DevOps & Linux Breach Tactics Intermediate - 5 days - 4800€
Description
DevOps environments rely heavily on Linux to power microservices architectures, hybrid infrastructures, and continuous deployment pipelines. The security of these environments depends on automation and containerization tools, and mastering these tools has become a critical challenge for modern attackers.
Over this five-day course, participants will be exposed to five theoretical modules detailing a complete kill chain: from initial access via CI/CD pipeline injection (GitLab, Jenkins) to the abuse of Infra-as-Code tools (Ansible, Terraform) to compromise the infrastructure. An additional module will be dedicated to hardened systems (AppArmor, SELinux). These concepts will be applied throughout the week on two complex corporate networks, inspired by real-world intrusions conducted by our experts.
- 5 days (35 hours)
- 5 course modules following realistic intrusion steps + 1 module on hardened systems
- 2 corporate environments with more than 20 machines including GitLab, Jenkins, Artifactory, AWX, HashiCorp Vault, Guacamole, KeyCloak, and vSphere services
- RedHat-like and Debian-like distributions
Objectives
- Understand the security challenges of DevOps and Linux environments
- Identify the main exploitable weaknesses in CI/CD pipelines and Linux systems
- Perform a realistic intrusion simulation on a DevOps/Linux environment
Public and prerequisites
This training is suitable for people with basic knowledge of offensive security but no prior experience in intrusions into corporate DevOps & Linux environments. It is aimed primarily at pentesters, system administrators and security architects, but also at any technical profile wishing to add a security component to their professional career.
- Pentesters
- System administrators
- Security architects
Solid Unix/Linux skills, networking basics, and an interest in offensive security are recommended.
Content
Day 1
Fundamental concepts: Identity and Access Management (IAM), security mechanisms (extended ACLs, standard and extended attributes, capabilities), networking fundamentals, containerization (namespaces, cgroups, seccomp, Docker and LXC / LXD). Microservices: Docker registry, Portainer, Traefik, Redis, container detection, image analysis, secret hunting, and backdooring. Centralized authentication: Kerberos, OpenLDAP, SSSD and FreeIPA, reconnaissance, enumeration, and tooling.
Day 2
Lateral movement: network pivoting, SOCKS proxy, port forwarding, TUN forwarding, and tooling. CI/CD: Jenkins, pipeline injection and agent compromise, Artifactory, dependency confusion and artifact poisoning. Workstations: KeePass, DBUS Secret Service API, SSH and GPG agents, Firefox and Chrome browsers, keyloggers.
Day 3
Administration: PKI and certificate signing, firewall manipulation (iptables / nftables), traffic redirection (DNAT) and spoofing (SNAT), file systems (NFS, Samba, FUSE), IAM (KeyCloak), bastion (Guacamole), packaging and poisoning (Deb and RPM). Hypervisors (vSphere): architecture, ESXi and vCenter, authentication methods, post-exploitation techniques (network capture and bypass, optimized exfiltration), golden SAML.
Day 4
GitLab: IAM study, runner architecture and implementation, reconnaissance, initial access via dumps and project analysis (TruffleHog, noseyparker), privilege escalation via pipeline injection, secrets dumping. Infra-as-Code: Ansible, Terraform, AWX, and automated deployments. HashiCorp Vault: architecture, authentication, access policies, and usage.
Day 5
Advanced exploitation: process management (sessions, groups and lifecycle), TTY internals and injections, PAM stack analysis, and backdooring. Compromising hardened systems: implementation and configuration of AppArmor and SELinux LSMs, hardening analysis and bypass techniques.
All the details regarding how the training is conducted are described on this page.