Kuber
CHALLENGE DESCRIPTION
As a digital forensics investigator, you received an urgent request from a client managing multiple proxy Kubernetes clusters. The client reports unusual behavior in one of their development environments, where they were testing a proxy via SSH. This environment was exposed to the internet, raising concerns about a potential security breach. You have been provided with a dump of the kube-system namespace, as most of the testing activity occurred there. Your task is to thoroughly analyze the data and determine if the system has been compromised.
SOLUTION
At which NodePort is the ssh-deployment Kubernetes service exposed for external access?

    grep -i nodeport *

Answer: 31337

What is the ClusterIP of the kubernetes cluster?

    grep -i ClusterIP *

Answer: 10.43.191.212

What is the flag value inside the ssh-config configmap?

    grep -i htb{ *

Answer: HTB{1d2d2b861c5f8631f841b57f327f46f8}

What is the value of the password (in plaintext) which is found inside ssh-deployment via a secret?

    grep -i password *

The grep returns the password base64-encoded; decode it to get the plaintext.

Answer: SuperCrazyPassword123!

What is the name of the malicious pod?

    grep -a5 -i 'pod' pods.yaml

Scrolling down through the output, one pod spec stands out because it carries a command field.

Answer: metrics-server-557ff575fx-4q62x

What is the image the attacker is using to create the malicious pod?

Answer: alpine

What's the attacker IP?
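The two manual steps above, pulling the base64 password out of the secret and spotting the hand-made pod in pods.yaml, can be automated over the whole namespace dump. The script below is an added example and is not part of the original write-up. It assumes the dump has been exported as JSON (kubectl get secrets,pods -n kube-system -o json) instead of the YAML the challenge ships, so only the Python standard library is needed; the Secret and Pod objects embedded in it are constructed for the example and are not the challenge's data. It also goes a little beyond the write-up: besides the command override it checks for privileged containers, hostPath mounts and shared host namespaces, the other usual signs of a pod created by hand rather than by a controller.

```python
import base64
import json

# Constructed sample of a kube-system dump exported as JSON. Names and
# values are made up for this example; they are not the challenge's data.
SECRETS_DUMP = json.dumps({
    "items": [
        {
            "kind": "Secret",
            "metadata": {"name": "ssh-secret", "namespace": "kube-system"},
            "type": "Opaque",
            "data": {
                "password": base64.b64encode(b"example-password").decode(),
                "binary-blob": base64.b64encode(b"\x00\xff\x10").decode(),
            },
        }
    ]
})

PODS_DUMP = json.dumps({
    "items": [
        {   # a normal controller-managed pod
            "kind": "Pod",
            "metadata": {
                "name": "coredns-6799fbcd5-abcde",
                "namespace": "kube-system",
                "ownerReferences": [{"kind": "ReplicaSet", "name": "coredns-6799fbcd5"}],
            },
            "spec": {"containers": [{"name": "coredns",
                                     "image": "rancher/mirrored-coredns-coredns:1.10.1"}]},
        },
        {   # a constructed pod that mimics the pattern seen in the write-up
            "kind": "Pod",
            "metadata": {"name": "metrics-server-lookalike", "namespace": "kube-system"},
            "spec": {
                "hostPID": True,
                "containers": [{
                    "name": "shell",
                    "image": "alpine",
                    "command": ["/bin/sh", "-c", "sleep 3600"],
                    "securityContext": {"privileged": True},
                    "volumeMounts": [{"name": "host", "mountPath": "/host"}],
                }],
                "volumes": [{"name": "host", "hostPath": {"path": "/"}}],
            },
        },
    ]
})

GENERIC_SHELL_IMAGES = {"alpine", "busybox", "ubuntu", "debian"}


def decode_secret_data(secrets_json):
    """Return {secret_name: {key: decoded_value}} for every Secret in the dump.

    Secret .data values are base64 of raw bytes; a value that is not valid
    UTF-8 is reported as a hex string instead of raising.
    """
    out = {}
    for item in json.loads(secrets_json)["items"]:
        if item.get("kind") != "Secret":
            continue
        decoded = {}
        for key, b64 in item.get("data", {}).items():
            raw = base64.b64decode(b64)
            try:
                decoded[key] = raw.decode("utf-8")
            except UnicodeDecodeError:
                decoded[key] = "hex:" + raw.hex()
        # stringData is plaintext; the API server never stores it, but a
        # hand-edited manifest in a dump may still carry it.
        decoded.update(item.get("stringData", {}))
        out[item["metadata"]["name"]] = decoded
    return out


def image_name(image):
    """Drop the tag or digest from an image reference ('alpine:3.19' -> 'alpine')."""
    image = image.split("@", 1)[0]
    name, sep, tag = image.rpartition(":")
    return name if sep and "/" not in tag else image


def suspicious_pods(pods_json):
    """Return {pod_name: [reasons]} for pods showing signs of manual creation."""
    findings = {}
    for pod in json.loads(pods_json)["items"]:
        meta, spec = pod["metadata"], pod["spec"]
        reasons = []
        if not meta.get("ownerReferences"):
            reasons.append("no ownerReferences: applied directly, not by a controller")
        if spec.get("hostPID") or spec.get("hostNetwork") or spec.get("hostIPC"):
            reasons.append("shares a host namespace (hostPID/hostNetwork/hostIPC)")
        for vol in spec.get("volumes", []):
            if "hostPath" in vol:
                reasons.append(f"hostPath mount of {vol['hostPath'].get('path')}")
        for c in spec.get("containers", []):
            if c.get("command"):
                reasons.append(f"container {c['name']} overrides command: {' '.join(c['command'])}")
            if image_name(c.get("image", "")) in GENERIC_SHELL_IMAGES:
                reasons.append(f"generic shell image {c['image']}")
            if c.get("securityContext", {}).get("privileged"):
                reasons.append(f"container {c['name']} is privileged")
        if reasons:
            findings[meta["name"]] = reasons
    return findings


if __name__ == "__main__":
    for name, data in decode_secret_data(SECRETS_DUMP).items():
        print("secret", name, data)
    for name, reasons in suspicious_pods(PODS_DUMP).items():
        print("pod", name)
        for r in reasons:
            print("  -", r)
```

Run it directly to print the decoded secrets and each flagged pod with its reasons; pointing it at a real dump is a matter of reading the two JSON files in place of the embedded strings. A missing ownerReferences field on its own is weak evidence, since legitimately hand-applied pods also lack it, which is why the checks are reported as a list of reasons rather than collapsed into a single verdict.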