From 13cd85219b4fc36a8473a09f08689dd13d3d034a Mon Sep 17 00:00:00 2001 From: carlospolop Date: Sun, 11 May 2025 17:04:02 +0200 Subject: [PATCH] a --- .../az-tokens-and-public-applications.md | 20 +++++++++++++++++++ .../attacking-kubernetes-from-inside-a-pod.md | 1 + .../kubernetes-hardening/README.md | 15 ++++++++++---- .../kubernetes-kyverno-bypass.md | 3 +++ 4 files changed, 35 insertions(+), 4 deletions(-) diff --git a/src/pentesting-cloud/azure-security/az-basic-information/az-tokens-and-public-applications.md b/src/pentesting-cloud/azure-security/az-basic-information/az-tokens-and-public-applications.md index 14c25ae5c..428ece7a0 100644 --- a/src/pentesting-cloud/azure-security/az-basic-information/az-tokens-and-public-applications.md +++ b/src/pentesting-cloud/azure-security/az-basic-information/az-tokens-and-public-applications.md 
@@ -208,6 +208,26 @@ microsoft_office_bearer_tokens_for_graph_api = ( pprint(microsoft_office_bearer_tokens_for_graph_api) ``` +## Where to find tokens + +From an attackers perspective it's very interesting to know where is it possible to find access and refresh tokens when for example the PC of a victim is compromised: + +- Inside **`/.Azure`** + - **`azureProfile.json`** contains info about logged in users from the past + - **`clouds.config contains`** info about subscriptions + - **`service_principal_entries.json`** contains applications credentials (tenant id, clients and secret). Only in Linux & macOS + - **`msal_token_cache.json`** contains contains access tokens and refresh tokens. Only in Linux & macOS + - **`service_principal_entries.bin`** and msal_token_cache.bin are used in Windows and are encrypted with DPAPI + - **`msal_http_cache.bin`** is a cache of HTTP request + - Load it: `with open("msal_http_cache.bin", 'rb') as f: pickle.load(f)` + - **`AzureRmContext.json`** contains information about previous logins using Az PowerShell (but no credentials) +- Inside **`C:\Users\\AppData\Local\Microsoft\IdentityCache\*`** are several `.bin` files with **access tokens**, ID tokens and account information encrypted with the users DPAPI. +- It’s possible to find more **access tokens** in the `.tbres` files inside **`C:\Users\\AppData\Local\Microsoft\TokenBroken\Cache\`** which contain a base64 encrypted with DPAPI with access tokens. +- In Linux and macOS you can get **access tokens, refresh tokens and id tokens** from Az PowerShell (if used) running `pwsh -Command "Save-AzContext -Path /tmp/az-context.json"` + - In Windows this just generates id tokens. 
+ - Possible to see if Az PowerShell was used in Linux and macSO checking is `$HOME/.local/share/.IdentityService/` exists (although the contained files are empty and useless) +- If the user is **logged inside Azure with the browser**, according to this [**post**](https://www.infosecnoodle.com/p/obtaining-microsoft-entra-refresh?r=357m16&utm_campaign=post&utm_medium=web) it's possible to start the authentication flow with a **redirect to localhost**, make the browser automatically authorize the login, and receive the resh token. Note that there are only a few FOCI applications that allow redicet to localhost (like az cli or the powershell module), so these applications must be allowed. + ## References - [https://github.com/secureworks/family-of-client-ids-research](https://github.com/secureworks/family-of-client-ids-research) diff --git a/src/pentesting-cloud/kubernetes-security/attacking-kubernetes-from-inside-a-pod.md b/src/pentesting-cloud/kubernetes-security/attacking-kubernetes-from-inside-a-pod.md index 6a96dd2da..51cdd7983 100644 --- a/src/pentesting-cloud/kubernetes-security/attacking-kubernetes-from-inside-a-pod.md +++ b/src/pentesting-cloud/kubernetes-security/attacking-kubernetes-from-inside-a-pod.md @@ -127,6 +127,7 @@ If you managed to **escape from the container** there are some interesting thing - `/var/lib/kubelet/config.yaml` - `/var/lib/kubelet/kubeadm-flags.env` - `/etc/kubernetes/kubelet-kubeconfig` + - `/etc/kubernetes/admin.conf` --> `kubectl --kubeconfig /etc/kubernetes/admin.conf get all -n kube-system` - Other **kubernetes common files**: - `$HOME/.kube/config` - **User Config** - `/etc/kubernetes/kubelet.conf`- **Regular Config** diff --git a/src/pentesting-cloud/kubernetes-security/kubernetes-hardening/README.md b/src/pentesting-cloud/kubernetes-security/kubernetes-hardening/README.md index 0ef7c1d83..06350c449 100644 --- a/src/pentesting-cloud/kubernetes-security/kubernetes-hardening/README.md 
+++ b/src/pentesting-cloud/kubernetes-security/kubernetes-hardening/README.md @@ -36,6 +36,10 @@ curl -s https://raw.githubusercontent.com/kubescape/kubescape/master/install.sh kubescape scan --verbose ``` +### [**Popeye**](https://github.com/derailed/popeye) + +[**Popeye**](https://github.com/derailed/popeye) is a utility that scans live Kubernetes cluster and **reports potential issues with deployed resources and configurations**. It sanitizes your cluster based on what's deployed and not what's sitting on disk. By scanning your cluster, it detects misconfigurations and helps you to ensure that best practices are in place, thus preventing future headaches. It aims at reducing the cognitive \_over_load one faces when operating a Kubernetes cluster in the wild. Furthermore, if your cluster employs a metric-server, it reports potential resources over/under allocations and attempts to warn you should your cluster run out of capacity. + ### [**Kube-bench**](https://github.com/aquasecurity/kube-bench) The tool [**kube-bench**](https://github.com/aquasecurity/kube-bench) is a tool that checks whether Kubernetes is deployed securely by running the checks documented in the [**CIS Kubernetes Benchmark**](https://www.cisecurity.org/benchmark/kubernetes/).\ 
@@ -97,10 +101,6 @@ kube-hunter --remote some.node.com ## **Audit IaC Code** -### [**Popeye**](https://github.com/derailed/popeye) - -[**Popeye**](https://github.com/derailed/popeye) is a utility that scans live Kubernetes cluster and **reports potential issues with deployed resources and configurations**. It sanitizes your cluster based on what's deployed and not what's sitting on disk. By scanning your cluster, it detects misconfigurations and helps you to ensure that best practices are in place, thus preventing future headaches. It aims at reducing the cognitive \_over_load one faces when operating a Kubernetes cluster in the wild. Furthermore, if your cluster employs a metric-server, it reports potential resources over/under allocations and attempts to warn you should your cluster run out of capacity. - ### [**KICS**](https://github.com/Checkmarx/kics) [**KICS**](https://github.com/Checkmarx/kics) finds **security vulnerabilities**, compliance issues, and infrastructure misconfigurations in the following **Infrastructure as Code solutions**: Terraform, Kubernetes, Docker, AWS CloudFormation, Ansible, Helm, Microsoft ARM, and OpenAPI 3.0 specifications @@ -208,6 +208,13 @@ You should update your Kubernetes environment as frequently as necessary to have - cloud controller manager, if you use one. - Upgrade the Worker Node components such as kube-proxy, kubelet. +## Kubernetes monitoring & security: + +- Kyverno Policy Engine +- Cilium Tetragon - eBPF-based Security Observability and Runtime Enforcement +- Network Security Policies +- Falco - Runtime security monitoring & detection + {{#include ../../../banners/hacktricks-training.md}} diff --git a/src/pentesting-cloud/kubernetes-security/kubernetes-kyverno/kubernetes-kyverno-bypass.md b/src/pentesting-cloud/kubernetes-security/kubernetes-kyverno/kubernetes-kyverno-bypass.md index ac912573c..fbc46f318 100644 --- a/src/pentesting-cloud/kubernetes-security/kubernetes-kyverno/kubernetes-kyverno-bypass.md 
+++ b/src/pentesting-cloud/kubernetes-security/kubernetes-kyverno/kubernetes-kyverno-bypass.md @@ -2,6 +2,7 @@ **The original author of this page is** [**Guillaume**](https://www.linkedin.com/in/guillaume-chapela-ab4b9a196) + ## Abusing policies misconfiguration ### Enumerate rules @@ -59,5 +60,7 @@ Another way to bypass policies is to focus on the ValidatingWebhookConfiguration ../kubernetes-validatingwebhookconfiguration.md {{#endref}} +## More info +For more info check [https://madhuakula.com/kubernetes-goat/docs/scenarios/scenario-22/securing-kubernetes-clusters-using-kyverno-policy-engine/welcome/](https://madhuakula.com/kubernetes-goat/docs/scenarios/scenario-22/securing-kubernetes-clusters-using-kyverno-policy-engine/welcome/)
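Review bot: in the `## Where to find tokens` hunk of `az-tokens-and-public-applications.md`, the `pickle.load` one-liner under `msal_http_cache.bin` is missing `import pickle`, and unpickling a file lifted from a compromised host executes whatever the pickle stream says; the bullet should tell the reader to inspect it with `pickletools.dis` first or only load it inside a throwaway analysis VM, not on the operator's own box. Same hunk: the directory is `TokenBroker`, not `TokenBroken`, and both `C:\Users\\AppData\Local\Microsoft\IdentityCache\*` and the `TokenBroker\Cache\` path lost their `<username>` segment. The bold in `**`clouds.config contains`**` wraps the verb instead of the filename, `contains contains` is doubled, and `macSO`, `resh token` and `redicet` are typos. The infosecnoodle link carries `?r=...&utm_campaign=post&utm_medium=web` tracking parameters that should be stripped. The `Save-AzContext` bullet states that on Windows the export only yields ID tokens; back that with a reference or a reproduction note, since it contradicts what the Linux/macOS bullet promises. Finally, the last bullet leaves "these applications must be allowed" unexplained: say which side has to allow them (the tenant's app restrictions or Conditional Access) and which client id and localhost redirect the flow uses, or the reader cannot reproduce it.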
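Review bot: in the `attacking-kubernetes-from-inside-a-pod.md` hunk, `/etc/kubernetes/admin.conf` is the kubeadm-generated kubeconfig carrying cluster-admin credentials and is written root-only (0600) on control-plane nodes, so the bullet should say it is only reachable after escaping onto a control-plane node as root; otherwise readers will hunt for it on every worker. The suggested command only lists `kube-system`; `kubectl --kubeconfig /etc/kubernetes/admin.conf auth can-i --list` shows the privilege level directly and is the check worth recording. The `-->` arrow also breaks the style of the surrounding bullets, which are bare paths with the command, if any, on the following line.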
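Review bot: the new Popeye section in `kubernetes-hardening/README.md` (hunk `@@ -36,6 +36,10 @@`) has no install or run command, while the neighbouring Kubescape and kube-bench sections each show one; add the equivalent, at minimum a bare `popeye` run against the current kubeconfig context, so the section is usable. The paragraph is the project's README pasted verbatim, including the escaped `\_over_load`, which renders as a literal backslash; either trim it to one or two sentences in the page's own voice or quote it with attribution and fix the emphasis markup. Relocating it out of `## Audit IaC Code` (the `@@ -97,10 +101,6 @@` hunk) is correct, since Popeye inspects the live cluster rather than manifests on disk.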
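Review bot: in the `@@ -208,6 +208,13 @@` hunk of `kubernetes-hardening/README.md`, the heading `## Kubernetes monitoring & security:` ends with a colon, which no other heading on the page does, and the four bullets are bare names with no links or one-line descriptions, unlike every tool section above them. Kyverno is an admission-control policy engine rather than monitoring, and this same commit touches the repo's `kubernetes-kyverno/` page, so the bullet should `{{#ref}}` it; "Network Security Policies" should use the Kubernetes object name `NetworkPolicy`; Tetragon and Falco need their repository URLs so the entries match the rest of the page.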
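Review bot: in the `@@ -59,5 +60,7 @@` hunk of `kubernetes-kyverno-bypass.md`, `## More info` is a bare URL repeated as its own link text, pointing at a Kubernetes Goat scenario about deploying Kyverno defensively; on a page about bypasses, give the link a title and one line on what the reader gets there (a hands-on lab cluster with Kyverno policies to test the bypasses against), so it does not read as an unrelated reference. The `@@ -2,6 +2,7 @@` hunk in the same file only adds a blank line and needs no change.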