
pen / move / docker

MITRE ATT&CK Enterprise:

MUST READ

Scan with Grype + ExploitDB

grype <image> -o template -t ~/path/to/csv.tmpl > grivy_output.csv
cut -f3 -d"," grivy_output.csv > /tmp/mycve.txt
while read -r cve; do id=$(echo "$cve" | tr -d '"'); grep -i -- "$id" /usr/share/exploitdb/files_exploits.csv; done < /tmp/mycve.txt

Here's what the header row of the csv.tmpl file might look like (column 3 is the vulnerability ID that cut -f3 extracts):

"Package","Version Installed","Vulnerability ID","Severity"
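
The lookup above, hardened as an added example (not part of the original page): it skips the CSV header, ignores non-CVE IDs such as GHSA entries, de-duplicates, and matches whole IDs only, so the list of image findings with a published exploit is not inflated by substring hits. The function names, file names and sample rows are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page). Assumes column 3 of the Grype
# CSV is the vulnerability ID and that each Exploit-DB row lists its CVE IDs.

# match_exploits GRYPE_CSV EXPLOITDB_CSV
# Prints "<CVE><TAB><exploit-db row>" for every finding with a listed exploit.
match_exploits() {
    # Drop the header, strip quotes, keep CVE-style IDs only, de-duplicate.
    tail -n +2 "$1" | cut -d',' -f3 | tr -d '"\r' |
        grep -E '^CVE-[0-9]{4}-[0-9]+$' | sort -u |
        while IFS= read -r cve; do
            # -F: literal match; -w: whole token, so CVE-2099-1234 does not
            # also hit CVE-2099-12345; -i: case-insensitive.
            # grep exits 1 on "no match", which is not an error here.
            { grep -iwF -- "$cve" "$2" || true; } | while IFS= read -r row; do
                printf '%s\t%s\n' "$cve" "$row"
            done
        done
}

# Constructed sample data (placeholder IDs, not real CVEs or exploits).
make_samples() {
    cat > "$1/grype.csv" <<'EOF'
"Package","Version Installed","Vulnerability ID","Severity"
"libexample","1.0.0","CVE-2099-1234","High"
"libexample-dev","1.0.0","CVE-2099-1234","High"
"libother","2.3","GHSA-xxxx-yyyy-zzzz","Medium"
"libthird","0.9","CVE-2099-7777","Low"
EOF
    cat > "$1/edb.csv" <<'EOF'
id,file,description,codes
90001,exploits/linux/local/90001.txt,Constructed entry A,CVE-2099-12345
90002,exploits/linux/remote/90002.py,Constructed entry B,CVE-2099-1234;OSVDB-0
EOF
}

demo_dir=$(mktemp -d)
make_samples "$demo_dir"
match_exploits "$demo_dir/grype.csv" "$demo_dir/edb.csv"
rm -rf "$demo_dir"
```

With the plain grep -i loop, the constructed CVE-2099-1234 finding would also report the unrelated 90001 row.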

Administration

docker system info
ls -alps /var/lib/docker
docker inspect <container_or_image> | jq .

JDBC client

alias jaqy='java -Dfile.encoding=UTF-8 -Xmx256m -jar ~/jaqy-1.2.0.jar'
jaqy

# jdbc:teradata
.protocol teradata com.teradata.jdbc.TeraDriver
.classpath teradata lib/terajdbc4.jar
.open -u dbc -p dbc teradata://127.0.0.1

# jdbc:postgresql
.protocol postgresql org.postgresql.Driver
.classpath postgresql lib/postgresql-42.5.3.jar
.open -u dbc -p dbc postgresql://127.0.0.1

Insecure Azure Registry

curl -s -k --user "USER:PASS" https://registry.azurecr.io/v2/_catalog | jq '.repositories'
curl -s -k --user "USER:PASS" https://registry.azurecr.io/v2/<image_name>/tags/list | jq '.tags'
podman pull --creds "USER:PASS" registry.azurecr.io/<image_name>:<tag>

Java Maven Applications

# extract application
jar xf app.jar

# find Spring properties files
find . -iname "*.properties"
find . -iname "*.properties" -print0 | xargs -0 grep -H "://"
find . -iname "*.properties" -print0 | xargs -0 grep -H "jdbc.*://"
find . -iname "*.properties" -print0 | xargs -0 grep -H "postgresql://"

SSO / SAML