translate 2

2026-06-25 16:04:19 -07:00 · 2025-01-01 21:36:26 +01:00
parent d0b9174054
commit 2beb8398a6
250 changed files with 0 additions and 256 deletions
@@ -392,4 +392,3 @@ aws ...



-
@@ -389,4 +389,3 @@ If you are looking for something **similar** to this but for the **browser** you



-
@@ -132,4 +132,3 @@ In order to specify **which service account should be able to assume the role,**



-
@@ -20,4 +20,3 @@ These are the permissions you need on each AWS account you want to audit to be a



-
@@ -4,5 +4,3 @@



-
-
@@ -35,4 +35,3 @@ Or just remove the use of API keys.



-
@@ -45,4 +45,3 @@ By default this is disabled:



-
@@ -66,4 +66,3 @@ The compromised instances or Lambda functions can periodically check the C2 tabl



-
@@ -57,4 +57,3 @@ Create a peering connection between the victim VPC and the attacker VPC so he wi



-
@@ -100,4 +100,3 @@ aws ecr put-replication-configuration \



-
@@ -102,4 +102,3 @@ aws ecs create-service --service-name "undocumented-service" --task-definition "



-
@@ -24,4 +24,3 @@ You could **create an access point** (with root access to `/`) accessible from a



-
@@ -80,4 +80,3 @@ aws elasticbeanstalk update-environment --environment-name my-env --option-setti



-
@@ -52,4 +52,3 @@ If the account is already trusting a common identity provider (such as Github) t



-
@@ -42,4 +42,3 @@ aws kms list-grants --key-id <key-id>



-
@@ -67,4 +67,3 @@ Here you have some ideas to make your **presence in AWS more stealth by creating



-
@@ -45,4 +45,3 @@ The tool [**lambda-spy**](https://github.com/clearvector/lambda-spy) was created



-
@@ -133,4 +133,3 @@ aws lambda remove-layer-version-permission --layer-name ExternalBackdoor --state



-
@@ -36,4 +36,3 @@ If domains are configured:



-
@@ -34,4 +34,3 @@ aws rds modify-db-snapshot-attribute --db-snapshot-identifier <snapshot-name> --



-
@@ -28,4 +28,3 @@ Although usually ACLs of buckets are disabled, an attacker with enough privilege



-
@@ -56,4 +56,3 @@ def generate_password():



-
@@ -84,4 +84,3 @@ aws sns subscribe --region <region> \



-
@@ -42,4 +42,3 @@ The following policy gives everyone in AWS access to everything in the queue cal



-
@@ -4,5 +4,3 @@



-
-
@@ -24,4 +24,3 @@ If the AWS account is using aliases to call step functions it would be possible



-
@@ -134,4 +134,3 @@ Write-Host "Role juggling check complete."



-
@@ -4,5 +4,3 @@



-
-
@@ -149,4 +149,3 @@ aws apigateway create-usage-plan-key --usage-plan-id $USAGE_PLAN --key-id $API_K



-
@@ -34,4 +34,3 @@ You can check the [**tf code to recreate this scenarios here**](https://github.c



-
@@ -87,4 +87,3 @@ aws codebuild delete-source-credentials --arn <value>



-
@@ -191,4 +191,3 @@ aws codebuild start-build --project-name <proj-name>



-
@@ -23,4 +23,3 @@ aws controltower enable-control --control-identifier <arn_control_id> --target-i



-
@@ -98,4 +98,3 @@ A template for the policy document can be seen here:



-
@@ -352,4 +352,3 @@ bashCopy codeaws dynamodbstreams get-records \



-
@@ -480,4 +480,3 @@ if __name__ == "__main__":



-
@@ -144,4 +144,3 @@ You can use this tool to automate the attack: [https://github.com/Static-Flow/Cl



-
@@ -18,4 +18,3 @@ For more information and access to the [**malmirror script**](https://github.com



-
@@ -99,4 +99,3 @@ aws ecr-public batch-delete-image --repository-name your-ecr-repo-name --image-i



-
@@ -66,4 +66,3 @@ The EC2 instance will probably also have the permission `ecr:GetAuthorizationTok



