SteamCloud

So I've been doing some good old HackTheBox machines to refresh a little on my hacking skills and this machine was a very interesting one!

Exploitation itself wasn't particularly difficult; what was, however, was finding information on what I needed to do! Allow me to explain the process. :)

Enumeration

As is standard, I began with an nmap scan on SteamCloud:

Other than OpenSSH being outdated, all that I could really see was the use of various web servers. This led me to believe that there was a larger app running on the server, each service interacting with a different component of the app.

I performed some initial checks on each of these ports and found an API running on port 8443:

I noted the attempt to authenticate a user referred to as 'system:anonymous', originally thinking these could be credentials to another component of the application.

Some directory scans on different ports also revealed the presence of /metrics at port 10249 and /version at port 8443. Other than that, I really couldn't find anything and admittedly I was at a loss for a short while.

This is where I realized I'm an actual moron and didn't think to research the in-use ports. xD A quick search for 'ports 8443, 10250' returns various pages referring to Kubernetes. I can't remember precisely what page I checked but Oracle provides a summary of the components of a Kubernetes deployment.

Now that I had an idea of what was being used on the server, I was in a good place to dig further into what was exploitable.

Seeing What's Accessible

Knowing absolutely nothing about Kubernetes, I spent quite a while researching it and common vulnerabilities found in Kubernetes deployments. Eduardo Baitello provides a very informative article on attacking Kubernetes through the Kubelet API at port 10250.

With help from this article, I discovered that I was able to view pods running on the server, in addition to being able to execute commands on the kube-proxy and nginx pods. The nginx pod is where you'll find the first flag. I also made note of the token I discovered here, in addition to the token from the kube-proxy pod (though this isn't needed):

After finding these tokens, I did discover that the default account had permissions to view pods running in the default namespace through the API running on port 8443 (/api/v1/namespaces/default/pods) but I had no awareness of how this could be exploited.

If I had known Kubernetes and the workings of their APIs, I would have instantly recognised that this is the endpoint used to also add new pods to Kubernetes, but I didn't! Due to this, I wasted more time than I care to admit trying other things such as mounting the host filesystem to one of the pods I can access and establishing a reverse shell to one of the pods.

I did initially look at how to create new pods too; honestly there's very little documentation on using the API on port 8443 directly. Every example I looked at used kubectl, a commandline tool for managing Kubernetes.

Exploitation (Finally!)

After a while of digging, I finally came across a Stack Overflow page on adding a pod through the API on port 8443.

Along with this, I found a usable YAML file from Raesene in an article on Kubernetes security. I then converted this from YAML to JSON and added the pod after some minor tweaks.

My first attempt at adding a pod was unsuccessful- the pod was added, but the containers section was showing as null

However, it didn't take me long to see that this was due to the image I had specified in the original YAML file. I simply copied the image specified in the nginx pod to my YAML file and ended up with the following:

I saved the json output to a file named new-pod2.json and added the second pod.

curl -k -v -X POST -H "Authorization: Bearer <nginx-token>" -H "Content-Type: application/json" https://steamcloud.htb:8443/api/v1/namespaces/default/pods [email protected]

This time, the pod was added successfully and I was able to access the host filesystem through 'le-host'

The Vulnerability

The main issue here that made exploitation possible was the ability to access the Kubelet API on port 10250 without authorization. This should not be possible. AquaSec provide a useful article on recommendations for Kubernetes security.

Conclusion

SteamCloud was a relatively easy machine to exploit; what was difficult was finding information on the Kubernetes APIs and how to perform certain actions. It is one of those that someone with experience in the in-use technologies would have rooted in a matter of minutes; for a noob like me, the process wasn't so straightforward, particularly with information on Kubernetes being a little difficult to find! I've only recently returned to hacking, however, which might have contributed to my potential lack of Google Fu here. ^-^

I very much enjoyed the experience, however, and feel I learned the fundamentals of testing a Kubernetes deployment which I can imagine will be useful at some point in my future!

Supermarket Together New Update Mid-November

Supermarket Together New Update Mid-November – Supermarket Together has just released a new update for mid-November 2024. This update brings exciting changes and improvements to make your gameplay smoother and more enjoyable. Whether you’re managing your store alone or with friends, these updates will enhance your experience. Let’s dive into the new features! Steam Cloud Saving System: A New…

Reblogging for teeny drow and beautiful art! Yay 🥰

I think Drizz’t is canonically 5'4" (1.62)

Mine is 5'7" (1.70) but his future hubby is Cal who I make 6'1" (1.85) so same energy.

(Don’t worry @meanbossart, DU drow is still the Best Thing Ever™ 😁)

I really need to rob a bank or something so I have money for a good commission of him.

@crowwolf I was thinking like a "paint me like one of your French girls" Ryldinn. It's something Cal would do.

We love our fun-sized murder twinks in this space.

When your soon-to-be husband is a (lore-accurately sized) drow

my computer took a shit for like 3 hours straight earlier today and now i'm having redownload so many things

the fact that I've had to start ff4 over like 5 separate times throughout my life is making me really dislike it.

