mirror of
https://github.com/HackTricks-wiki/hacktricks-cloud.git
synced 2026-07-08 05:17:43 -07:00
Update URLs
This commit is contained in:
@@ -37,7 +37,7 @@ From a Red Team point of view, the **first step to compromise an AWS environment
|
||||
- **Social** Engineering
|
||||
- **Password** reuse (password leaks)
|
||||
- Vulnerabilities in AWS-Hosted Applications
|
||||
- [**Server Side Request Forgery**](https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf) with access to metadata endpoint
|
||||
- [**Server Side Request Forgery**](https://book.hacktricks.wiki/en/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf.html) with access to metadata endpoint
|
||||
- **Local File Read**
|
||||
- `/home/USERNAME/.aws/credentials`
|
||||
- `C:\Users\USERNAME\.aws\credentials`
|
||||
@@ -67,7 +67,7 @@ aws-permissions-for-a-pentest.md
|
||||
If you found a SSRF in a machine inside AWS check this page for tricks:
|
||||
|
||||
{{#ref}}
|
||||
https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf
|
||||
https://book.hacktricks.wiki/en/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf.html
|
||||
{{#endref}}
|
||||
|
||||
### Whoami
|
||||
@@ -147,7 +147,7 @@ As pentester/red teamer you should always check if you can find **sensitive info
|
||||
In this book you should find **information** about how to find **exposed AWS services and how to check them**. About how to find **vulnerabilities in exposed network services** I would recommend you to **search** for the specific **service** in:
|
||||
|
||||
{{#ref}}
|
||||
https://book.hacktricks.xyz/
|
||||
https://book.hacktricks.wiki/
|
||||
{{#endref}}
|
||||
|
||||
## Compromising the Organization
|
||||
|
||||
@@ -7,7 +7,7 @@
|
||||
For info about SAML please check:
|
||||
|
||||
{{#ref}}
|
||||
https://book.hacktricks.xyz/pentesting-web/saml-attacks
|
||||
https://book.hacktricks.wiki/en/pentesting-web/saml-attacks/index.html
|
||||
{{#endref}}
|
||||
|
||||
In order to configure an **Identity Federation through SAML** you just need to provide a **name** and the **metadata XML** containing all the SAML configuration (**endpoints**, **certificate** with public key)
|
||||
|
||||
+1
-1
@@ -113,7 +113,7 @@ One of the scenarios where this is useful is pivoting from a [Bastion Host](http
|
||||
aws ssm start-session --target "$INSTANCE_ID"
|
||||
```
|
||||
|
||||
3. Get the Bastion EC2 AWS temporary credentials with the [Abusing SSRF in AWS EC2 environment](https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf#abusing-ssrf-in-aws-ec2-environment) script
|
||||
3. Get the Bastion EC2 AWS temporary credentials with the [Abusing SSRF in AWS EC2 environment](https://book.hacktricks.wiki/en/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf.html#abusing-ssrf-in-aws-ec2-environment) script
|
||||
4. Transfer the credentials to your own machine in the `$HOME/.aws/credentials` file as `[bastion-ec2]` profile
|
||||
5. Log in to EKS as the Bastion EC2:
|
||||
|
||||
|
||||
+1
-1
@@ -51,7 +51,7 @@ aws ecr get-download-url-for-layer \
|
||||
After downloading the images you should **check them for sensitive info**:
|
||||
|
||||
{{#ref}}
|
||||
https://book.hacktricks.xyz/generic-methodologies-and-resources/basic-forensic-methodology/docker-forensics
|
||||
https://book.hacktricks.wiki/en/generic-methodologies-and-resources/basic-forensic-methodology/docker-forensics.html
|
||||
{{#endref}}
|
||||
|
||||
### `ecr:PutLifecyclePolicy` | `ecr:DeleteRepository` | `ecr-public:DeleteRepository` | `ecr:BatchDeleteImage` | `ecr-public:BatchDeleteImage`
|
||||
|
||||
+1
-1
@@ -16,7 +16,7 @@ In ECS an **IAM role can be assigned to the task** running inside the container.
