search

Challenge 2: Registry Hunt

Add description after the challenge is over.

hashtag
References

LogoHell’s Keychain: Supply-chain vulnerability in IBM Cloud Databases for PostgreSQL allows potential unauthorized database access | Wiz Blogwiz.iochevron-right
Logogo-containerregistry/cmd/crane/doc/crane.md at main · google/go-containerregistryGitHubchevron-right

hashtag
The Challenge breakdown

Description:

A thing we learned during our research: always check the container registries.

For your convenience, the cranearrow-up-right utility is already pre-installed on the machine.

Challenge Value: 10 pts

Permissions complements of Wiz: (You're too kind guys)

hashtag
Solving the Challenge

Lets get started in the terminal below by first confirming what the kubeconfig profile settings were are connected with has the ability to do. In short lets run the `whoami` of kubernetes.

Here we can see that we have permissions that are consistent with the permission hint provided from Wiz. (Thanks, Wiz, for not lying)

Let's break down the permissions of user connected to the kubeconfig file allowing us to run the kubectl commands in the first place in order to interact with the Kubernetes cluster.

Resource
Verb
Description

secrets

get

Allows the user/role/SA to get information about a specific secret object that was made in the kubernetes cluster. Please note however this doesn't allow us to see all the secrets so the member seeking information on the secret will need to know the secrets name. In order to list available secrets, the k8s member would need the list permission as well.

pods

get

Similar to the get verb for the secrets object, it is used to get information about the pod resource(s). Must specify resource name without list functionality.

pods

list

This allows the k8s member to list the available pods that it has access to per namespace without knowing any of the pod resource names.

Example for why we cannot see any secrets just by calling the get verb on secret object resources.

hashtag

hashtag
Enumerating the available resources

Only one pod is returned, but this isn't enough information to get a potential secret name.

When creating a Kubernetes pod with an image from a private container registry, it is necessary to supply the imagePullSecretsarrow-up-right field in the pod configuration, which references a secret holding the credentials for the container registry.

We can see here a simple describe call is not giving us the imagePullSecrets field so lets run the get command again but supply the full json output to get more information about the pod.

Great! now we have the secret name associated with the pods image. We can now enumerate the secret in a similar method as in challenge 1.

Lets check to make sure we can start enumeration of the secret by running the "get" verb

Perfect! Now lets take it a step further.

Interesting this secret looks to be associated with a docker config and the key name contains a special character that would exist in the JSON once we view the full contents of the secrets configuration.

In the configuration we can see that the data parent key that hosts the secret identity appears to be part of a file. Lets decode the ".dockerconfigjson" key and view those contents.

hashtag
Get the base64 encoding.

hashtag
Decode the encoded configuration

hashtag
Decode the configs auth key

Radical! We got the credentials of the private repository. Now if we remember from the challenge description there is a utility to interact with containers, images, repositories, and more. Let's check it out!

After reviewing the help information at the top level of the command a couple of sub commands come to mind for gathering more information. The first is to take advantage of the "auth" sub command to login.

The second once we are logged in is to export the image attached to the running pod and get the file system contents.

So how do we do all this??? Let's break it down one command at a time be using a combination of the help commands and the official documentation from the References section.

hashtag
Login to Registry

hashtag
crane auth --help

Great now we need to get just a little more information for the "login" sub command.

hashtag
crane auth login --help

Perfect, now we can use the example provided to try and login ourselves with the credentials we uncovered.

hashtag
Forming our own login syntax

Ok so wait a second. How did we do that? Let's breakdown the command content syntax for a greater understanding.

  • crane auth login - This part is the main command and sub commands to make the login api call to the images registry

  • docker.io - This is the registry name, remember this was exposed with the kubectl describe pod <pod name> command and found under the key Image ID with the value of - docker.io/eksclustergames/base_ext_image

  • -u eksclustergames - The -u stands for username and the username was found in the first part of the string uncovered in Decode the configs auth key

  • -p dckr_pat_YtncV-R85mG7m4lr45iYQj8FuCo - The -p stands for password and the contents that follows the argument is the second part of the uncovered string found in Decode the configs auth key

hashtag
Export the Filesystem

hashtag
crane export --help

Ok so this sub command seems to be the parent and child command to run in order to get the contents of the file system. Lets mock the command and run

  • crane export docker.io/eksclustergames/base_ext_image /tmp/base_ext_image.tar

    • crane export - parent and child commands

    • docker.io/eksclustergames/base_ext_image - image location

    • /tmp/base_ext_image.tar - name and location of filesystem in tarball compression format

Quickly lets check the file location

Good, now lets unpack the tarball

Now lets check out our images filesystem

Maybe we should check out that flag.txt file???

This seems legit, shall we submit and move on, I think so.

PreviousChallenge 1: Secret SeekerNextChallenge 3: Image Inquisition

Last updated