-
@@ -57,4 +57,3 @@ aws efs delete-access-point --access-point-id <value>



-
@@ -158,4 +158,3 @@ So, if an **attacker compromises a cluster using fargate** and **removes all the



-
@@ -83,4 +83,3 @@ aws elasticbeanstalk remove-tags --resource-arn arn:aws:elasticbeanstalk:us-west



-
@@ -106,4 +106,3 @@ A common way to avoid Confused Deputy problems is the use of a condition with `A



-
@@ -136,4 +136,3 @@ aws kms schedule-key-deletion \



-
@@ -32,4 +32,3 @@ Abusing Lambda Layers it's also possible to abuse extensions and persist in the



-
@@ -66,4 +66,3 @@ For more info check [https://github.com/carlospolop/lambda_bootstrap_switcher](h



-
@@ -33,4 +33,3 @@ Check out the Lightsail privesc options to learn different ways to access potent



-
@@ -22,4 +22,3 @@ aws organizations deregister-account --account-id <account_id> --region <region>



-
@@ -95,4 +95,3 @@ aws rds start-export-task --export-task-identifier attacker-export-task --source



-
@@ -41,4 +41,3 @@ Finally, the attacker could upload a final file, usually named "ransom-note.txt,



-
@@ -52,4 +52,3 @@ aws secretsmanager delete-secret \



-
@@ -86,4 +86,3 @@ Still to test.



-
@@ -83,4 +83,3 @@ aws sns untag-resource --resource-arn <value> --tag-keys <key>



-
@@ -90,4 +90,3 @@ arduinoCopy codeaws sqs remove-permission --queue-url <value> --label <value>



-
@@ -28,4 +28,3 @@ aws sso-admin delete-account-assignment --instance-arn <SSOInstanceARN> --target



-
@@ -77,4 +77,3 @@ aws stepfunctions untag-resource --resource-arn <value> --tag-keys <key>



-
@@ -51,7 +51,6 @@ resp=$(curl -s "$federation_endpoint" \
 signin_token=$(echo -n $resp | jq -r '.SigninToken' | tr -d '\n' | jq -sRr @uri)


