Kubernetes Offense

By: Michael Mitchell
@awildbeard

Abstract:

The workshop is about understanding and exploiting Kubernetes cluster environments. An exploitable cluster has been built and is deployable for the workshop.

The workshop was originally written for people who do not have much familiarity with Kubernetes or containers. It is not intended to provide new or novel attacks, but to help accelerate someone's path to understanding and using new and novel attacks.

The content covers:

- What is Kubernetes

- Structure of Networking, API, etc.

- ServiceAccount Tokens

- Pre v1.24/v1.25 Secrets structure

- Changes made during v1.24/v1.25

- Common exploitable resources

- Container Escape via docker.sock

- Service Exploitation (application exploitation against an internal service)

- A lateral movement pattern (via token access & data disclosure)

- Sidepod enumeration

- Where to find sensitive data in containers


This information/content is covered in the exploitable cluster as well as the accompanying PowerPoint.

The training will be delivered on the exact same technology stack as last year: a Teleport cluster and exploitable infrastructure run and operated by IBM X-Force Red. Participants need only bring a laptop or phone (if they want to...) that they can use a browser from. They will also need a GitHub account for SSO to the Teleport cluster, because last year a non-trivial amount of the workshop time was spent providing local account access. This time I'd like to cut that wasted time by simply asking that attendees have a GitHub account we can add to an org and team.

I do not plan on covering container exploitation and escapes like I did last year. Where needed for the exploitation of the cluster, I'll cover missing content, and also as individual participants have questions regarding it.

Useful pre-req knowledge would include:

- Kubernetes

- Containers

- Application Exploitation

- Network enum

- Linux priv-esc & local enum

Because the answers are provided during the workshop, there are no real pre-req knowledge *requirements*.

(c)2023, Red Team Village