How we hacked Distributed Configuration Management Systems

Presented at TROOPERS17 (2017), March 23, 2017, 10:30 a.m. (Unknown duration)

With increase in necessity of distributed applications, coordination and configuration management tools for these classes of applications have popped up. These systems might pop-up occasionally during penetration tests. The major focus of this research was to find ways to abuse these systems as well as use them for getting deeper access to other systems.

The talk deals with how we came across and exploited different configuration management systems during our pentests.

Presenters:

• Bharadwaj Machiraju
  Bharadwaj Machiraju is project leader for OWASP OWTF. He is mostly found either building a web appsec tool or hunting bugs for fame hackerone.com/tunnelshade. All tools are available at https://github.com/tunnelshade and all ramblings at blog.tunnelshade.in. He has spoken at few conferences, most notably Brucon and Pycon India. Apart from information security, he is interested in sleeping, mnemonic techniques & machine learning.
• Francis Alexander
  Francis Alexander is an Information Security Researcher and the author of NoSQL Exploitation Framework. He has a strong vision of Free & Open Information Security Education for all. His areas of interest includes web app & standalone app security, DBMS security, coding tools and fuzzing. He has spoke at multiple conferences such as HITB AMS 2014,Hack in Paris 2014, 44Con 2014, Derbycon USA 2013, Defcon Kerala and Defcon Bangalore.All his tools are available at github.com/torque59.

Links:

• https://troopers.de/troopers17/talks/771-how-we-hacked-distributed-configuration-management-systems/

Similar Presentations:

• Black Hat Asia 2014 / Owning a Building: Exploiting Access Control and Facility Management Systems
• Black Hat USA 2022 / Controlling the Source: Abusing Source Code Management Systems
• Still Hacking Anyway (SHA2017) / Tor, Puppet & Configuration Management Workshop