Matt Moyer
https://moyer.dev/
Recent content on Matt Moyer
Generator: Hugo -- gohugo.io
Language: en-US
Last build: Thu, 02 Nov 2023 04:00:00 +0000

EKS Cluster Games: Challenge 5 (SPOILERS)
https://moyer.dev/blog/eks-cluster-games-challenge-5/
Thu, 02 Nov 2023 04:00:00 +0000
This is a writeup of how I solved part five of the EKS Cluster Games. Huge thanks to Wiz for putting this together.
If you haven’t yet, you should start with challenges one, two, three, and four.
Challenge Five
In this level the clues contain some vital information. The flag we’re looking for is in an S3 bucket. There’s an IAM role with read access to this bucket and we can see the trust policy of this role is using IAM Roles for Service Accounts (IRSA).

EKS Cluster Games: Challenge 4 (SPOILERS)
https://moyer.dev/blog/eks-cluster-games-challenge-4/
Thu, 02 Nov 2023 03:00:00 +0000
This is a writeup of how I solved part four of the EKS Cluster Games. Huge thanks to Wiz for putting this together.
If you haven’t yet, you should start with challenges one, two, and three.
Challenge Four
This time our service account has zero permissions:

    root@wiz-eks-challenge:~# kubectl whoami
    system:serviceaccount:challenge4:service-account-challenge4
    root@wiz-eks-challenge:~# kubectl get pods
    Error from server (Forbidden): pods is forbidden: User "system:serviceaccount:challenge4:service-account-challenge4" cannot list resource "pods" in API group "" in the namespace "challenge4"

We still have access to the IMDSv1 endpoint and are now able to directly use the node’s IAM role:

EKS Cluster Games: Challenge 3 (SPOILERS)
https://moyer.dev/blog/eks-cluster-games-challenge-3/
Thu, 02 Nov 2023 02:00:00 +0000
This is a writeup of how I solved part three of the EKS Cluster Games. Huge thanks to Wiz for putting this together.
If you haven’t yet, you should start with challenges one and two.
Challenge Three
This challenge starts with access to a Kubernetes service account, but this time it doesn’t seem to have access to much interesting data:

    root@wiz-eks-challenge:~# kubectl whoami
    system:serviceaccount:challenge3:service-account-challenge3
    root@wiz-eks-challenge:~# kubectl get secrets
    Error from server (Forbidden): secrets is forbidden: User "system:serviceaccount:challenge3:service-account-challenge3" cannot list resource "secrets" in API group "" in the namespace "challenge3"
    root@wiz-eks-challenge:~# kubectl get pods
    NAME                    READY   STATUS    RESTARTS   AGE
    accounting-pod-876647f8 1/1     Running   0          25h

The pod is running an image that we’d like to explore, but we don’t have permission:

EKS Cluster Games: Challenge 2 (SPOILERS)
https://moyer.dev/blog/eks-cluster-games-challenge-2/
Thu, 02 Nov 2023 01:00:00 +0000
This is a writeup of how I solved part two of the EKS Cluster Games. Huge thanks to Wiz for putting this together.
If you haven’t yet, you should start with challenge one.
Challenge Two
In this challenge, the hint tells us to check the container registries.
We can use our kubectl access to see a pod running and list the image it’s running:

    root@wiz-eks-challenge:~# kubectl get pods
    NAME                    READY   STATUS    RESTARTS   AGE
    database-pod-2c9b3a4e   1/1     Running   0          26h
    root@wiz-eks-challenge:~# kubectl get pod database-pod-2c9b3a4e -o yaml
    apiVersion: v1
    kind: Pod
    metadata:
      name: database-pod-2c9b3a4e
      namespace: challenge2
    [.

EKS Cluster Games: Challenge 1 (SPOILERS)
https://moyer.dev/blog/eks-cluster-games-challenge-1/
Thu, 02 Nov 2023 00:00:00 +0000
This is a writeup of how I solved part one of the EKS Cluster Games. Huge thanks to Wiz for putting this together.
Challenge One
This challenge starts with a shell with kubectl.
We can notice right away that we have access to list secrets:

    root@wiz-eks-challenge:~# kubectl get secrets
    NAME         TYPE     DATA   AGE
    log-rotate   Opaque   1      26h

Finding the Flag
We can dump out this secret and then decode it with jq and base64 -d:

About
https://moyer.dev/about/
Mon, 01 Jan 0001 00:00:00 +0000
I live in Kansas City, MO where I work as a security engineer at Figma. Before joining Figma I worked on Kubernetes security and identity in the Modern Applications Platform business unit at VMware. Prior to our 2018 acquisition by VMware, I worked in a similar role at Heptio. I was also previously a security engineer at Simple.

Mastodon: @[email protected]
Bluesky: @moyer.dev
GitHub: github.com/mattmoyer
LinkedIn: linkedin.com/in/moyerma