Kubernetes: Master Post
I have a few Kubernetes posts queued up and will make this the master post to index and give references for the topic. If I'm missing blog posts or useful resources, ping me here or on Twitter. Talks you...
Kubernetes: Kubelet API containerLogs endpoint
How to get the info that kube-hunter reports for open /containerLogs endpoint. Vulnerabilities +---------------+-------------+------------------+----------------------+----------------+ | LOCATION...
Kubernetes: Kubernetes Dashboard
Tesla was famously hacked for leaving this open and it's pretty rare to find it exposed externally now but useful to know what it is and what you can do with it. Usually found on port 30000. kube-hunter...
Kubernetes: List of ports
Other Kubernetes ports. What are some of the visible ports used in Kubernetes? 44134/tcp - Helmtiller, weave, calico. 10250/tcp - kubelet (kubelet exploit). No authN, completely...
Kubernetes: unauth kubelet API 10250 basic code exec
Unauth API access (10250). Most Kubernetes deployments provide authentication for this port. But it’s still possible to expose it inadvertently and it's still pretty common to find it exposed via the...
Kubernetes: unauth kubelet API 10250 token theft & kubectl
Kubernetes: unauthenticated kubelet API (10250) token theft & kubectl access & exec. kube-hunter output to get us started: do a curl -s https://k8-node:10250/runningpods/ to get a list of running...
Kubernetes: Kube-Hunter 10255
Below is some sample output that is mainly here to show what an open 10255 will give you and look like. What is probably of most interest is the /pods endpoint or the /metrics endpoint or the /stats endpoint $...
Abusing Docker API | Socket
Notes on abusing open Docker sockets. This won't cover breaking out of Docker containers. Ports: usually 2375 & 2376 but can be...
Jenkins - messing with new exploits pt1
Jenkins notes for: https://blog.orange.tw/2019/01/hacking-jenkins-part-1-play-with-dynamic-routing.html http://blog.orange.tw/2019/02/abusing-meta-programming-for-unauthenticated-rce.html to download old...
Jenkins - messing with exploits pt2 - CVE-2019-1003000
After the release of Orange Tsai's exploit for Jenkins, I've been doing some poking. PreAuth RCE against Jenkins is something everyone wants. While not totally related to the blog post and tweet the...
Jenkins Master Post
A collection of posts on attacking Jenkins: http://www.labofapenetrationtester.com/2014/08/script-execution-and-privilege-esc-jenkins.html Manipulating build steps to get...
Jenkins - SECURITY-200 / CVE-2015-5323 PoC
API tokens of other users available to admins. SECURITY-200 / CVE-2015-5323. API tokens of other users were exposed to admins by default. On instances that don’t implicitly grant RunScripts permission to...
Jenkins - SECURITY-180/CVE-2015-1814 PoC
Forced API token change. SECURITY-180/CVE-2015-1814. https://jenkins.io/security/advisory/2015-03-23/#security-180cve-2015-1814-forced-api-token-change Affected Versions: All Jenkins releases <= 1.605. All...
Jenkins - decrypting credentials.xml
If you find yourself on a Jenkins box with script console access you can decrypt the saved passwords in credentials.xml in the following way: hashed_pw='$PASSWORDHASH' passwd =...
Jenkins - Identify IP Addresses of nodes
While doing some research I found several posts on Stack Overflow asking how to identify the IP address of nodes. You might want to know this if you read the decrypting credentials post and managed to...
Jenkins - messing with exploits pt3 - CVE-2019-1003000
References: https://www.exploit-db.com/exploits/46453 http://blog.orange.tw/2019/02/abusing-meta-programming-for-unauthenticated-rce.html This post covers the Orange Tsai Jenkins pre-auth exploit. Vuln...
Jenkins - CVE-2018-1000600 PoC
Second exploit from the blog post https://blog.orange.tw/2019/01/hacking-jenkins-part-1-play-with-dynamic-routing.html Chained with CVE-2018-1000600 to a Pre-auth Fully-responded...
Minecraft Mod, Mother's Day, and A Hacker Dad
Over the weekend my wife was feeling under the weather. This meant we were stuck indoors and since she is sick and it's Mother's Day weekend - a less than ideal situation - I needed to keep my son as...
Minecraft Mod, Follow up, and Java Reflection
After yesterday's post, I received a ton of interesting and creative responses regarding how to get around the mod's restrictions which is what I love about our community. Mubix was the first person to...
Devoops: Nomad with raw_exec enabled
"Nomad is a flexible container orchestration tool that enables an organization to easily deploy and manage any containerized or legacy application using a single, unified workflow. Nomad can run a...