diff --git a/cloud-security/pentesting-kubernetes/namespace-escalation.md b/cloud-security/pentesting-kubernetes/namespace-escalation.md index 2d7d88b4..6b67e5f8 100644 --- a/cloud-security/pentesting-kubernetes/namespace-escalation.md +++ b/cloud-security/pentesting-kubernetes/namespace-escalation.md @@ -16,3 +16,15 @@ For more info about which privileges you can abuse read: ### Escape to the node +If you can escape to the node either because you have compromised a pod and you can escape or because you ca create a privileged pod and escape you could do several things to steal other SAs tokens: + +* Check for **SAs tokens mounted in other docker containers** running in the node +* Check for new **kubeconfig files in the node with extra permissions** given to the node +* If enabled (or enable it yourself) try to **create mirrored pods of other namespaces** as you might get access to those namespaces default token accounts (I haven't tested this yet) + +All these techniques are explained in: + +{% content-ref url="../../pentesting/pentesting-kubernetes/attacking-kubernetes-from-inside-a-pod.md" %} +[attacking-kubernetes-from-inside-a-pod.md](../../pentesting/pentesting-kubernetes/attacking-kubernetes-from-inside-a-pod.md) +{% endcontent-ref %} + diff --git a/pentesting/pentesting-kubernetes/README.md b/pentesting/pentesting-kubernetes/README.md index c6d91eca..2cbcc326 100644 --- a/pentesting/pentesting-kubernetes/README.md +++ b/pentesting/pentesting-kubernetes/README.md 
@@ -48,6 +48,12 @@ Another important details about enumeration and Kubernetes permissions abuse is [hardening-roles-clusterroles](hardening-roles-clusterroles/) {% endcontent-ref %} +### Privesc to a different Namespace + +If you have compromised a namespace you can potentially escape to other namespaces with more interesting permissions/resources: + + + ### From Kubernetes to the Cloud If you have compromised a K8s account or a pod, you might be able able to move to other clouds. This is because in clouds like AWS or GCP is possible to **give a K8s SA permissions over the cloud**. diff --git a/pentesting/pentesting-web/symphony.md b/pentesting/pentesting-web/symphony.md index e6924785..f2e58a9c 100644 --- a/pentesting/pentesting-web/symphony.md +++ b/pentesting/pentesting-web/symphony.md @@ -1,5 +1,7 @@ # Symphony +**This page was copied from** [**https://www.ambionics.io/blog/symfony-secret-fragment**](https://www.ambionics.io/blog/symfony-secret-fragment)**** + ## Introduction Since its creation in 2008, the use of the [Symfony](https://symfony.com) framework has been growing more and more in PHP based applications. It is now a core component of many well known CMSs, such as [Drupal](https://www.drupal.org), [Joomla!](https://www.joomla.org), [eZPlatform](https://ezplatform.com) (formerly eZPublish), or [Bolt](https://bolt.cm), and is often used to build custom websites. 
@@ -509,6 +511,8 @@ The exploit will therefore run through every possible variable combination, and ## Accessing symphony /\_profiler information +(info taken from [https://flattsecurity.hatenablog.com/entry/2020/11/02/124807](https://flattsecurity.hatenablog.com/entry/2020/11/02/124807)) + ![f:id:flattsecurity:20201021204553p:plain](https://cdn-ak.f.st-hatena.com/images/fotolife/f/flattsecurity/20201021/20201021204553.png) As you see the screenshot above, there is `sf` logo on the right bottom side of the page. This logo is shown when the Symfony is under the debug mode. There are some cases that this logo doesn’t show up, so try accessing `/_profiler` and you will see the page as shown below @@ -524,17 +528,3 @@ The Symfony framework itself is very secure, but enabling debug mode will make t As you see in the screenshot above, you can access all sent requests to the server. By clicking hashes in the token, you will see that all POST parameters can be read, as seen in the following screenshot. With this feature, we can hijack the administrator and user’s account credentials. ![f:id:flattsecurity:20201021204637p:plain](https://cdn-ak.f.st-hatena.com/images/fotolife/f/flattsecurity/20201021/20201021204637.png) - -### Other Debug Enabled Endpoints - -You should also check these URLs: - -* **https://example.com/app\_dev.php/\_profiler** -* **https://example.com/app\_dev.php**\ - - -## References - -* [**https://www.ambionics.io/blog/symfony-secret-fragment**](https://www.ambionics.io/blog/symfony-secret-fragment)**** -* [**https://flattsecurity.hatenablog.com/entry/2020/11/02/124807**](https://flattsecurity.hatenablog.com/entry/2020/11/02/124807)**** -* ****[**https://infosecwriteups.com/how-i-was-able-to-find-multiple-vulnerabilities-of-a-symfony-web-framework-web-application-2b82cd5de144**](https://infosecwriteups.com/how-i-was-able-to-find-multiple-vulnerabilities-of-a-symfony-web-framework-web-application-2b82cd5de144)****
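Review bot: typo in the first added line of the namespace-escalation.md hunk: "you ca create a privileged pod" should read "you can create a privileged pod", and "steal other SAs tokens" reads better as "steal the tokens of other SAs". The third bullet ("If enabled (or enable it yourself) try to create mirrored pods of other namespaces") carries the author's own caveat "I haven't tested this yet" at the very end; move that caveat to the front of the bullet so a reader does not take it as a confirmed technique, or hold the bullet back until it has been verified. As written, "If enabled" also gives the reader nothing to check, since the bullet never says which setting it refers to.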
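Review bot: the new "### Privesc to a different Namespace" section in the README.md hunk ends with a lead-in sentence that trails off in a colon followed by three empty added lines, so nothing actually follows "you can potentially escape to other namespaces with more interesting permissions/resources:". The surrounding sections in this file follow such a lead-in with a {% content-ref %} block (see the hardening-roles-clusterroles one in the context lines); this one presumably should point at the namespace-escalation.md page being extended in the same commit. Visible in the unchanged context, unrelated to the change: "you might be able able to move" has a doubled "able".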
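Review bot: the attribution line added at the top of symphony.md ends with a stray `****` after the closing link. That is an empty bold marker and, depending on the renderer, shows up as literal asterisks or an empty element; drop it so the line ends at the link. The same stray `****` pattern appears on the reference entries this patch removes, so it looks like a copy-paste leftover rather than intentional formatting.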
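Review bot: the "(info taken from https://flattsecurity.hatenablog.com/entry/2020/11/02/124807)" line added before the profiler screenshot in the @@ -509 hunk uses a different attribution style from the bold "This page was copied from" line added at the top of the same file. Pick one form for both so the page credits its two sources the same way, and place it so it reads as a source note for the section rather than a parenthetical floating between the heading and the image.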
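Review bot: the @@ -524 hunk removes more than the References list. The "### Other Debug Enabled Endpoints" section, with its two app_dev.php URLs, is deleted too, and nothing else in the patch re-adds it, so if the intent was only to move the source attributions inline, that section should stay. Of the three references removed, only the ambionics and flattsecurity links are relocated into the page body; the infosecwriteups link is dropped outright, so either re-add it where its material is used or the page loses one of its cited sources.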