Manoj Deshmukh
Aspiring Cybersecurity Analyst | Interested in Kubernetes Pentesting
EC-Council Certified Ethical Hacker (Practical)
CompTIA Cybersecurity Analyst
Cybersecurity Analyst with 4 years of expertise in Web application, Android, API, Kubernetes, and Cloud Pentesting, Vulnerability Assessment, Attacking and Defending Kubernetes, and a constant desire to learn about new security advances.
Summary
- Engaged in an in-depth exploration of Kubernetes security to ensure the safety and protection of my Kubernetes cluster. This journey deepened my understanding of both offensive and defensive strategies in the context of Kubernetes.
- Competent in examining code, locating hardcoded secrets, and maximizing their use through scripts.
- Reported bugs like RCE, XSS, IDOR, SQL Injections, Cloud Misconfigurations, .git exploit, Kubernetes cluster compromise, OTP bypass.
- Have a track record in systematically diagnosing and resolving issues to elevate overall product performance.
- Pentesting Web, Android, Kubernetes, AWS, GCP on clients within a specific scope using OWASP’s top 10 security concepts.
- Competent in evaluating the rising cyber security threats and planning for the disaster recovery and contingency plans in case of security breaches.
What I Do
Pentesting
Pentesting, also called penetration testing, is a security assessment that analyses an application or network through a progression of simulated attacks to check its security posture.
Vulnerability Assessment
A vulnerability assessment is a systematic review of security weaknesses in an information system. It evaluates if the system is susceptible to any known vulnerabilities, assigns severity levels to those vulnerabilities, and recommends remediation or mitigation, if and whenever needed.
Build websites
The website will be developed to meet the aesthetic and functional requirements of your company. Happy customer: voicesagainstautocracy.org
Digital Forensics
Digital Forensics is defined as the process of preservation, identification, extraction, and documentation of computer evidence which can be used in a court of law. It is the science of finding evidence on digital media such as a computer, mobile phone, server, or network.
Community Talks
Fun Facts
Linux
Bug Hunting
Travel
Resume
Work
Jan 2020 - Mar 2023
Cybersafe Bangalore, Cybersecurity Analyst
- I have assisted the team in performing penetration testing and vulnerability assessment against companies such as Mailchimp.
- Finding bugs in clients' websites, leading to SQL injection, XSS, IDOR, file traversal, open JS service manager, remote code execution and many more.
- Executing penetration tests and vulnerability assessments against websites on a weekly basis. Produced devices such as a Wi-Fi password grabber, fork bomber, Windows password stealer, USB kill switch, Raspberry Pi backdoor, and ESP8266 deauther for the government.
- Teamed in building tools like Cyberastra and Intelisafe for the organization
- Endorsed the team in performing penetration testing and vulnerability assessment against companies such as Mailchimp.
- Detail-oriented, with expertise in imaging/analysis of mobile phones and laptops using Cellebrite UFED, Final Mobile Forensics, MOBILedit, Magnet Axiom and FTK Imager.
2023 - Present
Bamboobox, Security Analyst
- Execute penetration tests and security assessments on internal networks.
- Vulnerability Assessment.
- Docker Scanning.
- Kubernetes Pentesting.
- Implementing security tools in CI/CD.
- Kubernetes security and Product Security.
- Planning for disaster recovery in the event of any security breaches.
- Monitor for attacks, intrusions and unusual, unauthorized or illegal activity.
- Conduct security assessments, risk analysis and root cause analysis of security incidents.
- Provide guidance to improve the defensive capabilities of the SOC, ISO27001 and GDPR in better identifying and responding to cyber security incidents.
- Implementing intrusion detection/firewalls and creating alerts.
- Implementing security features to secure infrastructure.
- Preparing company for auditing.
Skills
Kubernetes Security
Cloud Security
Application Pentesting
DevSecOps
Linux
Compliance
Burp Suite Pro
AWS
Cyber forensics
Rest API
Tools/Technologies
- GCP
- Kubernetes
- ModSecurity
- Falco
- SOC2
- ISO27001
- AWS
- Trivy
- kube-hunter
- Docker
- Nmap
- Burp Suite Pro
- Netsparker
- httpx
- Nuclei
- Metasploit
- Wireshark
- MobSF
- Frida
- Objection Framework
- Insomnia
- Nessus
- sqlmap
- WPScan
- OSINT
- John the Ripper
- Final Mobile Forensics
- Magnet Axiom
- Autopsy
- Cellebrite UFED
- FTK Imager
- WordPress
- Bash
- Ubuntu
- Kali Linux
- Ffuf
Education
2018 - 2020
Cambridge Institute of Technology, Master of Computer Applications
Visvesvaraya Technological University
2015 - 2018
Government Science College, Bachelor of Science
Certificates
Findings
Reported Bugs
Complete Kubernetes and cloud Compromise
Shell Access
I was doing some fuzz work while looking over a healthcare website when I found a zip file containing the source code. After discovering the source code, I discovered an endpoint with a command injection, which allowed me to access the server, log in to the database, and obtain tokens for third parties using client IDs and secrets.
