diff --git a/src/pentesting-ci-cd/apache-airflow-security/README.md b/src/pentesting-ci-cd/apache-airflow-security/README.md index 5da57b39d..aac46128c 100644 --- a/src/pentesting-ci-cd/apache-airflow-security/README.md +++ b/src/pentesting-ci-cd/apache-airflow-security/README.md @@ -173,3 +173,7 @@ foo = Variable.get("foo") If they are used for example inside a a bash command, you could perform a command injection. {{#include ../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-ci-cd/apache-airflow-security/airflow-configuration.md b/src/pentesting-ci-cd/apache-airflow-security/airflow-configuration.md index 666d49577..5fd8e486b 100644 --- a/src/pentesting-ci-cd/apache-airflow-security/airflow-configuration.md +++ b/src/pentesting-ci-cd/apache-airflow-security/airflow-configuration.md @@ -109,3 +109,7 @@ AUTH_ROLE_PUBLIC = 'Admin' ``` {{#include ../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-ci-cd/apache-airflow-security/airflow-rbac.md b/src/pentesting-ci-cd/apache-airflow-security/airflow-rbac.md index 09d5d84fa..7ff782327 100644 --- a/src/pentesting-ci-cd/apache-airflow-security/airflow-rbac.md +++ b/src/pentesting-ci-cd/apache-airflow-security/airflow-rbac.md @@ -41,3 +41,7 @@ These are the default permissions per default role: \[] {{#include ../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-ci-cd/circleci-security.md b/src/pentesting-ci-cd/circleci-security.md index dce70674b..8b8a1fea1 100644 --- a/src/pentesting-ci-cd/circleci-security.md +++ b/src/pentesting-ci-cd/circleci-security.md @@ -254,3 +254,6 @@ jobs: {{#include ../banners/hacktricks-training.md}} + + + diff --git a/src/pentesting-ci-cd/cloudflare-security/README.md b/src/pentesting-ci-cd/cloudflare-security/README.md index e4e65d7dd..77d2c2c50 100644 --- a/src/pentesting-ci-cd/cloudflare-security/README.md +++ b/src/pentesting-ci-cd/cloudflare-security/README.md @@ -132,3 +132,7 @@ cloudflare-zero-trust-network.md [Check this part](cloudflare-domains.md#cloudflare-ddos-protection). {{#include ../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-ci-cd/cloudflare-security/cloudflare-domains.md b/src/pentesting-ci-cd/cloudflare-security/cloudflare-domains.md index 8f3665647..02989e685 100644 --- a/src/pentesting-ci-cd/cloudflare-security/cloudflare-domains.md +++ b/src/pentesting-ci-cd/cloudflare-security/cloudflare-domains.md @@ -131,3 +131,7 @@ TODO TODO {{#include ../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-ci-cd/cloudflare-security/cloudflare-zero-trust-network.md b/src/pentesting-ci-cd/cloudflare-security/cloudflare-zero-trust-network.md index 8348eaf6b..491ae7bc1 100644 --- a/src/pentesting-ci-cd/cloudflare-security/cloudflare-zero-trust-network.md +++ b/src/pentesting-ci-cd/cloudflare-security/cloudflare-zero-trust-network.md @@ -59,3 +59,7 @@ TODO - [ ] It's recommended to **add a User Seat Expiration** to remove users that doesn't really use this service {{#include ../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-ci-cd/concourse-security/README.md b/src/pentesting-ci-cd/concourse-security/README.md index d354374ef..bcf20facf 100644 --- a/src/pentesting-ci-cd/concourse-security/README.md +++ b/src/pentesting-ci-cd/concourse-security/README.md @@ -31,3 +31,7 @@ concourse-enumeration-and-attacks.md {{#endref}} {{#include ../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-ci-cd/concourse-security/concourse-architecture.md b/src/pentesting-ci-cd/concourse-security/concourse-architecture.md index 250af06ad..d70167906 100644 --- a/src/pentesting-ci-cd/concourse-security/concourse-architecture.md +++ b/src/pentesting-ci-cd/concourse-security/concourse-architecture.md @@ -36,3 +36,7 @@ In order to execute tasks concourse must have some workers. These workers **regi - [https://concourse-ci.org/internals.html](https://concourse-ci.org/internals.html) {{#include ../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-ci-cd/concourse-security/concourse-enumeration-and-attacks.md b/src/pentesting-ci-cd/concourse-security/concourse-enumeration-and-attacks.md index 538c0a92b..4b778a804 100644 --- a/src/pentesting-ci-cd/concourse-security/concourse-enumeration-and-attacks.md +++ b/src/pentesting-ci-cd/concourse-security/concourse-enumeration-and-attacks.md @@ -440,3 +440,7 @@ Accept-Encoding: gzip. - https://concourse-ci.org/vars.html {{#include ../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-ci-cd/concourse-security/concourse-lab-creation.md b/src/pentesting-ci-cd/concourse-security/concourse-lab-creation.md index 14b3c7845..0cc6363a7 100644 --- a/src/pentesting-ci-cd/concourse-security/concourse-lab-creation.md +++ b/src/pentesting-ci-cd/concourse-security/concourse-lab-creation.md @@ -149,3 +149,7 @@ You don't need to trigger the jobs manually every-time you need to run them, you Check a YAML pipeline example that triggers on new commits to master in [https://concourse-ci.org/tutorial-resources.html](https://concourse-ci.org/tutorial-resources.html) {{#include ../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-ci-cd/gitea-security/README.md b/src/pentesting-ci-cd/gitea-security/README.md index b1b1842fd..bf4f6485a 100644 --- a/src/pentesting-ci-cd/gitea-security/README.md +++ b/src/pentesting-ci-cd/gitea-security/README.md @@ -136,3 +136,7 @@ If you are inside the server you can also **use the `gitea` binary** to access/m - `gitea admin user create --username newuser --password superpassword --email user@user.user --admin --access-token` Create new admin user and get an access token {{#include ../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-ci-cd/gitea-security/basic-gitea-information.md b/src/pentesting-ci-cd/gitea-security/basic-gitea-information.md index 0fcc1a3f8..e6e4d9ba3 100644 --- a/src/pentesting-ci-cd/gitea-security/basic-gitea-information.md +++ b/src/pentesting-ci-cd/gitea-security/basic-gitea-information.md @@ -101,3 +101,7 @@ Different protections can be applied to a branch (like to master): > As you can see, even if you managed to obtain some credentials of a user, **repos might be protected avoiding you to pushing code to master** for example to compromise the CI/CD pipeline. {{#include ../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-ci-cd/github-security/README.md b/src/pentesting-ci-cd/github-security/README.md index dc8fdc948..cdad12b57 100644 --- a/src/pentesting-ci-cd/github-security/README.md +++ b/src/pentesting-ci-cd/github-security/README.md @@ -242,3 +242,7 @@ jobs: For more info check [https://www.chainguard.dev/unchained/what-the-fork-imposter-commits-in-github-actions-and-ci-cd](https://www.chainguard.dev/unchained/what-the-fork-imposter-commits-in-github-actions-and-ci-cd) {{#include ../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-ci-cd/github-security/abusing-github-actions/README.md b/src/pentesting-ci-cd/github-security/abusing-github-actions/README.md index a9f7633d1..c5ce0467b 100644 --- a/src/pentesting-ci-cd/github-security/abusing-github-actions/README.md +++ b/src/pentesting-ci-cd/github-security/abusing-github-actions/README.md @@ -579,3 +579,7 @@ The following tools are useful to find Github Action workflows and even find vul - [https://github.com/carlospolop/PurplePanda](https://github.com/carlospolop/PurplePanda) {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-ci-cd/github-security/abusing-github-actions/gh-actions-artifact-poisoning.md b/src/pentesting-ci-cd/github-security/abusing-github-actions/gh-actions-artifact-poisoning.md index 6735c7d65..ae156de2d 100644 --- a/src/pentesting-ci-cd/github-security/abusing-github-actions/gh-actions-artifact-poisoning.md +++ b/src/pentesting-ci-cd/github-security/abusing-github-actions/gh-actions-artifact-poisoning.md @@ -1,2 +1,6 @@ # Gh Actions - Artifact Poisoning + + + + diff --git a/src/pentesting-ci-cd/github-security/abusing-github-actions/gh-actions-cache-poisoning.md b/src/pentesting-ci-cd/github-security/abusing-github-actions/gh-actions-cache-poisoning.md index ad5539e7c..024aa5ff8 100644 --- a/src/pentesting-ci-cd/github-security/abusing-github-actions/gh-actions-cache-poisoning.md +++ b/src/pentesting-ci-cd/github-security/abusing-github-actions/gh-actions-cache-poisoning.md @@ -1,2 +1,6 @@ # GH Actions - Cache Poisoning + + + + diff --git a/src/pentesting-ci-cd/github-security/abusing-github-actions/gh-actions-context-script-injections.md b/src/pentesting-ci-cd/github-security/abusing-github-actions/gh-actions-context-script-injections.md index 89d6cff73..3cd632bd0 100644 --- a/src/pentesting-ci-cd/github-security/abusing-github-actions/gh-actions-context-script-injections.md +++ b/src/pentesting-ci-cd/github-security/abusing-github-actions/gh-actions-context-script-injections.md @@ -1,2 +1,6 @@ # Gh Actions - Context Script Injections + + + + diff --git a/src/pentesting-ci-cd/github-security/accessible-deleted-data-in-github.md b/src/pentesting-ci-cd/github-security/accessible-deleted-data-in-github.md index 879983075..f19fa699e 100644 --- a/src/pentesting-ci-cd/github-security/accessible-deleted-data-in-github.md +++ b/src/pentesting-ci-cd/github-security/accessible-deleted-data-in-github.md @@ -54,3 +54,7 @@ And the latest one use a short sha-1 that is bruteforceable. - [https://trufflesecurity.com/blog/anyone-can-access-deleted-and-private-repo-data-github](https://trufflesecurity.com/blog/anyone-can-access-deleted-and-private-repo-data-github) {{#include ../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-ci-cd/github-security/basic-github-information.md b/src/pentesting-ci-cd/github-security/basic-github-information.md index 1fe92dd5c..ae1365a0f 100644 --- a/src/pentesting-ci-cd/github-security/basic-github-information.md +++ b/src/pentesting-ci-cd/github-security/basic-github-information.md @@ -253,3 +253,7 @@ Different protections can be applied to a branch (like to master): - [https://docs.github.com/en/actions/security-guides/encrypted-secrets](https://docs.github.com/en/actions/security-guides/encrypted-secrets) {{#include ../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-ci-cd/jenkins-security/README.md b/src/pentesting-ci-cd/jenkins-security/README.md index 944e9cdf9..4dfba3ff3 100644 --- a/src/pentesting-ci-cd/jenkins-security/README.md +++ b/src/pentesting-ci-cd/jenkins-security/README.md @@ -410,3 +410,7 @@ println(hudson.util.Secret.decrypt("{...}")) - [https://medium.com/@Proclus/tryhackme-internal-walk-through-90ec901926d3](https://medium.com/@Proclus/tryhackme-internal-walk-through-90ec901926d3) {{#include ../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-ci-cd/jenkins-security/basic-jenkins-information.md b/src/pentesting-ci-cd/jenkins-security/basic-jenkins-information.md index 690b8b314..6e62a8536 100644 --- a/src/pentesting-ci-cd/jenkins-security/basic-jenkins-information.md +++ b/src/pentesting-ci-cd/jenkins-security/basic-jenkins-information.md @@ -92,3 +92,7 @@ According to [**the docs**](https://www.jenkins.io/blog/2019/02/21/credentials-m - [https://www.jenkins.io/doc/book/managing/nodes/](https://www.jenkins.io/doc/book/managing/nodes/) {{#include ../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-ci-cd/jenkins-security/jenkins-arbitrary-file-read-to-rce-via-remember-me.md b/src/pentesting-ci-cd/jenkins-security/jenkins-arbitrary-file-read-to-rce-via-remember-me.md index 1839878a1..9d2b232e1 100644 --- a/src/pentesting-ci-cd/jenkins-security/jenkins-arbitrary-file-read-to-rce-via-remember-me.md +++ b/src/pentesting-ci-cd/jenkins-security/jenkins-arbitrary-file-read-to-rce-via-remember-me.md @@ -103,3 +103,7 @@ This is an AI created summary of the part of the post were the creaft of an arbi The example curl command provided demonstrates how to make a request to Jenkins with the necessary headers and cookies to execute arbitrary code securely. {{#include ../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-ci-cd/jenkins-security/jenkins-dumping-secrets-from-groovy.md b/src/pentesting-ci-cd/jenkins-security/jenkins-dumping-secrets-from-groovy.md index 035e24e4f..8699b8159 100644 --- a/src/pentesting-ci-cd/jenkins-security/jenkins-dumping-secrets-from-groovy.md +++ b/src/pentesting-ci-cd/jenkins-security/jenkins-dumping-secrets-from-groovy.md @@ -87,3 +87,7 @@ for (c in creds) { ``` {{#include ../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-ci-cd/jenkins-security/jenkins-rce-creating-modifying-pipeline.md b/src/pentesting-ci-cd/jenkins-security/jenkins-rce-creating-modifying-pipeline.md index f34e83a69..89ca15223 100644 --- a/src/pentesting-ci-cd/jenkins-security/jenkins-rce-creating-modifying-pipeline.md +++ b/src/pentesting-ci-cd/jenkins-security/jenkins-rce-creating-modifying-pipeline.md @@ -37,3 +37,7 @@ Finally click on **Save**, and **Build Now** and the pipeline will be executed: If you can access the configuration file of some pipeline configured you could just **modify it appending your reverse shell** and then execute it or wait until it gets executed. {{#include ../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-ci-cd/jenkins-security/jenkins-rce-creating-modifying-project.md b/src/pentesting-ci-cd/jenkins-security/jenkins-rce-creating-modifying-project.md index 6afbea340..f16096070 100644 --- a/src/pentesting-ci-cd/jenkins-security/jenkins-rce-creating-modifying-project.md +++ b/src/pentesting-ci-cd/jenkins-security/jenkins-rce-creating-modifying-project.md @@ -34,3 +34,7 @@ Click on **Save** and **build** the project and your **command will be executed* If you are not executing a reverse shell but a simple command you can **see the output of the command inside the output of the build**. {{#include ../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-ci-cd/jenkins-security/jenkins-rce-with-groovy-script.md b/src/pentesting-ci-cd/jenkins-security/jenkins-rce-with-groovy-script.md index d7b9fa3eb..33821cc03 100644 --- a/src/pentesting-ci-cd/jenkins-security/jenkins-rce-with-groovy-script.md +++ b/src/pentesting-ci-cd/jenkins-security/jenkins-rce-with-groovy-script.md @@ -61,3 +61,7 @@ msf> use exploit/multi/http/jenkins_script_console ``` {{#include ../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-ci-cd/okta-security/README.md b/src/pentesting-ci-cd/okta-security/README.md index 10d34c1e4..e682996c2 100644 --- a/src/pentesting-ci-cd/okta-security/README.md +++ b/src/pentesting-ci-cd/okta-security/README.md @@ -112,3 +112,7 @@ okta-hardening.md - [https://medium.com/nickvangilder/okta-for-red-teamers-perimeter-edition-c60cb8d53f23](https://medium.com/nickvangilder/okta-for-red-teamers-perimeter-edition-c60cb8d53f23) {{#include ../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-ci-cd/okta-security/okta-hardening.md b/src/pentesting-ci-cd/okta-security/okta-hardening.md index 231b4c822..a7dac96a7 100644 --- a/src/pentesting-ci-cd/okta-security/okta-hardening.md +++ b/src/pentesting-ci-cd/okta-security/okta-hardening.md @@ -197,3 +197,7 @@ Here you can find **generic information** about the Okta environment, such as th Here you can download Okta agents to sync Okta with other technologies. {{#include ../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-ci-cd/pentesting-ci-cd-methodology.md b/src/pentesting-ci-cd/pentesting-ci-cd-methodology.md index 2481ffb1f..41899af04 100644 --- a/src/pentesting-ci-cd/pentesting-ci-cd-methodology.md +++ b/src/pentesting-ci-cd/pentesting-ci-cd-methodology.md @@ -103,3 +103,6 @@ Check this interesting article about the top 10 CI/CD risks according to Cider: {{#include ../banners/hacktricks-training.md}} + + + diff --git a/src/pentesting-ci-cd/serverless.com-security.md b/src/pentesting-ci-cd/serverless.com-security.md index 007bf5cc6..bf1343702 100644 --- a/src/pentesting-ci-cd/serverless.com-security.md +++ b/src/pentesting-ci-cd/serverless.com-security.md @@ -856,3 +856,7 @@ Granting excessive permissions to team members and external collaborators can le - Keys with broad permissions can be exploited to perform unauthorized actions across multiple resources. {{#include ../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-ci-cd/supabase-security.md b/src/pentesting-ci-cd/supabase-security.md index 40231a605..6fa6219f8 100644 --- a/src/pentesting-ci-cd/supabase-security.md +++ b/src/pentesting-ci-cd/supabase-security.md @@ -161,3 +161,7 @@ It's possible to set an SMTP to send emails. It's possible to **store secrets** in supabase also which will be **accessible by edge functions** (the can be created and deleted from the web, but it's not possible to access their value directly). {{#include ../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-ci-cd/terraform-security.md b/src/pentesting-ci-cd/terraform-security.md index 9f7047a30..09b875ff2 100644 --- a/src/pentesting-ci-cd/terraform-security.md +++ b/src/pentesting-ci-cd/terraform-security.md @@ -310,3 +310,7 @@ brew install terrascan - [https://blog.plerion.com/hacking-terraform-state-privilege-escalation/](https://blog.plerion.com/hacking-terraform-state-privilege-escalation/) {{#include ../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-ci-cd/todo.md b/src/pentesting-ci-cd/todo.md index 7b1c48cfb..63a3bb5c8 100644 --- a/src/pentesting-ci-cd/todo.md +++ b/src/pentesting-ci-cd/todo.md @@ -14,3 +14,7 @@ Github PRs are welcome explaining how to (ab)use those platforms from an attacke - Any other CI/CD platform... {{#include ../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-ci-cd/travisci-security/README.md b/src/pentesting-ci-cd/travisci-security/README.md index 93e22e2f4..cff623392 100644 --- a/src/pentesting-ci-cd/travisci-security/README.md +++ b/src/pentesting-ci-cd/travisci-security/README.md @@ -63,3 +63,7 @@ If an attacker ends in an environment which uses **TravisCI enterprise** (more i - [https://docs.travis-ci.com/user/best-practices-security](https://docs.travis-ci.com/user/best-practices-security) {{#include ../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-ci-cd/travisci-security/basic-travisci-information.md b/src/pentesting-ci-cd/travisci-security/basic-travisci-information.md index deba53bfa..46b10bf38 100644 --- a/src/pentesting-ci-cd/travisci-security/basic-travisci-information.md +++ b/src/pentesting-ci-cd/travisci-security/basic-travisci-information.md @@ -90,3 +90,7 @@ The amount of deployed TCI Worker and build environment OS images will determine ![](<../../images/image (199).png>) {{#include ../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-ci-cd/vercel-security.md b/src/pentesting-ci-cd/vercel-security.md index b9a1deb16..16dc93da7 100644 --- a/src/pentesting-ci-cd/vercel-security.md +++ b/src/pentesting-ci-cd/vercel-security.md @@ -435,3 +435,7 @@ An **Access Group** in Vercel is a collection of projects and team members with - **Risk:** Increased likelihood of accidental exposure or unauthorized access to sensitive information. {{#include ../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/aws-security/README.md b/src/pentesting-cloud/aws-security/README.md index 8c53688de..ad71de826 100644 --- a/src/pentesting-cloud/aws-security/README.md +++ b/src/pentesting-cloud/aws-security/README.md @@ -387,3 +387,7 @@ aws ... - [https://cloudsecdocs.com/aws/defensive/tooling/audit/](https://cloudsecdocs.com/aws/defensive/tooling/audit/) {{#include ../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/aws-security/aws-basic-information/README.md b/src/pentesting-cloud/aws-security/aws-basic-information/README.md index c86c8f3bb..02e6e7729 100644 --- a/src/pentesting-cloud/aws-security/aws-basic-information/README.md +++ b/src/pentesting-cloud/aws-security/aws-basic-information/README.md @@ -384,3 +384,7 @@ If you are looking for something **similar** to this but for the **browser** you - [https://docs.aws.amazon.com/singlesignon/latest/userguide/what-is.html](https://docs.aws.amazon.com/singlesignon/latest/userguide/what-is.html) {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/aws-security/aws-basic-information/aws-federation-abuse.md b/src/pentesting-cloud/aws-security/aws-basic-information/aws-federation-abuse.md index 6e25b21fe..73ae6b448 100644 --- a/src/pentesting-cloud/aws-security/aws-basic-information/aws-federation-abuse.md +++ b/src/pentesting-cloud/aws-security/aws-basic-information/aws-federation-abuse.md @@ -127,3 +127,7 @@ In order to specify **which service account should be able to assume the role,** - [https://www.eliasbrange.dev/posts/secure-aws-deploys-from-github-actions-with-oidc/](https://www.eliasbrange.dev/posts/secure-aws-deploys-from-github-actions-with-oidc/) {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/aws-security/aws-permissions-for-a-pentest.md b/src/pentesting-cloud/aws-security/aws-permissions-for-a-pentest.md index 0135472a0..28868b9f1 100644 --- a/src/pentesting-cloud/aws-security/aws-permissions-for-a-pentest.md +++ b/src/pentesting-cloud/aws-security/aws-permissions-for-a-pentest.md @@ -15,3 +15,7 @@ These are the permissions you need on each AWS account you want to audit to be a - Optional if the client removes the analyzers for you, but usually it's easier just to ask for this permission) {{#include ../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/aws-security/aws-persistence/README.md b/src/pentesting-cloud/aws-security/aws-persistence/README.md index 901051f09..f3b45c4d3 100644 --- a/src/pentesting-cloud/aws-security/aws-persistence/README.md +++ b/src/pentesting-cloud/aws-security/aws-persistence/README.md @@ -1,2 +1,6 @@ # AWS - Persistence + + + + diff --git a/src/pentesting-cloud/aws-security/aws-persistence/aws-api-gateway-persistence.md b/src/pentesting-cloud/aws-security/aws-persistence/aws-api-gateway-persistence.md index 2026f7c2f..6d2b0ec35 100644 --- a/src/pentesting-cloud/aws-security/aws-persistence/aws-api-gateway-persistence.md +++ b/src/pentesting-cloud/aws-security/aws-persistence/aws-api-gateway-persistence.md @@ -30,3 +30,7 @@ If API keys are used, you could leak them to maintain persistence or even create Or just remove the use of API keys. {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/aws-security/aws-persistence/aws-cognito-persistence.md b/src/pentesting-cloud/aws-security/aws-persistence/aws-cognito-persistence.md index 0c7c000bb..e2e037e53 100644 --- a/src/pentesting-cloud/aws-security/aws-persistence/aws-cognito-persistence.md +++ b/src/pentesting-cloud/aws-security/aws-persistence/aws-cognito-persistence.md @@ -40,3 +40,7 @@ By default this is disabled:
{{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/aws-security/aws-persistence/aws-dynamodb-persistence.md b/src/pentesting-cloud/aws-security/aws-persistence/aws-dynamodb-persistence.md index e37a874e8..75a824e73 100644 --- a/src/pentesting-cloud/aws-security/aws-persistence/aws-dynamodb-persistence.md +++ b/src/pentesting-cloud/aws-security/aws-persistence/aws-dynamodb-persistence.md @@ -61,3 +61,7 @@ aws dynamodb put-item \ The compromised instances or Lambda functions can periodically check the C2 table for new commands, execute them, and optionally report the results back to the table. This allows the attacker to maintain persistence and control over the compromised resources. {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/aws-security/aws-persistence/aws-ec2-persistence.md b/src/pentesting-cloud/aws-security/aws-persistence/aws-ec2-persistence.md index 4c87fda79..b52ac9e85 100644 --- a/src/pentesting-cloud/aws-security/aws-persistence/aws-ec2-persistence.md +++ b/src/pentesting-cloud/aws-security/aws-persistence/aws-ec2-persistence.md @@ -52,3 +52,7 @@ Create a VPN so the attacker will be able to connect directly through i to the V Create a peering connection between the victim VPC and the attacker VPC so he will be able to access the victim VPC. {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/aws-security/aws-persistence/aws-ecr-persistence.md b/src/pentesting-cloud/aws-security/aws-persistence/aws-ecr-persistence.md index 2efeb83cb..07928fbd4 100644 --- a/src/pentesting-cloud/aws-security/aws-persistence/aws-ecr-persistence.md +++ b/src/pentesting-cloud/aws-security/aws-persistence/aws-ecr-persistence.md @@ -95,3 +95,7 @@ aws ecr put-replication-configuration \ ``` {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/aws-security/aws-persistence/aws-ecs-persistence.md b/src/pentesting-cloud/aws-security/aws-persistence/aws-ecs-persistence.md index da975a970..988626c8f 100644 --- a/src/pentesting-cloud/aws-security/aws-persistence/aws-ecs-persistence.md +++ b/src/pentesting-cloud/aws-security/aws-persistence/aws-ecs-persistence.md @@ -97,3 +97,7 @@ aws ecs create-service --service-name "undocumented-service" --task-definition " ``` {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/aws-security/aws-persistence/aws-efs-persistence.md b/src/pentesting-cloud/aws-security/aws-persistence/aws-efs-persistence.md index 99916b572..bdb282d41 100644 --- a/src/pentesting-cloud/aws-security/aws-persistence/aws-efs-persistence.md +++ b/src/pentesting-cloud/aws-security/aws-persistence/aws-efs-persistence.md @@ -19,3 +19,7 @@ Modifying the **resource policy and/or security groups** you can try to persist You could **create an access point** (with root access to `/`) accessible from a service were you have implemented **other persistence** to keep privileged access to the file system. {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/aws-security/aws-persistence/aws-elastic-beanstalk-persistence.md b/src/pentesting-cloud/aws-security/aws-persistence/aws-elastic-beanstalk-persistence.md index 6ff600d5e..c55e0e2ba 100644 --- a/src/pentesting-cloud/aws-security/aws-persistence/aws-elastic-beanstalk-persistence.md +++ b/src/pentesting-cloud/aws-security/aws-persistence/aws-elastic-beanstalk-persistence.md @@ -75,3 +75,7 @@ aws elasticbeanstalk update-environment --environment-name my-env --option-setti ``` {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/aws-security/aws-persistence/aws-iam-persistence.md b/src/pentesting-cloud/aws-security/aws-persistence/aws-iam-persistence.md index 9cab10503..e3e1944e7 100644 --- a/src/pentesting-cloud/aws-security/aws-persistence/aws-iam-persistence.md +++ b/src/pentesting-cloud/aws-security/aws-persistence/aws-iam-persistence.md @@ -47,3 +47,7 @@ Give Administrator permissions to a policy in not its last version (the last ver If the account is already trusting a common identity provider (such as Github) the conditions of the trust could be increased so the attacker can abuse them. {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/aws-security/aws-persistence/aws-kms-persistence.md b/src/pentesting-cloud/aws-security/aws-persistence/aws-kms-persistence.md index 5a9646176..7aefbd410 100644 --- a/src/pentesting-cloud/aws-security/aws-persistence/aws-kms-persistence.md +++ b/src/pentesting-cloud/aws-security/aws-persistence/aws-kms-persistence.md @@ -37,3 +37,7 @@ aws kms list-grants --key-id > A grant can give permissions only from this: [https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#terms-grant-operations](https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#terms-grant-operations) {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/aws-security/aws-persistence/aws-lambda-persistence/README.md b/src/pentesting-cloud/aws-security/aws-persistence/aws-lambda-persistence/README.md index 7eaa170fd..1390c2d55 100644 --- a/src/pentesting-cloud/aws-security/aws-persistence/aws-lambda-persistence/README.md +++ b/src/pentesting-cloud/aws-security/aws-persistence/aws-lambda-persistence/README.md @@ -62,3 +62,7 @@ Here you have some ideas to make your **presence in AWS more stealth by creating - Every time new cloudtrail logs are generated, delete/alter them {{#include ../../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/aws-security/aws-persistence/aws-lambda-persistence/aws-abusing-lambda-extensions.md b/src/pentesting-cloud/aws-security/aws-persistence/aws-lambda-persistence/aws-abusing-lambda-extensions.md index 3f78cfd42..71655ada0 100644 --- a/src/pentesting-cloud/aws-security/aws-persistence/aws-lambda-persistence/aws-abusing-lambda-extensions.md +++ b/src/pentesting-cloud/aws-security/aws-persistence/aws-lambda-persistence/aws-abusing-lambda-extensions.md @@ -40,3 +40,7 @@ The tool [**lambda-spy**](https://github.com/clearvector/lambda-spy) was created - [https://www.clearvector.com/blog/lambda-spy/](https://www.clearvector.com/blog/lambda-spy/) {{#include ../../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/aws-security/aws-persistence/aws-lambda-persistence/aws-lambda-layers-persistence.md b/src/pentesting-cloud/aws-security/aws-persistence/aws-lambda-persistence/aws-lambda-layers-persistence.md index 4b5b8e335..f8a5e2868 100644 --- a/src/pentesting-cloud/aws-security/aws-persistence/aws-lambda-persistence/aws-lambda-layers-persistence.md +++ b/src/pentesting-cloud/aws-security/aws-persistence/aws-lambda-persistence/aws-lambda-layers-persistence.md @@ -128,3 +128,7 @@ aws lambda remove-layer-version-permission --layer-name ExternalBackdoor --state ``` {{#include ../../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/aws-security/aws-persistence/aws-lightsail-persistence.md b/src/pentesting-cloud/aws-security/aws-persistence/aws-lightsail-persistence.md index ca387e687..88b0d082a 100644 --- a/src/pentesting-cloud/aws-security/aws-persistence/aws-lightsail-persistence.md +++ b/src/pentesting-cloud/aws-security/aws-persistence/aws-lightsail-persistence.md @@ -31,3 +31,7 @@ If domains are configured: - Configure the **main domain IP to your own one** and perform a **MitM** from your IP to the legit ones {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/aws-security/aws-persistence/aws-rds-persistence.md b/src/pentesting-cloud/aws-security/aws-persistence/aws-rds-persistence.md index 83e574fbe..b7a4b8f7b 100644 --- a/src/pentesting-cloud/aws-security/aws-persistence/aws-rds-persistence.md +++ b/src/pentesting-cloud/aws-security/aws-persistence/aws-rds-persistence.md @@ -29,3 +29,7 @@ aws rds modify-db-snapshot-attribute --db-snapshot-identifier -- ``` {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/aws-security/aws-persistence/aws-s3-persistence.md b/src/pentesting-cloud/aws-security/aws-persistence/aws-s3-persistence.md index 6db5208b1..f2c4ce048 100644 --- a/src/pentesting-cloud/aws-security/aws-persistence/aws-s3-persistence.md +++ b/src/pentesting-cloud/aws-security/aws-persistence/aws-s3-persistence.md @@ -23,3 +23,7 @@ Therefore, and attacker could get this key from the metadata and decrypt with KM Although usually ACLs of buckets are disabled, an attacker with enough privileges could abuse them (if enabled or if the attacker can enable them) to keep access to the S3 bucket. {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/aws-security/aws-persistence/aws-secrets-manager-persistence.md b/src/pentesting-cloud/aws-security/aws-persistence/aws-secrets-manager-persistence.md index e38afcdea..c15f27003 100644 --- a/src/pentesting-cloud/aws-security/aws-persistence/aws-secrets-manager-persistence.md +++ b/src/pentesting-cloud/aws-security/aws-persistence/aws-secrets-manager-persistence.md @@ -51,3 +51,7 @@ def generate_password(): ``` {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/aws-security/aws-persistence/aws-sns-persistence.md b/src/pentesting-cloud/aws-security/aws-persistence/aws-sns-persistence.md index fc0a2bced..8e97cc81c 100644 --- a/src/pentesting-cloud/aws-security/aws-persistence/aws-sns-persistence.md +++ b/src/pentesting-cloud/aws-security/aws-persistence/aws-sns-persistence.md @@ -79,3 +79,7 @@ aws sns subscribe --region \ ``` {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/aws-security/aws-persistence/aws-sqs-persistence.md b/src/pentesting-cloud/aws-security/aws-persistence/aws-sqs-persistence.md index 50076c346..88f396173 100644 --- a/src/pentesting-cloud/aws-security/aws-persistence/aws-sqs-persistence.md +++ b/src/pentesting-cloud/aws-security/aws-persistence/aws-sqs-persistence.md @@ -37,3 +37,7 @@ The following policy gives everyone in AWS access to everything in the queue cal > You could even **trigger a