"HOW YOU SEE YOURSELF" MEME

tagged by @eternalergo & @lurakha !!! ^_^

im so bad at shit like this LMFAOOO sorry its lookin so low effort i ... i did my best o7

the character is ardbert final fantasy if life was kind to me i would be 1:1 a copy of him irl ... the fashion says "i never dreamed that one day i'd become a grumpy old man but here i am killin' it" because thats the dream baby thats the goal im gonna wear that shirt ... the object is afhiri gremlin from jellycat @vorgoth got me for christmas last year <33 ... place is just a chalk stream in the uk hehe they are sooo lovely theyre the bestest ... i didnt include a jumping spider picture to be a mercy on those i tag but please imagine theres a very cute one there :( .... song would be mines (cloth) or mines (icicles) or volcano mines (molten jelly) or volcano mines (forgotten world) so i just picked the sdv ost in general LOL .... my job is gamer :) ........ for food i picked the ideal meal : turkey dinosaurs and an ultra pineapple monster SLKDFJSDF .. colour yellow ^_^ !! ....... ok i did it

idk if i did this right ^_^ hehe

tagging everyone who liked this post undercut :3c

@magmethius @minrathousrain @hatsune @alistairstheirins

@quendiviner @magicmissiled @heavenfelll @evkaivo

@azatas @arborstone @fields-of-rye @talizoraa

@kadefox @demonia @carlosoliveiraa @tunarath

@lusus--naturae @theoldwest @timothylawrence @vieille-femme-moisie

@full---ofstarlight @ottobooty @left4dead @covenscribe

@lovedu @astarionsdarling @wormskul @ratscrap @darkwehl

@andrwminward @ch3rrybomb @vanoefucks @charico

@prettyjellyfish @cavesallegory @rosenfey @velnat004

@panicbroadcast @jerichoes @mt07131 @censorship

@crysdrawsthings @hellionsheart @hiddenbeks @palladium-poisoned

@sadchtulhu @anakinsthesis @ikarons @fluffy-top

@deadrlngers @frootabooga @vampireposter @agapimenos

@asharaks @kdval @edgepunk @jeanstapleton

@luttare @pathogenic @drhu0806 @steamclouds

@estevnys @pawnguild @nerdferatum @agothorn

@demisaurus @xhinc @eloquentspeeches @fair-lead

@radioactive-synth @rcpunzel @commandermahariel @ehlnofaey

@heinrix @localbisexualgenius @thedeadthree @jurispotence

@esmecarmona @ritualslaughter @gojjosatoru @gothimp

@johnnystorm @vampireposter @celticwoman @golden-ailment

@moltara @barking @mikumoroll @shadowsofrose

@mnasthaii @fllagellant @manakhemia @numiidiium

@alexios @elphael @fjorrd @wendingswoods

@darthyolk @cuntservant @vyrantium

Oh my god this is comedy gold 😂😂🤣🤣 haha great fucking idea!

Somebody needs to pay Emma Gregory to say this as Minthara 😂

Love the drow club!

@steamclouds and I drew Voradras and Vierith, they got a congratulations t shirt for leaving Menzo…

Their bfs regretted that decision, …maybe?

*high pitched squeak*

Sooo, I want to know lore wise why did your Tav's let Volo do his surgery on your Tav. Like was it because they were desperate, curious or some other reason?

Please add a before and after picture of your Tav's eyes if you can!

Personally, Audhild is just a dumbass (Canonically has 8 Int)

She got into talking into Volo while her friends ( my friend's Tavs) was busy with the other companions. She was convinced it could work.

Well, she lost an one of her glow in the dark eyes. A friend hated it as they like how Audhild's eyes originally looked.

After everything though, Audhild still likes Volo because he's silly bard. (She is still unaware that Volo is not a bard)

@spellbooking @elspethdekarios @steamclouds @sorceresssundries I'm tagging you peeps because maybe you guys have a Tav victimized by Volo 😗

I commissioned the incredible @steamclouds to draw my Tav, Priyali, with her love Gale!! They both look so, so good! I especially love the detail of Priyali's hair. It's thrown me right back into that good BG3 brain rot, and all I can think about is Priyali and Gale's love story.

no one tagged me but this was too cute not to do...

(picrew)

Tav'Lyn and Astarion :)

tagging @silver-horse @communistfries @tadpole-apocalypse @mercymaker @bardic-inspo @mynthara @aira-besque @dolceaspidenera @phasebun @steamclouds anyone else i have missed!!

Thank you SO MUCH @steamclouds for this lovely drawing of Elspeth!!! 😍💓

Voradras for @steamclouds

Your honor, I am obsessed with him! Thanks for letting me draw him :) Happy Birthday again!

Also if you're not following @steamclouds go do it because her art is great <3

“i certainly love him. does he love me?”

let me know if you’d like to be tagged!

@belladonna413 @steamclouds

I don't really post my art but @steamclouds harassed me to post some sketches of my character in our Pathfinder campaign, Belladonna! Changeling sorceress, daughter of a Night Hag but born and raised by a human couple in the countryside of Taldor, she left a couple of years after her Calling not to join her biological mother, but to hunt her down. We'll see how her story goes <3

A Perfect Heart's Eve.

“Sounds like you had fun~” The argonian smiled as she saw the khajiit exit Uttering Hills Cave, now back in her original form. “You know me Sithek, I can be a right beast when I want to be~ “And I wouldn’t have it any other way Morgan~” The pair embraced each other, Sithek planning a bloody kiss upon Morgan’s muzzle, getting a purr from the slightly smaller female in response. “I’ll tell you one thing~” Morgan smiled wickedly at the vampire who gave a similar smile back. “What is that, my love~?” The lycanthrope placed a clawed hand under the chin of the argonian, burning amber eyes meeting feral yellow ones as she took in her mates white scales and mane of black feathers. “You know how to give a woman a perfect Heart’s Day~”

-----------

An absolutely gorgous commission done by @steamclouds featuring my argonian Sithek and @vorpalshadows's kahjiit Morgan.

Seriously, the amount of bang-for-your-buck you get with Steam is unreal, she's wonderful to work with and keeps you updated every step of the way. Go buy her art!

Link to the full story

https://www.furaffinity.net/view/45956385/

https://www.deviantart.com/dragon-fang2/art/A-Perfect-Heart-s-Day-907002703

Magic by the River

A little compilation of Voradras @steamclouds ‘s lovely oc 💜