mirror of https://github.com/carlospolop/hacktricks.git synced 2023-12-14 19:12:55 +01:00

GitBook: [#2988] No subject

CPol 2022-02-04 15:03:59 +00:00 committed by gitbook-bot
parent 87034104df
commit 1d52146bb8
No known key found for this signature in database
GPG key ID: 07D2180C7B12D0FF
3 changed files with 22 additions and 14 deletions

@ -16,3 +16,15 @@ For more info about which privileges you can abuse read:
### Escape to the node
If you can escape to the node either because you have compromised a pod and you can escape or because you ca create a privileged pod and escape you could do several things to steal other SAs tokens:
* Check for **SAs tokens mounted in other docker containers** running in the node
* Check for new **kubeconfig files in the node with extra permissions** given to the node
* If enabled (or enable it yourself) try to **create mirrored pods of other namespaces** as you might get access to those namespaces default token accounts (I haven't tested this yet)
All these techniques are explained in:
{% content-ref url="../../pentesting/pentesting-kubernetes/attacking-kubernetes-from-inside-a-pod.md" %}
[attacking-kubernetes-from-inside-a-pod.md](../../pentesting/pentesting-kubernetes/attacking-kubernetes-from-inside-a-pod.md)
{% endcontent-ref %}
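Review bot: the third bullet carries "(I haven't tested this yet)", so the claim that mirrored pods of other namespaces give access to those namespaces' default tokens is unverified; confirm it before merging or put it under an explicit "untested" label so readers do not take it as established behaviour. In the opening sentence, "you ca create" should read "you can create", and "SAs tokens" should be "SA tokens" in both places. The first bullet also assumes Docker as the node runtime; plain "containers" would cover nodes running containerd or CRI-O as well.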

@ -48,6 +48,12 @@ Another important details about enumeration and Kubernetes permissions abuse is
[hardening-roles-clusterroles](hardening-roles-clusterroles/)
{% endcontent-ref %}
### Privesc to a different Namespace
If you have compromised a namespace you can potentially escape to other namespaces with more interesting permissions/resources:
### From Kubernetes to the Cloud
If you have compromised a K8s account or a pod, you might be able able to move to other clouds. This is because in clouds like AWS or GCP is possible to **give a K8s SA permissions over the cloud**.
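Review bot: the sentence under "### Privesc to a different Namespace" ends in a colon ("...permissions/resources:") but the next visible line is already the "### From Kubernetes to the Cloud" heading, so the section promises content that is not there. Add the list or a content-ref to the page that covers it, or end the sentence with a period. While this file is open, the context line below it has "might be able able to move", and "is possible to" is missing its "it".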

@ -1,5 +1,7 @@
# Symphony
**This page was copied from** [**https://www.ambionics.io/blog/symfony-secret-fragment**](https://www.ambionics.io/blog/symfony-secret-fragment)****
## Introduction <a href="#introduction" id="introduction"></a>
Since its creation in 2008, the use of the [Symfony](https://symfony.com) framework has been growing more and more in PHP based applications. It is now a core component of many well known CMSs, such as [Drupal](https://www.drupal.org), [Joomla!](https://www.joomla.org), [eZPlatform](https://ezplatform.com) (formerly eZPublish), or [Bolt](https://bolt.cm), and is often used to build custom websites.
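Review bot: the page title is "# Symphony" while the introduction and the linked source both spell the framework "Symfony"; fix the heading so search and cross-links match. The attribution line under it also ends with an empty bold pair (`****`) after the link, which should be dropped.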
@ -509,6 +511,8 @@ The exploit will therefore run through every possible variable combination, and
## Accessing symphony /\_profiler information&#x20;
(info taken from [https://flattsecurity.hatenablog.com/entry/2020/11/02/124807](https://flattsecurity.hatenablog.com/entry/2020/11/02/124807))
![f:id:flattsecurity:20201021204553p:plain](https://cdn-ak.f.st-hatena.com/images/fotolife/f/flattsecurity/20201021/20201021204553.png)
As you see the screenshot above, there is `sf` logo on the right bottom side of the page. This logo is shown when the Symfony is under the debug mode. There are some cases that this logo doesnt show up, so try accessing `/_profiler` and you will see the page as shown below
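Review bot: the heading "## Accessing symphony /\_profiler information&#x20;" keeps the "symphony" misspelling and a trailing `&#x20;` entity; correct both, since this hunk already edits the lines directly below it. The source attribution here is a bare parenthetical, while the one at the top of the page is a bold sentence; use one form for both.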
@ -524,17 +528,3 @@ The Symfony framework itself is very secure, but enabling debug mode will make t
As you see in the screenshot above, you can access all sent requests to the server. By clicking hashes in the token, you will see that all POST parameters can be read, as seen in the following screenshot. With this feature, we can hijack the administrator and users account credentials.
![f:id:flattsecurity:20201021204637p:plain](https://cdn-ak.f.st-hatena.com/images/fotolife/f/flattsecurity/20201021/20201021204637.png)
### Other Debug Enabled Endpoints
You should also check these URLs:
* **https://example.com/app\_dev.php/\_profiler**
* **https://example.com/app\_dev.php**\
## References
* [**https://www.ambionics.io/blog/symfony-secret-fragment**](https://www.ambionics.io/blog/symfony-secret-fragment)****
* [**https://flattsecurity.hatenablog.com/entry/2020/11/02/124807**](https://flattsecurity.hatenablog.com/entry/2020/11/02/124807)****
* ****[**https://infosecwriteups.com/how-i-was-able-to-find-multiple-vulnerabilities-of-a-symfony-web-framework-web-application-2b82cd5de144**](https://infosecwriteups.com/how-i-was-able-to-find-multiple-vulnerabilities-of-a-symfony-web-framework-web-application-2b82cd5de144)****
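Review bot: the infosecwriteups.com entry at the end of the "## References" list is dropped without replacement. Going by the hunk header (17 lines down to 3), the whole "## References" list and the "### Other Debug Enabled Endpoints" section are removed; the ambionics.io and flattsecurity links reappear as inline attributions earlier in the file, but the third link is not re-added in any visible hunk, so that credit is lost. Keep it, or say in the commit message (currently "No subject") why it and the debug endpoint section no longer apply.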