🐳 Kubernetes Container Escape Investigation
⚠️ DISCLAIMER: This is a synthetic training scenario. All data, IPs, domains, CVEs, and IOCs are fictional and created for educational purposes only.
📋 Scenario
Company: CloudNative Corp (Fictional)
Alert: Runtime security tool detected suspicious activity in production Kubernetes cluster - potential container breakout attempt using VULN-2025-K8S-9001
Impact: If successful, attacker gains root access to host node
🎯 Your Mission
- Analyze the attack chain from initial access to container escape
- Identify exploited vulnerabilities and misconfigurations
- Map attacker tactics to MITRE ATT&CK for Containers
- Understand the complete timeline of the attack
🌐 Environment (Synthetic)
- Kubernetes Version: v1.28.4
- Container Runtime: runc 1.1.x (hypothetically vulnerable)
- Compromised Pod: web-frontend-7d8f6b9c4-x9k2m
- Host Node: worker-node-03 (10.244.1.15)
⚔️ Attack Chain
📊 Evidence Analysis (Synthetic Data)
2025-11-25T08:15:42Z [INFO] HTTP Request from 203.0.113.45
2025-11-25T08:15:43Z [WARN] Suspicious payload in query
2025-11-25T08:15:44Z [ERROR] Command injection detected
2025-11-25T08:15:45Z [CRIT] Reverse shell established
2025-11-25T08:15:50Z [CRIT] Container user escalated to root
2025-11-25T08:15:55Z [CRIT] Write to /proc/self/exe symlink
2025-11-25T08:16:00Z [ALERT] Breakout detected
08:15:45 Notice Shell spawned in container
08:15:52 Warning Sensitive file read /proc/self/mountinfo
08:15:55 Critical Write below /proc/
08:16:01 Critical Container privilege escalation CAP_SYS_ADMIN
08:16:05 Critical K8S API access from container
systemd (PID 1) [HOST]
├─ containerd (PID 1542)
│  └─ runc (PID 8945) [CONTAINER]
│     └─ bash (PID 8950) - REVERSE SHELL
│        ├─ exploit.sh (PID 9023)
│        │  ├─ mount --bind /host /mnt
│        │  └─ chroot /mnt /bin/bash [ESCAPE]
[CONTAINER] /tmp/.exploit/exploit.sh - Container escape PoC
[SUSPICIOUS MOUNTS] /dev/null -> /proc/sys maskedPaths bypass
[HOST ACCESS] /etc/shadow - ACCESSED
[HOST ACCESS] /root/.kube/config - STOLEN
08:15:43 203.0.113.45:4444 -> 10.244.1.15 [SYN] Reverse shell
08:16:10 test-c2.example:443 C2 communication
08:16:15 k8s-apiserver:6443 GET /api/v1/secrets
08:16:20 SSH lateral movement attempt
08:16:25 Data exfiltration 2.4 MB
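The evidence above comes from two sources with different timestamp formats (the application log carries full ISO dates, the runtime tool only wall-clock time). The following is an added example, not part of the scenario page: it parses both sources, merges them into one timeline, tags events with the ATT&CK technique IDs the scenario's own timeline uses, and flags the escape chain only when the runtime alerts appear in order within a short window. The log text is copied from the synthetic evidence above; the stage ordering, the five-minute window, and the keyword-to-technique mapping are assumptions of this example.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed input: the application log and runtime-security alerts copied
# from the scenario's synthetic evidence (no real systems involved).
APP_LOG = """\
2025-11-25T08:15:42Z [INFO] HTTP Request from 203.0.113.45
2025-11-25T08:15:43Z [WARN] Suspicious payload in query
2025-11-25T08:15:44Z [ERROR] Command injection detected
2025-11-25T08:15:45Z [CRIT] Reverse shell established
2025-11-25T08:15:50Z [CRIT] Container user escalated to root
2025-11-25T08:15:55Z [CRIT] Write to /proc/self/exe symlink
2025-11-25T08:16:00Z [ALERT] Breakout detected
"""
RUNTIME_ALERTS = """\
08:15:45 Notice Shell spawned in container
08:15:52 Warning Sensitive file read /proc/self/mountinfo
08:15:55 Critical Write below /proc/
08:16:01 Critical Container privilege escalation CAP_SYS_ADMIN
08:16:05 Critical K8S API access from container
"""

APP_RE = re.compile(r"^(\S+Z) \[(\w+)\] (.+)$")
RUNTIME_RE = re.compile(r"^(\d\d:\d\d:\d\d) (\w+) (.+)$")
# The runtime tool logs only wall-clock time; the date is taken from the app log.
SCENARIO_DAY = datetime(2025, 11, 25, tzinfo=timezone.utc)

# Technique IDs as the scenario's timeline assigns them; the keyword matching
# is an assumption of this example.
TECHNIQUE_KEYWORDS = [
    ("Command injection", "T1190"),
    ("Reverse shell", "T1059"),
    ("Write below /proc/", "T1611"),
    ("CAP_SYS_ADMIN", "T1611"),
    ("K8S API access", "T1552"),
]

def technique_for(message):
    """Return the ATT&CK technique ID for an alert message, or None."""
    for keyword, technique in TECHNIQUE_KEYWORDS:
        if keyword in message:
            return technique
    return None

def parse_app_log(text):
    """Parse 'ISO-timestamp [LEVEL] message' lines into (ts, source, level, msg)."""
    events = []
    for line in text.splitlines():
        m = APP_RE.match(line)
        if not m:
            continue  # skip lines that do not follow the log format
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((ts, "app", m.group(2), m.group(3)))
    return events

def parse_runtime_alerts(text, day=SCENARIO_DAY):
    """Parse 'HH:MM:SS Severity message' lines, anchoring them to `day`."""
    events = []
    for line in text.splitlines():
        m = RUNTIME_RE.match(line)
        if not m:
            continue
        hour, minute, second = (int(x) for x in m.group(1).split(":"))
        ts = day.replace(hour=hour, minute=minute, second=second)
        events.append((ts, "runtime", m.group(2), m.group(3)))
    return events

def build_timeline(*sources):
    """Merge event lists from several sources into one chronological list."""
    return sorted((e for src in sources for e in src), key=lambda e: e[0])

# Escape-chain stages in the order they appear in the scenario's runtime alerts
# (assumed ordering for this example).
ESCAPE_STAGES = [
    ("shell", "Shell spawned"),
    ("proc_write", "Write below /proc/"),
    ("cap_sys_admin", "CAP_SYS_ADMIN"),
    ("api_access", "K8S API access"),
]

def detect_escape_chain(timeline, window=timedelta(minutes=5)):
    """Return [(stage, ts), ...] when every stage occurs in order within `window`,
    otherwise []. A lone 'Write below /proc/' alert does not fire by itself."""
    matched, idx = [], 0
    for ts, _source, _severity, message in timeline:
        if idx < len(ESCAPE_STAGES) and ESCAPE_STAGES[idx][1] in message:
            matched.append((ESCAPE_STAGES[idx][0], ts))
            idx += 1
    if idx == len(ESCAPE_STAGES) and matched[-1][1] - matched[0][1] <= window:
        return matched
    return []

if __name__ == "__main__":
    timeline = build_timeline(parse_app_log(APP_LOG), parse_runtime_alerts(RUNTIME_ALERTS))
    for ts, source, severity, message in timeline:
        print(f"{ts:%H:%M:%S} {source:7} {severity:8} {technique_for(message) or '-':6} {message}")
    chain = detect_escape_chain(timeline)
    print("escape chain:", [stage for stage, _ in chain] if chain else "not detected")
```

Requiring the stages in order within a window is what keeps a single "Write below /proc/" alert (which some legitimate init containers trigger) from paging anyone; in this scenario all four stages land within twenty seconds, which is the signal an analyst should be escalating on.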
📝 Investigation Tasks
Task 1 — Initial Access Vector
T1190: What vulnerability allowed code execution?
Task 2 — Privilege Analysis
T1611: Select ALL misconfigurations enabling escape:
Task 3 — Exploit Mechanism
T1611.001: Explain the maskedPaths bypass:
Include: maskedPaths, /dev/null, symlink, race condition, bind mount
Task 4 — Post-Exploitation
T1552.007: Select all post-exploitation actions:
Task 5 — MITRE ATT&CK Mapping
Containers Matrix: Map attack phases to techniques:
🎯 Attack Analysis & Mitigation
📅 Timeline
08:15:42 - Initial Access (T1190)
RCE via command injection in web app query parameter
08:15:45 - Shell Establishment (T1059)
Reverse shell to 203.0.113.45:4444
08:15:55 - Container Escape (T1611)
Exploited VULN-2025-K8S-9001 maskedPaths bypass with CAP_SYS_ADMIN
08:16:05 - Host Compromise (T1552, T1021)
Credential theft, API enumeration, lateral movement, data exfiltration
🛡️ Mitigation Strategy
🚨 Immediate (0-24h)
- Isolate compromised pod/node
- Rotate all tokens cluster-wide
- Patch RCE vulnerability
- Block attacker IP
⚡ Short-term (1-7 days)
- Upgrade runc to 1.2.0+
- Remove CAP_SYS_ADMIN
- Enable Pod Security Standards
- Deploy Falco runtime security
🏗️ Long-term (1-3 months)
- User namespace isolation
- Zero-trust networking
- Automated security scanning
- Security awareness training
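The short- and long-term items above (remove CAP_SYS_ADMIN, enable Pod Security Standards, user namespace isolation) can be turned into a pre-deployment check. The following is an added example, not part of the scenario page: it audits a pod manifest against the Pod Security Standards "restricted" profile rules plus the page's own recommendations, and shows the scenario's weak pod beside a hardened version. Both manifests are constructed for this example; the check list is an assumption assembled from those rules, and `spec.hostUsers: false` (the user-namespace request) only takes effect on clusters where the UserNamespacesSupport feature gate is on.

```python
# Audit a Kubernetes pod manifest (as a dict, e.g. loaded from YAML) for the
# settings that enabled the scenario's escape. Added example; the rule list is
# an assumption built from the PSS "restricted" profile and the page's mitigations.

# Constructed manifest mirroring the compromised web-frontend pod: SYS_ADMIN added,
# /dev/null bind-mounted over /proc/sys (the maskedPaths bypass), no PSS settings.
WEAK_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "web-frontend", "namespace": "prod"},
    "spec": {
        "containers": [{
            "name": "web", "image": "example/web-frontend:1.0",
            "securityContext": {
                "capabilities": {"add": ["SYS_ADMIN"]},
                "allowPrivilegeEscalation": True,
            },
            "volumeMounts": [{"name": "devnull", "mountPath": "/proc/sys"}],
        }],
        "volumes": [{"name": "devnull", "hostPath": {"path": "/dev/null"}}],
    },
}

# Constructed hardened version of the same pod.
HARDENED_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "web-frontend", "namespace": "prod"},
    "spec": {
        "hostUsers": False,  # run in a user namespace (needs the feature gate on older clusters)
        "securityContext": {"runAsNonRoot": True, "seccompProfile": {"type": "RuntimeDefault"}},
        "containers": [{
            "name": "web", "image": "example/web-frontend:1.0",
            "securityContext": {
                "allowPrivilegeEscalation": False,
                "capabilities": {"drop": ["ALL"]},
            },
        }],
    },
}

PSS_SECCOMP_TYPES = {"RuntimeDefault", "Localhost"}

def audit_pod(manifest):
    """Return a list of findings; an empty list means the pod passes every check."""
    spec = manifest.get("spec", {})
    pod_sc = spec.get("securityContext", {})
    findings = []
    for flag in ("hostPID", "hostIPC", "hostNetwork"):
        if spec.get(flag):
            findings.append(f"{flag}: true shares a host namespace with the pod")
    if spec.get("hostUsers", True):  # unset means the host user namespace
        findings.append("pod runs in the host user namespace (set spec.hostUsers: false)")
    for vol in spec.get("volumes", []):
        if "hostPath" in vol:
            findings.append(f"hostPath volume {vol['name']!r} exposes {vol['hostPath']['path']} from the node")
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        name, sc = c.get("name", "?"), c.get("securityContext", {})
        caps = sc.get("capabilities", {})
        if sc.get("privileged"):
            findings.append(f"{name}: privileged container")
        for cap in caps.get("add", []):
            findings.append(f"{name}: adds capability {cap}")
        if "ALL" not in caps.get("drop", []):
            findings.append(f"{name}: does not drop ALL capabilities")
        if sc.get("allowPrivilegeEscalation", True):
            findings.append(f"{name}: allowPrivilegeEscalation is not false")
        if not (sc.get("runAsNonRoot") or pod_sc.get("runAsNonRoot")):
            findings.append(f"{name}: runAsNonRoot is not enforced")
        seccomp = (sc.get("seccompProfile") or pod_sc.get("seccompProfile") or {}).get("type")
        if seccomp not in PSS_SECCOMP_TYPES:
            findings.append(f"{name}: seccompProfile is not RuntimeDefault or Localhost")
        for vm in c.get("volumeMounts", []):
            if vm.get("mountPath", "").startswith(("/proc", "/sys")):
                findings.append(f"{name}: mounts {vm['name']!r} over {vm['mountPath']}, undoing the runtime's maskedPaths")
    return findings

def pss_namespace_labels(level="restricted"):
    """Namespace labels that make Pod Security Admission enforce `level`."""
    return {f"pod-security.kubernetes.io/{mode}": level for mode in ("enforce", "audit", "warn")}

if __name__ == "__main__":
    for title, pod in (("weak", WEAK_POD), ("hardened", HARDENED_POD)):
        print(f"{title}: {len(audit_pod(pod))} finding(s)")
        for finding in audit_pod(pod):
            print("  -", finding)
    print(pss_namespace_labels())
```

Running the audit on the weak manifest reports the added SYS_ADMIN capability, the hostPath volume, the mount over /proc/sys, and the missing restricted-profile settings; the hardened manifest reports nothing. Applying the labels from `pss_namespace_labels()` to the namespace makes the API server reject the weak pod on admission, so the check does not depend on anyone remembering to run it.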