Lambda in the attackers account every-time a new message** is put in the queue (you would need to re-put it) somehow. For this follow these instructinos: [https://docs.aws.amazon.com/lambda/latest/dg/with-sqs-cross-account-example.html](https://docs.aws.amazon.com/lambda/latest/dg/with-sqs-cross-account-example.html) {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/aws-security/aws-persistence/aws-ssm-perssitence.md b/src/pentesting-cloud/aws-security/aws-persistence/aws-ssm-perssitence.md index 08cd69c5f..c1b9a422b 100644 --- a/src/pentesting-cloud/aws-security/aws-persistence/aws-ssm-perssitence.md +++ b/src/pentesting-cloud/aws-security/aws-persistence/aws-ssm-perssitence.md @@ -1,2 +1,6 @@ # AWS - SSM Perssitence + + + + diff --git a/src/pentesting-cloud/aws-security/aws-persistence/aws-step-functions-persistence.md b/src/pentesting-cloud/aws-security/aws-persistence/aws-step-functions-persistence.md index b86077b38..4e8c120ff 100644 --- a/src/pentesting-cloud/aws-security/aws-persistence/aws-step-functions-persistence.md +++ b/src/pentesting-cloud/aws-security/aws-persistence/aws-step-functions-persistence.md @@ -19,3 +19,7 @@ Backdoor a step function to make it perform any persistence trick so every time If the AWS account is using aliases to call step functions it would be possible to modify an alias to use a new backdoored version of the step function. {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/aws-security/aws-persistence/aws-sts-persistence.md b/src/pentesting-cloud/aws-security/aws-persistence/aws-sts-persistence.md index f95eb4b7e..74db04bec 100644 --- a/src/pentesting-cloud/aws-security/aws-persistence/aws-sts-persistence.md +++ b/src/pentesting-cloud/aws-security/aws-persistence/aws-sts-persistence.md @@ -129,3 +129,7 @@ Write-Host "Role juggling check complete." {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/aws-security/aws-post-exploitation/README.md b/src/pentesting-cloud/aws-security/aws-post-exploitation/README.md index 092b723de..53f79d916 100644 --- a/src/pentesting-cloud/aws-security/aws-post-exploitation/README.md +++ b/src/pentesting-cloud/aws-security/aws-post-exploitation/README.md @@ -1,2 +1,6 @@ # AWS - Post Exploitation + + + + diff --git a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-api-gateway-post-exploitation.md b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-api-gateway-post-exploitation.md index 6eff1bc94..4847c40e0 100644 --- a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-api-gateway-post-exploitation.md +++ b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-api-gateway-post-exploitation.md @@ -144,3 +144,7 @@ aws apigateway create-usage-plan-key --usage-plan-id $USAGE_PLAN --key-id $API_K > Need testing {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-cloudfront-post-exploitation.md b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-cloudfront-post-exploitation.md index ebcb510d5..4a3c4ff21 100644 --- a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-cloudfront-post-exploitation.md +++ b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-cloudfront-post-exploitation.md @@ -29,3 +29,7 @@ Accessing the response you could steal the users cookie and inject a malicious J You can check the [**tf code to recreate this scenarios here**](https://github.com/adanalvarez/AWS-Attack-Scenarios/tree/main). {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-codebuild-post-exploitation/README.md b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-codebuild-post-exploitation/README.md index 913b55a5b..54be4e299 100644 --- a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-codebuild-post-exploitation/README.md +++ b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-codebuild-post-exploitation/README.md @@ -82,3 +82,7 @@ aws codebuild delete-source-credentials --arn **Potential Impact**: Disruption of normal functioning for applications relying on the affected repository due to the removal of source credentials. {{#include ../../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-codebuild-post-exploitation/aws-codebuild-token-leakage.md b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-codebuild-post-exploitation/aws-codebuild-token-leakage.md index e433f04eb..c514d7a7c 100644 --- a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-codebuild-post-exploitation/aws-codebuild-token-leakage.md +++ b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-codebuild-post-exploitation/aws-codebuild-token-leakage.md @@ -186,3 +186,7 @@ aws codebuild start-build --project-name > Now an attacker will be able to use the token from his machine, list all the privileges it has and (ab)use easier than using the CodeBuild service directly. {{#include ../../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-control-tower-post-exploitation.md b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-control-tower-post-exploitation.md index a37af9d5b..f1c6fb394 100644 --- a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-control-tower-post-exploitation.md +++ b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-control-tower-post-exploitation.md @@ -18,3 +18,7 @@ aws controltower enable-control --control-identifier --target-i ``` {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-dlm-post-exploitation.md b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-dlm-post-exploitation.md index af0db2d40..baa309e53 100644 --- a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-dlm-post-exploitation.md +++ b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-dlm-post-exploitation.md @@ -93,3 +93,7 @@ A template for the policy document can be seen here: ``` {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-dynamodb-post-exploitation.md b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-dynamodb-post-exploitation.md index b09f35642..d63689d9e 100644 --- a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-dynamodb-post-exploitation.md +++ b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-dynamodb-post-exploitation.md @@ -347,3 +347,7 @@ bashCopy codeaws dynamodbstreams get-records \ **Potential impact**: Real-time monitoring and data leakage of the DynamoDB table's changes. {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-ec2-ebs-ssm-and-vpc-post-exploitation/README.md b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-ec2-ebs-ssm-and-vpc-post-exploitation/README.md index ae2038219..9ae6a0a4f 100644 --- a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-ec2-ebs-ssm-and-vpc-post-exploitation/README.md +++ b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-ec2-ebs-ssm-and-vpc-post-exploitation/README.md @@ -475,3 +475,7 @@ if __name__ == "__main__": ``` {{#include ../../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-ec2-ebs-ssm-and-vpc-post-exploitation/aws-ebs-snapshot-dump.md b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-ec2-ebs-ssm-and-vpc-post-exploitation/aws-ebs-snapshot-dump.md index 8f5ebb565..7a9a19cc4 100644 --- a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-ec2-ebs-ssm-and-vpc-post-exploitation/aws-ebs-snapshot-dump.md +++ b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-ec2-ebs-ssm-and-vpc-post-exploitation/aws-ebs-snapshot-dump.md @@ -139,3 +139,7 @@ You can use this tool to automate the attack: [https://github.com/Static-Flow/Cl - [https://devopscube.com/mount-ebs-volume-ec2-instance/](https://devopscube.com/mount-ebs-volume-ec2-instance/) {{#include ../../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-ec2-ebs-ssm-and-vpc-post-exploitation/aws-malicious-vpc-mirror.md b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-ec2-ebs-ssm-and-vpc-post-exploitation/aws-malicious-vpc-mirror.md index 69042df5f..eb3b5f33f 100644 --- a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-ec2-ebs-ssm-and-vpc-post-exploitation/aws-malicious-vpc-mirror.md +++ b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-ec2-ebs-ssm-and-vpc-post-exploitation/aws-malicious-vpc-mirror.md @@ -13,3 +13,7 @@ The **impact** of malicious VPC traffic mirroring can be significant, as it allo For more information and access to the [**malmirror script**](https://github.com/RhinoSecurityLabs/Cloud-Security-Research/tree/master/AWS/malmirror), it can be found on our **GitHub repository**. The script automates and streamlines the process, making it **quick, simple, and repeatable** for offensive research purposes. {{#include ../../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-ecr-post-exploitation.md b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-ecr-post-exploitation.md index aea1b48dd..a971ea769 100644 --- a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-ecr-post-exploitation.md +++ b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-ecr-post-exploitation.md @@ -94,3 +94,7 @@ aws ecr-public batch-delete-image --repository-name your-ecr-repo-name --image-i ``` {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-ecs-post-exploitation.md b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-ecs-post-exploitation.md index 115f36302..1d2fd80a5 100644 --- a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-ecs-post-exploitation.md +++ b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-ecs-post-exploitation.md @@ -61,3 +61,7 @@ aws ecs submit-attachment-state-changes ... The EC2 instance will probably also have the permission `ecr:GetAuthorizationToken` allowing it to **download images** (you could search for sensitive info in them). {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-efs-post-exploitation.md b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-efs-post-exploitation.md index daf1fb898..35b644689 100644 --- a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-efs-post-exploitation.md +++ b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-efs-post-exploitation.md @@ -52,3 +52,7 @@ aws efs delete-access-point --access-point-id **Potential Impact**: Unauthorized access to the file system, data exposure or modification. {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-eks-post-exploitation.md b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-eks-post-exploitation.md index 90c8a2c96..eb1f77f46 100644 --- a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-eks-post-exploitation.md +++ b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-eks-post-exploitation.md @@ -153,3 +153,7 @@ So, if an **attacker compromises a cluster using fargate** and **removes all the > Actually, If the cluster is using Fargate you could EC2 nodes or move everything to EC2 to the cluster and recover it accessing the tokens in the node. {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-elastic-beanstalk-post-exploitation.md b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-elastic-beanstalk-post-exploitation.md index 59b9fd453..6267ee02f 100644 --- a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-elastic-beanstalk-post-exploitation.md +++ b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-elastic-beanstalk-post-exploitation.md @@ -78,3 +78,7 @@ aws elasticbeanstalk remove-tags --resource-arn arn:aws:elasticbeanstalk:us-west **Potential Impact**: Incorrect resource allocation, billing, or resource management due to added or removed tags. {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-iam-post-exploitation.md b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-iam-post-exploitation.md index f364899bb..f734122e8 100644 --- a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-iam-post-exploitation.md +++ b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-iam-post-exploitation.md @@ -101,3 +101,7 @@ A common way to avoid Confused Deputy problems is the use of a condition with `A - [https://docs.aws.amazon.com/IAM/latest/UserGuide/confused-deputy.html](https://docs.aws.amazon.com/IAM/latest/UserGuide/confused-deputy.html) {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-kms-post-exploitation.md b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-kms-post-exploitation.md index e03c8a315..482af5425 100644 --- a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-kms-post-exploitation.md +++ b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-kms-post-exploitation.md @@ -131,3 +131,7 @@ aws kms schedule-key-deletion \
{{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-lambda-post-exploitation/README.md b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-lambda-post-exploitation/README.md index 86bc91b90..5f25c205a 100644 --- a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-lambda-post-exploitation/README.md +++ b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-lambda-post-exploitation/README.md @@ -27,3 +27,7 @@ Abusing Lambda Layers it's also possible to abuse extensions and persist in the {{#endref}} {{#include ../../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-lambda-post-exploitation/aws-warm-lambda-persistence.md b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-lambda-post-exploitation/aws-warm-lambda-persistence.md index 1aa0d0334..bc93fe53a 100644 --- a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-lambda-post-exploitation/aws-warm-lambda-persistence.md +++ b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-lambda-post-exploitation/aws-warm-lambda-persistence.md @@ -61,3 +61,7 @@ For more info check [https://github.com/carlospolop/lambda_bootstrap_switcher](h - [https://unit42.paloaltonetworks.com/gaining-persistency-vulnerable-lambdas/](https://unit42.paloaltonetworks.com/gaining-persistency-vulnerable-lambdas/) {{#include ../../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-lightsail-post-exploitation.md b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-lightsail-post-exploitation.md index 7bd2b206b..830671a5e 100644 --- a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-lightsail-post-exploitation.md +++ b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-lightsail-post-exploitation.md @@ -28,3 +28,7 @@ Check out the Lightsail privesc options to learn different ways to access potent {{#endref}} {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-organizations-post-exploitation.md b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-organizations-post-exploitation.md index 88fdbd9b1..99f3b8413 100644 --- a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-organizations-post-exploitation.md +++ b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-organizations-post-exploitation.md @@ -17,3 +17,7 @@ aws organizations deregister-account --account-id --region ``` {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-rds-post-exploitation.md b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-rds-post-exploitation.md index dd6517e80..c1ccb01a4 100644 --- a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-rds-post-exploitation.md +++ b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-rds-post-exploitation.md @@ -90,3 +90,7 @@ aws rds start-export-task --export-task-identifier attacker-export-task --source **Potential impact**: Access to sensitive data in the exported snapshot. {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-s3-post-exploitation.md b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-s3-post-exploitation.md index 803b6a14d..16cc52f27 100644 --- a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-s3-post-exploitation.md +++ b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-s3-post-exploitation.md @@ -36,3 +36,7 @@ Finally, the attacker could upload a final file, usually named "ransom-note.txt, **For more info** [**check the original research**](https://rhinosecuritylabs.com/aws/s3-ransomware-part-1-attack-vector/)**.** {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-secrets-manager-post-exploitation.md b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-secrets-manager-post-exploitation.md index 7560dd6c5..e59cbbaaa 100644 --- a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-secrets-manager-post-exploitation.md +++ b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-secrets-manager-post-exploitation.md @@ -47,3 +47,7 @@ aws secretsmanager delete-secret \ ``` {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-ses-post-exploitation.md b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-ses-post-exploitation.md index 157ea2e24..e67a07739 100644 --- a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-ses-post-exploitation.md +++ b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-ses-post-exploitation.md @@ -81,3 +81,7 @@ aws sesv2 send-custom-verification-email --email-address --template-name Still to test. {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-sns-post-exploitation.md b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-sns-post-exploitation.md index 39017f43d..b24660ee1 100644 --- a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-sns-post-exploitation.md +++ b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-sns-post-exploitation.md @@ -78,3 +78,7 @@ aws sns untag-resource --resource-arn --tag-keys **Potential Impact**: Disruption of cost allocation, resource tracking, and tag-based access control policies. {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-sqs-post-exploitation.md b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-sqs-post-exploitation.md index ad1073251..872693e89 100644 --- a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-sqs-post-exploitation.md +++ b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-sqs-post-exploitation.md @@ -85,3 +85,7 @@ arduinoCopy codeaws sqs remove-permission --queue-url --label **Potential Impact**: Disruption of normal functioning for applications relying on the queue due to unauthorized removal of permissions. {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-sso-and-identitystore-post-exploitation.md b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-sso-and-identitystore-post-exploitation.md index 1b02581d6..0d636f261 100644 --- a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-sso-and-identitystore-post-exploitation.md +++ b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-sso-and-identitystore-post-exploitation.md @@ -23,3 +23,7 @@ aws sso-admin delete-account-assignment --instance-arn --target ``` {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-stepfunctions-post-exploitation.md b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-stepfunctions-post-exploitation.md index 4a26196b2..6a0cd5ba9 100644 --- a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-stepfunctions-post-exploitation.md +++ b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-stepfunctions-post-exploitation.md @@ -72,3 +72,7 @@ aws stepfunctions untag-resource --resource-arn --tag-keys **Potential Impact**: Disruption of cost allocation, resource tracking, and tag-based access control policies. {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-sts-post-exploitation.md b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-sts-post-exploitation.md index c1023dc7b..3cabd1b71 100644 --- a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-sts-post-exploitation.md +++ b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-sts-post-exploitation.md @@ -102,3 +102,7 @@ response = client.get_secret_value(SecretId="flag_secret") print(response['Secre ``` {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-vpn-post-exploitation.md b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-vpn-post-exploitation.md index d39f99060..fe4f69e25 100644 --- a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-vpn-post-exploitation.md +++ b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-vpn-post-exploitation.md @@ -11,3 +11,7 @@ For more information: {{#endref}} {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/aws-security/aws-privilege-escalation/README.md b/src/pentesting-cloud/aws-security/aws-privilege-escalation/README.md index f795302bc..ba8374b41 100644 --- a/src/pentesting-cloud/aws-security/aws-privilege-escalation/README.md +++ b/src/pentesting-cloud/aws-security/aws-privilege-escalation/README.md @@ -21,3 +21,7 @@ The way to escalate your privileges in AWS is to have enough permissions to be a - [Pacu](https://github.com/RhinoSecurityLabs/pacu) {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-apigateway-privesc.md b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-apigateway-privesc.md index 297789085..7f7edbc6e 100644 --- a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-apigateway-privesc.md +++ b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-apigateway-privesc.md @@ -105,3 +105,7 @@ aws apigateway update-vpc-link --vpc-link-id $VPC_LINK_ID --patch-operations op= **Potential Impact**: Unauthorized access to private API resources, interception or disruption of API traffic. {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-chime-privesc.md b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-chime-privesc.md index f4e2282e8..b477dc31f 100644 --- a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-chime-privesc.md +++ b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-chime-privesc.md @@ -7,3 +7,7 @@ TODO {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-cloudformation-privesc/README.md b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-cloudformation-privesc/README.md index d205cf1ad..39cba539e 100644 --- a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-cloudformation-privesc/README.md +++ b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-cloudformation-privesc/README.md @@ -116,3 +116,7 @@ An attacker could abuse this permission without the passRole permission to updat - [https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/](https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/) {{#include ../../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-cloudformation-privesc/iam-passrole-cloudformation-createstack-and-cloudformation-describestacks.md b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-cloudformation-privesc/iam-passrole-cloudformation-createstack-and-cloudformation-describestacks.md index 47f709078..d41f9062c 100644 --- a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-cloudformation-privesc/iam-passrole-cloudformation-createstack-and-cloudformation-describestacks.md +++ b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-cloudformation-privesc/iam-passrole-cloudformation-createstack-and-cloudformation-describestacks.md @@ -79,3 +79,7 @@ aws cloudformation describe-stacks \ - [https://bishopfox.com/blog/privilege-escalation-in-aws](https://bishopfox.com/blog/privilege-escalation-in-aws) {{#include ../../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-codebuild-privesc.md b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-codebuild-privesc.md index b84aa8b1f..b179bec22 100644 --- a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-codebuild-privesc.md +++ b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-codebuild-privesc.md @@ -347,3 +347,7 @@ More details could be found [here](https://www.shielder.com/blog/2023/07/aws-cod **Potential Impact:** Direct privesc to attached AWS Codebuild roles. {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-codepipeline-privesc.md b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-codepipeline-privesc.md index 884bb7fa3..0662ae9e2 100644 --- a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-codepipeline-privesc.md +++ b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-codepipeline-privesc.md @@ -35,3 +35,7 @@ It might be possible to modify the role used and the command executed on a codep > When this API is called, CodePipeline **returns temporary credentials for the S3 bucket** used to store artifacts for the pipeline, if the action requires access to that S3 bucket for input or output artifacts. This API also **returns any secret values defined for the action**. {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-codestar-privesc/README.md b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-codestar-privesc/README.md index 9dd00b43d..387c6ffff 100644 --- a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-codestar-privesc/README.md +++ b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-codestar-privesc/README.md @@ -71,3 +71,7 @@ You can find the exploit in [https://github.com/RhinoSecurityLabs/Cloud-Security **Potential Impact:** Privesc to cloudformation IAM role. {{#include ../../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-codestar-privesc/codestar-createproject-codestar-associateteammember.md b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-codestar-privesc/codestar-createproject-codestar-associateteammember.md index 7f900c00f..0de95738e 100644 --- a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-codestar-privesc/codestar-createproject-codestar-associateteammember.md +++ b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-codestar-privesc/codestar-createproject-codestar-associateteammember.md @@ -79,3 +79,7 @@ This is the created policy the user can privesc to (the project name was `superc ``` {{#include ../../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-codestar-privesc/iam-passrole-codestar-createproject.md b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-codestar-privesc/iam-passrole-codestar-createproject.md index ab8af00d1..891d72df5 100644 --- a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-codestar-privesc/iam-passrole-codestar-createproject.md +++ b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-codestar-privesc/iam-passrole-codestar-createproject.md @@ -86,3 +86,7 @@ aws codestar create-project \ This exploit is based on the **Pacu exploit of these privileges**: [https://github.com/RhinoSecurityLabs/pacu/blob/2a0ce01f075541f7ccd9c44fcfc967cad994f9c9/pacu/modules/iam\_\_privesc_scan/main.py#L1997](https://github.com/RhinoSecurityLabs/pacu/blob/2a0ce01f075541f7ccd9c44fcfc967cad994f9c9/pacu/modules/iam__privesc_scan/main.py#L1997) On it you can find a variation to create an admin managed policy for a role instead of to a user. {{#include ../../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-cognito-privesc.md b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-cognito-privesc.md index cc8d8d94f..ddd0c1efd 100644 --- a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-cognito-privesc.md +++ b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-cognito-privesc.md @@ -312,3 +312,7 @@ $ cognito-scanner --help For more information check [https://github.com/padok-team/cognito-scanner](https://github.com/padok-team/cognito-scanner) {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-datapipeline-privesc.md b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-datapipeline-privesc.md index 585e407d3..82c82682e 100644 --- a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-datapipeline-privesc.md +++ b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-datapipeline-privesc.md @@ -72,3 +72,7 @@ The **pipeline definition file, crafted by the attacker, includes directives to - [https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/](https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/) {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-directory-services-privesc.md b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-directory-services-privesc.md index 8785f58af..ce24095ed 100644 --- a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-directory-services-privesc.md +++ b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-directory-services-privesc.md @@ -32,3 +32,7 @@ And then **grant them an AWS IAM role** for when they login, this way an AD user There isn't apparently any way to enable the application access URL, the AWS Management Console and grant permission {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-dynamodb-privesc.md b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-dynamodb-privesc.md index 01661912c..b4af46712 100644 --- a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-dynamodb-privesc.md +++ b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-dynamodb-privesc.md @@ -21,3 +21,7 @@ As far as I know there is **no direct way to escalate privileges in AWS just by ### TODO: Read data abusing data Streams {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-ebs-privesc.md b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-ebs-privesc.md index ca59c9402..36ea3bc53 100644 --- a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-ebs-privesc.md +++ b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-ebs-privesc.md @@ -25,3 +25,7 @@ Any AWS user possessing the **`EC2:CreateSnapshot`** permission can steal the ha You can use this tool to automate the attack: [https://github.com/Static-Flow/CloudCopy](https://github.com/Static-Flow/CloudCopy) or you could use one of the previous techniques after creating a snapshot. {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-ec2-privesc.md b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-ec2-privesc.md index 090c4e70d..ad31bde00 100644 --- a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-ec2-privesc.md +++ b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-ec2-privesc.md @@ -289,3 +289,7 @@ Assuming we find `aws_access_key_id` and `aws_secret_access_key`, we can use the - [https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/](https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/) {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-ecr-privesc.md b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-ecr-privesc.md index bcf68a122..fd4686edb 100644 --- a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-ecr-privesc.md +++ b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-ecr-privesc.md @@ -106,3 +106,7 @@ aws ecr set-repository-policy \ ``` {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-ecs-privesc.md b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-ecs-privesc.md index 31eaefddb..4988270ab 100644 --- a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-ecs-privesc.md +++ b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-ecs-privesc.md @@ -248,3 +248,7 @@ aws ecs update-service-primary-task-set --cluster existing-cluster --service exi - [https://ruse.tech/blogs/ecs-attack-methods](https://ruse.tech/blogs/ecs-attack-methods) {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-efs-privesc.md b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-efs-privesc.md index 821263148..8a54b28d8 100644 --- a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-efs-privesc.md +++ b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-efs-privesc.md @@ -94,3 +94,7 @@ aws efs modify-mount-target-security-groups \ **Potential Impact:** Indirect privesc by locating sensitive information in the file system. {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-elastic-beanstalk-privesc.md b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-elastic-beanstalk-privesc.md index e974efeb9..613dd3a47 100644 --- a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-elastic-beanstalk-privesc.md +++ b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-elastic-beanstalk-privesc.md @@ -183,3 +183,7 @@ The developer has intentions to establish a reverse shell using Netcat or Socat ``` {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-emr-privesc.md b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-emr-privesc.md index c901b22ea..0025abe52 100644 --- a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-emr-privesc.md +++ b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-emr-privesc.md @@ -62,3 +62,7 @@ The URL of the notebook is `https://.emrnotebooks-prod.eu-west-1.am **Potential Impact:** Privesc to AWS managed role arn:aws:iam::420254708011:instance-profile/prod-EditorInstanceProfile {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-gamelift.md b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-gamelift.md index 5743a2663..b40cdf413 100644 --- a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-gamelift.md +++ b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-gamelift.md @@ -16,3 +16,7 @@ aws gamelift request-upload-credentials \ - [https://gist.github.com/kmcquade/33860a617e651104d243c324ddf7992a](https://gist.github.com/kmcquade/33860a617e651104d243c324ddf7992a) {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-glue-privesc.md b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-glue-privesc.md index d6cf29c3c..049d3b273 100644 --- a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-glue-privesc.md +++ b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-glue-privesc.md @@ -90,3 +90,7 @@ Just with the update permission an attacked could steal the IAM Credentials of t - [https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/](https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/) {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-iam-privesc.md b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-iam-privesc.md index 657a16a48..7807f6152 100644 --- a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-iam-privesc.md +++ b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-iam-privesc.md @@ -271,3 +271,7 @@ aws iam update-open-id-connect-provider-thumbprint --open-id-connect-provider-ar - [https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/](https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/) {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-kms-privesc.md b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-kms-privesc.md index 9003c400a..02c05b76d 100644 --- a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-kms-privesc.md +++ b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-kms-privesc.md @@ -120,3 +120,7 @@ For more information check: {{#endref}} {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-lambda-privesc.md b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-lambda-privesc.md index bd1cd7d00..d276ef737 100644 --- a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-lambda-privesc.md +++ b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-lambda-privesc.md @@ -290,3 +290,7 @@ Some lambdas are going to be **receiving sensitive info from the users in parame - [https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation-part-2/](https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation-part-2/) {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-lightsail-privesc.md b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-lightsail-privesc.md index 7fc698f64..1bf78eb3c 100644 --- a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-lightsail-privesc.md +++ b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-lightsail-privesc.md @@ -160,3 +160,7 @@ aws lightsail update-domain-entry \ **Potential Impact:** Takeover a domain {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-mediapackage-privesc.md b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-mediapackage-privesc.md index 5cf41b391..a1004bde6 100644 --- a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-mediapackage-privesc.md +++ b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-mediapackage-privesc.md @@ -23,3 +23,7 @@ aws mediapackage rotate-ingest-endpoint-credentials --id test --ingest-endpoint- - [https://gist.github.com/kmcquade/33860a617e651104d243c324ddf7992a](https://gist.github.com/kmcquade/33860a617e651104d243c324ddf7992a) {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-mq-privesc.md b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-mq-privesc.md index 29aefa731..80890e389 100644 --- a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-mq-privesc.md +++ b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-mq-privesc.md @@ -47,3 +47,7 @@ If you could somehow find the original credentials used by ActiveMQ you could pe **Potential Impact:** Steal ActiveMQ credentials {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-msk-privesc.md b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-msk-privesc.md index 1ca4c4e60..f0538785f 100644 --- a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-msk-privesc.md +++ b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-msk-privesc.md @@ -22,3 +22,7 @@ You need access to the VPC because **you cannot enable None authentication with If **IAM role-based authentication** is used and **kafka is publicly exposed** you could still abuse these privileges to give you permissions to access it. {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-organizations-prinvesc.md b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-organizations-prinvesc.md index 9da7808e3..7d43bbd3b 100644 --- a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-organizations-prinvesc.md +++ b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-organizations-prinvesc.md @@ -16,3 +16,7 @@ If you compromise the root/management account, chances are you can compromise al To [**learn how check this page**](../#compromising-the-organization). {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-rds-privesc.md b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-rds-privesc.md index 6e8d1b809..b4a08093e 100644 --- a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-rds-privesc.md +++ b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-rds-privesc.md @@ -167,3 +167,7 @@ aws rds add-role-to-db-instance --db-instance-identifier target-instance --role- **Potential Impact**: Access to sensitive data or unauthorized modifications to the data in the RDS instance. {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-redshift-privesc.md b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-redshift-privesc.md index 810cdf3ff..825c16ad6 100644 --- a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-redshift-privesc.md +++ b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-redshift-privesc.md @@ -105,3 +105,7 @@ Check [https://docs.aws.amazon.com/redshift/latest/dg/loading-data-from-emr.html - [https://gist.github.com/kmcquade/33860a617e651104d243c324ddf7992a](https://gist.github.com/kmcquade/33860a617e651104d243c324ddf7992a) {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-s3-privesc.md b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-s3-privesc.md index a85a7f764..0af161cbc 100644 --- a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-s3-privesc.md +++ b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-s3-privesc.md @@ -181,3 +181,7 @@ aws s3api put-object-acl --bucket --key flag --version-id ``` {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-sagemaker-privesc.md b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-sagemaker-privesc.md index e3c1f92b7..890686262 100644 --- a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-sagemaker-privesc.md +++ b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-sagemaker-privesc.md @@ -112,3 +112,7 @@ An attacker with those permissions will (potentially) be able to create an **hyp - [https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation-part-2/](https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation-part-2/) {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-secrets-manager-privesc.md b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-secrets-manager-privesc.md index efd911f80..bdc01433b 100644 --- a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-secrets-manager-privesc.md +++ b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-secrets-manager-privesc.md @@ -49,3 +49,7 @@ policy.json: ``` {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-sns-privesc.md b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-sns-privesc.md index 9475d238a..699bb58cf 100644 --- a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-sns-privesc.md +++ b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-sns-privesc.md @@ -41,3 +41,7 @@ aws sns add-permission --topic-arn --label --aws-account-id --receipt-handle - **Potential Impact**: Steal sensitive information, Message loss, data corruption, and service disruption for applications relying on the affected messages. {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-ssm-privesc.md b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-ssm-privesc.md index aafbdcbda..c4067e2ca 100644 --- a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-ssm-privesc.md +++ b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-ssm-privesc.md @@ -130,3 +130,7 @@ aws-codebuild-privesc.md {{#endref}} {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-sso-and-identitystore-privesc.md b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-sso-and-identitystore-privesc.md index 18ea35aeb..0fb4e10a1 100644 --- a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-sso-and-identitystore-privesc.md +++ b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-sso-and-identitystore-privesc.md @@ -130,3 +130,7 @@ aws sso-admin delete-permissions-boundary-from-permission-set --instance-arn < ``` {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-stepfunctions-privesc.md b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-stepfunctions-privesc.md index 108dbcf3b..bfc3adb77 100644 --- a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-stepfunctions-privesc.md +++ b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-stepfunctions-privesc.md @@ -251,3 +251,7 @@ aws stepfunctions update-state-machine --state-machine-arn arn:aws:states:us-eas **Potential Impact**: Unauthorized execution and manipulation of workflows and access to sensitive resources, potentially leading to significant security breaches. {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-sts-privesc.md b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-sts-privesc.md index 5fc330366..782bcc237 100644 --- a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-sts-privesc.md +++ b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-sts-privesc.md @@ -120,3 +120,7 @@ aws sts assume-role-with-web-identity --role-arn arn:aws:iam::123456789098:role/ {{#endref}} {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-workdocs-privesc.md b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-workdocs-privesc.md index 8756dbf07..4b1e5e7e9 100644 --- a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-workdocs-privesc.md +++ b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-workdocs-privesc.md @@ -50,3 +50,7 @@ For that follow the instructions from [https://docs.aws.amazon.com/workdocs/late Login with that user in workdoc and access the admin panel in `/workdocs/index.html#/admin` I didn't find any way to do this from the cli. + + + + diff --git a/src/pentesting-cloud/aws-security/aws-privilege-escalation/eventbridgescheduler-privesc.md b/src/pentesting-cloud/aws-security/aws-privilege-escalation/eventbridgescheduler-privesc.md index f2b28170a..1519df70f 100644 --- a/src/pentesting-cloud/aws-security/aws-privilege-escalation/eventbridgescheduler-privesc.md +++ b/src/pentesting-cloud/aws-security/aws-privilege-escalation/eventbridgescheduler-privesc.md @@ -47,3 +47,7 @@ aws scheduler create-schedule \ - [https://docs.aws.amazon.com/scheduler/latest/UserGuide/managing-targets-universal.html](https://docs.aws.amazon.com/scheduler/latest/UserGuide/managing-targets-universal.html) {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/aws-security/aws-privilege-escalation/route53-createhostedzone-route53-changeresourcerecordsets-acm-pca-issuecertificate-acm-pca-getcer.md b/src/pentesting-cloud/aws-security/aws-privilege-escalation/route53-createhostedzone-route53-changeresourcerecordsets-acm-pca-issuecertificate-acm-pca-getcer.md index d7b87303e..fc3563ce7 100644 --- a/src/pentesting-cloud/aws-security/aws-privilege-escalation/route53-createhostedzone-route53-changeresourcerecordsets-acm-pca-issuecertificate-acm-pca-getcer.md +++ b/src/pentesting-cloud/aws-security/aws-privilege-escalation/route53-createhostedzone-route53-changeresourcerecordsets-acm-pca-issuecertificate-acm-pca-getcer.md @@ -30,3 +30,7 @@ This is possible because: Find the exploitation steps in the original research: [**https://niebardzo.github.io/2022-03-11-aws-hijacking-route53/**](https://niebardzo.github.io/2022-03-11-aws-hijacking-route53/) {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/aws-security/aws-services/README.md b/src/pentesting-cloud/aws-security/aws-services/README.md index 4c1f06d1a..dddd8ac04 100644 --- a/src/pentesting-cloud/aws-security/aws-services/README.md +++ b/src/pentesting-cloud/aws-security/aws-services/README.md @@ -29,3 +29,7 @@ Services that fall under container services have the following characteristics: **The pages of this section are ordered by AWS service. In there you will be able to find information about the service (how it works and capabilities) and that will allow you to escalate privileges.** {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/aws-security/aws-services/aws-api-gateway-enum.md b/src/pentesting-cloud/aws-security/aws-services/aws-api-gateway-enum.md index 18b4e1ea6..09aa42d7c 100644 --- a/src/pentesting-cloud/aws-security/aws-services/aws-api-gateway-enum.md +++ b/src/pentesting-cloud/aws-security/aws-services/aws-api-gateway-enum.md @@ -297,3 +297,7 @@ To make an API key work, you need to add it to a **Usage Plan**, this usage plan {{#endref}} {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/aws-security/aws-services/aws-certificate-manager-acm-and-private-certificate-authority-pca.md b/src/pentesting-cloud/aws-security/aws-services/aws-certificate-manager-acm-and-private-certificate-authority-pca.md index 679781fe8..0f3da9d50 100644 --- a/src/pentesting-cloud/aws-security/aws-services/aws-certificate-manager-acm-and-private-certificate-authority-pca.md +++ b/src/pentesting-cloud/aws-security/aws-services/aws-certificate-manager-acm-and-private-certificate-authority-pca.md @@ -59,3 +59,7 @@ TODO TODO {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/aws-security/aws-services/aws-cloudformation-and-codestar-enum.md b/src/pentesting-cloud/aws-security/aws-services/aws-cloudformation-and-codestar-enum.md index 75fd48594..66539b87d 100644 --- a/src/pentesting-cloud/aws-security/aws-services/aws-cloudformation-and-codestar-enum.md +++ b/src/pentesting-cloud/aws-security/aws-services/aws-cloudformation-and-codestar-enum.md @@ -73,3 +73,7 @@ In the following page you can check how to **abuse codestar permissions to escal - [https://docs.aws.amazon.com/cloudformation/](https://docs.aws.amazon.com/cloudformation/) {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/aws-security/aws-services/aws-cloudfront-enum.md b/src/pentesting-cloud/aws-security/aws-services/aws-cloudfront-enum.md index 4a42986f4..75613cdb4 100644 --- a/src/pentesting-cloud/aws-security/aws-services/aws-cloudfront-enum.md +++ b/src/pentesting-cloud/aws-security/aws-services/aws-cloudfront-enum.md @@ -42,3 +42,7 @@ aws cloudfront list-distributions | jq ".DistributionList.Items[] | .Id, .Origin {{#endref}} {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/aws-security/aws-services/aws-cloudhsm-enum.md b/src/pentesting-cloud/aws-security/aws-services/aws-cloudhsm-enum.md index 9699f755d..55216fa7e 100644 --- a/src/pentesting-cloud/aws-security/aws-services/aws-cloudhsm-enum.md +++ b/src/pentesting-cloud/aws-security/aws-services/aws-cloudhsm-enum.md @@ -65,3 +65,7 @@ TODO ``` {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/aws-security/aws-services/aws-codebuild-enum.md b/src/pentesting-cloud/aws-security/aws-services/aws-codebuild-enum.md index ea2e36e55..bd54cd791 100644 --- a/src/pentesting-cloud/aws-security/aws-services/aws-codebuild-enum.md +++ b/src/pentesting-cloud/aws-security/aws-services/aws-codebuild-enum.md @@ -74,3 +74,7 @@ In the following page, you can check how to **abuse codebuild permissions to esc - [https://docs.aws.amazon.com/managedservices/latest/userguide/code-build.html](https://docs.aws.amazon.com/managedservices/latest/userguide/code-build.html) {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/aws-security/aws-services/aws-cognito-enum/README.md b/src/pentesting-cloud/aws-security/aws-services/aws-cognito-enum/README.md index 581b457be..c870c1791 100644 --- a/src/pentesting-cloud/aws-security/aws-services/aws-cognito-enum/README.md +++ b/src/pentesting-cloud/aws-security/aws-services/aws-cognito-enum/README.md @@ -100,3 +100,7 @@ Even if you **don't know a valid username** inside Cognito, you might be able to {{#endref}} {{#include ../../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/aws-security/aws-services/aws-cognito-enum/cognito-identity-pools.md b/src/pentesting-cloud/aws-security/aws-services/aws-cognito-enum/cognito-identity-pools.md index 14d5f806a..024c7ea91 100644 --- a/src/pentesting-cloud/aws-security/aws-services/aws-cognito-enum/cognito-identity-pools.md +++ b/src/pentesting-cloud/aws-security/aws-services/aws-cognito-enum/cognito-identity-pools.md @@ -189,3 +189,7 @@ aws cognito-identity get-credentials-for-identity \ > It's possible to **configure different IAM roles depending on the identity provide**r the user is being logged in or even just depending **on the user** (using claims). Therefore, if you have access to different users through the same or different providers, if might be **worth it to login and access the IAM roles of all of them**. {{#include ../../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/aws-security/aws-services/aws-cognito-enum/cognito-user-pools.md b/src/pentesting-cloud/aws-security/aws-services/aws-cognito-enum/cognito-user-pools.md index 471d04789..08e06fb45 100644 --- a/src/pentesting-cloud/aws-security/aws-services/aws-cognito-enum/cognito-user-pools.md +++ b/src/pentesting-cloud/aws-security/aws-services/aws-cognito-enum/cognito-user-pools.md @@ -490,3 +490,7 @@ An error occurred (InvalidParameterException) when calling the GetCredentialsFor ``` {{#include ../../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/aws-security/aws-services/aws-datapipeline-codepipeline-codebuild-and-codecommit.md b/src/pentesting-cloud/aws-security/aws-services/aws-datapipeline-codepipeline-codebuild-and-codecommit.md index e660baf74..2a907b71b 100644 --- a/src/pentesting-cloud/aws-security/aws-services/aws-datapipeline-codepipeline-codebuild-and-codecommit.md +++ b/src/pentesting-cloud/aws-security/aws-services/aws-datapipeline-codepipeline-codebuild-and-codecommit.md @@ -101,3 +101,7 @@ git clone ssh://@git-codecommit..amazonaws.com/v1/repos/ --principals Id=anonymo {{#endref}} {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/aws-security/aws-services/aws-documentdb-enum.md b/src/pentesting-cloud/aws-security/aws-services/aws-documentdb-enum.md index 0c97e360e..caf35d03c 100644 --- a/src/pentesting-cloud/aws-security/aws-services/aws-documentdb-enum.md +++ b/src/pentesting-cloud/aws-security/aws-services/aws-documentdb-enum.md @@ -40,3 +40,7 @@ https://book.hacktricks.xyz/pentesting-web/nosql-injection - [https://aws.amazon.com/blogs/database/analyze-amazon-documentdb-workloads-with-performance-insights/](https://aws.amazon.com/blogs/database/analyze-amazon-documentdb-workloads-with-performance-insights/) {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/aws-security/aws-services/aws-dynamodb-enum.md b/src/pentesting-cloud/aws-security/aws-services/aws-dynamodb-enum.md index 173d8f224..cb0864715 100644 --- a/src/pentesting-cloud/aws-security/aws-services/aws-dynamodb-enum.md +++ b/src/pentesting-cloud/aws-security/aws-services/aws-dynamodb-enum.md @@ -176,3 +176,7 @@ Therefore, a login like the previous one can be bypassed with something like: ``` {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/aws-security/aws-services/aws-ec2-ebs-elb-ssm-vpc-and-vpn-enum/README.md b/src/pentesting-cloud/aws-security/aws-services/aws-ec2-ebs-elb-ssm-vpc-and-vpn-enum/README.md index a3c8bc9b9..f365bc7f5 100644 --- a/src/pentesting-cloud/aws-security/aws-services/aws-ec2-ebs-elb-ssm-vpc-and-vpn-enum/README.md +++ b/src/pentesting-cloud/aws-security/aws-services/aws-ec2-ebs-elb-ssm-vpc-and-vpn-enum/README.md @@ -324,3 +324,7 @@ If a **VPN connection was stablished** you should search for **`.opvn`** config - [https://docs.aws.amazon.com/batch/latest/userguide/getting-started-ec2.html](https://docs.aws.amazon.com/batch/latest/userguide/getting-started-ec2.html) {{#include ../../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/aws-security/aws-services/aws-ec2-ebs-elb-ssm-vpc-and-vpn-enum/aws-nitro-enum.md b/src/pentesting-cloud/aws-security/aws-services/aws-ec2-ebs-elb-ssm-vpc-and-vpn-enum/aws-nitro-enum.md index 0c37fd609..0575a17d8 100644 --- a/src/pentesting-cloud/aws-security/aws-services/aws-ec2-ebs-elb-ssm-vpc-and-vpn-enum/aws-nitro-enum.md +++ b/src/pentesting-cloud/aws-security/aws-services/aws-ec2-ebs-elb-ssm-vpc-and-vpn-enum/aws-nitro-enum.md @@ -269,3 +269,7 @@ The research on how to modify/create new images to bypass each protection (spcia - All the parts of the Nitro tutorial from AWS: [https://catalog.us-east-1.prod.workshops.aws/event/dashboard/en-US/workshop/1-my-first-enclave/1-1-nitro-enclaves-cli](https://catalog.us-east-1.prod.workshops.aws/event/dashboard/en-US/workshop/1-my-first-enclave/1-1-nitro-enclaves-cli) {{#include ../../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/aws-security/aws-services/aws-ec2-ebs-elb-ssm-vpc-and-vpn-enum/aws-vpc-and-networking-basic-information.md b/src/pentesting-cloud/aws-security/aws-services/aws-ec2-ebs-elb-ssm-vpc-and-vpn-enum/aws-vpc-and-networking-basic-information.md index 08abe0d21..03277bfd1 100644 --- a/src/pentesting-cloud/aws-security/aws-services/aws-ec2-ebs-elb-ssm-vpc-and-vpn-enum/aws-vpc-and-networking-basic-information.md +++ b/src/pentesting-cloud/aws-security/aws-services/aws-ec2-ebs-elb-ssm-vpc-and-vpn-enum/aws-vpc-and-networking-basic-information.md @@ -193,3 +193,7 @@ In addition, take the following into consideration when you use Site-to-Site VPN - The self-service portal is **not available for clients that authenticate using mutual authentication**. {{#include ../../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/aws-security/aws-services/aws-ecr-enum.md b/src/pentesting-cloud/aws-security/aws-services/aws-ecr-enum.md index 054b414b8..9025829b4 100644 --- a/src/pentesting-cloud/aws-security/aws-services/aws-ecr-enum.md +++ b/src/pentesting-cloud/aws-security/aws-services/aws-ecr-enum.md @@ -100,3 +100,7 @@ In the following page you can check how to **abuse ECR permissions to escalate p - [https://docs.aws.amazon.com/AmazonECR/latest/APIReference/Welcome.html](https://docs.aws.amazon.com/AmazonECR/latest/APIReference/Welcome.html) {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/aws-security/aws-services/aws-ecs-enum.md b/src/pentesting-cloud/aws-security/aws-services/aws-ecs-enum.md index 94aa75376..cbbf596fe 100644 --- a/src/pentesting-cloud/aws-security/aws-services/aws-ecs-enum.md +++ b/src/pentesting-cloud/aws-security/aws-services/aws-ecs-enum.md @@ -80,3 +80,7 @@ In the following page you can check how to **abuse ECS permissions to escalate p {{#endref}} {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/aws-security/aws-services/aws-efs-enum.md b/src/pentesting-cloud/aws-security/aws-services/aws-efs-enum.md index 1a7079ae8..bcf4e58d4 100644 --- a/src/pentesting-cloud/aws-security/aws-services/aws-efs-enum.md +++ b/src/pentesting-cloud/aws-security/aws-services/aws-efs-enum.md @@ -142,3 +142,7 @@ Access points can be used for the following purposes: {{#endref}} {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/aws-security/aws-services/aws-eks-enum.md b/src/pentesting-cloud/aws-security/aws-services/aws-eks-enum.md index 3e34a3cd4..a7ead6d10 100644 --- a/src/pentesting-cloud/aws-security/aws-services/aws-eks-enum.md +++ b/src/pentesting-cloud/aws-security/aws-services/aws-eks-enum.md @@ -44,3 +44,7 @@ aws eks describe-update --name --update-id - [https://aws.amazon.com/eks/](https://aws.amazon.com/eks/) {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/aws-security/aws-services/aws-elastic-beanstalk-enum.md b/src/pentesting-cloud/aws-security/aws-services/aws-elastic-beanstalk-enum.md index ddb803d1a..980504dac 100644 --- a/src/pentesting-cloud/aws-security/aws-services/aws-elastic-beanstalk-enum.md +++ b/src/pentesting-cloud/aws-security/aws-services/aws-elastic-beanstalk-enum.md @@ -111,3 +111,7 @@ aws elasticbeanstalk describe-events {{#endref}} {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/aws-security/aws-services/aws-elasticache.md b/src/pentesting-cloud/aws-security/aws-services/aws-elasticache.md index 69561eb89..6305fcc91 100644 --- a/src/pentesting-cloud/aws-security/aws-services/aws-elasticache.md +++ b/src/pentesting-cloud/aws-security/aws-services/aws-elasticache.md @@ -43,3 +43,7 @@ aws elasticache describe-events ### Privesc (TODO) {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/aws-security/aws-services/aws-emr-enum.md b/src/pentesting-cloud/aws-security/aws-services/aws-emr-enum.md index 12373e9bd..b05012f3e 100644 --- a/src/pentesting-cloud/aws-security/aws-services/aws-emr-enum.md +++ b/src/pentesting-cloud/aws-security/aws-services/aws-emr-enum.md @@ -58,3 +58,7 @@ aws emr list-studios #Get studio URLs - [https://cloudacademy.com/course/domain-three-designing-secure-applications-and-architectures/elastic-mapreduce-emr-encryption-1/](https://cloudacademy.com/course/domain-three-designing-secure-applications-and-architectures/elastic-mapreduce-emr-encryption-1/) {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/aws-security/aws-services/aws-iam-enum.md b/src/pentesting-cloud/aws-security/aws-services/aws-iam-enum.md index 618b98e7a..7a430cc17 100644 --- a/src/pentesting-cloud/aws-security/aws-services/aws-iam-enum.md +++ b/src/pentesting-cloud/aws-security/aws-services/aws-iam-enum.md @@ -400,3 +400,7 @@ aws identitystore create-user --identity-store-id --user-name privesc However, it's possible via Delegate Administrator to allow users from a different account to manage it. They won't have exactly the same permission, but they will be able to perform [**management activities**](https://docs.aws.amazon.com/singlesignon/latest/userguide/delegated-admin.html). {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/aws-security/aws-services/aws-kinesis-data-firehose-enum.md b/src/pentesting-cloud/aws-security/aws-services/aws-kinesis-data-firehose-enum.md index 207c1d53f..6ca66b5ed 100644 --- a/src/pentesting-cloud/aws-security/aws-services/aws-kinesis-data-firehose-enum.md +++ b/src/pentesting-cloud/aws-security/aws-services/aws-kinesis-data-firehose-enum.md @@ -49,3 +49,7 @@ aws firehose put-record-batch --delivery-stream-name my-stream --records file:// - [https://docs.amazonaws.cn/en_us/firehose/latest/dev/what-is-this-service.html](https://docs.amazonaws.cn/en_us/firehose/latest/dev/what-is-this-service.html) {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/aws-security/aws-services/aws-kms-enum.md b/src/pentesting-cloud/aws-security/aws-services/aws-kms-enum.md index b64eee2d5..543ed31cd 100644 --- a/src/pentesting-cloud/aws-security/aws-services/aws-kms-enum.md +++ b/src/pentesting-cloud/aws-security/aws-services/aws-kms-enum.md @@ -156,3 +156,7 @@ aws kms describe-custom-key-stores - [https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-default.html](https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-default.html) {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/aws-security/aws-services/aws-lambda-enum.md b/src/pentesting-cloud/aws-security/aws-services/aws-lambda-enum.md index 8888e1a5d..03fa1aac8 100644 --- a/src/pentesting-cloud/aws-security/aws-services/aws-lambda-enum.md +++ b/src/pentesting-cloud/aws-security/aws-services/aws-lambda-enum.md @@ -182,3 +182,7 @@ In the following page you can check how to **abuse Lambda permissions to escalat - [https://aws.amazon.com/blogs/compute/building-extensions-for-aws-lambda-in-preview/](https://aws.amazon.com/blogs/compute/building-extensions-for-aws-lambda-in-preview/) {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/aws-security/aws-services/aws-lightsail-enum.md b/src/pentesting-cloud/aws-security/aws-services/aws-lightsail-enum.md index 404f14c10..9f5ccb1ab 100644 --- a/src/pentesting-cloud/aws-security/aws-services/aws-lightsail-enum.md +++ b/src/pentesting-cloud/aws-security/aws-services/aws-lightsail-enum.md @@ -57,3 +57,7 @@ It's possible to generate **instance and relational database snapshots from ligh {{#endref}} {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/aws-security/aws-services/aws-mq-enum.md b/src/pentesting-cloud/aws-security/aws-services/aws-mq-enum.md index 8e221776a..8504db545 100644 --- a/src/pentesting-cloud/aws-security/aws-services/aws-mq-enum.md +++ b/src/pentesting-cloud/aws-security/aws-services/aws-mq-enum.md @@ -74,3 +74,7 @@ If you know the credentials to access the RabbitMQ web console, you can create a - [https://activemq.apache.org/](https://activemq.apache.org/) {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/aws-security/aws-services/aws-msk-enum.md b/src/pentesting-cloud/aws-security/aws-services/aws-msk-enum.md index ca0098630..42c7ca640 100644 --- a/src/pentesting-cloud/aws-security/aws-services/aws-msk-enum.md +++ b/src/pentesting-cloud/aws-security/aws-services/aws-msk-enum.md @@ -97,3 +97,7 @@ If you are going to **have access to the VPC** where a Provisioned Kafka is, you - [https://docs.aws.amazon.com/msk/latest/developerguide/what-is-msk.html](https://docs.aws.amazon.com/msk/latest/developerguide/what-is-msk.html) {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/aws-security/aws-services/aws-organizations-enum.md b/src/pentesting-cloud/aws-security/aws-services/aws-organizations-enum.md index 445b9c5df..df5a51a37 100644 --- a/src/pentesting-cloud/aws-security/aws-services/aws-organizations-enum.md +++ b/src/pentesting-cloud/aws-security/aws-services/aws-organizations-enum.md @@ -45,3 +45,7 @@ aws iam get-account-summary - https://aws.amazon.com/organizations/ {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/aws-security/aws-services/aws-other-services-enum.md b/src/pentesting-cloud/aws-security/aws-services/aws-other-services-enum.md index 8e2042191..d5cb84f1d 100644 --- a/src/pentesting-cloud/aws-security/aws-services/aws-other-services-enum.md +++ b/src/pentesting-cloud/aws-security/aws-services/aws-other-services-enum.md @@ -22,3 +22,7 @@ aws support describe-cases --include-resolved-cases ``` {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/aws-security/aws-services/aws-redshift-enum.md b/src/pentesting-cloud/aws-security/aws-services/aws-redshift-enum.md index 37304bdad..7ae94d5d6 100644 --- a/src/pentesting-cloud/aws-security/aws-services/aws-redshift-enum.md +++ b/src/pentesting-cloud/aws-security/aws-services/aws-redshift-enum.md @@ -97,3 +97,7 @@ The following actions allow to grant access to other AWS accounts to the cluster - [authorize-snapshot-access](https://docs.aws.amazon.com/cli/latest/reference/redshift/authorize-snapshot-access.html) {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/aws-security/aws-services/aws-relational-database-rds-enum.md b/src/pentesting-cloud/aws-security/aws-services/aws-relational-database-rds-enum.md index a91ada4e0..473369403 100644 --- a/src/pentesting-cloud/aws-security/aws-services/aws-relational-database-rds-enum.md +++ b/src/pentesting-cloud/aws-security/aws-services/aws-relational-database-rds-enum.md @@ -140,3 +140,7 @@ https://book.hacktricks.xyz/pentesting-web/sql-injection {{#endref}} {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/aws-security/aws-services/aws-route53-enum.md b/src/pentesting-cloud/aws-security/aws-services/aws-route53-enum.md index 2d806cac0..c37002eb7 100644 --- a/src/pentesting-cloud/aws-security/aws-services/aws-route53-enum.md +++ b/src/pentesting-cloud/aws-security/aws-services/aws-route53-enum.md @@ -29,3 +29,7 @@ aws route53 list-traffic-policies {{#endref}} {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/aws-security/aws-services/aws-s3-athena-and-glacier-enum.md