From 93d9db658e88af04852af2b0a4e8b42f289ecdc7 Mon Sep 17 00:00:00 2001 From: oriagmon Date: Mon, 15 Oct 2018 17:32:50 +0300 Subject: [PATCH] Listen on port 443 as well now. --- src/modules/hunting/apiserver.py | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/src/modules/hunting/apiserver.py b/src/modules/hunting/apiserver.py index 4e81807..c44451d 100644 --- a/src/modules/hunting/apiserver.py +++ b/src/modules/hunting/apiserver.py @@ -5,7 +5,7 @@ import requests from ...core.events import handler from ...core.events.types import Vulnerability, Event, OpenPortEvent -from ...core.types import Hunter, KubernetesCluster, RemoteCodeExec, AccessRisk +from ...core.types import Hunter, KubernetesCluster, RemoteCodeExec, AccessRisk """ Vulnerabilities """ @@ -24,7 +24,7 @@ class ServiceAccountTokenAccess(Vulnerability, Event): self.evidence = evidence # Passive Hunter -@handler.subscribe(OpenPortEvent, predicate=lambda p: p.port == 6443) +@handler.subscribe(OpenPortEvent, predicate=lambda x: x.port==443 or x.port==6443) class AccessApiServerViaServiceAccountToken(Hunter): """ Accessing the api server might grant an attacker full control over the cluster @@ -39,7 +39,7 @@ class AccessApiServerViaServiceAccountToken(Hunter): logging.debug(self.event.host) logging.debug('Passive Hunter is attempting to access the API server using the pod\'s service account token') try: - res = requests.get("https://{host}:{port}/api".format(host=self.event.host, port=6443), + res = requests.get("https://{host}:{port}/api".format(host=self.event.host, port=self.event.port), headers={'Authorization': 'Bearer ' + self.service_account_token_evidence}, verify=False) self.api_server_evidence = res.content return res.status_code == 200 and res.content != '' 
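Review bot: The new predicate `x.port==443 or x.port==6443` subscribes this hunter to every host that reports port 443 open, so it now also runs against ordinary HTTPS services that are not a Kubernetes API server. The request in the `@@ -39,7` hunk attaches the pod's service account token, so each of those hosts is handed a live credential. The hunter should confirm the endpoint is the API server before sending the token, or accept 443 only for hosts already identified as cluster components. On style, `predicate=lambda x: x.port in (443, 6443)` is easier to read and extend. The class body continues past the end of the hunk.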
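Review bot: With `port=self.event.port` the `Authorization: Bearer` header goes to whichever listener raised the event, and the call still passes `verify=False`, so the peer's identity is never checked before it receives the token. Where the cluster CA certificate is available to the pod, pass it instead of disabling verification, and add a timeout so one unresponsive 443 listener cannot stall the hunter: `headers={...}, verify=<path to cluster CA bundle>, timeout=<seconds>)`. If this module runs under Python 3, `res.content` is bytes and `res.content != ''` on the last context line is always true; `bool(res.content)` expresses the intended check on either version. The `try:` opens inside the hunk, but its `except` clause and the method signature are outside it.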
@@ -62,4 +62,3 @@ class AccessApiServerViaServiceAccountToken(Hunter):
 self.publish_event(ServiceAccountTokenAccess(self.service_account_token_evidence))
 if self.access_api_server():
 self.publish_event(ServerApiAccess(self.api_server_evidence))
-