Performed initial nmap scan:
nmap -sC -sV -oN nmap.txt 10.10.10.X
Revealed open ports: 22 (SSH), 80 (HTTP), 443 (HTTPS)
Directory enumeration using:
ffuf -u http://10.10.10.X/FUZZ -w /usr/share/wordlists/dirb/common.txt
Discovered Kubernetes dashboard interface hosted insecurely under /dashboard path.
Located hardcoded credentials in downloaded YAML config file. Used credentials to authenticate to the dashboard. Escalated into shell via exposed control commands.
Used kubectl exec to spawn an interactive shell within the container.
Pivoted into system environment using mounted volumes and service accounts.
Enumerated user path and discovered a custom binary marked as SUID.
Binary allowed shell escape due to unsafe system() call to bash.
Gained root, captured both user.txt and root.txt.
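For the SUID step above, a hardened way for a privileged binary to launch a helper, written as an added example and not code from the target binary or this write-up. The helper path /usr/bin/id and the function names are assumptions chosen for illustration.

```c
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Weak pattern described in the write-up: a SUID binary calling system(),
 * which hands a command line to a shell while the process is still privileged.
 * Hardened form: drop the SUID identity, then execve() a fixed absolute path. */

/* Permanently give up the SUID identity. Returns 0 on success, -1 otherwise. */
int drop_privileges(void) {
    uid_t ruid = getuid(), old_euid = geteuid();
    gid_t rgid = getgid(), old_egid = getegid();

    if (setgid(rgid) != 0) return -1;   /* group first: needs the old euid */
    if (setuid(ruid) != 0) return -1;
    if (ruid != 0) {  /* root can always switch back, so only check others */
        if (old_euid != ruid && seteuid(old_euid) == 0) return -1;
        if (old_egid != rgid && setegid(old_egid) == 0) return -1;
    }
    return (geteuid() == ruid && getegid() == rgid) ? 0 : -1;
}

/* Run a helper without a shell: fixed path, fixed argv, minimal environment.
 * Returns the helper's exit status, 126 if the drop failed, 127 if exec failed. */
int run_helper(const char *path, char *const argv[]) {
    static char *const clean_env[] = { "PATH=/usr/bin:/bin", NULL };
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (drop_privileges() != 0) _exit(126);  /* never exec while privileged */
        execve(path, argv, clean_env);           /* no PATH search, no caller env */
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) {
    char *const args[] = { "id", NULL };         /* assumed helper, for illustration */
    int rc = run_helper("/usr/bin/id", args);
    printf("helper exit status: %d\n", rc);
    return rc == 0 ? 0 : 1;
}
```

Even when installed SUID root, the helper runs with the caller's own uid and gid, so a shell reached through it carries no extra privilege.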