|
||||
Which means that if you manage to **compromise** an ECS instance you can potentially **obtain the IAM role associated to the ECR and to the EC2 instance**. For more info about how to get those credentials check:
|
||||
|
||||
{{#ref}}
|
||||
https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf
|
||||
https://book.hacktricks.wiki/en/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf.html
|
||||
{{#endref}}
|
||||
|
||||
> [!CAUTION]
|
||||
|
||||
@@ -194,7 +194,7 @@ aws --profile none-priv lambda update-function-configuration --function-name <fu
|
||||
For other scripting languages there are other env variables you can use. For more info check the subsections of scripting languages in:
|
||||
|
||||
{{#ref}}
|
||||
https://book.hacktricks.xyz/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse
|
||||
https://book.hacktricks.wiki/en/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/index.html
|
||||
{{#endref}}
|
||||
|
||||
#### RCE via Lambda Layers
|
||||
|
||||
@@ -26,7 +26,7 @@ aws --region us-east-1 --profile ad docdb describe-db-cluster-snapshot-attribute
|
||||
As DocumentDB is a MongoDB compatible database, you can imagine it's also vulnerable to common NoSQL injection attacks:
|
||||
|
||||
{{#ref}}
|
||||
https://book.hacktricks.xyz/pentesting-web/nosql-injection
|
||||
https://book.hacktricks.wiki/en/pentesting-web/nosql-injection.html
|
||||
{{#endref}}
|
||||
|
||||
### DocumentDB
|
||||
|
||||
@@ -86,7 +86,7 @@ aws dynamodb describe-endpoints #Dynamodb endpoints
|
||||
There are ways to access DynamoDB data with **SQL syntax**, therefore, typical **SQL injections are also possible**.
|
||||
|
||||
{{#ref}}
|
||||
https://book.hacktricks.xyz/pentesting-web/sql-injection
|
||||
https://book.hacktricks.wiki/en/pentesting-web/sql-injection/index.html
|
||||
{{#endref}}
|
||||
|
||||
### NoSQL Injection
|
||||
@@ -109,7 +109,7 @@ If you can **change the comparison** performed or add new ones, you could retrie
|
||||
```
|
||||
|
||||
{{#ref}}
|
||||
https://book.hacktricks.xyz/pentesting-web/nosql-injection
|
||||
https://book.hacktricks.wiki/en/pentesting-web/nosql-injection.html
|
||||
{{#endref}}
|
||||
|
||||
### Raw Json injection
|
||||
|
||||
+1
-1
@@ -38,7 +38,7 @@ This extra step is the **creation of an** [_**instance profile**_](https://docs.
|
||||
AWS EC2 metadata is information about an Amazon Elastic Compute Cloud (EC2) instance that is available to the instance at runtime. This metadata is used to provide information about the instance, such as its instance ID, the availability zone it is running in, the IAM role associated with the instance, and the instance's hostname.
|
||||
|
||||
{{#ref}}
|
||||
https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf
|
||||
https://book.hacktricks.wiki/en/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf.html
|
||||
{{#endref}}
|
||||
|
||||
### Enumeration
|
||||
|
||||
@@ -136,7 +136,7 @@ aws rds modify-db-instance --db-instance-identifier <ID> --master-user-password
|
||||
There are ways to access DynamoDB data with **SQL syntax**, therefore, typical **SQL injections are also possible**.
