Privilege Escalation in AWS Elastic Kubernetes Service (EKS) by compromising the instance role of worker nodes

In this post, we discuss the risks of the AWS Instance Metadata service in AWS Elastic Kubernetes Service (EKS) clusters. In particular, we demonstrate that compromising a pod in the cluster can have disastrous consequences on resources in the AWS account if access to the Instance Metadata service is not explicitly blocked. Introduction For the purposes of this post, we’ll use an EKS cluster running Kubernetes v1.17.9 and created with eksctl. We could also have created the cluster using Terraform or CloudFormation. Once we created the cluster, we can use the AWS CLI to update our kubectl configuration file forContinue reading… Privilege Escalation in AWS Elastic Kubernetes Service (EKS) by compromising the instance role of worker nodes


Continue reading

Automating the provisioning of Active Directory labs in Azure

Today, I’m releasing Adaz, a project aimed at automating the provisioning of hunting-oriented Active Directory labs in Azure. This post is the making of, where we walk through how to leverage Terraform and Ansible to spin up full-blown Active Directory environments with Windows Server 2019 and Windows 10 machines.


Continue reading

They told me I could be anything, so I became a Kubernetes node – Using K3s for command and control on compromised Linux hosts

In their RSA 2020 talk Advanced Persistence Threats: The Future of Kubernetes Attacks, Ian Coldwater and Brad Geesaman demonstrated that K3s, a lightweight version of Kubernetes, can be used to backdoor compromised Kubernetes clusters. This post describes how K3s can also serve as an easy command and control (C2) mechanism to remotely control compromised Linux machines. 3+


Continue reading

Hidden in PEB Sight: Hiding Windows API Imports With a Custom Loader

In this post, we look at different techniques to hide Windows API imports in a program in order to fly under the radar of static analysis tools. Especially, we show a method to hide those imports by dynamically walking the process environment block (PEB) and parsing kernel32.dll in-memory to find its exported functions. Let’s dive in! 2+


Continue reading

Quickly access your configuration files on your server

It’s been a while since I last wrote a post on this blog, so I’ve decided to share a simple way to quickly access the configuration files of the numerous services you may be running on your server. It is indeed quite painful to frequently edit arbitrary deep configuration files (such as /etc/php5/apache2/php.ini) that are spread out in your file system and which you don’t remember the names. The trick I am using is a directory named cfg at the root of my server, in which I create symbolic links pointing to configuration files or directories containing them, with names that are easier to remember.Continue reading… Quickly access your configuration files on your server


Continue reading