K8s Runtime Security TryHackMe Walkthrough | Writeup | — SuNnY

Sunny Singh Verma
10 min read · Sep 16, 2024


Introduction :

This Kubernetes security room focuses on runtime security, a critical aspect for DevSecOps engineers. While setting up a secure cluster is important, vulnerabilities and attacks can still occur at runtime. You’ll learn how to detect and defend against threats that emerge after your containerized application is running.

Kudos to the Room Creators :

Room Type :

Free Room
Anyone can deploy virtual machines in the room (without being subscribed)!

Room Objectives :

A Total of 8 Tasks including one practical Module

Let’s Begin !

Task 1 : Introduction

This Kubernetes security room focuses on the critical aspect of runtime security for containerized applications in Kubernetes clusters. As a DevSecOps engineer, securing the environment and configuring the cluster according to best practices is essential, but threats can still arise after applications are running. This room emphasizes the importance of protecting against runtime vulnerabilities, including zero-day threats and privilege escalation attempts. You’ll learn about runtime security solutions, their implementation, and how to detect potential threats even after your cluster is up and running. The goal is to ensure that your Kubernetes environment remains secure, even against emerging threats.

It’s worth giving Task 1’s module a proper read before moving on.

Task 2: Kubernetes Auditing

This section introduces Kubernetes’ limited built-in tools for runtime security, focusing on Kubernetes Auditing. It describes a scenario where unauthorized changes to a pod’s image go undetected through standard logs and events. Kubernetes Auditing captures crucial details, such as who made the changes and when, providing essential visibility for runtime security.

Task 2— Question 1 : In which request stage will the response headers have been sent out but not the response body?

Kubernetes generates audit events at up to four stages: RequestReceived, ResponseStarted, ResponseComplete and Panic. The answer is ResponseStarted, the stage reached once the response headers have been sent but before the response body; it is only generated for long-running requests such as watch. The stage list is shown in the snippet from the Task 2 module.

Task 2— Question 2 : Which level will capture the most data?

The RequestResponse level will capture the most data. It logs the request metadata, request body, and response body, providing the most detailed audit information in Kubernetes.

Task 2— Question 3: What field must be contained in an audit policy for it to be valid?

The “rules” field must be present for an audit policy to be valid; a policy file with no rules is rejected by the API server. Each rule sets the audit level for the requests it matches, and the rules are evaluated in top-down order: the first matching rule determines the level of the event, so the order of the rules matters.

Task 2— Question 4: At what level is it recommended to log sensitive resources (like secrets)?

For sensitive resources like secrets, it is recommended to log at the Metadata level. This ensures that only the request metadata (such as who made the request and when) is logged, without exposing the sensitive data contained in the request body or response.
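The following is an added example written for this writeup; it is not code from the room or from the Kubernetes project. It simulates how the API server picks an audit level from a policy (first matching rule wins) and shows why the Metadata rule for secrets has to sit above a broad RequestResponse rule. The policy shape mirrors audit.k8s.io/v1, but only the level, verbs, namespaces and resources selectors are modelled, and the sample requests are constructed.

```python
"""Added example (not from the TryHackMe room or Kubernetes): audit-level
selection as the kube-apiserver does it. Rules are checked top-down and the
FIRST match wins, so rule order decides whether secret bodies get logged."""

# Audit levels in increasing order of captured detail.
LEVELS = ["None", "Metadata", "Request", "RequestResponse"]

# Policy shaped like audit.k8s.io/v1 Policy; `rules` is the mandatory field.
SAFE_POLICY = {
    "apiVersion": "audit.k8s.io/v1",
    "kind": "Policy",
    "rules": [
        # Sensitive resources first: metadata only, never the body.
        {"level": "Metadata",
         "resources": [{"group": "", "resources": ["secrets", "configmaps"]}]},
        # Everything else at full detail.
        {"level": "RequestResponse"},
    ],
}

# Same two rules, wrong order: the catch-all matches first, the secrets
# rule is never reached, and secret payloads land in the audit log.
LEAKY_POLICY = {
    "apiVersion": "audit.k8s.io/v1",
    "kind": "Policy",
    "rules": [
        {"level": "RequestResponse"},
        {"level": "Metadata",
         "resources": [{"group": "", "resources": ["secrets", "configmaps"]}]},
    ],
}

def rule_matches(rule, request):
    """True when every selector present in the rule matches the request."""
    if "verbs" in rule and request["verb"] not in rule["verbs"]:
        return False
    if "namespaces" in rule and request.get("namespace") not in rule["namespaces"]:
        return False
    if "resources" in rule:
        hit = False
        for group_rule in rule["resources"]:
            if group_rule.get("group", "") != request.get("group", ""):
                continue
            # A group entry without `resources` means every resource in the group.
            if "resources" not in group_rule or request["resource"] in group_rule["resources"]:
                hit = True
        if not hit:
            return False
    return True

def audit_level(policy, request):
    """First matching rule sets the level; an empty/missing rules list is invalid."""
    rules = policy.get("rules")
    if not rules:
        raise ValueError("audit policy must contain a non-empty 'rules' field")
    for rule in rules:
        if rule_matches(rule, request):
            return rule["level"]
    return "None"  # no rule matched: the request is not logged

def logs_body(level):
    """Request/response bodies are captured only at Request or RequestResponse."""
    return LEVELS.index(level) >= LEVELS.index("Request")

# Constructed sample requests (not real audit events).
GET_SECRET = {"verb": "get", "group": "", "resource": "secrets", "namespace": "prod"}
PATCH_POD = {"verb": "patch", "group": "", "resource": "pods", "namespace": "prod"}

if __name__ == "__main__":
    for name, policy in (("safe", SAFE_POLICY), ("leaky", LEAKY_POLICY)):
        level = audit_level(policy, GET_SECRET)
        print(f"{name}: get secrets -> {level}, body logged: {logs_body(level)}")
```

Run it and the leaky policy logs the secret at RequestResponse while the safe one stays at Metadata; the only difference is the order of two rules.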

Task 2 Completed !

Task 3 : Runtime Security & K8s

Task 3 — Question 1 : What percentage of containers live less than 5 minutes in 2024 according to the annual report provided in this task?

According to Sysdig’s 2024 “Cloud-Native Security and Usage Report,” 70% of containers live less than 5 minutes.

Task 3 — Question 2 : What security concept, covered in this task, is a communication that takes place between a running process and the kernel?

The security concept covered in this task is system calls (syscalls). System calls are communications that take place between a running process and the kernel, allowing processes to request services such as file operations, network access, and process management. Monitoring syscalls is crucial for detecting suspicious activity in a runtime environment.

Task 3 Question 3 : Which security runtime enforcement tool works by filtering system calls, only allowing processes to perform certain calls to already open file descriptors?

The tool is Seccomp (Secure Computing Mode). In its original strict mode a process may only call read, write, _exit and sigreturn, so it can do I/O on file descriptors it already has open and nothing else. The filter mode (seccomp-bpf) used by container runtimes, and exposed in Kubernetes through a pod’s seccompProfile, lets you allow-list an arbitrary set of system calls, shrinking the kernel attack surface a compromised container can reach.

Task 3 also done !

Task 4 : Falco

Task 4 — Question 1 : Falco can gain deep visibility into a Kubernetes runtime environment by analysing events from various sources. Which source (covered in a previous task) is available in Kubernetes?

Falco gains deep visibility into a Kubernetes runtime environment by analyzing Kubernetes audit logs (covered in Task 2), which it ingests through its k8saudit plugin alongside the syscall stream from its kernel driver. Audit logs record API server activity, including who read or changed which resource and when, which complements the syscall view when detecting and monitoring security events.

Task 4 — Question 2 : What allows user programs to run securely in a protected environment within the kernel space?

eBPF (extended Berkeley Packet Filter) allows user programs to run securely in a protected environment within the kernel space. eBPF provides a way to run custom programs in response to various events within the kernel, enabling powerful monitoring and security capabilities without modifying the kernel code directly.

Task 4 Question 3 : Enriched events are compared against _____, which can either be included by default or user-defined.

Enriched events are compared against rules, which can either be included by default or user-defined. These rules determine how the events are evaluated and what actions should be taken based on specific conditions.

Task 4 is now complete !

Task 5 : Falco in Action

Task 5 — Question 1 : When defining a Falco rule condition, what snippet could be used to match bash processes?

In Falco, rules are used to detect suspicious or anomalous behavior by monitoring system calls and events. The snippet proc.name = bash is part of a rule’s condition and is designed to match any process where the name is “bash.”

  • proc.name: This field refers to the name of the process that is currently running. In this case, we are focusing on processes that have “bash” as the executable.
  • bash: This is the actual process name you’re looking for. Bash is a commonly used shell on Linux systems, and by specifying this, you can detect when a bash shell is launched.

This condition will help you monitor instances where bash processes are started, which could be relevant if you’re concerned about shell-based attacks or suspicious usage of bash in your environment.

proc.name = bash

Task 5 — Question 2 : What can be used to reference a collection of items in a condition?

In Falco, a collection of items is referenced in a condition with a list. A list is defined once at the top level of a rules file and then referenced by name with the in operator; Falco expands the name into its members when it loads the rules, and a list may itself include other lists. This keeps conditions short when the same set of names (for example, shell binaries) is needed in several rules.

Task 5 — Question 3 : What can be used to abbreviate conditions which are frequently used?

In Falco, macros are used to abbreviate frequently used conditions. A macro is a reusable, named condition that can simplify rules by allowing you to reference complex or repetitive logic with a single identifier. This makes your rules more readable and easier to maintain.
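To make the three answers above concrete (a process-name match, a list referenced with in, and a macro standing in for a repeated condition), here is an added example written for this writeup. It is not Falco’s code and not from the room: it implements a small subset of Falco’s condition language and shows how list names are expanded and macro names substituted before an event is matched. The list and macro names, the rule condition and the events are all constructed.

```python
"""Added example, not from the TryHackMe room or the Falco project: evaluate a
subset of Falco conditions (=, !=, in, and, or, not, parentheses) with list
expansion and macro substitution. Names, rule and events are constructed."""
import re

# Constructed lists and macros, in the shape of falco_rules.yaml entries.
LISTS = {
    "shell_binaries": ["bash", "sh", "zsh", "ash"],
    "allowed_shell_parents": ["sshd", "login"],
}
MACROS = {
    "container": "container.id != host",
    "spawned_process": "evt.type = execve and evt.dir = <",
    "shell_procs": "proc.name in (shell_binaries)",
}
RULE_CONDITION = ("spawned_process and container and shell_procs "
                  "and not proc.pname in (allowed_shell_parents)")

TOKEN = re.compile(r'\(|\)|,|!=|=|"[^"]*"|[^\s(),]+')

def tokenize(condition):
    return TOKEN.findall(condition)

def expand_list(items, depth=0):
    """Replace list names by their members; lists may reference other lists."""
    if depth > 16:
        raise ValueError("list nesting too deep (cycle?)")
    out = []
    for item in items:
        if item in LISTS:
            out.extend(expand_list(LISTS[item], depth + 1))
        else:
            out.append(item.strip('"'))
    return out

class Parser:
    """Recursive descent producing a matcher (event dict -> bool).
    Precedence, tightest first: not, and, or."""
    def __init__(self, tokens, depth=0):
        self.tokens, self.pos, self.depth = tokens, 0, depth

    def peek(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None

    def take(self, expected=None):
        tok = self.peek()
        if tok is None or (expected is not None and tok != expected):
            raise ValueError(f"expected {expected!r}, got {tok!r}")
        self.pos += 1
        return tok

    def parse(self):
        matcher = self.expr()
        if self.peek() is not None:
            raise ValueError(f"unexpected token {self.peek()!r}")
        return matcher

    def expr(self):  # expr := term ('or' term)*
        left = self.term()
        while self.peek() == "or":
            self.take()
            left = (lambda l, r: lambda ev: l(ev) or r(ev))(left, self.term())
        return left

    def term(self):  # term := factor ('and' factor)*
        left = self.factor()
        while self.peek() == "and":
            self.take()
            left = (lambda l, r: lambda ev: l(ev) and r(ev))(left, self.factor())
        return left

    def factor(self):
        tok = self.peek()
        if tok == "not":
            self.take()
            inner = self.factor()
            return lambda ev: not inner(ev)
        if tok == "(":
            self.take()
            inner = self.expr()
            self.take(")")
            return inner
        if tok in MACROS:  # macro: parse its condition in place of the name
            self.take()
            if self.depth > 16:
                raise ValueError("macro nesting too deep (cycle?)")
            return Parser(tokenize(MACROS[tok]), self.depth + 1).parse()
        return self.comparison()

    def comparison(self):  # field (= v | != v | in (v, ...))
        field, op = self.take(), self.take()
        if op == "in":
            self.take("(")
            items = [self.take()]
            while self.peek() == ",":
                self.take()
                items.append(self.take())
            self.take(")")
            members = set(expand_list(items))
            return lambda ev: ev.get(field) in members
        value = self.take().strip('"')
        if op == "=":
            return lambda ev: ev.get(field) == value
        if op == "!=":
            return lambda ev: ev.get(field) != value
        raise ValueError(f"unsupported operator {op!r}")

def compile_condition(condition):
    return Parser(tokenize(condition)).parse()

# Constructed events with flattened Falco field names (not real captures).
EVENTS = [
    {"evt.type": "execve", "evt.dir": "<", "proc.name": "bash", "proc.pname": "python3", "container.id": "3a1fb7c2d9e0"},
    {"evt.type": "execve", "evt.dir": "<", "proc.name": "bash", "proc.pname": "sshd", "container.id": "host"},
    {"evt.type": "execve", "evt.dir": "<", "proc.name": "nginx", "proc.pname": "containerd-shim", "container.id": "3a1fb7c2d9e0"},
    {"evt.type": "openat", "evt.dir": "<", "proc.name": "bash", "proc.pname": "python3", "container.id": "3a1fb7c2d9e0"},
]

def alerting_events(events, condition=RULE_CONDITION):
    """Indexes of the events that satisfy the rule condition."""
    match = compile_condition(condition)
    return [i for i, ev in enumerate(events) if match(ev)]

if __name__ == "__main__":
    print("alerts on events:", alerting_events(EVENTS))
```

Only the first event fires: a shell exec’d inside a container by something other than the allow-listed parents. The ssh shell on the node fails the container macro, nginx is not in the shell list, and the openat event is not an exec at all. Real Falco supports many more operators and fields, but the expansion order (lists inside in, macros in place of a name) is the same.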

Task 5 done !

Task 6 : Event Monitoring

Task 6 — Question 1 : Which tool covered in this task can be used as a visualisation layer and allows collected data to be visualised as charts and graphs?

Grafana is an excellent tool for visualizing collected data as charts and graphs. It provides powerful and flexible dashboards that can display data from various sources, including Prometheus, Elasticsearch, and others. Grafana is widely used for monitoring and analyzing data in real-time, making it a great choice for visualizing complex datasets.

Task 6 — Question 2 : Which tool covered in this task collects and stores time series data?

The tool that collects and stores time series data is Prometheus. Prometheus is an open-source monitoring and alerting toolkit designed for reliability and scalability. It is specifically built for collecting, storing, and querying time series data, which makes it ideal for monitoring metrics and performance data over time. Prometheus supports a powerful query language called PromQL and integrates well with visualization tools like Grafana.

Task 6 — Question 3 : Which tool covered in this task is a companion project that can act as a forwarder for Falco?

The companion project that acts as a forwarder for Falco is Falcosidekick. Falcosidekick is an open-source tool that can receive events from Falco and forward them to various destinations such as Slack, Discord, or webhooks. It helps in integrating Falco alerts with different notification and logging systems, making it easier to manage and respond to security events.

Task 6 is now Complete !

Task 7 : Practical

The final task is a practical one, and it’s worth giving the whole module a quick read before proceeding.

Task 7 — Question 1 : What is the Base64 Encoded Custom Rule?

First we need to open the terminal on the attacker box and start Minikube:

minikube start

It takes a couple of minutes for Minikube to start.

Next up : Let’s find the running Falco pods by using this command →

kubectl get pods

We find two running pods with the above command →

falco-j52gm
k8s-labs-deployment-5c655669dc-tp8tb

The command below opens an interactive shell session (/bin/sh) in the Falco pod, which lets you run commands inside that container:

kubectl exec falco-pod-name -it -- /bin/sh

Replacing falco-pod-name with falco-j52gm (the pod name we found above):

kubectl exec falco-j52gm -it -- /bin/sh

Spawning a shell in a container is exactly the kind of event Falco’s default rules alert on, so exit the shell and, back on the attacker box, search the Falco pod’s logs for that alert:

kubectl logs falco-pod-name | grep shell
kubectl logs falco-j52gm | grep shell

Next Step :

cd ~/Documents/falcoctl-local

Listing the directory with ls shows two files; default_values.yaml looks interesting.

Next, open the default_values.yaml we found in vi:

vi default_values.yaml

The Base64 that answers the question is produced from that file. Make sure you are still in ~/Documents/falcoctl-local and run:

sed -n '439,449p' default_values.yaml | base64 -w 0

sed -n '439,449p' prints only lines 439 to 449 (the custom rule block) and base64 -w 0 encodes them as a single unwrapped line. The -w 0 matters: the same string is used as a passphrase in the next question, and a wrapped output would contain newlines that break it.

The output is the Base64 string that answers Task 7 Question 1 →

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

Task 7 Question 2 : What is the THM flag value?

Using the command below, with <file-name-here> replaced by the encrypted file and the passphrase replaced by the Base64 string from Question 1, we can recover the flag →

sudo openssl enc -aes-256-cbc -d -in <file-name-here> -out flag.txt -pass pass:"base64-signature-goes-here"

Answer

THM{th3_c4k3_1s_a_l13}

We are done with the Task 7 now

Task 8 : Conclusion

By completing all the tasks above we have successfully finished the room !

Room Pwned !! Congratulations !!

Hope you enjoyed this room as much as I did.

If you want the latest TryHackMe writeups delivered, follow me on Medium and also hit notify via email.

Let’s Connect on Linkedin → https://linkedin.com/in/sunnysinghverma

You can also add me Respect on Hack The Box if you want; I would really appreciate it :)

https://app.hackthebox.com/users/1585635

My TryHackMe Profile Page →

https://tryhackme.com/p/SuNnY

If you did, you can add a clap to this article to let me know, and if you loved it you can click the clap icon up to 50 times, which will make my day 🤗
You can also follow me on Medium to get more articles about CTFs and cybersecurity in the near future, but don’t forget to hit the email notification icon right next to the follow button.

Thank you !
SuNnY



Sunny Singh Verma

Blogger & Cyber Security Enthusiast || TryHackMe Wall of Fame - in Top 50 Ethical Hackers Worldwide || HTB-Elite Hacker || Follow for Cyber World & CTF updates!