deleted unnecessary pages and modified some techniques

Author: hdks-bug

src/exploit/container/docker/docker-escape.md

@@ -7,7 +7,7 @@ tags:
 refs:
     - https://book.hacktricks.xyz/linux-hardening/privilege-escalation/docker-breakout/docker-breakout-privilege-escalation
     - https://gist.github.com/PwnPeter/3f0a678bf44902eae07486c9cc589c25
-date: 2024-09-25
+date: 2024-12-24
 draft: false
 ---
 
@@ -26,6 +26,15 @@ ls -al /usr/local/sbin
 ls -al /usr/bin
 ls -al /bin
 
+# User enumeration
+cat /etc/passwd
+cat /etc/shadow
+getent passwd
+
+# Networks
+cat /etc/hosts
+cat /etc/resolv.conf
+
 # Bash history
 cat /root/.bash_history
 cat /home/<username>/.bash_history
@@ -75,8 +84,8 @@ capsh --print
 
 ### Access Another Host
 
-If we found another host but cannot access it by restrictions, we need to port forward.  
-Please see [details](/exploit/network/port-forwarding/port-forwarding-with-chisel) for port fowarding.
+If we found another host but cannot access it by restrictions, we need to **reverse port forward**.  
+Please see [details](/exploit/network/port-forwarding/port-forwarding-with-chisel).
 
 ### Import Required Binary from Local Machine
 

src/exploit/container/kubernetes/index.md

@@ -4,7 +4,7 @@ description: A portable, extensible, open source platform for managing container
 tags:
     - Container
 refs:
-date: 2024-08-11
+date: 2024-12-24
 draft: false
 ---
 
@@ -36,37 +36,28 @@ chmod +x /tmp/kubectl
 
 ## Investigation From Inside
 
-### JWT
-
 ```sh
+# JWT token
 cat /var/run/secrets/kubernetes.io/serviceaccount/token
 # if we find the token, decode it in https://jwt.io/
-```
-
-### Sensitive Information
 
-```sh
+# Sensitinve information
 ls -a /var/lib/k0s/containerd/
-```
 
-### Permissions
+# All information
+kubectl get all
 
-```sh
+# Permissions
 kubectl auth can-i --list
 # /var/run/secrets/kubernetes.io/serviceaccount/token
 kubectl auth can-i --list --token=<JWT>
-```
 
-### All Information
+# Roles
+kubectl get rolebindings -n <namespace>
+kubectl describe <bind_name> -n <namespace>
+kubectl describe role <role_name> -n <namespace>
 
-```sh
-# All information
-kubectl get all
-```
-
-### Pods
-
-```sh
+# Pods
 kubectl get pods
 # -A: List all pods across all namespaces
 kubectl get pods -A
@@ -75,62 +66,40 @@ kubectl get pods -A
 kubectl get pod <pod-name> -o yaml
 # Specify the namespace
 kubectl get pod <pod-name> -n <namespace> -o yaml
-
 # Get detailed information
 kubectl describe pods <pod-name>
 kubectl describe pod -n <namespace>
 # ClusterRole information
 kubectl describe clusterrole <role-name>
 # ClusterRoleBinding information
 kubectl describe clustrrolebinding <role-name>
-```
-
-### Services
 
-```sh
 # Services
 kubectl get svc
-```
-
-### Jobs
 
-```sh
 # Jobs
 kubectl get job -n <namespace>
 # -o: Output details
 kubectl get job -n <namespace> -o json
-```
 
-### Secrets
-
-```sh
 # Secrets
 kubectl get secrets
 kubectl get secrets -n <namespace>
-
 # Get the specific secret
 kubectl get secret <secret-name> -o json
 kubectl get secret <secret-name> -n <namespace> -o json
-
 # Edit the secret
 kubectl edit secret <secret-name>
 kubectl edit secret <secret-name> -n <namespace>
-
 # List all data contained in the specific secret
 kubectl describe secret <secret-name>
 kubectl describe secret <secret-name> -n <namespace>
-```
 
-### ServiceAccount
-
-```sh
-# Get a ServiceAccounts
+# ServiceAccounts
 kubectl get serviceaccount
 kubectl get serviceaccount -n <namespace>
-
 # Create a ServiceAccount
 kubectl create serviceaccount api-explorer
-
 # Bind the ClusterRole to a ServiceAccount
 # eg. namespace: default
 kubectl create rolebinding api-explorer:log-reader --clusterrole log-reader --serviceaccount default:api-explorer 

src/exploit/cryptography/conversion/convert-binary-to-int-in-python.md

@@ -5,7 +5,7 @@ tags:
     - Linux
     - Privilege Escalation
 refs:
-date: 2023-03-11
+date: 2024-12-24
 draft: false
 ---
 
@@ -42,3 +42,7 @@ Then click **“Configure…”** at the right of **“Discover network targets
 In the modal window, enter **“localhost:12345”** then click **“Done”**.  
 Now we should see the remote host appears at the bottom of the **“Remote Target”**.  
 Click **“inspect”** then new browser open. We can browse the website.
+
+### (Option) Find Credentials
+
+If the login page found when inspecting, we may see a credential in the developer tool at the right pane. Go to `Network` and click the target page such as `login.php` then go to the `Payload` tab. We can find credentials.

src/exploit/cryptography/conversion/convert-bytes-to-matrix-in-python.md

@@ -6,7 +6,7 @@ tags:
     - Remote Code Execution
 refs:
     - https://book.hacktricks.xyz/linux-hardening/privilege-escalation
-date: 2024-11-08
+date: 2024-12-24
 draft: false
 ---
 
@@ -59,13 +59,19 @@ For example above, we can search **`ubuntu 4.4.0-31-generic`** in search engines
 ## Interesting Information
 
 ```sh
-# Current user
+# Current user information
 whoami
 id
 id <username>
 groups
 groups <username>
 
+# Users and passwords
+cat /etc/passwd
+cat /etc/shadow
+# for NSS (Name Service Switch)
+getent passwd
+
 # Bash files
 # If we have the write permission for .bashrc or .profile, 
 # we can write arbitrary command to any line in that files.
@@ -201,19 +207,21 @@ cat /etc/mysql/mysql.conf.d/mysql.cnf
 
 # Nameserver
 cat /etc/resolv.conf
+
 # NFS settings
 cat /etc/exports
+
 # PAM
 cat /etc/pam.d/passwd
+
 # Sudo config
 cat /etc/sudoers
 cat /etc/sudoers.d/usersgroup
+
 # SSH config
 cat /etc/ssh/ssh_config
 cat /etc/ssh/sshd_config
-# Users and passwords
-cat /etc/passwd
-cat /etc/shadow
+
 # List of all groups on the system
 cat /etc/group