|
||||
|
||||
{{#ref}}
|
||||
https://book.hacktricks.xyz/pentesting-web/sql-injection
|
||||
https://book.hacktricks.wiki/en/pentesting-web/sql-injection/index.html
|
||||
{{#endref}}
|
||||
|
||||
{{#include ../../../banners/hacktricks-training.md}}
|
||||
|
||||
+1
-1
@@ -145,7 +145,7 @@ print(response)
|
||||
For more information about CSV Injections check the page:
|
||||
|
||||
{{#ref}}
|
||||
https://book.hacktricks.xyz/pentesting-web/formula-injection
|
||||
https://book.hacktricks.wiki/en/pentesting-web/formula-csv-doc-latex-ghostscript-injection.html
|
||||
{{#endref}}
|
||||
|
||||
For more information about this specific technique check [https://rhinosecuritylabs.com/aws/cloud-security-csv-injection-aws-cloudtrail/](https://rhinosecuritylabs.com/aws/cloud-security-csv-injection-aws-cloudtrail/)
|
||||
|
||||
+2
-2
@@ -17,7 +17,7 @@ It's possible to expose the **any port of the virtual machines to the internet**
|
||||
#### SSRF
|
||||
|
||||
{{#ref}}
|
||||
https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf
|
||||
https://book.hacktricks.wiki/en/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf.html
|
||||
{{#endref}}
|
||||
|
||||
### Public AMIs & EBS Snapshots
|
||||
@@ -39,7 +39,7 @@ aws ec2 describe-snapshots --restorable-by-user-ids all
|
||||
aws ec2 describe-snapshots --restorable-by-user-ids all | jq '.Snapshots[] | select(.OwnerId == "099720109477")'
|
||||
```
|
||||
|
||||
If you find a snapshot that is restorable by anyone, make sure to check [AWS - EBS Snapshot Dump](https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-post-exploitation/aws-ec2-ebs-ssm-and-vpc-post-exploitation/aws-ebs-snapshot-dump) for directions on downloading and looting the snapshot.
|
||||
If you find a snapshot that is restorable by anyone, make sure to check [AWS - EBS Snapshot Dump](https://cloud.hacktricks.wiki/en/pentesting-cloud/aws-security/aws-post-exploitation/aws-ec2-ebs-ssm-and-vpc-post-exploitation/index.html#ebs-snapshot-dump) for directions on downloading and looting the snapshot.
|
||||
|
||||
#### Public URL template
|
||||
|
||||
|
||||
@@ -18,7 +18,7 @@ From a Red Team point of view, the **first step to compromise an Azure environme
|
||||
- **Social** Engineering
|
||||
- **Password** reuse (password leaks)
|
||||
- Vulnerabilities in Azure-Hosted Applications
|
||||
- [**Server Side Request Forgery**](https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf) with access to metadata endpoint
|
||||
- [**Server Side Request Forgery**](https://book.hacktricks.wiki/en/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf.html) with access to metadata endpoint
|
||||
- **Local File Read**
|
||||
- `/home/USERNAME/.azure`
|
||||
- `C:\Users\USERNAME\.azure`
|
||||
@@ -29,7 +29,7 @@ From a Red Team point of view, the **first step to compromise an Azure environme
|
||||
Use `Disconnect-AzAccount` to remove them.
|
||||
- 3rd parties **breached**
|
||||
- **Internal** Employee
|
||||
- [**Common Phishing**](https://book.hacktricks.xyz/generic-methodologies-and-resources/phishing-methodology) (credentials or Oauth App)
|
||||
- [**Common Phishing**](https://book.hacktricks.wiki/en/generic-methodologies-and-resources/phishing-methodology/index.html) (credentials or Oauth App)
|
||||
- [Device Code Authentication Phishing](az-unauthenticated-enum-and-initial-entry/az-device-code-authentication-phishing.md)
|
||||
- [Azure **Password Spraying**](az-unauthenticated-enum-and-initial-entry/az-password-spraying.md)
|
||||
|
||||
@@ -52,7 +52,7 @@ az-unauthenticated-enum-and-initial-entry/
|
||||
If you found a SSRF in a machine inside Azure check this page for tricks:
|
||||
|
||||
{{#ref}}
|
||||
https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf
|
||||
https://book.hacktricks.wiki/en/generic-methodologies-and-resources/phishing-methodology/index.html
|
||||
{{#endref}}
|
||||
|
||||
### Bypass Login Conditions
|
||||
|
||||
+3
-3
@@ -9,15 +9,15 @@ Browser **cookies** are a great mechanism to **bypass authentication and MFA**.