Access to all admin accounts
In the front end the email cannot be changed, but if I change the email ID to someone else's in the request using Burp Suite, the account will be updated with the password of the current user.
Access to another user's account
Every user has a unique ID; users can't access it using the front end because the ID in the response can't be changed, so I used Burp Suite to find and replace the ID with a different ID in both the response and the request. This leads to a login to a different account.
XSS - Cross Site Scripting - Reflected and Stored
Reported Cross-Site Scripting in several websites and have also been awarded bounties.
JK-Manager
Reported a website running JK-Manager where anyone can stop/start the load balancer and change the load balancer servers.
SQL Injection
Reported SQL Injection in a job portal, where anyone can change the job status, download all applicants' details, and modify and edit the details of an applicant, and found SQL injection in another college website's search bar which leads to data exposure of all students.
Weak Cryptography
Passwords saved in plain text, and the engineering login on the subdomain with a backup stored in the index, have been reported.
Reported that the subdomain was open to indexing and all the sensitive information was stored there, including where the SQL DB file was stored; the passwords in the DB files were not stored in plain text, and passwords were being sent in plain text.
AWS S3 bucket configuration error
An AWS S3 bucket configuration error has been reported, allowing users to access the bucket without AWS security keys by using the AWS CLI flag --no-sign-request.
IDOR
Reported IDOR, where anyone can log in as any user and check all the details and documents submitted.
Shopify Subdomain Takeover
Reported a Shopify subdomain takeover, where the A record was not removed from the DNS; this allowed creating a new Shopify account, linking the subdomain as the owner, and hosting a dummy website.
Login to admin account using phpMyAdmin
Gained access to the subdomain admin using the open phpMyAdmin panel and an open .env file.
Projects
AWS Hacking Lab
AWS, noVNC, Ubuntu, PHP
- Built a hacking lab in AWS to simulate an attacker and vulnerable machines.
- Developed labs that let students practice lab assignments on an AWS server through browser access alone.
Brain Sizzlers - Web Application (Online Mock Exam)
PHP, HTML, CSS, MySQL (2019)
Online MCQ test to assess a student's ability in a particular subject and show the student's result as a graphical representation, using a web application.
Brain Sizzlers - Android Application (Online Mock Exam)
Android Studio, Java, Firebase (2020)
Online MCQ test to assess a student's ability in a particular subject and show the student's result as a graphical representation, using an Android application.
Voices Against Autocracy
WordPress, Web Scraping, Translation (2022)
Voices Against Autocracy (VAA) has been created with a mandate to deliver uncensored, domestic news and information related to China, Tibet, Xinjiang, North Korea and Uyghur, where the rights of people have been suppressed and the media is under complete censorship. The news would be presented in German and English.
Blogs
Ways to get into the Kubernetes cluster — Part 2
This is the second part of this blog series; find Part 1 here. https://manojdeshmukh45.medium.com/ways-to-get-into-the-kubernetes-cluster...
Nov 24, 2023
This article teaches methods to identify and exploit vulnerabilities in Kubernetes clusters by scanning for insecure API endpoints using tools like shodan.io, search.censys.io, and kube-hunter.
➜ https://manojdeshmukh45.medium.com/ways-to-get-into-the-kubernetes-cluster-part-1-2e86c3dea123
Talk 3: Ways to get into Kubernetes Cluster by Manoj Deshmukh at @Nullblr @OWASPBangalore December 2023 monthly meet.
We have some amazing sessions lined up for our upcoming monthly meet on Dec 16th.
RSVP - https://null.community/events/954-bangalore-null-owasp-combined-meet#event_sessions
Here is my Part 2 blog on ways to get into the Kubernetes cluster.
This blog teaches you how to gain control of clusters and how to see the UI of services running in Kubernetes.
#kubernetessecurity #kubernetes #clustersecurity #hack_kubernetes