-
 # Give the URL to login
 echo -n "https://signin.aws.amazon.com/federation?Action=login&Issuer=example.com&Destination=https%3A%2F%2Fconsole.aws.amazon.com%2F&SigninToken=$signin_token"
 ```
@@ -107,4 +106,3 @@ response = client.get_secret_value(SecretId="flag_secret") print(response['Secre



-
@@ -16,4 +16,3 @@ For more information:



-
@@ -25,4 +25,3 @@ The way to escalate your privileges in AWS is to have enough permissions to be a



-
@@ -110,4 +110,3 @@ aws apigateway update-vpc-link --vpc-link-id $VPC_LINK_ID --patch-operations op=



-
@@ -12,4 +12,3 @@ TODO



-
@@ -120,4 +120,3 @@ An attacker could abuse this permission without the passRole permission to updat



-
@@ -83,4 +83,3 @@ aws cloudformation describe-stacks \



-
@@ -351,4 +351,3 @@ More details could be found [here](https://www.shielder.com/blog/2023/07/aws-cod



-
@@ -39,4 +39,3 @@ It might be possible to modify the role used and the command executed on a codep



-
@@ -75,4 +75,3 @@ You can find the exploit in [https://github.com/RhinoSecurityLabs/Cloud-Security



-
@@ -83,4 +83,3 @@ This is the created policy the user can privesc to (the project name was `superc



-
@@ -90,4 +90,3 @@ This exploit is based on the **Pacu exploit of these privileges**: [https://gith



-
@@ -316,4 +316,3 @@ For more information check [https://github.com/padok-team/cognito-scanner](https



-
@@ -76,4 +76,3 @@ The **pipeline definition file, crafted by the attacker, includes directives to



-
@@ -36,4 +36,3 @@ There isn't apparently any way to enable the application access URL, the AWS Man



-
@@ -25,4 +25,3 @@ As far as I know there is **no direct way to escalate privileges in AWS just by



-
@@ -29,4 +29,3 @@ You can use this tool to automate the attack: [https://github.com/Static-Flow/Cl



-
@@ -293,4 +293,3 @@ Assuming we find `aws_access_key_id` and `aws_secret_access_key`, we can use the



-
@@ -110,4 +110,3 @@ aws ecr set-repository-policy \



-
@@ -252,4 +252,3 @@ aws ecs update-service-primary-task-set --cluster existing-cluster --service exi



-
@@ -99,4 +99,3 @@ aws efs modify-mount-target-security-groups \



-
@@ -187,4 +187,3 @@ The developer has intentions to establish a reverse shell using Netcat or Socat



-
@@ -67,4 +67,3 @@ The URL of the notebook is `https://<notebook-id>.emrnotebooks-prod.eu-west-1.am



-
@@ -20,4 +20,3 @@ aws gamelift request-upload-credentials \



-
@@ -94,4 +94,3 @@ Just with the update permission an attacked could steal the IAM Credentials of t



-
@@ -275,4 +275,3 @@ aws iam update-open-id-connect-provider-thumbprint --open-id-connect-provider-ar



-
@@ -125,4 +125,3 @@ For more information check:



-
@@ -294,4 +294,3 @@ Some lambdas are going to be **receiving sensitive info from the users in parame



-
@@ -164,4 +164,3 @@ aws lightsail update-domain-entry \



-
@@ -28,4 +28,3 @@ aws mediapackage rotate-ingest-endpoint-credentials --id test --ingest-endpoint-



-
@@ -52,4 +52,3 @@ If you could somehow find the original credentials used by ActiveMQ you could pe



-
@@ -26,4 +26,3 @@ If **IAM role-based authentication** is used and **kafka is publicly exposed** y



-
@@ -21,4 +21,3 @@ To [**learn how check this page**](../#compromising-the-organization).



-
@@ -172,4 +172,3 @@ aws rds add-role-to-db-instance --db-instance-identifier target-instance --role-



-
@@ -109,4 +109,3 @@ Check [https://docs.aws.amazon.com/redshift/latest/dg/loading-data-from-emr.html



-
@@ -185,4 +185,3 @@ aws s3api put-object-acl --bucket <bucket-name> --key flag --version-id <value>



-
@@ -116,4 +116,3 @@ An attacker with those permissions will (potentially) be able to create an **hyp



-
@@ -53,4 +53,3 @@ policy.json:



-
@@ -46,4 +46,3 @@ aws sns add-permission --topic-arn <value> --label <value> --aws-account-id <val



-
@@ -49,4 +49,3 @@ aws sqs change-message-visibility --queue-url <value> --receipt-handle <value> -



-
@@ -134,4 +134,3 @@ aws-codebuild-privesc.md



-
@@ -134,4 +134,3 @@ aws sso-admin   delete-permissions-boundary-from-permission-set --instance-arn <



-
@@ -256,4 +256,3 @@ aws stepfunctions update-state-machine --state-machine-arn arn:aws:states:us-eas



-
--- a/Show More
+++ b/Show More
				`@@ -389,4 +389,3 @@ If you are looking for something similar to this but for the browser you`
				`@@ -132,4 +132,3 @@ In order to specify which service account should be able to assume the role,`
				`@@ -20,4 +20,3 @@ These are the permissions you need on each AWS account you want to audit to be a`
				`@@ -66,4 +66,3 @@ The compromised instances or Lambda functions can periodically check the C2 tabl`
				`@@ -57,4 +57,3 @@ Create a peering connection between the victim VPC and the attacker VPC so he wi`
				`@@ -100,4 +100,3 @@ aws ecr put-replication-configuration \`
				`@@ -102,4 +102,3 @@ aws ecs create-service --service-name "undocumented-service" --task-definition "`
				@@ -24,4 +24,3 @@ You could create an access point (with root access to `/`) accessible from a
				`@@ -80,4 +80,3 @@ aws elasticbeanstalk update-environment --environment-name my-env --option-setti`
				`@@ -52,4 +52,3 @@ If the account is already trusting a common identity provider (such as Github) t`