747a be3a aabb 0435
| SHA-1: 285d 9753 29b4 5d70 906e 04e1 c32e de5b 75b3 1b30
| fingerprint-strings: 
|   FourOhFourRequest: 
|     HTTP/1.0 401 Unauthorized
|     Cache-Control: no-cache, private
|     Content-Type: application/json
|     Date: Sun, 15 May 2022 21:59:16 GMT
|     Content-Length: 129
|     {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"Unauthorized","reason":"Unauthorized","code":401}
|   GenericLines, Help, Kerberos, RTSPRequest, SSLSessionReq, TLSSessionReq, TerminalServerCookie: 
|     HTTP/1.1 400 Bad Request
|     Content-Type: text/plain; charset=utf-8
|     Connection: close
|     Request
|   GetRequest: 
|     HTTP/1.0 401 Unauthorized
|     Cache-Control: no-cache, private
|     Content-Type: application/json
|     Date: Sun, 15 May 2022 21:58:42 GMT
|     Content-Length: 129
|     {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"Unauthorized","reason":"Unauthorized","code":401}
|   HTTPOptions: 
|     HTTP/1.0 401 Unauthorized
|     Cache-Control: no-cache, private
|     Content-Type: application/json
|     Date: Sun, 15 May 2022 21:58:43 GMT
|     Content-Length: 129
|_    {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"Unauthorized","reason":"Unauthorized","code":401}
25000/tcp open  ssl/http    syn-ack ttl 61 Gunicorn 19.7.1
|_http-server-header: gunicorn/19.7.1
| ssl-cert: Subject: commonName=127.0.0.1/organizationName=Canonical/stateOrProvinceName=Canonical/countryName=GB/localityName=Canonical/organizationalUnitName=Canonical
| Subject Alternative Name: DNS:kubernetes, DNS:kubernetes.default, DNS:kubernetes.default.svc, DNS:kubernetes.default.svc.cluster, DNS:kubernetes.default.svc.cluster.local, IP Address:127.0.0.1, IP Address:10.152.183.1, IP Address:10.10.208.119, IP Address:172.17.0.1
| Issuer: commonName=10.152.183.1
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2022-05-15T21:25:09
| Not valid after:  2023-05-15T21:25:09
| MD5:   4f15 397e 01b8 e3f7 747a be3a aabb 0435
| SHA-1: 285d 9753 29b4 5d70 906e 04e1 c32e de5b 75b3 1b30
|_ssl-date: TLS randomness does not represent time
|_http-title: 404 Not Found
31337/tcp open  http        syn-ack ttl 60 nginx 1.21.3
|_http-server-header: nginx/1.21.3
|_http-title: Heroic Features - Start Bootstrap Template
| http-methods: 
|_  Supported Methods: GET HEAD
32000/tcp open  http        syn-ack ttl 60 Docker Registry (API: 2.0)
|_http-title: Site doesn't have a title.
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at <https://nmap.org/submit/> .
# Nmap done at Sun May 15 15:00:33 2022 -- 1 IP address (1 host up) scanned in 131.13 seconds
Port       Service  Notes
22/tcp     SSH      OpenSSH 8.2p1 Ubuntu 4ubuntu0.2
3000/tcp   HTTP     Running a RocketChat instance. We created a “test” user and were
                    able to collect some useful information, posted below.
31337/tcp  HTTP     A very barebones webapp... or is it?
16443/tcp  HTTPS    Kubernetes API Server. We don’t have a kubeconfig to interact with
                    this API endpoint just yet...
10250/tcp  HTTPS    Kubelet? ssl-cert: Subject: commonName=dev-01@1633275132
10255/tcp  HTTPS    Kube-API Server. /metrics is the metrics endpoint; possibly other
                    endpoints... We know the Kubernetes version from one of the
                    metrics lines (quoted below the table).
10257/tcp  HTTPS    Some kube API endpoint
10259/tcp  HTTPS    Some kube API endpoint
25000/tcp  HTTPS    But what the hell is running here? We get an error:
                    Error code: SEC_ERROR_REUSED_ISSUER_AND_SERIAL
32000/tcp  HTTP     This appears to be a container registry for the cluster.

Version line from the 10255 /metrics endpoint:
kubernetes_build_info{build_date="2021-09-28T15:36:44Z",compiler="gc",git_commit="83e2bb7ee3972654beca02a12a94777da22d6669",git_tree_state="clean",git_version="v1.21.5-3+83e2bb7ee39726",go_version="go1.16.8",major="1",minor="21+",platform="linux/amd64"}
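The version line above is in the Prometheus text exposition format. As an added example that is not part of the original writeup, here is a small parser for that format plus a helper that pulls the kubernetes_build_info labels out of a /metrics body, which is also what a defender would run against their own cluster to confirm the plaintext metrics port is not disclosing this anonymously. The sample body is the page's own build_info line plus two constructed neighbouring samples.

```python
import re
from typing import Dict, Tuple

# Sample /metrics body: the kubernetes_build_info line quoted in the writeup, plus
# two constructed neighbours, all in the Prometheus text exposition format.
SAMPLE_METRICS = """\
# HELP kubernetes_build_info A metric with a constant '1' value labeled by build info.
# TYPE kubernetes_build_info gauge
kubernetes_build_info{build_date="2021-09-28T15:36:44Z",compiler="gc",git_commit="83e2bb7ee3972654beca02a12a94777da22d6669",git_tree_state="clean",git_version="v1.21.5-3+83e2bb7ee39726",go_version="go1.16.8",major="1",minor="21+",platform="linux/amd64"} 1
kubelet_running_pods 4
rest_client_requests_total{code="200",host="10.152.183.1:443",method="GET"} 1234
"""

# name{label="value",...} value [timestamp]; the label block is optional.
_SAMPLE_RE = re.compile(r"^([a-zA-Z_:][a-zA-Z0-9_:]*)(?:\{(.*)\})?\s+(\S+)")
# One label pair; values may contain \" \\ and \n escapes, so match escaped pairs as a unit.
_LABEL_RE = re.compile(r'([a-zA-Z_][a-zA-Z0-9_]*)="((?:[^"\\]|\\.)*)"')


def _unescape(value: str) -> str:
    """Undo the three escapes the text format allows inside a label value."""
    return re.sub(r"\\(.)", lambda m: "\n" if m.group(1) == "n" else m.group(1), value)


def parse_metric_line(line: str) -> Tuple[str, Dict[str, str], float]:
    """Split one sample line into (metric name, label dict, numeric value)."""
    line = line.strip()
    if not line or line.startswith("#"):
        raise ValueError("not a sample line")
    m = _SAMPLE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable sample: {line!r}")
    name, raw_labels, raw_value = m.groups()
    labels = {k: _unescape(v) for k, v in _LABEL_RE.findall(raw_labels or "")}
    return name, labels, float(raw_value)


def build_info(metrics_text: str) -> Dict[str, str]:
    """Return the kubernetes_build_info labels, or {} if the body does not expose them."""
    for line in metrics_text.splitlines():
        if line.startswith("kubernetes_build_info{"):
            return parse_metric_line(line)[1]
    return {}


def exposure_summary(metrics_text: str) -> Dict[str, str]:
    """What an anonymous reader learns from this body: version, toolchain, platform, pod count."""
    info = build_info(metrics_text)
    summary = {k: info[k] for k in ("git_version", "go_version", "platform") if k in info}
    for line in metrics_text.splitlines():
        if line.startswith("kubelet_running_pods"):
            summary["running_pods"] = str(int(parse_metric_line(line)[2]))
    return summary


if __name__ == "__main__":
    print(exposure_summary(SAMPLE_METRICS))
```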

Port 3000 - Rocket Chat

The service on port 3000 is Rocket Chat, an open source Slack-like chat client. We were able to register a user account and find some helpful information in the various chat channels.


So now we know the Kube platform is Microk8s v1.21.5 and we can interact with it using the microk8s.kubectl command on the CLI (once we have a shell!).

There were a few exploits for Rocket Chat, but I wasn’t able to determine the version number very quickly, and from my limited testing of the NoSQL RCE it didn’t seem to work (I also wasn’t able to enumerate the admin’s (herby) email address to use with the exploit).

Port 31337 - Some Webapp

Taking a look at this port shows us a pretty basic webapp with not much to the website. We started directory bruteforcing with directory-list-2.3-medium.txt and common.txt, but neither of those lists turned anything up. I almost stopped here because I figured those lists covered most of what we’d want to look for, but Twitch chat suggested another list, dirsearch.txt. Of course this list turned up a juicy git credentials file. This is a good lesson in continuing to enumerate a little further, but also keep in mind the point of diminishing returns and don’t spend too much time.


We now have credentials for frank (they are URL encoded, just fix them). These credentials do not work for Rocket Chat but they do work for SSH access. :homer-woohoo:
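The file found under the web root is in the format git-credential-store writes: one URL per line with the user and password percent-encoded, which is why the values had to be “fixed” before use. As an added example that is not from the writeup, here is a small audit helper that finds such files under a served directory, decodes the userinfo, and reports each exposure with the secret masked; all file names, hosts and credential values below are constructed.

```python
import os
import tempfile
from typing import Dict, List
from urllib.parse import unquote, urlsplit

# Constructed sample in the one-URL-per-line format that git-credential-store writes.
# User and password are percent-encoded, so "S%40mpl3%3Apass%21" is really "S@mpl3:pass!".
SAMPLE_GIT_CREDENTIALS = """\
https://frank:S%40mpl3%3Apass%21@git.example.internal
https://deploy-bot:t0ken%2Fvalue@ci.example.internal:8443/org/repo.git
# comment-style lines are unusual in this file but harmless to skip
https://no-userinfo.example.internal
"""


def parse_git_credentials(text: str) -> List[Dict[str, str]]:
    """Return one record per credential-bearing URL with the userinfo percent-decoded."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        url = urlsplit(line)
        if url.username is None:  # no userinfo, nothing exposed on this line
            continue
        entries.append({
            "scheme": url.scheme,
            "host": url.hostname or "",
            "username": unquote(url.username),
            "password": unquote(url.password or ""),
        })
    return entries


def redact(entry: Dict[str, str]) -> str:
    """Render a record for a finding report without echoing the secret."""
    return f'{entry["scheme"]}://{entry["username"]}:****@{entry["host"]}'


def find_credential_files(webroot: str) -> List[str]:
    """Walk a served directory tree and list git credential files it would hand out."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(webroot):
        for name in filenames:
            if name == ".git-credentials":
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def demo_audit() -> List[str]:
    """Build a constructed web root in a temp dir, scan it, return redacted findings."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "assets"))
        with open(os.path.join(root, ".git-credentials"), "w") as fh:
            fh.write(SAMPLE_GIT_CREDENTIALS)
        with open(os.path.join(root, "assets", "app.css"), "w") as fh:
            fh.write("body {}")  # ordinary static content, must not be reported
        findings = []
        for path in find_credential_files(root):
            with open(path) as fh:
                findings.extend(redact(e) for e in parse_git_credentials(fh.read()))
        return findings


if __name__ == "__main__":
    print("\n".join(demo_audit()))
```

Run the same walk against a real document root (or the image layers of a registry you operate) to catch this file before a directory brute force does.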


Exploitation and Privilege Escalation