BugBounty story #bugbountytipsA fixed but they didn't pay the bugbounty story...Timeline:reported 21 Oct 2019validated at Critical 23 Oct 2019validated as fixed 30 Oct 2019Bounty amount stated (IDR 10.000.000 = ~700 USD) 12 ...

BugBounty story #bugbountytips A fixed but they didn't pay the bugbounty story... Timeline: reported 21 Oct 2019 validated at Critical  23 Oct 2019 validated as fixed 30 Oct 2019 Bounty amount stated (IDR ...

"Nomad is a flexible container orchestration tool that enables an organization to easily deploy and manage any containerized or legacy application using a single, unified workflow. Nomad can run a diverse workload ...

"Nomad is a flexible container orchestration tool that enables an organization to easily deploy and manage any containerized or legacy application using a single, unified workflow. Nomad can run a diverse workload ...

Notes on abusing open Docker socketsThis wont cover breaking out of docker containersPorts: usually 2375 & 2376 but can be anythingRefs:https://blog.sourcerer.io/a-crash-course-on-docker-learn-to-swim-with-the-big-fish-6ff25e8958b0https://www.slideshare.net/BorgHan/hacking-docker-the-easy-wayhttps://blog.secureideas.com/2018/05/escaping-the-whale-things-you-probably-shouldnt-do-with-docker-part-1.htmlhttps://blog.secureideas.com/2018/08/escaping-the-whale-things-you-probably-shouldnt-do-with-docker-part-2.htmlhttps://infoslack.com/devops/exploring-docker-remote-apihttps://www.blackhat.com/docs/us-17/thursday/us-17-Cherny-Well-That-Escalated-Quickly-How-Abusing-The-Docker-API-Led-To-Remote-Code-Execution-Same-Origin-Bypass-And-Persistence_wp.pdfhttps://raesene.github.io/blog/2016/03/06/The-Dangers-Of-Docker.sock/https://cert.litnet.lt/2016/11/owning-system-through-an-exposed-docker-engine/https://medium.com/@riccardo.ancarani94/attacking-docker-exposed-api-3e01ffc3c124https://www.exploit-db.com/exploits/42356https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/docker_daemon_tcp.rbhttp://blog.nibblesec.org/2014/09/abusing-dockers-remote-apis.htmlhttps://www.prodefence.org/knock-knock-docker-will-you-let-me-in-open-api-abuse-in-docker-containers/https://blog.ropnop.com/plundering-docker-images/Enable docker socket (Create practice locations)https://success.docker.com/article/how-do-i-enable-the-remote-api-for-dockerdHaving the docker API | socket exposed ...

Unauth API access (10250)Most Kubernetes deployments provide authentication for this port. But it’s still possible to expose it inadvertently and it's still pretty common to find it exposed via the "insecure API ...

Kubernetes: unauthenticated kublet API (10250) token theft & kubectl access & execkube-hunter output to get us started: do a curl -s https://k8-node:10250/runningpods/ to get a list of running podsWith that data, you ...

Below is some sample output that mainly is here to see what open 10255 will give you and look like. What probably of most interest is the /pods endpointor the /metrics endpointor ...

How to get the info that kube-hunter reports for open /containerLogs endpointVulnerabilities+---------------+-------------+------------------+----------------------+----------------+| LOCATION CATEGORY | VULNERABILITY | DESCRIPTION | EVIDENCE |+---------------+-------------+------------------+----------------------+----------------++----------------+------------+------------------+----------------------+----------------+| 1.2.3.4:10250 | Information | Exposed Container| Output logs from a | ...

I have a few Kubernetes posts queued up and will make this the master post to index and give references for the topic. If i'm missing blog posts or useful resources ping ...