|
||||
You can see where are **browser cookies located** in:
|
||||
|
||||
{{#ref}}
|
||||
https://book.hacktricks.xyz/generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/browser-artifacts?q=browse#google-chrome
|
||||
https://book.hacktricks.wiki/en/generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/browser-artifacts.html#google-chrome
|
||||
{{#endref}}
|
||||
|
||||
## Attack
|
||||
|
||||
The challenging part is that those **cookies are encrypted** for the **user** via the Microsoft Data Protection API (**DPAPI**). This is encrypted using cryptographic [keys tied to the user](https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation/dpapi-extracting-passwords) the cookies belong to. You can find more information about this in:
|
||||
The challenging part is that those **cookies are encrypted** for the **user** via the Microsoft Data Protection API (**DPAPI**). This is encrypted using cryptographic [keys tied to the user](https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/dpapi-extracting-passwords.html) the cookies belong to. You can find more information about this in:
|
||||
|
||||
{{#ref}}
|
||||
https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation/dpapi-extracting-passwords
|
||||
https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/dpapi-extracting-passwords.html
|
||||
{{#endref}}
|
||||
|
||||
With Mimikatz in hand, I am able to **extract a user’s cookies** even though they are encrypted with this command:
|
||||
|
||||
+2
-2
@@ -32,7 +32,7 @@ In any federation setup there are three parties:
|
||||
**If you want to learn more about SAML authentication and common attacks go to:**
|
||||
|
||||
{{#ref}}
|
||||
https://book.hacktricks.xyz/pentesting-web/saml-attacks
|
||||
https://book.hacktricks.wiki/en/pentesting-web/saml-attacks/index.html
|
||||
{{#endref}}
|
||||
|
||||
## Pivoting
|
||||
@@ -56,7 +56,7 @@ https://book.hacktricks.xyz/pentesting-web/saml-attacks
|
||||
|
||||
The process where an **Identity Provider (IdP)** produces a **SAMLResponse** to authorize user sign-in is paramount. Depending on the IdP's specific implementation, the **response** might be **signed** or **encrypted** using the **IdP's private key**. This procedure enables the **Service Provider (SP)** to confirm the authenticity of the SAMLResponse, ensuring it was indeed issued by a trusted IdP.
|
||||
|
||||
A parallel can be drawn with the [golden ticket attack](https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/golden-ticket), where the key authenticating the user’s identity and permissions (KRBTGT for golden tickets, token-signing private key for golden SAML) can be manipulated to **forge an authentication object** (TGT or SAMLResponse). This allows impersonation of any user, granting unauthorized access to the SP.
|
||||
A parallel can be drawn with the [golden ticket attack](https://book.hacktricks.wiki/en/windows-hardening/active-directory-methodology/index.html#golden-ticket), where the key authenticating the user’s identity and permissions (KRBTGT for golden tickets, token-signing private key for golden SAML) can be manipulated to **forge an authentication object** (TGT or SAMLResponse). This allows impersonation of any user, granting unauthorized access to the SP.
|
||||
|
||||
Golden SAMLs offer certain advantages:
|
||||
|
||||
|
||||
+1
-1
@@ -173,7 +173,7 @@ Then go to [https://portal.azure.com](https://portal.azure.com)
|
||||
#### Steps
|
||||
|
||||
1. The **PRT (Primary Refresh Token) is extracted from LSASS** (Local Security Authority Subsystem Service) and stored for subsequent use.
|
||||
2. The **Session Key is extracted next**. Given that this key is initially issued and then re-encrypted by the local device, it necessitates decryption using a DPAPI masterkey. Detailed information about DPAPI (Data Protection API) can be found in these resources: [HackTricks](https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation/dpapi-extracting-passwords) and for an understanding of its application, refer to [Pass-the-cookie attack](az-pass-the-cookie.md).
