- Added a feature to display the values of stored service account tokens
- Added a verbose (-v) flag to display additional DEBUG messages.
- Updated upstream libraries to handle vulnerabilities found in dependencies: CVE-2023-39325, CVE-2023-44487, CVE-2023-3978
- Added cloud provider detection from @devsecfranklin
- Bump gopkg.in/yaml.v3 to avoid DoS risk on filesystem
- Added a function to get eth0 IP addr and put in banner
- Parse the current pod's service account name from its JWT
- Cleaned up menu formatting
- Added a second variation of kubectl-try-all that tries a command as every service account collected, no longer stopping on the first success. (Idea from @Malachi-the-Ninja)
- Added image building and K8S deployment functions from @devsecfranklin
- Improved error handling on CoreDNS wildcard trick
- Added another kubelet kubeconfig file path and handled errors better
- Added a credits.md file and added a developer to it: @devsecfranklin
- fixed kubelet cert/key pulling code to handle kubelet kubeconfig files with embedded user cert/key pairs
- updated kubeconfig file parsing to parse via the YAML library, which is much more resilient
- Updated recovering service account tokens from the node filesystem to handle the ServiceAccount admission controller
- Beta feature: one-shot (non-interactive) menu items work, but are under-documented in the UI.
- New feature (GA): harvest secrets from the node filesystem is now available on-menu and -m one-shot
- Alpha feature: one-shot (non-interactive) menu items work, but are under-documented in the UI.
- New feature (GA): service discovery via CoreDNS wildcard SRV request using methodology posted by @raesene
- Alpha feature: allows you to run menu items from the command-line in a one-shot method, to allow scripting
- added feature to better name secrets found on node using the pod's etc-hosts file
- we now avoid adding duplicate service accounts from the kubelet secret gathering
- shell command takes multiple commands
- refactored curl feature
- made a bugfix to using node certs
- added quick commands for switching service accounts and namespace, without having to navigate submenus
- bugfix - kubectl logic had dropped namespace context
- added a kubectl-try-all feature - tries every service account and client cert that Peirates has gathered until it finds one that can do the command.
- execute shell commands from the main menu via "shell [args]"
- execute kubectl commands from the menu via "kubectl [args]"
- kubectl no longer locks you to namespace context - can be overridden with -n or --all-namespaces
- Peirates can now be run outside of a pod.
- Peirates automatically gathers kubelet cert/key pairs from the node filesystem
- Peirates automatically gathers pods secrets from the node filesystem
- Peirates now uses kubelet certs if run on a node
- -u (API Server URL) replaces -i (IP address/name of API server) and -p (port of API server)
- Peirates does not require an API server to be specified to start, only to run relevant commands.
- Updated GCP metadata API token parsing for Google's change
- Added JWT parsing
- Simple TCP portscan functionality
- Many changes to appease the linter.
- Precompiled regexps to appease the linter; this also speeds things up a tiny bit.
- Namespace switching checks inputs better.
- More inputs trim whitespace.
- adds an AWS version of the kops state bucket attack
- This also refactors some of our AWS code.
- You can now toggle whether Peirates checks that each action is permitted by RBAC before doing it.
- Added sub-menu item prose in addition to numbers.
- adds custom headers to curl and IP address discovery for hostPath mounting trick
- Bugfix release - curl had been crashing when HTTP/s requests had no parameters.
- This version adds a curl-style feature, such that the user can make arbitrary GET and POST requests.
- This release adds non-numeric aliases for menu items and makes a few code-cleanups.
- Added AWS S3 bucket list and content list capabilities
- Added error fall through to the injection into other pods, making this more beautiful.
- Updated version number and cleaned up print statements.
- Implemented the insert-peirates-into-another-pod - more coming.
- Changed a path for service accounts mounted into pods from /run/secrets/... to /var/run/secrets/...
- This release adds a flexible kubectl menu item, allowing you to use the service account tokens you've acquired flexibly to perform actions that don't yet have menu items.
- Refactored URL requests and JSON parsing
- Allowed for long-running kube-exec commands by exempting them from the timers
- In this release, we've adjusted the service account token-gathering functions to store the tokens automatically for re-use
- Added ability to switch to a service account at the time you enter it.
- Minor UI changes.
- Final "Break Glass" release for demos
- This release adds credential theft via GCS, refactors the menu and is the current pre-conference "break glass" release, having received testing at thoroughness level 4/5.
- Auth checks added to avoid crashes when requested action isn't allowed
- Reverse TCP shell added