mirror of
https://github.com/HackTricks-wiki/hacktricks-cloud.git
synced 2026-07-03 03:15:13 -07:00
translate 2
This commit is contained in:
@@ -391,4 +391,3 @@ aws ...
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -388,4 +388,3 @@ If you are looking for something **similar** to this but for the **browser** you
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -131,4 +131,3 @@ In order to specify **which service account should be able to assume the role,**
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -19,4 +19,3 @@ These are the permissions you need on each AWS account you want to audit to be a
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -3,4 +3,3 @@
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -34,4 +34,3 @@ Or just remove the use of API keys.
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -44,4 +44,3 @@ By default this is disabled:
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -65,4 +65,3 @@ The compromised instances or Lambda functions can periodically check the C2 tabl
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -56,4 +56,3 @@ Create a peering connection between the victim VPC and the attacker VPC so he wi
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -99,4 +99,3 @@ aws ecr put-replication-configuration \
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -101,4 +101,3 @@ aws ecs create-service --service-name "undocumented-service" --task-definition "
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -23,4 +23,3 @@ You could **create an access point** (with root access to `/`) accessible from a
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -79,4 +79,3 @@ aws elasticbeanstalk update-environment --environment-name my-env --option-setti
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -51,4 +51,3 @@ If the account is already trusting a common identity provider (such as Github) t
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -41,4 +41,3 @@ aws kms list-grants --key-id <key-id>
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -66,4 +66,3 @@ Here you have some ideas to make your **presence in AWS more stealth by creating
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
-1
@@ -44,4 +44,3 @@ The tool [**lambda-spy**](https://github.com/clearvector/lambda-spy) was created
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
-1
@@ -132,4 +132,3 @@ aws lambda remove-layer-version-permission --layer-name ExternalBackdoor --state
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -35,4 +35,3 @@ If domains are configured:
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -33,4 +33,3 @@ aws rds modify-db-snapshot-attribute --db-snapshot-identifier <snapshot-name> --
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -27,4 +27,3 @@ Although usually ACLs of buckets are disabled, an attacker with enough privilege
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -55,4 +55,3 @@ def generate_password():
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -83,4 +83,3 @@ aws sns subscribe --region <region> \
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -41,4 +41,3 @@ The following policy gives everyone in AWS access to everything in the queue cal
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -3,4 +3,3 @@
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -23,4 +23,3 @@ If the AWS account is using aliases to call step functions it would be possible
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -133,4 +133,3 @@ Write-Host "Role juggling check complete."
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -3,4 +3,3 @@
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
-1
@@ -148,4 +148,3 @@ aws apigateway create-usage-plan-key --usage-plan-id $USAGE_PLAN --key-id $API_K
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
-1
@@ -33,4 +33,3 @@ You can check the [**tf code to recreate this scenarios here**](https://github.c
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
-1
@@ -86,4 +86,3 @@ aws codebuild delete-source-credentials --arn <value>
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
-1
@@ -190,4 +190,3 @@ aws codebuild start-build --project-name <proj-name>
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
-1
@@ -22,4 +22,3 @@ aws controltower enable-control --control-identifier <arn_control_id> --target-i
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -97,4 +97,3 @@ A template for the policy document can be seen here:
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
-1
@@ -351,4 +351,3 @@ bashCopy codeaws dynamodbstreams get-records \
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
-1
@@ -479,4 +479,3 @@ if __name__ == "__main__":
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
-1
@@ -143,4 +143,3 @@ You can use this tool to automate the attack: [https://github.com/Static-Flow/Cl
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
-1
@@ -17,4 +17,3 @@ For more information and access to the [**malmirror script**](https://github.com
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -98,4 +98,3 @@ aws ecr-public batch-delete-image --repository-name your-ecr-repo-name --image-i
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -65,4 +65,3 @@ The EC2 instance will probably also have the permission `ecr:GetAuthorizationTok
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -56,4 +56,3 @@ aws efs delete-access-point --access-point-id <value>
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -157,4 +157,3 @@ So, if an **attacker compromises a cluster using fargate** and **removes all the
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
-1
@@ -82,4 +82,3 @@ aws elasticbeanstalk remove-tags --resource-arn arn:aws:elasticbeanstalk:us-west
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -105,4 +105,3 @@ A common way to avoid Confused Deputy problems is the use of a condition with `A
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -135,4 +135,3 @@ aws kms schedule-key-deletion \
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
-1
@@ -31,4 +31,3 @@ Abusing Lambda Layers it's also possible to abuse extensions and persist in the
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
-1
@@ -65,4 +65,3 @@ For more info check [https://github.com/carlospolop/lambda_bootstrap_switcher](h
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
-1
@@ -32,4 +32,3 @@ Check out the Lightsail privesc options to learn different ways to access potent
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
-1
@@ -21,4 +21,3 @@ aws organizations deregister-account --account-id <account_id> --region <region>
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -94,4 +94,3 @@ aws rds start-export-task --export-task-identifier attacker-export-task --source
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -40,4 +40,3 @@ Finally, the attacker could upload a final file, usually named "ransom-note.txt,
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
-1
@@ -51,4 +51,3 @@ aws secretsmanager delete-secret \
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -85,4 +85,3 @@ Still to test.