b/src/pentesting-cloud/aws-security/aws-services/aws-s3-athena-and-glacier-enum.md index 782731590..3133c0eac 100644 --- a/src/pentesting-cloud/aws-security/aws-services/aws-s3-athena-and-glacier-enum.md +++ b/src/pentesting-cloud/aws-security/aws-services/aws-s3-athena-and-glacier-enum.md @@ -318,3 +318,7 @@ aws athena start-query-execution --query-string - [https://docs.aws.amazon.com/AmazonS3/latest/userguide/dual-stack-endpoints.html](https://docs.aws.amazon.com/AmazonS3/latest/userguide/dual-stack-endpoints.html) {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/aws-security/aws-services/aws-secrets-manager-enum.md b/src/pentesting-cloud/aws-security/aws-services/aws-secrets-manager-enum.md index 282f983cb..a50eaa24f 100644 --- a/src/pentesting-cloud/aws-security/aws-services/aws-secrets-manager-enum.md +++ b/src/pentesting-cloud/aws-security/aws-services/aws-secrets-manager-enum.md @@ -48,3 +48,7 @@ aws secretsmanager get-resource-policy --secret-id --secret-id {{#endref}} {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/README.md b/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/README.md index 0416f90ff..8348ff098 100644 --- a/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/README.md +++ b/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/README.md @@ -1,2 +1,6 @@ # AWS - Security & Detection Services + + + + diff --git a/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-cloudtrail-enum.md b/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-cloudtrail-enum.md index 1bfc0a4ef..780f52f6e 100644 --- a/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-cloudtrail-enum.md +++ b/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-cloudtrail-enum.md @@ -293,3 +293,7 @@ This is an easiest way to perform the previous attack with different permissions - [https://cloudsecdocs.com/aws/services/logging/cloudtrail/#inventory](https://cloudsecdocs.com/aws/services/logging/cloudtrail/#inventory) {{#include ../../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-cloudwatch-enum.md b/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-cloudwatch-enum.md index 482a2a1b8..0c790b881 100644 --- a/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-cloudwatch-enum.md +++ b/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-cloudwatch-enum.md @@ -456,3 +456,7 @@ aws cloudwatch untag-resource --resource-arn --tag-keys - [https://docs.aws.amazon.com/es_es/AmazonCloudWatch/latest/monitoring/cloudwatch_concepts.html#Metric](https://docs.aws.amazon.com/es_es/AmazonCloudWatch/latest/monitoring/cloudwatch_concepts.html#Metric) {{#include ../../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-config-enum.md b/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-config-enum.md index 55b736e3a..f2ab3c4c5 100644 --- a/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-config-enum.md +++ b/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-config-enum.md @@ -44,3 +44,7 @@ Limit of 50 config rules per region before you need to contact AWS for an increa Non compliant results are NOT deleted. {{#include ../../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-control-tower-enum.md b/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-control-tower-enum.md index bbb19dd0a..9fab39fb8 100644 --- a/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-control-tower-enum.md +++ b/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-control-tower-enum.md @@ -40,3 +40,7 @@ aws controltower list-enabled-controls --target-identifier arn:aws:organizations {{#endref}} {{#include ../../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-cost-explorer-enum.md b/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-cost-explorer-enum.md index 579789482..2f967331b 100644 --- a/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-cost-explorer-enum.md +++ b/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-cost-explorer-enum.md @@ -13,3 +13,7 @@ Budgets help to **manage costs and usage**. You can get **alerted when a thresho Also, they can be used for non cost related monitoring like the usage of a service (how many GB are used in a particular S3 bucket?). {{#include ../../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-detective-enum.md b/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-detective-enum.md index 44633cf30..9d1a40eba 100644 --- a/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-detective-enum.md +++ b/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-detective-enum.md @@ -14,3 +14,7 @@ The service eases in-depth exploration of security incidents, allowing security - [https://cloudsecdocs.com/aws/services/logging/other/#detective](https://cloudsecdocs.com/aws/services/logging/other/#detective) {{#include ../../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-firewall-manager-enum.md b/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-firewall-manager-enum.md index 842501e7f..0369f075c 100644 --- a/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-firewall-manager-enum.md +++ b/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-firewall-manager-enum.md @@ -307,3 +307,7 @@ aws fms untag-resource --resource-arn --tag-keys - [https://docs.aws.amazon.com/waf/latest/developerguide/fms-chapter.html](https://docs.aws.amazon.com/waf/latest/developerguide/fms-chapter.html) {{#include ../../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-guardduty-enum.md b/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-guardduty-enum.md index 6b102d98c..2794852d3 100644 --- a/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-guardduty-enum.md +++ b/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-guardduty-enum.md @@ -191,3 +191,7 @@ Extracting EC2 credentials from the metadata service and **utilizing them outsid - [https://docs.aws.amazon.com/whitepapers/latest/aws-privatelink/what-are-vpc-endpoints.html](https://docs.aws.amazon.com/whitepapers/latest/aws-privatelink/what-are-vpc-endpoints.html) {{#include ../../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-inspector-enum.md b/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-inspector-enum.md index 38692c854..655b81fa7 100644 --- a/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-inspector-enum.md +++ b/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-inspector-enum.md @@ -384,3 +384,7 @@ aws inspector2 untag-resource --resource-arn --tag-keys - [https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoninspector2.html](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoninspector2.html) {{#include ../../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-macie-enum.md b/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-macie-enum.md index a4a26e683..e6e3a2281 100644 --- a/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-macie-enum.md +++ b/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-macie-enum.md @@ -116,3 +116,7 @@ TODO: PRs are welcome! - [https://cloudacademy.com/blog/introducing-aws-security-hub/](https://cloudacademy.com/blog/introducing-aws-security-hub/) {{#include ../../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-security-hub-enum.md b/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-security-hub-enum.md index 3597a5297..36dc8fbe9 100644 --- a/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-security-hub-enum.md +++ b/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-security-hub-enum.md @@ -61,3 +61,7 @@ TODO, PRs accepted - [https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html](https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html) {{#include ../../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-shield-enum.md b/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-shield-enum.md index 073fcb091..b1df3003b 100644 --- a/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-shield-enum.md +++ b/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-shield-enum.md @@ -13,3 +13,7 @@ AWS Shield has been designed to help **protect your infrastructure against distr Whereas the Standard version of Shield offered protection against layer three and layer four, **Advanced also offers protection against layer seven, application, attacks.** {{#include ../../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-trusted-advisor-enum.md b/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-trusted-advisor-enum.md index 5ea8a625d..a975d7476 100644 --- a/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-trusted-advisor-enum.md +++ b/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-trusted-advisor-enum.md @@ -69,3 +69,7 @@ AWS Trusted Advisor acts as a crucial tool in ensuring the optimization, perform - [https://cloudsecdocs.com/aws/services/logging/other/#trusted-advisor](https://cloudsecdocs.com/aws/services/logging/other/#trusted-advisor) {{#include ../../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-waf-enum.md b/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-waf-enum.md index 8ca8a6a3b..661b836d5 100644 --- a/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-waf-enum.md +++ b/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-waf-enum.md @@ -469,3 +469,7 @@ aws wafv2 untag-resource --resource-arn --tag-keys - [https://docs.aws.amazon.com/service-authorization/latest/reference/list_awswafv2.html](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awswafv2.html) {{#include ../../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/aws-security/aws-services/aws-ses-enum.md b/src/pentesting-cloud/aws-security/aws-services/aws-ses-enum.md index 88fb06dd8..bc6af90f1 100644 --- a/src/pentesting-cloud/aws-security/aws-services/aws-ses-enum.md +++ b/src/pentesting-cloud/aws-security/aws-services/aws-ses-enum.md @@ -125,3 +125,7 @@ aws ses get-send-statistics {{#endref}} {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/aws-security/aws-services/aws-sns-enum.md b/src/pentesting-cloud/aws-security/aws-services/aws-sns-enum.md index 01467ee06..cca4353cb 100644 --- a/src/pentesting-cloud/aws-security/aws-services/aws-sns-enum.md +++ b/src/pentesting-cloud/aws-security/aws-services/aws-sns-enum.md @@ -77,3 +77,7 @@ aws sns subscribe --region \ - [https://aws.amazon.com/about-aws/whats-new/2022/01/amazon-sns-attribute-based-access-controls/](https://aws.amazon.com/about-aws/whats-new/2022/01/amazon-sns-attribute-based-access-controls/) {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/aws-security/aws-services/aws-sqs-and-sns-enum.md b/src/pentesting-cloud/aws-security/aws-services/aws-sqs-and-sns-enum.md index 63770cd06..1da888587 100644 --- a/src/pentesting-cloud/aws-security/aws-services/aws-sqs-and-sns-enum.md +++ b/src/pentesting-cloud/aws-security/aws-services/aws-sqs-and-sns-enum.md @@ -51,3 +51,7 @@ aws sqs send-message --queue-url --message-body - https://docs.aws.amazon.com/cdk/api/v2/python/aws\_cdk.aws\_sqs/README.html {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/aws-security/aws-services/aws-stepfunctions-enum.md b/src/pentesting-cloud/aws-security/aws-services/aws-stepfunctions-enum.md index c5c6ed131..873629bba 100644 --- a/src/pentesting-cloud/aws-security/aws-services/aws-stepfunctions-enum.md +++ b/src/pentesting-cloud/aws-security/aws-services/aws-stepfunctions-enum.md @@ -338,3 +338,7 @@ In the following page, you can check how to **abuse Step Functions permissions t - [https://states-language.net/spec.html](https://states-language.net/spec.html) {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/aws-security/aws-services/aws-sts-enum.md b/src/pentesting-cloud/aws-security/aws-services/aws-sts-enum.md index 7e73f30ea..385d55c3b 100644 --- a/src/pentesting-cloud/aws-security/aws-services/aws-sts-enum.md +++ b/src/pentesting-cloud/aws-security/aws-services/aws-sts-enum.md @@ -98,3 +98,7 @@ In the following page you can check how to **abuse STS permissions to escalate p - [https://blog.christophetd.fr/retrieving-aws-security-credentials-from-the-aws-console/?utm_source=pocket_mylist](https://blog.christophetd.fr/retrieving-aws-security-credentials-from-the-aws-console/?utm_source=pocket_mylist) {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/aws-security/aws-services/eventbridgescheduler-enum.md b/src/pentesting-cloud/aws-security/aws-services/eventbridgescheduler-enum.md index 3be49d173..a2f2e0c2f 100644 --- a/src/pentesting-cloud/aws-security/aws-services/eventbridgescheduler-enum.md +++ b/src/pentesting-cloud/aws-security/aws-services/eventbridgescheduler-enum.md @@ -79,3 +79,7 @@ In the following page, you can check how to **abuse eventbridge scheduler permis - [https://docs.aws.amazon.com/scheduler/latest/UserGuide/what-is-scheduler.html](https://docs.aws.amazon.com/scheduler/latest/UserGuide/what-is-scheduler.html) {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/README.md b/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/README.md index 37df66613..0003290b4 100644 --- a/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/README.md +++ b/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/README.md @@ -52,3 +52,7 @@ Other services found vulnerable: - [**cloud_enum**](https://github.com/initstring/cloud_enum): Multi-cloud OSINT tool. **Find public resources** in AWS, Azure, and Google Cloud. Supported AWS services: Open / Protected S3 Buckets, awsapps (WorkMail, WorkDocs, Connect, etc.) {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-accounts-unauthenticated-enum.md b/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-accounts-unauthenticated-enum.md index 98621c498..84c70ed0e 100644 --- a/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-accounts-unauthenticated-enum.md +++ b/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-accounts-unauthenticated-enum.md @@ -43,3 +43,7 @@ Many AWS error messages (even access denied) will give that information. - [https://www.youtube.com/watch?v=8ZXRw4Ry3mQ](https://www.youtube.com/watch?v=8ZXRw4Ry3mQ) {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-api-gateway-unauthenticated-enum.md b/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-api-gateway-unauthenticated-enum.md index 310015617..5a69bebe0 100644 --- a/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-api-gateway-unauthenticated-enum.md +++ b/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-api-gateway-unauthenticated-enum.md @@ -54,3 +54,7 @@ This technique also allows to get **values of tags** if you know the tag key (th You can find more information in the [**original research**](https://blog.plerion.com/conditional-love-for-aws-metadata-enumeration/) and the tool [**conditional-love**](https://github.com/plerionhq/conditional-love/) to automate this exploitation. {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-cloudfront-unauthenticated-enum.md b/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-cloudfront-unauthenticated-enum.md index fc68629f1..0284e2514 100644 --- a/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-cloudfront-unauthenticated-enum.md +++ b/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-cloudfront-unauthenticated-enum.md @@ -9,3 +9,7 @@ https://{random_id}.cloudfront.net ``` {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-codebuild-unauthenticated-access.md b/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-codebuild-unauthenticated-access.md index 9dc5feb14..d95410a62 100644 --- a/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-codebuild-unauthenticated-access.md +++ b/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-codebuild-unauthenticated-access.md @@ -33,3 +33,7 @@ runs-on: codebuild--${{ github.run_id }}-${{ github.run_attempt }} This new relationship between Github Actions and AWS creates another way to compromise AWS from Github as the code in Github will be running in a CodeBuild project with an IAM role attached. {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-cognito-unauthenticated-enum.md b/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-cognito-unauthenticated-enum.md index 0a788f6e8..6f26f3a34 100644 --- a/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-cognito-unauthenticated-enum.md +++ b/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-cognito-unauthenticated-enum.md @@ -46,3 +46,7 @@ Pacu (new:test) > run cognito__enum ``` {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-documentdb-enum.md b/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-documentdb-enum.md index de97c7405..004a92c2b 100644 --- a/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-documentdb-enum.md +++ b/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-documentdb-enum.md @@ -9,3 +9,7 @@ ``` {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-dynamodb-unauthenticated-access.md b/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-dynamodb-unauthenticated-access.md index 6e340d59e..e9e7fa8e4 100644 --- a/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-dynamodb-unauthenticated-access.md +++ b/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-dynamodb-unauthenticated-access.md @@ -13,3 +13,7 @@ For more information check: Apart from giving access to all AWS or some compromised external AWS account, or have some SQL injections in an application that communicates with DynamoDB I'm don't know more options to access AWS accounts from DynamoDB. {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-ec2-unauthenticated-enum.md b/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-ec2-unauthenticated-enum.md index 280a7c27b..657bf7f3a 100644 --- a/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-ec2-unauthenticated-enum.md +++ b/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-ec2-unauthenticated-enum.md @@ -58,3 +58,7 @@ aws ec2 describe-instances --query "Reservations[].Instances[?PublicIpAddress!=n ``` {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-ecr-unauthenticated-enum.md b/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-ecr-unauthenticated-enum.md index a36e4b72b..2febbed62 100644 --- a/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-ecr-unauthenticated-enum.md +++ b/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-ecr-unauthenticated-enum.md @@ -32,3 +32,7 @@ crane ls | sed 's/ .*//' ``` {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-ecs-unauthenticated-enum.md b/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-ecs-unauthenticated-enum.md index 4a2d961f5..8d0b02ba2 100644 --- a/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-ecs-unauthenticated-enum.md +++ b/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-ecs-unauthenticated-enum.md @@ -23,3 +23,7 @@ aws elbv2 describe-load-balancers --query 'LoadBalancers[?Scheme == `internet-fa ``` {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-elastic-beanstalk-unauthenticated-enum.md b/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-elastic-beanstalk-unauthenticated-enum.md index bd570128c..3a73a7328 100644 --- a/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-elastic-beanstalk-unauthenticated-enum.md +++ b/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-elastic-beanstalk-unauthenticated-enum.md @@ -35,3 +35,7 @@ aws elasticbeanstalk describe-environments --query 'Environments[?OptionSettings ``` {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-elasticsearch-unauthenticated-enum.md b/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-elasticsearch-unauthenticated-enum.md index 73c113dca..6ed2b74fe 100644 --- a/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-elasticsearch-unauthenticated-enum.md +++ b/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-elasticsearch-unauthenticated-enum.md @@ -10,3 +10,7 @@ https://search-{user_provided}-[random].[region].es.amazonaws.com ``` {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-iam-and-sts-unauthenticated-enum.md b/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-iam-and-sts-unauthenticated-enum.md index 8bc9c4bf0..b6092fda4 100644 --- a/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-iam-and-sts-unauthenticated-enum.md +++ b/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-iam-and-sts-unauthenticated-enum.md @@ -174,3 +174,7 @@ Note that **wildcard** (\*) before the **colon** (:). You can create an org such - [https://rhinosecuritylabs.com/aws/assume-worst-aws-assume-role-enumeration/](https://rhinosecuritylabs.com/aws/assume-worst-aws-assume-role-enumeration/) {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-identity-center-and-sso-unauthenticated-enum.md b/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-identity-center-and-sso-unauthenticated-enum.md index 192876460..fd4d31de6 100644 --- a/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-identity-center-and-sso-unauthenticated-enum.md +++ b/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-identity-center-and-sso-unauthenticated-enum.md @@ -129,3 +129,7 @@ For more info about this [**check this post**](https://mjg59.dreamwidth.org/6217 - [https://ramimac.me/aws-device-auth](https://ramimac.me/aws-device-auth) {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-iot-unauthenticated-enum.md b/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-iot-unauthenticated-enum.md index 2bc784c6b..38622c338 100644 --- a/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-iot-unauthenticated-enum.md +++ b/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-iot-unauthenticated-enum.md @@ -11,3 +11,7 @@ https://{random_id}.iot.{region}.amazonaws.com:443 ``` {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-kinesis-video-unauthenticated-enum.md b/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-kinesis-video-unauthenticated-enum.md index 867126bbd..58b8a1309 100644 --- a/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-kinesis-video-unauthenticated-enum.md +++ b/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-kinesis-video-unauthenticated-enum.md @@ -9,3 +9,7 @@ https://{random_id}.kinesisvideo.{region}.amazonaws.com ``` {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-lambda-unauthenticated-access.md b/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-lambda-unauthenticated-access.md index a39d47c39..5109a2044 100644 --- a/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-lambda-unauthenticated-access.md +++ b/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-lambda-unauthenticated-access.md @@ -20,3 +20,7 @@ This technique also allows to get **values of tags** if you know the tag key (th You can find more information in the [**original research**](https://blog.plerion.com/conditional-love-for-aws-metadata-enumeration/) and the tool [**conditional-love**](https://github.com/plerionhq/conditional-love/) to automate this exploitation. {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-media-unauthenticated-enum.md b/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-media-unauthenticated-enum.md index b15f112d5..2bbc4fdd6 100644 --- a/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-media-unauthenticated-enum.md +++ b/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-media-unauthenticated-enum.md @@ -11,3 +11,7 @@ https://{random_id}.data.mediastore.{region}.amazonaws.com ``` {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-mq-unauthenticated-enum.md b/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-mq-unauthenticated-enum.md index 5187644a2..ab06211e2 100644 --- a/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-mq-unauthenticated-enum.md +++ b/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-mq-unauthenticated-enum.md @@ -20,3 +20,7 @@ ssl://b-{random_id}-{1,2}.mq.{region}.amazonaws.com:61617 ``` {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-msk-unauthenticated-enum.md b/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-msk-unauthenticated-enum.md index 94ccbb070..9bbbd408d 100644 --- a/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-msk-unauthenticated-enum.md +++ b/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-msk-unauthenticated-enum.md @@ -16,3 +16,7 @@ b-{1,2,3,4}.{user_provided}.{random_id}.c{1,2}.kafka.{region}.amazonaws.com ``` {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-rds-unauthenticated-enum.md b/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-rds-unauthenticated-enum.md index a4ff8039b..218300e3f 100644 --- a/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-rds-unauthenticated-enum.md +++ b/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-rds-unauthenticated-enum.md @@ -42,3 +42,7 @@ postgres://{user_provided}.{random_id}.{region}.rds.amazonaws.com:5432 ``` {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-redshift-unauthenticated-enum.md b/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-redshift-unauthenticated-enum.md index 3503a91a7..ab1577a1e 100644 --- a/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-redshift-unauthenticated-enum.md +++ b/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-redshift-unauthenticated-enum.md @@ -9,3 +9,7 @@ ``` {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-s3-unauthenticated-enum.md b/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-s3-unauthenticated-enum.md index f78886c5d..28c7b1673 100644 --- a/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-s3-unauthenticated-enum.md +++ b/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-s3-unauthenticated-enum.md @@ -201,3 +201,7 @@ s3_client.put_bucket_acl( - [https://cloudar.be/awsblog/finding-the-account-id-of-any-public-s3-bucket/](https://cloudar.be/awsblog/finding-the-account-id-of-any-public-s3-bucket/) {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-sns-unauthenticated-enum.md b/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-sns-unauthenticated-enum.md index b97f36c13..7978eff36 100644 --- a/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-sns-unauthenticated-enum.md +++ b/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-sns-unauthenticated-enum.md @@ -19,3 +19,7 @@ When you configure a SNS topic from the web console it's possible to indicate th So if you **find the ARN of topics** inside the account (or brute forcing potential names for topics) you can **check** if you can **publish** or **subscribe** to **them**. {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-sqs-unauthenticated-enum.md b/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-sqs-unauthenticated-enum.md index 2bd20c8a4..a5006a63b 100644 --- a/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-sqs-unauthenticated-enum.md +++ b/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-sqs-unauthenticated-enum.md @@ -21,3 +21,7 @@ https://sqs.[region].amazonaws.com/[account-id]/{user_provided} It's possible to misconfigure a SQS queue policy and grant permissions to everyone in AWS to send and receive messages, so if you get the ARN of queues try if you can access them. {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/azure-security/README.md b/src/pentesting-cloud/azure-security/README.md index 4e36070da..9d2de65fc 100644 --- a/src/pentesting-cloud/azure-security/README.md +++ b/src/pentesting-cloud/azure-security/README.md @@ -400,3 +400,7 @@ Invoke-GraphRunner -Tokens $tokens ``` {{#include ../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/azure-security/az-basic-information/README.md b/src/pentesting-cloud/azure-security/az-basic-information/README.md index 483d357bd..a600b66dc 100644 --- a/src/pentesting-cloud/azure-security/az-basic-information/README.md +++ b/src/pentesting-cloud/azure-security/az-basic-information/README.md @@ -379,3 +379,7 @@ You **cannot** explicitly **deny** **access** to specific resources **using cond - [https://stackoverflow.com/questions/65922566/what-are-the-differences-between-service-principal-and-app-registration](https://stackoverflow.com/questions/65922566/what-are-the-differences-between-service-principal-and-app-registration) {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/azure-security/az-basic-information/az-tokens-and-public-applications.md b/src/pentesting-cloud/azure-security/az-basic-information/az-tokens-and-public-applications.md index c244928d3..d076e723a 100644 --- a/src/pentesting-cloud/azure-security/az-basic-information/az-tokens-and-public-applications.md +++ b/src/pentesting-cloud/azure-security/az-basic-information/az-tokens-and-public-applications.md @@ -201,3 +201,7 @@ pprint(microsoft_office_bearer_tokens_for_graph_api) - [https://github.com/secureworks/family-of-client-ids-research](https://github.com/secureworks/family-of-client-ids-research) {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/azure-security/az-device-registration.md b/src/pentesting-cloud/azure-security/az-device-registration.md index f3e004fac..5fe503c0b 100644 --- a/src/pentesting-cloud/azure-security/az-device-registration.md +++ b/src/pentesting-cloud/azure-security/az-device-registration.md @@ -107,3 +107,7 @@ az-lateral-movement-cloud-on-prem/az-phishing-primary-refresh-token-microsoft-en - [https://www.youtube.com/watch?v=AFay_58QubY](https://www.youtube.com/watch?v=AFay_58QubY) {{#include ../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/azure-security/az-enumeration-tools.md b/src/pentesting-cloud/azure-security/az-enumeration-tools.md index 4ada66e88..6a0dce1da 100644 --- a/src/pentesting-cloud/azure-security/az-enumeration-tools.md +++ b/src/pentesting-cloud/azure-security/az-enumeration-tools.md @@ -147,3 +147,7 @@ The Azure Active Directory (AD) module, now **deprecated**, is part of Azure Pow > This is replaced by Microsoft Graph PowerShell Follow this link for the [**installation instructions**](https://www.powershellgallery.com/packages/AzureAD). + + + + diff --git a/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/README.md b/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/README.md index d2cac1174..855759013 100644 --- a/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/README.md +++ b/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/README.md @@ -63,3 +63,7 @@ This tool allows to perform several actions like register a machine in Azure AD - [https://dirkjanm.io/phishing-for-microsoft-entra-primary-refresh-tokens/](https://dirkjanm.io/phishing-for-microsoft-entra-primary-refresh-tokens/) {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-arc-vulnerable-gpo-deploy-script.md b/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-arc-vulnerable-gpo-deploy-script.md index c2278da14..e53ceb412 100644 --- a/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-arc-vulnerable-gpo-deploy-script.md +++ b/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-arc-vulnerable-gpo-deploy-script.md @@ -69,3 +69,7 @@ At this point, we can gather the remaining information needed to connect to Azur - [https://xybytes.com/azure/Abusing-Azure-Arc/](https://xybytes.com/azure/Abusing-Azure-Arc/) {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-local-cloud-credentials.md b/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-local-cloud-credentials.md index e77b338ab..2ddcbb0a5 100644 --- a/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-local-cloud-credentials.md +++ b/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-local-cloud-credentials.md @@ -37,3 +37,7 @@ Considering the storage of sensitive data in plaintext, it's crucial to secure t - Educating users about the risks and best practices for handling such sensitive information. {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-pass-the-certificate.md b/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-pass-the-certificate.md index 54e834822..f2a5f2f4d 100644 --- a/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-pass-the-certificate.md +++ b/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-pass-the-certificate.md @@ -37,3 +37,7 @@ Main.py [-h] --usercert USERCERT --certpass CERTPASS --remoteip REMOTEIP - For more details about how Pass the Certificate works check the original post [https://medium.com/@mor2464/azure-ad-pass-the-certificate-d0c5de624597](https://medium.com/@mor2464/azure-ad-pass-the-certificate-d0c5de624597) {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-pass-the-cookie.md b/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-pass-the-cookie.md index bf7c5d0d9..f6695c40a 100644 --- a/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-pass-the-cookie.md +++ b/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-pass-the-cookie.md @@ -35,3 +35,7 @@ Just navigate to login.microsoftonline.com and add the cookie **`ESTSAUTHPERSIST - [https://stealthbits.com/blog/bypassing-mfa-with-pass-the-cookie/](https://stealthbits.com/blog/bypassing-mfa-with-pass-the-cookie/) {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-phishing-primary-refresh-token-microsoft-entra.md b/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-phishing-primary-refresh-token-microsoft-entra.md index 8b4cc9e15..28bc5b415 100644 --- a/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-phishing-primary-refresh-token-microsoft-entra.md +++ b/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-phishing-primary-refresh-token-microsoft-entra.md @@ -5,3 +5,7 @@ **Check:** [**https://dirkjanm.io/phishing-for-microsoft-entra-primary-refresh-tokens/**](https://dirkjanm.io/phishing-for-microsoft-entra-primary-refresh-tokens/) {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-primary-refresh-token-prt.md b/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-primary-refresh-token-prt.md index 85a1469d3..a79c7a659 100644 --- a/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-primary-refresh-token-prt.md +++ b/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-primary-refresh-token-prt.md @@ -5,3 +5,7 @@ **Chec the post in** [**https://dirkjanm.io/abusing-azure-ad-sso-with-the-primary-refresh-token/**](https://dirkjanm.io/abusing-azure-ad-sso-with-the-primary-refresh-token/) although another post explaining the same can be found in [**https://posts.specterops.io/requesting-azure-ad-request-tokens-on-azure-ad-joined-machines-for-browser-sso-2b0409caad30**](https://posts.specterops.io/requesting-azure-ad-request-tokens-on-azure-ad-joined-machines-for-browser-sso-2b0409caad30) {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-processes-memory-access-token.md b/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-processes-memory-access-token.md index 0fb52cfb7..1ba819b3a 100644 --- a/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-processes-memory-access-token.md +++ b/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-processes-memory-access-token.md @@ -35,3 +35,7 @@ curl -s -H "Authorization: Bearer " 'https://graph.microsoft.com/v1.0/sit **Note that these kind of access tokens can be also found inside other processes.