From 577457e9ab9976ffeafd8d5575657d9b4c4835ce Mon Sep 17 00:00:00 2001
From: Carlos Polop
Date: Wed, 17 Dec 2025 11:01:25 +0100
Subject: [PATCH] f

---
 .../aws-ecr-post-exploitation/README.md | 40 ++++++++--
 .../kubernetes-hardening/README.md | 77 +++++++++++++++++++
 2 files changed, 112 insertions(+), 5 deletions(-)

diff --git a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-ecr-post-exploitation/README.md b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-ecr-post-exploitation/README.md
index e95fddbb4..a46203be4 100644
--- a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-ecr-post-exploitation/README.md
+++ b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-ecr-post-exploitation/README.md
@@ -95,11 +95,6 @@ aws ecr-public batch-delete-image --repository-name your-ecr-repo-name --image-i
 ```
-
-
-
-
-
 ### Exfiltrate upstream registry credentials from ECR Pull‑Through Cache (PTC)
 If ECR Pull‑Through Cache is configured for authenticated upstream registries (Docker Hub, GHCR, ACR, etc.), the upstream credentials are stored in AWS Secrets Manager with a predictable name prefix: `ecr-pullthroughcache/`. Operators sometimes grant ECR admins broad Secrets Manager read access, enabling credential exfiltration and reuse outside AWS.
@@ -218,4 +213,39 @@ aws ecr put-registry-scanning-configuration --region $REGION --scan-type BASIC -
 aws ecr put-account-setting --region $REGION --name BASIC_SCAN_TYPE_VERSION --value AWS_NATIVE
 ```
+
+### Scan ECR images for vulenrabilities
+
+```bash
+#!/bin/bash
+
+# This script pulls all images from ECR and runs snyk on them showing vulnerabilities for all images
+
+region=
+profile=
+
+registryId=$(aws ecr describe-registry --region $region --profile $profile --output json | jq -r '.registryId')
+
+# Configure docker creds
+aws ecr get-login-password --region $region --profile $profile | docker login --username AWS --password-stdin $registryId.dkr.ecr.$region.amazonaws.com
+
+while read -r repo; do
+echo "Working on repository $repo"
+digest=$(aws ecr describe-images --repository-name $repo --image-ids imageTag=latest --region $region --profile $profile --output json | jq -r '.imageDetails[] | .imageDigest')
+if [ -z "$digest" ]
+then
+echo "No images! Empty repository"
+continue
+fi
+url=$registryId.dkr.ecr.$region.amazonaws.com/$repo@$digest
+echo "Pulling $url"
+docker pull $url
+echo "Scanning $url"
+snyk container test $url --json-file-output=./snyk/$repo.json --severity-threshold=high
+# trivy image -f json -o ./trivy/$repo.json --severity HIGH,CRITICAL $url
+# echo "Removing image $url"
+# docker image rm $url
+done < <(aws ecr describe-repositories --region $region --profile $profile --output json | jq -r '.repositories[] | .repositoryName')
+```
+
 {{#include ../../../../banners/hacktricks-training.md}}
diff --git a/src/pentesting-cloud/kubernetes-security/kubernetes-hardening/README.md b/src/pentesting-cloud/kubernetes-security/kubernetes-hardening/README.md
index 64bb8e252..1059b98ea 100644
--- a/src/pentesting-cloud/kubernetes-security/kubernetes-hardening/README.md
+++ b/src/pentesting-cloud/kubernetes-security/kubernetes-hardening/README.md
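Review bot: The `latest`-only lookup in the ECR script misreports repositories: `aws ecr describe-images --image-ids imageTag=latest` errors for any repository whose images are not tagged `latest`, so a populated repository is reported as "No images! Empty repository" and skipped, and without `set -euo pipefail` the AWS error only lands on the terminal. ECR repository names may also contain `/` (namespaced repositories), so `--json-file-output=./snyk/$repo.json` points into a directory that does not exist, and `$repo`, `$url`, `$region` and `$profile` are expanded unquoted throughout. Consider `--json-file-output="./snyk/${repo//\//_}.json"` after `mkdir -p ./snyk`, quoting `"$url"` and `"$repo"`, and a message such as `echo "No image tagged latest in $repo"`. The heading also misspells "vulnerabilities".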
@@ -179,6 +179,83 @@ helm template chart /path/to/chart \
 ```
+## Scan dependency issues
+
+### Scan images
+
+```bash
+#!/bin/bash
+export images=$(kubectl get pods --all-namespaces -o jsonpath="{range .items[]}{.spec.containers[].image}{'\n'}{end}" | sort | uniq)
+echo "All images found: $images"
+echo ""
+echo ""
+for image in $images; do
+# Run trivy scan and save JSON output
+trivy image --format json --output /tmp/result.json --severity HIGH,CRITICAL "$image" >/dev/null 2>&1
+# Extract binary targets that have vulnerabilities
+binaries=$(jq -r '.Results[] | select(.Vulnerabilities != null) | .Target' /tmp/result.json)
+if [ -n "$binaries" ]; then
+echo "- **Image:** $image"
+while IFS= read -r binary; do
+echo " - **Binary:** $binary"
+jq -r --arg target "$binary" '
+.Results[] | select(.Target == $target) | .Vulnerabilities[] |
+" - **\(.Title)** (\(.Severity)): Affecting `\(.PkgName)` fixed in version `\(.FixedVersion)` (current version is `\(.InstalledVersion)`)."
+' /tmp/result.json
+done <<< "$binaries"
+echo ""
+echo ""
+echo ""
+fi
+done
+```
+
+### Scan Helm charts
+
+```bash
+#!/bin/bash
+# scan-helm-charts.sh
+# This script lists all Helm releases, renders their manifests,
+# and then scans each manifest with Trivy for configuration issues.
+
+# Check that jq is installed
+if ! command -v jq &>/dev/null; then
+echo "jq is required but not installed. Please install jq and rerun."
+exit 1
+fi
+
+# List all helm releases and extract namespace and release name
+echo "Listing Helm releases..."
+helm list --all-namespaces -o json | jq -r '.[] | "\(.namespace) \(.name)"' > helm_releases.txt
+
+# Check if any releases were found
+if [ ! -s helm_releases.txt ]; then
+echo "No Helm releases found."
+exit 0
+fi
+
+# Loop through each Helm release and scan its rendered manifest
+while IFS=" " read -r namespace release; do
+echo "---------------------------------------------"
+echo "Scanning Helm release '$release' in namespace '$namespace'..."
+# Render the Helm chart manifest
+manifest_file="${release}-manifest.yaml"
+helm get manifest "$release" -n "$namespace" > "$manifest_file"
+if [ $? -ne 0 ]; then
+echo "Failed to get manifest for $release in $namespace. Skipping."
+continue
+fi
+# Scan the manifest with Trivy (configuration scan)
+echo "Running Trivy config scan on $manifest_file..."
+trivy config --severity MEDIUM,HIGH,CRITICAL "$manifest_file"
+echo "Completed scan for $release."
+done < helm_releases.txt
+
+echo "---------------------------------------------"
+echo "Helm chart scanning complete."
+```
+
+
 ## Tips
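Review bot: The image-scan loop writes every result to a fixed `/tmp/result.json` and discards trivy's exit status with `>/dev/null 2>&1`, so when a scan fails (image not pullable, registry auth) the following `jq` calls parse the previous image's file and report its findings under the current `$image`; a predictable path in a shared `/tmp` is also writable by other local users. Create the file per run with `result=$(mktemp)` and gate on the scan: `trivy image --format json --output "$result" --severity HIGH,CRITICAL "$image" >/dev/null 2>&1 || { echo "scan failed for $image" >&2; continue; }`, then pass `"$result"` to both `jq` invocations and remove it at the end of the loop. In the Helm script `manifest_file="${release}-manifest.yaml"` collides when the same release name exists in two namespaces and leaves the rendered manifests in the working directory; `manifest_file="${namespace}-${release}-manifest.yaml"` inside a `mktemp -d` directory avoids the overwrite. The jsonpath presumably only reads `.spec.containers`, so init and ephemeral containers are not scanned — worth a comment or extending the expression to `.spec.initContainers`.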