Kubetok - new tool to find credentials' permissions

Hi everyone,
There is a tool that I built couple of months ago called: “kubetok”.

Within a given credentials (like JWT token), it checks what permissions you have.
It uses the API selfsubjectrulesreviews to do it.
It can be good if you found a token and you want to see what permissions you have.

In case the token doesn’t have the permissions to call selfsubjectrulesreviews, I created a module that bruteforce the API to guess what permissions the token have.

One issue, this option already exist (except from the bruteforce module) in kubectl by using:
kubectl auth can-i --list --token=...

I wanted to publish it but I am not sure it is good to do it from the CyberArk github because then will be a question like:
what is the idea? this functionality is already exist…

What do you think?
I thought maybe just to publish it from my private account and preventing us from looking no professional by not checking this functionality first before creating it.
If I will publish it as private, I can present it just as another option, maybe more nicer to view permissions.

4 Likes

Hi!

That looks really interesting. Did you see the env stealer script as well ?

I watched being used during a talk about https://github.com/cruise-automation/k-rail and it was really useful.

Cheers.

1 Like

Hi,
Yes but didn’t hear about the talk. Was it in KubeCon ?

Yes, I am curious also, where did you see this and is there a recording @joalmaraz ?

Hey guys,

The talk was during OWASP AppSecDay over here in Melbourne: https://appsecday.io/schedule/#session-3

I am not sure if https://twitter.com/nfFrenchie or the conf have recorded the talk, but I think their medium post covers some of it (the live demos were really cool though :slight_smile: ):

Cheers!

1 Like

@g0ku Did you end up posting it somewhere?

@jake not yet.
But I am thinking to do it privately. Not sure yet.

@g0ku if you post it privately on your personal GitHub it’d be great if you could edit the original post with the link. I’m interested in seeing it when it’s up