CTFs | 404CTF_2023 | Cloud | Le Cluster de Madame Bovary

Le Cluster de Madame Bovary

Enumeration

For this challenge, we are given a virtual machine. Once on the machine, we first run kubectl to list the pods.

The output shows a single pod, agent. A Pod is the smallest deployable unit in Kubernetes and represents a running process. It can contain one or more containers that share the same network and storage resources. Pods encapsulate and manage containers, providing an abstraction layer for scheduling, scaling, and managing applications within a Kubernetes cluster.

We can access the pod and find an executable in the /opt folder.

If we try to run it, we get the same result as when running kubectl logs agent.

First Exploitation

Looking on Docker Hub, we can find this container's image. We can't just run it on our own machine, because it fails with an error when it is not running on Kubernetes (K8s). So I wrote a manifest for a Deployment whose pod runs this container:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: thecontainer404
  namespace: 404ctf
spec:
  replicas: 1
  selector:
    matchLabels:
      app: thecontainer404
  template:
    metadata:
      labels:
        app: thecontainer404
    spec:
      containers:
        - name: thecontainer404
          image: 404ctf/the-container

I specified the namespace 404ctf because, if you don't, you will get an error saying that the container doesn't run in the correct namespace (err: not in namespace 404ctf). To create the namespace, run the command kubectl create namespace 404ctf.
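
The two errors described above (not running on Kubernetes, not in namespace 404ctf) correspond to checks a program can make from inside a pod. The following Go program is an added example, not part of the original write-up and not the challenge binary's code; it assumes the usual in-cluster conventions (the KUBERNETES_SERVICE_HOST variable and the mounted service account namespace file), and CheckEnv and its parameters are hypothetical names.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"strings"
)

// Standard path where Kubernetes mounts the pod's namespace next to its token.
const nsFile = "/var/run/secrets/kubernetes.io/serviceaccount/namespace"

var (
	ErrNotInCluster = errors.New("not running on Kubernetes")
	ErrWrongNS      = errors.New("not in expected namespace")
)

// CheckEnv is a hypothetical environment check. getenv and path are
// parameters so the logic can be exercised outside a cluster.
func CheckEnv(getenv func(string) string, path, wantNS string) (string, error) {
	// Kubernetes sets KUBERNETES_SERVICE_HOST in pod containers.
	if getenv("KUBERNETES_SERVICE_HOST") == "" {
		return "", ErrNotInCluster
	}
	raw, err := os.ReadFile(path)
	if err != nil {
		// No mounted service account directory (or not a pod at all).
		return "", fmt.Errorf("%w: %v", ErrNotInCluster, err)
	}
	ns := strings.TrimSpace(string(raw))
	if ns != wantNS {
		return ns, fmt.Errorf("%w: got %q, want %q", ErrWrongNS, ns, wantNS)
	}
	return ns, nil
}

func main() {
	ns, err := CheckEnv(os.Getenv, nsFile, "404ctf")
	if err != nil {
		fmt.Println("err:", err)
		os.Exit(1)
	}
	fmt.Println("running in namespace", ns)
}
```

The namespace name is chosen by whoever deploys the pod, so a check like this identifies the environment rather than restricting who can run the image.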

We can deploy our pod using the command:

kubectl apply -f deployment.yml 

Get the first part of the flag

We can now access the pod using the command kubectl exec -it deployment.apps/thecontainer404 --namespace=404ctf -- sh.

Don’t forget the --namespace=404ctf. If you do, you will get an error saying that the pod wasn’t found.

When executing /opt/the-container, we get several errors that we can correct.

We now have the first half of the flag: 404CTF{A_la_decouv. We also know that the rest of the flag is in the container 404ctf/web-server. We repeat the same steps as before and, once inside, find a Go program for a web server.

Get the second part of the flag

We can read the content of web-server.go and find the flag.

Alternatively, we can simply request it with cURL.

The complete flag is then: 404CTF{A_la_decouverte_de_k8s}

This post is licensed under CC BY 4.0 by the author.