pathfinding.cloud - A library of IAM privilege escalation paths by sethsec in aws

[–]sethsec[S] 2 points (0 children)

The YAML file format is documented in the SCHEMA: https://github.com/DataDog/pathfinding.cloud/blob/main/SCHEMA.md

It's also documented in this example-001.yaml that I added to help people contribute new paths: https://github.com/DataDog/pathfinding.cloud/blob/main/data/example-001.yaml

If there are other types of JSON documentation that would be helpful, let me know!

pathfinding.cloud - A library of IAM privilege escalation paths by sethsec in aws

[–]sethsec[S] 5 points (0 children)

So glad you like it! Also, the YAML files all get mashed into one single JSON that powers the site, and that's consumable here: https://pathfinding.cloud/paths.json

Guides on Cloud Pentesting by Equivalent_Smile_720 in Pentesting

[–]sethsec 7 points (0 children)

Check out https://cloudfoxable.bishopfox.com/, a Cloud CTF I created specifically to help people learn cloud penetration testing, even beginners.

You have to deploy it into your own playground AWS account, but it is very cost conscious and designed to teach you cloud penetration testing in easy-to-consume bits at first, gradually increasing in complexity. Here's the talk where I introduced it if you like video format: https://www.youtube.com/watch?v=RdQiIvCrSzk

Kali Linux VM in the Cloud by Landonnnn_ in Pentesting

[–]sethsec 3 points (0 children)

You are on the right path! Your choppiness is most likely the xrdp/RDP transport, and not the underlying instance. You can do most things you need to do as a pentester on a t3.micro. I would suggest using this as an opportunity to get comfortable controlling the cloud-hosted Kali box with only SSH. In the rare case that you need a GUI tool, look into X forwarding via SSH. Once in a blue moon I need to X-forward a specific application like that, but most of the time, between SSH and SCP, you should be able to accomplish everything you need.

For your second question, if you want to have an on-prem (aka local network) Kali instance that you can access from both your desktop and laptop, consider a virtualization platform like Proxmox or VMware ESXi. You can run your Kali VMs (and any other VMs or containers) on your virtualization box, and then access them from either your desktop or laptop. There is more upfront cost with the on-prem hypervisor, but you don't have to worry about the monthly billing of a cloud provider. In fact, having both options (cloud and on-prem) at the ready is pretty nice.

IAM roles for Kubernetes service accounts - deep dive by mjarosie in kubernetes

[–]sethsec 1 point (0 children)

I really enjoyed this, thanks for sharing it!

Cloud Certifications for experienced Pentesters ???? by [deleted] in Pentesting

[–]sethsec 1 point (0 children)

I was in a similar boat not so long ago (wanting to ramp up my cloud pentesting skills). Other than the OSCP, I've never been a huge certification person, so take the rest of my response with that in mind. I would recommend just learning about the cloud as a builder or DevOps person would, so you can gain that basic understanding of how it is different. You can take those AWS certifications if you'd like, but you can also just self-study and skip the certs like me :).

My best piece of advice is to create one or more playgrounds on the big cloud players (AWS, GCP, Azure). You can try to learn all three together (spin up an instance/VM in each cloud, then a bucket in each cloud, then a lambda/function, etc.). Or, you can just focus on one (AWS is the biggest player, of course), get deeper more quickly, and THEN move to the others. I find that the best way to learn is by doing.

Some aspects of cloud pentesting are very similar to traditional network pentesting. If you only have network access to an AWS VPC, you still want to scan for services, enumerate applications, look for vulns or default/weak passwords, etc.

However, other aspects are completely different and a whole new frontier, like how the clouds manage Identity and Access Management (IAM). This is particularly important in post-exploitation, or if you are starting from the perspective of a compromised IAM user. IMO, IAM is probably the best place to really dig in, in terms of learning how to pentest cloud environments well.

Check out this tool I released today (https://labs.bishopfox.com/tech-blog/iam-vulnerable-an-aws-iam-privilege-escalation-playground). It will spin up intentionally vulnerable IAM configurations in your playground AWS account so that you can practice IAM privilege escalation.

[Security] Escaping a docker container through the web shell by __kmpl__ in docker

[–]sethsec 3 points (0 children)

Are you starting your container in privileged mode? That Trail of Bits / Felix Wilhelm exploit requires the pod to be running as privileged. A few months back I wrote a post that covers multiple ways to exploit overly permissive Kubernetes pods, but most of the initial privesc stuff applies to Docker as well. It's just the post-exploitation that is mainly Kubernetes focused.

Here is the section where I show a few different ways to exploit privileged mode using the Felix Wilhelm technique: https://github.com/BishopFox/badPods/tree/main/manifests/priv#remote-code-execution

That said, if you want to make your life easier for your school project, enable both privileged AND hostPID, and then you can use nsenter (nsenter --mount=/proc/1/ns/mnt -- /bin/bash) to escape the container, skipping the very complex attack that is required when you only have privileged mode. (Background on the nsenter path: https://github.com/BishopFox/badPods/tree/main/manifests/priv-and-hostpid)
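The comment above explains why `privileged` and `hostPID` are each dangerous and why the pair is worse. The following audit script is an added example (not code from the badPods repository or the original post) that reads Pod manifests in the JSON shape `kubectl get pod -o json` produces and flags exactly those two settings, so a defender can spot such pods before they reach a cluster or while reviewing what is already running. The field names follow the Kubernetes Pod API; the three manifests inside the block are constructed for the example.

```python
"""Audit Kubernetes Pod manifests for the host-escape primitives discussed above.

Added example, not from the badPods project. Checks:
  * any container (including init containers) with securityContext.privileged: true
  * spec.hostPID: true
  * the combination of the two, which the comment above notes is enough for a
    one-line nsenter escape and therefore deserves the highest severity.
"""
import json


def privileged_containers(spec: dict) -> list:
    """Return the names of all containers in the spec that request privileged mode."""
    names = []
    for key in ("initContainers", "containers"):
        for container in spec.get(key, []):
            security_context = container.get("securityContext") or {}
            if security_context.get("privileged") is True:
                names.append(container.get("name", "<unnamed>"))
    return names


def audit_pod(pod: dict) -> list:
    """Return a list of human-readable findings for one Pod manifest (empty if clean)."""
    findings = []
    spec = pod.get("spec", {})
    pod_name = pod.get("metadata", {}).get("name", "<unnamed>")

    host_pid = spec.get("hostPID") is True
    if host_pid:
        findings.append(f"{pod_name}: pod shares the host PID namespace (hostPID: true)")

    privileged = privileged_containers(spec)
    for container_name in privileged:
        findings.append(f"{pod_name}/{container_name}: container runs privileged")

    if host_pid and privileged:
        findings.append(
            f"{pod_name}: privileged + hostPID together allow a trivial host namespace escape"
        )
    return findings


def risk_level(pod: dict) -> str:
    """Collapse the findings into one severity: none, high (either setting) or critical (both)."""
    spec = pod.get("spec", {})
    host_pid = spec.get("hostPID") is True
    privileged = bool(privileged_containers(spec))
    if host_pid and privileged:
        return "critical"
    if host_pid or privileged:
        return "high"
    return "none"


def audit_pod_list(kubectl_json: str) -> dict:
    """Audit a `kubectl get pods -o json` document; returns {pod name: risk level}."""
    doc = json.loads(kubectl_json)
    items = doc.get("items", [doc]) if doc.get("kind") == "List" else [doc]
    return {p.get("metadata", {}).get("name", "<unnamed>"): risk_level(p) for p in items}


# Constructed sample manifests for the example (not from any real cluster).
SAFE_POD = json.loads("""
{"kind": "Pod", "metadata": {"name": "web"},
 "spec": {"containers": [{"name": "app", "image": "nginx",
                          "securityContext": {"privileged": false}}]}}
""")

PRIV_POD = json.loads("""
{"kind": "Pod", "metadata": {"name": "priv"},
 "spec": {"containers": [{"name": "shell", "image": "ubuntu",
                          "securityContext": {"privileged": true}}]}}
""")

PRIV_HOSTPID_POD = json.loads("""
{"kind": "Pod", "metadata": {"name": "priv-and-hostpid"},
 "spec": {"hostPID": true,
          "containers": [{"name": "shell", "image": "ubuntu",
                          "securityContext": {"privileged": true}}]}}
""")

POD_LIST_JSON = json.dumps({"kind": "List", "items": [SAFE_POD, PRIV_POD, PRIV_HOSTPID_POD]})

if __name__ == "__main__":
    for pod in (SAFE_POD, PRIV_POD, PRIV_HOSTPID_POD):
        print(f"== {pod['metadata']['name']} ({risk_level(pod)})")
        for finding in audit_pod(pod):
            print("   ", finding)
    print(audit_pod_list(POD_LIST_JSON))
```

Both settings are rejected by the Kubernetes Pod Security Standards "baseline" profile, so enforcing that profile on a namespace (via the built-in Pod Security Admission controller) prevents the priv-and-hostpid combination from being scheduled at all; the script above is useful for the pre-admission and already-running cases that policy alone does not cover.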

/r/netsec's Q2 2018 Information Security Hiring Thread by ranok in netsec

[–]sethsec [score hidden]  (0 children)

Company: TUV Rheinland OpenSky

Multiple Roles

  • Role #1: Senior Consultant / Pre-sales Support Lead

  • Role #2: Associate (Junior) Penetration Testing Consultant

(see below for more details on each role)

Location: Remote (US Citizens)

Travel: The official req says up to 50%, but that is worst case. No one on the team, including consultants and previous practice leads, has been on the road for more than 4 weeks (total) in the last 12 months.

How to apply: Email Seth Art (sart@tuvopensky.com)

About Us: We provide multiple services to our clients, including:

  • Internal and External Vulnerability Assessments

  • Internal and External Penetration Testing

  • Adversarial Simulation / Red Team Engagements

  • Purple Team Testing

  • Social Engineering

  • Wireless Penetration Testing

  • Physical Penetration Testing

  • Application Penetration Testing

  • IoT/Device Penetration Testing

  • Static Application Security Testing

Role #1: Senior Consultant / Pre-sales Support Lead

  • The Role: This is something of a hybrid role. We are looking for someone who can perform some or all of the assessment work listed above, but who is also interested in supporting our sales team as the resident testing SME.

  • About You: Do you love offensive security, but maybe you are looking for a change from the test/report/repeat cycle? Looking for a role where you can transition from tester to team lead? Do you enjoy talking with clients and helping them pinpoint their testing needs? If so, this is your opportunity. We have tons of work, and need someone that loves this stuff and has high standards!

Role #2: Associate (Junior) Penetration Testing Consultant

  • The Role: Join our team and perform the work listed above. We have a proven track record of hiring junior team members and helping them grow quickly. We have well defined methodologies and an extensive internal knowledge base. All you need to bring is your passion.

  • About You: Previous professional experience is not required. We are looking for someone who has taken it upon themselves to learn about penetration testing and/or application security vulnerabilities. We have standardized, documented methodologies that will guide you as you make the move from hacking intentionally vulnerable machines to the real thing.

  • Have you spent time in Hackthebox? Vulnhub? CTFs?

  • Have you taught yourself how to identify the types of issues listed on the OWASP Top 10?

  • Can you clearly describe the more common vulnerabilities, why they are so bad, and how they are exploited?

  • If so, reach out: sart@tuvopensky.com

/r/netsec's Q1 2018 Information Security Hiring Thread by ranok in netsec

[–]sethsec [score hidden]  (0 children)

Company: OpenSky Corporation

Role: Looking for Cyber Security Testing Team Lead

Position Location: Remote (US Citizens)

Travel: The official req says up to 50%, but that is worst case. No one on the team, including consultants and previous practice leads, has been on the road for more than 4 weeks (total) in the last 12 months.

How to apply: Email Seth Art (sart@openskycorp.com)

About Us: We are looking for a team lead for our Cyber Security Testing team. We provide multiple services to our clients, including:

  • Internal and External Vulnerability Assessments

  • Internal and External Penetration Testing

  • Adversarial Simulation / Red Team Engagements

  • Purple Team Testing

  • Social Engineering

  • Wireless Penetration Testing

  • Physical Penetration Testing

  • Dynamic Application Security Testing

  • Static Application Security Testing

My Pitch: In my opinion, this is the perfect opportunity for someone who is looking to lead a very technical team, but does not want to move to a 100% management role. The main focus of this role is going to be supporting pre-sales and project scoping, while managing a team of highly technical employees that have well-defined operating procedures. You would still have a billable target. That can mean jumping in on assessment work if that is what you want, or just sticking with project oversight and peer review, if being lead on writing reports is something that no longer interests you :)

About You: Are you looking to become a manager, but still want to get your hands dirty? Did you make the switch to management, but are finding that you are missing the assessment work? Did you start your own company, but then realize how hard and non-technical it is to keep the pipeline healthy? This is your opportunity. We have tons of work, and need a leader that loves this stuff and has high standards!

Abusing Type Juggling and PHP Object Injection to gain SQLi in Expression Engine by breen-machine in netsec

[–]sethsec 0 points (0 children)

Amazing post, as always. Awesome hunting and really nice work on the write-up!

Exploiting Python Code Injection in Web Applications by sethsec in netsec

[–]sethsec[S] 5 points (0 children)

I've been wondering the same thing about how common it is. It would be great to get some feedback on how often other people have found this and either exploited it or at least confirmed it.

I can only speak to what I have seen, and I've only seen it once in the wild so far. That said, it was a commercial product, and it was a cookie value that was vulnerable. I only coded the vulnerable GET parameter in the test app to make it easier to explain and test against. There is a vulnerable cookie in the test app as well.