Translated ['.github/pull_request_template.md', 'src/pentesting-cloud/az

This commit is contained in:
Translator
2024-12-31 19:02:02 +00:00
parent 7770a50092
commit 2753c75e8b
244 changed files with 8471 additions and 11302 deletions

View File

@@ -2,17 +2,17 @@
{{#include ../../banners/hacktricks-training.md}}
## Basic Information
## Basiese Inligting
**Before start pentesting** a Digital Ocean environment there are a few **basics things you need to know** about how DO works to help you understand what you need to do, how to find misconfigurations and how to exploit them.
**Voordat jy begin pentesting** 'n Digital Ocean omgewing, is daar 'n paar **basiese dinge wat jy moet weet** oor hoe DO werk om jou te help verstaan wat jy moet doen, hoe om miskonfigurasies te vind en hoe om dit te benut.
Concepts such as hierarchy, access and other basic concepts are explained in:
Konsepte soos hiërargie, toegang en ander basiese konsepte word verduidelik in:
{{#ref}}
do-basic-information.md
{{#endref}}
## Basic Enumeration
## Basiese Enumerasie
### SSRF
@@ -20,28 +20,22 @@ do-basic-information.md
https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf
{{#endref}}
### Projects
### Projekte
To get a list of the projects and resources running on each of them from the CLI check:
Om 'n lys van die projekte en hulpbronne wat op elkeen van hulle loop vanaf die CLI te kry, kyk:
{{#ref}}
do-services/do-projects.md
{{#endref}}
### Whoami
```bash
doctl account get
```
## Services Enumeration
## Dienste Enumerasie
{{#ref}}
do-services/
{{#endref}}
{{#include ../../banners/hacktricks-training.md}}

View File

@@ -1,139 +1,127 @@
# DO - Basic Information
# DO - Basiese Inligting
{{#include ../../banners/hacktricks-training.md}}
## Basic Information
## Basiese Inligting
DigitalOcean is a **cloud computing platform that provides users with a variety of services**, including virtual private servers (VPS) and other resources for building, deploying, and managing applications. **DigitalOcean's services are designed to be simple and easy to use**, making them **popular among developers and small businesses**.
DigitalOcean is 'n **cloud computing platform wat gebruikers 'n verskeidenheid dienste bied**, insluitend virtuele private bedieners (VPS) en ander hulpbronne vir die bou, ontplooiing en bestuur van toepassings. **DigitalOcean se dienste is ontwerp om eenvoudig en maklik om te gebruik te wees**, wat hulle **gewild maak onder ontwikkelaars en klein besighede**.
Some of the key features of DigitalOcean include:
Sommige van die sleutelkenmerke van DigitalOcean sluit in:
- **Virtual private servers (VPS)**: DigitalOcean provides VPS that can be used to host websites and applications. These VPS are known for their simplicity and ease of use, and can be quickly and easily deployed using a variety of pre-built "droplets" or custom configurations.
- **Storage**: DigitalOcean offers a range of storage options, including object storage, block storage, and managed databases, that can be used to store and manage data for websites and applications.
- **Development and deployment tools**: DigitalOcean provides a range of tools that can be used to build, deploy, and manage applications, including APIs and pre-built droplets.
- **Security**: DigitalOcean places a strong emphasis on security, and offers a range of tools and features to help users keep their data and applications safe. This includes encryption, backups, and other security measures.
- **Virtuele private bedieners (VPS)**: DigitalOcean bied VPS aan wat gebruik kan word om webwerwe en toepassings te huisves. Hierdie VPS is bekend vir hul eenvoud en gebruiksgemak, en kan vinnig en maklik ontplooi word met 'n verskeidenheid voorafgeboude "droplets" of pasgemaakte konfigurasies.
- **Berging**: DigitalOcean bied 'n reeks bergingsopsies aan, insluitend objekberging, blokberging en bestuurde databasisse, wat gebruik kan word om data vir webwerwe en toepassings te stoor en te bestuur.
- **Ontwikkeling en ontplooiing gereedskap**: DigitalOcean bied 'n reeks gereedskap aan wat gebruik kan word om toepassings te bou, te ontplooi en te bestuur, insluitend API's en voorafgeboude droplets.
- **Veiligheid**: DigitalOcean plaas 'n sterk klem op veiligheid, en bied 'n reeks gereedskap en kenmerke om gebruikers te help om hul data en toepassings veilig te hou. Dit sluit versleuteling, rugsteun en ander veiligheidsmaatreëls in.
Overall, DigitalOcean is a cloud computing platform that provides users with the tools and resources they need to build, deploy, and manage applications in the cloud. Its services are designed to be simple and easy to use, making them popular among developers and small businesses.
Algeheel is DigitalOcean 'n cloud computing platform wat gebruikers die gereedskap en hulpbronne bied wat hulle nodig het om toepassings in die wolk te bou, te ontplooi en te bestuur. Sy dienste is ontwerp om eenvoudig en maklik om te gebruik te wees, wat hulle gewild maak onder ontwikkelaars en klein besighede.
### Main Differences from AWS
### Hoofverskille van AWS
One of the main differences between DigitalOcean and AWS is the **range of services they offer**. **DigitalOcean focuses on providing simple** and easy-to-use virtual private servers (VPS), storage, and development and deployment tools. **AWS**, on the other hand, offers a **much broader range of services**, including VPS, storage, databases, machine learning, analytics, and many other services. This means that AWS is more suitable for complex, enterprise-level applications, while DigitalOcean is more suited to small businesses and developers.
Een van die hoofverskille tussen DigitalOcean en AWS is die **reeks dienste wat hulle bied**. **DigitalOcean fokus op die verskaffing van eenvoudige** en maklik om te gebruik virtuele private bedieners (VPS), berging, en ontwikkeling en ontplooiing gereedskap. **AWS**, aan die ander kant, bied 'n **veel breër reeks dienste**, insluitend VPS, berging, databasisse, masjienleer, analise, en baie ander dienste. Dit beteken dat AWS meer geskik is vir komplekse, ondernemingsvlak toepassings, terwyl DigitalOcean meer geskik is vir klein besighede en ontwikkelaars.
Another key difference between the two platforms is the **pricing structure**. **DigitalOcean's pricing is generally more straightforward and easier** to understand than AWS, with a range of pricing plans that are based on the number of droplets and other resources used. AWS, on the other hand, has a more complex pricing structure that is based on a variety of factors, including the type and amount of resources used. This can make it more difficult to predict costs when using AWS.
Nog 'n sleutelverskil tussen die twee platforms is die **prysstruktuur**. **DigitalOcean se pryse is oor die algemeen meer reguit en makliker** om te verstaan as AWS, met 'n reeks prysplanne wat gebaseer is op die aantal droplets en ander hulpbronne wat gebruik word. AWS, aan die ander kant, het 'n meer komplekse prysstruktuur wat gebaseer is op 'n verskeidenheid faktore, insluitend die tipe en hoeveelheid hulpbronne wat gebruik word. Dit kan dit moeiliker maak om koste te voorspel wanneer AWS gebruik word.
## Hierarchy
## Hiërargie
### User
### Gebruiker
A user is what you expect, a user. He can **create Teams** and **be a member of different teams.**
'n gebruiker is wat jy verwag, 'n gebruiker. Hy kan **Spanne skep** en **'n lid van verskillende spanne wees.**
### **Team**
### **Span**
A team is a group of **users**. When a user creates a team he has the **role owner on that team** and he initially **sets up the billing info**. **Other** user can then be **invited** to the team.
'n Span is 'n groep **gebruikers**. Wanneer 'n gebruiker 'n span skep, het hy die **rol eienaar van daardie span** en stel hy aanvanklik die **faktuurinligting op**. **Ander** gebruikers kan dan **uitgenooi** word na die span.
Inside the team there might be several **projects**. A project is just a **set of services running**. It can be used to **separate different infra stages**, like prod, staging, dev...
Binne die span kan daar verskeie **projekte** wees. 'n Projek is net 'n **stel dienste wat saamloop**. Dit kan gebruik word om **verskillende infrastruktuurstadiums te skei**, soos prod, staging, dev...
### Project
### Projek
As explained, a project is just a container for all the **services** (droplets, spaces, databases, kubernetes...) **running together inside of it**.\
A Digital Ocean project is very similar to a GCP project without IAM.
Soos verduidelik, is 'n projek net 'n houer vir al die **dienste** (droplets, spaces, databasisse, kubernetes...) **wat saam binne dit loop**.\
'n Digital Ocean projek is baie soortgelyk aan 'n GCP projek sonder IAM.
## Permissions
## Toestemmings
### Team
### Span
Basically all members of a team have **access to the DO resources in all the projects created within the team (with more or less privileges).**
Basies het alle lede van 'n span **toegang tot die DO hulpbronne in al die projekte wat binne die span geskep is (met meer of minder voorregte).**
### Roles
### Rolle
Each **user inside a team** can have **one** of the following three **roles** inside of it:
Elke **gebruiker binne 'n span** kan **een** van die volgende drie **rolle** binne dit hê:
| Role | Shared Resources | Billing Information | Team Settings |
| Rol | Gedeelde Hulpbronne | Faktuurinligting | Spaninstellings |
| ---------- | ---------------- | ------------------- | ------------- |
| **Owner** | Full access | Full access | Full access |
| **Biller** | No access | Full access | No access |
| **Member** | Full access | No access | No access |
| **Eienaar** | Volle toegang | Volle toegang | Volle toegang |
| **Faktureerder** | Geen toegang | Volle toegang | Geen toegang |
| **Lid** | Volle toegang | Geen toegang | Geen toegang |
**Owner** and **member can list the users** and check their **roles** (biller cannot).
**Eienaar** en **lid kan die gebruikers lys** en hul **rolle** nagaan (faktureerder kan nie).
## Access
## Toegang
### Username + password (MFA)
### Gebruikersnaam + wagwoord (MFA)
As in most of the platforms, in order to access to the GUI you can use a set of **valid username and password** to **access** the cloud **resources**. Once logged in you can see **all the teams you are part** of in [https://cloud.digitalocean.com/account/profile](https://cloud.digitalocean.com/account/profile).\
And you can see all your activity in [https://cloud.digitalocean.com/account/activity](https://cloud.digitalocean.com/account/activity).
Soos in die meeste platforms, om toegang tot die GUI te verkry, kan jy 'n stel **geldige gebruikersnaam en wagwoord** gebruik om **toegang** tot die cloud **hulpbronne** te verkry. Sodra jy ingeteken is, kan jy **al die spanne waarvan jy deel is** sien in [https://cloud.digitalocean.com/account/profile](https://cloud.digitalocean.com/account/profile).\
En jy kan al jou aktiwiteit in [https://cloud.digitalocean.com/account/activity](https://cloud.digitalocean.com/account/activity) sien.
**MFA** can be **enabled** in a user and **enforced** for all the users in a **team** to access the team.
**MFA** kan **geaktiveer** word in 'n gebruiker en **afgedwing** word vir alle gebruikers in 'n **span** om toegang tot die span te verkry.
### API keys
In order to use the API, users can **generate API keys**. These will always come with Read permissions but **Write permission are optional**.\
The API keys look like this:
### API sleutels
Om die API te gebruik, kan gebruikers **API sleutels genereer**. Hierdie sal altyd met Lees-toestemmings kom, maar **Skryf-toestemmings is opsioneel**.\
Die API sleutels lyk soos volg:
```
dop_v1_1946a92309d6240274519275875bb3cb03c1695f60d47eaa1532916502361836
```
The cli tool is [**doctl**](https://github.com/digitalocean/doctl#installing-doctl). Initialise it (you need a token) with:
Die cli-gereedskap is [**doctl**](https://github.com/digitalocean/doctl#installing-doctl). Begin dit (jy het 'n token nodig) met:
```bash
doctl auth init # Asks for the token
doctl auth init --context my-context # Login with a different token
doctl auth list # List accounts
```
Deur standaard sal hierdie token in duidelike teks geskryf word in Mac in `/Users/<username>/Library/Application Support/doctl/config.yaml`.
By default this token will be written in clear-text in Mac in `/Users/<username>/Library/Application Support/doctl/config.yaml`.
### Spaces toegang sleutels
### Spaces access keys
These are keys that give **access to the Spaces** (like S3 in AWS or Storage in GCP).
They are composed by a **name**, a **keyid** and a **secret**. An example could be:
Dit is sleutels wat **toegang tot die Spaces** gee (soos S3 in AWS of Storage in GCP).
Hulle bestaan uit 'n **naam**, 'n **keyid** en 'n **secret**. 'n Voorbeeld kan wees:
```
Name: key-example
Keyid: DO00ZW4FABSGZHAABGFX
Secret: 2JJ0CcQZ56qeFzAJ5GFUeeR4Dckarsh6EQSLm87MKlM
```
### OAuth-toepassing
### OAuth Application
OAuth-toepassings kan **toegang oor Digital Ocean** verkry.
OAuth applications can be granted **access over Digital Ocean**.
Dit is moontlik om **OAuth-toepassings te skep** in [https://cloud.digitalocean.com/account/api/applications](https://cloud.digitalocean.com/account/api/applications) en al **toegestane OAuth-toepassings** te kontroleer in [https://cloud.digitalocean.com/account/api/access](https://cloud.digitalocean.com/account/api/access).
It's possible to **create OAuth applications** in [https://cloud.digitalocean.com/account/api/applications](https://cloud.digitalocean.com/account/api/applications) and check all **allowed OAuth applications** in [https://cloud.digitalocean.com/account/api/access](https://cloud.digitalocean.com/account/api/access).
### SSH Sleutels
### SSH Keys
Dit is moontlik om **SSH sleutels aan 'n Digital Ocean-span** toe te voeg vanaf die **konsol** in [https://cloud.digitalocean.com/account/security](https://cloud.digitalocean.com/account/security).
It's possible to add **SSH keys to a Digital Ocean Team** from the **console** in [https://cloud.digitalocean.com/account/security](https://cloud.digitalocean.com/account/security).
Op hierdie manier, as jy 'n **nuwe droplet skep, sal die SSH-sleutel op dit ingestel word** en jy sal in staat wees om te **log in via SSH** sonder wagwoord (let daarop dat nuut [opgelaaide SSH-sleutels nie in reeds bestaande droplets ingestel word nie om veiligheidsredes](https://docs.digitalocean.com/products/droplets/how-to/add-ssh-keys/to-existing-droplet/)).
This way, if you create a **new droplet, the SSH key will be set** on it and you will be able to **login via SSH** without password (note that newly [uploaded SSH keys aren't set in already existent droplets for security reasons](https://docs.digitalocean.com/products/droplets/how-to/add-ssh-keys/to-existing-droplet/)).
### Functions Authentication Token
The way **to trigger a function via REST API** (always enabled, it's the method the cli uses) is by triggering a request with an **authentication token** like:
### Funksie Verifikasie Token
Die manier **om 'n funksie via REST API te aktiveer** (altyd geaktiveer, dit is die metode wat die cli gebruik) is deur 'n versoek te aktiveer met 'n **verifikasie token** soos:
```bash
curl -X POST "https://faas-lon1-129376a7.doserverless.co/api/v1/namespaces/fn-c100c012-65bf-4040-1230-2183764b7c23/actions/functionname?blocking=true&result=true" \
-H "Content-Type: application/json" \
-H "Authorization: Basic MGU0NTczZGQtNjNiYS00MjZlLWI2YjctODk0N2MyYTA2NGQ4OkhwVEllQ2t4djNZN2x6YjJiRmFGc1FERXBySVlWa1lEbUxtRE1aRTludXA1UUNlU2VpV0ZGNjNqWnVhYVdrTFg="
-H "Content-Type: application/json" \
-H "Authorization: Basic MGU0NTczZGQtNjNiYS00MjZlLWI2YjctODk0N2MyYTA2NGQ4OkhwVEllQ2t4djNZN2x6YjJiRmFGc1FERXBySVlWa1lEbUxtRE1aRTludXA1UUNlU2VpV0ZGNjNqWnVhYVdrTFg="
```
## Logs
### User logs
The **logs of a user** can be found in [**https://cloud.digitalocean.com/account/activity**](https://cloud.digitalocean.com/account/activity)
Die **logs van 'n gebruiker** kan gevind word in [**https://cloud.digitalocean.com/account/activity**](https://cloud.digitalocean.com/account/activity)
### Team logs
The **logs of a team** can be found in [**https://cloud.digitalocean.com/account/security**](https://cloud.digitalocean.com/account/security)
Die **logs van 'n span** kan gevind word in [**https://cloud.digitalocean.com/account/security**](https://cloud.digitalocean.com/account/security)
## References
- [https://docs.digitalocean.com/products/teams/how-to/manage-membership/](https://docs.digitalocean.com/products/teams/how-to/manage-membership/)
{{#include ../../banners/hacktricks-training.md}}
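Review bot: the ordering of the language pairs is inconsistent inside this hunk and should be checked before merging: through the `doctl auth` block the English line precedes its Afrikaans rendering, while in the `Deur standaard...`/`By default...` pair and the OAuth, SSH Keys and logs sections the Afrikaans line comes first and the English second, with the Spaces and Functions sections flipping back again. If the renderer lists removed lines before added ones, the Afrikaans-first pairs are replacing a translation with English rather than adding one, which contradicts the commit message. Separately, the `curl -X POST "https://faas-lon1-...` block under `### Functions Authentication Token` is identical to the one under `### Triggers` in the functions page later in this commit; a `{{#ref}}` pointer to that page, as the sibling file already does for `do-services/do-projects.md`, avoids maintaining two copies of the same token example.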

View File

@@ -1,11 +1,7 @@
# DO - Permissions for a Pentest
# DO - Toestemmings vir 'n Pentest
{{#include ../../banners/hacktricks-training.md}}
DO doesn't support granular permissions. So the **minimum role** that allows a user to review all the resources is **member**. A pentester with this permission will be able to perform harmful activities, but it's what it's.
DO ondersteun nie fyn toewysings nie. So die **minimum rol** wat 'n gebruiker toelaat om al die hulpbronne te hersien, is **lid**. 'n Pentester met hierdie toestemming sal in staat wees om skadelike aktiwiteite uit te voer, maar dit is wat dit is.
{{#include ../../banners/hacktricks-training.md}}

View File

@@ -1,8 +1,8 @@
# DO - Services
# DO - Dienste
{{#include ../../../banners/hacktricks-training.md}}
DO offers a few services, here you can find how to **enumerate them:**
DO bied 'n paar dienste aan, hier kan jy vind hoe om **hulle te evalueer:**
- [**Apps**](do-apps.md)
- [**Container Registry**](do-container-registry.md)
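Review bot: `hoe om **hulle te evalueer:**` renders "enumerate them" as "evaluate them", which changes what this services index is for. The same concept is translated as `Enumerasie` in the apps and droplets pages and as `Opname` in the container registry and databases pages of this commit; settle on one term, for example `hulle te enumereer` with `### Enumerasie` headings, and apply it consistently across the service pages.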
@@ -17,7 +17,3 @@ DO offers a few services, here you can find how to **enumerate them:**
- [**Volumes**](do-volumes.md)
{{#include ../../../banners/hacktricks-training.md}}

View File

@@ -2,18 +2,17 @@
{{#include ../../../banners/hacktricks-training.md}}
## Basic Information
## Basiese Inligting
[From the docs:](https://docs.digitalocean.com/glossary/app-platform/) App Platform is a Platform-as-a-Service (PaaS) offering that allows developers to **publish code directly to DigitalOcean** servers without worrying about the underlying infrastructure.
[Uit die dokumentasie:](https://docs.digitalocean.com/glossary/app-platform/) App Platform is 'n Platform-as-a-Service (PaaS) aanbod wat ontwikkelaars in staat stel om **kode direk na DigitalOcean** bedieners te **publiseer** sonder om oor die onderliggende infrastruktuur te bekommer.
You can run code directly from **github**, **gitlab**, **docker hub**, **DO container registry** (or a sample app).
Jy kan kode direk vanaf **github**, **gitlab**, **docker hub**, **DO container registry** (of 'n voorbeeldtoepassing) uitvoer.
When defining an **env var** you can set it as **encrypted**. The only way to **retreive** its value is executing **commands** inside the host runnig the app.
Wanneer jy 'n **env var** definieer, kan jy dit as **geënkripteer** instel. Die enigste manier om die waarde te **herwin** is deur **opdragte** binne die gasheer wat die toepassing uitvoer, uit te voer.
An **App URL** looks like this [https://dolphin-app-2tofz.ondigitalocean.app](https://dolphin-app-2tofz.ondigitalocean.app)
### Enumeration
'n **App URL** lyk soos hierdie [https://dolphin-app-2tofz.ondigitalocean.app](https://dolphin-app-2tofz.ondigitalocean.app)
### Enumerasie
```bash
doctl apps list # You should get URLs here
doctl apps spec get <app-id> # Get yaml (including env vars, might be encrypted)
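Review bot: the English line `The only way to **retreive** its value is executing **commands** inside the host runnig the app.` carries two typos (`retreive`, `runnig`) that the Afrikaans line corrects silently; fix the English source as well so the two texts stay aligned. Note also that this line renders "encrypted" as `geënkripteer`, while the RCE section of the same file (next hunk) uses `Gekodeerde` and `gecodeerd`; one spelling per file keeps the term searchable.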
@@ -21,18 +20,13 @@ doctl apps logs <app-id> # Get HTTP logs
doctl apps list-alerts <app-id> # Get alerts
doctl apps list-regions # Get available regions and the default one
```
> [!CAUTION]
> **Apps doesn't have metadata endpoint**
> **Apps het nie 'n metadata-eindpunt nie**
### RCE & Encrypted env vars
### RCE & Gekodeerde omgewingsveranderlikes
To execute code directly in the container executing the App you will need **access to the console** and go to **`https://cloud.digitalocean.com/apps/<app-id>/console/<app-name>`**.
Om kode direk in die houer wat die App uitvoer, uit te voer, sal jy **toegang tot die konsole** nodig hê en gaan na **`https://cloud.digitalocean.com/apps/<app-id>/console/<app-name>`**.
That will give you a **shell**, and just executing **`env`** you will be able to see **all the env vars** (including the ones defined as **encrypted**).
Dit sal jou 'n **skulp** gee, en deur net **`env`** uit te voer, sal jy in staat wees om **alle omgewingsveranderlikes** te sien (insluitend die wat as **gecodeerd** gedefinieer is).
{{#include ../../../banners/hacktricks-training.md}}
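Review bot: `gecodeerd` in the last translated line is a Dutch spelling; the Afrikaans form used earlier in this same file is `geënkripteer`, and the heading uses `Gekodeerde`, so three variants of "encrypted" now appear in one short page. In the same line, `skulp` for "shell" (literally a seashell) is inconsistent with the droplets page in this commit, which keeps `shell` as a technical term (`'n shell binne die droplet`); keep `shell` here too.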

View File

@@ -2,14 +2,13 @@
{{#include ../../../banners/hacktricks-training.md}}
## Basic Information
## Basiese Inligting
DigitalOcean Container Registry is a service provided by DigitalOcean that **allows you to store and manage Docker images**. It is a **private** registry, which means that the images that you store in it are only accessible to you and users that you grant access to. This allows you to securely store and manage your Docker images, and use them to deploy containers on DigitalOcean or any other environment that supports Docker.
DigitalOcean Container Registry is 'n diens wat deur DigitalOcean verskaf word wat **jou toelaat om Docker-beelde te stoor en te bestuur**. Dit is 'n **privaat** registrasie, wat beteken dat die beelde wat jy daarin stoor slegs toeganklik is vir jou en gebruikers aan wie jy toegang verleen. Dit stel jou in staat om jou Docker-beelde veilig te stoor en te bestuur, en om dit te gebruik om houers op DigitalOcean of enige ander omgewing wat Docker ondersteun, te ontplooi.
When creating a Container Registry it's possible to **create a secret with pull images access (read) over it in all the namespaces** of Kubernetes clusters.
### Connection
Wanneer jy 'n Container Registry skep, is dit moontlik om 'n **geheime sleutel met pull images toegang (lees) oor dit in al die namespaces** van Kubernetes-klusters te skep.
### Verbinding
```bash
# Using doctl
doctl registry login
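Review bot: `'n **geheime sleutel met pull images toegang (lees) oor dit in al die namespaces**` renders the Kubernetes `secret` as "a secret key", which misdescribes what is created: the object is a Kubernetes Secret holding pull credentials, not a key. Keep `secret` (or `Kubernetes Secret`) as the product term, in the same way `pull images` and `namespaces` are left untranslated on that line.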
@@ -19,9 +18,7 @@ docker login registry.digitalocean.com
Username: <paste-api-token>
Password: <paste-api-token>
```
### Enumeration
### Opname
```bash
# Get creds to access the registry from the API
doctl registry docker-config
@@ -29,9 +26,4 @@ doctl registry docker-config
# List
doctl registry repository list-v2
```
{{#include ../../../banners/hacktricks-training.md}}

View File

@@ -4,20 +4,17 @@
## Basic Information
With DigitalOcean Databases, you can easily **create and manage databases in the cloud** without having to worry about the underlying infrastructure. The service offers a variety of database options, including **MySQL**, **PostgreSQL**, **MongoDB**, and **Redis**, and provides tools for administering and monitoring your databases. DigitalOcean Databases is designed to be highly scalable, reliable, and secure, making it an ideal choice for powering modern applications and websites.
Met DigitalOcean Databases kan jy maklik **databases in die wolk skep en bestuur** sonder om te bekommer oor die onderliggende infrastruktuur. Die diens bied 'n verskeidenheid databasisopsies, insluitend **MySQL**, **PostgreSQL**, **MongoDB**, en **Redis**, en verskaf gereedskap vir die administrasie en monitering van jou databases. DigitalOcean Databases is ontwerp om hoogs skaalbaar, betroubaar, en veilig te wees, wat dit 'n ideale keuse maak om moderne toepassings en webwerwe te ondersteun.
### Connections details
When creating a database you can select to configure it **accessible from a public network**, or just from inside a **VPC**. Moreover, it request you to **whitelist IPs that can access it** (your IPv4 can be one).
The **host**, **port**, **dbname**, **username**, and **password** are shown in the **console**. You can even download the AD certificate to connect securely.
Wanneer jy 'n databasis skep, kan jy kies om dit **toeganklik te maak vanaf 'n openbare netwerk**, of net van binne 'n **VPC**. Boonop vra dit jou om **IP's wat toegang kan hê, op die witlys te plaas** (jou IPv4 kan een wees).
Die **host**, **port**, **dbname**, **username**, en **password** word in die **console** vertoon. Jy kan selfs die AD-sertifikaat aflaai om veilig te verbind.
```bash
sql -h db-postgresql-ams3-90864-do-user-2700959-0.b.db.ondigitalocean.com -U doadmin -d defaultdb -p 25060
```
### Enumeration
### Opname
```bash
# Databse clusters
doctl databases list
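Review bot: the unchanged connection example `sql -h db-postgresql-ams3-... -U doadmin -d defaultdb -p 25060` looks like a typo for `psql`: `-U`, `-d` and `-p` are PostgreSQL client flags, the hostname names a `db-postgresql` cluster, and `sql` is not a standard client binary. Since this block is shared by both language versions, fix it once here. Also, `AD-sertifikaat` faithfully copies the English `AD certificate`; in the context of "download the certificate to connect securely" this appears to mean the CA certificate, so confirm against the source before translating it literally.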
@@ -39,9 +36,4 @@ doctl databases backups <db-id> # List backups of DB
# Pools
doctl databases pool list <db-id> # List pools of DB
```
{{#include ../../../banners/hacktricks-training.md}}

View File

@@ -2,47 +2,46 @@
{{#include ../../../banners/hacktricks-training.md}}
## Basic Information
## Basiese Inligting
In DigitalOcean, a "droplet" is a v**irtual private server (VPS)** that can be used to host websites and applications. A droplet is a **pre-configured package of computing resources**, including a certain amount of CPU, memory, and storage, that can be quickly and easily deployed on DigitalOcean's cloud infrastructure.
In DigitalOcean is 'n "droplet" 'n v**irtuele privaat bediener (VPS)** wat gebruik kan word om webwerwe en toepassings te huisves. 'n Droplet is 'n **vooraf-gekonfigureerde pakket van rekenaarhulpbronne**, insluitend 'n sekere hoeveelheid CPU, geheue, en stoorplek, wat vinnig en maklik op DigitalOcean se wolkinfrastruktuur ontplooi kan word.
You can select from **common OS**, to **applications** already running (such as WordPress, cPanel, Laravel...), or even upload and use **your own images**.
Jy kan kies uit **gewone OS**, tot **toepassings** wat reeds loop (soos WordPress, cPanel, Laravel...), of selfs jou **eie beelde** oplaai en gebruik.
Droplets support **User data scripts**.
Droplets ondersteun **Gebruikersdata-skripte**.
<details>
<summary>Difference between a snapshot and a backup</summary>
<summary>Verskil tussen 'n snapshot en 'n rugsteun</summary>
In DigitalOcean, a snapshot is a point-in-time copy of a Droplet's disk. It captures the state of the Droplet's disk at the time the snapshot was taken, including the operating system, installed applications, and all the files and data on the disk.
In DigitalOcean is 'n snapshot 'n punt-in-tyd kopie van 'n Droplet se skyf. Dit vang die toestand van die Droplet se skyf vas op die tydstip waarop die snapshot geneem is, insluitend die bedryfstelsel, geïnstalleerde toepassings, en al die lêers en data op die skyf.
Snapshots can be used to create new Droplets with the same configuration as the original Droplet, or to restore a Droplet to the state it was in when the snapshot was taken. Snapshots are stored on DigitalOcean's object storage service, and they are incremental, meaning that only the changes since the last snapshot are stored. This makes them efficient to use and cost-effective to store.
Snapshots kan gebruik word om nuwe Droplets te skep met dieselfde konfigurasie as die oorspronklike Droplet, of om 'n Droplet te herstel na die toestand waarin dit was toe die snapshot geneem is. Snapshots word gestoor op DigitalOcean se objekbergingdiens, en hulle is inkrementeel, wat beteken dat slegs die veranderinge sedert die laaste snapshot gestoor word. Dit maak hulle doeltreffend om te gebruik en kostedoeltreffend om te stoor.
On the other hand, a backup is a complete copy of a Droplet, including the operating system, installed applications, files, and data, as well as the Droplet's settings and metadata. Backups are typically performed on a regular schedule, and they capture the entire state of a Droplet at a specific point in time.
Aan die ander kant is 'n rugsteun 'n volledige kopie van 'n Droplet, insluitend die bedryfstelsel, geïnstalleerde toepassings, lêers, en data, sowel as die Droplet se instellings en metadata. Rugsteun word tipies op 'n gereelde skedule uitgevoer, en hulle vang die hele toestand van 'n Droplet op 'n spesifieke tydstip vas.
Unlike snapshots, backups are stored in a compressed and encrypted format, and they are transferred off of DigitalOcean's infrastructure to a remote location for safekeeping. This makes backups ideal for disaster recovery, as they provide a complete copy of a Droplet that can be restored in the event of data loss or other catastrophic events.
Verskillend van snapshots, word rugsteun in 'n gecomprimeerde en versleutelde formaat gestoor, en hulle word van DigitalOcean se infrastruktuur na 'n afgeleë plek oorgedra vir veilige bewaring. Dit maak rugsteun ideaal vir rampherstel, aangesien hulle 'n volledige kopie van 'n Droplet bied wat herstel kan word in die geval van dataverlies of ander katastrofiese gebeurtenisse.
In summary, snapshots are point-in-time copies of a Droplet's disk, while backups are complete copies of a Droplet, including its settings and metadata. Snapshots are stored on DigitalOcean's object storage service, while backups are transferred off of DigitalOcean's infrastructure to a remote location. Both snapshots and backups can be used to restore a Droplet, but snapshots are more efficient to use and store, while backups provide a more comprehensive backup solution for disaster recovery.
In samevatting, snapshots is punt-in-tyd kopieë van 'n Droplet se skyf, terwyl rugsteun volledige kopieë van 'n Droplet is, insluitend sy instellings en metadata. Snapshots word gestoor op DigitalOcean se objekbergingdiens, terwyl rugsteun van DigitalOcean se infrastruktuur na 'n afgeleë plek oorgedra word. Beide snapshots en rugsteun kan gebruik word om 'n Droplet te herstel, maar snapshots is doeltreffender om te gebruik en te stoor, terwyl rugsteun 'n meer omvattende rugsteunoplossing vir rampherstel bied.
</details>
### Authentication
### Verifikasie
For authentication it's possible to **enable SSH** through username and **password** (password defined when the droplet is created). Or **select one or more of the uploaded SSH keys**.
Vir verifikasie is dit moontlik om **SSH** in te skakel deur gebruikersnaam en **wagwoord** (wagwoord gedefinieer wanneer die droplet geskep word). Of **een of meer van die opgelaaide SSH-sleutels te kies**.
### Firewall
### Vuurmuur
> [!CAUTION]
> By default **droplets are created WITHOUT A FIREWALL** (not like in oder clouds such as AWS or GCP). So if you want DO to protect the ports of the droplet (VM), you need to **create it and attach it**.
> Standaard **word droplets GEEN VUURMUUR geskep** (nie soos in ander wolke soos AWS of GCP nie). So as jy wil hê DO moet die poorte van die droplet (VM) beskerm, moet jy **dit skep en aanheg**.
More info in:
Meer inligting in:
{{#ref}}
do-networking.md
{{#endref}}
### Enumeration
### Enumerasie
```bash
# VMs
doctl compute droplet list # IPs will appear here
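Review bot: the firewall caution loses its meaning in translation: `Standaard **word droplets GEEN VUURMUUR geskep**` reads as "by default droplets no firewall are created", whereas the English `droplets are created WITHOUT A FIREWALL` is `word droplets SONDER 'N VUURMUUR geskep`. This is the one security-relevant warning on the page, so the wording should be unambiguous. Two smaller points: the translated first paragraph reproduces the misplaced bold marker from the English (`'n v**irtuele privaat bediener (VPS)**` mirrors `a v**irtual private server (VPS)**`); move it to `**virtuele privaat bediener (VPS)**` in both. And the English source has `oder clouds` where `other clouds` is meant; the translation already reads `ander wolke`.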
@@ -68,18 +67,13 @@ doctl compute certificate list
# Snapshots
doctl compute snapshot list
```
> [!CAUTION]
> **Droplets have metadata endpoints**, but in DO there **isn't IAM** or things such as role from AWS or service accounts from GCP.
> **Droplets het metadata-eindpunte**, maar in DO **is daar nie IAM** of dinge soos rolle van AWS of diensrekeninge van GCP nie.
### RCE
With access to the console it's possible to **get a shell inside the droplet** accessing the URL: **`https://cloud.digitalocean.com/droplets/<droplet-id>/terminal/ui/`**
Met toegang tot die konsole is dit moontlik om **'n shell binne die droplet te kry** deur die URL te benader: **`https://cloud.digitalocean.com/droplets/<droplet-id>/terminal/ui/`**
It's also possible to launch a **recovery console** to run commands inside the host accessing a recovery console in **`https://cloud.digitalocean.com/droplets/<droplet-id>/console`**(but in this case you will need to know the root password).
Dit is ook moontlik om 'n **herstelkonsole** te begin om opdragte binne die gasheer uit te voer deur 'n herstelkonsole in **`https://cloud.digitalocean.com/droplets/<droplet-id>/console`** te benader (maar in hierdie geval sal jy die wortelwagwoord moet ken).
{{#include ../../../banners/hacktricks-training.md}}
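Review bot: `jy sal die wortelwagwoord moet ken` translates `root` as the plant word; `root` here is the account name on the droplet and should stay untranslated, for example `die root-wagwoord`, in the same way `shell`, `droplet` and `metadata-eindpunte` keep their technical meaning elsewhere in this hunk.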


@@ -2,39 +2,34 @@
{{#include ../../../banners/hacktricks-training.md}}
## Basic Information
## Basiese Inligting
DigitalOcean Functions, also known as "DO Functions," is a serverless computing platform that lets you **run code without having to worry about the underlying infrastructure**. With DO Functions, you can write and deploy your code as "functions" that can be **triggered** via **API**, **HTTP requests** (if enabled) or **cron**. These functions are executed in a fully managed environment, so you **don't need to worry** about scaling, security, or maintenance.
DigitalOcean Functions, ook bekend as "DO Functions," is 'n serverless computing platform wat jou toelaat om **kode te loop sonder om oor die onderliggende infrastruktuur te bekommer**. Met DO Functions kan jy jou kode skryf en ontplooi as "funksies" wat **geaktiveer** kan word via **API**, **HTTP versoeke** (indien geaktiveer) of **cron**. Hierdie funksies word in 'n volledig bestuurde omgewing uitgevoer, so jy **hoef nie te bekommer** oor skaal, sekuriteit of onderhoud nie.
In DO, to create a function first you need to **create a namespace** which will be **grouping functions**.\
Inside the namespace you can then create a function.
In DO, om 'n funksie te skep moet jy eers 'n **naamruimte** **skep** wat die **funksies groepeer**.\
Binne die naamruimte kan jy dan 'n funksie skep.
### Triggers
The way **to trigger a function via REST API** (always enabled, it's the method the cli uses) is by triggering a request with an **authentication token** like:
Die manier om **'n funksie via REST API te aktiveer** (altyd geaktiveer, dit is die metode wat die cli gebruik) is deur 'n versoek met 'n **authentikasie token** te aktiveer soos:
```bash
curl -X POST "https://faas-lon1-129376a7.doserverless.co/api/v1/namespaces/fn-c100c012-65bf-4040-1230-2183764b7c23/actions/functionname?blocking=true&result=true" \
-H "Content-Type: application/json" \
-H "Authorization: Basic MGU0NTczZGQtNjNiYS00MjZlLWI2YjctODk0N2MyYTA2NGQ4OkhwVEllQ2t4djNZN2x6YjJiRmFGc1FERXBySVlWa1lEbUxtRE1aRTludXA1UUNlU2VpV0ZGNjNqWnVhYVdrTFg="
-H "Content-Type: application/json" \
-H "Authorization: Basic MGU0NTczZGQtNjNiYS00MjZlLWI2YjctODk0N2MyYTA2NGQ4OkhwVEllQ2t4djNZN2x6YjJiRmFGc1FERXBySVlWa1lEbUxtRE1aRTludXA1UUNlU2VpV0ZGNjNqWnVhYVdrTFg="
```
To see how is the **`doctl`** cli tool getting this token (so you can replicate it), the **following command shows the complete network trace:**
Om te sien hoe die **`doctl`** cli-gereedskap hierdie token verkry (sodat jy dit kan repliseer), die **volgende opdrag toon die volledige netwerkspoor:**
```bash
doctl serverless connect --trace
```
**When HTTP trigger is enabled**, a web function can be invoked through these **HTTP methods GET, POST, PUT, PATCH, DELETE, HEAD and OPTIONS**.
**Wanneer HTTP-trigger geaktiveer is**, kan 'n webfunksie deur hierdie **HTTP-metodes GET, POST, PUT, PATCH, DELETE, HEAD en OPTIONS** aangeroep word.
> [!CAUTION]
> In DO functions, **environment variables cannot be encrypted** (at the time of this writing).\
> I couldn't find any way to read them from the CLI but from the console it's straight forward.
> In DO-funksies kan **omgewing veranderlikes nie geënkripteer** word (op die tyd van hierdie skrywe).\
> Ek kon nie enige manier vind om hulle van die CLI te lees nie, maar van die konsole is dit reguit vorentoe.
**Functions URLs** look like this: `https://<random>.doserverless.co/api/v1/web/<namespace-id>/default/<function-name>`
### Enumeration
**Funksies-URL's** lyk soos volg: `https://<random>.doserverless.co/api/v1/web/<namespace-id>/default/<function-name>`
### Enumerasie
```bash
# Namespace
doctl serverless namespaces list
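Review bot: the `curl` example still ships a concrete `Authorization: Basic ...` value next to a real-looking namespace id (`fn-c100c012-...`) and FaaS host; a documentation page should not carry a credential-shaped token, even a revoked one, so replace the header value with a placeholder such as `Basic <base64(uuid:token)>` and the namespace with `<namespace-id>`, as the Functions URL paragraph already does. The two header lines (`-H "Content-Type..."` and `-H "Authorization..."`) appear twice in the rendered hunk; if this is only a whitespace change that is fine, but if both copies landed in the file the request now sends each header twice. On wording, `authentikasie token` is not the term used earlier in this commit (`verifikasie`), and `dit is reguit vorentoe` is a calque of "straightforward"; `dit is eenvoudig` reads naturally.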
@@ -53,12 +48,7 @@ doctl serverless activations result <activation-id> # get only the response resu
# I couldn't find any way to get the env variables form the CLI
```
> [!CAUTION]
> There **isn't metadata endpoint** from the Functions sandbox.
> Daar **is nie 'n metadata-eindpunt** van die Functions sandkas nie.
{{#include ../../../banners/hacktricks-training.md}}
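Review bot: the untouched context comment `# I couldn't find any way to get the env variables form the CLI` has the typo `form` for `from`; since this hunk edits the lines directly below it, it is a cheap follow-up to fix here.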


@@ -2,22 +2,16 @@
{{#include ../../../banners/hacktricks-training.md}}
## Basic Information
## Basiese Inligting
DigitalOcean Images are **pre-built operating system or application images** that can be used to create new Droplets (virtual machines) on DigitalOcean. They are similar to virtual machine templates, and they allow you to **quickly and easily create new Droplets with the operating system** and applications that you need.
DigitalOcean Images is **voorafgeboude bedryfstelsels of toepassingsbeelde** wat gebruik kan word om nuwe Droplets (virtuele masjiene) op DigitalOcean te skep. Hulle is soortgelyk aan virtuele masjien sjablone, en hulle stel jou in staat om **vinning en maklik nuwe Droplets met die bedryfstelsel** en toepassings wat jy nodig het, te skep.
DigitalOcean provides a wide range of Images, including popular operating systems such as Ubuntu, CentOS, and FreeBSD, as well as pre-configured application Images such as LAMP, MEAN, and LEMP stacks. You can also create your own custom Images, or use Images from the community.
DigitalOcean bied 'n wye verskeidenheid van Beelde, insluitend gewilde bedryfstelsels soos Ubuntu, CentOS, en FreeBSD, sowel as vooraf-gekonfigureerde toepassingsbeelde soos LAMP, MEAN, en LEMP stakke. Jy kan ook jou eie pasgemaakte Beelde skep, of Beelde van die gemeenskap gebruik.
When you create a new Droplet on DigitalOcean, you can choose an Image to use as the basis for the Droplet. This will automatically install the operating system and any pre-installed applications on the new Droplet, so you can start using it right away. Images can also be used to create snapshots and backups of your Droplets, so you can easily create new Droplets from the same configuration in the future.
### Enumeration
Wanneer jy 'n nuwe Droplet op DigitalOcean skep, kan jy 'n Beeld kies om as die basis vir die Droplet te gebruik. Dit sal outomaties die bedryfstelsel en enige vooraf-geïnstalleerde toepassings op die nuwe Droplet installeer, sodat jy dit onmiddellik kan begin gebruik. Beelde kan ook gebruik word om snapshots en rugsteun van jou Droplets te skep, sodat jy maklik nuwe Droplets uit dieselfde konfigurasie in die toekoms kan skep.
### Enumerasie
```
doctl compute image list
```
{{#include ../../../banners/hacktricks-training.md}}
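Review bot: typo in the translated first paragraph: `vinning` should be `vinnig` ("quickly"), and `voorafgeboude bedryfstelsels of toepassingsbeelde` changes the meaning of "pre-built operating system or application images" (it now says the operating systems themselves are pre-built); `voorafgeboude bedryfstelsel- of toepassingsbeelde` keeps both nouns attached to "images". The untouched fence around `doctl compute image list` has no language tag while every other command block in this commit uses ```bash; worth aligning while the file is open.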


@@ -2,19 +2,18 @@
{{#include ../../../banners/hacktricks-training.md}}
## Basic Information
## Basiese Inligting
### DigitalOcean Kubernetes (DOKS)
DOKS is a managed Kubernetes service offered by DigitalOcean. The service is designed to **deploy and manage Kubernetes clusters on DigitalOcean's platform**. The key aspects of DOKS include:
DOKS is 'n bestuurde Kubernetes-diens wat deur DigitalOcean aangebied word. Die diens is ontwerp om **Kubernetes-klusters op DigitalOcean se platform te ontplooi en te bestuur**. Die sleutel aspekte van DOKS sluit in:
1. **Ease of Management**: The requirement to set up and maintain the underlying infrastructure is eliminated, simplifying the management of Kubernetes clusters.
2. **User-Friendly Interface**: It provides an intuitive interface that facilitates the creation and administration of clusters.
3. **Integration with DigitalOcean Services**: It seamlessly integrates with other services provided by DigitalOcean, such as Load Balancers and Block Storage.
4. **Automatic Updates and Upgrades**: The service includes the automatic updating and upgrading of clusters to ensure they are up-to-date.
### Connection
1. **Maklike Bestuur**: Die vereiste om die onderliggende infrastruktuur op te stel en te onderhou, word uitgeskakel, wat die bestuur van Kubernetes-klusters vereenvoudig.
2. **Gebruikersvriendelike Koppelvlak**: Dit bied 'n intuïtiewe koppelvlak wat die skepping en administrasie van klusters vergemaklik.
3. **Integrasie met DigitalOcean Dienste**: Dit integreer naatloos met ander dienste wat deur DigitalOcean aangebied word, soos Laai Balansers en Blok Berging.
4. **Outomatiese Opdaterings en Opgraderings**: Die diens sluit die outomatiese opdatering en opgradering van klusters in om te verseker dat hulle op datum is.
### Verbinding
```bash
# Generate kubeconfig from doctl
doctl kubernetes cluster kubeconfig save <cluster-id>
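Review bot: in list item 3, `Laai Balansers` and `Blok Berging` translate DigitalOcean product names word by word (and `laai` is "load" as in loading, not load in the traffic sense); keep the product names as they appear in the CLI (`Load Balancers`, `Block Storage`) or use the standard Afrikaans `lasbalanseerders`, and apply the same choice to the `### Laai Balansers` heading in the networking file of this commit. `Die sleutel aspekte` should be one word, `sleutelaspekte`.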
@@ -22,9 +21,7 @@ doctl kubernetes cluster kubeconfig save <cluster-id>
# Use a kubeconfig file that you can download from the console
kubectl --kubeconfig=/<pathtodirectory>/k8s-1-25-4-do-0-ams3-1670939911166-kubeconfig.yaml get nodes
```
### Enumeration
### Opname
```bash
# Get clusters
doctl kubernetes cluster list
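Review bot: the `### Enumeration` heading becomes `### Opname` here, but the same heading is rendered `### Enumerasie` in every other file of this commit (droplets, functions, images, projects, spaces, volumes); use one term so the translated pages stay consistent.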
@@ -35,9 +32,4 @@ doctl kubernetes cluster node-pool list <cluster-id>
# Get DO resources used by the cluster
doctl kubernetes cluster list-associated-resources <cluster-id>
```
{{#include ../../../banners/hacktricks-training.md}}


@@ -2,48 +2,34 @@
{{#include ../../../banners/hacktricks-training.md}}
### Domains
### Domeine
```bash
doctl compute domain list
doctl compute domain records list <domain>
# You can also create records
```
### Reserverd IPs
### Gereserveerde IP's
```bash
doctl compute reserved-ip list
doctl compute reserved-ip-action unassign <ip>
```
### Load Balancers
### Laai Balansers
```bash
doctl compute load-balancer list
doctl compute load-balancer remove-droplets <id> --droplet-ids 12,33
doctl compute load-balancer add-forwarding-rules <id> --forwarding-rules entry_protocol:tcp,entry_port:3306,...
```
### VPC
```
doctl vpcs list
```
### Firewall
> [!CAUTION]
> By default **droplets are created WITHOUT A FIREWALL** (not like in oder clouds such as AWS or GCP). So if you want DO to protect the ports of the droplet (VM), you need to **create it and attach it**.
> Standaard **word droëwels geskep SONDER 'N VUURMURE** (nie soos in ander wolke soos AWS of GCP nie). So as jy wil hê DO moet die poorte van die droëwel (VM) beskerm, moet jy dit **skep en aanheg**.
```bash
doctl compute firewall list
doctl compute firewall list-by-droplet <droplet-id>
doctl compute firewall remove-droplets <fw-id> --droplet-ids <droplet-id>
```
{{#include ../../../banners/hacktricks-training.md}}
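Review bot: the firewall caution in this file is translated differently from the identical sentence in the droplets file of this commit: `droëwels` for droplets (everywhere else the commit keeps `droplets`), and `SONDER 'N VUURMURE` pairs a singular article with a plural noun; `Standaard **word droplets SONDER 'N VUURMUUR geskep**` matches the other file and is grammatical. The `### Firewall` heading directly above it is also left in English while the droplets file renders it `### Vuurmuur`.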


@@ -2,26 +2,20 @@
{{#include ../../../banners/hacktricks-training.md}}
## Basic Information
## Basiese Inligting
> project is just a container for all the **services** (droplets, spaces, databases, kubernetes...) **running together inside of it**.\
> For more info check:
> project is net 'n houer vir al die **dienste** (droplets, spaces, databases, kubernetes...) **wat saam binne dit loop**.\
> Vir meer inligting, kyk:
{{#ref}}
../do-basic-information.md
{{#endref}}
### Enumeration
It's possible to **enumerate all the projects a user have access to** and all the resources that are running inside a project very easily:
### Enumerasie
Dit is moontlik om **alle projekte wat 'n gebruiker toegang het tot** en al die hulpbronne wat binne 'n projek loop, baie maklik te **enumerate**:
```bash
doctl projects list # Get projects
doctl projects resources list <proj-id> # Get all the resources of a project
```
{{#include ../../../banners/hacktricks-training.md}}
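Review bot: the translated quote keeps the missing article from the source (`> project is net 'n houer`; it should open `> 'n Projek is net 'n houer`), and in the enumeration sentence `alle projekte wat 'n gebruiker toegang het tot` has English word order; `al die projekte waartoe 'n gebruiker toegang het` is idiomatic. The bold `**enumerate**` at the end of that sentence was left untranslated while the heading above it says `Enumerasie` (`te **enumereer**` or `op te noem`).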


@@ -2,25 +2,24 @@
{{#include ../../../banners/hacktricks-training.md}}
## Basic Information
## Basiese Inligting
DigitalOcean Spaces are **object storage services**. They allow users to **store and serve large amounts of data**, such as images and other files, in a scalable and cost-effective way. Spaces can be accessed via the DigitalOcean control panel, or using the DigitalOcean API, and are integrated with other DigitalOcean services such as Droplets (virtual private servers) and Load Balancers.
DigitalOcean Spaces is **objekbergingdienste**. Hulle stel gebruikers in staat om **groot hoeveelhede data** te **stoor en te bedien**, soos beelde en ander lêers, op 'n skaalbare en kostedoeltreffende manier. Spaces kan toegang verkry word via die DigitalOcean beheerpaneel, of deur die DigitalOcean API, en is geïntegreer met ander DigitalOcean dienste soos Droplets (virtuele privaat bedieners) en Laaibalansers.
### Access
### Toegang
Spaces can be **public** (anyone can access them from the Internet) or **private** (only authorised users). To access the files from a private space outside of the Control Panel, we need to generate an **access key** and **secret**. These are a pair of random tokens that serve as a **username** and **password** to grant access to your Space.
Spaces kan **openbaar** wees (enigeen kan hulle vanaf die Internet toegang) of **privaat** wees (slegs gemagtigde gebruikers). Om toegang te verkry tot die lêers van 'n private ruimte buite die Beheerpaneel, moet ons 'n **toegangsleutel** en **geheime** genereer. Dit is 'n paar willekeurige tokens wat dien as 'n **gebruikersnaam** en **wagwoord** om toegang tot jou Space te verleen.
A **URL of a space** looks like this: **`https://uniqbucketname.fra1.digitaloceanspaces.com/`**\
Note the **region** as **subdomain**.
'n **URL van 'n ruimte** lyk soos volg: **`https://uniqbucketname.fra1.digitaloceanspaces.com/`**\
Let op die **streek** as **subdomein**.
Even if the **space** is **public**, **files** **inside** of it can be **private** (you will be able to access them only with credentials).
Selfs al is die **ruimte** **openbaar**, kan **lêers** **binne** daarvan **privaat** wees (jy sal slegs met geloofsbriewe toegang tot hulle hê).
However, **even** if the file is **private**, from the console it's possible to share a file with a link such as `https://fra1.digitaloceanspaces.com/uniqbucketname/filename?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=DO00PL3RA373GBV4TRF7%2F20221213%2Ffra1%2Fs3%2Faws4_request&X-Amz-Date=20221213T121017Z&X-Amz-Expires=3600&X-Amz-SignedHeaders=host&X-Amz-Signature=6a183dbc42453a8d30d7cd2068b66aeb9ebc066123629d44a8108115def975bc` for a period of time:
Tog, **selfs** al is die lêer **privaat**, is dit moontlik om 'n lêer vanaf die konsole te deel met 'n skakel soos `https://fra1.digitaloceanspaces.com/uniqbucketname/filename?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=DO00PL3RA373GBV4TRF7%2F20221213%2Ffra1%2Fs3%2Faws4_request&X-Amz-Date=20221213T121017Z&X-Amz-Expires=3600&X-Amz-SignedHeaders=host&X-Amz-Signature=6a183dbc42453a8d30d7cd2068b66aeb9ebc066123629d44a8108115def975bc` vir 'n tydperk:
<figure><img src="../../../images/image (277).png" alt=""><figcaption></figcaption></figure>
### Enumeration
### Enumerasie
```bash
# Unauthenticated
## Note how the region is specified in the endpoint
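Review bot: the shared-link example carries a concrete access key id (`X-Amz-Credential=DO00PL3RA373GBV4TRF7...`) and signature; the signature covers a one-hour window in 2022 and does not expose the secret key, but the key id is still a real-looking account identifier, so replace it with `<access-key-id>` and the signature with `<signature>` placeholders. In the Access paragraph, `'n **toegangsleutel** en **geheime**` should be singular `**geheim**` ("access key and secret"), and `Laaibalansers` here versus `Laai Balansers` in the other files of this commit should be unified.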
@@ -42,9 +41,4 @@ aws s3 ls --endpoint=https://fra1.digitaloceanspaces.com s3://uniqbucketname
## It's also possible to generate authorized access to buckets from the API
```
{{#include ../../../banners/hacktricks-training.md}}


@@ -2,18 +2,12 @@
{{#include ../../../banners/hacktricks-training.md}}
## Basic Information
## Basiese Inligting
DigitalOcean volumes are **block storage** devices that can be **attached to and detached from Droplets**. Volumes are useful for **storing data** that needs to **persist** independently of the Droplet itself, such as databases or file storage. They can be resized, attached to multiple Droplets, and snapshot for backups.
### Enumeration
DigitalOcean volumes is **blokberging** toestelle wat aan en van Droplets **aangeheg** en **ontheg** kan word. Volumes is nuttig vir **die stoor van data** wat **moet voortduur** onafhanklik van die Droplet self, soos databasisse of lêerberging. Hulle kan vergroot word, aan verskeie Droplets geheg word, en 'n snapshot vir rugsteun maak.
### Enumerasie
```
compute volume list
```
{{#include ../../../banners/hacktricks-training.md}}
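Review bot: the last clause of the translated paragraph, `en 'n snapshot vir rugsteun maak`, makes the volumes the subject that takes a snapshot; the English means volumes can be snapshotted, so `en daar kan snapshots van hulle vir rugsteun geneem word`. The untouched command block below it reads `compute volume list` without the `doctl` prefix every other block uses, and its fence has no language tag; both are worth a follow-up while the file is being edited.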