** {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/README.md b/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/README.md index e241d2c05..ec734cb69 100644 --- a/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/README.md +++ b/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/README.md @@ -58,3 +58,7 @@ Get-ADSyncConnector ``` {{#include ../../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/az-cloud-kerberos-trust.md b/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/az-cloud-kerberos-trust.md index 9263f6668..0b8debf3e 100644 --- a/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/az-cloud-kerberos-trust.md +++ b/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/az-cloud-kerberos-trust.md @@ -47,3 +47,7 @@ The success of the attack and attainment of Domain Admin privileges hinge on mee Check it in the original post: [https://dirkjanm.io/obtaining-domain-admin-from-azure-ad-via-cloud-kerberos-trust/](https://dirkjanm.io/obtaining-domain-admin-from-azure-ad-via-cloud-kerberos-trust/) {{#include ../../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/az-default-applications.md b/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/az-default-applications.md index 92176611d..593b0222a 100644 --- a/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/az-default-applications.md +++ b/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/az-default-applications.md @@ -7,3 +7,7 @@ The blog post discusses a privilege escalation vulnerability in Azure AD, allowing Application Admins or compromised On-Premise Sync Accounts to escalate privileges by assigning credentials to applications. The vulnerability, stemming from the "by-design" behavior of Azure AD's handling of applications and service principals, notably affects default Office 365 applications. Although reported, the issue is not considered a vulnerability by Microsoft due to documentation of the admin rights assignment behavior. The post provides detailed technical insights and advises regular reviews of service principal credentials in Azure AD environments. For more detailed information, you can visit the original blog post. {{#include ../../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/az-synchronising-new-users.md b/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/az-synchronising-new-users.md index 512fb6dad..4af67011b 100644 --- a/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/az-synchronising-new-users.md +++ b/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/az-synchronising-new-users.md @@ -30,3 +30,7 @@ An automatically, this user will be **synced from AzureAD to the on-prem AD user - [https://www.youtube.com/watch?v=JEIR5oGCwdg](https://www.youtube.com/watch?v=JEIR5oGCwdg) {{#include ../../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/federation.md b/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/federation.md index 8ab63e3a1..480c5f22b 100644 --- a/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/federation.md +++ b/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/federation.md @@ -159,3 +159,7 @@ Open-AADIntOffice365Portal -ImmutableID "aodilmsic30fugCUgHxsnK==" -Issuer http: - [https://www.cyberark.com/resources/threat-research-blog/golden-saml-newly-discovered-attack-technique-forges-authentication-to-cloud-apps](https://www.cyberark.com/resources/threat-research-blog/golden-saml-newly-discovered-attack-technique-forges-authentication-to-cloud-apps) {{#include ../../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/phs-password-hash-sync.md b/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/phs-password-hash-sync.md index 7c61e9337..0bf61effe 100644 --- a/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/phs-password-hash-sync.md +++ b/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/phs-password-hash-sync.md @@ -120,3 +120,7 @@ seamless-sso.md - [https://www.youtube.com/watch?v=xei8lAPitX8](https://www.youtube.com/watch?v=xei8lAPitX8) {{#include ../../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/pta-pass-through-authentication.md b/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/pta-pass-through-authentication.md index dcf4d820c..f6edf1214 100644 --- a/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/pta-pass-through-authentication.md +++ b/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/pta-pass-through-authentication.md @@ -68,3 +68,7 @@ seamless-sso.md - [https://aadinternals.com/post/on-prem_admin/#pass-through-authentication](https://aadinternals.com/post/on-prem_admin/#pass-through-authentication) {{#include ../../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/seamless-sso.md b/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/seamless-sso.md index a9039c850..289951b91 100644 --- a/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/seamless-sso.md +++ b/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/seamless-sso.md @@ -115,3 +115,7 @@ python rbdel.py -u \\ -p azureadssosvc$ - [TR19: I'm in your cloud, reading everyone's emails - hacking Azure AD via Active Directory](https://www.youtube.com/watch?v=JEIR5oGCwdg) {{#include ../../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/pass-the-prt.md b/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/pass-the-prt.md index 28c96b512..b09d8a841 100644 --- a/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/pass-the-prt.md +++ b/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/pass-the-prt.md @@ -282,3 +282,7 @@ roadrecon auth --prt-cookie --prt-context --derives-key --permissions rwd --expiry 2024- - https://learn.microsoft.com/en-us/azure/storage/queues/queues-auth-abac-attributes {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/azure-security/az-persistence/az-storage-persistence.md b/src/pentesting-cloud/azure-security/az-persistence/az-storage-persistence.md index ab01d48bf..95dedb925 100644 --- a/src/pentesting-cloud/azure-security/az-persistence/az-storage-persistence.md +++ b/src/pentesting-cloud/azure-security/az-persistence/az-storage-persistence.md @@ -39,3 +39,7 @@ az storage blob service-properties delete-policy update \ ``` {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/azure-security/az-persistence/az-vms-persistence.md b/src/pentesting-cloud/azure-security/az-persistence/az-vms-persistence.md index 00cfdd9a4..8d020a39e 100644 --- a/src/pentesting-cloud/azure-security/az-persistence/az-vms-persistence.md +++ b/src/pentesting-cloud/azure-security/az-persistence/az-vms-persistence.md @@ -23,3 +23,7 @@ An attacker could get access to the instances and backdoor them: - Backdooring the **User Data** {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/azure-security/az-post-exploitation/README.md b/src/pentesting-cloud/azure-security/az-post-exploitation/README.md index cc0b53da5..53b20671b 100644 --- a/src/pentesting-cloud/azure-security/az-post-exploitation/README.md +++ b/src/pentesting-cloud/azure-security/az-post-exploitation/README.md @@ -1,2 +1,6 @@ # Az - Post Exploitation + + + + diff --git a/src/pentesting-cloud/azure-security/az-post-exploitation/az-blob-storage-post-exploitation.md b/src/pentesting-cloud/azure-security/az-post-exploitation/az-blob-storage-post-exploitation.md index 4860a9862..9c3d0b8c6 100644 --- a/src/pentesting-cloud/azure-security/az-post-exploitation/az-blob-storage-post-exploitation.md +++ b/src/pentesting-cloud/azure-security/az-post-exploitation/az-blob-storage-post-exploitation.md @@ -43,3 +43,7 @@ az storage blob upload \ This would allow to delete objects inside the storage account which might **interrupt some services** or make the client **lose valuable information**. {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/azure-security/az-post-exploitation/az-file-share-post-exploitation.md b/src/pentesting-cloud/azure-security/az-post-exploitation/az-file-share-post-exploitation.md index 04ac0fa8c..b3d3cf90f 100644 --- a/src/pentesting-cloud/azure-security/az-post-exploitation/az-file-share-post-exploitation.md +++ b/src/pentesting-cloud/azure-security/az-post-exploitation/az-file-share-post-exploitation.md @@ -46,3 +46,7 @@ az storage blob upload \ This would allow to delete file inside the shared filesystem which might **interrupt some services** or make the client **lose valuable information**. {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/azure-security/az-post-exploitation/az-function-apps-post-exploitation.md b/src/pentesting-cloud/azure-security/az-post-exploitation/az-function-apps-post-exploitation.md index d692dbb1a..e511ad994 100644 --- a/src/pentesting-cloud/azure-security/az-post-exploitation/az-function-apps-post-exploitation.md +++ b/src/pentesting-cloud/azure-security/az-post-exploitation/az-function-apps-post-exploitation.md @@ -15,3 +15,7 @@ For more information about function apps check: {{#ref}} ../az-privilege-escalation/az-functions-app-privesc.md {{#endref}} + + + + diff --git a/src/pentesting-cloud/azure-security/az-post-exploitation/az-key-vault-post-exploitation.md b/src/pentesting-cloud/azure-security/az-post-exploitation/az-key-vault-post-exploitation.md index e353765a6..d9357b643 100644 --- a/src/pentesting-cloud/azure-security/az-post-exploitation/az-key-vault-post-exploitation.md +++ b/src/pentesting-cloud/azure-security/az-post-exploitation/az-key-vault-post-exploitation.md @@ -109,3 +109,7 @@ az keyvault secret restore --vault-name --file ``` {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/azure-security/az-post-exploitation/az-queue-post-exploitation.md b/src/pentesting-cloud/azure-security/az-post-exploitation/az-queue-post-exploitation.md index f96e47597..03c59a8d5 100644 --- a/src/pentesting-cloud/azure-security/az-post-exploitation/az-queue-post-exploitation.md +++ b/src/pentesting-cloud/azure-security/az-post-exploitation/az-queue-post-exploitation.md @@ -87,3 +87,7 @@ az storage queue policy set --name --permissions rwd --expiry 2024- - https://learn.microsoft.com/en-us/azure/storage/queues/queues-auth-abac-attributes {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/azure-security/az-post-exploitation/az-servicebus-post-exploitation.md b/src/pentesting-cloud/azure-security/az-post-exploitation/az-servicebus-post-exploitation.md index a82d54e24..2fdb2dc55 100644 --- a/src/pentesting-cloud/azure-security/az-post-exploitation/az-servicebus-post-exploitation.md +++ b/src/pentesting-cloud/azure-security/az-post-exploitation/az-servicebus-post-exploitation.md @@ -97,3 +97,7 @@ Take a look here: - https://learn.microsoft.com/en-us/cli/azure/servicebus/queue?view=azure-cli-latest {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/azure-security/az-post-exploitation/az-sql-post-exploitation.md b/src/pentesting-cloud/azure-security/az-post-exploitation/az-sql-post-exploitation.md index 905e50bb1..7a8b1c1d5 100644 --- a/src/pentesting-cloud/azure-security/az-post-exploitation/az-sql-post-exploitation.md +++ b/src/pentesting-cloud/azure-security/az-post-exploitation/az-sql-post-exploitation.md @@ -100,3 +100,7 @@ az sql db import --admin-user \ ``` {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/azure-security/az-post-exploitation/az-table-storage-post-exploitation.md b/src/pentesting-cloud/azure-security/az-post-exploitation/az-table-storage-post-exploitation.md index cdc688716..06e5df01e 100644 --- a/src/pentesting-cloud/azure-security/az-post-exploitation/az-table-storage-post-exploitation.md +++ b/src/pentesting-cloud/azure-security/az-post-exploitation/az-table-storage-post-exploitation.md @@ -62,3 +62,7 @@ az storage entity merge \ This would allow to delete file inside the shared filesystem which might **interrupt some services** or make the client **lose valuable information**. {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/azure-security/az-post-exploitation/az-vms-and-network-post-exploitation.md b/src/pentesting-cloud/azure-security/az-post-exploitation/az-vms-and-network-post-exploitation.md index 555db9897..900a5d9ce 100644 --- a/src/pentesting-cloud/azure-security/az-post-exploitation/az-vms-and-network-post-exploitation.md +++ b/src/pentesting-cloud/azure-security/az-post-exploitation/az-vms-and-network-post-exploitation.md @@ -179,3 +179,7 @@ az vm application set \ ``` {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/azure-security/az-privilege-escalation/README.md b/src/pentesting-cloud/azure-security/az-privilege-escalation/README.md index 1aa36a8cf..662469fc5 100644 --- a/src/pentesting-cloud/azure-security/az-privilege-escalation/README.md +++ b/src/pentesting-cloud/azure-security/az-privilege-escalation/README.md @@ -1,2 +1,6 @@ # Az - Privilege Escalation + + + + diff --git a/src/pentesting-cloud/azure-security/az-privilege-escalation/az-app-services-privesc.md b/src/pentesting-cloud/azure-security/az-privilege-escalation/az-app-services-privesc.md index acb4d51bb..6a805ae88 100644 --- a/src/pentesting-cloud/azure-security/az-privilege-escalation/az-app-services-privesc.md +++ b/src/pentesting-cloud/azure-security/az-privilege-escalation/az-app-services-privesc.md @@ -37,3 +37,7 @@ ssh root@127.0.0.1 -p 39895 ``` {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/azure-security/az-privilege-escalation/az-authorization-privesc.md b/src/pentesting-cloud/azure-security/az-privilege-escalation/az-authorization-privesc.md index e4572f79b..f8c4359f3 100644 --- a/src/pentesting-cloud/azure-security/az-privilege-escalation/az-authorization-privesc.md +++ b/src/pentesting-cloud/azure-security/az-privilege-escalation/az-authorization-privesc.md @@ -80,3 +80,7 @@ az rest --method PUT \ ``` {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/azure-security/az-privilege-escalation/az-entraid-privesc/README.md b/src/pentesting-cloud/azure-security/az-privilege-escalation/az-entraid-privesc/README.md index c337ced69..940e80bce 100644 --- a/src/pentesting-cloud/azure-security/az-privilege-escalation/az-entraid-privesc/README.md +++ b/src/pentesting-cloud/azure-security/az-privilege-escalation/az-entraid-privesc/README.md @@ -355,3 +355,7 @@ az rest --method GET \ - `microsoft.directory/applications.myOrganization/permissions/update` {{#include ../../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/azure-security/az-privilege-escalation/az-entraid-privesc/az-conditional-access-policies-mfa-bypass.md b/src/pentesting-cloud/azure-security/az-privilege-escalation/az-entraid-privesc/az-conditional-access-policies-mfa-bypass.md index 498bc7d2a..27bf965d0 100644 --- a/src/pentesting-cloud/azure-security/az-privilege-escalation/az-entraid-privesc/az-conditional-access-policies-mfa-bypass.md +++ b/src/pentesting-cloud/azure-security/az-privilege-escalation/az-entraid-privesc/az-conditional-access-policies-mfa-bypass.md @@ -179,3 +179,7 @@ $data = Get-SharePointFilesFromGraph -authentication $token $data[0].downloadUrl - [https://www.youtube.com/watch?v=xei8lAPitX8](https://www.youtube.com/watch?v=xei8lAPitX8) {{#include ../../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/azure-security/az-privilege-escalation/az-entraid-privesc/dynamic-groups.md b/src/pentesting-cloud/azure-security/az-privilege-escalation/az-entraid-privesc/dynamic-groups.md index 22061b615..322d18348 100644 --- a/src/pentesting-cloud/azure-security/az-privilege-escalation/az-entraid-privesc/dynamic-groups.md +++ b/src/pentesting-cloud/azure-security/az-privilege-escalation/az-entraid-privesc/dynamic-groups.md @@ -48,3 +48,7 @@ az rest --method GET \ - [https://www.mnemonic.io/resources/blog/abusing-dynamic-groups-in-azure-ad-for-privilege-escalation/](https://www.mnemonic.io/resources/blog/abusing-dynamic-groups-in-azure-ad-for-privilege-escalation/) {{#include ../../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/azure-security/az-privilege-escalation/az-functions-app-privesc.md b/src/pentesting-cloud/azure-security/az-privilege-escalation/az-functions-app-privesc.md index 32fee7bad..dd5b81f35 100644 --- a/src/pentesting-cloud/azure-security/az-privilege-escalation/az-functions-app-privesc.md +++ b/src/pentesting-cloud/azure-security/az-privilege-escalation/az-functions-app-privesc.md @@ -455,3 +455,7 @@ az functionapp deployment source config \ ``` {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/azure-security/az-privilege-escalation/az-key-vault-privesc.md b/src/pentesting-cloud/azure-security/az-privilege-escalation/az-key-vault-privesc.md index 700f6e3eb..2db843851 100644 --- a/src/pentesting-cloud/azure-security/az-privilege-escalation/az-key-vault-privesc.md +++ b/src/pentesting-cloud/azure-security/az-privilege-escalation/az-key-vault-privesc.md @@ -32,3 +32,7 @@ az keyvault set-policy \ ``` {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/azure-security/az-privilege-escalation/az-queue-privesc.md b/src/pentesting-cloud/azure-security/az-privilege-escalation/az-queue-privesc.md index af2250673..db0b051cb 100644 --- a/src/pentesting-cloud/azure-security/az-privilege-escalation/az-queue-privesc.md +++ b/src/pentesting-cloud/azure-security/az-privilege-escalation/az-queue-privesc.md @@ -71,3 +71,7 @@ az storage queue policy set --name --permissions rwd --expiry 2024- - https://learn.microsoft.com/en-us/azure/storage/queues/queues-auth-abac-attributes {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/azure-security/az-privilege-escalation/az-servicebus-privesc.md b/src/pentesting-cloud/azure-security/az-privilege-escalation/az-servicebus-privesc.md index 1aff5fbc9..bee8aff28 100644 --- a/src/pentesting-cloud/azure-security/az-privilege-escalation/az-servicebus-privesc.md +++ b/src/pentesting-cloud/azure-security/az-privilege-escalation/az-servicebus-privesc.md @@ -152,3 +152,7 @@ az servicebus namespace authorization-rule update \ - https://learn.microsoft.com/en-us/azure/role-based-access-control/permissions/integration#microsoftservicebus {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/azure-security/az-privilege-escalation/az-sql-privesc.md b/src/pentesting-cloud/azure-security/az-privilege-escalation/az-sql-privesc.md index 8122224dc..76dbfdcfd 100644 --- a/src/pentesting-cloud/azure-security/az-privilege-escalation/az-sql-privesc.md +++ b/src/pentesting-cloud/azure-security/az-privilege-escalation/az-sql-privesc.md @@ -109,3 +109,7 @@ az sql server azure-ad-only-auth disable \ ``` {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/azure-security/az-privilege-escalation/az-storage-privesc.md b/src/pentesting-cloud/azure-security/az-privilege-escalation/az-storage-privesc.md index d94de30c0..c2545f9e2 100644 --- a/src/pentesting-cloud/azure-security/az-privilege-escalation/az-storage-privesc.md +++ b/src/pentesting-cloud/azure-security/az-privilege-escalation/az-storage-privesc.md @@ -150,3 +150,7 @@ az storage share-rm restore \ - [https://learn.microsoft.com/en-us/azure/storage/blobs/secure-file-transfer-protocol-support](https://learn.microsoft.com/en-us/azure/storage/blobs/secure-file-transfer-protocol-support) {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/azure-security/az-privilege-escalation/az-virtual-machines-and-network-privesc.md b/src/pentesting-cloud/azure-security/az-privilege-escalation/az-virtual-machines-and-network-privesc.md index ee62ce582..6d8ba6e74 100644 --- a/src/pentesting-cloud/azure-security/az-privilege-escalation/az-virtual-machines-and-network-privesc.md +++ b/src/pentesting-cloud/azure-security/az-privilege-escalation/az-virtual-machines-and-network-privesc.md @@ -380,3 +380,7 @@ https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery/clou According to the [**docs**](https://learn.microsoft.com/en-us/azure/role-based-access-control/permissions/compute#microsoftcompute), this permission lets you manage the OS of your resource via Windows Admin Center as an administrator. So it looks like this gives access to the WAC to control the VMs... {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/azure-security/az-services/README.md b/src/pentesting-cloud/azure-security/az-services/README.md index 26eacc74b..3a40a9dff 100644 --- a/src/pentesting-cloud/azure-security/az-services/README.md +++ b/src/pentesting-cloud/azure-security/az-services/README.md @@ -71,3 +71,7 @@ def main(req: func.HttpRequest) -> func.HttpResponse: **The pages of this section are ordered by Azure service. In there you will be able to find information about the service (how it works and capabilities) and also how to enumerate each service.** {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/azure-security/az-services/az-acr.md b/src/pentesting-cloud/azure-security/az-services/az-acr.md index 3da5a42d2..800b03b30 100644 --- a/src/pentesting-cloud/azure-security/az-services/az-acr.md +++ b/src/pentesting-cloud/azure-security/az-services/az-acr.md @@ -50,3 +50,7 @@ docker pull .azurecr.io/: ``` {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/azure-security/az-services/az-app-service.md b/src/pentesting-cloud/azure-security/az-services/az-app-service.md index 8bd86e5eb..d18a4d6ee 100644 --- a/src/pentesting-cloud/azure-security/az-services/az-app-service.md +++ b/src/pentesting-cloud/azure-security/az-services/az-app-service.md @@ -212,3 +212,7 @@ git clone 'https://:@name.scm.azurewebsites.net/repo-name.gi - [https://learn.microsoft.com/en-in/azure/app-service/overview](https://learn.microsoft.com/en-in/azure/app-service/overview) {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/azure-security/az-services/az-application-proxy.md b/src/pentesting-cloud/azure-security/az-services/az-application-proxy.md index 9e40a66c8..e0cf6a053 100644 --- a/src/pentesting-cloud/azure-security/az-services/az-application-proxy.md +++ b/src/pentesting-cloud/azure-security/az-services/az-application-proxy.md @@ -38,3 +38,7 @@ Get-ApplicationProxyAssignedUsersAndGroups -ObjectId - [https://learn.microsoft.com/en-us/azure/active-directory/app-proxy/application-proxy](https://learn.microsoft.com/en-us/azure/active-directory/app-proxy/application-proxy) {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/azure-security/az-services/az-arm-templates.md b/src/pentesting-cloud/azure-security/az-services/az-arm-templates.md index 7ee051d41..6fcf24ecc 100644 --- a/src/pentesting-cloud/azure-security/az-services/az-arm-templates.md +++ b/src/pentesting-cloud/azure-security/az-services/az-arm-templates.md @@ -29,3 +29,7 @@ cat | Select-String password - [https://app.gitbook.com/s/5uvPQhxNCPYYTqpRwsuS/\~/changes/argKsv1NUBY9l4Pd28TU/pentesting-cloud/azure-security/az-services/az-arm-templates#references](az-arm-templates.md#references) {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/azure-security/az-services/az-automation-account/README.md b/src/pentesting-cloud/azure-security/az-services/az-automation-account/README.md index 6d80d497f..43e03e664 100644 --- a/src/pentesting-cloud/azure-security/az-services/az-automation-account/README.md +++ b/src/pentesting-cloud/azure-security/az-services/az-automation-account/README.md @@ -176,3 +176,7 @@ $response = Invoke-WebRequest -Method Post -Uri $uri -Body $body - [https://github.com/rootsecdev/Azure-Red-Team#runbook-automation](https://github.com/rootsecdev/Azure-Red-Team#runbook-automation) {{#include ../../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/azure-security/az-services/az-automation-account/az-state-configuration-rce.md b/src/pentesting-cloud/azure-security/az-services/az-automation-account/az-state-configuration-rce.md index d63ab573e..a1c9b0e78 100644 --- a/src/pentesting-cloud/azure-security/az-services/az-automation-account/az-state-configuration-rce.md +++ b/src/pentesting-cloud/azure-security/az-services/az-automation-account/az-state-configuration-rce.md @@ -63,3 +63,7 @@ sudo nc -nlvp 443 The successful execution of this process opens numerous possibilities for further actions, such as credential dumping or expanding the attack to multiple VMs. The guide encourages continued learning and creativity in the realm of Azure Automation DSC. {{#include ../../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/azure-security/az-services/az-azuread.md b/src/pentesting-cloud/azure-security/az-services/az-azuread.md index 3a5f6aeaf..145e12b7b 100644 --- a/src/pentesting-cloud/azure-security/az-services/az-azuread.md +++ b/src/pentesting-cloud/azure-security/az-services/az-azuread.md @@ -1029,3 +1029,7 @@ The default mode is **Audit**: - [https://learn.microsoft.com/en-us/azure/active-directory/roles/administrative-units](https://learn.microsoft.com/en-us/azure/active-directory/roles/administrative-units) {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/azure-security/az-services/az-file-shares.md b/src/pentesting-cloud/azure-security/az-services/az-file-shares.md index 3d6fb67b6..92ec2c2d4 100644 --- a/src/pentesting-cloud/azure-security/az-services/az-file-shares.md +++ b/src/pentesting-cloud/azure-security/az-services/az-file-shares.md @@ -170,3 +170,7 @@ Same as storage persistence: {{#endref}} {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/azure-security/az-services/az-function-apps.md b/src/pentesting-cloud/azure-security/az-services/az-function-apps.md index 782dc2d1c..4d5ad8bba 100644 --- a/src/pentesting-cloud/azure-security/az-services/az-function-apps.md +++ b/src/pentesting-cloud/azure-security/az-services/az-function-apps.md @@ -264,3 +264,7 @@ az rest --url "https://management.azure.com//resourceGroups/ -Name {{#endtabs }} {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/azure-security/az-services/az-management-groups-subscriptions-and-resource-groups.md b/src/pentesting-cloud/azure-security/az-services/az-management-groups-subscriptions-and-resource-groups.md index 78ea357b7..b6e7dc37c 100644 --- a/src/pentesting-cloud/azure-security/az-services/az-management-groups-subscriptions-and-resource-groups.md +++ b/src/pentesting-cloud/azure-security/az-services/az-management-groups-subscriptions-and-resource-groups.md @@ -54,3 +54,7 @@ az group list --subscription "" --output table ``` {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/azure-security/az-services/az-queue-enum.md b/src/pentesting-cloud/azure-security/az-services/az-queue-enum.md index a2ccb7cc9..bd7e68a13 100644 --- a/src/pentesting-cloud/azure-security/az-services/az-queue-enum.md +++ b/src/pentesting-cloud/azure-security/az-services/az-queue-enum.md @@ -93,3 +93,7 @@ $queueMessage.Value - https://learn.microsoft.com/en-us/azure/storage/queues/queues-auth-abac-attributes {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/azure-security/az-services/az-servicebus-enum.md b/src/pentesting-cloud/azure-security/az-services/az-servicebus-enum.md index 9a2b8b490..4e1d7d1f9 100644 --- a/src/pentesting-cloud/azure-security/az-services/az-servicebus-enum.md +++ b/src/pentesting-cloud/azure-security/az-services/az-servicebus-enum.md @@ -98,3 +98,7 @@ az servicebus namespace authorization-rule keys list --resource-group .database.windows.net -U -P # List pools of DB ``` {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/digital-ocean-pentesting/do-services/do-droplets.md b/src/pentesting-cloud/digital-ocean-pentesting/do-services/do-droplets.md index bb4798592..2b82e8236 100644 --- a/src/pentesting-cloud/digital-ocean-pentesting/do-services/do-droplets.md +++ b/src/pentesting-cloud/digital-ocean-pentesting/do-services/do-droplets.md @@ -79,3 +79,7 @@ With access to the console it's possible to **get a shell inside the droplet** a It's also possible to launch a **recovery console** to run commands inside the host accessing a recovery console in **`https://cloud.digitalocean.com/droplets//console`**(but in this case you will need to know the root password). {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/digital-ocean-pentesting/do-services/do-functions.md b/src/pentesting-cloud/digital-ocean-pentesting/do-services/do-functions.md index c167d4ffa..e0c7030d6 100644 --- a/src/pentesting-cloud/digital-ocean-pentesting/do-services/do-functions.md +++ b/src/pentesting-cloud/digital-ocean-pentesting/do-services/do-functions.md @@ -58,3 +58,7 @@ doctl serverless activations result # get only the response resu > There **isn't metadata endpoint** from the Functions sandbox. {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/digital-ocean-pentesting/do-services/do-images.md b/src/pentesting-cloud/digital-ocean-pentesting/do-services/do-images.md index b816a1c13..67b2ba40b 100644 --- a/src/pentesting-cloud/digital-ocean-pentesting/do-services/do-images.md +++ b/src/pentesting-cloud/digital-ocean-pentesting/do-services/do-images.md @@ -17,3 +17,7 @@ doctl compute image list ``` {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/digital-ocean-pentesting/do-services/do-kubernetes-doks.md b/src/pentesting-cloud/digital-ocean-pentesting/do-services/do-kubernetes-doks.md index 34ed44fb9..b838e21e3 100644 --- a/src/pentesting-cloud/digital-ocean-pentesting/do-services/do-kubernetes-doks.md +++ b/src/pentesting-cloud/digital-ocean-pentesting/do-services/do-kubernetes-doks.md @@ -37,3 +37,7 @@ doctl kubernetes cluster list-associated-resources ``` {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/digital-ocean-pentesting/do-services/do-networking.md b/src/pentesting-cloud/digital-ocean-pentesting/do-services/do-networking.md index c6bf58b8d..f0e752871 100644 --- a/src/pentesting-cloud/digital-ocean-pentesting/do-services/do-networking.md +++ b/src/pentesting-cloud/digital-ocean-pentesting/do-services/do-networking.md @@ -43,3 +43,7 @@ doctl compute firewall remove-droplets --droplet-ids ``` {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/digital-ocean-pentesting/do-services/do-projects.md b/src/pentesting-cloud/digital-ocean-pentesting/do-services/do-projects.md index 9c164f747..3f8adcdc4 100644 --- a/src/pentesting-cloud/digital-ocean-pentesting/do-services/do-projects.md +++ b/src/pentesting-cloud/digital-ocean-pentesting/do-services/do-projects.md @@ -21,3 +21,7 @@ doctl projects resources list # Get all the resources of a project ``` {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/digital-ocean-pentesting/do-services/do-spaces.md b/src/pentesting-cloud/digital-ocean-pentesting/do-services/do-spaces.md index bbb985e64..faf452f36 100644 --- a/src/pentesting-cloud/digital-ocean-pentesting/do-services/do-spaces.md +++ b/src/pentesting-cloud/digital-ocean-pentesting/do-services/do-spaces.md @@ -44,3 +44,7 @@ aws s3 ls --endpoint=https://fra1.digitaloceanspaces.com s3://uniqbucketname ``` {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/digital-ocean-pentesting/do-services/do-volumes.md b/src/pentesting-cloud/digital-ocean-pentesting/do-services/do-volumes.md index 95041a406..34f57bb65 100644 --- a/src/pentesting-cloud/digital-ocean-pentesting/do-services/do-volumes.md +++ b/src/pentesting-cloud/digital-ocean-pentesting/do-services/do-volumes.md @@ -13,3 +13,7 @@ compute volume list ``` {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/gcp-security/README.md b/src/pentesting-cloud/gcp-security/README.md index 1b74bb6b0..6ee2826c5 100644 --- a/src/pentesting-cloud/gcp-security/README.md +++ b/src/pentesting-cloud/gcp-security/README.md @@ -243,3 +243,7 @@ gcloud config unset auth/access_token_file - [https://about.gitlab.com/blog/2020/02/12/plundering-gcp-escalating-privileges-in-google-cloud-platform/](https://about.gitlab.com/blog/2020/02/12/plundering-gcp-escalating-privileges-in-google-cloud-platform/) {{#include ../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/gcp-security/gcp-basic-information/README.md b/src/pentesting-cloud/gcp-security/gcp-basic-information/README.md index 890c5d03b..28c82cfe4 100644 --- a/src/pentesting-cloud/gcp-security/gcp-basic-information/README.md +++ b/src/pentesting-cloud/gcp-security/gcp-basic-information/README.md @@ -228,3 +228,7 @@ As defined by terraform in [https://registry.terraform.io/providers/hashicorp/go - [https://cloud.google.com/resource-manager/docs/cloud-platform-resource-hierarchy](https://cloud.google.com/resource-manager/docs/cloud-platform-resource-hierarchy) {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/gcp-security/gcp-basic-information/gcp-federation-abuse.md b/src/pentesting-cloud/gcp-security/gcp-basic-information/gcp-federation-abuse.md index 55e8d2f71..7264de52e 100644 --- a/src/pentesting-cloud/gcp-security/gcp-basic-information/gcp-federation-abuse.md +++ b/src/pentesting-cloud/gcp-security/gcp-basic-information/gcp-federation-abuse.md @@ -151,3 +151,7 @@ jobs: ``` {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/gcp-security/gcp-permissions-for-a-pentest.md b/src/pentesting-cloud/gcp-security/gcp-permissions-for-a-pentest.md index 8e9d0d77b..f80fca133 100644 --- a/src/pentesting-cloud/gcp-security/gcp-permissions-for-a-pentest.md +++ b/src/pentesting-cloud/gcp-security/gcp-permissions-for-a-pentest.md @@ -142,3 +142,7 @@ roles/iam.securityReviewer roles/iam.organizationRoleViewer roles/bigquery.metadataViewer ``` + + + + diff --git a/src/pentesting-cloud/gcp-security/gcp-persistence/README.md b/src/pentesting-cloud/gcp-security/gcp-persistence/README.md index 4e8a91f74..29e628792 100644 --- a/src/pentesting-cloud/gcp-security/gcp-persistence/README.md +++ b/src/pentesting-cloud/gcp-security/gcp-persistence/README.md @@ -1,2 +1,6 @@ # GCP - Persistence + + + + diff --git a/src/pentesting-cloud/gcp-security/gcp-persistence/gcp-api-keys-persistence.md b/src/pentesting-cloud/gcp-security/gcp-persistence/gcp-api-keys-persistence.md index 76643a4ae..d763d87cb 100644 --- a/src/pentesting-cloud/gcp-security/gcp-persistence/gcp-api-keys-persistence.md +++ b/src/pentesting-cloud/gcp-security/gcp-persistence/gcp-api-keys-persistence.md @@ -19,3 +19,7 @@ Check how to do this in: {{#endref}} {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/gcp-security/gcp-persistence/gcp-app-engine-persistence.md b/src/pentesting-cloud/gcp-security/gcp-persistence/gcp-app-engine-persistence.md index 82bf6fd5e..6d0ee2e1f 100644 --- a/src/pentesting-cloud/gcp-security/gcp-persistence/gcp-app-engine-persistence.md +++ b/src/pentesting-cloud/gcp-security/gcp-persistence/gcp-app-engine-persistence.md @@ -19,3 +19,7 @@ If yoi could just modify the code of a running version or create a new one yo co **Every version of the web application is going to be run**, if you find that an App Engine project is running several versions, you could **create a new one** with your **backdoor** code, and then **create a new legit** one so the last one is the legit but there will be a **backdoored one also running**. {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/gcp-security/gcp-persistence/gcp-artifact-registry-persistence.md b/src/pentesting-cloud/gcp-security/gcp-persistence/gcp-artifact-registry-persistence.md index e4c4bb258..56d9bf760 100644 --- a/src/pentesting-cloud/gcp-security/gcp-persistence/gcp-artifact-registry-persistence.md +++ b/src/pentesting-cloud/gcp-security/gcp-persistence/gcp-artifact-registry-persistence.md @@ -40,3 +40,7 @@ https://book.hacktricks.xyz/pentesting-web/dependency-confusion {{#endref}} {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/gcp-security/gcp-persistence/gcp-bigquery-persistence.md b/src/pentesting-cloud/gcp-security/gcp-persistence/gcp-bigquery-persistence.md index e524fd97e..8d5d641e9 100644 --- a/src/pentesting-cloud/gcp-security/gcp-persistence/gcp-bigquery-persistence.md +++ b/src/pentesting-cloud/gcp-security/gcp-persistence/gcp-bigquery-persistence.md @@ -19,3 +19,7 @@ Grant further access over datasets, tables, rows and columns to compromised user {{#endref}} {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/gcp-security/gcp-persistence/gcp-cloud-functions-persistence.md b/src/pentesting-cloud/gcp-security/gcp-persistence/gcp-cloud-functions-persistence.md index e02c5e3e4..25e82bdf1 100644 --- a/src/pentesting-cloud/gcp-security/gcp-persistence/gcp-cloud-functions-persistence.md +++ b/src/pentesting-cloud/gcp-security/gcp-persistence/gcp-cloud-functions-persistence.md @@ -17,3 +17,7 @@ For more info about Cloud Functions check: - **Trigger** a Cloud Function when something happens to infect something {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/gcp-security/gcp-persistence/gcp-cloud-run-persistence.md b/src/pentesting-cloud/gcp-security/gcp-persistence/gcp-cloud-run-persistence.md index a59ef33ba..144b68b8a 100644 --- a/src/pentesting-cloud/gcp-security/gcp-persistence/gcp-cloud-run-persistence.md +++ b/src/pentesting-cloud/gcp-security/gcp-persistence/gcp-cloud-run-persistence.md @@ -23,3 +23,7 @@ Make a Service publicly accessible Create a backdoored Service or Job {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/gcp-security/gcp-persistence/gcp-cloud-shell-persistence.md b/src/pentesting-cloud/gcp-security/gcp-persistence/gcp-cloud-shell-persistence.md index c38442234..6484237a5 100644 --- a/src/pentesting-cloud/gcp-security/gcp-persistence/gcp-cloud-shell-persistence.md +++ b/src/pentesting-cloud/gcp-security/gcp-persistence/gcp-cloud-shell-persistence.md @@ -67,3 +67,7 @@ But you can find further information in [https://github.com/FrancescoDiSalesGith - [https://securityintelligence.com/posts/attacker-achieve-persistence-google-cloud-platform-cloud-shell/](https://securityintelligence.com/posts/attacker-achieve-persistence-google-cloud-platform-cloud-shell/) {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/gcp-security/gcp-persistence/gcp-cloud-sql-persistence.md b/src/pentesting-cloud/gcp-security/gcp-persistence/gcp-cloud-sql-persistence.md index 795314341..1b26d09d9 100644 --- a/src/pentesting-cloud/gcp-security/gcp-persistence/gcp-cloud-sql-persistence.md +++ b/src/pentesting-cloud/gcp-security/gcp-persistence/gcp-cloud-sql-persistence.md @@ -35,3 +35,7 @@ For more information check the technique in: {{#endref}} {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/gcp-security/gcp-persistence/gcp-compute-persistence.md b/src/pentesting-cloud/gcp-security/gcp-persistence/gcp-compute-persistence.md index aebbe350c..ac3919ffa 100644 --- a/src/pentesting-cloud/gcp-security/gcp-persistence/gcp-compute-persistence.md +++ b/src/pentesting-cloud/gcp-security/gcp-persistence/gcp-compute-persistence.md @@ -17,3 +17,7 @@ For more informatoin about Compute and VPC (Networking) check: - Create new accessible instance with a privileged SA {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/gcp-security/gcp-persistence/gcp-dataflow-persistence.md b/src/pentesting-cloud/gcp-security/gcp-persistence/gcp-dataflow-persistence.md index 9eb6791c1..58f285177 100644 --- a/src/pentesting-cloud/gcp-security/gcp-persistence/gcp-dataflow-persistence.md +++ b/src/pentesting-cloud/gcp-security/gcp-persistence/gcp-dataflow-persistence.md @@ -51,3 +51,7 @@ gcloud dataflow $NAME_TEMPLATE run testing \ ``` {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/gcp-security/gcp-persistence/gcp-filestore-persistence.md b/src/pentesting-cloud/gcp-security/gcp-persistence/gcp-filestore-persistence.md index 2777d5391..0ef71caf8 100644 --- a/src/pentesting-cloud/gcp-security/gcp-persistence/gcp-filestore-persistence.md +++ b/src/pentesting-cloud/gcp-security/gcp-persistence/gcp-filestore-persistence.md @@ -19,3 +19,7 @@ gcp-filestore-persistence.md {{#endref}} {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/gcp-security/gcp-persistence/gcp-logging-persistence.md b/src/pentesting-cloud/gcp-security/gcp-persistence/gcp-logging-persistence.md index 86265608f..dfdec0c54 100644 --- a/src/pentesting-cloud/gcp-security/gcp-persistence/gcp-logging-persistence.md +++ b/src/pentesting-cloud/gcp-security/gcp-persistence/gcp-logging-persistence.md @@ -19,3 +19,7 @@ gcloud logging sinks create --log-filter="FILTER_CONDI ``` {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/gcp-security/gcp-persistence/gcp-non-svc-persistance.md b/src/pentesting-cloud/gcp-security/gcp-persistence/gcp-non-svc-persistance.md index 8c553e503..03f057015 100644 --- a/src/pentesting-cloud/gcp-security/gcp-persistence/gcp-non-svc-persistance.md +++ b/src/pentesting-cloud/gcp-security/gcp-persistence/gcp-non-svc-persistance.md @@ -102,3 +102,7 @@ Some remediations for these techniques are explained in [https://www.netskope.co - [https://www.netskope.com/blog/gcp-oauth-token-hijacking-in-google-cloud-part-2](https://www.netskope.com/blog/gcp-oauth-token-hijacking-in-google-cloud-part-2) {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/gcp-security/gcp-persistence/gcp-secret-manager-persistence.md b/src/pentesting-cloud/gcp-security/gcp-persistence/gcp-secret-manager-persistence.md index 16b9ea247..260bd0f1d 100644 --- a/src/pentesting-cloud/gcp-security/gcp-persistence/gcp-secret-manager-persistence.md +++ b/src/pentesting-cloud/gcp-security/gcp-persistence/gcp-secret-manager-persistence.md @@ -20,3 +20,7 @@ An attacker could update the secret to: - **Modify the rotation code being executed.** This happens in a different service, probably in a Cloud Function, so the attacker will need privileged access over the Cloud Function or any other service. {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/gcp-security/gcp-persistence/gcp-storage-persistence.md b/src/pentesting-cloud/gcp-security/gcp-persistence/gcp-storage-persistence.md index ad54454ba..af1e5e00f 100644 --- a/src/pentesting-cloud/gcp-security/gcp-persistence/gcp-storage-persistence.md +++ b/src/pentesting-cloud/gcp-security/gcp-persistence/gcp-storage-persistence.md @@ -36,3 +36,7 @@ Another exploit script for this method can be found [here](https://github.com/Rh {{#endref}} {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/gcp-security/gcp-post-exploitation/README.md b/src/pentesting-cloud/gcp-security/gcp-post-exploitation/README.md index a802993e7..059d4cbea 100644 --- a/src/pentesting-cloud/gcp-security/gcp-post-exploitation/README.md +++ b/src/pentesting-cloud/gcp-security/gcp-post-exploitation/README.md @@ -1,2 +1,6 @@ # GCP - Post Exploitation + + + + diff --git a/src/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-app-engine-post-exploitation.md b/src/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-app-engine-post-exploitation.md index 4a92c4c1b..94fbf3f8a 100644 --- a/src/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-app-engine-post-exploitation.md +++ b/src/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-app-engine-post-exploitation.md @@ -41,3 +41,7 @@ The source code of all the versions and services are **stored in the bucket** wi Modify source code to steal credentials if they are being sent or perform a defacement web attack. {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-artifact-registry-post-exploitation.md b/src/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-artifact-registry-post-exploitation.md index 08e30528d..2ddce1d54 100644 --- a/src/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-artifact-registry-post-exploitation.md +++ b/src/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-artifact-registry-post-exploitation.md @@ -19,3 +19,7 @@ The Post Exploitation and Privesc techniques of Artifact Registry were mixed in: {{#endref}} {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-cloud-build-post-exploitation.md b/src/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-cloud-build-post-exploitation.md index 115fa6ee9..ba5350b4b 100644 --- a/src/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-cloud-build-post-exploitation.md +++ b/src/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-cloud-build-post-exploitation.md @@ -27,3 +27,7 @@ curl -X POST \ ``` {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-cloud-functions-post-exploitation.md b/src/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-cloud-functions-post-exploitation.md index 8057b3b10..2cf26d140 100644 --- a/src/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-cloud-functions-post-exploitation.md +++ b/src/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-cloud-functions-post-exploitation.md @@ -126,3 +126,7 @@ def injection(): except Exception as e: return str(e) ``` + + + + diff --git a/src/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-cloud-run-post-exploitation.md b/src/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-cloud-run-post-exploitation.md index 101518536..9a1b57846 100644 --- a/src/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-cloud-run-post-exploitation.md +++ b/src/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-cloud-run-post-exploitation.md @@ -21,3 +21,7 @@ If the images are stored in repos inside the service Artifact Registry and the u Modify the run image to steal information and redeploy the new version (just uploading a new docker container with the same tags won't get it executed). For example, if it's exposing a login page, steal the credentials users are sending. {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-cloud-shell-post-exploitation.md b/src/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-cloud-shell-post-exploitation.md index 30135adc2..b1ea7c2ce 100644 --- a/src/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-cloud-shell-post-exploitation.md +++ b/src/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-cloud-shell-post-exploitation.md @@ -100,3 +100,7 @@ cd ngrok;./ngrok tcp 3128 The instructions were copied from [https://github.com/FrancescoDiSalesGithub/Google-cloud-shell-hacking?tab=readme-ov-file#ssh-on-the-google-cloud-shell-using-the-private-key](https://github.com/FrancescoDiSalesGithub/Google-cloud-shell-hacking?tab=readme-ov-file#ssh-on-the-google-cloud-shell-using-the-private-key). Check that page for other crazy ideas to run any kind of software (databases and even windows) in Cloud Shell. {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-cloud-sql-post-exploitation.md b/src/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-cloud-sql-post-exploitation.md index 34da94a25..33bfb12e4 100644 --- a/src/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-cloud-sql-post-exploitation.md +++ b/src/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-cloud-sql-post-exploitation.md @@ -101,3 +101,7 @@ gcloud sql databases delete --instance ``` {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-compute-post-exploitation.md b/src/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-compute-post-exploitation.md index 9ef2e128a..f6d39a8f0 100644 --- a/src/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-compute-post-exploitation.md +++ b/src/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-compute-post-exploitation.md @@ -118,3 +118,7 @@ Mount the disk inside the VM: If you **cannot give access to a external project** to the snapshot or disk, you might need to p**erform these actions inside an instance in the same project as the snapshot/disk**. {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-filestore-post-exploitation.md b/src/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-filestore-post-exploitation.md index 7300de2e5..bd24bbb0e 100644 --- a/src/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-filestore-post-exploitation.md +++ b/src/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-filestore-post-exploitation.md @@ -98,3 +98,7 @@ gcloud filestore backups create \ ``` {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-iam-post-exploitation.md b/src/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-iam-post-exploitation.md index eadadc6f6..f7d393701 100644 --- a/src/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-iam-post-exploitation.md +++ b/src/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-iam-post-exploitation.md @@ -27,3 +27,7 @@ If you succeeded here, try **accessing the web interface** and exploring from th This is the **highest level you can assign using the gcloud tool**. {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-kms-post-exploitation.md b/src/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-kms-post-exploitation.md index fbfbf734a..3dfd31284 100644 --- a/src/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-kms-post-exploitation.md +++ b/src/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-kms-post-exploitation.md @@ -255,3 +255,7 @@ print('Verified:', verified) ``` {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-logging-post-exploitation.md b/src/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-logging-post-exploitation.md index c63578d82..c6bdd5376 100644 --- a/src/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-logging-post-exploitation.md +++ b/src/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-logging-post-exploitation.md @@ -131,3 +131,7 @@ gcloud logging sinks update SINK_NAME --no-use-partitioned-tables ``` {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-monitoring-post-exploitation.md b/src/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-monitoring-post-exploitation.md index d8efaccd1..4d0227c77 100644 --- a/src/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-monitoring-post-exploitation.md +++ b/src/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-monitoring-post-exploitation.md @@ -112,3 +112,7 @@ gcloud alpha monitoring channels update CHANNEL_ID --update-channel-labels=email ``` {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-pub-sub-post-exploitation.md b/src/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-pub-sub-post-exploitation.md index 62f11337f..1d24f627e 100644 --- a/src/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-pub-sub-post-exploitation.md +++ b/src/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-pub-sub-post-exploitation.md @@ -138,3 +138,7 @@ gcloud pubsub subscriptions seek YOUR_SUBSCRIPTION_NAME \ ``` {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-secretmanager-post-exploitation.md b/src/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-secretmanager-post-exploitation.md index e679b0261..a12db02ed 100644 --- a/src/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-secretmanager-post-exploitation.md +++ b/src/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-secretmanager-post-exploitation.md @@ -20,3 +20,7 @@ gcloud secrets versions access 1 --secret="" ``` {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-security-post-exploitation.md b/src/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-security-post-exploitation.md index 837f694ed..92b0cee3e 100644 --- a/src/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-security-post-exploitation.md +++ b/src/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-security-post-exploitation.md @@ -56,3 +56,7 @@ gcloud scc findings update `myFinding` --organization=123456 --source=5678 --sta ``` {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-storage-post-exploitation.md b/src/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-storage-post-exploitation.md index 38ebcb8ed..3377adb88 100644 --- a/src/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-storage-post-exploitation.md +++ b/src/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-storage-post-exploitation.md @@ -32,3 +32,7 @@ If you try to give **ACLs to a bucket with disabled ACLs** you will find this er To access open buckets via browser, access the URL `https://.storage.googleapis.com/` or `https://.storage.googleapis.com/` {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-workflows-post-exploitation.md b/src/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-workflows-post-exploitation.md index d2f1698bd..be0e1a5c5 100644 --- a/src/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-workflows-post-exploitation.md +++ b/src/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-workflows-post-exploitation.md @@ -19,3 +19,7 @@ The post exploitation techniques are actually the same ones as the ones shared i {{#endref}} {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/README.md b/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/README.md index b79f6f274..9da5e566e 100644 --- a/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/README.md +++ b/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/README.md @@ -72,3 +72,7 @@ gcp-local-privilege-escalation-ssh-pivoting.md - [https://about.gitlab.com/blog/2020/02/12/plundering-gcp-escalating-privileges-in-google-cloud-platform/](https://about.gitlab.com/blog/2020/02/12/plundering-gcp-escalating-privileges-in-google-cloud-platform/) {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-apikeys-privesc.md b/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-apikeys-privesc.md index 810589dcf..600b14bdd 100644 --- a/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-apikeys-privesc.md +++ b/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-apikeys-privesc.md @@ -76,3 +76,7 @@ Check the following page to learn how to do this, although this action belongs t {{#endref}} {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-appengine-privesc.md b/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-appengine-privesc.md index 38c219102..ecf58d98f 100644 --- a/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-appengine-privesc.md +++ b/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-appengine-privesc.md @@ -110,3 +110,7 @@ Even though App Engine creates docker images inside Artifact Registry. It was te It might be possible that performing a **Race Condition attack like with the buckets it might be possible to overwrite the executed code**, but this wasn't tested. {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-artifact-registry-privesc.md b/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-artifact-registry-privesc.md index 36c973132..64222603a 100644 --- a/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-artifact-registry-privesc.md +++ b/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-artifact-registry-privesc.md @@ -171,3 +171,7 @@ Even though App Engine creates docker images inside Artifact Registry. It was te It might be possible that performing a **Race Condition attack like with the buckets it might be possible to overwrite the executed code**, but this wasn't tested. {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-batch-privesc.md b/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-batch-privesc.md index b8839f01d..34f4bdf00 100644 --- a/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-batch-privesc.md +++ b/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-batch-privesc.md @@ -56,3 +56,7 @@ EOD ``` {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-bigquery-privesc.md b/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-bigquery-privesc.md index 08f89c1d1..aa5752bc9 100644 --- a/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-bigquery-privesc.md +++ b/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-bigquery-privesc.md @@ -114,3 +114,7 @@ bq query --nouse_legacy_sql 'DROP ALL ROW ACCESS POLICIES ON `. Another potential option to bypass row access policies would be to just change the value of the restricted data. If you can only see when `term` is `Cfba`, just modify all the records of the table to have `term = "Cfba"`. However this is prevented by bigquery. {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-clientauthconfig-privesc.md b/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-clientauthconfig-privesc.md index a79e4c231..ec119a462 100644 --- a/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-clientauthconfig-privesc.md +++ b/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-clientauthconfig-privesc.md @@ -24,3 +24,7 @@ gcloud iap oauth-clients create projects/PROJECT_NUMBER/brands/BRAND-ID --displa ``` {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-cloudbuild-privesc.md b/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-cloudbuild-privesc.md index 20d3d8d00..5d463c0c6 100644 --- a/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-cloudbuild-privesc.md +++ b/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-cloudbuild-privesc.md @@ -60,3 +60,7 @@ curl -X GET \ ``` {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-cloudfunctions-privesc.md b/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-cloudfunctions-privesc.md index 69b7d7841..38e2a6582 100644 --- a/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-cloudfunctions-privesc.md +++ b/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-cloudfunctions-privesc.md @@ -109,3 +109,7 @@ When a Cloud Function is created a new docker image is pushed to the Artifact Re - [https://rhinosecuritylabs.com/gcp/privilege-escalation-google-cloud-platform-part-1/](https://rhinosecuritylabs.com/gcp/privilege-escalation-google-cloud-platform-part-1/) {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-cloudidentity-privesc.md b/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-cloudidentity-privesc.md index f851a05d7..768828935 100644 --- a/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-cloudidentity-privesc.md +++ b/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-cloudidentity-privesc.md @@ -32,3 +32,7 @@ gcloud identity groups memberships modify-membership-roles --group-email ``` {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-cloudscheduler-privesc.md b/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-cloudscheduler-privesc.md index ed5dfa4ef..bea78fd35 100644 --- a/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-cloudscheduler-privesc.md +++ b/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-cloudscheduler-privesc.md @@ -115,3 +115,7 @@ gcloud auth activate-service-account --key-file=/tmp/lab.json - [https://rhinosecuritylabs.com/gcp/privilege-escalation-google-cloud-platform-part-1/](https://rhinosecuritylabs.com/gcp/privilege-escalation-google-cloud-platform-part-1/) {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-composer-privesc.md b/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-composer-privesc.md index 5b5e8283e..02733bcb0 100644 --- a/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-composer-privesc.md +++ b/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-composer-privesc.md @@ -123,3 +123,7 @@ TODO: Check what is possible to compromise by uploading plugins TODO: Check what is possible to compromise by uploading data {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-compute-privesc/README.md b/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-compute-privesc/README.md index 774b0c3ff..f76da5809 100644 --- a/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-compute-privesc/README.md +++ b/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-compute-privesc/README.md @@ -146,3 +146,7 @@ Following this link you find some [**ideas to try to bypass access scopes**](../ - [https://rhinosecuritylabs.com/gcp/privilege-escalation-google-cloud-platform-part-1/](https://rhinosecuritylabs.com/gcp/privilege-escalation-google-cloud-platform-part-1/) {{#include ../../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-compute-privesc/gcp-add-custom-ssh-metadata.md b/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-compute-privesc/gcp-add-custom-ssh-metadata.md index f0d3982df..f74387441 100644 --- a/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-compute-privesc/gcp-add-custom-ssh-metadata.md +++ b/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-compute-privesc/gcp-add-custom-ssh-metadata.md @@ -98,3 +98,7 @@ It's possible to broaden the reach of SSH access to multiple Virtual Machines (V - [https://about.gitlab.com/blog/2020/02/12/plundering-gcp-escalating-privileges-in-google-cloud-platform/](https://about.gitlab.com/blog/2020/02/12/plundering-gcp-escalating-privileges-in-google-cloud-platform/) {{#include ../../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-container-privesc.md b/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-container-privesc.md index 0d19418a2..ea10ba464 100644 --- a/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-container-privesc.md +++ b/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-container-privesc.md @@ -89,3 +89,7 @@ These permissions might allow you to escalate privileges in Kubernetes, but more For more information [**follow this link**](../../kubernetes-security/abusing-roles-clusterroles-in-kubernetes/#malicious-admission-controller). {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-deploymentmaneger-privesc.md b/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-deploymentmaneger-privesc.md index e90828d7e..f77f14f62 100644 --- a/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-deploymentmaneger-privesc.md +++ b/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-deploymentmaneger-privesc.md @@ -27,3 +27,7 @@ This is like the previous abuse but instead of directly creating a new deploymen - [https://rhinosecuritylabs.com/gcp/privilege-escalation-google-cloud-platform-part-1/](https://rhinosecuritylabs.com/gcp/privilege-escalation-google-cloud-platform-part-1/) {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-iam-privesc.md b/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-iam-privesc.md index bd601f58d..4ad8b082e 100644 --- a/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-iam-privesc.md +++ b/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-iam-privesc.md @@ -142,3 +142,7 @@ You can find an example on how to create and OpenID token behalf a service accou - [https://rhinosecuritylabs.com/gcp/privilege-escalation-google-cloud-platform-part-1/](https://rhinosecuritylabs.com/gcp/privilege-escalation-google-cloud-platform-part-1/) {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-kms-privesc.md b/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-kms-privesc.md index 3d8668070..1ca91fe11 100644 --- a/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-kms-privesc.md +++ b/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-kms-privesc.md @@ -86,3 +86,7 @@ gcloud projects add-iam-policy-binding [YOUR_PROJECT_ID] \ Replace `[YOUR_PROJECT_ID]` and `[SERVICE_ACCOUNT_EMAIL]` with your project ID and the email of the service account, respectively. {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-local-privilege-escalation-ssh-pivoting.md b/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-local-privilege-escalation-ssh-pivoting.md index 798518438..36ef69fea 100644 --- a/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-local-privilege-escalation-ssh-pivoting.md +++ b/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-local-privilege-escalation-ssh-pivoting.md @@ -96,3 +96,7 @@ grep -Pzr '(?s)