|
||||
2. The **Session Key is extracted next**. Given that this key is initially issued and then re-encrypted by the local device, it necessitates decryption using a DPAPI masterkey. Detailed information about DPAPI (Data Protection API) can be found in these resources: [HackTricks](https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/dpapi-extracting-passwords.html) and for an understanding of its application, refer to [Pass-the-cookie attack](az-pass-the-cookie.md).
|
||||
3. Post decryption of the Session Key, the **derived key and context for the PRT are obtained**. These are crucial for the **creation of the PRT cookie**. Specifically, the derived key is employed for signing the JWT (JSON Web Token) that constitutes the cookie. A comprehensive explanation of this process has been provided by Dirk-jan, accessible [here](https://dirkjanm.io/digging-further-into-the-primary-refresh-token/).
|
||||
|
||||
> [!CAUTION]
|
||||
|
||||
@@ -19,7 +19,7 @@ An attacker identifies applications, extensions or images being frequently used
|
||||
An attacker could get access to the instances and backdoor them:
|
||||
|
||||
- Using a traditional **rootkit** for example
|
||||
- Adding a new **public SSH key** (check [EC2 privesc options](https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-privilege-escalation/aws-ec2-privesc))
|
||||
- Adding a new **public SSH key** (check [EC2 privesc options](https://cloud.hacktricks.wiki/en/pentesting-cloud/aws-security/aws-privilege-escalation/aws-ec2-privesc.html))
|
||||
- Backdooring the **User Data**
|
||||
|
||||
{{#include ../../../banners/hacktricks-training.md}}
|
||||
|
||||
+1
-1
@@ -372,7 +372,7 @@ az vm identity assign \
|
||||
Then the attacker needs to have **compromised somehow the VM** to steal tokens from the assigned managed identities. Check **more info in**:
|
||||
|
||||
{{#ref}}
|
||||
https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf#azure-vm
|
||||
https://book.hacktricks.wiki/en/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf.html#azure-vm
|
||||
{{#endref}}
|
||||
|
||||
### TODO: Microsoft.Compute/virtualMachines/WACloginAsAdmin/action
|
||||
|
||||
@@ -67,7 +67,7 @@ The **system assigned** one will be a managed identity that **only the function*
|
||||
|
||||
It's possible to use the [**PEASS scripts**](https://github.com/peass-ng/PEASS-ng) to get tokens from the default managed identity from the metadata endpoint. Or you could get them **manually** as explained in:
|
||||
|
||||
{% embed url="https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf#azure-vm" %}
|
||||
{% embed url="https://book.hacktricks.wiki/en/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf.html#azure-vm" %}
|
||||
|
||||
Note that you need to find out a way to **check all the Managed Identities a function has attached** as if you don't indicate it, the metadata endpoint will **only use the default one** (check the previous link for more info).
