Island Orchestration
https://tryhackme.com/room/islandorchestration
Flag
We start with basic nmap enumeration:
nmap -sS --min-rate 5000 -p- --open -vvv -n -Pn IP

We discovered three open ports. Now let's get a more detailed scan of those ports.

We know port 8443 belongs to a Kubernetes service, and we can see in the scan that we don't have permission to access the API.

Let's try port 80.

We see there's a simple website, but if we look around we can easily find an LFI vulnerability in the "page" parameter.

Knowing there's an LFI vulnerability and that we don't have access to the Kubernetes API, we're now going to try to find a token or cert we can use to retrieve the info we need.
We know the usual file for the token is the following one:
/var/run/secrets/kubernetes.io/serviceaccount/token
So let's check.

We got the token. If we decode it, we find useful information.

Now that we have the token, we can keep enumerating:

The secrets file seems like a good place to hide a flag. Let's see what's inside.
curl -v -H "Authorization: Bearer $TOKEN" https://10.10.236.232:8443/api/v1/namespaces/default/secrets/ -k

We found it. Now the only thing we have to do is decode it.
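
The two decoding steps above (the service account token and the values returned by the secrets endpoint), as an added Python example that is not part of the original write-up. The token, the names and the secret value are constructed placeholders, and the claim names assume a legacy-style service account token.

```python
import base64
import json


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url JWT segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def token_claims(token: str) -> dict:
    """Return the payload claims of a JWT without verifying its signature."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(b64url_decode(parts[1]))


def decode_secret_list(body: str) -> dict:
    """Map secret name -> {key: decoded value} for a SecretList JSON body."""
    decoded = {}
    for item in json.loads(body).get("items", []):
        data = item.get("data") or {}  # "data" may be absent or null
        decoded[item["metadata"]["name"]] = {
            key: base64.b64decode(value).decode("utf-8", "replace")
            for key, value in data.items()
        }
    return decoded


def _segment(obj: dict) -> str:  # builds the constructed sample token only
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()


# Constructed sample data: placeholder names and values, not from the room.
SAMPLE_TOKEN = ".".join([
    _segment({"alg": "RS256", "typ": "JWT"}),
    _segment({
        "kubernetes.io/serviceaccount/namespace": "default",
        "kubernetes.io/serviceaccount/service-account.name": "example-sa",
        "sub": "system:serviceaccount:default:example-sa",
    }),
    "constructed-signature",
])
SAMPLE_BODY = json.dumps({"kind": "SecretList", "items": [{
    "metadata": {"name": "example-secret"},
    "data": {"flag": base64.b64encode(b"constructed-placeholder").decode()},
}]})

if __name__ == "__main__":
    print(token_claims(SAMPLE_TOKEN), decode_secret_list(SAMPLE_BODY), sep="\n")
```

The `sub` claim names the service account the token belongs to, which is the subject to look up in the cluster's RBAC bindings when working out why the secrets listing was allowed.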
