I am exploring CVE 2108-1002105 about privilege escalation vulnerabilities in Kubernetes. As a remote unauthenticated user, I would want to make use of a metrics server deployed on my cluster to exec arbitrary commands on any pod.
I am quite confused about how to do so. Currently, I have sent a GET request to the kube API server to request a connection upgrade to WebSocket (CVE), and then I used the x-remote-header user to impersonate a user in the cluster that has access to the metrics server (in this case I used X-Remote-User: system:serviceaccount:kube-system:horizontal-pod-autoscaler).
However, I am unable to exec and I think it is because this user does not have exec privileges. How do I check this?
I am also thinking of creating my own user who has root privileges and can do anything he wants on the cluster, and impersonating him instead. How do I do this and also ensure this user has access to the metrics server?