|
||||
|
||||
|
||||
@@ -208,7 +208,7 @@ Moreover, to contact the metadata endpoint, the HTTP request must have the heade
|
||||
Check how to enumerate it in:
|
||||
|
||||
{{#ref}}
|
||||
https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf#azure-vm
|
||||
https://book.hacktricks.wiki/en/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf.html#azure-vm
|
||||
{{#endref}}
|
||||
|
||||
## VM Enumeration
|
||||
|
||||
+1
-1
@@ -231,7 +231,7 @@ Use [**Storage Explorer**](https://azure.microsoft.com/en-us/features/storage-ex
|
||||
|
||||
### Phishing
|
||||
|
||||
- [**Common Phishing**](https://book.hacktricks.xyz/generic-methodologies-and-resources/phishing-methodology) (credentials or OAuth App -[Illicit Consent Grant Attack](az-oauth-apps-phishing.md)-)
|
||||
- [**Common Phishing**](https://book.hacktricks.wiki/en/generic-methodologies-and-resources/phishing-methodology/index.html) (credentials or OAuth App -[Illicit Consent Grant Attack](az-oauth-apps-phishing.md)-)
|
||||
- [**Device Code Authentication** Phishing](az-device-code-authentication-phishing.md)
|
||||
|
||||
### Password Spraying / Brute-Force
|
||||
|
||||
@@ -17,7 +17,7 @@ do-basic-information.md
|
||||
### SSRF
|
||||
|
||||
{{#ref}}
|
||||
https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf
|
||||
https://book.hacktricks.wiki/en/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf.html
|
||||
{{#endref}}
|
||||
|
||||
### Projects
|
||||
|
||||
@@ -29,7 +29,7 @@ From a Red Team point of view, the **first step to compromise a GCP environment*
|
||||
- **Social** Engineering (Check the page [**Workspace Security**](../workspace-security/index.html))
|
||||
- **Password** reuse (password leaks)
|
||||
- Vulnerabilities in GCP-Hosted Applications
|
||||
- [**Server Side Request Forgery**](https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf) with access to metadata endpoint
|
||||
- [**Server Side Request Forgery**](https://book.hacktricks.wiki/en/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf.html) with access to metadata endpoint
|
||||
- **Local File Read**
|
||||
- `/home/USERNAME/.config/gcloud/*`
|
||||
- `C:\Users\USERNAME\.config\gcloud\*`
|
||||
@@ -58,7 +58,7 @@ gcp-permissions-for-a-pentest.md
|
||||
For more information about how to **enumerate GCP metadata** check the following hacktricks page:
|
||||
|
||||
{{#ref}}
|
||||
https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf#6440
|
||||
https://book.hacktricks.wiki/en/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf.html
|
||||
{{#endref}}
|
||||
|
||||
### Whoami
|
||||
@@ -149,7 +149,7 @@ As pentester/red teamer you should always check if you can find **sensitive info
|
||||
In this book you should find **information** about how to find **exposed GCP services and how to check them**. About how to find **vulnerabilities in exposed network services** I would recommend you to **search** for the specific **service** in:
|
||||
|
||||
{{#ref}}
|
||||
https://book.hacktricks.xyz/
|
||||
https://book.hacktricks.wiki/
|
||||
{{#endref}}
|
||||
|
||||
## GCP <--> Workspace Pivoting
|
||||
|
||||
+1
-1
@@ -36,7 +36,7 @@ For persistence these are the steps you need to follow:
|
||||
For more information about dependency confusion check:
|
||||
|
||||
{{#ref}}
|
||||
https://book.hacktricks.xyz/pentesting-web/dependency-confusion
|
||||
https://book.hacktricks.wiki/en/pentesting-web/dependency-confusion.html
|
||||
{{#endref}}
|
||||
|
||||
{{#include ../../../banners/hacktricks-training.md}}
|
||||
|
||||
@@ -13,7 +13,7 @@ sqlite3 $HOME/.config/gcloud/access_tokens.db "select access_token from access_t
|
||||
Check in this page how to **directly use this token using gcloud**:
|
||||
|
||||
{{#ref}}
|
||||
https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf#id-6440-1
|
||||
https://book.hacktricks.wiki/en/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf.html#gcp
|
||||
{{#endref}}
|
||||
|
||||
To get the details to **generate a new access token** run:
|
||||
|
||||
+1
-1
@@ -27,7 +27,7 @@ Moreover, it's possible to add **userdata**, which is a script that will be **ex
|
||||
For more info check:
|
||||
|
||||
{{#ref}}
|
||||
https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf
|
||||
https://book.hacktricks.wiki/en/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf.html
|
||||
{{#endref}}
|
||||
|
||||
## **Abusing IAM permissions**
|
||||
|
||||
+1
-1
@@ -91,7 +91,7 @@ curl "http://metadata.google.internal/computeMetadata/v1/instance/attributes/?re
|
||||
Moreover, **auth token for the attached service account** and **general info** about the instance, network and project is also going to be available from the **metadata endpoint**. For more info check:
|
||||
|
||||
{{#ref}}
|
||||
https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf#6440
|
||||
https://book.hacktricks.wiki/en/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf.html#gcp
|
||||
{{#endref}}
|
||||
|
||||
### Encryption
|
||||
|
||||
+1
-1
@@ -17,7 +17,7 @@ If you have **access to a Cloud SQL port** because all internet is permitted or
|
||||
Check this page for **different tools to burte-force** different database technologies:
|
||||
|
||||
{{#ref}}
|
||||
https://book.hacktricks.xyz/generic-methodologies-and-resources/brute-force
|
||||
https://book.hacktricks.wiki/en/generic-hacking/brute-force.html
|
||||
{{#endref}}
|
||||
|
||||
Remember that with some privileges it's possible to **list all the database users** via GCP API.