' \ - [https://about.gitlab.com/blog/2020/02/12/plundering-gcp-escalating-privileges-in-google-cloud-platform/](https://about.gitlab.com/blog/2020/02/12/plundering-gcp-escalating-privileges-in-google-cloud-platform/) {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-misc-perms-privesc.md b/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-misc-perms-privesc.md index 6c155ac6a..2a4e5729a 100644 --- a/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-misc-perms-privesc.md +++ b/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-misc-perms-privesc.md @@ -23,3 +23,7 @@ These permissions can be very useful to try to escalate privileges in resources This permission will usually let you **access or modify a Service Account in some resource** (e.g.: compute.instances.setServiceAccount). This **could lead to a privilege escalation** vector, but it will depend on each case. {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-network-docker-escape.md b/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-network-docker-escape.md index 8126e305e..b3d2e3034 100644 --- a/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-network-docker-escape.md +++ b/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-network-docker-escape.md @@ -54,3 +54,7 @@ This step authorizes the public key, enabling SSH connection with the correspond - [https://www.wiz.io/blog/the-cloud-has-an-isolation-problem-postgresql-vulnerabilities](https://www.wiz.io/blog/the-cloud-has-an-isolation-problem-postgresql-vulnerabilities) {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-orgpolicy-privesc.md b/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-orgpolicy-privesc.md index 8cd87c332..c025a23fe 100644 --- a/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-orgpolicy-privesc.md +++ b/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-orgpolicy-privesc.md @@ -23,3 +23,7 @@ A python script for this method can be found [here](https://github.com/RhinoSecu - [https://rhinosecuritylabs.com/cloud-security/privilege-escalation-google-cloud-platform-part-2/](https://rhinosecuritylabs.com/cloud-security/privilege-escalation-google-cloud-platform-part-2/) {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-pubsub-privesc.md b/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-pubsub-privesc.md index f0537d23d..9daf0bde5 100644 --- a/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-pubsub-privesc.md +++ b/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-pubsub-privesc.md @@ -35,3 +35,7 @@ Access messages using the subscription. Give yourself any of the preiovus permissions {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-resourcemanager-privesc.md b/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-resourcemanager-privesc.md index 9f69d21fa..b602b36dc 100644 --- a/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-resourcemanager-privesc.md +++ b/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-resourcemanager-privesc.md @@ -17,3 +17,7 @@ Like in the exploitation of `iam.serviceAccounts.setIamPolicy`, this permission Like in the exploitation of `iam.serviceAccounts.setIamPolicy`, this permission allows you to **modify** your **permissions** against **any resource** at **project** level. So, you can follow the same exploitation example. {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-run-privesc.md b/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-run-privesc.md index 08298f6be..d6318811c 100644 --- a/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-run-privesc.md +++ b/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-run-privesc.md @@ -87,3 +87,7 @@ gcloud beta run jobs execute job-name --region --update-env-vars="PYTHO - [https://rhinosecuritylabs.com/gcp/privilege-escalation-google-cloud-platform-part-1/](https://rhinosecuritylabs.com/gcp/privilege-escalation-google-cloud-platform-part-1/) {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-secretmanager-privesc.md b/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-secretmanager-privesc.md index f63af9cf7..e635e1265 100644 --- a/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-secretmanager-privesc.md +++ b/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-secretmanager-privesc.md @@ -36,3 +36,7 @@ gcloud secrets add-iam-policy-binding \ ``` {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-serviceusage-privesc.md b/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-serviceusage-privesc.md index acfdea07f..934a814ed 100644 --- a/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-serviceusage-privesc.md +++ b/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-serviceusage-privesc.md @@ -55,3 +55,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) **.** + + + + diff --git a/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-sourcerepos-privesc.md b/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-sourcerepos-privesc.md index 447045572..ab9d4b2ae 100644 --- a/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-sourcerepos-privesc.md +++ b/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-sourcerepos-privesc.md @@ -85,3 +85,7 @@ gcloud source project-configs update --remove-topic=UPDATE_TOPIC ``` {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-storage-privesc.md b/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-storage-privesc.md index 29193d5f5..62ab9cb89 100644 --- a/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-storage-privesc.md +++ b/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-storage-privesc.md @@ -115,3 +115,7 @@ The mentioned attack can be performed in a lot of different ways, all of them st - [https://rhinosecuritylabs.com/cloud-security/privilege-escalation-google-cloud-platform-part-2/#:\~:text=apiKeys.-,create,privileges%20than%20our%20own%20user.](https://rhinosecuritylabs.com/cloud-security/privilege-escalation-google-cloud-platform-part-2/) {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-workflows-privesc.md b/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-workflows-privesc.md index 35e558e54..f4c25540e 100644 --- a/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-workflows-privesc.md +++ b/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-workflows-privesc.md @@ -105,3 +105,7 @@ According [**to the docs**](https://cloud.google.com/workflows/docs/authenticate With this permission instead of `workflows.workflows.create` it's possible to update an already existing workflow and perform the same attacks. {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/gcp-security/gcp-services/README.md b/src/pentesting-cloud/gcp-security/gcp-services/README.md index 6098aaeb6..616e3f78c 100644 --- a/src/pentesting-cloud/gcp-security/gcp-services/README.md +++ b/src/pentesting-cloud/gcp-security/gcp-services/README.md @@ -1,2 +1,6 @@ # GCP - Services + + + + diff --git a/src/pentesting-cloud/gcp-security/gcp-services/gcp-ai-platform-enum.md b/src/pentesting-cloud/gcp-security/gcp-services/gcp-ai-platform-enum.md index 7196bf8e7..fd5d80305 100644 --- a/src/pentesting-cloud/gcp-security/gcp-services/gcp-ai-platform-enum.md +++ b/src/pentesting-cloud/gcp-security/gcp-services/gcp-ai-platform-enum.md @@ -20,3 +20,7 @@ gcloud ai-platform jobs describe ``` {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/gcp-security/gcp-services/gcp-api-keys-enum.md b/src/pentesting-cloud/gcp-security/gcp-services/gcp-api-keys-enum.md index 5d13eca1c..6d7e7a204 100644 --- a/src/pentesting-cloud/gcp-security/gcp-services/gcp-api-keys-enum.md +++ b/src/pentesting-cloud/gcp-security/gcp-services/gcp-api-keys-enum.md @@ -42,3 +42,7 @@ gcloud services api-keys list --show-deleted {{#endref}} {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/gcp-security/gcp-services/gcp-app-engine-enum.md b/src/pentesting-cloud/gcp-security/gcp-services/gcp-app-engine-enum.md index 0563fdb98..03e6fde03 100644 --- a/src/pentesting-cloud/gcp-security/gcp-services/gcp-app-engine-enum.md +++ b/src/pentesting-cloud/gcp-security/gcp-services/gcp-app-engine-enum.md @@ -115,3 +115,7 @@ gcloud app ssl-certificates describe {{#endref}} {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/gcp-security/gcp-services/gcp-artifact-registry-enum.md b/src/pentesting-cloud/gcp-security/gcp-services/gcp-artifact-registry-enum.md index 493e8b2d5..4e9514b90 100644 --- a/src/pentesting-cloud/gcp-security/gcp-services/gcp-artifact-registry-enum.md +++ b/src/pentesting-cloud/gcp-security/gcp-services/gcp-artifact-registry-enum.md @@ -90,3 +90,7 @@ gcloud artifacts docker images list-vulnerabilities projects//locatio {{#endref}} {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/gcp-security/gcp-services/gcp-batch-enum.md b/src/pentesting-cloud/gcp-security/gcp-services/gcp-batch-enum.md index 9a8812bad..1959d2a89 100644 --- a/src/pentesting-cloud/gcp-security/gcp-services/gcp-batch-enum.md +++ b/src/pentesting-cloud/gcp-security/gcp-services/gcp-batch-enum.md @@ -33,3 +33,7 @@ gcloud batch tasks describe projects//locations//jobs/.INFORMATION_SCHEMA.SC - [https://cloud.google.com/bigquery/docs/column-level-security-intro](https://cloud.google.com/bigquery/docs/column-level-security-intro) {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/gcp-security/gcp-services/gcp-bigtable-enum.md b/src/pentesting-cloud/gcp-security/gcp-services/gcp-bigtable-enum.md index a4bcbbdbc..423437992 100644 --- a/src/pentesting-cloud/gcp-security/gcp-services/gcp-bigtable-enum.md +++ b/src/pentesting-cloud/gcp-security/gcp-services/gcp-bigtable-enum.md @@ -30,3 +30,7 @@ gcloud bigtable app-profiles describe --instance ``` {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/gcp-security/gcp-services/gcp-cloud-build-enum.md b/src/pentesting-cloud/gcp-security/gcp-services/gcp-cloud-build-enum.md index 387f2272a..de8d1650c 100644 --- a/src/pentesting-cloud/gcp-security/gcp-services/gcp-cloud-build-enum.md +++ b/src/pentesting-cloud/gcp-security/gcp-services/gcp-cloud-build-enum.md @@ -169,3 +169,7 @@ done {{#endref}} {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/gcp-security/gcp-services/gcp-cloud-functions-enum.md b/src/pentesting-cloud/gcp-security/gcp-services/gcp-cloud-functions-enum.md index 6e808a158..36f87175d 100644 --- a/src/pentesting-cloud/gcp-security/gcp-services/gcp-cloud-functions-enum.md +++ b/src/pentesting-cloud/gcp-security/gcp-services/gcp-cloud-functions-enum.md @@ -106,3 +106,7 @@ In the following page, you can check how to **abuse cloud function permissions t - [https://about.gitlab.com/blog/2020/02/12/plundering-gcp-escalating-privileges-in-google-cloud-platform/#reviewing-stackdriver-logging](https://about.gitlab.com/blog/2020/02/12/plundering-gcp-escalating-privileges-in-google-cloud-platform/#reviewing-stackdriver-logging) {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/gcp-security/gcp-services/gcp-cloud-run-enum.md b/src/pentesting-cloud/gcp-security/gcp-services/gcp-cloud-run-enum.md index 49b68e259..91e11a44c 100644 --- a/src/pentesting-cloud/gcp-security/gcp-services/gcp-cloud-run-enum.md +++ b/src/pentesting-cloud/gcp-security/gcp-services/gcp-cloud-run-enum.md @@ -109,3 +109,7 @@ In the following page, you can check how to **abuse cloud run permissions to esc - [https://cloud.google.com/run/docs/overview/what-is-cloud-run](https://cloud.google.com/run/docs/overview/what-is-cloud-run) {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/gcp-security/gcp-services/gcp-cloud-scheduler-enum.md b/src/pentesting-cloud/gcp-security/gcp-services/gcp-cloud-scheduler-enum.md index 71d199dc8..d2fc063c8 100644 --- a/src/pentesting-cloud/gcp-security/gcp-services/gcp-cloud-scheduler-enum.md +++ b/src/pentesting-cloud/gcp-security/gcp-services/gcp-cloud-scheduler-enum.md @@ -44,3 +44,7 @@ gcloud scheduler jobs describe --location us-central1 {{#endref}} {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/gcp-security/gcp-services/gcp-cloud-shell-enum.md b/src/pentesting-cloud/gcp-security/gcp-services/gcp-cloud-shell-enum.md index 38133aa99..f6a7f6553 100644 --- a/src/pentesting-cloud/gcp-security/gcp-services/gcp-cloud-shell-enum.md +++ b/src/pentesting-cloud/gcp-security/gcp-services/gcp-cloud-shell-enum.md @@ -26,3 +26,7 @@ Note that Cloud Shell can be **easily disabled** for the organization. {{#endref}} {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/gcp-security/gcp-services/gcp-cloud-sql-enum.md b/src/pentesting-cloud/gcp-security/gcp-services/gcp-cloud-sql-enum.md index 1b6cd0392..421207574 100644 --- a/src/pentesting-cloud/gcp-security/gcp-services/gcp-cloud-sql-enum.md +++ b/src/pentesting-cloud/gcp-security/gcp-services/gcp-cloud-sql-enum.md @@ -87,3 +87,7 @@ gcloud sql backups describe --instance {{#endref}} {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/gcp-security/gcp-services/gcp-composer-enum.md b/src/pentesting-cloud/gcp-security/gcp-services/gcp-composer-enum.md index 4abb9e39a..a4e7edbcb 100644 --- a/src/pentesting-cloud/gcp-security/gcp-services/gcp-composer-enum.md +++ b/src/pentesting-cloud/gcp-security/gcp-services/gcp-composer-enum.md @@ -41,3 +41,7 @@ In the following page you can check how to **abuse composer permissions to escal {{#endref}} {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/gcp-security/gcp-services/gcp-compute-instances-enum/README.md b/src/pentesting-cloud/gcp-security/gcp-services/gcp-compute-instances-enum/README.md index db56d94df..0a943c01f 100644 --- a/src/pentesting-cloud/gcp-security/gcp-services/gcp-compute-instances-enum/README.md +++ b/src/pentesting-cloud/gcp-security/gcp-services/gcp-compute-instances-enum/README.md @@ -229,3 +229,7 @@ Check the Compute Instances privilege escalation section. - [https://blog.raphael.karger.is/articles/2022-08/GCP-OS-Patching](https://blog.raphael.karger.is/articles/2022-08/GCP-OS-Patching) {{#include ../../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/gcp-security/gcp-services/gcp-compute-instances-enum/gcp-compute-instance.md b/src/pentesting-cloud/gcp-security/gcp-services/gcp-compute-instances-enum/gcp-compute-instance.md index 3e3ead129..10c9af0cc 100644 --- a/src/pentesting-cloud/gcp-security/gcp-services/gcp-compute-instances-enum/gcp-compute-instance.md +++ b/src/pentesting-cloud/gcp-security/gcp-services/gcp-compute-instances-enum/gcp-compute-instance.md @@ -101,3 +101,7 @@ A Google-managed encryption key is used by default a but a Customer-managed encr
{{#include ../../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/gcp-security/gcp-services/gcp-compute-instances-enum/gcp-vpc-and-networking.md b/src/pentesting-cloud/gcp-security/gcp-services/gcp-compute-instances-enum/gcp-vpc-and-networking.md index a55faeb46..8fe32acd3 100644 --- a/src/pentesting-cloud/gcp-security/gcp-services/gcp-compute-instances-enum/gcp-vpc-and-networking.md +++ b/src/pentesting-cloud/gcp-security/gcp-services/gcp-compute-instances-enum/gcp-vpc-and-networking.md @@ -83,3 +83,7 @@ These are the needed permissions: - [https://cloud.google.com/vpc/docs/firewall-policies-overview#rule-evaluation](https://cloud.google.com/vpc/docs/firewall-policies-overview#rule-evaluation) {{#include ../../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/gcp-security/gcp-services/gcp-containers-gke-and-composer-enum.md b/src/pentesting-cloud/gcp-security/gcp-services/gcp-containers-gke-and-composer-enum.md index a06af7e15..df3164830 100644 --- a/src/pentesting-cloud/gcp-security/gcp-services/gcp-containers-gke-and-composer-enum.md +++ b/src/pentesting-cloud/gcp-security/gcp-services/gcp-containers-gke-and-composer-enum.md @@ -102,3 +102,7 @@ curl -v -k http://10.124.200.1:10255/pods Even if the API **doesn't allow to modify resources**, it could be possible to find **sensitive information** in the response. The endpoint /pods was found using [**Kiterunner**](https://github.com/assetnote/kiterunner). {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/gcp-security/gcp-services/gcp-dns-enum.md b/src/pentesting-cloud/gcp-security/gcp-services/gcp-dns-enum.md index 8742886bc..5a178d0b3 100644 --- a/src/pentesting-cloud/gcp-security/gcp-services/gcp-dns-enum.md +++ b/src/pentesting-cloud/gcp-security/gcp-services/gcp-dns-enum.md @@ -23,3 +23,7 @@ gcloud dns policies list ``` {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/gcp-security/gcp-services/gcp-filestore-enum.md b/src/pentesting-cloud/gcp-security/gcp-services/gcp-filestore-enum.md index aaa7bacc7..559326596 100644 --- a/src/pentesting-cloud/gcp-security/gcp-services/gcp-filestore-enum.md +++ b/src/pentesting-cloud/gcp-security/gcp-services/gcp-filestore-enum.md @@ -72,3 +72,7 @@ There aren't ways to escalate privileges in GCP directly abusing this service, b {{#endref}} {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/gcp-security/gcp-services/gcp-firebase-enum.md b/src/pentesting-cloud/gcp-security/gcp-services/gcp-firebase-enum.md index a2a9fafd4..3b7157d06 100644 --- a/src/pentesting-cloud/gcp-security/gcp-services/gcp-firebase-enum.md +++ b/src/pentesting-cloud/gcp-security/gcp-services/gcp-firebase-enum.md @@ -75,3 +75,7 @@ You may be able to access some interesting information - ​[https://medium.com/@danangtriatmaja/firebase-database-takover-b7929bbb62e1](https://medium.com/@danangtriatmaja/firebase-database-takover-b7929bbb62e1)​ {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/gcp-security/gcp-services/gcp-firestore-enum.md b/src/pentesting-cloud/gcp-security/gcp-services/gcp-firestore-enum.md index 2e63d18cd..9b7d2b421 100644 --- a/src/pentesting-cloud/gcp-security/gcp-services/gcp-firestore-enum.md +++ b/src/pentesting-cloud/gcp-security/gcp-services/gcp-firestore-enum.md @@ -15,3 +15,7 @@ gcloud firestore export gs://my-source-project-export/export-20190113_2109 --col ``` {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/gcp-security/gcp-services/gcp-iam-and-org-policies-enum.md b/src/pentesting-cloud/gcp-security/gcp-services/gcp-iam-and-org-policies-enum.md index df894ea13..789679201 100644 --- a/src/pentesting-cloud/gcp-security/gcp-services/gcp-iam-and-org-policies-enum.md +++ b/src/pentesting-cloud/gcp-security/gcp-services/gcp-iam-and-org-policies-enum.md @@ -224,3 +224,7 @@ In the following page you can check how to **abuse org policies permissions to e {{#endref}} {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/gcp-security/gcp-services/gcp-kms-enum.md b/src/pentesting-cloud/gcp-security/gcp-services/gcp-kms-enum.md index 25d143161..4d42e1ef6 100644 --- a/src/pentesting-cloud/gcp-security/gcp-services/gcp-kms-enum.md +++ b/src/pentesting-cloud/gcp-security/gcp-services/gcp-kms-enum.md @@ -80,3 +80,7 @@ gcloud kms decrypt --ciphertext-file=[INFILE] \ - [https://about.gitlab.com/blog/2020/02/12/plundering-gcp-escalating-privileges-in-google-cloud-platform/#reviewing-stackdriver-logging](https://about.gitlab.com/blog/2020/02/12/plundering-gcp-escalating-privileges-in-google-cloud-platform/#reviewing-stackdriver-logging) {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/gcp-security/gcp-services/gcp-logging-enum.md b/src/pentesting-cloud/gcp-security/gcp-services/gcp-logging-enum.md index efb699e73..71acd1a6e 100644 --- a/src/pentesting-cloud/gcp-security/gcp-services/gcp-logging-enum.md +++ b/src/pentesting-cloud/gcp-security/gcp-services/gcp-logging-enum.md @@ -144,3 +144,7 @@ There aren't logs of **`testIamPermissions`**: - [https://betterstack.com/community/guides/logging/gcp-logging/](https://betterstack.com/community/guides/logging/gcp-logging/) {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/gcp-security/gcp-services/gcp-memorystore-enum.md b/src/pentesting-cloud/gcp-security/gcp-services/gcp-memorystore-enum.md index 7af0a0350..3c1793f76 100644 --- a/src/pentesting-cloud/gcp-security/gcp-services/gcp-memorystore-enum.md +++ b/src/pentesting-cloud/gcp-security/gcp-services/gcp-memorystore-enum.md @@ -19,3 +19,7 @@ gcloud redis instances export gs://my-bucket/my-redis-instance.rdb my-redis-inst ``` {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/gcp-security/gcp-services/gcp-monitoring-enum.md b/src/pentesting-cloud/gcp-security/gcp-services/gcp-monitoring-enum.md index 88b10a074..83f163400 100644 --- a/src/pentesting-cloud/gcp-security/gcp-services/gcp-monitoring-enum.md +++ b/src/pentesting-cloud/gcp-security/gcp-services/gcp-monitoring-enum.md @@ -55,3 +55,7 @@ gcloud alpha monitoring channels describe - [https://cloud.google.com/monitoring/alerts/manage-snooze#gcloud-cli](https://cloud.google.com/monitoring/alerts/manage-snooze#gcloud-cli) {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/gcp-security/gcp-services/gcp-pub-sub.md b/src/pentesting-cloud/gcp-security/gcp-services/gcp-pub-sub.md index 6cd241087..fa73d5f0a 100644 --- a/src/pentesting-cloud/gcp-security/gcp-services/gcp-pub-sub.md +++ b/src/pentesting-cloud/gcp-security/gcp-services/gcp-pub-sub.md @@ -92,3 +92,7 @@ gcloud pubsub lite-operations describe ``` {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/gcp-security/gcp-services/gcp-secrets-manager-enum.md b/src/pentesting-cloud/gcp-security/gcp-services/gcp-secrets-manager-enum.md index a0d1764dc..f56c2fcb0 100644 --- a/src/pentesting-cloud/gcp-security/gcp-services/gcp-secrets-manager-enum.md +++ b/src/pentesting-cloud/gcp-security/gcp-services/gcp-secrets-manager-enum.md @@ -51,3 +51,7 @@ In the following page you can check how to **abuse secretmanager permissions to An attacker could update the secret to **stop rotations** (so it won't be modified), or **make rotations much less often** (so the secret won't be modified) or to **publish the rotation message to a different pub/sub**, or modifying the rotation code being executed (this happens in a different service, probably in a Clound Function, so the attacker will need privileged access over the Cloud Function or any other service) {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/gcp-security/gcp-services/gcp-security-enum.md b/src/pentesting-cloud/gcp-security/gcp-services/gcp-security-enum.md index e38244da5..b5aada876 100644 --- a/src/pentesting-cloud/gcp-security/gcp-services/gcp-security-enum.md +++ b/src/pentesting-cloud/gcp-security/gcp-services/gcp-security-enum.md @@ -90,3 +90,7 @@ gcp-secrets-manager-enum.md - **Access Context Manager**: Part of Google Cloud's BeyondCorp Enterprise, this tool helps define and enforce fine-grained access control policies based on a user's identity and the context of their request, such as device security status, IP address, and more. {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/gcp-security/gcp-services/gcp-source-repositories-enum.md b/src/pentesting-cloud/gcp-security/gcp-services/gcp-source-repositories-enum.md index a578f7e4b..330cf685b 100644 --- a/src/pentesting-cloud/gcp-security/gcp-services/gcp-source-repositories-enum.md +++ b/src/pentesting-cloud/gcp-security/gcp-services/gcp-source-repositories-enum.md @@ -65,3 +65,7 @@ git add, commit, push... {{#endref}} {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/gcp-security/gcp-services/gcp-spanner-enum.md b/src/pentesting-cloud/gcp-security/gcp-services/gcp-spanner-enum.md index 671c876da..5c3d70ee5 100644 --- a/src/pentesting-cloud/gcp-security/gcp-services/gcp-spanner-enum.md +++ b/src/pentesting-cloud/gcp-security/gcp-services/gcp-spanner-enum.md @@ -29,3 +29,7 @@ gcloud spanner instance-configs describe ``` {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/gcp-security/gcp-services/gcp-stackdriver-enum.md b/src/pentesting-cloud/gcp-security/gcp-services/gcp-stackdriver-enum.md index f1ce0c957..91c145171 100644 --- a/src/pentesting-cloud/gcp-security/gcp-services/gcp-stackdriver-enum.md +++ b/src/pentesting-cloud/gcp-security/gcp-services/gcp-stackdriver-enum.md @@ -31,3 +31,7 @@ gcloud logging buckets list - [https://initblog.com/2020/gcp-post-exploitation/](https://initblog.com/2020/gcp-post-exploitation/) {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/gcp-security/gcp-services/gcp-storage-enum.md b/src/pentesting-cloud/gcp-security/gcp-services/gcp-storage-enum.md index c3c590471..e584d6448 100644 --- a/src/pentesting-cloud/gcp-security/gcp-services/gcp-storage-enum.md +++ b/src/pentesting-cloud/gcp-security/gcp-services/gcp-storage-enum.md @@ -154,3 +154,7 @@ In the following page you can check how to **abuse storage permissions to escala {{#endref}} {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/gcp-security/gcp-services/gcp-workflows-enum.md b/src/pentesting-cloud/gcp-security/gcp-services/gcp-workflows-enum.md index 1492b3cb3..fc11f13dd 100644 --- a/src/pentesting-cloud/gcp-security/gcp-services/gcp-workflows-enum.md +++ b/src/pentesting-cloud/gcp-security/gcp-services/gcp-workflows-enum.md @@ -36,3 +36,7 @@ gcloud workflows executions describe projects//locations/ {{#endref}} {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/gcp-security/gcp-to-workspace-pivoting/README.md b/src/pentesting-cloud/gcp-security/gcp-to-workspace-pivoting/README.md index 9358b40c2..f70b027ee 100644 --- a/src/pentesting-cloud/gcp-security/gcp-to-workspace-pivoting/README.md +++ b/src/pentesting-cloud/gcp-security/gcp-to-workspace-pivoting/README.md @@ -169,3 +169,7 @@ Abusing the **google groups privesc** you might be able to escalate to a group w - [https://www.hunters.security/en/blog/delefriend-a-newly-discovered-design-flaw-in-domain-wide-delegation-could-leave-google-workspace-vulnerable-for-takeover](https://www.hunters.security/en/blog/delefriend-a-newly-discovered-design-flaw-in-domain-wide-delegation-could-leave-google-workspace-vulnerable-for-takeover) {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/gcp-security/gcp-to-workspace-pivoting/gcp-understanding-domain-wide-delegation.md b/src/pentesting-cloud/gcp-security/gcp-to-workspace-pivoting/gcp-understanding-domain-wide-delegation.md index 0f33fecee..19656923b 100644 --- a/src/pentesting-cloud/gcp-security/gcp-to-workspace-pivoting/gcp-understanding-domain-wide-delegation.md +++ b/src/pentesting-cloud/gcp-security/gcp-to-workspace-pivoting/gcp-understanding-domain-wide-delegation.md @@ -26,3 +26,7 @@ This is how a GCP Service Account can access Google APIs on behalf of other iden 5. **Google APIs return the requested data**: If the access token is valid and the service account has appropriate authorization, the Google APIs return the requested data. For example, in the following picture, we’ve leveraged the _users.messages.list_ method to list all the Gmail message IDs associated with a target Workspace user. {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/README.md b/src/pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/README.md index 8dd74fae5..141e307cf 100644 --- a/src/pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/README.md +++ b/src/pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/README.md @@ -16,3 +16,7 @@ Note that other cloud resources could be searched for and that some times these - [https://github.com/0xsha/CloudBrute](https://github.com/0xsha/CloudBrute): This tool in GCP brute-force Buckets and Apps. {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-api-keys-unauthenticated-enum.md b/src/pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-api-keys-unauthenticated-enum.md index c2e81cd6c..8fe218ed7 100644 --- a/src/pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-api-keys-unauthenticated-enum.md +++ b/src/pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-api-keys-unauthenticated-enum.md @@ -50,3 +50,7 @@ Help Token: ARD_zUaNgNilGTg9oYUnMhfa3foMvL7qspRpBJ-YZog8RLbTjCTBolt_WjQQ3myTaOqu As you might not know which APIs are enabled in the project, it would be interesting to run the tool [https://github.com/ozguralp/gmapsapiscanner](https://github.com/ozguralp/gmapsapiscanner) and check **what you can access with the API key.