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -82,4 +82,3 @@ aws sns untag-resource --resource-arn <value> --tag-keys <key>
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -89,4 +89,3 @@ arduinoCopy codeaws sqs remove-permission --queue-url <value> --label <value>
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
-1
@@ -27,4 +27,3 @@ aws sso-admin delete-account-assignment --instance-arn <SSOInstanceARN> --target
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
-1
@@ -76,4 +76,3 @@ aws stepfunctions untag-resource --resource-arn <value> --tag-keys <key>
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -105,4 +105,3 @@ response = client.get_secret_value(SecretId="flag_secret") print(response['Secre
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -15,4 +15,3 @@ For more information:
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -24,4 +24,3 @@ The way to escalate your privileges in AWS is to have enough permissions to be a
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -109,4 +109,3 @@ aws apigateway update-vpc-link --vpc-link-id $VPC_LINK_ID --patch-operations op=
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -11,4 +11,3 @@ TODO
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
-1
@@ -119,4 +119,3 @@ An attacker could abuse this permission without the passRole permission to updat
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
-1
@@ -82,4 +82,3 @@ aws cloudformation describe-stacks \
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -350,4 +350,3 @@ More details could be found [here](https://www.shielder.com/blog/2023/07/aws-cod
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -38,4 +38,3 @@ It might be possible to modify the role used and the command executed on a codep
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
-1
@@ -74,4 +74,3 @@ You can find the exploit in [https://github.com/RhinoSecurityLabs/Cloud-Security
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
-1
@@ -82,4 +82,3 @@ This is the created policy the user can privesc to (the project name was `superc
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
-1
@@ -89,4 +89,3 @@ This exploit is based on the **Pacu exploit of these privileges**: [https://gith
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -315,4 +315,3 @@ For more information check [https://github.com/padok-team/cognito-scanner](https
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -75,4 +75,3 @@ The **pipeline definition file, crafted by the attacker, includes directives to
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
-1
@@ -35,4 +35,3 @@ There isn't apparently any way to enable the application access URL, the AWS Man
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -24,4 +24,3 @@ As far as I know there is **no direct way to escalate privileges in AWS just by
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -28,4 +28,3 @@ You can use this tool to automate the attack: [https://github.com/Static-Flow/Cl
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -292,4 +292,3 @@ Assuming we find `aws_access_key_id` and `aws_secret_access_key`, we can use the
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -109,4 +109,3 @@ aws ecr set-repository-policy \
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -251,4 +251,3 @@ aws ecs update-service-primary-task-set --cluster existing-cluster --service exi
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -98,4 +98,3 @@ aws efs modify-mount-target-security-groups \
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
-1
@@ -186,4 +186,3 @@ The developer has intentions to establish a reverse shell using Netcat or Socat
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -66,4 +66,3 @@ The URL of the notebook is `https://<notebook-id>.emrnotebooks-prod.eu-west-1.am
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -19,4 +19,3 @@ aws gamelift request-upload-credentials \
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -93,4 +93,3 @@ Just with the update permission an attacked could steal the IAM Credentials of t
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -274,4 +274,3 @@ aws iam update-open-id-connect-provider-thumbprint --open-id-connect-provider-ar
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -124,4 +124,3 @@ For more information check:
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -293,4 +293,3 @@ Some lambdas are going to be **receiving sensitive info from the users in parame
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -163,4 +163,3 @@ aws lightsail update-domain-entry \
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -27,4 +27,3 @@ aws mediapackage rotate-ingest-endpoint-credentials --id test --ingest-endpoint-
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -51,4 +51,3 @@ If you could somehow find the original credentials used by ActiveMQ you could pe
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -25,4 +25,3 @@ If **IAM role-based authentication** is used and **kafka is publicly exposed** y
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
-1
@@ -20,4 +20,3 @@ To [**learn how check this page**](../#compromising-the-organization).
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -171,4 +171,3 @@ aws rds add-role-to-db-instance --db-instance-identifier target-instance --role-
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -108,4 +108,3 @@ Check [https://docs.aws.amazon.com/redshift/latest/dg/loading-data-from-emr.html
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -184,4 +184,3 @@ aws s3api put-object-acl --bucket <bucket-name> --key flag --version-id <value>
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -115,4 +115,3 @@ An attacker with those permissions will (potentially) be able to create an **hyp
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
-1
@@ -52,4 +52,3 @@ policy.json:
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -45,4 +45,3 @@ aws sns add-permission --topic-arn <value> --label <value> --aws-account-id <val
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -48,4 +48,3 @@ aws sqs change-message-visibility --queue-url <value> --receipt-handle <value> -
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -133,4 +133,3 @@ aws-codebuild-privesc.md
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
-1
@@ -133,4 +133,3 @@ aws sso-admin delete-permissions-boundary-from-permission-set --instance-arn <
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
-1
@@ -255,4 +255,3 @@ aws stepfunctions update-state-machine --state-machine-arn arn:aws:states:us-eas
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
Some files were not shown because too many files have changed in this diff Show More
Reference in New Issue
Block a user