|
||||
|
||||
+1
-1
@@ -15,7 +15,7 @@ For more information about Compute and VPC (Networking) check:
|
||||
If a web is **vulnerable to SSRF** and it's possible to **add the metadata header**, an attacker could abuse it to access the SA OAuth token from the metadata endpoint. For more info about SSRF check:
|
||||
|
||||
{{#ref}}
|
||||
https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery
|
||||
https://book.hacktricks.wiki/en/pentesting-web/ssrf-server-side-request-forgery/index.html
|
||||
{{#endref}}
|
||||
|
||||
### Vulnerable exposed services
|
||||
|
||||
@@ -28,7 +28,7 @@ ibm-basic-information.md
|
||||
Learn how you can access the medata endpoint of IBM in the following page:
|
||||
|
||||
{{#ref}}
|
||||
https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf#2af0
|
||||
https://book.hacktricks.wiki/en/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf.html#ibm-cloud
|
||||
{{#endref}}
|
||||
|
||||
## References
|
||||
|
||||
@@ -13,13 +13,13 @@
|
||||
In order to try to escape from the pods you might need to **escalate privileges** first, some techniques to do it:
|
||||
|
||||
{{#ref}}
|
||||
https://book.hacktricks.xyz/linux-hardening/privilege-escalation
|
||||
https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html
|
||||
{{#endref}}
|
||||
|
||||
You can check this **docker breakouts to try to escape** from a pod you have compromised:
|
||||
|
||||
{{#ref}}
|
||||
https://book.hacktricks.xyz/linux-hardening/privilege-escalation/docker-breakout
|
||||
https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation/index.html
|
||||
{{#endref}}
|
||||
|
||||
### Abusing Kubernetes Privileges
|
||||
|
||||
@@ -5,7 +5,7 @@
|
||||
## Generic Phishing Methodology
|
||||
|
||||
{{#ref}}
|
||||
https://book.hacktricks.xyz/generic-methodologies-and-resources/phishing-methodology
|
||||
https://book.hacktricks.wiki/en/generic-methodologies-and-resources/phishing-methodology/index.html
|
||||
{{#endref}}
|
||||
|
||||
## Google Groups Phishing
|
||||
@@ -59,7 +59,7 @@ The with some code like the following an attacker could make the script load arb
|
||||
```javascript
|
||||
function doGet() {
|
||||
return HtmlService.createHtmlOutput(
|
||||
'<meta http-equiv="refresh" content="0;url=https://cloud.hacktricks.xyz/pentesting-cloud/workspace-security/gws-google-platforms-phishing#app-scripts-redirect-phishing">'
|
||||
'<meta http-equiv="refresh" content="0;url=https://cloud.hacktricks.wiki/en/pentesting-cloud/workspace-security/gws-google-platforms-phishing/index.html#app-scripts-redirect-phishing">'
|
||||
).setXFrameOptionsMode(HtmlService.XFrameOptionsMode.ALLOWALL)
|
||||
}
|
||||
```
|
||||
|
||||
Reference in New Issue
Block a user