Kubernetes: open etcd
Quick post on Kubernetes and open etcd (port 2379). "etcd is a distributed key-value store. In fact, etcd is the primary datastore of Kubernetes; storing and replicating all Kubernetes cluster state. As...
Kubernetes: cAdvisor
"cAdvisor (Container Advisor) provides container users an understanding of the resource usage and performance characteristics of their running containers. It is a running daemon that collects,...
Kubernetes: Master Post
I have a few Kubernetes posts queued up and will make this the master post to index and give references for the topic. If I'm missing blog posts or useful resources, ping me here or on Twitter. Talks you...
Kubernetes: Kubelet API containerLogs endpoint
How to get the info that kube-hunter reports for an open /containerLogs endpoint.
Vulnerabilities
+---------------+-------------+------------------+----------------------+----------------+
| LOCATION...
Kubernetes: Kubernetes Dashboard
Tesla was famously hacked for leaving this open. It's pretty rare to find it exposed externally now, but it is useful to know what it is and what you can do with it. Usually found on port 30000. kube-hunter...
Kubernetes: List of ports
Other Kubernetes ports. What are some of the visible ports used in Kubernetes?
44134/tcp - Helm tiller, weave, calico
10250/tcp - kubelet (kubelet exploit). No authN, completely...
Kubernetes: unauth kubelet API 10250 basic code exec
Unauth API access (10250). Most Kubernetes deployments provide authentication for this port, but it's still possible to expose it inadvertently, and it's still pretty common to find it exposed via the...
Kubernetes: unauth kubelet API 10250 token theft & kubectl
Kubernetes: unauthenticated kubelet API (10250) token theft & kubectl access & exec. kube-hunter output to get us started: do a curl -s https://k8-node:10250/runningpods/ to get a list of running...
Kubernetes: Kube-Hunter 10255
Below is some sample output, mainly here to show what an open 10255 will give you and what it looks like. Probably of most interest is the /pods endpoint, the /metrics endpoint, or the /stats endpoint. $...
Abusing Docker API | Socket
Notes on abusing open Docker sockets. This won't cover breaking out of Docker containers. Ports: usually 2375 & 2376 but can be...
Jenkins - messing with new exploits pt1
Jenkins notes for:
https://blog.orange.tw/2019/01/hacking-jenkins-part-1-play-with-dynamic-routing.html
http://blog.orange.tw/2019/02/abusing-meta-programming-for-unauthenticated-rce.html
to download old...
Jenkins - messing with exploits pt2 - CVE-2019-1003000
After the release of Orange Tsai's exploit for Jenkins, I've been doing some poking. PreAuth RCE against Jenkins is something everyone wants. While not totally related to the blog post and tweet, the...
Jenkins Master Post
A collection of posts on attacking Jenkins:
http://www.labofapenetrationtester.com/2014/08/script-execution-and-privilege-esc-jenkins.html
Manipulating build steps to get...
Jenkins - SECURITY-200 / CVE-2015-5323 PoC
API tokens of other users available to admins. SECURITY-200 / CVE-2015-5323. API tokens of other users were exposed to admins by default. On instances that don't implicitly grant RunScripts permission to...
Jenkins - SECURITY-180/CVE-2015-1814 PoC
Forced API token change. SECURITY-180/CVE-2015-1814
https://jenkins.io/security/advisory/2015-03-23/#security-180cve-2015-1814-forced-api-token-change
Affected Versions: All Jenkins releases <= 1.605. All...
Jenkins - decrypting credentials.xml
If you find yourself on a Jenkins box with script console access, you can decrypt the saved passwords in credentials.xml in the following way:
hashed_pw='$PASSWORDHASH'
passwd =...
Jenkins - Identify IP Addresses of nodes
While doing some research I found several posts on Stack Overflow asking how to identify the IP address of nodes. You might want to know this if you read the decrypting credentials post and managed to...
Jenkins - messing with exploits pt3 - CVE-2019-1003000
References:
https://www.exploit-db.com/exploits/46453
http://blog.orange.tw/2019/02/abusing-meta-programming-for-unauthenticated-rce.html
This post covers the Orange Tsai Jenkins pre-auth exploit. Vuln...
Jenkins - CVE-2018-1000600 PoC
Second exploit from the blog post
https://blog.orange.tw/2019/01/hacking-jenkins-part-1-play-with-dynamic-routing.html
Chained with CVE-2018-1000600 to a Pre-auth Fully-responded...
Minecraft Mod, Mother's Day, and A Hacker Dad
Over the weekend my wife was feeling under the weather. This meant we were stuck indoors, and since she is sick and it's Mother's Day weekend - less than ideal situation - I needed to keep my son as...
Minecraft Mod, Follow up, and Java Reflection
After yesterday's post, I received a ton of interesting and creative responses regarding how to get around the mod's restrictions, which is what I love about our community. Mubix was the first person to...
Devoops: Nomad with raw_exec enabled
"Nomad is a flexible container orchestration tool that enables an organization to easily deploy and manage any containerized or legacy application using a single, unified workflow. Nomad can run a...
What is your GCP infra worth?...about ~$700 [Bugbounty]
BugBounty story #bugbountytips. A fixed-but-they-didn't-pay bug bounty story...
Timeline:
reported 21 Oct 2019
validated at Critical 23 Oct 2019
validated as fixed 30 Oct 2019
Bounty amount stated (IDR...
The Duality of Attackers - Or Why Bad Guys are a Good Thing™
It's no secret I've been on a spiritual journey the last few years. I tell most people it's fundamentally changed my life and how I look at...
WeirdAAL update - get EC2 snapshots
I watched a good DEF CON video on abusing public AWS Snapshots:
https://www.youtube.com/watch?v=-LGR63yCTts
I, of course, wanted to check this out. There are tens of thousands of public snapshots in the...