“Azure Cloud Shell is a browser-based shell experience to manage and develop Azure resources.

Cloud Shell offers a browser-accessible, pre-configured shell experience for managing Azure resources without the overhead of installing, versioning, and maintaining a machine yourself.”

So we will start right away with how things work in the backend of the “Azure Cloud Shell” service.

User requests Cloud Shell through Azure Portal

1. The client requests Cloud Shell via the Azure Portal.
2. A random Kubernetes cluster is chosen.
3. A free node in the cluster is assigned to the client.
4. A container is created on the node with the client's token, which allows the user to control all of their Azure resources.

While I was playing around with “Azure Cloud Shell”, I immediately noticed that I run as a low-privileged user that is not able to do much except run the azure-cli command(s). I tried to gain higher privileges in different ways without luck.

Kubernetes is the leading container orchestration platform for SMBs and enterprises. It provides fast deployment, load balancing, high availability and resource monitoring, and is now widely offered as a managed service by the major cloud providers.

Microsoft Azure

During a security analysis I did of a customer’s container environment running on Azure AKS (Azure Kubernetes Service), I found that the deprecated Kubernetes kubelet read-only port (10255), which was designed for metrics and “health” checks, can be accessed from any container that has no restrictions on reaching the host IP addresses. By default, cloud providers do not restrict the connectivity between containers (pods) and…
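The check a practitioner would run from inside a pod, as an added example that is not code from the original article: find the node's IP, query the unauthenticated read-only kubelet port, and summarise what `/pods` exposes (namespaces, images, mounted secret names, host networking, privileged containers). The `NODE_IP` variable and the default-gateway fallback are assumptions about how the node is reachable; the `/pods` response below is constructed, not captured from a real cluster.

```python
"""Probe the kubelet read-only port (10255) from inside a pod and summarise /pods.

Added example, not code from the original article. Assumes the node's IP is
reachable from the pod (e.g. injected as NODE_IP via the downward API field
status.hostIP, or reachable as the default gateway) and that the port is open.
"""
import json
import os
import urllib.request
from urllib.error import URLError

KUBELET_RO_PORT = 10255  # deprecated read-only kubelet port: no auth, no TLS


def node_ip():
    """Best-effort node address: NODE_IP env (hypothetical) or the default gateway."""
    ip = os.environ.get("NODE_IP")
    if ip:
        return ip
    try:
        with open("/proc/net/route") as f:
            for line in f.readlines()[1:]:
                parts = line.split()
                if len(parts) > 2 and parts[1] == "00000000":  # default route
                    gw = int(parts[2], 16)  # little-endian hex in /proc/net/route
                    return ".".join(str((gw >> (8 * i)) & 0xFF) for i in range(4))
    except OSError:
        pass
    return None


def fetch_pods(ip, port=KUBELET_RO_PORT, timeout=3):
    """Return the parsed /pods document, or None if the port is closed or filtered."""
    try:
        with urllib.request.urlopen(f"http://{ip}:{port}/pods", timeout=timeout) as r:
            return json.load(r)
    except (URLError, OSError, ValueError):
        return None


def summarise_pods(doc):
    """Flatten a kubelet /pods response into the fields an attacker cares about."""
    out = []
    for item in doc.get("items", []):
        meta = item.get("metadata", {})
        spec = item.get("spec", {})
        containers = spec.get("containers", [])
        out.append({
            "namespace": meta.get("namespace"),
            "name": meta.get("name"),
            "images": [c.get("image", "") for c in containers],
            "secrets": sorted(v["secret"]["secretName"]
                              for v in spec.get("volumes", []) if "secret" in v),
            "host_network": bool(spec.get("hostNetwork", False)),
            "privileged": any(c.get("securityContext", {}).get("privileged", False)
                              for c in containers),
        })
    return out


# Constructed sample response (shape of the kubelet /pods document), not real data.
SAMPLE_PODS = {
    "kind": "PodList",
    "items": [
        {"metadata": {"name": "api-7d9f", "namespace": "shop"},
         "spec": {"containers": [{"name": "api", "image": "shop/api:1.4"}],
                  "volumes": [{"name": "db", "secret": {"secretName": "db-creds"}},
                              {"name": "tmp", "emptyDir": {}}]}},
        {"metadata": {"name": "node-agent-x1", "namespace": "kube-system"},
         "spec": {"hostNetwork": True,
                  "containers": [{"name": "agent", "image": "vendor/agent:2",
                                  "securityContext": {"privileged": True}}],
                  "volumes": []}},
    ],
}

if __name__ == "__main__":
    ip = node_ip()
    doc = fetch_pods(ip) if ip else None
    if doc is None:
        print(f"kubelet read-only port not reachable at {ip}; showing constructed sample")
        doc = SAMPLE_PODS
    for pod in summarise_pods(doc):
        print(pod)
```

If `/pods` answers at all, the port is reachable from the pod network, which is the misconfiguration the article describes; the summary then shows which workloads on the node are worth a closer look (host-network or privileged pods, and the names of secrets they mount).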

On 30.5.2019 I presented at the OWASP Global AppSec Tel Aviv conference with my team leader Asher Genachowski.

The lecture was focused on docker containers security, security best practices, the dangers of privileged containers and more.

The following steps allow anyone who wishes to recreate the demo themselves.

The starting point is existing shell access on a container (assuming we hacked an application running in a container and gained a shell).

Step 1:

Now that we have a shell on the container, we are not really sure what kind of system we hacked into, therefore we want to…
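The page cuts off before stating what step 1 checks, so the following is an added example, not code from the talk or article, and assumes the step is answering "am I inside a container, and is it a privileged one?" using only `/proc` and `/.dockerenv`. The cgroup markers and the sample `/proc` contents are constructed; the capability bit number is the kernel's (CAP_SYS_ADMIN is bit 21).

```python
"""Fingerprint the environment from a freshly obtained shell.

Added example (not from the original talk). Assumes the question is whether
we are in a container and whether it runs with a privileged capability set;
reads /proc/1/cgroup, /proc/self/status and /.dockerenv only.
"""
import os
import re

CAP_SYS_ADMIN = 21  # kernel capability bit; present in CapEff of privileged containers

# Substrings of /proc/1/cgroup paths that identify common runtimes (cgroup v1 layout).
_RUNTIME_MARKERS = (
    ("/kubepods", "kubernetes"),
    ("/docker", "docker"),
    ("/containerd", "containerd"),
    ("/lxc", "lxc"),
)


def runtime_from_cgroup(cgroup_text):
    """Guess the container runtime from /proc/1/cgroup content; None on a plain host."""
    for marker, name in _RUNTIME_MARKERS:
        if marker in cgroup_text:
            return name
    return None


def cap_eff_from_status(status_text):
    """Extract the effective capability mask (CapEff) from /proc/self/status."""
    m = re.search(r"^CapEff:\s*([0-9a-fA-F]+)", status_text, re.M)
    return int(m.group(1), 16) if m else 0


def has_cap(mask, bit):
    return bool((mask >> bit) & 1)


def fingerprint(cgroup_text, status_text, dockerenv_present):
    """Combine the three signals into a small verdict dictionary."""
    runtime = runtime_from_cgroup(cgroup_text)
    caps = cap_eff_from_status(status_text)
    in_container = dockerenv_present or runtime is not None
    sys_admin = has_cap(caps, CAP_SYS_ADMIN)
    return {
        "container": in_container,
        "runtime": runtime,
        "cap_eff": caps,
        "cap_sys_admin": sys_admin,
        # CAP_SYS_ADMIN inside a container is the usual tell of --privileged
        "likely_privileged": in_container and sys_admin,
    }


def fingerprint_local():
    """Run the fingerprint against the machine this script executes on."""
    def read(path):
        try:
            with open(path) as f:
                return f.read()
        except OSError:
            return ""
    return fingerprint(read("/proc/1/cgroup"), read("/proc/self/status"),
                       os.path.exists("/.dockerenv"))


# Constructed samples of the two /proc files, not captured from a real system.
DOCKER_CGROUP = "12:memory:/docker/3f1a2b4c5d6e\n1:name=systemd:/docker/3f1a2b4c5d6e\n"
HOST_CGROUP = "12:memory:/user.slice\n1:name=systemd:/user.slice/session-1.scope\n"
UNPRIV_STATUS = "Name:\tsh\nCapInh:\t0000000000000000\nCapEff:\t00000000a80425fb\n"
PRIV_STATUS = "Name:\tsh\nCapInh:\t0000003fffffffff\nCapEff:\t0000003fffffffff\n"

if __name__ == "__main__":
    print("sample unprivileged docker:", fingerprint(DOCKER_CGROUP, UNPRIV_STATUS, True))
    print("sample privileged docker:  ", fingerprint(DOCKER_CGROUP, PRIV_STATUS, True))
    print("this machine:              ", fingerprint_local())
```

Caveat: on cgroup v2 hosts `/proc/1/cgroup` often shows just `0::/` inside the container, so the runtime guess can come back `None`; the `/.dockerenv` file and the capability mask are then the more reliable signals. The default Docker CapEff (`a80425fb`) lacks bit 21, while `3fffffffff` (every capability up to 37) is what `--privileged` gives.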

Chen Cohen

Penetration Tester @eBay
