* hostNetwork
* hostPID
* hostPath
* hostIPC
* privileged

Also great to demonstrate why passing secrets as arguments on the command line is a bad idea.

* simulator (with AWS)
* kube_security_lab (On-premise)

* Shell via web
* common tools for kube pentest
* Bypass read-only container file system
* Bypass signature engine

* PurplePanda - поиск миссконфигов и privesc. Cloud/SaaS

* Prowler - проведение аудитов, реагирование на инциденты и многое другое в таких средах, как AWS, Azure, GCP и Kubernetes

* CloudSploit by Aqua - Cloud Security Scans

* ScoutSuite - Multi-Cloud Security Auditing Tool

* cartography
* starbase
* IceKube
* KubeHound

dump: Lists the outstanding sessions and ephemeral nodes. This only works on the leader.

envi: Print details about serving environment

kill: Shuts down the server. This must be issued from the machine the ZooKeeper server is running on

reqs: List outstanding requests

ruok: Tests if server is running in a non-error state. The server will respond with imok if it is running. Otherwise it will not respond at all

srst: Reset statistics returned by stat command

stat: Lists statistics about performance and connected clients

echo urok | nc 192.168.1.1 2181

msf > use auxiliary/gather/zookeeper_info_disclosure

* Link
* Link

* Link
* Link

* Reconnaissance - Link
* Abusing GitLab Runners - Link
* Script for steal tasks by requesting them faster than a real runner - Link

* deepce - noscript for Enumeration, Escalation of Privileges and Container Escapes written in pure sh

* CDK - K8s, Docker penetration toolkit

* botb - analysis and exploitation tool also being CI/CD friendly with common CI/CD technologies

* amicontained - Useful tool to get the privileges the container has in order to find ways to escape from it

* grype - Get the CVEs contained in the software installed in the image

* linpeas - It can also enumerate containers

(echo -ne "GET /stealthcopter/deepce/main/deepce.sh HTTP/1.1\r\nHost: raw.githubusercontent.com\r\nConnection: close\r\n\r\n"; sleep 3) | openssl s_client -connect raw.githubusercontent.com:443 -quiet > deepce.sh

cd /tmp
tee -a getFile.sh
<copy+paste the contents of the getFile.sh noscript>
<hit enter and the ctrl-d/cmd-d>
cat getFile.sh

URL=http://localhost:8000/file OUTPUT=file ./get.sh

git clone https://github.com/stark0de/nginxpwner
cd nginxpwner
sudo docker build -t nginxpwner:latest .
sudo docker run -it nginxpwner:latest /bin/bash

* Gets Ngnix version and gets its possible exploits using searchsploit and tells if it is outdated

* Throws a wordlist specific to Nginx via gobuster

* Checks if it is vulnerable to CRLF via a common misconfiguration of using $uri in redirects

* Checks for CRLF in all of the paths provided

* Checks if the PURGE HTTP method is available from the outside

* Checks for variable leakage misconfiguration

etc

* Visualize network policies and pods in a interactive network map

* Scan cluster identify pods without network policies

* Create default deny network policies where this is missing

* Get suggestions for network policies based on existing workloads

* admin
* dpapi
* http
* mssql
* smb

* Am I Testing Keycloak?
* Keycloak Version Information
* OpenID Configuration /SAML Denoscriptor
* Realms (Enumeration && Self-Registration Enabled)
* Client IDs
* Scopes
* Grants
* Identity Providers
* Roles
* User Email Enumeration

Reconnaissance
* Additional Services and Ports
* Interesting Local Files
* Reconnaissance Conclusion

Exploitation
* Brute Force Login
* Bypassing/Automating CSRF
* JWT Signing Algorithms
* Make the most out of your scopes/roles
* offline_access
* uma_authorization
* profile
* email
* address
* phone