translate everything

This commit is contained in:
Carlos Polop
2024-12-31 18:35:05 +01:00
parent 145008516e
commit 7770a50092
483 changed files with 1930 additions and 0 deletions

View File

@@ -173,3 +173,7 @@ foo = Variable.get("foo")
If they are used for example inside a a bash command, you could perform a command injection.
{{#include ../../banners/hacktricks-training.md}}
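Review bot: the commit message `translate everything` does not describe this change: every visible hunk appends a `{{#include .../banners/hacktricks-training.md}}` line (483 files, 1930 additions, 0 deletions), so a message such as `add training banner include to all pages` would make the history searchable. While this page is being touched, the context line `inside a a bash command` has a doubled article and should read `inside a bash command`.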

View File

@@ -109,3 +109,7 @@ AUTH_ROLE_PUBLIC = 'Admin'
```
{{#include ../../banners/hacktricks-training.md}}

View File

@@ -41,3 +41,7 @@ These are the default permissions per default role:
\[]
{{#include ../../banners/hacktricks-training.md}}
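Review bot: the context line `\[]` sitting directly under `These are the default permissions per default role:` looks like an escaped empty Markdown link left over from an earlier conversion, so the page promises a permissions listing and renders nothing; check that the original table or image reference survived before appending the banner below it.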

View File

@@ -254,3 +254,6 @@ jobs:
{{#include ../banners/hacktricks-training.md}}
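Review bot: `@@ -254,3 +254,6 @@` adds only three lines where the other hunks add four (`+N,7`); 483 files at four lines each would be 1932 additions, and the stated total of 1930 means this hunk and the `@@ -103,3 +103,6 @@` hunk account for the whole difference. Most likely these two files lacked a trailing blank line before the include, so confirm the banner renders with the same spacing above it as on the other pages.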

View File

@@ -132,3 +132,7 @@ cloudflare-zero-trust-network.md
[Check this part](cloudflare-domains.md#cloudflare-ddos-protection).
{{#include ../../banners/hacktricks-training.md}}

View File

@@ -131,3 +131,7 @@ TODO
TODO
{{#include ../../banners/hacktricks-training.md}}

View File

@@ -59,3 +59,7 @@ TODO
- [ ] It's recommended to **add a User Seat Expiration** to remove users that doesn't really use this service
{{#include ../../banners/hacktricks-training.md}}

View File

@@ -31,3 +31,7 @@ concourse-enumeration-and-attacks.md
{{#endref}}
{{#include ../../banners/hacktricks-training.md}}

View File

@@ -36,3 +36,7 @@ In order to execute tasks concourse must have some workers. These workers **regi
- [https://concourse-ci.org/internals.html](https://concourse-ci.org/internals.html)
{{#include ../../banners/hacktricks-training.md}}

View File

@@ -440,3 +440,7 @@ Accept-Encoding: gzip.
- https://concourse-ci.org/vars.html
{{#include ../../banners/hacktricks-training.md}}

View File

@@ -149,3 +149,7 @@ You don't need to trigger the jobs manually every-time you need to run them, you
Check a YAML pipeline example that triggers on new commits to master in [https://concourse-ci.org/tutorial-resources.html](https://concourse-ci.org/tutorial-resources.html)
{{#include ../../banners/hacktricks-training.md}}

View File

@@ -136,3 +136,7 @@ If you are inside the server you can also **use the `gitea` binary** to access/m
- `gitea admin user create --username newuser --password superpassword --email user@user.user --admin --access-token` Create new admin user and get an access token
{{#include ../../banners/hacktricks-training.md}}

View File

@@ -101,3 +101,7 @@ Different protections can be applied to a branch (like to master):
> As you can see, even if you managed to obtain some credentials of a user, **repos might be protected avoiding you to pushing code to master** for example to compromise the CI/CD pipeline.
{{#include ../../banners/hacktricks-training.md}}

View File

@@ -242,3 +242,7 @@ jobs:
For more info check [https://www.chainguard.dev/unchained/what-the-fork-imposter-commits-in-github-actions-and-ci-cd](https://www.chainguard.dev/unchained/what-the-fork-imposter-commits-in-github-actions-and-ci-cd)
{{#include ../../banners/hacktricks-training.md}}

View File

@@ -579,3 +579,7 @@ The following tools are useful to find Github Action workflows and even find vul
- [https://github.com/carlospolop/PurplePanda](https://github.com/carlospolop/PurplePanda)
{{#include ../../../banners/hacktricks-training.md}}

View File

@@ -1,2 +1,6 @@
# Gh Actions - Artifact Poisoning

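Review bot: `@@ -1,2 +1,6 @@` means the entire original file is the `# Gh Actions - Artifact Poisoning` title and one blank line, and this rendering does not show the four added lines; if they are the banner include as elsewhere, the published page is a bare title plus a training banner. The same applies to the `GH Actions - Cache Poisoning`, `Gh Actions - Context Script Injections`, `AWS - Persistence` and `AWS - Post Exploitation` hunks. Consider adding a one-line description or a `{{#ref}}` to the page that actually covers each topic, and normalise the title casing (`Gh Actions` vs `GH Actions`) while doing so.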
View File

@@ -1,2 +1,6 @@
# GH Actions - Cache Poisoning

View File

@@ -1,2 +1,6 @@
# Gh Actions - Context Script Injections

View File

@@ -54,3 +54,7 @@ And the latest one use a short sha-1 that is bruteforceable.
- [https://trufflesecurity.com/blog/anyone-can-access-deleted-and-private-repo-data-github](https://trufflesecurity.com/blog/anyone-can-access-deleted-and-private-repo-data-github)
{{#include ../../banners/hacktricks-training.md}}

View File

@@ -253,3 +253,7 @@ Different protections can be applied to a branch (like to master):
- [https://docs.github.com/en/actions/security-guides/encrypted-secrets](https://docs.github.com/en/actions/security-guides/encrypted-secrets)
{{#include ../../banners/hacktricks-training.md}}

View File

@@ -410,3 +410,7 @@ println(hudson.util.Secret.decrypt("{...}"))
- [https://medium.com/@Proclus/tryhackme-internal-walk-through-90ec901926d3](https://medium.com/@Proclus/tryhackme-internal-walk-through-90ec901926d3)
{{#include ../../banners/hacktricks-training.md}}

View File

@@ -92,3 +92,7 @@ According to [**the docs**](https://www.jenkins.io/blog/2019/02/21/credentials-m
- [https://www.jenkins.io/doc/book/managing/nodes/](https://www.jenkins.io/doc/book/managing/nodes/)
{{#include ../../banners/hacktricks-training.md}}

View File

@@ -103,3 +103,7 @@ This is an AI created summary of the part of the post were the creaft of an arbi
The example curl command provided demonstrates how to make a request to Jenkins with the necessary headers and cookies to execute arbitrary code securely.
{{#include ../../banners/hacktricks-training.md}}
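Review bot: the context lines carry typos that this hunk leaves in place: `the part of the post were the creaft of an arbi...` should read `where the craft of an arbitrary...`, and `execute arbitrary code securely` is a contradiction that the AI summary introduced. Since the page itself says it is an AI created summary, a short human pass over those two sentences is worth doing before the banner is appended.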

View File

@@ -87,3 +87,7 @@ for (c in creds) {
```
{{#include ../../banners/hacktricks-training.md}}

View File

@@ -37,3 +37,7 @@ Finally click on **Save**, and **Build Now** and the pipeline will be executed:
If you can access the configuration file of some pipeline configured you could just **modify it appending your reverse shell** and then execute it or wait until it gets executed.
{{#include ../../banners/hacktricks-training.md}}

View File

@@ -34,3 +34,7 @@ Click on **Save** and **build** the project and your **command will be executed*
If you are not executing a reverse shell but a simple command you can **see the output of the command inside the output of the build**.
{{#include ../../banners/hacktricks-training.md}}

View File

@@ -61,3 +61,7 @@ msf> use exploit/multi/http/jenkins_script_console
```
{{#include ../../banners/hacktricks-training.md}}

View File

@@ -112,3 +112,7 @@ okta-hardening.md
- [https://medium.com/nickvangilder/okta-for-red-teamers-perimeter-edition-c60cb8d53f23](https://medium.com/nickvangilder/okta-for-red-teamers-perimeter-edition-c60cb8d53f23)
{{#include ../../banners/hacktricks-training.md}}

View File

@@ -197,3 +197,7 @@ Here you can find **generic information** about the Okta environment, such as th
Here you can download Okta agents to sync Okta with other technologies.
{{#include ../../banners/hacktricks-training.md}}

View File

@@ -103,3 +103,6 @@ Check this interesting article about the top 10 CI/CD risks according to Cider:
{{#include ../banners/hacktricks-training.md}}
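Review bot: `@@ -103,3 +103,6 @@` adds three lines instead of the four added in almost every other file (`+N,7`); check that this file ends with the same blank line before the include as the rest so the banner spacing is consistent, rather than the include landing directly under the last paragraph.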

View File

@@ -856,3 +856,7 @@ Granting excessive permissions to team members and external collaborators can le
- Keys with broad permissions can be exploited to perform unauthorized actions across multiple resources.
{{#include ../banners/hacktricks-training.md}}

View File

@@ -161,3 +161,7 @@ It's possible to set an SMTP to send emails.
It's possible to **store secrets** in supabase also which will be **accessible by edge functions** (the can be created and deleted from the web, but it's not possible to access their value directly).
{{#include ../banners/hacktricks-training.md}}

View File

@@ -310,3 +310,7 @@ brew install terrascan
- [https://blog.plerion.com/hacking-terraform-state-privilege-escalation/](https://blog.plerion.com/hacking-terraform-state-privilege-escalation/)
{{#include ../banners/hacktricks-training.md}}

View File

@@ -14,3 +14,7 @@ Github PRs are welcome explaining how to (ab)use those platforms from an attacke
- Any other CI/CD platform...
{{#include ../banners/hacktricks-training.md}}

View File

@@ -63,3 +63,7 @@ If an attacker ends in an environment which uses **TravisCI enterprise** (more i
- [https://docs.travis-ci.com/user/best-practices-security](https://docs.travis-ci.com/user/best-practices-security)
{{#include ../../banners/hacktricks-training.md}}

View File

@@ -90,3 +90,7 @@ The amount of deployed TCI Worker and build environment OS images will determine
![](<../../images/image (199).png>)
{{#include ../../banners/hacktricks-training.md}}

View File

@@ -435,3 +435,7 @@ An **Access Group** in Vercel is a collection of projects and team members with
- **Risk:** Increased likelihood of accidental exposure or unauthorized access to sensitive information.
{{#include ../banners/hacktricks-training.md}}

View File

@@ -387,3 +387,7 @@ aws ...
- [https://cloudsecdocs.com/aws/defensive/tooling/audit/](https://cloudsecdocs.com/aws/defensive/tooling/audit/)
{{#include ../../banners/hacktricks-training.md}}

View File

@@ -384,3 +384,7 @@ If you are looking for something **similar** to this but for the **browser** you
- [https://docs.aws.amazon.com/singlesignon/latest/userguide/what-is.html](https://docs.aws.amazon.com/singlesignon/latest/userguide/what-is.html)
{{#include ../../../banners/hacktricks-training.md}}

View File

@@ -127,3 +127,7 @@ In order to specify **which service account should be able to assume the role,**
- [https://www.eliasbrange.dev/posts/secure-aws-deploys-from-github-actions-with-oidc/](https://www.eliasbrange.dev/posts/secure-aws-deploys-from-github-actions-with-oidc/)
{{#include ../../../banners/hacktricks-training.md}}

View File

@@ -15,3 +15,7 @@ These are the permissions you need on each AWS account you want to audit to be a
- Optional if the client removes the analyzers for you, but usually it's easier just to ask for this permission)
{{#include ../../banners/hacktricks-training.md}}

View File

@@ -1,2 +1,6 @@
# AWS - Persistence

View File

@@ -30,3 +30,7 @@ If API keys are used, you could leak them to maintain persistence or even create
Or just remove the use of API keys.
{{#include ../../../banners/hacktricks-training.md}}

View File

@@ -40,3 +40,7 @@ By default this is disabled:
<figure><img src="https://lh6.googleusercontent.com/EOiM0EVuEgZDfW3rOJHLQjd09-KmvraCMssjZYpY9sVha6NcxwUjStrLbZxAT3D3j9y08kd5oobvW8a2fLUVROyhkHaB1OPhd7X6gJW3AEQtlZM62q41uYJjTY1EJ0iQg6Orr1O7yZ798EpIJ87og4Tbzw=s2048" alt=""><figcaption></figcaption></figure>
{{#include ../../../banners/hacktricks-training.md}}
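Review bot: the figure in the context line loads from `https://lh6.googleusercontent.com/...=s2048`, a Google-hosted URL that can stop resolving, while other pages in this diff reference local files such as `../../images/image (199).png`. Copy the screenshot into the repository's `images/` directory and point the `<img src>` there so the page does not silently lose the image later.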

View File

@@ -61,3 +61,7 @@ aws dynamodb put-item \
The compromised instances or Lambda functions can periodically check the C2 table for new commands, execute them, and optionally report the results back to the table. This allows the attacker to maintain persistence and control over the compromised resources.
{{#include ../../../banners/hacktricks-training.md}}

View File

@@ -52,3 +52,7 @@ Create a VPN so the attacker will be able to connect directly through i to the V
Create a peering connection between the victim VPC and the attacker VPC so he will be able to access the victim VPC.
{{#include ../../../banners/hacktricks-training.md}}

View File

@@ -95,3 +95,7 @@ aws ecr put-replication-configuration \
```
{{#include ../../../banners/hacktricks-training.md}}

View File

@@ -97,3 +97,7 @@ aws ecs create-service --service-name "undocumented-service" --task-definition "
```
{{#include ../../../banners/hacktricks-training.md}}

View File

@@ -19,3 +19,7 @@ Modifying the **resource policy and/or security groups** you can try to persist
You could **create an access point** (with root access to `/`) accessible from a service were you have implemented **other persistence** to keep privileged access to the file system.
{{#include ../../../banners/hacktricks-training.md}}

View File

@@ -75,3 +75,7 @@ aws elasticbeanstalk update-environment --environment-name my-env --option-setti
```
{{#include ../../../banners/hacktricks-training.md}}

View File

@@ -47,3 +47,7 @@ Give Administrator permissions to a policy in not its last version (the last ver
If the account is already trusting a common identity provider (such as Github) the conditions of the trust could be increased so the attacker can abuse them.
{{#include ../../../banners/hacktricks-training.md}}

View File

@@ -37,3 +37,7 @@ aws kms list-grants --key-id <key-id>
> A grant can give permissions only from this: [https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#terms-grant-operations](https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#terms-grant-operations)
{{#include ../../../banners/hacktricks-training.md}}

View File

@@ -62,3 +62,7 @@ Here you have some ideas to make your **presence in AWS more stealth by creating
- Every time new cloudtrail logs are generated, delete/alter them
{{#include ../../../../banners/hacktricks-training.md}}

View File

@@ -40,3 +40,7 @@ The tool [**lambda-spy**](https://github.com/clearvector/lambda-spy) was created
- [https://www.clearvector.com/blog/lambda-spy/](https://www.clearvector.com/blog/lambda-spy/)
{{#include ../../../../banners/hacktricks-training.md}}

View File

@@ -128,3 +128,7 @@ aws lambda remove-layer-version-permission --layer-name ExternalBackdoor --state
```
{{#include ../../../../banners/hacktricks-training.md}}

View File

@@ -31,3 +31,7 @@ If domains are configured:
- Configure the **main domain IP to your own one** and perform a **MitM** from your IP to the legit ones
{{#include ../../../banners/hacktricks-training.md}}

View File

@@ -29,3 +29,7 @@ aws rds modify-db-snapshot-attribute --db-snapshot-identifier <snapshot-name> --
```
{{#include ../../../banners/hacktricks-training.md}}

View File

@@ -23,3 +23,7 @@ Therefore, and attacker could get this key from the metadata and decrypt with KM
Although usually ACLs of buckets are disabled, an attacker with enough privileges could abuse them (if enabled or if the attacker can enable them) to keep access to the S3 bucket.
{{#include ../../../banners/hacktricks-training.md}}
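Review bot: the context line `Therefore, and attacker could get this key from the metadata` should read `an attacker`; a one-word fix worth folding into this commit since the file is already being modified.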

View File

@@ -51,3 +51,7 @@ def generate_password():
```
{{#include ../../../banners/hacktricks-training.md}}

View File

@@ -79,3 +79,7 @@ aws sns subscribe --region <region> \
```
{{#include ../../../banners/hacktricks-training.md}}

View File

@@ -37,3 +37,7 @@ The following policy gives everyone in AWS access to everything in the queue cal
> You could even **trigger a Lambda in the attackers account every-time a new message** is put in the queue (you would need to re-put it) somehow. For this follow these instructinos: [https://docs.aws.amazon.com/lambda/latest/dg/with-sqs-cross-account-example.html](https://docs.aws.amazon.com/lambda/latest/dg/with-sqs-cross-account-example.html)
{{#include ../../../banners/hacktricks-training.md}}
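Review bot: the context line spells `instructinos`; fix to `instructions` while this page is being touched. The same sentence, `(you would need to re-put it) somehow. For this follow these instructinos:`, reads awkwardly with `somehow` after the parenthesis; moving it before the parenthesis makes the intent clearer.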

View File

@@ -1,2 +1,6 @@
# AWS - SSM Perssitence

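Review bot: the page title `# AWS - SSM Perssitence` misspells `Persistence`, and since `-1,2` shows the file is only that title plus a blank line, the banner is being appended to an empty stub. Fix the heading in this commit, and decide whether empty stubs should receive the banner at all or be filled in first.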
View File

@@ -19,3 +19,7 @@ Backdoor a step function to make it perform any persistence trick so every time
If the AWS account is using aliases to call step functions it would be possible to modify an alias to use a new backdoored version of the step function.
{{#include ../../../banners/hacktricks-training.md}}

View File

@@ -129,3 +129,7 @@ Write-Host "Role juggling check complete."
</details>
{{#include ../../../banners/hacktricks-training.md}}

View File

@@ -1,2 +1,6 @@
# AWS - Post Exploitation

View File

@@ -144,3 +144,7 @@ aws apigateway create-usage-plan-key --usage-plan-id $USAGE_PLAN --key-id $API_K
> Need testing
{{#include ../../../banners/hacktricks-training.md}}

View File

@@ -29,3 +29,7 @@ Accessing the response you could steal the users cookie and inject a malicious J
You can check the [**tf code to recreate this scenarios here**](https://github.com/adanalvarez/AWS-Attack-Scenarios/tree/main).
{{#include ../../../banners/hacktricks-training.md}}

View File

@@ -82,3 +82,7 @@ aws codebuild delete-source-credentials --arn <value>
**Potential Impact**: Disruption of normal functioning for applications relying on the affected repository due to the removal of source credentials.
{{#include ../../../../banners/hacktricks-training.md}}

View File

@@ -186,3 +186,7 @@ aws codebuild start-build --project-name <proj-name>
> Now an attacker will be able to use the token from his machine, list all the privileges it has and (ab)use easier than using the CodeBuild service directly.
{{#include ../../../../banners/hacktricks-training.md}}

View File

@@ -18,3 +18,7 @@ aws controltower enable-control --control-identifier <arn_control_id> --target-i
```
{{#include ../../../banners/hacktricks-training.md}}

View File

@@ -93,3 +93,7 @@ A template for the policy document can be seen here:
```
{{#include ../../../banners/hacktricks-training.md}}

View File

@@ -347,3 +347,7 @@ bashCopy codeaws dynamodbstreams get-records \
**Potential impact**: Real-time monitoring and data leakage of the DynamoDB table's changes.
{{#include ../../../banners/hacktricks-training.md}}
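Review bot: the context line `bashCopy codeaws dynamodbstreams get-records \` has a `bashCopy code` prefix (the language label and Copy-button text of a chat-assistant code block) glued onto the command, so the fenced example is not copy-pasteable. It should begin at `aws dynamodbstreams get-records \` inside a ```bash fence.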

View File

@@ -475,3 +475,7 @@ if __name__ == "__main__":
```
{{#include ../../../../banners/hacktricks-training.md}}

View File

@@ -139,3 +139,7 @@ You can use this tool to automate the attack: [https://github.com/Static-Flow/Cl
- [https://devopscube.com/mount-ebs-volume-ec2-instance/](https://devopscube.com/mount-ebs-volume-ec2-instance/)
{{#include ../../../../banners/hacktricks-training.md}}

View File

@@ -13,3 +13,7 @@ The **impact** of malicious VPC traffic mirroring can be significant, as it allo
For more information and access to the [**malmirror script**](https://github.com/RhinoSecurityLabs/Cloud-Security-Research/tree/master/AWS/malmirror), it can be found on our **GitHub repository**. The script automates and streamlines the process, making it **quick, simple, and repeatable** for offensive research purposes.
{{#include ../../../../banners/hacktricks-training.md}}
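Review bot: the context text `it can be found on our GitHub repository` is lifted from the Rhino Security Labs write-up and speaks in that vendor's voice, which is misleading on this site. Reword to `on the Rhino Security Labs GitHub repository` (the linked URL already points at `github.com/RhinoSecurityLabs/...`) and cite the original post so the attribution is explicit.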

View File

@@ -94,3 +94,7 @@ aws ecr-public batch-delete-image --repository-name your-ecr-repo-name --image-i
```
{{#include ../../../banners/hacktricks-training.md}}

View File

@@ -61,3 +61,7 @@ aws ecs submit-attachment-state-changes ...
The EC2 instance will probably also have the permission `ecr:GetAuthorizationToken` allowing it to **download images** (you could search for sensitive info in them).
{{#include ../../../banners/hacktricks-training.md}}

View File

@@ -52,3 +52,7 @@ aws efs delete-access-point --access-point-id <value>
**Potential Impact**: Unauthorized access to the file system, data exposure or modification.
{{#include ../../../banners/hacktricks-training.md}}

View File

@@ -153,3 +153,7 @@ So, if an **attacker compromises a cluster using fargate** and **removes all the
> Actually, If the cluster is using Fargate you could EC2 nodes or move everything to EC2 to the cluster and recover it accessing the tokens in the node.
{{#include ../../../banners/hacktricks-training.md}}
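Review bot: the context line `you could EC2 nodes or move everything to EC2 to the cluster and recover it accessing the tokens in the node` is missing a verb and has the clauses tangled; presumably it means `you could add EC2 nodes to the cluster, or move everything to EC2, and recover it by accessing the tokens in the node`. Worth rewriting while the file is open.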

View File

@@ -78,3 +78,7 @@ aws elasticbeanstalk remove-tags --resource-arn arn:aws:elasticbeanstalk:us-west
**Potential Impact**: Incorrect resource allocation, billing, or resource management due to added or removed tags.
{{#include ../../../banners/hacktricks-training.md}}

View File

@@ -101,3 +101,7 @@ A common way to avoid Confused Deputy problems is the use of a condition with `A
- [https://docs.aws.amazon.com/IAM/latest/UserGuide/confused-deputy.html](https://docs.aws.amazon.com/IAM/latest/UserGuide/confused-deputy.html)
{{#include ../../../banners/hacktricks-training.md}}

View File

@@ -131,3 +131,7 @@ aws kms schedule-key-deletion \
<figure><img src="../../../images/image (76).png" alt=""><figcaption></figcaption></figure>
{{#include ../../../banners/hacktricks-training.md}}

View File

@@ -27,3 +27,7 @@ Abusing Lambda Layers it's also possible to abuse extensions and persist in the
{{#endref}}
{{#include ../../../../banners/hacktricks-training.md}}

View File

@@ -61,3 +61,7 @@ For more info check [https://github.com/carlospolop/lambda_bootstrap_switcher](h
- [https://unit42.paloaltonetworks.com/gaining-persistency-vulnerable-lambdas/](https://unit42.paloaltonetworks.com/gaining-persistency-vulnerable-lambdas/)
{{#include ../../../../banners/hacktricks-training.md}}

View File

@@ -28,3 +28,7 @@ Check out the Lightsail privesc options to learn different ways to access potent
{{#endref}}
{{#include ../../../banners/hacktricks-training.md}}

View File

@@ -17,3 +17,7 @@ aws organizations deregister-account --account-id <account_id> --region <region>
```
{{#include ../../../banners/hacktricks-training.md}}

View File

@@ -90,3 +90,7 @@ aws rds start-export-task --export-task-identifier attacker-export-task --source
**Potential impact**: Access to sensitive data in the exported snapshot.
{{#include ../../../banners/hacktricks-training.md}}

View File

@@ -36,3 +36,7 @@ Finally, the attacker could upload a final file, usually named "ransom-note.txt,
**For more info** [**check the original research**](https://rhinosecuritylabs.com/aws/s3-ransomware-part-1-attack-vector/)**.**
{{#include ../../../banners/hacktricks-training.md}}

View File

@@ -47,3 +47,7 @@ aws secretsmanager delete-secret \
```
{{#include ../../../banners/hacktricks-training.md}}

View File

@@ -81,3 +81,7 @@ aws sesv2 send-custom-verification-email --email-address <value> --template-name
Still to test.
{{#include ../../../banners/hacktricks-training.md}}

View File

@@ -78,3 +78,7 @@ aws sns untag-resource --resource-arn <value> --tag-keys <key>
**Potential Impact**: Disruption of cost allocation, resource tracking, and tag-based access control policies.
{{#include ../../../banners/hacktricks-training.md}}

View File

@@ -85,3 +85,7 @@ arduinoCopy codeaws sqs remove-permission --queue-url <value> --label <value>
**Potential Impact**: Disruption of normal functioning for applications relying on the queue due to unauthorized removal of permissions.
{{#include ../../../banners/hacktricks-training.md}}
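Review bot: `arduinoCopy codeaws sqs remove-permission --queue-url <value> --label <value>` has an `arduinoCopy code` artifact (a mis-detected language label plus Copy-button text from a chat-assistant block) fused to the command; strip it so the line reads `aws sqs remove-permission --queue-url <value> --label <value>` inside a ```bash fence.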

View File

@@ -23,3 +23,7 @@ aws sso-admin delete-account-assignment --instance-arn <SSOInstanceARN> --target
```
{{#include ../../../banners/hacktricks-training.md}}

View File

@@ -72,3 +72,7 @@ aws stepfunctions untag-resource --resource-arn <value> --tag-keys <key>
**Potential Impact**: Disruption of cost allocation, resource tracking, and tag-based access control policies.
{{#include ../../../banners/hacktricks-training.md}}

View File

@@ -102,3 +102,7 @@ response = client.get_secret_value(SecretId="flag_secret") print(response['Secre
```
{{#include ../../../banners/hacktricks-training.md}}
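Review bot: the context line `response = client.get_secret_value(SecretId="flag_secret") print(response['Secre...` puts two Python statements on one line, which is a syntax error if a reader copies the snippet; split it so the `print(...)` call sits on its own line.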

View File

@@ -11,3 +11,7 @@ For more information:
{{#endref}}
{{#include ../../../banners/hacktricks-training.md}}

View File

@@ -21,3 +21,7 @@ The way to escalate your privileges in AWS is to have enough permissions to be a
- [Pacu](https://github.com/RhinoSecurityLabs/pacu)
{{#include ../../../banners/hacktricks-training.md}}

View File

@@ -105,3 +105,7 @@ aws apigateway update-vpc-link --vpc-link-id $VPC_LINK_ID --patch-operations op=
**Potential Impact**: Unauthorized access to private API resources, interception or disruption of API traffic.
{{#include ../../../banners/hacktricks-training.md}}

View File

@@ -7,3 +7,7 @@
TODO
{{#include ../../../banners/hacktricks-training.md}}

View File

@@ -116,3 +116,7 @@ An attacker could abuse this permission without the passRole permission to updat
- [https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/](https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/)
{{#include ../../../../banners/hacktricks-training.md}}

Some files were not shown because too many files have changed in this diff.