Welcome to the blog series about how to hack a box! In this first post I’ll guide you through the global steps you can take to hack a box. The steps are universal, so you can use them on any target which you have permission for.
As a developer, you are familiar with Docker. You push your images to the Hub, use Compose locally and know a thing or two about Kubernetes. Or… Well… To be honest… You don’t. And you are ashamed you don’t know anything about it. You browse the internet and it’s so overwhelming. So you stop looking and continue what you’ve been doing all the time. Deep inside, you still wonder. Can’t anyone not just explain Docker in simple terms? Is it really this hard? Or am I just missing something really obvious?
In my last blog I gave you a small introduction into the term "Reverse Shell". I described it as: "A Reverse Shell is where your target machine creates a connection to your machine, after which you get a shell on the target machine in which you can execute system commands." It is similar to SSH, but without any encryption and the connection is created the other way around (from target to you, instead of you to the target).
At JCore, we follow a three year program to become senior developers. After following this program successfully, you will be promoted to the JDriven company. In the final year, we have a specialization in a topic of our choice. I chose to specialize myself further into security. I have been studying this topic for some time now, even contributing to the fast track courses as a security teacher. Until now, most of my time I spent on the defending side and now I want to take a look on "the other side". So my specialization is all about attack, also described as joining "The Red Team".
In my previous blog about Running AWS locally with LocalStack I’ve shown you how to use Localstack, a tool to mock your AWS environment on your local machine. When working with Localstack, I always had to prepare the environment for my application to run. Most of the time this could be done automatically via scripts, but some preparations, for instance editing some data in a S3 bucket, could become a little tricky.
More and more companies are switching over to cloud native environments. As a developer this gives me a lot of services to create awesome applications. The challenge that occurred to me right away was how to use all those new components during development, since some companies do not have a testing/development environment in their cloud provider to play with. LocalStack piqued my interest to simulate an AWS environment locally on my laptop, or when running the CI/CD pipeline.
Adding code coverage to SonarQube is quite easy for any Maven project nowadays. Just add the jacoco-maven-plugin dependency to your pom.xml, add the
prepare-agent execution task, and you are good to go. Even for multiple modules this works out of the box. But time goes on and your application grows as well. You start moving code to other modules, and somehow SonarQube no longer seems to pick up the covered code. What the heck is going on?
MongoDB, or Mongo compatible DocumentDB, saves their data in Binary JSON (BSON). They used to save their UUIDs as binary subtype 0x03, but the interpretation was not similar in a multi-platform environment and caused issues. Therefore, the 0x04 was introduced.
Spring Boot Admin describes several ways of connecting clients to the admin server. If your Spring Boot applications are running on kubernetes or openshift then Spring Boot Admin can use the Spring Cloud Kubernetes discovery client. In this blogpost i’ll show you how.
I’ve recently had the situation where I deployed a Spring Boot application on OpenShift where a certain dependency needed a properties file that couldn’t be found. The problem was that this dependency didn’t scan the classpath for the file, but just opened a FileInputStream relative to the current path.