an attack environment for simulating realistic attack vectors against Kubernetes clusters to validate security controls and defenses.
clusterfuck simulates advanced container escape and privilege escalation techniques commonly used by attackers targeting Kubernetes environments. The toolkit allows security teams to:
- evaluate effectiveness of security controls
- validate detection capabilities
- test incident response procedures
- conduct purple team exercises
- container escape techniques: simulates privileged container attacks with host filesystem access
- credential exfiltration: extracts and exfiltrates Kubernetes service account tokens
- network reconnaissance: performs port scanning and network mapping
- persistence mechanisms: demonstrates common persistence techniques including cron jobs
- command & control: establishes reverse shell connections to a simulated C2 server
- payload delivery: includes a full payload server for realistic attack simulation
- cloud credential theft: simulates AWS credential theft (with dummy or real credentials)
- process hiding: demonstrates anti-forensics techniques
- kubernetes cluster (minikube, kind, EKS, GKE, etc.)
- kubectl configured with appropriate permissions
- basic understanding of Kubernetes security concepts
for a minimal setup that demonstrates key attack paths:
# deploy the payload server (C2 simulation)
kubectl apply -f payload-server.yaml
# deploy the attack simulation pod
kubectl apply -f attack-sim-deploy.yaml
# watch the attack simulation logs
kubectl logs -f sim-pod
# view captured data on the payload server
kubectl logs -f $(kubectl get pods -l app=payload-server -o name | head -n1)
advanced setup: if you want to demonstrate AWS credential theft (this works with sealed secrets too):
# create AWS credentials secret with dummy data
kubectl apply -f aws-credentials.yaml
kubectl apply -f sealed-aws-credentials.yaml
# deploy the attack simulation
kubectl apply -f attack-sim-deploy.yaml
examining captured data:
# resolve the payload server pod once and reuse it (the -o name output is accepted by kubectl exec)
PAYLOAD_POD=$(kubectl get pods -l app=payload-server -o name | head -n1)
# list exfiltrated files
kubectl exec "$PAYLOAD_POD" -- ls -la /payloads/uploads
# view shell connection logs
kubectl exec "$PAYLOAD_POD" -- ls -la /payloads/shells
# view the most recently captured file (e.g., a stolen token); -t is dropped because a TTY is not useful inside command substitution
LATEST=$(kubectl exec "$PAYLOAD_POD" -- ls -t /payloads/uploads | head -n1)
kubectl exec "$PAYLOAD_POD" -- cat "/payloads/uploads/$LATEST"
clusterfuck consists of two main components:
- attack simulation pod: a privileged container that executes various attack techniques
- payload server: a simulated C2 server that receives exfiltrated data and provides reverse shell connections
the simulation follows common attack phases including:
- initial access (via privileged container)
- discovery
- credential access
- privilege escalation
- persistence
- defense evasion
- lateral movement
- data exfiltration
this simulation contains:
- privileged container access - demonstrates container escape techniques
- dummy AWS credentials - no real cloud access is possible
- kubernetes attack techniques - for educational purposes only
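the techniques listed above (privileged container, host filesystem access, service account token theft, network reconnaissance) all depend on a handful of pod spec settings, so a quick way to check whether a cluster would let the simulation pod run at all is to audit every pod for those settings. the script below is an added example, not part of the clusterfuck project: it reads the JSON that `kubectl get pods -A -o json` produces and reports, per pod, privileged containers, hostPath mounts, hostPID/hostNetwork and auto-mounted service account tokens. the embedded `SAMPLE_PODS` input is constructed for the example; the image name and pod names in it are placeholders, not the project's manifests.

```python
"""Audit pod specs for the settings the simulated attack techniques rely on.

Added example, not part of the clusterfuck project. Input shape is a Kubernetes
PodList object, i.e. the output of `kubectl get pods -A -o json`.
"""
import json
import sys

# Constructed sample in PodList shape (not real cluster data). The first pod has the
# settings a privileged simulation pod needs; the second is a hardened benign pod.
SAMPLE_PODS = {
    "items": [
        {
            "metadata": {"name": "sim-pod", "namespace": "default"},
            "spec": {
                "hostPID": True,
                "hostNetwork": True,
                "volumes": [{"name": "host-root", "hostPath": {"path": "/"}}],
                "containers": [{
                    "name": "attacker",
                    "image": "placeholder/attack-sim:latest",   # placeholder image
                    "securityContext": {"privileged": True},
                    "volumeMounts": [{"name": "host-root", "mountPath": "/host"}],
                }],
            },
        },
        {
            "metadata": {"name": "web", "namespace": "default"},
            "spec": {
                "automountServiceAccountToken": False,
                "containers": [{
                    "name": "nginx",
                    "image": "nginx:1.25",
                    "securityContext": {
                        "privileged": False,
                        "allowPrivilegeEscalation": False,
                        "capabilities": {"drop": ["ALL"]},
                    },
                }],
            },
        },
    ]
}

# Host paths that give a container control of the node when mounted writable.
HIGH_RISK_HOST_PATHS = {"/", "/etc", "/proc", "/root", "/var/run", "/var/run/docker.sock"}


def audit_pod(pod):
    """Return a list of (severity, message) findings for one pod object."""
    spec = pod.get("spec", {})
    findings = []

    # Pod-level namespace sharing: process visibility and node network access.
    if spec.get("hostPID"):
        findings.append(("high", "hostPID=true: host processes are visible to the pod"))
    if spec.get("hostNetwork"):
        findings.append(("medium", "hostNetwork=true: pod shares the node network namespace"))

    # Token automount defaults to true; an unneeded token is the credential the
    # simulation exfiltrates.
    if spec.get("automountServiceAccountToken", True):
        findings.append(("medium", "service account token is auto-mounted into the pod"))

    # hostPath volumes are the host filesystem access used for container escape.
    for vol in spec.get("volumes", []):
        hp = vol.get("hostPath")
        if hp is None:
            continue
        path = hp.get("path", "").rstrip("/") or "/"
        sev = "high" if path in HIGH_RISK_HOST_PATHS else "medium"
        findings.append((sev, f"hostPath volume {vol.get('name', '?')} mounts {path}"))

    # Container-level privilege settings.
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        name = c.get("name", "?")
        sc = c.get("securityContext", {})
        if sc.get("privileged"):
            findings.append(("high", f"container {name}: privileged=true"))
        elif sc.get("allowPrivilegeEscalation") is not False:
            findings.append(("low", f"container {name}: allowPrivilegeEscalation not set to false"))
        if "SYS_ADMIN" in sc.get("capabilities", {}).get("add", []):
            findings.append(("high", f"container {name}: CAP_SYS_ADMIN added"))
    return findings


def audit_pods(pod_list):
    """Map 'namespace/name' -> findings for every pod in a PodList object."""
    report = {}
    for pod in pod_list.get("items", []):
        meta = pod.get("metadata", {})
        key = f"{meta.get('namespace', 'default')}/{meta.get('name', '?')}"
        report[key] = audit_pod(pod)
    return report


def format_report(report):
    """Render only the pods that have findings, one line per finding."""
    lines = []
    for key, findings in report.items():
        if not findings:
            continue
        lines.append(key)
        lines.extend(f"  [{sev}] {msg}" for sev, msg in findings)
    return "\n".join(lines)


if __name__ == "__main__":
    # Read a PodList from stdin when piped; otherwise run on the built-in sample.
    data = SAMPLE_PODS if sys.stdin.isatty() else json.load(sys.stdin)
    print(format_report(audit_pods(data)) or "no findings")
```

run it as `kubectl get pods -A -o json | python3 audit_pods.py` against a live cluster, or with no piped input to see the sample output. if the simulation pod shows up with high findings, the cluster is admitting exactly the spec the toolkit needs; a namespace labelled with Pod Security Admission at the `baseline` level rejects privileged containers, hostPath volumes and hostPID/hostNetwork, so the simulation pod failing to be admitted there is itself a successful control validation.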
you can modify the environment variables in attack-sim-deploy.yaml to:
- change target server names
- adjust ports
- enable/disable cloud enumeration
cleanup:
kubectl delete -f attack-sim-deploy.yaml
kubectl delete -f payload-server.yaml
kubectl delete secret aws-credentials --ignore-not-found
this toolkit is for educational and defensive purposes only. it should be used exclusively in environments you own or have explicit permission to test.