** {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-app-engine-unauthenticated-enum.md b/src/pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-app-engine-unauthenticated-enum.md index 52d1c8097..53211e47c 100644 --- a/src/pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-app-engine-unauthenticated-enum.md +++ b/src/pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-app-engine-unauthenticated-enum.md @@ -23,3 +23,7 @@ You could use tools like the ones indicated in: {{#endref}} {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-artifact-registry-unauthenticated-enum.md b/src/pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-artifact-registry-unauthenticated-enum.md index 0fd2f5639..b2a9af31a 100644 --- a/src/pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-artifact-registry-unauthenticated-enum.md +++ b/src/pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-artifact-registry-unauthenticated-enum.md @@ -19,3 +19,7 @@ Check the following page: {{#endref}} {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-cloud-build-unauthenticated-enum.md b/src/pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-cloud-build-unauthenticated-enum.md index 62964c53a..6bfa43ce0 100644 --- a/src/pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-cloud-build-unauthenticated-enum.md +++ b/src/pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-cloud-build-unauthenticated-enum.md @@ -40,3 +40,7 @@ Moreover, it's easy to see if some cloudbuild execution needs to be performed wh > Then, even if the cloudbuild is not executed the attacker will be able to see the **project name of a GCP project** that belongs to the company. {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-cloud-functions-unauthenticated-enum.md b/src/pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-cloud-functions-unauthenticated-enum.md index c8730c80a..bb2e65cbb 100644 --- a/src/pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-cloud-functions-unauthenticated-enum.md +++ b/src/pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-cloud-functions-unauthenticated-enum.md @@ -75,3 +75,7 @@ done ``` {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-cloud-run-unauthenticated-enum.md b/src/pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-cloud-run-unauthenticated-enum.md index 71808873c..521412f9d 100644 --- a/src/pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-cloud-run-unauthenticated-enum.md +++ b/src/pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-cloud-run-unauthenticated-enum.md @@ -57,3 +57,7 @@ done ``` {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-cloud-sql-unauthenticated-enum.md b/src/pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-cloud-sql-unauthenticated-enum.md index f123b614e..fac47ccf9 100644 --- a/src/pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-cloud-sql-unauthenticated-enum.md +++ b/src/pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-cloud-sql-unauthenticated-enum.md @@ -23,3 +23,7 @@ https://book.hacktricks.xyz/generic-methodologies-and-resources/brute-force Remember that with some privileges it's possible to **list all the database users** via GCP API. {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-compute-unauthenticated-enum.md b/src/pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-compute-unauthenticated-enum.md index 102399e83..8e8abfa0e 100644 --- a/src/pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-compute-unauthenticated-enum.md +++ b/src/pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-compute-unauthenticated-enum.md @@ -23,3 +23,7 @@ https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery If a GCP instance has a vulnerable exposed service an attacker could abuse it to compromise it. {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-iam-principals-and-org-unauthenticated-enum.md b/src/pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-iam-principals-and-org-unauthenticated-enum.md index 7de36faff..5dde2c77f 100644 --- a/src/pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-iam-principals-and-org-unauthenticated-enum.md +++ b/src/pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-iam-principals-and-org-unauthenticated-enum.md @@ -108,3 +108,7 @@ ERROR: (gcloud.projects.add-iam-policy-binding) INVALID_ARGUMENT: Principal test ``` {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-source-repositories-unauthenticated-enum.md b/src/pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-source-repositories-unauthenticated-enum.md index 26918ddb9..3d831b51a 100644 --- a/src/pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-source-repositories-unauthenticated-enum.md +++ b/src/pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-source-repositories-unauthenticated-enum.md @@ -18,3 +18,7 @@ If an external repository is being used via Source Repositories an attacker coul - if this source repository is used by other GCP services, they could get compromised {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-storage-unauthenticated-enum/README.md b/src/pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-storage-unauthenticated-enum/README.md index 848b2d0ba..f6e17261a 100644 --- a/src/pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-storage-unauthenticated-enum/README.md +++ b/src/pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-storage-unauthenticated-enum/README.md @@ -71,3 +71,7 @@ done ``` {{#include ../../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-storage-unauthenticated-enum/gcp-public-buckets-privilege-escalation.md b/src/pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-storage-unauthenticated-enum/gcp-public-buckets-privilege-escalation.md index 2d9f1e2c0..f6cf4c708 100644 --- a/src/pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-storage-unauthenticated-enum/gcp-public-buckets-privilege-escalation.md +++ b/src/pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-storage-unauthenticated-enum/gcp-public-buckets-privilege-escalation.md @@ -29,3 +29,7 @@ Another attack would be to **remove the bucket an d recreate it in your account - [https://rhinosecuritylabs.com/gcp/google-cloud-platform-gcp-bucket-enumeration/](https://rhinosecuritylabs.com/gcp/google-cloud-platform-gcp-bucket-enumeration/) {{#include ../../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/ibm-cloud-pentesting/README.md b/src/pentesting-cloud/ibm-cloud-pentesting/README.md index 1ce69b6e7..93a9a05c3 100644 --- a/src/pentesting-cloud/ibm-cloud-pentesting/README.md +++ b/src/pentesting-cloud/ibm-cloud-pentesting/README.md @@ -36,3 +36,7 @@ https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery/clou - [https://redresscompliance.com/navigating-the-ibm-cloud-a-comprehensive-overview/#:\~:text=IBM%20Cloud%20is%3A,%2C%20networking%2C%20and%20database%20management.](https://redresscompliance.com/navigating-the-ibm-cloud-a-comprehensive-overview/) {{#include ../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/ibm-cloud-pentesting/ibm-basic-information.md b/src/pentesting-cloud/ibm-cloud-pentesting/ibm-basic-information.md index d9e32ea7f..a11fbec57 100644 --- a/src/pentesting-cloud/ibm-cloud-pentesting/ibm-basic-information.md +++ b/src/pentesting-cloud/ibm-cloud-pentesting/ibm-basic-information.md @@ -70,3 +70,7 @@ When creating the policy you need to choose: - [https://cloud.ibm.com/docs/account?topic=account-iamoverview](https://cloud.ibm.com/docs/account?topic=account-iamoverview) {{#include ../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/ibm-cloud-pentesting/ibm-hyper-protect-crypto-services.md b/src/pentesting-cloud/ibm-cloud-pentesting/ibm-hyper-protect-crypto-services.md index 0cbc55061..f0d1a605a 100644 --- a/src/pentesting-cloud/ibm-cloud-pentesting/ibm-hyper-protect-crypto-services.md +++ b/src/pentesting-cloud/ibm-cloud-pentesting/ibm-hyper-protect-crypto-services.md @@ -27,3 +27,7 @@ HSMs can be used for a wide range of applications, including secure online trans Overall, the high level of security provided by HSMs makes it **very difficult to extract raw keys from them, and attempting to do so is often considered a breach of security**. However, there may be **certain scenarios** where a **raw key could be extracted** by authorized personnel for specific purposes, such as in the case of a key recovery procedure. {{#include ../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/ibm-cloud-pentesting/ibm-hyper-protect-virtual-server.md b/src/pentesting-cloud/ibm-cloud-pentesting/ibm-hyper-protect-virtual-server.md index a1d9a8100..eb99bff8f 100644 --- a/src/pentesting-cloud/ibm-cloud-pentesting/ibm-hyper-protect-virtual-server.md +++ b/src/pentesting-cloud/ibm-cloud-pentesting/ibm-hyper-protect-virtual-server.md @@ -40,3 +40,7 @@ Compared to x64 architecture, which is the most common architecture used in serv Overall, LinuxONE is a powerful and secure platform that is well-suited for running large-scale, mission-critical workloads that require high levels of performance and reliability. While x64 architecture has its own advantages, it may not be able to provide the same level of scalability, security, and reliability as LinuxONE for certain workloads.\\ {{#include ../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/kubernetes-security/README.md b/src/pentesting-cloud/kubernetes-security/README.md index c903d3209..4f7e16ef0 100644 --- a/src/pentesting-cloud/kubernetes-security/README.md +++ b/src/pentesting-cloud/kubernetes-security/README.md @@ -78,3 +78,7 @@ kubernetes-pivoting-to-clouds.md {{#endref}} {{#include ../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/kubernetes-security/abusing-roles-clusterroles-in-kubernetes/README.md b/src/pentesting-cloud/kubernetes-security/abusing-roles-clusterroles-in-kubernetes/README.md index 9cc723a9a..67ebbd554 100644 --- a/src/pentesting-cloud/kubernetes-security/abusing-roles-clusterroles-in-kubernetes/README.md +++ b/src/pentesting-cloud/kubernetes-security/abusing-roles-clusterroles-in-kubernetes/README.md @@ -696,3 +696,7 @@ https://github.com/aquasecurity/kube-bench - [**https://blog.rewanthtammana.com/creating-malicious-admission-controllers**](https://blog.rewanthtammana.com/creating-malicious-admission-controllers) {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/kubernetes-security/abusing-roles-clusterroles-in-kubernetes/kubernetes-roles-abuse-lab.md b/src/pentesting-cloud/kubernetes-security/abusing-roles-clusterroles-in-kubernetes/kubernetes-roles-abuse-lab.md index 30b1a245e..0524213fb 100644 --- a/src/pentesting-cloud/kubernetes-security/abusing-roles-clusterroles-in-kubernetes/kubernetes-roles-abuse-lab.md +++ b/src/pentesting-cloud/kubernetes-security/abusing-roles-clusterroles-in-kubernetes/kubernetes-roles-abuse-lab.md @@ -610,3 +610,7 @@ kubectl delete serviceaccount test-sa ``` {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/kubernetes-security/abusing-roles-clusterroles-in-kubernetes/pod-escape-privileges.md b/src/pentesting-cloud/kubernetes-security/abusing-roles-clusterroles-in-kubernetes/pod-escape-privileges.md index c9e6f8470..606d7a287 100644 --- a/src/pentesting-cloud/kubernetes-security/abusing-roles-clusterroles-in-kubernetes/pod-escape-privileges.md +++ b/src/pentesting-cloud/kubernetes-security/abusing-roles-clusterroles-in-kubernetes/pod-escape-privileges.md @@ -47,3 +47,7 @@ spec: ``` {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/kubernetes-security/attacking-kubernetes-from-inside-a-pod.md b/src/pentesting-cloud/kubernetes-security/attacking-kubernetes-from-inside-a-pod.md index e95909ad1..4a0a3ebc0 100644 --- a/src/pentesting-cloud/kubernetes-security/attacking-kubernetes-from-inside-a-pod.md +++ b/src/pentesting-cloud/kubernetes-security/attacking-kubernetes-from-inside-a-pod.md @@ -393,3 +393,7 @@ Off-Menu + - [**https://github.com/r0binak/MTKPI**](https://github.com/r0binak/MTKPI) {{#include ../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/kubernetes-security/exposing-services-in-kubernetes.md b/src/pentesting-cloud/kubernetes-security/exposing-services-in-kubernetes.md index 8f96b119f..cc1a49ce0 100644 --- a/src/pentesting-cloud/kubernetes-security/exposing-services-in-kubernetes.md +++ b/src/pentesting-cloud/kubernetes-security/exposing-services-in-kubernetes.md @@ -213,3 +213,7 @@ kubectl get ingresses --all-namespaces -o=yaml - [https://kubernetes.io/docs/concepts/services-networking/service/](https://kubernetes.io/docs/concepts/services-networking/service/) {{#include ../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/kubernetes-security/kubernetes-basics.md b/src/pentesting-cloud/kubernetes-security/kubernetes-basics.md index 1625346aa..f4e4ed9e0 100644 --- a/src/pentesting-cloud/kubernetes-security/kubernetes-basics.md +++ b/src/pentesting-cloud/kubernetes-security/kubernetes-basics.md @@ -567,3 +567,7 @@ https://www.youtube.com/watch?v=X48VuDVv0do {{#endref}} {{#include ../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/kubernetes-security/kubernetes-enumeration.md b/src/pentesting-cloud/kubernetes-security/kubernetes-enumeration.md index 10490838c..9978c527c 100644 --- a/src/pentesting-cloud/kubernetes-security/kubernetes-enumeration.md +++ b/src/pentesting-cloud/kubernetes-security/kubernetes-enumeration.md @@ -610,3 +610,7 @@ https://www.cyberark.com/resources/threat-research-blog/kubernetes-pentest-metho {{#endref}} {{#include ../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/kubernetes-security/kubernetes-external-secrets-operator.md b/src/pentesting-cloud/kubernetes-security/kubernetes-external-secrets-operator.md index 321b2d32d..6f0db6d77 100644 --- a/src/pentesting-cloud/kubernetes-security/kubernetes-external-secrets-operator.md +++ b/src/pentesting-cloud/kubernetes-security/kubernetes-external-secrets-operator.md @@ -116,3 +116,7 @@ https://external-secrets.io/latest/ {{#ref}} https://github.com/external-secrets/external-secrets {{#endref}} + + + + diff --git a/src/pentesting-cloud/kubernetes-security/kubernetes-hardening/README.md b/src/pentesting-cloud/kubernetes-security/kubernetes-hardening/README.md index 52528aaee..0e7e19ca4 100644 --- a/src/pentesting-cloud/kubernetes-security/kubernetes-hardening/README.md +++ b/src/pentesting-cloud/kubernetes-security/kubernetes-hardening/README.md @@ -172,3 +172,7 @@ You should update your Kubernetes environment as frequently as necessary to have - Upgrade the Worker Node components such as kube-proxy, kubelet. {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/kubernetes-security/kubernetes-hardening/kubernetes-securitycontext-s.md b/src/pentesting-cloud/kubernetes-security/kubernetes-hardening/kubernetes-securitycontext-s.md index f9083020d..7d6ac6206 100644 --- a/src/pentesting-cloud/kubernetes-security/kubernetes-hardening/kubernetes-securitycontext-s.md +++ b/src/pentesting-cloud/kubernetes-security/kubernetes-hardening/kubernetes-securitycontext-s.md @@ -60,3 +60,7 @@ Note that the attributes set in **both SecurityContext and PodSecurityContext**, - [https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#securitycontext-v1-core](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#securitycontext-v1-core) {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/kubernetes-security/kubernetes-kyverno/README.md b/src/pentesting-cloud/kubernetes-security/kubernetes-kyverno/README.md index b2bb60bc6..188e55680 100644 --- a/src/pentesting-cloud/kubernetes-security/kubernetes-kyverno/README.md +++ b/src/pentesting-cloud/kubernetes-security/kubernetes-kyverno/README.md @@ -54,3 +54,7 @@ When a pod is created in the `default` namespace without the label `app: myapp`, ## References * [https://kyverno.io/](https://kyverno.io/) + + + + diff --git a/src/pentesting-cloud/kubernetes-security/kubernetes-kyverno/kubernetes-kyverno-bypass.md b/src/pentesting-cloud/kubernetes-security/kubernetes-kyverno/kubernetes-kyverno-bypass.md index 635343b6c..db10b992a 100644 --- a/src/pentesting-cloud/kubernetes-security/kubernetes-kyverno/kubernetes-kyverno-bypass.md +++ b/src/pentesting-cloud/kubernetes-security/kubernetes-kyverno/kubernetes-kyverno-bypass.md @@ -58,3 +58,7 @@ Another way to bypass policies is to focus on the ValidatingWebhookConfiguration {{#ref}} ../kubernetes-validatingwebhookconfiguration.md {{#endref}} + + + + diff --git a/src/pentesting-cloud/kubernetes-security/kubernetes-namespace-escalation.md b/src/pentesting-cloud/kubernetes-security/kubernetes-namespace-escalation.md index b0ddbb10b..a32a97b19 100644 --- a/src/pentesting-cloud/kubernetes-security/kubernetes-namespace-escalation.md +++ b/src/pentesting-cloud/kubernetes-security/kubernetes-namespace-escalation.md @@ -31,3 +31,7 @@ attacking-kubernetes-from-inside-a-pod.md {{#endref}} {{#include ../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/kubernetes-security/kubernetes-network-attacks.md b/src/pentesting-cloud/kubernetes-security/kubernetes-network-attacks.md index cf2940aa7..0972fcc04 100644 --- a/src/pentesting-cloud/kubernetes-security/kubernetes-network-attacks.md +++ b/src/pentesting-cloud/kubernetes-security/kubernetes-network-attacks.md @@ -288,3 +288,7 @@ It will install agents in the selected pods and gather their traffic information - [https://blog.aquasec.com/dns-spoofing-kubernetes-clusters](https://blog.aquasec.com/dns-spoofing-kubernetes-clusters) {{#include ../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/kubernetes-security/kubernetes-opa-gatekeeper/README.md b/src/pentesting-cloud/kubernetes-security/kubernetes-opa-gatekeeper/README.md index 4ad34f392..5d883761a 100644 --- a/src/pentesting-cloud/kubernetes-security/kubernetes-opa-gatekeeper/README.md +++ b/src/pentesting-cloud/kubernetes-security/kubernetes-opa-gatekeeper/README.md @@ -74,3 +74,7 @@ When Gatekeeper is deployed in the Kubernetes cluster, it will enforce this poli ## References * [https://github.com/open-policy-agent/gatekeeper](https://github.com/open-policy-agent/gatekeeper) + + + + diff --git a/src/pentesting-cloud/kubernetes-security/kubernetes-opa-gatekeeper/kubernetes-opa-gatekeeper-bypass.md b/src/pentesting-cloud/kubernetes-security/kubernetes-opa-gatekeeper/kubernetes-opa-gatekeeper-bypass.md index 96cf3b0e3..c821fd89c 100644 --- a/src/pentesting-cloud/kubernetes-security/kubernetes-opa-gatekeeper/kubernetes-opa-gatekeeper-bypass.md +++ b/src/pentesting-cloud/kubernetes-security/kubernetes-opa-gatekeeper/kubernetes-opa-gatekeeper-bypass.md @@ -61,3 +61,7 @@ Another way to bypass constraints is to focus on the ValidatingWebhookConfigurat - [https://github.com/open-policy-agent/gatekeeper](https://github.com/open-policy-agent/gatekeeper) - [https://github.com/sighupio/gatekeeper-policy-manager](https://github.com/sighupio/gatekeeper-policy-manager) + + + + diff --git a/src/pentesting-cloud/kubernetes-security/kubernetes-pivoting-to-clouds.md b/src/pentesting-cloud/kubernetes-security/kubernetes-pivoting-to-clouds.md index b5958557f..cf64bca6c 100644 --- a/src/pentesting-cloud/kubernetes-security/kubernetes-pivoting-to-clouds.md +++ b/src/pentesting-cloud/kubernetes-security/kubernetes-pivoting-to-clouds.md @@ -321,3 +321,7 @@ fi - [https://blogs.halodoc.io/iam-roles-for-service-accounts-2/](https://blogs.halodoc.io/iam-roles-for-service-accounts-2/) {{#include ../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/kubernetes-security/kubernetes-role-based-access-control-rbac.md b/src/pentesting-cloud/kubernetes-security/kubernetes-role-based-access-control-rbac.md index 037697582..3ef90b8f5 100644 --- a/src/pentesting-cloud/kubernetes-security/kubernetes-role-based-access-control-rbac.md +++ b/src/pentesting-cloud/kubernetes-security/kubernetes-role-based-access-control-rbac.md @@ -163,3 +163,7 @@ abusing-roles-clusterroles-in-kubernetes/ {{#endref}} {{#include ../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/kubernetes-security/kubernetes-validatingwebhookconfiguration.md b/src/pentesting-cloud/kubernetes-security/kubernetes-validatingwebhookconfiguration.md index 90c7e4173..4b1ddd273 100644 --- a/src/pentesting-cloud/kubernetes-security/kubernetes-validatingwebhookconfiguration.md +++ b/src/pentesting-cloud/kubernetes-security/kubernetes-validatingwebhookconfiguration.md @@ -100,3 +100,7 @@ abusing-roles-clusterroles-in-kubernetes/ - [https://github.com/open-policy-agent/gatekeeper](https://github.com/open-policy-agent/gatekeeper) - [https://kyverno.io/](https://kyverno.io/) - [https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/) + + + + diff --git a/src/pentesting-cloud/kubernetes-security/pentesting-kubernetes-services/README.md b/src/pentesting-cloud/kubernetes-security/pentesting-kubernetes-services/README.md index a2a89e01b..f339ac821 100644 --- a/src/pentesting-cloud/kubernetes-security/pentesting-kubernetes-services/README.md +++ b/src/pentesting-cloud/kubernetes-security/pentesting-kubernetes-services/README.md @@ -212,3 +212,7 @@ https://labs.f-secure.com/blog/attacking-kubernetes-through-kubelet {{#endref}} {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/kubernetes-security/pentesting-kubernetes-services/kubelet-authentication-and-authorization.md b/src/pentesting-cloud/kubernetes-security/pentesting-kubernetes-services/kubelet-authentication-and-authorization.md index abcfdccd7..7cb68dbd9 100644 --- a/src/pentesting-cloud/kubernetes-security/pentesting-kubernetes-services/kubelet-authentication-and-authorization.md +++ b/src/pentesting-cloud/kubernetes-security/pentesting-kubernetes-services/kubelet-authentication-and-authorization.md @@ -107,3 +107,7 @@ Forbidden (user=system:node:ip-172-31-28-172.ec2.internal, verb=get, resource=no - [https://kubernetes.io/docs/reference/access-authn-authz/kubelet-authn-authz/](https://kubernetes.io/docs/reference/access-authn-authz/kubelet-authn-authz/) {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/openshift-pentesting/README.md b/src/pentesting-cloud/openshift-pentesting/README.md index f06a1552c..10c2e46ac 100644 --- a/src/pentesting-cloud/openshift-pentesting/README.md +++ b/src/pentesting-cloud/openshift-pentesting/README.md @@ -17,3 +17,7 @@ openshift-scc.md {{#ref}} openshift-privilege-escalation/ {{#endref}} + + + + diff --git a/src/pentesting-cloud/openshift-pentesting/openshift-basic-information.md b/src/pentesting-cloud/openshift-pentesting/openshift-basic-information.md index 59647f2e9..fb5103835 100644 --- a/src/pentesting-cloud/openshift-pentesting/openshift-basic-information.md +++ b/src/pentesting-cloud/openshift-pentesting/openshift-basic-information.md @@ -38,3 +38,7 @@ openshift-scc.md {{#ref}} https://docs.openshift.com/container-platform/3.11/architecture/additional_concepts/authorization.html#security-context-constraints {{#endref}} + + + + diff --git a/src/pentesting-cloud/openshift-pentesting/openshift-jenkins/README.md b/src/pentesting-cloud/openshift-pentesting/openshift-jenkins/README.md index eb111ebd7..6edec0d9f 100644 --- a/src/pentesting-cloud/openshift-pentesting/openshift-jenkins/README.md +++ b/src/pentesting-cloud/openshift-pentesting/openshift-jenkins/README.md @@ -37,3 +37,7 @@ You can just edit a build script (such as Jenkinsfile), commit and push (eventua {{#ref}} openshift-jenkins-build-overrides.md {{#endref}} + + + + diff --git a/src/pentesting-cloud/openshift-pentesting/openshift-jenkins/openshift-jenkins-build-overrides.md b/src/pentesting-cloud/openshift-pentesting/openshift-jenkins/openshift-jenkins-build-overrides.md index 15ef981b4..fb2aca679 100644 --- a/src/pentesting-cloud/openshift-pentesting/openshift-jenkins/openshift-jenkins-build-overrides.md +++ b/src/pentesting-cloud/openshift-pentesting/openshift-jenkins/openshift-jenkins-build-overrides.md @@ -272,3 +272,7 @@ pipeline { } } } + + + + diff --git a/src/pentesting-cloud/openshift-pentesting/openshift-privilege-escalation/README.md b/src/pentesting-cloud/openshift-pentesting/openshift-privilege-escalation/README.md index 437a848f6..43ad1ade4 100644 --- a/src/pentesting-cloud/openshift-pentesting/openshift-privilege-escalation/README.md +++ b/src/pentesting-cloud/openshift-pentesting/openshift-privilege-escalation/README.md @@ -17,3 +17,7 @@ openshift-tekton.md {{#ref}} openshift-scc-bypass.md {{#endref}} + + + + diff --git a/src/pentesting-cloud/openshift-pentesting/openshift-privilege-escalation/openshift-missing-service-account.md b/src/pentesting-cloud/openshift-pentesting/openshift-privilege-escalation/openshift-missing-service-account.md index 60fa06b95..f591b8026 100644 --- a/src/pentesting-cloud/openshift-pentesting/openshift-privilege-escalation/openshift-missing-service-account.md +++ b/src/pentesting-cloud/openshift-pentesting/openshift-privilege-escalation/openshift-missing-service-account.md @@ -21,3 +21,7 @@ The following tool can be use to enumerate this issue and more generally to grap {{#ref}} https://github.com/maxDcb/OpenShiftGrapher {{#endref}} + + + + diff --git a/src/pentesting-cloud/openshift-pentesting/openshift-privilege-escalation/openshift-scc-bypass.md b/src/pentesting-cloud/openshift-pentesting/openshift-privilege-escalation/openshift-scc-bypass.md index b7fae734b..794430e16 100644 --- a/src/pentesting-cloud/openshift-pentesting/openshift-privilege-escalation/openshift-scc-bypass.md +++ b/src/pentesting-cloud/openshift-pentesting/openshift-privilege-escalation/openshift-scc-bypass.md @@ -136,3 +136,7 @@ To bypass GateKeeper's rules and set this label to execute a cluster takeover, * - [https://docs.openshift.com/container-platform/4.8/authentication/managing-security-context-constraints.html](https://docs.openshift.com/container-platform/4.8/authentication/managing-security-context-constraints.html) - [https://docs.openshift.com/container-platform/3.11/admin_guide/manage_scc.html](https://docs.openshift.com/container-platform/3.11/admin_guide/manage_scc.html) - [https://github.com/open-policy-agent/gatekeeper](https://github.com/open-policy-agent/gatekeeper) + + + + diff --git a/src/pentesting-cloud/openshift-pentesting/openshift-privilege-escalation/openshift-tekton.md b/src/pentesting-cloud/openshift-pentesting/openshift-privilege-escalation/openshift-tekton.md index bdb8deb70..45080c799 100644 --- a/src/pentesting-cloud/openshift-pentesting/openshift-privilege-escalation/openshift-tekton.md +++ b/src/pentesting-cloud/openshift-pentesting/openshift-privilege-escalation/openshift-tekton.md @@ -73,3 +73,7 @@ spec: default: "restricted-v2" maxAllowed: "privileged" ``` + + + + diff --git a/src/pentesting-cloud/openshift-pentesting/openshift-scc.md b/src/pentesting-cloud/openshift-pentesting/openshift-scc.md index 6728c4ce2..46fb57c6f 100644 --- a/src/pentesting-cloud/openshift-pentesting/openshift-scc.md +++ b/src/pentesting-cloud/openshift-pentesting/openshift-scc.md @@ -66,3 +66,7 @@ openshift-privilege-escalation/openshift-scc-bypass.md ## References - [https://www.redhat.com/en/blog/managing-sccs-in-openshift](https://www.redhat.com/en/blog/managing-sccs-in-openshift) + + + + diff --git a/src/pentesting-cloud/pentesting-cloud-methodology.md b/src/pentesting-cloud/pentesting-cloud-methodology.md index 782f630a2..0be67db54 100644 --- a/src/pentesting-cloud/pentesting-cloud-methodology.md +++ b/src/pentesting-cloud/pentesting-cloud-methodology.md @@ -455,3 +455,7 @@ azure-security/ You need **Global Admin** or at least **Global Admin Reader** (but note that Global Admin Reader is a little bit limited). However, those limitations appear in some PS modules and can be bypassed accessing the features **via the web application**. {{#include ../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/workspace-security/README.md b/src/pentesting-cloud/workspace-security/README.md index 089b8f164..a0f6a7e9b 100644 --- a/src/pentesting-cloud/workspace-security/README.md +++ b/src/pentesting-cloud/workspace-security/README.md @@ -71,3 +71,7 @@ gws-persistence.md - [https://www.youtube.com/watch?v=KTVHLolz6cE](https://www.youtube.com/watch?v=KTVHLolz6cE) - Mike Felch and Beau Bullock - OK Google, How do I Red Team GSuite? {{#include ../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/workspace-security/gws-google-platforms-phishing/README.md b/src/pentesting-cloud/workspace-security/gws-google-platforms-phishing/README.md index 7877374d9..2e2a9b874 100644 --- a/src/pentesting-cloud/workspace-security/gws-google-platforms-phishing/README.md +++ b/src/pentesting-cloud/workspace-security/gws-google-platforms-phishing/README.md @@ -163,3 +163,7 @@ It's possible to do something using gcloud instead of the web console, check: - [https://www.youtube.com/watch?v=KTVHLolz6cE](https://www.youtube.com/watch?v=KTVHLolz6cE) - Mike Felch and Beau Bullock - OK Google, How do I Red Team GSuite? {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/workspace-security/gws-google-platforms-phishing/gws-app-scripts.md b/src/pentesting-cloud/workspace-security/gws-google-platforms-phishing/gws-app-scripts.md index f51006208..d6f166da8 100644 --- a/src/pentesting-cloud/workspace-security/gws-google-platforms-phishing/gws-app-scripts.md +++ b/src/pentesting-cloud/workspace-security/gws-google-platforms-phishing/gws-app-scripts.md @@ -233,3 +233,7 @@ Moreover, if someone **shared** with you a document with **editor access**, you > To abuse this you also need people to trigger the App Script. And one neat trick if to **publish the script as a web app**. When the **people** that already granted **access** to the App Script access the web page, they will **trigger the App Script** (this also works using `` tags). {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/workspace-security/gws-persistence.md b/src/pentesting-cloud/workspace-security/gws-persistence.md index 3dd28ae67..1061458fd 100644 --- a/src/pentesting-cloud/workspace-security/gws-persistence.md +++ b/src/pentesting-cloud/workspace-security/gws-persistence.md @@ -180,3 +180,7 @@ gws-google-platforms-phishing/gws-app-scripts.md - [https://www.youtube.com/watch?v=KTVHLolz6cE](https://www.youtube.com/watch?v=KTVHLolz6cE) - Mike Felch and Beau Bullock - OK Google, How do I Red Team GSuite? {{#include ../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/workspace-security/gws-post-exploitation.md b/src/pentesting-cloud/workspace-security/gws-post-exploitation.md index 411fcca77..a78597271 100644 --- a/src/pentesting-cloud/workspace-security/gws-post-exploitation.md +++ b/src/pentesting-cloud/workspace-security/gws-post-exploitation.md @@ -72,3 +72,7 @@ You can also find emails by searching through all the user's invoices in [**http - [https://www.youtube.com/watch?v=KTVHLolz6cE](https://www.youtube.com/watch?v=KTVHLolz6cE) - Mike Felch and Beau Bullock - OK Google, How do I Red Team GSuite? {{#include ../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/workspace-security/gws-workspace-sync-attacks-gcpw-gcds-gps-directory-sync-with-ad-and-entraid/README.md b/src/pentesting-cloud/workspace-security/gws-workspace-sync-attacks-gcpw-gcds-gps-directory-sync-with-ad-and-entraid/README.md index 30dd96b90..e7f4b93ae 100644 --- a/src/pentesting-cloud/workspace-security/gws-workspace-sync-attacks-gcpw-gcds-gps-directory-sync-with-ad-and-entraid/README.md +++ b/src/pentesting-cloud/workspace-security/gws-workspace-sync-attacks-gcpw-gcds-gps-directory-sync-with-ad-and-entraid/README.md @@ -56,3 +56,7 @@ gws-admin-directory-sync.md {{#endref}} {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/workspace-security/gws-workspace-sync-attacks-gcpw-gcds-gps-directory-sync-with-ad-and-entraid/gcds-google-cloud-directory-sync.md b/src/pentesting-cloud/workspace-security/gws-workspace-sync-attacks-gcpw-gcds-gps-directory-sync-with-ad-and-entraid/gcds-google-cloud-directory-sync.md index 47a7a9468..15e78a699 100644 --- a/src/pentesting-cloud/workspace-security/gws-workspace-sync-attacks-gcpw-gcds-gps-directory-sync-with-ad-and-entraid/gcds-google-cloud-directory-sync.md +++ b/src/pentesting-cloud/workspace-security/gws-workspace-sync-attacks-gcpw-gcds-gps-directory-sync-with-ad-and-entraid/gcds-google-cloud-directory-sync.md @@ -338,3 +338,7 @@ curl -X POST \ > It's not possible to give the new user the Super Amin role because the **refresh token doesn't have enough scopes** to give the required privileges. {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/workspace-security/gws-workspace-sync-attacks-gcpw-gcds-gps-directory-sync-with-ad-and-entraid/gcpw-google-credential-provider-for-windows.md b/src/pentesting-cloud/workspace-security/gws-workspace-sync-attacks-gcpw-gcds-gps-directory-sync-with-ad-and-entraid/gcpw-google-credential-provider-for-windows.md index 8a7623ba3..db7a19b1b 100644 --- a/src/pentesting-cloud/workspace-security/gws-workspace-sync-attacks-gcpw-gcds-gps-directory-sync-with-ad-and-entraid/gcpw-google-credential-provider-for-windows.md +++ b/src/pentesting-cloud/workspace-security/gws-workspace-sync-attacks-gcpw-gcds-gps-directory-sync-with-ad-and-entraid/gcpw-google-credential-provider-for-windows.md @@ -938,3 +938,7 @@ It's possible to find the key components of this in the Chromium source code: - [https://issues.chromium.org/issues/40063291](https://issues.chromium.org/issues/40063291) {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/workspace-security/gws-workspace-sync-attacks-gcpw-gcds-gps-directory-sync-with-ad-and-entraid/gps-google-password-sync.md b/src/pentesting-cloud/workspace-security/gws-workspace-sync-attacks-gcpw-gcds-gps-directory-sync-with-ad-and-entraid/gps-google-password-sync.md index 5b76e330c..f94757b63 100644 --- a/src/pentesting-cloud/workspace-security/gws-workspace-sync-attacks-gcpw-gcds-gps-directory-sync-with-ad-and-entraid/gps-google-password-sync.md +++ b/src/pentesting-cloud/workspace-security/gws-workspace-sync-attacks-gcpw-gcds-gps-directory-sync-with-ad-and-entraid/gps-google-password-sync.md @@ -190,3 +190,7 @@ Which is the same one you get if you don't indicate any scope. > With this scope you could **modify the password of a existing user to escalate privileges**. {{#include ../../../banners/hacktricks-training.md}} + + + + diff --git a/src/pentesting-cloud/workspace-security/gws-workspace-sync-attacks-gcpw-gcds-gps-directory-sync-with-ad-and-entraid/gws-admin-directory-sync.md b/src/pentesting-cloud/workspace-security/gws-workspace-sync-attacks-gcpw-gcds-gps-directory-sync-with-ad-and-entraid/gws-admin-directory-sync.md index 4f7f7e554..a74528e3b 100644 --- a/src/pentesting-cloud/workspace-security/gws-workspace-sync-attacks-gcpw-gcds-gps-directory-sync-with-ad-and-entraid/gws-admin-directory-sync.md +++ b/src/pentesting-cloud/workspace-security/gws-workspace-sync-attacks-gcpw-gcds-gps-directory-sync-with-ad-and-entraid/gws-admin-directory-sync.md @@ -55,3 +55,7 @@ Note that Workspace require credentials with read only access over AD or EntraID I also don't know where does Google store the AD credentials or EntraID token and you **can't recover them re-configuring the synchronizarion** (they don't appear in the web form, you need to give them again). However, from the web it might be possible to abuse the current functionality to **list users and groups**. {{#include ../../../banners/hacktricks-training.md}} + + + +