When Kubernetes CRD controller which is responsible to analyzing a specific CR is vulnerable, attackers may control certain custom resources and inject malicious payloads, which could trigger malicious behaviors when the controller parses, processes, stores the CRs, or generates other related resources.
Injections can be classified via 3 different way.
| id: maltrail-os-command-injection | |
| info: | |
| author: Esonhugh | |
| name: Unauthenticated OS Command Injection in stamparm/maltrail | |
| severity: critical | |
| description: | | |
| Maltrail <= v0.54 is vulnerable to unauthenticated OS command injection during the login process. | |
| reference: | |
| - "https://huntr.dev/bounties/be3c5204-fbd9-448d-b97c-96a8d2941e87/" |
| function docker_cme() { | |
| if [[ -z "$1" ]] | |
| then | |
| if [[ -n `sudo docker ps -a|grep crackmapexec` ]] | |
| then | |
| sudo docker start crackmapexec | |
| sudo docker exec -it crackmapexec sh | |
| else | |
| sudo docker run -it --entrypoint=/bin/bash --name crackmapexec byt3bl33d3r/crackmapexec | |
| fi |
| id: Ruoyi-default-password | |
| info: | |
| name: Ruoyi default password admin/admin123 | |
| author: Esonhugh-self-maintained | |
| severity: critical | |
| description: | | |
| Ruoyi default password admin admin123 | |
| tags: password,default,ruoyi | |
| stop-at-first-match: true |
| #!/usr/bin/env $SHELL | |
| # Author: Esonhugh | |
| # Date: 2023/04/05 21:01 | |
| function kube() { | |
| if [[ "$1" == "help" ]] | |
| then | |
| echo "============================================ KubeHack ============================================" | |
| echo "version\t\tkubectl hack plugin version." | |
| echo "server\t\tset env var.value is the kube api server endpoint. Example: https://127.0.0.1:6443" |
| #!/bin/zsh | |
| # Author: Esonhugh | |
| # Date: 2024/07/26 | |
| # Java is installed on mac with brew and IDEA | |
| # following path is the IDEA path and brew path | |
| # JAVA Alternatives | |
| export COMMON_JAVA_HOME="$HOME/Library/Java/JavaVirtualMachines" |
| #!/usr/bin/env $SHELL | |
| # Author: Esonhugh | |
| # Date: 2023/04/05 | |
| function pyactive () { | |
| if [ -d "./venv/" ] | |
| then | |
| source "./venv/bin/activate" | |
| else | |
| echo "No Python venv there. Error" |
| id: nacos-bypass-authentication | |
| variables: | |
| #token: eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJuYWNvcyIsImV4cCI6OTk5OTk5OTk5OTl9.vqhkMLKmquQ6R5AD6VWrTOqgClC599nnAQgQLHhPcLc | |
| # token is signed with a very long time expire. | |
| # token exp -1 | |
| token: eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJuYWNvcyIsImV4cCI6LTF9.ybUomrBRXZhbUMWVgXRz3Q6zndbF-Zdk4RGpCnV-Ofs | |
| info: | |
| name: Nacos Bypass Auth with default jwt secret |
| // explain: | |
| // fd > 5 always occurs when user create a new interface | |
| // fd = 5 is common command line shell. | |
| // fd = 10 termius will use this, other command line shell is not test yet. | |
| // This script can logging all communication of new ssh process when new login attempt happen. | |
| tracepoint:syscalls:sys_enter_write / comm == "sshd" && args->fd >= 5 / { | |
| printf("[pid %d fd %d] %r\n", pid, args->fd ,buf(args->buf, args->count )); | |
| } |
| /* | |
| Author: Esonhugh | |
| Date: 2023-01-16 | |
| */ | |
| #ifndef __CILIUM_COMMON_HEADER | |
| #define __CILIUM_COMMON_HEADER | |
| #include <linux/vmlinux.h> | |
| #include <bpf/bpf_helpers.h> | |
| #include <bpf/bpf_core_read.h> |